package org.apache.catalina;
import java.io.IOException;
-import java.security.Principal;
+import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
public boolean authenticate(Request request, HttpServletResponse response,
LoginConfig config) throws IOException;
- /**
- * Register an authenticated Principal and authentication type in our
- * request, in the current session (if there is one), and with our
- * SingleSignOn valve, if there is one. Set the appropriate cookie
- * to be returned. Passing in a null principal will de-register any
- * SSO sessions.
- *
- * @param request The servlet request we are processing
- * @param response The servlet response we are populating
- * @param principal The authenticated Principal to be registered
- * @param authType The authentication type to be registered
- * @param username Username used to authenticate (if any)
- * @param password Password used to authenticate (if any)
- */
- public void register(Request request, HttpServletResponse response,
- Principal principal, String authType,
- String username, String password);
+ public void login(String userName, String password, Request request)
+ throws ServletException;
+
+ public void logout(Request request) throws ServletException;
}
* security role, within the context of this Realm; otherwise return
* <code>false</code>.
*
+ * @param wrapper wrapper context for evaluating role
* @param principal Principal for whom the role is to be checked
* @param role Security role to be checked
*/
- public boolean hasRole(Principal principal, String role);
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role);
/**
* Enforce any user data constraint required by the security constraint
}
+ public void login(String username, String password, Request request)
+ throws ServletException {
+ Principal principal = doLogin(request, username, password);
+ register(request, request.getResponse(), principal,
+ getAuthMethod(), username, password);
+ }
+
+ protected abstract String getAuthMethod();
+
+ protected Principal doLogin(Request request, String username,
+ String password) throws ServletException {
+ Principal p = context.getRealm().authenticate(username, password);
+ if (p == null) {
+ throw new ServletException(sm.getString("authenticator.loginFail"));
+ }
+ return p;
+ }
+
+ public void logout(Request request) throws ServletException {
+ register(request, request.getResponse(), null,
+ null, null, null);
+
+ }
/**
* Start this component and implement the requirements
}
+ @Override
+ protected String getAuthMethod() {
+ return Constants.BASIC_METHOD;
+ }
}
}
+ @Override
+ protected String getAuthMethod() {
+ return Constants.DIGEST_METHOD;
+ }
+
+
// ------------------------------------------------------ Protected Methods
}
+ @Override
+ protected String getAuthMethod() {
+ return Constants.FORM_METHOD;
+ }
+
+
// ------------------------------------------------------ Protected Methods
authenticator.forbidden=Access to the requested resource has been denied
authenticator.formlogin=Invalid direct reference to form login page
authenticator.invalid=Invalid client certificate chain in this request
+authenticator.loginFail=Login failed
authenticator.keystore=Exception loading key store
authenticator.manager=Exception initializing trust managers
authenticator.notAuthenticated=Configuration error: Cannot perform access control without an authenticated principal
}
+ @Override
+ protected String getAuthMethod() {
+ return "NONE";
+ }
}
return (true);
}
+
+
+ @Override
+ protected String getAuthMethod() {
+ return Constants.CERT_METHOD;
+ }
}
coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
coyoteRequest.alreadyAuthenticated=This is request has already been authenticated
coyoteRequest.noLoginConfig=No authentication mechanism has been configured for this context
-coyoteRequest.noPasswordLogin=The authentication mechanism configured for this context does not support user name and password authentication
-coyoteRequest.authFail=The authentication of user {0} was not successful
coyoteRequest.authenticate.ise=Cannot call authenticate() after the reponse has been committed
coyoteRequest.uploadLocationInvalid=The temporary upload location [{0}] is not valid
if (realm == null)
return false;
- // Check for a role alias defined in a <security-role-ref> element
- if (wrapper != null) {
- String realRole = wrapper.findSecurityReference(role);
- if ((realRole != null) && realm.hasRole(userPrincipal, realRole))
- return true;
- }
-
// Check for a role defined directly as a <security-role>
- return (realm.hasRole(userPrincipal, role));
+ return (realm.hasRole(wrapper, userPrincipal, role));
}
sm.getString("coyoteRequest.alreadyAuthenticated"));
}
- LoginConfig config = context.getLoginConfig();
- if (config == null) {
- throw new ServletException(
- sm.getString("coyoteRequest.noLoginConfig"));
+ if (context.getAuthenticator() == null) {
+ throw new ServletException("no authenticator");
}
- String authMethod = config.getAuthMethod();
- if (BASIC_AUTH.equals(authMethod) || FORM_AUTH.equals(authMethod) ||
- DIGEST_AUTH.equals(authMethod)) {
- // Methods support user name and password authentication
- Realm realm = context.getRealm();
-
- Principal principal = realm.authenticate(username, password);
-
- if (principal == null) {
- throw new ServletException(
- sm.getString("coyoteRequest.authFail", username));
- }
- // Assume if we have a non-null LoginConfig then we must have an
- // authenticator
- context.getAuthenticator().register(this, getResponse(), principal,
- authMethod, username, password);
- } else {
- throw new ServletException("coyoteRequest.noPasswordLogin");
- }
+ context.getAuthenticator().login(username, password, this);
}
/**
*/
@Override
public void logout() throws ServletException {
- context.getAuthenticator().register(this, getResponse(), null,
- null, null, null);
+ context.getAuthenticator().logout(this);
}
/**
import org.apache.catalina.Realm;
import org.apache.catalina.Server;
import org.apache.catalina.Service;
+import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.ApplicationSessionCookieConfig;
log.debug(" No user authenticated, cannot grant access");
} else {
for (int j = 0; j < roles.length; j++) {
- if (hasRole(principal, roles[j])) {
+ if (hasRole(null, principal, roles[j])) {
status = true;
if( log.isDebugEnabled() )
log.debug( "Role found: " + roles[j]);
* @param principal Principal for whom the role is to be checked
* @param role Security role to be checked
*/
- public boolean hasRole(Principal principal, String role) {
+ @Override
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+ // Check for a role alias defined in a <security-role-ref> element
+ if (wrapper != null) {
+ String realRole = wrapper.findSecurityReference(role);
+ if (realRole != null)
+ role = realRole;
+ }
// Should be overridden in JAASRealm - to avoid pretty inefficient conversions
if ((principal == null) || (role == null) ||
import org.apache.catalina.Role;
import org.apache.catalina.User;
import org.apache.catalina.UserDatabase;
+import org.apache.catalina.Wrapper;
import org.apache.catalina.core.StandardServer;
import org.apache.catalina.util.LifecycleBase;
import org.apache.tomcat.util.ExceptionUtils;
* @param role Security role to be checked
*/
@Override
- public boolean hasRole(Principal principal, String role) {
+ public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+ // Check for a role alias defined in a <security-role-ref> element
+ if (wrapper != null) {
+ String realRole = wrapper.findSecurityReference(role);
+ if (realRole != null)
+ role = realRole;
+ }
if( principal instanceof GenericPrincipal) {
GenericPrincipal gp = (GenericPrincipal)principal;
if(gp.getUserPrincipal() instanceof User) {
}
if(! (principal instanceof User) ) {
//Play nice with SSO and mixed Realms
- return super.hasRole(principal, role);
+ return super.hasRole(null, principal, role);
}
if("*".equals(role)) {
return true;
make extensions, such as JACC implementations, simpler. Patch provided
by David Jencks. (markt)
</fix>
+ <fix>
+ <bug>50016</bug>: Re-factor <code>isUserInRole()</code> and
+ <code>login()/logout()</code> methods to support JACC implementations
+ and to improve encapsulation. Patch provided by David Jencks. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
projects / tomcat7.0 / commitdiff