org.apache.catalina.realm: public class: JAASRealm

org.apache.catalina.realm
public class: JAASRealm [javadoc | source]

java.lang.Object
   org.apache.catalina.realm.RealmBase
      org.apache.catalina.realm.JAASRealm

All Implemented Interfaces:
Realm, MBeanRegistration, Lifecycle

Implmentation of Realm that authenticates users via the Java Authentication and Authorization Service (JAAS). JAAS support requires either JDK 1.4 (which includes it as part of the standard platform) or JDK 1.3 (with the plug-in jaas.jar file).

The value configured for the appName property is passed to the javax.security.auth.login.LoginContext constructor, to specify the application name used to select the set of relevant LoginModules required.

The JAAS Specification describes the result of a successful login as a javax.security.auth.Subject instance, which can contain zero or more java.security.Principal objects in the return value of the Subject.getPrincipals() method. However, it provides no guidance on how to distinguish Principals that describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence as possible from the underlying LoginMethod implementation executed by JAAS, the following policy is implemented by this Realm:

The JAAS LoginModule is assumed to return a Subject with at least one Principal instance representing the user himself or herself, and zero or more separate Principals representing the security roles authorized for this user.
On the Principal representing the user, the Principal name is an appropriate value to return via the Servlet API method HttpServletRequest.getRemoteUser().
On the Principals representing the security roles, the name is the name of the authorized security role.
This Realm will be configured with two lists of fully qualified Java class names of classes that implement java.security.Principal - one that identifies class(es) representing a user, and one that identifies class(es) representing a security role.
As this Realm iterates over the Principals returned by Subject.getPrincipals(), it will identify the first Principal that matches the "user classes" list as the Principal for this user.
As this Realm iterates over the Princpals returned by Subject.getPrincipals(), it will accumulate the set of all Principals matching the "role classes" list as identifying the security roles for this user.
It is a configuration error for the JAAS login method to return a validated Subject without a Principal that matches the "user classes" list.
By default, the enclosing Container's name serves as the application name used to obtain the JAAS LoginContext ("Catalina" in a default installation). Tomcat must be able to find an application with this name in the JAAS configuration file. Here is a hypothetical JAAS configuration file entry for a database-oriented login module that uses a Tomcat-managed JNDI database resource:
```
Catalina {
org.foobar.auth.DatabaseLoginModule REQUIRED
JNDI_RESOURCE=jdbc/AuthDB
USER_TABLE=users
USER_ID_COLUMN=id
USER_NAME_COLUMN=name
USER_CREDENTIAL_COLUMN=password
ROLE_TABLE=roles
ROLE_NAME_COLUMN=name
PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory;
};
```
To set the JAAS configuration file location, set the CATALINA_OPTS environment variable similar to the following:
CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"
As part of the login process, JAASRealm registers its own CallbackHandler, called (unsurprisingly) JAASCallbackHandler. This handler supplies the HTTP requests's username and credentials to the user-supplied LoginModule
As with other Realm implementations, digested passwords are supported if the <Realm> element in server.xml contains a digest attribute; JAASCallbackHandler will digest the password prior to passing it back to the LoginModule

author: Craig - R. McClanahan

author: Yoav - Shapira

version: $ - Revision: 607339 $ $Date: 2007-12-28 22:31:46 +0100 (ven., 28 déc. 2007) $

Field Summary
protected String	appName	The application name passed to the JAAS `LoginContext`, which uses it to select the set of relevant `LoginModule`s.
protected static final String	info	Descriptive information about this `Realm` implementation.
protected static final String	name	Descriptive information about this `Realm` implementation.
protected List	roleClasses	The list of role class names, split out for easy processing.
protected static final StringManager	sm	The string manager for this package.
protected List	userClasses	The set of user class names, split out for easy processing.
protected boolean	useContextClassLoader	Whether to use context ClassLoader or default ClassLoader. True means use context ClassLoader, and True is the default value.
protected String	roleClassNames	Comma-delimited list of `java.security.Principal` classes that represent security roles.
protected String	userClassNames	Comma-delimited list of `java.security.Principal` classes that represent individual users.

Fields inherited from org.apache.catalina.realm.RealmBase:
container, containerLog, digest, digestEncoding, info, lifecycle, md, md5Encoder, md5Helper, sm, started, support, validate, allRolesMode, type, domain, host, path, oname, controller, mserver, initialized

Method from org.apache.catalina.realm.JAASRealm Summary:
authenticate, createPrincipal, getAppName, getName, getPassword, getPrincipal, getRoleClassNames, getUserClassNames, isUseContextClassLoader, makeLegalForJAAS, parseClassNames, setAppName, setContainer, setRoleClassNames, setUseContextClassLoader, setUserClassNames, start, stop

Methods from org.apache.catalina.realm.RealmBase:
Digest, addLifecycleListener, addPropertyChangeListener, authenticate, authenticate, authenticate, authenticate, backgroundProcess, destroy, digest, findLifecycleListeners, findSecurityConstraints, getAllRolesMode, getContainer, getController, getDigest, getDigest, getDigestEncoding, getDomain, getInfo, getName, getObjectName, getPassword, getPrincipal, getPrincipal, getType, getValidate, hasMessageDigest, hasResourcePermission, hasRole, hasUserDataPermission, init, main, postDeregister, postRegister, preDeregister, preRegister, removeLifecycleListener, removePropertyChangeListener, setAllRolesMode, setContainer, setController, setDigest, setDigestEncoding, setValidate, start, stop

Methods from org.apache.catalina.realm.RealmBase:

Digest, addLifecycleListener, addPropertyChangeListener, authenticate, authenticate, authenticate, authenticate, backgroundProcess, destroy, digest, findLifecycleListeners, findSecurityConstraints, getAllRolesMode, getContainer, getController, getDigest, getDigest, getDigestEncoding, getDomain, getInfo, getName, getObjectName, getPassword, getPrincipal, getPrincipal, getType, getValidate, hasMessageDigest, hasResourcePermission, hasRole, hasUserDataPermission, init, main, postDeregister, postRegister, preDeregister, preRegister, removeLifecycleListener, removePropertyChangeListener, setAllRolesMode, setContainer, setController, setDigest, setDigestEncoding, setValidate, start, stop

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from org.apache.catalina.realm.JAASRealm Detail:
public Principal authenticate(String username, String credentials) { // Establish a LoginContext to use for authentication try { LoginContext loginContext = null; if( appName==null ) appName="Tomcat"; if( log.isDebugEnabled()) log.debug(sm.getString("jaasRealm.beginLogin", username, appName)); // What if the LoginModule is in the container class loader ? ClassLoader ocl = null; if (!isUseContextClassLoader()) { ocl = Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader( this.getClass().getClassLoader()); } try { loginContext = new LoginContext (appName, new JAASCallbackHandler(this, username, credentials)); } catch (Throwable e) { log.error(sm.getString("jaasRealm.unexpectedError"), e); return (null); } finally { if(!isUseContextClassLoader()) { Thread.currentThread().setContextClassLoader(ocl); } } if( log.isDebugEnabled()) log.debug("Login context created " + username); // Negotiate a login via this LoginContext Subject subject = null; try { loginContext.login(); subject = loginContext.getSubject(); if (subject == null) { if( log.isDebugEnabled()) log.debug(sm.getString("jaasRealm.failedLogin", username)); return (null); } } catch (AccountExpiredException e) { if (log.isDebugEnabled()) log.debug(sm.getString("jaasRealm.accountExpired", username)); return (null); } catch (CredentialExpiredException e) { if (log.isDebugEnabled()) log.debug(sm.getString("jaasRealm.credentialExpired", username)); return (null); } catch (FailedLoginException e) { if (log.isDebugEnabled()) log.debug(sm.getString("jaasRealm.failedLogin", username)); return (null); } catch (LoginException e) { log.warn(sm.getString("jaasRealm.loginException", username), e); return (null); } catch (Throwable e) { log.error(sm.getString("jaasRealm.unexpectedError"), e); return (null); } if( log.isDebugEnabled()) log.debug(sm.getString("jaasRealm.loginContextCreated", username)); // Return the appropriate Principal for this authenticated Subject Principal principal = createPrincipal(username, subject); if (principal == null) { log.debug(sm.getString("jaasRealm.authenticateFailure", username)); return (null); } if (log.isDebugEnabled()) { log.debug(sm.getString("jaasRealm.authenticateSuccess", username)); } return (principal); } catch( Throwable t) { log.error( "error ", t); return null; } } Return the `Principal` associated with the specified username and credentials, if there is one; otherwise return `null`. If there are any errors with the JDBC connection, executing the query or anything we return null (don't authenticate). This event is also logged, and the connection will be closed so that a subsequent request will automatically re-open it.
protected Principal createPrincipal(String username, Subject subject) { // Prepare to scan the Principals for this Subject List< String > roles = new ArrayList< String >(); Principal userPrincipal = null; // Scan the Principals for this Subject Iterator< Principal > principals = subject.getPrincipals().iterator(); while (principals.hasNext()) { Principal principal = principals.next(); String principalClass = principal.getClass().getName(); if( log.isDebugEnabled() ) { log.debug(sm.getString("jaasRealm.checkPrincipal", principal, principalClass)); } if (userPrincipal == null && userClasses.contains(principalClass)) { userPrincipal = principal; if( log.isDebugEnabled() ) { log.debug(sm.getString("jaasRealm.userPrincipalSuccess", principal.getName())); } } if (roleClasses.contains(principalClass)) { roles.add(principal.getName()); if( log.isDebugEnabled() ) { log.debug(sm.getString("jaasRealm.rolePrincipalAdd", principal.getName())); } } } // Print failure message if needed if (userPrincipal == null) { if (log.isDebugEnabled()) { log.debug(sm.getString("jaasRealm.userPrincipalFailure")); log.debug(sm.getString("jaasRealm.rolePrincipalFailure")); } } else { if (roles.size() == 0) { if (log.isDebugEnabled()) { log.debug(sm.getString("jaasRealm.rolePrincipalFailure")); } } } // Return the resulting Principal for our authenticated user return new GenericPrincipal(this, username, null, roles, userPrincipal); } Identify and return a `java.security.Principal` instance representing the authenticated user for the specified `Subject`. The Principal is constructed by scanning the list of Principals returned by the JAASLoginModule. The first `Principal` object that matches one of the class names supplied as a "user class" is the user Principal. This object is returned to tha caller. Any remaining principal objects returned by the LoginModules are mapped to roles, but only if their respective classes match one of the "role class" classes. If a user Principal cannot be constructed, return `null`.
public String getAppName() { return appName; } getter for the `appName` member variable
protected String getName() { return (name); } Return a short name for this `Realm` implementation.
protected String getPassword(String username) { return (null); } Return the password associated with the given principal's user name.
protected Principal getPrincipal(String username) { return (null); } Return the `Principal` associated with the given user name.
public String getRoleClassNames() { return (this.roleClassNames); }
public String getUserClassNames() { return (this.userClassNames); }
public boolean isUseContextClassLoader() { return useContextClassLoader; } Returns whether to use the context or default ClassLoader. True means to use the context ClassLoader.
protected String makeLegalForJAAS(String src) { String result = src; // Default name is "other" per JAAS spec if(result == null) { result = "other"; } // Strip leading slash if present, as Sun JAAS impl // barfs on it (see Bugzilla 30869 bug report). if(result.startsWith("/")) { result = result.substring(1); } return result; } Ensure the given name is legal for JAAS configuration. Added for Bugzilla 30869, made protected for easy customization in case my implementation is insufficient, which I think is very likely.
protected void parseClassNames(String classNamesString, List classNamesList) { classNamesList.clear(); if (classNamesString == null) return; ClassLoader loader = this.getClass().getClassLoader(); if (isUseContextClassLoader()) loader = Thread.currentThread().getContextClassLoader(); String[] classNames = classNamesString.split("[ ],[ ]"); for (int i=0; i< classNames.length; i++) { if (classNames[i].length()==0) continue; try { Class principalClass = Class.forName(classNames[i], false, loader); if (Principal.class.isAssignableFrom(principalClass)) { classNamesList.add(classNames[i]); } else { log.error("Class "+classNames[i]+" is not implementing "+ "java.security.Principal! Class not added."); } } catch (ClassNotFoundException e) { log.error("Class "+classNames[i]+" not found! Class not added."); } } } Parses a comma-delimited list of class names, and store the class names in the provided List. Each class must implement `java.security.Principal`.
public void setAppName(String name) { // ------------------------------------------------------------- Properties appName = name; } Deprecated! `JAAS` - should use the `Engine` (domain) name and webpp/host overrides setter for the `appName` member variable
public void setContainer(Container container) { super.setContainer(container); if( appName==null ) { String name=container.getName(); name = makeLegalForJAAS(name); appName=name; log.info("Set JAAS app name " + appName); } }
public void setRoleClassNames(String roleClassNames) { this.roleClassNames = roleClassNames; } Sets the list of comma-delimited classes that represent roles. The classes in the list must implement `java.security.Principal`. The supplied list of classes will be parsed when #start() is called.
public void setUseContextClassLoader(boolean useContext) { useContextClassLoader = useContext; log.info("Setting useContextClassLoader = " + useContext); } Sets whether to use the context or default ClassLoader. True means use context ClassLoader.
public void setUserClassNames(String userClassNames) { this.userClassNames = userClassNames; } Sets the list of comma-delimited classes that represent individual users. The classes in the list must implement `java.security.Principal`. The supplied list of classes will be parsed when #start() is called.
public void start() throws LifecycleException { // Perform normal superclass initialization super.start(); // These need to be called after loading configuration, in case // useContextClassLoader appears after them in xml config parseClassNames(userClassNames, userClasses); parseClassNames(roleClassNames, roleClasses); } Prepare for active use of the public methods of this `Component`.
public void stop() throws LifecycleException { // Perform normal superclass finalization super.stop(); } Gracefully shut down active use of the public methods of this `Component`.

Method from org.apache.catalina.realm.JAASRealm Detail:

 public Principal authenticate(String username,
    String credentials) {
        // Establish a LoginContext to use for authentication
        try {
        LoginContext loginContext = null;
        if( appName==null ) appName="Tomcat";
        if( log.isDebugEnabled())
            log.debug(sm.getString("jaasRealm.beginLogin", username, appName));
        // What if the LoginModule is in the container class loader ?
        ClassLoader ocl = null;
        if (!isUseContextClassLoader()) {
          ocl = Thread.currentThread().getContextClassLoader();
          Thread.currentThread().setContextClassLoader(
                  this.getClass().getClassLoader());
        }
        try {
            loginContext = new LoginContext
                (appName, new JAASCallbackHandler(this, username,
                                                  credentials));
        } catch (Throwable e) {
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            return (null);
        } finally {
            if(!isUseContextClassLoader()) {
              Thread.currentThread().setContextClassLoader(ocl);
            }
        }
        if( log.isDebugEnabled())
            log.debug("Login context created " + username);
        // Negotiate a login via this LoginContext
        Subject subject = null;
        try {
            loginContext.login();
            subject = loginContext.getSubject();
            if (subject == null) {
                if( log.isDebugEnabled())
                    log.debug(sm.getString("jaasRealm.failedLogin", username));
                return (null);
            }
        } catch (AccountExpiredException e) {
            if (log.isDebugEnabled())
                log.debug(sm.getString("jaasRealm.accountExpired", username));
            return (null);
        } catch (CredentialExpiredException e) {
            if (log.isDebugEnabled())
                log.debug(sm.getString("jaasRealm.credentialExpired", username));
            return (null);
        } catch (FailedLoginException e) {
            if (log.isDebugEnabled())
                log.debug(sm.getString("jaasRealm.failedLogin", username));
            return (null);
        } catch (LoginException e) {
            log.warn(sm.getString("jaasRealm.loginException", username), e);
            return (null);
        } catch (Throwable e) {
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            return (null);
        }
        if( log.isDebugEnabled())
            log.debug(sm.getString("jaasRealm.loginContextCreated", username));
        // Return the appropriate Principal for this authenticated Subject
        Principal principal = createPrincipal(username, subject);
        if (principal == null) {
            log.debug(sm.getString("jaasRealm.authenticateFailure", username));
            return (null);
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.authenticateSuccess", username));
        }
        return (principal);
        } catch( Throwable t) {
            log.error( "error ", t);
            return null;
        }
}

Principal

null

 protected Principal createPrincipal(String username,
    Subject subject) {
        // Prepare to scan the Principals for this Subject
        List< String > roles = new ArrayList< String >();
        Principal userPrincipal = null;
        // Scan the Principals for this Subject
        Iterator< Principal > principals = subject.getPrincipals().iterator();
        while (principals.hasNext()) {
            Principal principal = principals.next();
            String principalClass = principal.getClass().getName();
            if( log.isDebugEnabled() ) {
                log.debug(sm.getString("jaasRealm.checkPrincipal", principal, principalClass));
            }
            if (userPrincipal == null && userClasses.contains(principalClass)) {
                userPrincipal = principal;
                if( log.isDebugEnabled() ) {
                    log.debug(sm.getString("jaasRealm.userPrincipalSuccess", principal.getName()));
                }
            }
            if (roleClasses.contains(principalClass)) {
                roles.add(principal.getName());
                if( log.isDebugEnabled() ) {
                    log.debug(sm.getString("jaasRealm.rolePrincipalAdd", principal.getName()));
                }
            }
        }
        // Print failure message if needed
        if (userPrincipal == null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.userPrincipalFailure"));
                log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
            }
        } else {
            if (roles.size() == 0) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
                }
            }
        }
        // Return the resulting Principal for our authenticated user
        return new GenericPrincipal(this, username, null, roles, userPrincipal);
}

java.security.Principal

Subject

Principal

null

 public String getAppName() {
        return appName;
}

appName

 protected String getName() {
        return (name);
}

Realm

 protected String getPassword(String username) {
        return (null);
}

Return the password associated with the given principal's user name.

 protected Principal getPrincipal(String username) {
        return (null);
}

Principal

 public String getRoleClassNames() {
     
         return (this.roleClassNames);
}

 public String getUserClassNames() {
     
         return (this.userClassNames);
}

 public boolean isUseContextClassLoader() {
	return useContextClassLoader;
}

Returns whether to use the context or default ClassLoader. True means to use the context ClassLoader.

 protected String makeLegalForJAAS(String src) {
         String result = src;
         // Default name is "other" per JAAS spec
         if(result == null) {
             result = "other";
         }
         // Strip leading slash if present, as Sun JAAS impl
         // barfs on it (see Bugzilla 30869 bug report).
         if(result.startsWith("/")) {
             result = result.substring(1);
         }
         return result;
}

Ensure the given name is legal for JAAS configuration. Added for Bugzilla 30869, made protected for easy customization in case my implementation is insufficient, which I think is very likely.

 protected  void parseClassNames(String classNamesString,
    List classNamesList) {
         classNamesList.clear();
         if (classNamesString == null) return;
         ClassLoader loader = this.getClass().getClassLoader();
         if (isUseContextClassLoader())
             loader = Thread.currentThread().getContextClassLoader();
         String[] classNames = classNamesString.split("[ ]*,[ ]*");
         for (int i=0; i< classNames.length; i++) {
             if (classNames[i].length()==0) continue;        
             try {
                 Class principalClass = Class.forName(classNames[i], false,
                         loader);
                 if (Principal.class.isAssignableFrom(principalClass)) {
                     classNamesList.add(classNames[i]);
                 } else {
                     log.error("Class "+classNames[i]+" is not implementing "+
                               "java.security.Principal! Class not added.");
                 }
             } catch (ClassNotFoundException e) {
                 log.error("Class "+classNames[i]+" not found! Class not added.");
             }
         }
}

java.security.Principal

 public  void setAppName(String name) {
    // ------------------------------------------------------------- Properties
        appName = name;
}

Deprecated! JAAS - should use the Engine (domain) name and webpp/host overrides

appName

 public  void setContainer(Container container) {
        super.setContainer(container);
        if( appName==null  ) {
            String name=container.getName();
            name = makeLegalForJAAS(name);
            appName=name;
            log.info("Set JAAS app name " + appName);
        }
}

 public  void setRoleClassNames(String roleClassNames) {
         this.roleClassNames = roleClassNames;
}

java.security.Principal

#start()

 public  void setUseContextClassLoader(boolean useContext) {
      useContextClassLoader = useContext;
      log.info("Setting useContextClassLoader = " + useContext);
}

Sets whether to use the context or default ClassLoader. True means use context ClassLoader.

 public  void setUserClassNames(String userClassNames) {
        this.userClassNames = userClassNames;
}

java.security.Principal

#start()

 public  void start() throws LifecycleException {
        // Perform normal superclass initialization
        super.start();
        // These need to be called after loading configuration, in case
        // useContextClassLoader appears after them in xml config
        parseClassNames(userClassNames, userClasses);
        parseClassNames(roleClassNames, roleClasses);
}

Component

 public  void stop() throws LifecycleException {
        // Perform normal superclass finalization
        super.stop();
}

Component