Class RealmAdapter

java.lang.Object
org.apache.catalina.realm.RealmBase
com.sun.web.security.RealmAdapter
All Implemented Interfaces:
com.sun.enterprise.security.integration.RealmInitializer, org.apache.catalina.Lifecycle, org.apache.catalina.Realm, org.glassfish.hk2.api.PostConstruct

@Service @PerLookup public final class RealmAdapter extends org.apache.catalina.realm.RealmBase implements com.sun.enterprise.security.integration.RealmInitializer, org.glassfish.hk2.api.PostConstruct
This is the realm adapter used to authenticate users and authorize access to web resources. The authenticate method is called by Tomcat to authenticate users. The hasRole method is called by Tomcat during the authorization process.
Author:
Harpreet Singh, JeanFrancois Arcand
  • Field Summary

    Fields
    Modifier and Type  Field  Description
    static final String  BASIC
    static final String  FORM
    protected boolean  isCurrentURIincluded
    protected static final String  name
        Descriptive information about this Realm implementation.
    protected final ReadWriteLock  rwLock
    static final String  SECURITY_CONTEXT
    protected com.sun.enterprise.security.ee.web.integration.WebSecurityManager  webSecurityManager
        A WebSecurityManager object associated with a CONTEXT_ID.
    protected com.sun.enterprise.security.ee.web.integration.WebSecurityManagerFactory  webSecurityManagerFactory
        The factory used for creating WebSecurityManager objects.

    Fields inherited from class org.apache.catalina.realm.RealmBase

    checkIfRequestIsSecure, container, controller, debug, digest, digestEncoding, info, lifecycle, log, md, rb, sha256Helper, started, support, validate

    Fields inherited from interface org.apache.catalina.Lifecycle

    AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, INIT_EVENT, START_EVENT, STOP_EVENT

    Fields inherited from interface org.apache.catalina.Realm

    AUTHENTICATE_NEEDED, AUTHENTICATE_NOT_NEEDED, AUTHENTICATED_NOT_AUTHORIZED
  • Constructor Summary

    Constructors
    Constructor  Description
    RealmAdapter()
    RealmAdapter(String realmName, String moduleID)
        Create for Web Services Enterprise Beans endpoint authentication.
  • Method Summary

    Modifier and Type  Method  Description
    Principal  authenticate(jakarta.servlet.http.HttpServletRequest httpServletRequest)
    boolean  authenticate(jakarta.servlet.http.HttpServletRequest request, com.sun.enterprise.security.ee.web.integration.WebPrincipal principal)
        IASRI 4688449: this method was only used by EEInstanceListener to set the security context prior to invocations, by re-authenticating a previously set WebPrincipal.
    Principal  authenticate(org.apache.catalina.HttpRequest request, String username, char[] password)
    Principal  authenticate(org.apache.catalina.HttpRequest request, X509Certificate[] certificates)
    protected void  configureSecurity(com.sun.enterprise.deployment.WebBundleDescriptor webBundleDescriptor, boolean isSystem)
        Commit the Jakarta Authorization module, bringing the policy into service.
    static void  copySubject(Subject target, Subject source)
    Principal  createFailOveredPrincipal(String username)
        Creates a Principal based on the username only.
    void  destroy()
    org.apache.catalina.deploy.SecurityConstraint[]  findSecurityConstraints(String requestPathMB, String httpMethod, org.apache.catalina.Context context)
    org.apache.catalina.deploy.SecurityConstraint[]  findSecurityConstraints(org.apache.catalina.HttpRequest request, org.apache.catalina.Context context)
    org.glassfish.epicyro.services.BaseAuthenticationService  getAuthenticationService()
    protected String  getName()
    protected char[]  getPassword(String username)
    protected Principal  getPrincipal(String username)
    String  getRealmName()
    com.sun.enterprise.deployment.WebBundleDescriptor  getWebDescriptor()
    com.sun.enterprise.security.ee.web.integration.WebSecurityManager  getWebSecurityManager(boolean logNull)
        Utility method to get the web security manager.
    boolean  hasResourcePermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, org.apache.catalina.Context context)
    boolean  hasRole(String servletName, Principal principal, String role)
    boolean  hasRole(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, Principal principal, String role)
    boolean  hasUserDataPermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints)
    boolean  hasUserDataPermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, String uri, String method)
    void  initAuthenticationService(jakarta.servlet.ServletContext servletContext)
    void  initializeRealm(Object descriptor, boolean isSystemApp, String initialRealmName)
    boolean  invokeAuthenticateDelegate(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.Context context, org.apache.catalina.Authenticator authenticator, boolean calledFromAuthenticate)
    boolean  invokePostAuthenticateDelegate(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.Context context)
    boolean  isSecurityExtensionEnabled(jakarta.servlet.ServletContext context)
        Return true if Jakarta Authentication is available.
    void  logout()
    void  logout(org.apache.catalina.HttpRequest httpRequest)
    void  postConstruct()
    void  postSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation inv)
        Attempts to restore the old SecurityContext (but fails; see the method details).
    int  preAuthenticateCheck(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled)
    void  preSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation componentInvocation)
        Set the run-as principal into the SecurityContext when needed.
    static void  removeFromCredentials(Subject subject, Class<?> typeToRemove)
    void  setCurrentSecurityContext(Principal principal)
    void  setCurrentSecurityContextWithWebPrincipal(Principal principal)
    void  setRealmName(String realmName)
    void  setVirtualServer(Object container)
        Sets the virtual server on which the web module associated with this RealmAdapter has been deployed.
    static void  toSubject(Subject subject, Principal principal)
    static void  toSubject(Subject subject, Set<Principal> principals)
    static void  toSubjectCredential(Subject subject, Object credential)
    void  updateWebSecurityManager()

    Methods inherited from class org.apache.catalina.realm.RealmBase

    addLifecycleListener, addPropertyChangeListener, authenticate, backgroundProcess, digest, disableProxyCaching, findLifecycleListeners, getAlternateAuthType, getAlternatePrincipal, getContainer, getController, getDebug, getDigest, getDigest, getDigestEncoding, getInfo, getValidate, hasMessageDigest, hasRole, log, log, removeLifecycleListener, removePropertyChangeListener, setContainer, setController, setDebug, setDigest, setDigestEncoding, setRealmName, setValidate, start, stop

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

    • SECURITY_CONTEXT

      public static final String SECURITY_CONTEXT
    • BASIC

      public static final String BASIC
    • FORM

      public static final String FORM
    • name

      protected static final String name
      Descriptive information about this Realm implementation.
    • webSecurityManager

      protected volatile com.sun.enterprise.security.ee.web.integration.WebSecurityManager webSecurityManager
      A WebSecurityManager object associated with a CONTEXT_ID
    • isCurrentURIincluded

      protected boolean isCurrentURIincluded
    • rwLock

      protected final ReadWriteLock rwLock
    • webSecurityManagerFactory

      @Inject protected com.sun.enterprise.security.ee.web.integration.WebSecurityManagerFactory webSecurityManagerFactory
      The factory used for creating WebSecurityManager object.
  • Constructor Details

    • RealmAdapter

      public RealmAdapter()
    • RealmAdapter

      public RealmAdapter(String realmName, String moduleID)
      Create for Web Services Enterprise Beans endpoint authentication.

      Roles related data is not available here.

  • Method Details

    • initializeRealm

      public void initializeRealm(Object descriptor, boolean isSystemApp, String initialRealmName)
      Specified by:
      initializeRealm in interface com.sun.enterprise.security.integration.RealmInitializer
    • isSecurityExtensionEnabled

      public boolean isSecurityExtensionEnabled(jakarta.servlet.ServletContext context)
      Return true if Jakarta Authentication is available.
      Specified by:
      isSecurityExtensionEnabled in interface org.apache.catalina.Realm
      Overrides:
      isSecurityExtensionEnabled in class org.apache.catalina.realm.RealmBase
      Returns:
      true if Jakarta Authentication is available.
    • findSecurityConstraints

      public org.apache.catalina.deploy.SecurityConstraint[] findSecurityConstraints(org.apache.catalina.HttpRequest request, org.apache.catalina.Context context)
      Specified by:
      findSecurityConstraints in interface org.apache.catalina.Realm
      Overrides:
      findSecurityConstraints in class org.apache.catalina.realm.RealmBase
    • findSecurityConstraints

      public org.apache.catalina.deploy.SecurityConstraint[] findSecurityConstraints(String requestPathMB, String httpMethod, org.apache.catalina.Context context)
      Specified by:
      findSecurityConstraints in interface org.apache.catalina.Realm
      Overrides:
      findSecurityConstraints in class org.apache.catalina.realm.RealmBase
    • hasUserDataPermission

      public boolean hasUserDataPermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints) throws IOException
      Specified by:
      hasUserDataPermission in interface org.apache.catalina.Realm
      Overrides:
      hasUserDataPermission in class org.apache.catalina.realm.RealmBase
      Throws:
      IOException
    • hasUserDataPermission

      public boolean hasUserDataPermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, String uri, String method) throws IOException
      Specified by:
      hasUserDataPermission in interface org.apache.catalina.Realm
      Overrides:
      hasUserDataPermission in class org.apache.catalina.realm.RealmBase
      Throws:
      IOException
    • preAuthenticateCheck

      public int preAuthenticateCheck(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, boolean disableProxyCaching, boolean securePagesWithPragma, boolean ssoEnabled) throws IOException
      Specified by:
      preAuthenticateCheck in interface org.apache.catalina.Realm
      Overrides:
      preAuthenticateCheck in class org.apache.catalina.realm.RealmBase
      Throws:
      IOException
    • invokeAuthenticateDelegate

      public boolean invokeAuthenticateDelegate(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.Context context, org.apache.catalina.Authenticator authenticator, boolean calledFromAuthenticate) throws IOException
      Specified by:
      invokeAuthenticateDelegate in interface org.apache.catalina.Realm
      Overrides:
      invokeAuthenticateDelegate in class org.apache.catalina.realm.RealmBase
      Throws:
      IOException
    • getName

      protected String getName()
      Specified by:
      getName in class org.apache.catalina.realm.RealmBase
    • getRealmName

      public String getRealmName()
      Specified by:
      getRealmName in interface org.apache.catalina.Realm
      Overrides:
      getRealmName in class org.apache.catalina.realm.RealmBase
    • setVirtualServer

      public void setVirtualServer(Object container)
      Sets the virtual server on which the web module associated with this RealmAdapter has been deployed.
      Specified by:
      setVirtualServer in interface com.sun.enterprise.security.integration.RealmInitializer
      Parameters:
      container - The virtual server
    • updateWebSecurityManager

      public void updateWebSecurityManager()
      Specified by:
      updateWebSecurityManager in interface com.sun.enterprise.security.integration.RealmInitializer
    • authenticate

      public Principal authenticate(org.apache.catalina.HttpRequest request, String username, char[] password)
      Specified by:
      authenticate in interface org.apache.catalina.Realm
      Overrides:
      authenticate in class org.apache.catalina.realm.RealmBase
    • authenticate

      public Principal authenticate(jakarta.servlet.http.HttpServletRequest httpServletRequest)
      Specified by:
      authenticate in interface org.apache.catalina.Realm
    • authenticate

      public Principal authenticate(org.apache.catalina.HttpRequest request, X509Certificate[] certificates)
      Specified by:
      authenticate in interface org.apache.catalina.Realm
      Overrides:
      authenticate in class org.apache.catalina.realm.RealmBase
    • hasResourcePermission

      public boolean hasResourcePermission(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.deploy.SecurityConstraint[] constraints, org.apache.catalina.Context context) throws IOException
      Specified by:
      hasResourcePermission in interface org.apache.catalina.Realm
      Overrides:
      hasResourcePermission in class org.apache.catalina.realm.RealmBase
      Throws:
      IOException
    • invokePostAuthenticateDelegate

      public boolean invokePostAuthenticateDelegate(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, org.apache.catalina.Context context) throws IOException
      Specified by:
      invokePostAuthenticateDelegate in interface org.apache.catalina.Realm
      Overrides:
      invokePostAuthenticateDelegate in class org.apache.catalina.realm.RealmBase
      Throws:
      IOException
    • hasRole

      public boolean hasRole(org.apache.catalina.HttpRequest request, org.apache.catalina.HttpResponse response, Principal principal, String role)
      Specified by:
      hasRole in interface org.apache.catalina.Realm
      Overrides:
      hasRole in class org.apache.catalina.realm.RealmBase
    • destroy

      public void destroy()
      Overrides:
      destroy in class org.apache.catalina.realm.RealmBase
    • getWebDescriptor

      public com.sun.enterprise.deployment.WebBundleDescriptor getWebDescriptor()
    • getWebSecurityManager

      public com.sun.enterprise.security.ee.web.integration.WebSecurityManager getWebSecurityManager(boolean logNull)
      Utility method to get web security manager. Will log warning if the manager is not found in the factory, and logNull is true.

      Note: webSecurityManagerFactory can be null, because the (very questionable) SOAP code simply instantiates a RealmAdapter itself rather than obtaining an instance with the factory injected.

      Parameters:
      logNull -
      Returns:
      WebSecurityManager or null
    • hasRole

      public boolean hasRole(String servletName, Principal principal, String role)
    • logout

      public void logout(org.apache.catalina.HttpRequest httpRequest)
      Specified by:
      logout in interface org.apache.catalina.Realm
      Overrides:
      logout in class org.apache.catalina.realm.RealmBase
    • logout

      public void logout()
      Specified by:
      logout in interface com.sun.enterprise.security.integration.RealmInitializer
    • authenticate

      public boolean authenticate(jakarta.servlet.http.HttpServletRequest request, com.sun.enterprise.security.ee.web.integration.WebPrincipal principal)
      IASRI 4688449: this method was only used by EEInstanceListener to set the security context prior to invocations, by re-authenticating a previously set WebPrincipal. The security context is now cached, so this is no longer needed.
    • preSetRunAsIdentity

      public void preSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation componentInvocation)
      Set the run-as principal into the SecurityContext when needed.

      This method attempts to obtain the name of the servlet from the ComponentInvocation. There may not be one, since this is also called during internal processing (the exact circumstances are not clear), not only as part of servlet requests. If it is not a servlet request there is no need (or possibility) for a run-as setting, so no further action is taken.

      If the servlet name is present, the runAsPrincipals cache is checked to find the run-as principal to use (if any). If one is set, the SecurityContext is switched to this principal.

      Parameters:
      componentInvocation - The invocation object to process.
    • postSetRunAsIdentity

      public void postSetRunAsIdentity(org.glassfish.api.invocation.ComponentInvocation inv)
      Attempts to restore the old SecurityContext (but fails).

      In theory this method checks whether a run-as principal was set by preSetRunAsIdentity() (on the indirect assumption that if the servlet in the given invocation has a run-as, this must have been the case). If so, it retrieves the oldSecurityContext from the invocation object and sets it as the current SecurityContext.

      The problem is that the invocation object is not the same object that was passed to preSetRunAsIdentity(), so it never contains the right information; see bug 4757733.

      In practice this means the method only ever sets the SecurityContext to null (if the run-as matched) or does nothing. Note in particular the implication that the SecurityContext is null after a run-as invocation completes. This behavior is retained for the time being for consistency with the RI; it must be fixed later.

      Parameters:
      inv - The invocation object to process.
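      The run-as switch described for preSetRunAsIdentity() and postSetRunAsIdentity() above, as an added stand-alone illustration (not GlassFish code): a thread-bound context is saved on the invocation object, swapped for the servlet's run-as identity, and restored afterwards. The class and method names mirror the page's for readability but are assumed stand-ins; the run-as mapping is constructed, and the real SecurityContext and ComponentInvocation types are not reproduced. Two flows are shown: a restore that reuses the object the pre-call populated, and a restore handed a freshly built invocation, which is the mismatch the description of bug 4757733 refers to.

```java
import java.security.Principal;
import java.util.Map;

// Added illustration of the run-as save/switch/restore pattern; all names are
// stand-ins, not GlassFish's own classes.
public final class RunAsDemo {

    /** Stand-in for the thread-bound SecurityContext. */
    static final class SecurityContext {
        private static final ThreadLocal<SecurityContext> CURRENT = new ThreadLocal<>();
        final Principal principal;

        SecurityContext(Principal principal) { this.principal = principal; }

        static SecurityContext getCurrent() { return CURRENT.get(); }

        static void setCurrent(SecurityContext context) {
            if (context == null) CURRENT.remove(); else CURRENT.set(context);
        }

        /** Name of the current identity, or "null" when no context is bound. */
        static String describe() {
            SecurityContext current = getCurrent();
            return current == null ? "null" : current.principal.getName();
        }
    }

    /** Stand-in for ComponentInvocation: the servlet name plus the saved caller context. */
    static final class ComponentInvocation {
        final String servletName;
        SecurityContext oldSecurityContext;

        ComponentInvocation(String servletName) { this.servletName = servletName; }
    }

    /** Constructed mapping from servlet name to run-as identity, standing in for the runAsPrincipals cache. */
    static final Map<String, Principal> RUN_AS = Map.of("ReportServlet", () -> "report-service");

    /** Save the caller's context on the invocation and switch to the servlet's run-as identity, if any. */
    static void preSetRunAsIdentity(ComponentInvocation inv) {
        Principal runAs = inv.servletName == null ? null : RUN_AS.get(inv.servletName);
        if (runAs == null) {
            return; // not a servlet request, or no run-as configured: nothing to switch
        }
        inv.oldSecurityContext = SecurityContext.getCurrent();
        SecurityContext.setCurrent(new SecurityContext(runAs));
    }

    /** Restore whatever context the given invocation carries, if the servlet has a run-as. */
    static void postSetRunAsIdentity(ComponentInvocation inv) {
        if (inv.servletName == null || !RUN_AS.containsKey(inv.servletName)) {
            return;
        }
        // If inv is not the object populated by preSetRunAsIdentity(), oldSecurityContext is
        // null here and the caller's identity is dropped for the rest of the thread.
        SecurityContext.setCurrent(inv.oldSecurityContext);
    }

    /** Correct pairing: the same invocation object is used for the switch and the restore. */
    static String pairedFlow(Principal caller, String servlet) {
        SecurityContext.setCurrent(new SecurityContext(caller));
        ComponentInvocation inv = new ComponentInvocation(servlet);
        String during;
        preSetRunAsIdentity(inv);
        try {
            during = SecurityContext.describe(); // identity the servlet body would run under
        } finally {
            postSetRunAsIdentity(inv);
        }
        return "during=" + during + " after=" + SecurityContext.describe();
    }

    /** Mismatched pairing: the restore is handed a fresh invocation, as bug 4757733 describes. */
    static String mismatchedFlow(Principal caller, String servlet) {
        SecurityContext.setCurrent(new SecurityContext(caller));
        preSetRunAsIdentity(new ComponentInvocation(servlet));
        String during = SecurityContext.describe();
        postSetRunAsIdentity(new ComponentInvocation(servlet)); // different object: no saved context
        return "during=" + during + " after=" + SecurityContext.describe();
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice";
        System.out.println("paired, run-as servlet:     " + pairedFlow(alice, "ReportServlet"));
        System.out.println("mismatched, run-as servlet: " + mismatchedFlow(alice, "ReportServlet"));
        System.out.println("paired, no run-as:          " + pairedFlow(alice, "PlainServlet"));
        SecurityContext.setCurrent(null); // leave the thread clean
    }
}
```

      Run it with `java RunAsDemo.java` (Java 11 or later). The paired flow hands the caller's identity back once the body finishes, and a servlet without a run-as entry is left untouched; the mismatched flow ends with no context bound to the thread, which is the state the description above warns will follow a run-as invocation until the restore is fixed. The try/finally around the body is the part worth copying: the restore must run on the same object that captured the caller, and it must run even when the body throws.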
    • getPassword

      protected char[] getPassword(String username)
      Specified by:
      getPassword in class org.apache.catalina.realm.RealmBase
    • getPrincipal

      protected Principal getPrincipal(String username)
      Specified by:
      getPrincipal in class org.apache.catalina.realm.RealmBase
    • createFailOveredPrincipal

      public Principal createFailOveredPrincipal(String username)
      This method creates a Principal based on the username only. Hercules stores the username as part of authentication failover and needs to create a Principal from the username alone (sridhar.satuloori@sun.com).
      Parameters:
      username - the user name
      Returns:
      Principal for the given username
    • setRealmName

      public void setRealmName(String realmName)
    • copySubject

      public static void copySubject(Subject target, Subject source)
    • toSubject

      public static void toSubject(Subject subject, Principal principal)
    • toSubject

      public static void toSubject(Subject subject, Set<Principal> principals)
    • toSubjectCredential

      public static void toSubjectCredential(Subject subject, Object credential)
    • removeFromCredentials

      public static void removeFromCredentials(Subject subject, Class<?> typeToRemove)
    • configureSecurity

      protected void configureSecurity(com.sun.enterprise.deployment.WebBundleDescriptor webBundleDescriptor, boolean isSystem)
      Commit the Jakarta Authorization module, bringing the policy into service. Implementation note: if the committed policy does not contain all the permissions, the role mapper is probably broken.
    • setCurrentSecurityContextWithWebPrincipal

      public void setCurrentSecurityContextWithWebPrincipal(Principal principal)
    • setCurrentSecurityContext

      public void setCurrentSecurityContext(Principal principal)
    • initAuthenticationService

      public void initAuthenticationService(jakarta.servlet.ServletContext servletContext)
    • getAuthenticationService

      public org.glassfish.epicyro.services.BaseAuthenticationService getAuthenticationService()
      Returns:
      the authenticationService
    • postConstruct

      public void postConstruct()
      Specified by:
      postConstruct in interface org.glassfish.hk2.api.PostConstruct