/**
 * Attempts reauthentication against the {@code Realm} using the credentials
 * cached in the SingleSignOn session identified by {@code ssoId}.
 * <p>
 * Nothing happens unless a SingleSignOn valve is configured, an SSO id was
 * supplied, and a Realm can be reached through the enclosing Container. On
 * success the request is associated with (a newly created, if necessary)
 * session so the restored principal is cached for later requests.
 *
 * @param ssoId   identifier of the SingleSignOn session with which the
 *                caller is associated
 * @param request the request that needs to be authenticated
 * @return {@code true} if the reauthentication from SSO occurred
 */
protected boolean reauthenticateFromSSO(String ssoId, Request request) {
    if (sso == null || ssoId == null) {
        return false;
    }
    Container parent = getContainer();
    if (parent == null) {
        return false;
    }
    Realm realm = parent.getRealm();
    if (realm == null) {
        return false;
    }
    if (!sso.reauthenticate(ssoId, realm, request)) {
        return false;
    }
    // Cache the restored principal on a session (created on demand).
    associate(ssoId, request.getSessionInternal(true));
    if (log.isDebugEnabled()) {
        log.debug(" Reauthenticated cached principal '" + request.getUserPrincipal().getName() + "' with auth type '" + request.getAuthType() + "'");
    }
    return true;
}
// --------------------------------------------------------- Public Methods
/**
 * Enforce the security restrictions in the web application deployment
 * descriptor of our associated Context.
 * <p>
 * The order of the steps below matters because several of them modify the
 * response: a cached Principal is restored from the session, the security
 * constraints matching the request are looked up in the Realm, cache-control
 * headers are set for constrained resources, the user-data constraint is
 * checked, authentication is performed when required, and finally the
 * resource permission check is enforced before the request is passed on to
 * the next Valve.
 *
 * @param request
 *            Request to be processed
 * @param response
 *            Response to be processed
 *
 * @exception IOException
 *                if an input/output error occurs
 * @exception ServletException
 *                if thrown by a processing element
 */
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
    if (log.isDebugEnabled()) {
        log.debug("Security checking request " + request.getMethod() + " " + request.getRequestURI());
    }
    // Have we got a cached authenticated Principal to record?
    // Only done when caching is enabled and the request carries no principal
    // yet; the session is looked up without creating one.
    if (cache) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            Session session = request.getSessionInternal(false);
            if (session != null) {
                principal = session.getPrincipal();
                if (principal != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("We have cached auth type " + session.getAuthType() + " for principal " + principal);
                    }
                    request.setAuthType(session.getAuthType());
                    request.setUserPrincipal(principal);
                }
            }
        }
    }
    // NOTE(review): isContinuationRequired() is defined outside this block;
    // presumably it reports whether a multi-step authentication exchange is
    // in progress for this request — confirm against its definition.
    boolean authRequired = isContinuationRequired(request);
    // The Servlet may specify security constraints through annotations.
    // Ensure that they have been processed before constraints are checked
    Wrapper wrapper = request.getWrapper();
    if (wrapper != null) {
        wrapper.servletSecurityAnnotationScan();
    }
    Realm realm = this.context.getRealm();
    // Is this request URI subject to a security constraint?
    // A null result means no constraint matches this request.
    SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
    // A configured JASPIC provider always gets to see the request, so
    // authentication is forced on whenever one is present.
    AuthConfigProvider jaspicProvider = getJaspicProvider();
    if (jaspicProvider != null) {
        authRequired = true;
    }
    // Fast path: nothing constrains this request, preemptive authentication
    // is off and no authentication is otherwise required.
    if (constraints == null && !context.getPreemptiveAuthentication() && !authRequired) {
        if (log.isDebugEnabled()) {
            log.debug(" Not subject to any constraint");
        }
        getNext().invoke(request, response);
        return;
    }
    // Make sure that constrained resources are not cached by web proxies
    // or browsers as caching can provide a security hole
    if (constraints != null && disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
        if (securePagesWithPragma) {
            // Note: These can cause problems with downloading files with IE
            response.setHeader("Pragma", "No-cache");
            response.setHeader("Cache-Control", "no-cache");
        } else {
            response.setHeader("Cache-Control", "private");
        }
        response.setHeader("Expires", DATE_ONE);
    }
    if (constraints != null) {
        // Enforce any user data constraint for this security constraint
        if (log.isDebugEnabled()) {
            log.debug(" Calling hasUserDataPermission()");
        }
        if (!realm.hasUserDataPermission(request, response, constraints)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed hasUserDataPermission() test");
            }
            /*
             * ASSERT: Authenticator already set the appropriate HTTP status
             * code, so we do not have to do anything special
             */
            return;
        }
    }
    // Since authenticate modifies the response on failure,
    // we have to check for allow-from-all first.
    // hasAuthConstraint ends up true only if every matching constraint has an
    // auth-constraint that names at least one role, or applies to all roles
    // or to all authenticated users; the loop stops at the first constraint
    // that clears the flag.
    boolean hasAuthConstraint = false;
    if (constraints != null) {
        hasAuthConstraint = true;
        for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
            if (!constraints[i].getAuthConstraint()) {
                hasAuthConstraint = false;
            } else if (!constraints[i].getAllRoles() && !constraints[i].getAuthenticatedUsers()) {
                String[] roles = constraints[i].findAuthRoles();
                if (roles == null || roles.length == 0) {
                    hasAuthConstraint = false;
                }
            }
        }
    }
    if (!authRequired && hasAuthConstraint) {
        authRequired = true;
    }
    // Preemptive authentication: authenticate when the client volunteers an
    // Authorization header even though no constraint demands it.
    if (!authRequired && context.getPreemptiveAuthentication()) {
        authRequired = request.getCoyoteRequest().getMimeHeaders().getValue("authorization") != null;
    }
    // Likewise for CLIENT-CERT when the client presented a certificate chain.
    if (!authRequired && context.getPreemptiveAuthentication() && HttpServletRequest.CLIENT_CERT_AUTH.equals(getAuthMethod())) {
        X509Certificate[] certs = getRequestCertificates(request);
        authRequired = certs != null && certs.length > 0;
    }
    JaspicState jaspicState = null;
    if (authRequired) {
        if (log.isDebugEnabled()) {
            log.debug(" Calling authenticate()");
        }
        if (jaspicProvider != null) {
            jaspicState = getJaspicState(jaspicProvider, request, response, hasAuthConstraint);
            if (jaspicState == null) {
                return;
            }
        }
        // Precedence note: && binds tighter than ||, so this reads as
        // (no JASPIC provider && doAuthenticate() failed) ||
        // (JASPIC provider present && authenticateJaspic() failed).
        if (jaspicProvider == null && !doAuthenticate(request, response) || jaspicProvider != null && !authenticateJaspic(request, response, jaspicState, false)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed authenticate() test");
            }
            /*
             * ASSERT: Authenticator already set the appropriate HTTP status
             * code, so we do not have to do anything special
             */
            return;
        }
    }
    // Authorization: role-based access control against the matching constraints.
    if (constraints != null) {
        if (log.isDebugEnabled()) {
            log.debug(" Calling accessControl()");
        }
        if (!realm.hasResourcePermission(request, response, constraints, this.context)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed accessControl() test");
            }
            /*
             * ASSERT: AccessControl method has already set the appropriate
             * HTTP status code, so we do not have to do anything special
             */
            return;
        }
    }
    // Any and all specified constraints have been satisfied
    if (log.isDebugEnabled()) {
        log.debug(" Successfully passed all security constraints");
    }
    getNext().invoke(request, response);
    // JASPIC gets a chance to post-process the response after the pipeline ran.
    if (jaspicProvider != null) {
        secureResponseJspic(request, response, jaspicState);
    }
}
/**
 * Return the Principal associated with the specified chain of X509 client
 * certificates, or {@code null} if none of the nested realms accepts it.
 * The nested realms are consulted in order and the first one that returns a
 * non-null Principal wins.
 *
 * @param certs Array of client certificates, with the first one in the array
 *              being the certificate of the client itself.
 * @return the authenticated Principal, or {@code null} if there is none
 */
@Override
public Principal authenticate(X509Certificate[] certs) {
    // The subject name is only used in log messages; it stays null when no
    // certificate chain was supplied. getSubjectDN() is a legacy API kept
    // here so the logged name format is unchanged.
    String username = (certs == null || certs.length == 0) ? null : certs[0].getSubjectDN().getName();
    for (Realm realm : realms) {
        String realmName = realm.getClass().getName();
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("combinedRealm.authStart", username, realmName));
        }
        Principal principal = realm.authenticate(certs);
        if (principal != null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("combinedRealm.authSuccess", username, realmName));
            }
            return principal;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("combinedRealm.authFail", username, realmName));
        }
    }
    return null;
}
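/**
 * Store the specified context element children.
 * <p>
 * Only {@link StandardContext} instances are handled; any other object is
 * ignored. Nested elements are written in this order: Listener, Valve,
 * Loader, Manager, Realm, Resources, WrapperLifecycle, WrapperListener,
 * Parameter, naming resources, WatchedResource, JarScanner, CookieProcessor.
 *
 * @param aWriter Current output writer
 * @param indent Indentation level
 * @param aContext Context to store
 * @param parentDesc The element description (not used by this implementation)
 * @throws Exception Configuration storing error
 */
@Override
public void storeChildren(PrintWriter aWriter, int indent, Object aContext, StoreDescription parentDesc) throws Exception {
    if (!(aContext instanceof StandardContext)) {
        return;
    }
    StandardContext context = (StandardContext) aContext;

    // Store nested <Listener> elements; the ThreadLocalLeakPreventionListener
    // is deliberately not persisted.
    ArrayList<LifecycleListener> listenersArray = new ArrayList<>();
    for (LifecycleListener listener : context.findLifecycleListeners()) {
        if (!(listener instanceof ThreadLocalLeakPreventionListener)) {
            listenersArray.add(listener);
        }
    }
    storeElementArray(aWriter, indent, listenersArray.toArray());

    // Store nested <Valve> elements
    storeElementArray(aWriter, indent, context.getPipeline().getValves());

    // Store nested <Loader> elements
    storeElement(aWriter, indent, context.getLoader());

    // Store nested <Manager> elements, but not when the context is
    // distributable inside a cluster.
    if (context.getCluster() == null || !context.getDistributable()) {
        storeElement(aWriter, indent, context.getManager());
    }

    // Store nested <Realm> element, unless it is the one inherited from the
    // parent container.
    Realm realm = context.getRealm();
    if (realm != null) {
        Realm parentRealm = null;
        // @TODO is this case possible?
        if (context.getParent() != null) {
            parentRealm = context.getParent().getRealm();
        }
        if (realm != parentRealm) {
            storeElement(aWriter, indent, realm);
        }
    }

    // Store nested resources
    storeElement(aWriter, indent, context.getResources());

    // Store nested <WrapperLifecycle> elements. The names come from
    // findWrapperLifecycles(), so they must be written under the
    // WrapperLifecycle tag; the previous code wrote them under WrapperListener
    // (and vice versa), which swapped the two lists on reload.
    String[] wLifecycles = context.findWrapperLifecycles();
    getStoreAppender().printTagArray(aWriter, "WrapperLifecycle", indent + 2, wLifecycles);

    // Store nested <WrapperListener> elements (names from findWrapperListeners()).
    String[] wListeners = context.findWrapperListeners();
    getStoreAppender().printTagArray(aWriter, "WrapperListener", indent + 2, wListeners);

    // Store nested <Parameter> elements
    storeElementArray(aWriter, indent, context.findApplicationParameters());

    // Store nested naming resources elements (EJB,Resource,...)
    storeElement(aWriter, indent, context.getNamingResources());

    // Store nested watched resources <WatchedResource>, after filtering
    String[] wresources = filterWatchedResources(context, context.findWatchedResources());
    getStoreAppender().printTagArray(aWriter, "WatchedResource", indent + 2, wresources);

    // Store nested <JarScanner> elements
    storeElement(aWriter, indent, context.getJarScanner());

    // Store nested <CookieProcessor> elements
    storeElement(aWriter, indent, context.getCookieProcessor());
}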
/**
 * Store the specified Host properties and children
 * (Listener, Alias, Realm, Valve, Cluster, Context).
 * <p>
 * Objects that are not a {@link StandardHost} are ignored. The Realm and
 * Cluster are only written when they differ from the parent container's,
 * i.e. when they are configured on this Host rather than inherited.
 *
 * @param aWriter
 *            PrintWriter to which we are storing
 * @param indent
 *            Number of spaces to indent this element
 * @param aHost
 *            Host whose properties are being stored
 * @param parentDesc
 *            The element description of the parent (not used here)
 *
 * @exception Exception
 *                if an exception occurs while storing
 */
@Override
public void storeChildren(PrintWriter aWriter, int indent, Object aHost, StoreDescription parentDesc) throws Exception {
    if (!(aHost instanceof StandardHost)) {
        return;
    }
    StandardHost host = (StandardHost) aHost;
    Container parent = host.getParent();

    // Store nested <Listener> elements
    storeElementArray(aWriter, indent, ((Lifecycle) host).findLifecycleListeners());

    // Store nested <Alias> elements
    getStoreAppender().printTagArray(aWriter, "Alias", indent + 2, host.findAliases());

    // Store nested <Realm> element, unless inherited from the parent
    Realm realm = host.getRealm();
    if (realm != null && realm != (parent == null ? null : parent.getRealm())) {
        storeElement(aWriter, indent, realm);
    }

    // Store nested <Valve> elements, skipping ClusterValve instances
    Valve[] valves = host.getPipeline().getValves();
    if (valves != null && valves.length > 0) {
        List<Valve> hostValves = new ArrayList<>();
        for (Valve valve : valves) {
            if (!(valve instanceof ClusterValve)) {
                hostValves.add(valve);
            }
        }
        storeElementArray(aWriter, indent, hostValves.toArray());
    }

    // Store the <Cluster> element, unless inherited from the parent
    Cluster cluster = host.getCluster();
    if (cluster != null && cluster != (parent == null ? null : parent.getCluster())) {
        storeElement(aWriter, indent, cluster);
    }

    // Store all <Context> elements
    storeElementArray(aWriter, indent, host.findChildren());
}