All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.catalina.realm.JAASRealm Maven / Gradle / Ivy

There is a newer version: 7.2024.1.Alpha1
Show newest version
/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 1997-2016 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 *
 *
 * This file incorporates work covered by the following copyright and
 * permission notice:
 *
 * Copyright 2004 The Apache Software Foundation
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
// Portions Copyright [2019] Payara Foundation and/or affiliates

package org.apache.catalina.realm;


import org.apache.catalina.Container;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LogFacade;

import javax.security.auth.Subject;
import javax.security.auth.login.*;
import java.security.Principal;
import java.security.acl.Group;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.logging.Level;

/**
 * 

Implementation of Realm that authenticates users via the Java * Authentication and Authorization Service (JAAS). JAAS support requires * either JDK 1.4 (which includes it as part of the standard platform) or * JDK 1.3 (with the plug-in jaas.jar file).

* *

The value configured for the appName property is passed to * the javax.security.auth.login.LoginContext constructor, to * specify the application name used to select the set of relevant * LoginModules required.

* *

The JAAS Specification describes the result of a successful login as a * javax.security.auth.Subject instance, which can contain zero * or more java.security.Principal objects in the return value * of the Subject.getPrincipals() method. However, it provides * no guidance on how to distinguish Principals that describe the individual * user (and are thus appropriate to return as the value of * request.getUserPrincipal() in a web application) from the Principal(s) * that describe the authorized roles for this user. To maintain as much * independence as possible from the underlying LoginMethod * implementation executed by JAAS, the following policy is implemented by * this Realm:

*
    *
  • The JAAS LoginModule is assumed to return a * Subject with at least one Principal instance * representing the user himself or herself, and zero or more separate * Principals representing the security roles authorized * for this user.
  • *
  • On the Principal representing the user, the Principal * name is an appropriate value to return via the Servlet API method * HttpServletRequest.getRemoteUser().
  • *
  • On the Principals representing the security roles, the * name is the name of the authorized security role.
  • *
  • This Realm will be configured with two lists of fully qualified Java * class names of classes that implement * java.security.Principal - one that identifies class(es) * representing a user, and one that identifies class(es) representing * a security role.
  • *
  • As this Realm iterates over the Principals returned by * Subject.getPrincipals(), it will identify the first * Principal that matches the "user classes" list as the * Principal for this user.
  • *
  • As this Realm iterates over the Principals returned by * Subject.getPrincipals(), it will accumulate the set of * all Principals matching the "role classes" list as * identifying the security roles for this user.
  • *
  • It is a configuration error for the JAAS login method to return a * validated Subject without a Principal that * matches the "user classes" list.
  • *
* * @author Craig R. McClanahan * @version $Revision: 1.3 $ $Date: 2006/03/12 01:27:04 $ */ public class JAASRealm extends RealmBase { // ----------------------------------------------------- Instance Variables /** * The application name passed to the JAAS LoginContext, * which uses it to select the set of relevant LoginModules. */ protected String appName = null; /** * Descriptive information about this Realm implementation. */ protected static final String info = "org.apache.catalina.realm.JAASRealm/1.0"; /** * Descriptive information about this Realm implementation. */ protected static final String name = "JAASRealm"; /** * The list of role class names, split out for easy processing. */ protected ArrayList roleClasses = new ArrayList(); /** * The set of user class names, split out for easy processing. */ protected ArrayList userClasses = new ArrayList(); // ------------------------------------------------------------- Properties /** * setter for the appName member variable * @deprecated JAAS should use the Engine ( domain ) name and webpp/host overrides */ public void setAppName(String name) { appName = name; } /** * getter for the appName member variable */ public String getAppName() { return appName; } @Override public void setContainer(Container container) { super.setContainer(container); String name=container.getName(); if( appName==null ) { appName=name; if (log.isLoggable(Level.INFO)) { log.log(Level.INFO, LogFacade.SETTING_JAAS_INFO, appName); } } } /** * Comma-delimited list of javax.security.Principal classes * that represent security roles. */ protected String roleClassNames = null; public String getRoleClassNames() { return (this.roleClassNames); } public void setRoleClassNames(String roleClassNames) { this.roleClassNames = roleClassNames; roleClasses.clear(); String temp = this.roleClassNames; if (temp == null) { return; } while (true) { int comma = temp.indexOf(','); if (comma < 0) { break; } roleClasses.add(temp.substring(0, comma).trim()); temp = temp.substring(comma + 1); } temp = temp.trim(); if (temp.length() > 0) { roleClasses.add(temp); } } /** * Comma-delimited list of javax.security.Principal classes * that represent individual users. */ protected String userClassNames = null; public String getUserClassNames() { return (this.userClassNames); } public void setUserClassNames(String userClassNames) { this.userClassNames = userClassNames; userClasses.clear(); String temp = this.userClassNames; if (temp == null) { return; } while (true) { int comma = temp.indexOf(','); if (comma < 0) { break; } userClasses.add(temp.substring(0, comma).trim()); temp = temp.substring(comma + 1); } temp = temp.trim(); if (temp.length() > 0) { userClasses.add(temp); } } // --------------------------------------------------------- Public Methods /** * Return the Principal associated with the specified username and * credentials, if there is one; otherwise return null. * * If there are any errors with the JDBC connection, executing * the query or anything we return null (don't authenticate). This * event is also logged, and the connection will be closed so that * a subsequent request will automatically re-open it. * * @param username Username of the Principal to look up * @param credentials Password or other credentials to use in * authenticating this username */ @Override public Principal authenticate(String username, char[] credentials) { // Establish a LoginContext to use for authentication try { LoginContext loginContext = null; if( appName==null ) appName="Tomcat"; if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, "Authenticating {0} {1}", new Object[]{appName, username}); } // What if the LoginModule is in the container class loader ? // ClassLoader ocl=Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader()); try { loginContext = new LoginContext (appName, new JAASCallbackHandler(this, username, credentials)); } catch (Throwable e) { if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, "Error initializing JAAS: {0}", e.toString()); String msg = MessageFormat.format(rb.getString(LogFacade.LOGIN_EXCEPTION_AUTHENTICATING_USERNAME), username); log.log(Level.FINE, msg, e); } return (null); } finally { Thread.currentThread().setContextClassLoader(ocl); } if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, "Login context created {0}", username); } // Negotiate a login via this LoginContext Subject subject = null; try { loginContext.login(); subject = loginContext.getSubject(); if (subject == null) { if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, LogFacade.USERNAME_NOT_AUTHENTICATED_FAILED_LOGIN, username); } return (null); } } catch (AccountExpiredException e) { if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, LogFacade.USERNAME_NOT_AUTHENTICATED_EXPIRED_ACCOUNT, username); } return (null); } catch (CredentialExpiredException e) { if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, LogFacade.USERNAME_NOT_AUTHENTICATED_EXPIRED_CREDENTIAL, username); } return (null); } catch (FailedLoginException e) { if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, LogFacade.USERNAME_NOT_AUTHENTICATED_FAILED_LOGIN, username); } return (null); } catch (LoginException e) { String msg = MessageFormat.format(rb.getString(LogFacade.LOGIN_EXCEPTION_AUTHENTICATING_USERNAME), username); log.log(Level.FINE, msg, e); return (null); } catch (Throwable e) { log.log(Level.FINE, "Unexpected error", e); return (null); } if( log.isLoggable(Level.FINE)) log.log(Level.FINE, "Getting principal {0}", subject); // Return the appropriate Principal for this authenticated Subject Principal principal = createPrincipal(username, subject); if (principal == null) { if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, "Failed to authenticate username {0}", username); } return (null); } if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, "Successful to authenticate username {0}", username); } return (principal); } catch( Throwable t) { log.log(Level.SEVERE, LogFacade.AUTHENTICATION_ERROR, t); return null; } } // -------------------------------------------------------- Package Methods // ------------------------------------------------------ Protected Methods /** * Return a short name for this Realm implementation. */ @Override protected String getName() { return (this.name); } /** * Return the password associated with the given principal's user name. */ @Override protected char[] getPassword(String username) { return (null); } /** * Return the Principal associated with the given user name. */ @Override protected Principal getPrincipal(String username) { return (null); } /** * Construct and return a java.security.Principal instance * representing the authenticated user for the specified Subject. If no * such Principal can be constructed, return null. * * @param subject The Subject representing the logged in user */ protected Principal createPrincipal(String username, Subject subject) { // Prepare to scan the Principals for this Subject ArrayList roles = new ArrayList(); // Scan the Principals for this Subject for (Principal principal : subject.getPrincipals()) { // No need to look further - that's our own stuff if( principal instanceof GenericPrincipal ) { if (log.isLoggable(Level.FINE)) { log.log(Level.FINE, "Found old GenericPrincipal {0}", principal); } return principal; } String principalClass = principal.getClass().getName(); if (log.isLoggable(Level.FINE)) log.log(Level.FINE, "Principal: {0} {1}", new Object[]{principalClass, principal}); if (userClasses.contains(principalClass)) { // Override the default - which is the original user, accepted by // the friendly LoginManager username = principal.getName(); } if (roleClasses.contains(principalClass)) { roles.add(principal.getName()); } // Same as Jboss - that's a pretty clean solution if( (principal instanceof Group) && "Roles".equals( principal.getName())) { Group grp=(Group)principal; Enumeration en=grp.members(); while( en.hasMoreElements() ) { Principal roleP=(Principal)en.nextElement(); roles.add( roleP.getName()); } } } // Create the resulting Principal for our authenticated user if (username != null) { // Set password null as it will not be carried forward return (new GenericPrincipal(this, username, null, roles)); } else { return (null); } } // ------------------------------------------------------ Lifecycle Methods /** * * Prepare for active use of the public methods of this Component. * * @exception LifecycleException if this component detects a fatal error * that prevents it from being started */ @Override public void start() throws LifecycleException { // Perform normal superclass initialization super.start(); } /** * Gracefully shut down active use of the public methods of this Component. * * @exception LifecycleException if this component detects a fatal error * that needs to be reported */ @Override public void stop() throws LifecycleException { // Perform normal superclass finalization super.stop(); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy