All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.catalina.authenticator.SingleSignOn Maven / Gradle / Ivy

There is a newer version: 11.0.0-M26
Show newest version
/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


package org.apache.catalina.authenticator;


import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;

import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.SessionEvent;
import org.apache.catalina.SessionListener;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;


/**
 * A Valve that supports a "single sign on" user experience,
 * where the security identity of a user who successfully authenticates to one
 * web application is propagated to other web applications in the same
 * security domain.  For successful use, the following requirements must
 * be met:
 * 
    *
  • This Valve must be configured on the Container that represents a * virtual host (typically an implementation of Host).
  • *
  • The Realm that contains the shared user and role * information must be configured on the same Container (or a higher * one), and not overridden at the web application level.
  • *
  • The web applications themselves must use one of the standard * Authenticators found in the * org.apache.catalina.authenticator package.
  • *
* * @author Craig R. McClanahan */ public class SingleSignOn extends ValveBase implements SessionListener { //------------------------------------------------------ Constructor public SingleSignOn() { super(true); } // ----------------------------------------------------- Instance Variables /** * The cache of SingleSignOnEntry instances for authenticated Principals, * keyed by the cookie value that is used to select them. */ protected final Map cache = new HashMap<>(); /** * Indicates whether this valve should require a downstream Authenticator to * reauthenticate each request, or if it itself can bind a UserPrincipal * and AuthType object to the request. */ private boolean requireReauthentication = false; /** * The cache of single sign on identifiers, keyed by the Session that is * associated with them. */ protected final Map reverse = new HashMap<>(); /** * Optional SSO cookie domain. */ private String cookieDomain; // ------------------------------------------------------------- Properties /** * Returns the optional cookie domain. * May return null. * * @return The cookie domain */ public String getCookieDomain() { return cookieDomain; } /** * Sets the domain to be used for sso cookies. * * @param cookieDomain cookie domain name */ public void setCookieDomain(String cookieDomain) { if (cookieDomain != null && cookieDomain.trim().length() == 0) { this.cookieDomain = null; } else { this.cookieDomain = cookieDomain; } } /** * Gets whether each request needs to be reauthenticated (by an * Authenticator downstream in the pipeline) to the security * Realm, or if this Valve can itself bind security info * to the request based on the presence of a valid SSO entry without * rechecking with the Realmtrue if it is required that a downstream * Authenticator reauthenticate each request before calls to * HttpServletRequest.setUserPrincipal() * and HttpServletRequest.setAuthType() are made; * false if the Valve can itself make * those calls relying on the presence of a valid SingleSignOn * entry associated with the request. * * @see #setRequireReauthentication */ public boolean getRequireReauthentication() { return requireReauthentication; } /** * Sets whether each request needs to be reauthenticated (by an * Authenticator downstream in the pipeline) to the security * Realm, or if this Valve can itself bind security info * to the request, based on the presence of a valid SSO entry, without * rechecking with the Realm * If this property is false (the default), this * Valve will bind a UserPrincipal and AuthType to the request * if a valid SSO entry is associated with the request. It will not notify * the security Realm of the incoming request. *

* This property should be set to true if the overall server * configuration requires that the Realm reauthenticate each * request thread. An example of such a configuration would be one where * the Realm implementation provides security for both a * web tier and an associated EJB tier, and needs to set security * credentials on each request thread in order to support EJB access. *

* If this property is set to true, this Valve will set flags * on the request notifying the downstream Authenticator that the request * is associated with an SSO session. The Authenticator will then call its * {@link AuthenticatorBase#reauthenticateFromSSO reauthenticateFromSSO} * method to attempt to reauthenticate the request to the * Realm, using any credentials that were cached with this * Valve. *

* The default value of this property is false, in order * to maintain backward compatibility with previous versions of Tomcat. * * @param required true if it is required that a downstream * Authenticator reauthenticate each request before calls * to HttpServletRequest.setUserPrincipal() * and HttpServletRequest.setAuthType() are * made; false if the Valve can * itself make those calls relying on the presence of a * valid SingleSignOn entry associated with the request. * * @see AuthenticatorBase#reauthenticateFromSSO */ public void setRequireReauthentication(boolean required) { this.requireReauthentication = required; } // ------------------------------------------------ SessionListener Methods /** * Acknowledge the occurrence of the specified event. * * @param event SessionEvent that has occurred */ @Override public void sessionEvent(SessionEvent event) { if (!getState().isAvailable()) { return; } // We only care about session destroyed events if (!Session.SESSION_DESTROYED_EVENT.equals(event.getType()) && (!Session.SESSION_PASSIVATED_EVENT.equals(event.getType()))) { return; } // Look up the single session id associated with this session (if any) Session session = event.getSession(); if (containerLog.isDebugEnabled()) { containerLog.debug("Process session destroyed on " + session); } String ssoId = null; synchronized (reverse) { ssoId = reverse.get(session); } if (ssoId == null) { return; } // Was the session destroyed as the result of a timeout? // If so, we'll just remove the expired session from the // SSO. If the session was logged out, we'll log out // of all session associated with the SSO. if (((session.getMaxInactiveInterval() > 0) && (System.currentTimeMillis() - session.getThisAccessedTimeInternal() >= session.getMaxInactiveInterval() * 1000)) || (Session.SESSION_PASSIVATED_EVENT.equals(event.getType())) || (!session.getManager().getContext().getState().isAvailable())) { removeSession(ssoId, session); } else { // The session was logged out. // Deregister this single session id, invalidating // associated sessions deregister(ssoId); } } // ---------------------------------------------------------- Valve Methods /** * Perform single-sign-on support processing for this request. * * @param request The servlet request we are processing * @param response The servlet response we are creating * * @exception IOException if an input/output error occurs * @exception ServletException if a servlet error occurs */ @Override public void invoke(Request request, Response response) throws IOException, ServletException { request.removeNote(Constants.REQ_SSOID_NOTE); // Has a valid user already been authenticated? if (containerLog.isDebugEnabled()) { containerLog.debug("Process request for '" + request.getRequestURI() + "'"); } if (request.getUserPrincipal() != null) { if (containerLog.isDebugEnabled()) { containerLog.debug(" Principal '" + request.getUserPrincipal().getName() + "' has already been authenticated"); } getNext().invoke(request, response); return; } // Check for the single sign on cookie if (containerLog.isDebugEnabled()) { containerLog.debug(" Checking for SSO cookie"); } Cookie cookie = null; Cookie cookies[] = request.getCookies(); if (cookies == null) { cookies = new Cookie[0]; } for (int i = 0; i < cookies.length; i++) { if (Constants.SINGLE_SIGN_ON_COOKIE.equals(cookies[i].getName())) { cookie = cookies[i]; break; } } if (cookie == null) { if (containerLog.isDebugEnabled()) { containerLog.debug(" SSO cookie is not present"); } getNext().invoke(request, response); return; } // Look up the cached Principal associated with this cookie value if (containerLog.isDebugEnabled()) { containerLog.debug(" Checking for cached principal for " + cookie.getValue()); } SingleSignOnEntry entry = lookup(cookie.getValue()); if (entry != null) { if (containerLog.isDebugEnabled()) { containerLog.debug(" Found cached principal '" + (entry.getPrincipal() != null ? entry.getPrincipal().getName() : "") + "' with auth type '" + entry.getAuthType() + "'"); } request.setNote(Constants.REQ_SSOID_NOTE, cookie.getValue()); // Only set security elements if reauthentication is not required if (!getRequireReauthentication()) { request.setAuthType(entry.getAuthType()); request.setUserPrincipal(entry.getPrincipal()); } } else { if (containerLog.isDebugEnabled()) { containerLog.debug(" No cached principal found, erasing SSO cookie"); } cookie.setMaxAge(0); response.addCookie(cookie); } // Invoke the next Valve in our pipeline getNext().invoke(request, response); } // ------------------------------------------------------ Protected Methods /** * Associate the specified single sign on identifier with the * specified Session. * * @param ssoId Single sign on identifier * @param session Session to be associated */ protected void associate(String ssoId, Session session) { if (containerLog.isDebugEnabled()) { containerLog.debug("Associate sso id " + ssoId + " with session " + session); } SingleSignOnEntry sso = lookup(ssoId); if (sso != null) { sso.addSession(this, session); } synchronized (reverse) { reverse.put(session, ssoId); } } /** * Deregister the specified session. If it is the last session, * then also get rid of the single sign on identifier * * @param ssoId Single sign on identifier * @param session Session to be deregistered */ protected void deregister(String ssoId, Session session) { synchronized (reverse) { reverse.remove(session); } SingleSignOnEntry sso = lookup(ssoId); if (sso == null) { return; } sso.removeSession(session); // see if we are the last session, if so blow away ssoId Session sessions[] = sso.findSessions(); if (sessions == null || sessions.length == 0) { synchronized (cache) { cache.remove(ssoId); } } } /** * Deregister the specified single sign on identifier, and invalidate * any associated sessions. * * @param ssoId Single sign on identifier to deregister */ protected void deregister(String ssoId) { if (containerLog.isDebugEnabled()) { containerLog.debug("Deregistering sso id '" + ssoId + "'"); } // Look up and remove the corresponding SingleSignOnEntry SingleSignOnEntry sso = null; synchronized (cache) { sso = cache.remove(ssoId); } if (sso == null) { return; } // Expire any associated sessions Session sessions[] = sso.findSessions(); for (int i = 0; i < sessions.length; i++) { if (containerLog.isTraceEnabled()) { containerLog.trace(" Invalidating session " + sessions[i]); } // Remove from reverse cache first to avoid recursion synchronized (reverse) { reverse.remove(sessions[i]); } // Invalidate this session sessions[i].expire(); } // NOTE: Clients may still possess the old single sign on cookie, // but it will be removed on the next request since it is no longer // in the cache } /** * Attempts reauthentication to the given Realm using * the credentials associated with the single sign-on session * identified by argument ssoId. *

* If reauthentication is successful, the Principal and * authorization type associated with the SSO session will be bound * to the given Request object via calls to * {@link Request#setAuthType Request.setAuthType()} and * {@link Request#setUserPrincipal Request.setUserPrincipal()} *

* * @param ssoId identifier of SingleSignOn session with which the * caller is associated * @param realm Realm implementation against which the caller is to * be authenticated * @param request the request that needs to be authenticated * * @return true if reauthentication was successful, * false otherwise. */ protected boolean reauthenticate(String ssoId, Realm realm, Request request) { if (ssoId == null || realm == null) { return false; } boolean reauthenticated = false; SingleSignOnEntry entry = lookup(ssoId); if (entry != null && entry.getCanReauthenticate()) { String username = entry.getUsername(); if (username != null) { Principal reauthPrincipal = realm.authenticate(username, entry.getPassword()); if (reauthPrincipal != null) { reauthenticated = true; // Bind the authorization credentials to the request request.setAuthType(entry.getAuthType()); request.setUserPrincipal(reauthPrincipal); } } } return reauthenticated; } /** * Register the specified Principal as being associated with the specified * value for the single sign on identifier. * * @param ssoId Single sign on identifier to register * @param principal Associated user principal that is identified * @param authType Authentication type used to authenticate this * user principal * @param username Username used to authenticate this user * @param password Password used to authenticate this user */ protected void register(String ssoId, Principal principal, String authType, String username, String password) { if (containerLog.isDebugEnabled()) { containerLog.debug("Registering sso id '" + ssoId + "' for user '" + (principal != null ? principal.getName() : "") + "' with auth type '" + authType + "'"); } synchronized (cache) { cache.put(ssoId, new SingleSignOnEntry(principal, authType, username, password)); } } /** * Updates any SingleSignOnEntry found under key * ssoId with the given authentication data. *

* The purpose of this method is to allow an SSO entry that was * established without a username/password combination (i.e. established * following DIGEST or CLIENT_CERT authentication) to be updated with * a username and password if one becomes available through a subsequent * BASIC or FORM authentication. The SSO entry will then be usable for * reauthentication. *

* NOTE: Only updates the SSO entry if a call to * SingleSignOnEntry.getCanReauthenticate() returns * false; otherwise, it is assumed that the SSO entry already * has sufficient information to allow reauthentication and that no update * is needed. * * @param ssoId identifier of Single sign to be updated * @param principal the Principal returned by the latest * call to Realm.authenticate. * @param authType the type of authenticator used (BASIC, CLIENT_CERT, * DIGEST or FORM) * @param username the username (if any) used for the authentication * @param password the password (if any) used for the authentication */ protected void update(String ssoId, Principal principal, String authType, String username, String password) { SingleSignOnEntry sso = lookup(ssoId); if (sso != null && !sso.getCanReauthenticate()) { if (containerLog.isDebugEnabled()) { containerLog.debug("Update sso id " + ssoId + " to auth type " + authType); } synchronized(sso) { sso.updateCredentials(principal, authType, username, password); } } } /** * Look up and return the cached SingleSignOn entry associated with this * sso id value, if there is one; otherwise return null. * * @param ssoId Single sign on identifier to look up */ protected SingleSignOnEntry lookup(String ssoId) { synchronized (cache) { return cache.get(ssoId); } } /** * Remove a single Session from a SingleSignOn. Called when * a session is timed out and no longer active. * * @param ssoId Single sign on identifier from which to remove the session. * @param session the session to be removed. */ protected void removeSession(String ssoId, Session session) { if (containerLog.isDebugEnabled()) { containerLog.debug("Removing session " + session.toString() + " from sso id " + ssoId ); } // Get a reference to the SingleSignOn SingleSignOnEntry entry = lookup(ssoId); if (entry == null) { return; } // Remove the inactive session from SingleSignOnEntry entry.removeSession(session); // Remove the inactive session from the 'reverse' Map. synchronized(reverse) { reverse.remove(session); } // If there are not sessions left in the SingleSignOnEntry, // deregister the entry. if (entry.findSessions().length == 0) { deregister(ssoId); } } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy