com.sun.web.security

Class RealmAdapter

java.lang.Object

org.apache.catalina.realm.RealmBase

com.sun.web.security.RealmAdapter

All Implemented Interfaces:

com.sun.enterprise.security.integration.RealmInitializer, org.apache.catalina.Lifecycle, org.apache.catalina.Realm, org.glassfish.hk2.api.PostConstruct

@Service
 @PerLookup
public class RealmAdapter
extends org.apache.catalina.realm.RealmBase
implements com.sun.enterprise.security.integration.RealmInitializer, org.glassfish.hk2.api.PostConstruct

This is the realm adapter used to authenticate users and authorize access to web resources. The authenticate method is called by Tomcat to authenticate users. The hasRole method is called by Tomcat during the authorization process.

Author:

Harpreet Singh, JeanFrancois Arcand

Field Summary

Fields

Modifier and Type	Field and Description
static String	BASIC
protected static String	CONF_FILE_NAME
static String	FORM
protected static String	HTTP_SERVLET_LAYER
protected boolean	isCurrentURIincluded
protected static String	name Descriptive information about this Realm implementation.
protected ReadWriteLock	rwLock
static String	SECURITY_CONTEXT
protected com.sun.enterprise.security.web.integration.WebSecurityManager	webSecurityManager A WebSecurityManager object associated with a CONTEXT_ID
protected com.sun.enterprise.security.web.integration.WebSecurityManagerFactory	webSecurityManagerFactory The factory used for creating WebSecurityManager object.

Fields inherited from class org.apache.catalina.realm.RealmBase

checkIfRequestIsSecure, container, controller, debug, digest, digestEncoding, info, lifecycle, log, md, sha256Helper, started, support, validate

Fields inherited from interface org.apache.catalina.Lifecycle

AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, INIT_EVENT, START_EVENT, STOP_EVENT

Fields inherited from interface org.apache.catalina.Realm

AUTHENTICATE_NEEDED, AUTHENTICATE_NOT_NEEDED, AUTHENTICATED_NOT_AUTHORIZED

Constructor Summary

Constructors

Constructor and Description
RealmAdapter()
RealmAdapter(String realmName, String moduleID) Create for WS Ejb endpoint authentication.

Method Summary

Modifier and Type	Method and Description
Principal	authenticate(javax.servlet.http.HttpServletRequest hreq)
Principal	authenticate(String username, char[] password) Authenticates and sets the SecurityContext in the TLS.
protected boolean	authenticate(String username, char[] password, X509Certificate[] certs) Authenticates and sets the SecurityContext in the TLS.
boolean	authenticate(com.sun.enterprise.security.web.integration.WebPrincipal prin)
Principal	authenticate(X509Certificate[] certs)
protected void	configureSecurity(com.sun.enterprise.deployment.WebBundleDescriptor wbd, boolean isSystem) Generate the JSR 115 policy file for a web application, bundled within a ear or deployed as a standalone war file.
Principal	createFailOveredPrincipal(String username) This method is added to create a Principal based on the username only.
void	destroy() Create the realm adapter.
org.apache.catalina.deploy.SecurityConstraint[]	findSecurityConstraints(org.apache.catalina.HttpRequest request, org.apache.catalina.Context context) Returns null 1.
org.apache.catalina.deploy.SecurityConstraint[]	findSecurityConstraints(String requestPathMB, String httpMethod, org.apache.catalina.Context context) Returns null 1.
protected String	getName() Return a short name for this Realm Adapter implementation.
protected char[]	getPassword(String username)
protected Principal	getPrincipal(String username)
String	getRealmName() Return the name of the realm this RealmAdapter uses.
com.sun.enterprise.deployment.WebBundleDescriptor	getWebDescriptor()
com.sun.enterprise.security.web.integration.WebSecurityManager	getWebSecurityManager(boolean logNull)
boolean	hasResourcePermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, org.apache.catalina.Context context) Perform access control based on the specified authorization constraint.
boolean	hasRole(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, Principal principal, String role) Check if the given principal has the provided role.
boolean	hasRole(String servletName, Principal principal, String role)
boolean	hasUserDataPermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints) Enforce any user data constraint required by the security constraint guarding this request URI.
boolean	hasUserDataPermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, String uri, String method) Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied.
void	initConfigHelper(javax.servlet.ServletContext servletContext)
void	initializeRealm(Object descriptor, boolean isSystemApp, String realmName)
boolean	invokeAuthenticateDelegate(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.Context context, org.apache.catalina.Authenticator authenticator, boolean calledFromAuthenticate) Authenticates the user making this request, based on the specified login configuration.
boolean	invokePostAuthenticateDelegate(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.Context context) Post authentication for given request and response.
boolean	isSecurityExtensionEnabled(javax.servlet.ServletContext context) Return true if a Security Extension is available.
void	logout()
void	logout(org.apache.catalina.HttpRequest req)
void	postConstruct()
void	postSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation inv) Attempts to restore old SecurityContext (but fails).
int	preAuthenticateCheck(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled) Checks whether or not authentication is needed.
void	preSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation inv) Set the run-as principal into the SecurityContext when needed.
void	setCurrentSecurityContext(Principal principal)
void	setCurrentSecurityContextWithWebPrincipal(Principal principal)
void	setRealmName(String realmName)
void	setVirtualServer(Object container) Sets the virtual server on which the web module (with which this RealmAdapter is associated with) has been deployed.
void	updateWebSecurityManager()

Methods inherited from class org.apache.catalina.realm.RealmBase

addLifecycleListener, addPropertyChangeListener, authenticate, backgroundProcess, digest, disableProxyCaching, findLifecycleListeners, getAlternateAuthType, getAlternatePrincipal, getContainer, getController, getDebug, getDigest, getDigest, getDigestEncoding, getInfo, getValidate, hasMessageDigest, hasRole, log, log, removeLifecycleListener, removePropertyChangeListener, setContainer, setController, setDebug, setDigest, setDigestEncoding, setRealmName, setValidate, start, stop

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SECURITY_CONTEXT

public static final String SECURITY_CONTEXT

See Also:

Constant Field Values

BASIC

public static final String BASIC

See Also:

Constant Field Values

FORM

public static final String FORM

See Also:

Constant Field Values

name

protected static final String name

Descriptive information about this Realm implementation.

See Also:

Constant Field Values

webSecurityManager

protected volatile com.sun.enterprise.security.web.integration.WebSecurityManager webSecurityManager

A WebSecurityManager object associated with a CONTEXT_ID

webSecurityManagerFactory

@Inject
protected com.sun.enterprise.security.web.integration.WebSecurityManagerFactory webSecurityManagerFactory

The factory used for creating WebSecurityManager object.

isCurrentURIincluded

protected boolean isCurrentURIincluded

rwLock

protected final ReadWriteLock rwLock

CONF_FILE_NAME

protected static final String CONF_FILE_NAME

See Also:

Constant Field Values

HTTP_SERVLET_LAYER

protected static final String HTTP_SERVLET_LAYER

See Also:

Constant Field Values

Constructor Detail

RealmAdapter

public RealmAdapter()

RealmAdapter

public RealmAdapter(String realmName,
                    String moduleID)

Create for WS Ejb endpoint authentication. Roles related data is not available here.

Method Detail

destroy

public void destroy()

Create the realm adapter. Extracts the role to user/group mapping from the runtime deployment descriptor.

Overrides:

destroy in class org.apache.catalina.realm.RealmBase

Parameters:

the - web bundle deployment descriptor.

isSystemApp - if the app is a system app.

realmName - The realm name to use if the app does not specify its own public RealmAdapter(WebBundleDescriptor descriptor, boolean isSystemApp, String realmName) { this.isSystemApp = isSystemApp; webDesc = descriptor; Application app = descriptor.getApplication(); mapper = app.getRoleMapper(); LoginConfiguration loginConfig = descriptor.getLoginConfiguration(); _realmName = app.getRealm(); if (_realmName == null && loginConfig != null) { _realmName = loginConfig.getRealmName(); } if (realmName != null && (_realmName == null || _realmName.equals(""))) { _realmName = realmName; } // BEGIN IASRI 4747594 CONTEXT_ID = WebSecurityManager.getContextID(descriptor); runAsPrincipals = new HashMap(); Iterator bundle = webDesc.getWebComponentDescriptors().iterator(); while (bundle.hasNext()) { WebComponentDescriptor wcd = (WebComponentDescriptor) bundle.next(); RunAsIdentityDescriptor runAsDescriptor = wcd.getRunAsIdentity(); if (runAsDescriptor != null) { String principal = runAsDescriptor.getPrincipal(); String servlet = wcd.getCanonicalName(); if (principal == null || servlet == null) { _logger.warning("web.realmadapter.norunas"); } else { runAsPrincipals.put(servlet, principal); _logger.fine("Servlet " + servlet + " will run-as: " + principal); } } } // END IASRI 4747594 this.appID = app.getRegistrationName(); // helper are set until setVirtualServer is invoked }

setVirtualServer

public void setVirtualServer(Object container)

Sets the virtual server on which the web module (with which this RealmAdapter is associated with) has been deployed.

Specified by:

setVirtualServer in interface com.sun.enterprise.security.integration.RealmInitializer

Parameters:

container - The virtual server

getWebDescriptor

public com.sun.enterprise.deployment.WebBundleDescriptor getWebDescriptor()

getWebSecurityManager

public com.sun.enterprise.security.web.integration.WebSecurityManager getWebSecurityManager(boolean logNull)

updateWebSecurityManager

public void updateWebSecurityManager()

Specified by:

updateWebSecurityManager in interface com.sun.enterprise.security.integration.RealmInitializer

hasRole

public boolean hasRole(org.apache.catalina.HttpRequest request,
                       org.apache.catalina.HttpResponse response,
                       Principal principal,
                       String role)

Check if the given principal has the provided role. Returns true if the principal has the specified role, false otherwise.

Specified by:

hasRole in interface org.apache.catalina.Realm

Overrides:

hasRole in class org.apache.catalina.realm.RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

the - principal

the - role

Returns:

true if the principal has the specified role.

hasRole

public boolean hasRole(String servletName,
                       Principal principal,
                       String role)

logout

public void logout(org.apache.catalina.HttpRequest req)

Specified by:

logout in interface org.apache.catalina.Realm

Overrides:

logout in class org.apache.catalina.realm.RealmBase

logout

public void logout()

Specified by:

logout in interface com.sun.enterprise.security.integration.RealmInitializer

authenticate

public Principal authenticate(javax.servlet.http.HttpServletRequest hreq)

Specified by:

authenticate in interface org.apache.catalina.Realm

Overrides:

authenticate in class org.apache.catalina.realm.RealmBase

authenticate

public Principal authenticate(String username,
                              char[] password)

Authenticates and sets the SecurityContext in the TLS.

Specified by:

authenticate in interface org.apache.catalina.Realm

Overrides:

authenticate in class org.apache.catalina.realm.RealmBase

Parameters:

the - user name.

the - password.

Returns:

the authenticated principal.

authenticate

public Principal authenticate(X509Certificate[] certs)

Specified by:

authenticate in interface org.apache.catalina.Realm

Overrides:

authenticate in class org.apache.catalina.realm.RealmBase

authenticate

public boolean authenticate(com.sun.enterprise.security.web.integration.WebPrincipal prin)

authenticate

protected boolean authenticate(String username,
                               char[] password,
                               X509Certificate[] certs)

Authenticates and sets the SecurityContext in the TLS.

Parameters:

the - username.

the - authentication method.

the - authentication data.

Returns:

true if authentication succeeded, false otherwise.

preSetRunAsIdentity

public void preSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation inv)

Set the run-as principal into the SecurityContext when needed.

This method will attempt to obtain the name of the servlet from the ComponentInvocation. Note that there may not be one since this gets called also during internal processing (not clear..) not just part of servlet requests. However, if it is not a servlet request there is no need (or possibility) to have a run-as setting so no further action is taken.

If the servlet name is present the runAsPrincipals cache is checked to find the run-as principal to use (if any). If one is set, the SecurityContext is switched to this principal.

Parameters:

inv - The invocation object to process.

postSetRunAsIdentity

public void postSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation inv)

Attempts to restore old SecurityContext (but fails).

In theory this method seems to attempt to check if a run-as principal was set by preSetRunAsIdentity() (based on the indirect assumption that if the servlet in the given invocation has a run-as this must've been the case). If so, it retrieves the oldSecurityContext from the invocation object and set it in the SecurityContext.

The problem is that the invocation object is not the same object as was passed in to preSetRunAsIdentity() so it will never contain the right info - see bug 4757733.

In practice it means this method only ever sets the SecurityContext to null (if run-as matched) or does nothing. In particular note the implication that it will be set to null after a run-as invocation completes. This behavior will be retained for the time being for consistency with RI. It must be fixed later.

Parameters:

inv - The invocation object to process.

getPassword

protected char[] getPassword(String username)

Specified by:

getPassword in class org.apache.catalina.realm.RealmBase

getPrincipal

protected Principal getPrincipal(String username)

Specified by:

getPrincipal in class org.apache.catalina.realm.RealmBase

createFailOveredPrincipal

public Principal createFailOveredPrincipal(String username)

This method is added to create a Principal based on the username only. Hercules stores the username as part of authentication failover and needs to create a Principal based on username only

Parameters:

username -

Returns:

Principal for the user username HERCULES:add

hasResourcePermission

public boolean hasResourcePermission(org.apache.catalina.HttpRequest request,
                                     org.apache.catalina.HttpResponse response,
                                     org.apache.catalina.deploy.SecurityConstraint[] constraints,
                                     org.apache.catalina.Context context)
                              throws IOException

Perform access control based on the specified authorization constraint. Return true if this constraint is satisfied and processing should continue, or false otherwise.

Specified by:

hasResourcePermission in interface org.apache.catalina.Realm

Overrides:

hasResourcePermission in class org.apache.catalina.realm.RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

constraint - Security constraint we are enforcing

The - Context to which client of this class is attached.

Throws:

IOException - if an input/output error occurs

hasUserDataPermission

public boolean hasUserDataPermission(org.apache.catalina.HttpRequest request,
                                     org.apache.catalina.HttpResponse response,
                                     org.apache.catalina.deploy.SecurityConstraint[] constraints)
                              throws IOException

Enforce any user data constraint required by the security constraint guarding this request URI.

Specified by:

hasUserDataPermission in interface org.apache.catalina.Realm

Overrides:

hasUserDataPermission in class org.apache.catalina.realm.RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

constraints - Security constraint being checked

Returns:

true if this constraint was not violated and processing should continue, or false if we have created a response already

Throws:

IOException - if an input/output error occurs

hasUserDataPermission

public boolean hasUserDataPermission(org.apache.catalina.HttpRequest request,
                                     org.apache.catalina.HttpResponse response,
                                     org.apache.catalina.deploy.SecurityConstraint[] constraints,
                                     String uri,
                                     String method)
                              throws IOException

Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of CONFIDENTIAL, and whether any such constraint is already satisfied. If uri and method are null, then the URI and method of the given request are checked. If a user-data-constraint exists that is not satisfied, then the given request will be redirected to HTTPS.

Specified by:

hasUserDataPermission in interface org.apache.catalina.Realm

Overrides:

hasUserDataPermission in class org.apache.catalina.realm.RealmBase

Parameters:

request - the request that may be redirected

response - the response that may be redirected

constraints - the security constraints to check against

uri - the request URI (minus the context path) to check

method - the request method to check

Returns:

true if the request URI and method are not the target of any unsatisfied user-data-constraint with a transport-guarantee of CONFIDENTIAL, and false if they are (in which case the given request will have been redirected to HTTPS)

Throws:

IOException

getName

protected String getName()

Return a short name for this Realm Adapter implementation.

Specified by:

getName in class org.apache.catalina.realm.RealmBase

getRealmName

public String getRealmName()

Return the name of the realm this RealmAdapter uses.

Specified by:

getRealmName in interface org.apache.catalina.Realm

Overrides:

getRealmName in class org.apache.catalina.realm.RealmBase

Returns:

realm name

setRealmName

public void setRealmName(String realmName)

findSecurityConstraints

public org.apache.catalina.deploy.SecurityConstraint[] findSecurityConstraints(org.apache.catalina.HttpRequest request,
                                                                               org.apache.catalina.Context context)

Returns null 1. if there are no security constraints defined on any of the web resources within the context, or 2. if the target is a form login related page or target. otherwise return an empty array of SecurityConstraint.

Specified by:

findSecurityConstraints in interface org.apache.catalina.Realm

Overrides:

findSecurityConstraints in class org.apache.catalina.realm.RealmBase

findSecurityConstraints

public org.apache.catalina.deploy.SecurityConstraint[] findSecurityConstraints(String requestPathMB,
                                                                               String httpMethod,
                                                                               org.apache.catalina.Context context)

Returns null 1. if there are no security constraints defined on any of the web resources within the context, or 2. if the target is a form login related page or target. otherwise return an empty array of SecurityConstraint.

Specified by:

findSecurityConstraints in interface org.apache.catalina.Realm

Overrides:

findSecurityConstraints in class org.apache.catalina.realm.RealmBase

preAuthenticateCheck

public int preAuthenticateCheck(org.apache.catalina.HttpRequest request,
                                org.apache.catalina.HttpResponse response,
                                org.apache.catalina.deploy.SecurityConstraint[] constraints,
                                boolean disableProxyCaching,
                                boolean securePagesWithPragma,
                                boolean ssoEnabled)
                         throws IOException

Checks whether or not authentication is needed. Returns an int, one of AUTHENTICATE_NOT_NEEDED, AUTHENTICATE_NEEDED, or AUTHENTICATED_NOT_AUTHORIZED

Specified by:

preAuthenticateCheck in interface org.apache.catalina.Realm

Overrides:

preAuthenticateCheck in class org.apache.catalina.realm.RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

constraints - Security constraint we are enforcing

disableProxyCaching - whether or not to disable proxy caching for protected resources.

securePagesWithPragma - true if we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.

ssoEnabled - true if sso is enabled

Throws:

IOException - if an input/output error occurs

invokeAuthenticateDelegate

public boolean invokeAuthenticateDelegate(org.apache.catalina.HttpRequest request,
                                          org.apache.catalina.HttpResponse response,
                                          org.apache.catalina.Context context,
                                          org.apache.catalina.Authenticator authenticator,
                                          boolean calledFromAuthenticate)
                                   throws IOException

Authenticates the user making this request, based on the specified login configuration. Return true if any specified requirements have been satisfied, or false if we have created a response challenge already.

Specified by:

invokeAuthenticateDelegate in interface org.apache.catalina.Realm

Overrides:

invokeAuthenticateDelegate in class org.apache.catalina.realm.RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

context - The Context to which client of this class is attached.

authenticantion - the current authenticator.

Throws:

IOException - if an input/output error occurs

invokePostAuthenticateDelegate

public boolean invokePostAuthenticateDelegate(org.apache.catalina.HttpRequest request,
                                              org.apache.catalina.HttpResponse response,
                                              org.apache.catalina.Context context)
                                       throws IOException

Post authentication for given request and response.

Specified by:

invokePostAuthenticateDelegate in interface org.apache.catalina.Realm

Overrides:

invokePostAuthenticateDelegate in class org.apache.catalina.realm.RealmBase

Parameters:

request - Request we are processing

response - Response we are creating

context - The Context to which client of this class is attached.

Throws:

IOException - if an input/output error occurs

isSecurityExtensionEnabled

public boolean isSecurityExtensionEnabled(javax.servlet.ServletContext context)

Return true if a Security Extension is available.

Specified by:

isSecurityExtensionEnabled in interface org.apache.catalina.Realm

Overrides:

isSecurityExtensionEnabled in class org.apache.catalina.realm.RealmBase

Returns:

true if a Security Extension is available. 1171

initializeRealm

public void initializeRealm(Object descriptor,
                            boolean isSystemApp,
                            String realmName)

Specified by:

initializeRealm in interface com.sun.enterprise.security.integration.RealmInitializer

configureSecurity

protected void configureSecurity(com.sun.enterprise.deployment.WebBundleDescriptor wbd,
                                 boolean isSystem)

Generate the JSR 115 policy file for a web application, bundled within a ear or deployed as a standalone war file. Implementation note: If the generated file doesn't contains all the permission, the role mapper is probably broken.

setCurrentSecurityContextWithWebPrincipal

public void setCurrentSecurityContextWithWebPrincipal(Principal principal)

setCurrentSecurityContext

public void setCurrentSecurityContext(Principal principal)

initConfigHelper

public void initConfigHelper(javax.servlet.ServletContext servletContext)

postConstruct

public void postConstruct()

Specified by:

postConstruct in interface org.glassfish.hk2.api.PostConstruct