FileDocCategorySizeDatePackage
ClusterSingleSignOn.javaAPI DocApache Tomcat 6.0.1414369Fri Jul 20 04:20:36 BST 2007org.apache.catalina.ha.authenticator

ClusterSingleSignOn

public class ClusterSingleSignOn extends org.apache.catalina.authenticator.SingleSignOn
A Valve that supports a "single sign on" user experience on each nodes of a cluster, where the security identity of a user who successfully authenticates to one web application is propogated to other web applications and to other nodes cluster in the same security domain. For successful use, the following requirements must be met:
  • This Valve must be configured on the Container that represents a virtual host (typically an implementation of Host).
  • The Realm that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
  • The web applications themselves must use one of the standard Authenticators found in the org.apache.catalina.authenticator package.
author
Fabien Carrion

Fields Summary
protected static String
info
Descriptive information about this Valve implementation.
protected int
messageNumber
private ClusterSingleSignOnListener
clusterSSOListener
private org.apache.catalina.ha.CatalinaCluster
cluster
Constructors Summary
Methods Summary
protected voidassociate(java.lang.String ssoId, org.apache.catalina.Session session)
Notify the cluster of the addition of a Session to an SSO session and associate the specified single sign on identifier with the specified Session on the local node.

param
ssoId Single sign on identifier
param
session Session to be associated


	if (cluster != null) {
	    messageNumber++;
	    SingleSignOnMessage msg =
		new SingleSignOnMessage(cluster.getLocalMember(),
					ssoId, session.getId());
	    Manager mgr = session.getManager();
	    if ((mgr != null) && (mgr instanceof ClusterManager))
		msg.setContextName(((ClusterManager) mgr).getName());

	    msg.setAction(SingleSignOnMessage.ADD_SESSION);

	    cluster.sendClusterDomain(msg);

	    if (containerLog.isDebugEnabled())
		containerLog.debug("SingleSignOnMessage Send with action "
				   + msg.getAction());
	}

	associateLocal(ssoId, session);

    
protected voidassociateLocal(java.lang.String ssoId, org.apache.catalina.Session session)


	super.associate(ssoId, session);

    
protected voidderegister(java.lang.String ssoId)
Notifies the cluster that a single sign on session has been terminated due to a user logout, deregister the specified single sign on identifier, and invalidate any associated sessions on the local node.

param
ssoId Single sign on identifier to deregister


	if (cluster != null) {
	    messageNumber++;
	    SingleSignOnMessage msg =
		new SingleSignOnMessage(cluster.getLocalMember(),
					ssoId, null);
	    msg.setAction(SingleSignOnMessage.LOGOUT_SESSION);

	    cluster.sendClusterDomain(msg);
	    if (containerLog.isDebugEnabled())
		containerLog.debug("SingleSignOnMessage Send with action "
				   + msg.getAction());
	}

	deregisterLocal(ssoId);

    
protected voidderegister(java.lang.String ssoId, org.apache.catalina.Session session)
Notify the cluster of the removal of a Session from an SSO session and deregister the specified session. If it is the last session, then also get rid of the single sign on identifier on the local node.

param
ssoId Single sign on identifier
param
session Session to be deregistered


	if (cluster != null) {
	    messageNumber++;
	    SingleSignOnMessage msg =
		new SingleSignOnMessage(cluster.getLocalMember(),
					ssoId, session.getId());
	    Manager mgr = session.getManager();
	    if ((mgr != null) && (mgr instanceof ClusterManager))
		msg.setContextName(((ClusterManager) mgr).getName());

	    msg.setAction(SingleSignOnMessage.DEREGISTER_SESSION);

	    cluster.sendClusterDomain(msg);
	    if (containerLog.isDebugEnabled())
		containerLog.debug("SingleSignOnMessage Send with action "
				   + msg.getAction());
	}

	deregisterLocal(ssoId, session);

    
protected voidderegisterLocal(java.lang.String ssoId, org.apache.catalina.Session session)


	super.deregister(ssoId, session);

    
protected voidderegisterLocal(java.lang.String ssoId)


	super.deregister(ssoId);

    
public org.apache.catalina.ha.CatalinaClustergetCluster()


        return cluster;

    
public java.lang.StringgetInfo()
Return descriptive information about this Valve implementation.




                
       

        return (info);

    
protected voidregister(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)
Notifies the cluster of the creation of a new SSO entry and register the specified Principal as being associated with the specified value for the single sign on identifier.

param
ssoId Single sign on identifier to register
param
principal Associated user principal that is identified
param
authType Authentication type used to authenticate this user principal
param
username Username used to authenticate this user
param
password Password used to authenticate this user


	if (cluster != null) {
	    messageNumber++;
	    SingleSignOnMessage msg =
		new SingleSignOnMessage(cluster.getLocalMember(),
					ssoId, null);
	    msg.setAction(SingleSignOnMessage.REGISTER_SESSION);
	    msg.setAuthType(authType);
	    msg.setUsername(username);
	    msg.setPassword(password);

	    cluster.sendClusterDomain(msg);
	    if (containerLog.isDebugEnabled())
		containerLog.debug("SingleSignOnMessage Send with action "
				   + msg.getAction());
	}

	registerLocal(ssoId, principal, authType, username, password);

    
protected voidregisterLocal(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)


	super.register(ssoId, principal, authType, username, password);

    
protected voidremoveSession(java.lang.String ssoId, org.apache.catalina.Session session)
Remove a single Session from a SingleSignOn and notify the cluster of the removal. Called when a session is timed out and no longer active.

param
ssoId Single sign on identifier from which to remove the session.
param
session the session to be removed.


	if (cluster != null) {
	    messageNumber++;
	    SingleSignOnMessage msg =
		new SingleSignOnMessage(cluster.getLocalMember(),
					ssoId, session.getId());

	    Manager mgr = session.getManager();
	    if ((mgr != null) && (mgr instanceof ClusterManager))
		msg.setContextName(((ClusterManager) mgr).getName());

	    msg.setAction(SingleSignOnMessage.REMOVE_SESSION);

	    cluster.sendClusterDomain(msg);
	    if (containerLog.isDebugEnabled())
		containerLog.debug("SingleSignOnMessage Send with action "
				   + msg.getAction());
	}

	removeSessionLocal(ssoId, session);
    
protected voidremoveSessionLocal(java.lang.String ssoId, org.apache.catalina.Session session)


	super.removeSession(ssoId, session);
	
    
public voidsetCluster(org.apache.catalina.ha.CatalinaCluster cluster)


        this.cluster = cluster;

    
public voidstart()
Prepare for the beginning of active use of the public methods of this component. This method should be called after configure(), and before any of the public methods of the component are utilized.

exception
LifecycleException if this component detects a fatal error that prevents this component from being used


	super.start();

	clusterSSOListener = new ClusterSingleSignOnListener();
	clusterSSOListener.setClusterSSO(this);

        // Load the cluster component, if any
        try {
            //the channel is already running
            Cluster cluster = getCluster();
            // stop remove cluster binding
            if(cluster == null) {
		Container host = getContainer();
		if(host != null && host instanceof Host) {
		    cluster = host.getCluster();
		    if(cluster != null && cluster instanceof CatalinaCluster) {
			setCluster((CatalinaCluster) cluster);
			getCluster().addClusterListener(clusterSSOListener);
		    } else {
			Container engine = host.getParent();
			if(engine != null && engine instanceof Engine) {
			    cluster = engine.getCluster();
			    if(cluster != null && cluster instanceof CatalinaCluster) {
				setCluster((CatalinaCluster) cluster);
				getCluster().addClusterListener(clusterSSOListener);
			    }
			} else {
			    cluster = null;
			}
		    }
                }
            }
            if (cluster == null) {
		throw new LifecycleException
		    ("There is no Cluster for ClusterSingleSignOn");
            }

        } catch (Throwable t) {
	    throw new LifecycleException
		("ClusterSingleSignOn exception during clusterLoad " + t);
        }

    
public voidstop()
Gracefully terminate the active use of the public methods of this component. This method should be the last one called on a given instance of this component.

exception
LifecycleException if this component detects a fatal error that needs to be reported


	super.stop();

	if (getCluster() != null && getCluster() instanceof CatalinaCluster) {
	    getCluster().removeClusterListener(clusterSSOListener);
	}

    
public java.lang.StringtoString()
Return a String rendering of this object.


        StringBuffer sb = new StringBuffer("ClusterSingleSignOn[");
        if (container == null )
            sb.append("Container is null");
        else
            sb.append(container.getName());
        sb.append("]");
        return (sb.toString());

    
protected voidupdate(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)
Notifies the cluster of an update of the security credentials associated with an SSO session. Updates any SingleSignOnEntry found under key ssoId with the given authentication data.

The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT-CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.

NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.

param
ssoId identifier of Single sign to be updated
param
principal the Principal returned by the latest call to Realm.authenticate.
param
authType the type of authenticator used (BASIC, CLIENT-CERT, DIGEST or FORM)
param
username the username (if any) used for the authentication
param
password the password (if any) used for the authentication


	if (cluster != null) {
	    messageNumber++;
	    SingleSignOnMessage msg =
		new SingleSignOnMessage(cluster.getLocalMember(),
					ssoId, null);
	    msg.setAction(SingleSignOnMessage.UPDATE_SESSION);
	    msg.setAuthType(authType);
	    msg.setUsername(username);
	    msg.setPassword(password);

	    cluster.sendClusterDomain(msg);
	    if (containerLog.isDebugEnabled())
		containerLog.debug("SingleSignOnMessage Send with action "
				   + msg.getAction());
	}

	updateLocal(ssoId, principal, authType, username, password);

    
protected voidupdateLocal(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)


	super.update(ssoId, principal, authType, username, password);