FileDocCategorySizeDatePackage
CertificateRealm.javaAPI DocGlassfish v2 API10413Mon Jul 02 03:18:56 BST 2007com.sun.enterprise.security.auth.realm.certificate

CertificateRealm

public final class CertificateRealm extends com.sun.enterprise.security.auth.realm.IASRealm
Realm wrapper for supporting certificate authentication.

The certificate realm provides the security-service functionality needed to process a client-cert authentication. Since the SSL processing, and client certificate verification is done by NSS, no authentication is actually done by this realm. It only serves the purpose of being registered as the certificate handler realm and to service group membership requests during web container role checks.

There is no JAAS LoginModule corresponding to the certificate realm, therefore this realm does not require the jaas-context configuration parameter to be set. The purpose of a JAAS LoginModule is to implement the actual authentication processing, which for the case of this certificate realm is already done by the time execution gets to Java.

The certificate realm needs the following properties in its configuration: None.

The following optional attributes can also be specified:

  • assign-groups - A comma-separated list of group names which will be assigned to all users who present a cryptographically valid certificate. Since groups are otherwise not supported by the cert realm, this allows grouping cert users for convenience.

Fields Summary
public static final String
AUTH_TYPE
private Vector
defaultGroups
Constructors Summary
Methods Summary
public voidauthenticate(javax.security.auth.Subject subject, sun.security.x509.X500Name x500name)
Complete authentication of certificate user.

As noted, the certificate realm does not do the actual authentication (signature and cert chain validation) for the user certificate, this is done earlier in NSS. This method simply sets up the security context for the user in order to properly complete the authentication processing.

If any groups have been assigned to cert-authenticated users through the assign-groups property these groups are added to the security context for the current user.

param
subject The Subject object for the authentication request.
param
x500name The X500Name object from the user certificate.

        // It is important to use x500name.getName() in order to be
        // consistent with web containers view of the name - see bug
        // 4646134 for reasons why this matters.
        
        String name = x500name.getName();

        if (_logger.isLoggable(Level.FINEST)) {
            _logger.finest(
                "Certificate realm setting up security context for: "+ name);
        }

        if (defaultGroups != null) {
	    Set principalSet = subject.getPrincipals();
	    Enumeration e = defaultGroups.elements();
	    while (e.hasMoreElements()) {
		principalSet.add(new Group((String) e.nextElement()));
	    }
	}
        
        SecurityContext securityContext =
	    new SecurityContext(name, subject);
        
	SecurityContext.setCurrent(securityContext);
public java.lang.StringgetAuthType()
Returns a short (preferably less than fifteen characters) description of the kind of authentication which is supported by this realm.

return
Description of the kind of authentication that is directly supported by this realm.

        return AUTH_TYPE;
public java.util.EnumerationgetGroupNames(java.lang.String username)
Returns the name of all the groups that this user belongs to.

param
username Name of the user in this realm whose group listing is needed.
return
Enumeration of group names (strings).
exception
InvalidOperationException thrown if the realm does not support this operation - e.g. Certificate realm does not support this operation.

        // This is called during web container role check, not during
        // EJB container role cheks... fix RI for consistency.

        // Groups for cert users is empty by default unless some assign-groups
        // property has been specified (see init()).
        return defaultGroups.elements();
public java.lang.StringgetJAASContext()
Returns name of JAAS context used by this realm. Overrides default Realm behavior of this method. The certificate realm does not require (or support) a LoginModule. This method should never get called unless there is a configuration error, so this overloading is provided to log an error message. See class documentation.

return
null

        _logger.warning("certrealm.nojaas");
        return null;
protected voidinit(java.util.Properties props)
Initialize a realm with some properties. This can be used when instantiating realms from their descriptions. This method is invoked from Realm during initialization.

param
props Initialization parameters used by this realm.
exception
BadRealmException If the configuration parameters identify a corrupt realm.
exception
NoSuchRealmException If the configuration parameters specify a realm which doesn't exist.


    // Optional link to a realm to verify group (possibly user, later)
    // public static final String PARAM_USEREALM = "use-realm";

    // Optional ordered list of possible elements to use as user name
    // from X.500 name.
    //    public static final String PARAM_NAMEFIELD = "name-field";
    //    private String[] nameFields = null;
    //    private static final String LINK_SEP = ",";

                                                                         
       
          
    
        super.init(props);
        String[] groups = addAssignGroups(null);
        if (groups != null && groups.length > 0) {
            for (String gp : groups) {
                defaultGroups.add(gp);
            }
        }

        /* future enhacement; allow using subset of DN as name field;
           requires RI fixes to handle subject & principal names
           consistently
        String nameLink = props.getProperty(PARAM_NAMEFIELD);
        if (nameLink == null) {
            Util.debug(log, "CertificateRealm: No "+PARAM_NAMEFIELD+
                       " provided, will use X.500 name.");
        } else {

            StringTokenizer st = new StringTokenizer(nameLink, LINK_SEP);
            int n = st.countTokens();
            nameFields = new String[n];

            for (int i=0; i<n; i++) {
                nameFields[i] = (String)st.nextToken();
            }
        }
        */

        /* future enhancement; allow linking to other realm such that
           user presence verification and group membership can be
           defined/shared; requires RI fixes to consistently check role
           memberships and RI fixes to allow multiple active realms.
        String link = props.getProperty(PARAM_USEREALM);
        if (link != null) {
            this.setProperty(PARAM_USEREALM, link);
            Util.debug(log, "CertificateRealm : "+PARAM_USEREALM+"="+link);
        }
        */