JAASRealmpublic class JAASRealm extends RealmBase Implmentation of Realm that authenticates users via the Java
Authentication and Authorization Service (JAAS). JAAS support requires
either JDK 1.4 (which includes it as part of the standard platform) or
JDK 1.3 (with the plug-in jaas.jar file).
The value configured for the appName property is passed to
the javax.security.auth.login.LoginContext constructor, to
specify the application name used to select the set of relevant
LoginModules required.
The JAAS Specification describes the result of a successful login as a
javax.security.auth.Subject instance, which can contain zero
or more java.security.Principal objects in the return value
of the Subject.getPrincipals() method. However, it provides
no guidance on how to distinguish Principals that describe the individual
user (and are thus appropriate to return as the value of
request.getUserPrincipal() in a web application) from the Principal(s)
that describe the authorized roles for this user. To maintain as much
independence as possible from the underlying LoginMethod
implementation executed by JAAS, the following policy is implemented by
this Realm:
- The JAAS
LoginModule is assumed to return a
Subject with at least one Principal instance
representing the user himself or herself, and zero or more separate
Principals representing the security roles authorized
for this user.
- On the
Principal representing the user, the Principal
name is an appropriate value to return via the Servlet API method
HttpServletRequest.getRemoteUser().
- On the
Principals representing the security roles, the
name is the name of the authorized security role.
- This Realm will be configured with two lists of fully qualified Java
class names of classes that implement
java.security.Principal - one that identifies class(es)
representing a user, and one that identifies class(es) representing
a security role.
- As this Realm iterates over the
Principals returned by
Subject.getPrincipals(), it will identify the first
Principal that matches the "user classes" list as the
Principal for this user.
- As this Realm iterates over the
Princpals returned by
Subject.getPrincipals(), it will accumulate the set of
all Principals matching the "role classes" list as
identifying the security roles for this user.
- It is a configuration error for the JAAS login method to return a
validated
Subject without a Principal that
matches the "user classes" list.
- By default, the enclosing Container's name serves as the
application name used to obtain the JAAS LoginContext ("Catalina" in
a default installation). Tomcat must be able to find an application
with this name in the JAAS configuration file. Here is a hypothetical
JAAS configuration file entry for a database-oriented login module that uses
a Tomcat-managed JNDI database resource:
Catalina {
org.foobar.auth.DatabaseLoginModule REQUIRED
JNDI_RESOURCE=jdbc/AuthDB
USER_TABLE=users
USER_ID_COLUMN=id
USER_NAME_COLUMN=name
USER_CREDENTIAL_COLUMN=password
ROLE_TABLE=roles
ROLE_NAME_COLUMN=name
PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory;
};
- To set the JAAS configuration file
location, set the
CATALINA_OPTS environment variable
similar to the following:
CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
- As part of the login process, JAASRealm registers its own
CallbackHandler,
called (unsurprisingly) JAASCallbackHandler. This handler supplies the
HTTP requests's username and credentials to the user-supplied LoginModule
- As with other
Realm implementations, digested passwords are supported if
the <Realm> element in server.xml contains a
digest attribute; JAASCallbackHandler will digest the password
prior to passing it back to the LoginModule
|
| Fields Summary |
|---|
| private static org.apache.juli.logging.Log | log | | protected String | appNameThe application name passed to the JAAS LoginContext,
which uses it to select the set of relevant LoginModules. | | protected static final String | infoDescriptive information about this Realm implementation. | | protected static final String | nameDescriptive information about this Realm implementation. | | protected List | roleClassesThe list of role class names, split out for easy processing. | | protected static final org.apache.catalina.util.StringManager | smThe string manager for this package. | | protected List | userClassesThe set of user class names, split out for easy processing. | | protected boolean | useContextClassLoaderWhether to use context ClassLoader or default ClassLoader.
True means use context ClassLoader, and True is the default
value. | | protected String | roleClassNamesComma-delimited list of java.security.Principal classes
that represent security roles. | | protected String | userClassNamesComma-delimited list of java.security.Principal classes
that represent individual users. |
| Methods Summary |
|---|
| public java.security.Principal | authenticate(java.lang.String username, java.lang.String credentials)Return the Principal associated with the specified username and
credentials, if there is one; otherwise return null.
If there are any errors with the JDBC connection, executing
the query or anything we return null (don't authenticate). This
event is also logged, and the connection will be closed so that
a subsequent request will automatically re-open it.
// Establish a LoginContext to use for authentication
try {
LoginContext loginContext = null;
if( appName==null ) appName="Tomcat";
if( log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.beginLogin", username, appName));
// What if the LoginModule is in the container class loader ?
ClassLoader ocl = null;
if (isUseContextClassLoader()) {
ocl=Thread.currentThread().getContextClassLoader();
Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
}
try {
loginContext = new LoginContext
(appName, new JAASCallbackHandler(this, username,
credentials));
} catch (Throwable e) {
log.error(sm.getString("jaasRealm.unexpectedError"), e);
return (null);
} finally {
if( isUseContextClassLoader()) {
Thread.currentThread().setContextClassLoader(ocl);
}
}
if( log.isDebugEnabled())
log.debug("Login context created " + username);
// Negotiate a login via this LoginContext
Subject subject = null;
try {
loginContext.login();
subject = loginContext.getSubject();
if (subject == null) {
if( log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.failedLogin", username));
return (null);
}
} catch (AccountExpiredException e) {
if (log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.accountExpired", username));
return (null);
} catch (CredentialExpiredException e) {
if (log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.credentialExpired", username));
return (null);
} catch (FailedLoginException e) {
if (log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.failedLogin", username));
return (null);
} catch (LoginException e) {
log.warn(sm.getString("jaasRealm.loginException", username), e);
return (null);
} catch (Throwable e) {
log.error(sm.getString("jaasRealm.unexpectedError"), e);
return (null);
}
if( log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.loginContextCreated", username));
// Return the appropriate Principal for this authenticated Subject
Principal principal = createPrincipal(username, subject);
if (principal == null) {
log.debug(sm.getString("jaasRealm.authenticateFailure", username));
return (null);
}
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.authenticateSuccess", username));
}
return (principal);
} catch( Throwable t) {
log.error( "error ", t);
return null;
}
| | protected java.security.Principal | createPrincipal(java.lang.String username, javax.security.auth.Subject subject)Identify and return a java.security.Principal instance
representing the authenticated user for the specified Subject.
The Principal is constructed by scanning the list of Principals returned
by the JAASLoginModule. The first Principal object that matches
one of the class names supplied as a "user class" is the user Principal.
This object is returned to tha caller.
Any remaining principal objects returned by the LoginModules are mapped to
roles, but only if their respective classes match one of the "role class" classes.
If a user Principal cannot be constructed, return null.
// Prepare to scan the Principals for this Subject
List<String> roles = new ArrayList<String>();
Principal userPrincipal = null;
// Scan the Principals for this Subject
Iterator principals = subject.getPrincipals().iterator();
while (principals.hasNext()) {
Principal principal = (Principal) principals.next();
String principalClass = principal.getClass().getName();
if( log.isDebugEnabled() ) {
log.debug(sm.getString("jaasRealm.checkPrincipal", principal, principalClass));
}
if (userPrincipal == null && userClasses.contains(principalClass)) {
userPrincipal = principal;
if( log.isDebugEnabled() ) {
log.debug(sm.getString("jaasRealm.userPrincipalSuccess", principal.getName()));
}
}
if (roleClasses.contains(principalClass)) {
roles.add(principal.getName());
if( log.isDebugEnabled() ) {
log.debug(sm.getString("jaasRealm.rolePrincipalAdd", principal.getName()));
}
}
}
// Print failure message if needed
if (userPrincipal == null) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.userPrincipalFailure"));
log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
}
} else {
if (roles.size() == 0) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
}
}
}
// Return the resulting Principal for our authenticated user
return new GenericPrincipal(this, username, null, roles, userPrincipal);
| | public java.lang.String | getAppName()getter for the appName member variable
return appName;
| | protected java.lang.String | getName()Return a short name for this Realm implementation.
return (name);
| | protected java.lang.String | getPassword(java.lang.String username)Return the password associated with the given principal's user name.
return (null);
| | protected java.security.Principal | getPrincipal(java.lang.String username)Return the Principal associated with the given user name.
return (null);
| | public java.lang.String | getRoleClassNames()
return (this.roleClassNames);
| | public java.lang.String | getUserClassNames()
return (this.userClassNames);
| | public boolean | isUseContextClassLoader()Returns whether to use the context or default ClassLoader.
True means to use the context ClassLoader.
return useContextClassLoader;
| | protected java.lang.String | makeLegalForJAAS(java.lang.String src)Ensure the given name is legal for JAAS configuration.
Added for Bugzilla 30869, made protected for easy customization
in case my implementation is insufficient, which I think is
very likely.
String result = src;
// Default name is "other" per JAAS spec
if(result == null) {
result = "other";
}
// Strip leading slash if present, as Sun JAAS impl
// barfs on it (see Bugzilla 30869 bug report).
if(result.startsWith("/")) {
result = result.substring(1);
}
return result;
| | protected void | parseClassNames(java.lang.String classNamesString, java.util.List classNamesList)Parses a comma-delimited list of class names, and store the class names
in the provided List. Each class must implement .
classNamesList.clear();
if (classNamesString == null) return;
String[] classNames = classNamesString.split("[ ]*,[ ]*");
for (int i=0; i<classNames.length; i++) {
if (classNames[i].length()==0) continue;
try {
Class principalClass = Class.forName(classNames[i]);
if (Principal.class.isAssignableFrom(principalClass)) {
classNamesList.add(classNames[i]);
} else {
log.error("Class "+classNames[i]+" is not implementing "+
"java.security.Principal! Class not added.");
}
} catch (ClassNotFoundException e) {
log.error("Class "+classNames[i]+" not found! Class not added.");
}
}
| | public void | setAppName(java.lang.String name)setter for the appName member variable
// ------------------------------------------------------------- Properties
appName = name;
| | public void | setContainer(org.apache.catalina.Container container)
super.setContainer(container);
if( appName==null ) {
String name=container.getName();
name = makeLegalForJAAS(name);
appName=name;
log.info("Set JAAS app name " + appName);
}
| | public void | setRoleClassNames(java.lang.String roleClassNames)Sets the list of comma-delimited classes that represent
roles. The classes in the list must implement java.security.Principal.
When this accessor is called (for example, by a Digester
instance parsing the
configuration file), it will parse the class names and store the resulting
string(s) into the ArrayList field roleClasses.
this.roleClassNames = roleClassNames;
parseClassNames(roleClassNames, roleClasses);
| | public void | setUseContextClassLoader(boolean useContext)Sets whether to use the context or default ClassLoader.
True means use context ClassLoader.
useContextClassLoader = useContext;
log.info("Setting useContextClassLoader = " + useContext);
| | public void | setUserClassNames(java.lang.String userClassNames)Sets the list of comma-delimited classes that represent individual
users. The classes in the list must implement java.security.Principal.
When this accessor is called (for example, by a Digester
instance parsing the
configuration file), it will parse the class names and store the resulting
string(s) into the ArrayList field userClasses.
this.userClassNames = userClassNames;
parseClassNames(userClassNames, userClasses);
| | public void | start()Prepare for active use of the public methods of this Component.
// Perform normal superclass initialization
super.start();
| | public void | stop()Gracefully shut down active use of the public methods of this Component.
// Perform normal superclass finalization
super.stop();
|
|
