tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r...@apache.org
Subject cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthenticator.java SingleSignOn.java mbeans-descriptors.xml
Date Mon, 24 Nov 2003 16:46:56 GMT
remm        2003/11/24 08:46:56

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java BasicAuthenticator.java
                        DigestAuthenticator.java FormAuthenticator.java
                        NonLoginAuthenticator.java SSLAuthenticator.java
                        SingleSignOn.java mbeans-descriptors.xml
  Added:       catalina/src/share/org/apache/catalina/authenticator
                        SingleSignOnEntry.java
  Log:
  - Bug 23881: SSO in embedded Tomcat.
  - Patch submitted by Brian Stansberry. Thanks :)
  
  Revision  Changes    Path
  1.14      +86 -20    jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- AuthenticatorBase.java	23 Oct 2003 17:33:10 -0000	1.13
  +++ AuthenticatorBase.java	24 Nov 2003 16:46:56 -0000	1.14
  @@ -625,7 +625,7 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login Login configuration describing how authentication
  +     * @param config    Login configuration describing how authentication
        *              should be performed
        *
        * @exception IOException if an input/output error occurs
  @@ -643,7 +643,6 @@
       protected synchronized String generateSessionId() {
   
           // Generate a byte array containing a session identifier
  -        Random random = getRandom();
           byte bytes[] = new byte[SESSION_ID_BYTES];
           getRandom().nextBytes(bytes);
           bytes = getDigest().digest(bytes);
  @@ -801,6 +800,53 @@
   
   
       /**
  +     * Attempts reauthentication to the <code>Realm</code> using
  +     * the credentials included in argument <code>entry</code>.
  +     *
  +     * @param ssoId identifier of SingleSignOn session with which the
  +     *              caller is associated
  +     * @param request   the request that needs to be authenticated
  +     */
  +    protected boolean reauthenticateFromSSO(String ssoId, HttpRequest request) {
  +
  +        if (sso == null || ssoId == null)
  +            return false;
  +
  +        boolean reauthenticated = false;
  +
  +        SingleSignOnEntry entry = sso.lookup(ssoId);
  +        if (entry != null && entry.getCanReauthenticate()) {
  +            Principal reauthPrincipal = null;
  +            Container parent = getContainer();
  +            if (parent != null) {
  +                Realm realm = getContainer().getRealm();
  +                String username = entry.getUsername();
  +                if (realm != null && username != null) {
  +                    reauthPrincipal =
  +                        realm.authenticate(username, entry.getPassword());
  +                }
  +            }
  +
  +            if (reauthPrincipal != null) {
  +                associate(ssoId, getSession(request, true));
  +                request.setAuthType(entry.getAuthType());
  +                request.setUserPrincipal(reauthPrincipal);
  +
  +                reauthenticated = true;
  +                if (log.isDebugEnabled()) {
  +                    log.debug(" Reauthenticated cached principal '" +
  +                              entry.getPrincipal().getName() +
  +                              "' with auth type '" +
  +                              entry.getAuthType() + "'");
  +                }
  +            }
  +        }
  +
  +        return reauthenticated;
  +    }
  +
  +
  +    /**
        * Register an authenticated Principal and authentication type in our
        * request, in the current session (if there is one), and with our
        * SingleSignOn valve, if there is one.  Set the appropriate cookie
  @@ -825,9 +871,9 @@
           request.setAuthType(authType);
           request.setUserPrincipal(principal);
   
  +        Session session = getSession(request, false);
           // Cache the authentication information in our session, if any
           if (cache) {
  -            Session session = getSession(request, false);
               if (session != null) {
                   session.setAuthType(authType);
                   session.setPrincipal(principal);
  @@ -845,19 +891,39 @@
           // Construct a cookie to be returned to the client
           if (sso == null)
               return;
  -        HttpServletRequest hreq =
  -            (HttpServletRequest) request.getRequest();
  -        HttpServletResponse hres =
  -            (HttpServletResponse) response.getResponse();
  -        String value = generateSessionId();
  -        Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, value);
  -        cookie.setMaxAge(-1);
  -        cookie.setPath("/");
  -        hres.addCookie(cookie);
  -
  -        // Register this principal with our SSO valve
  -        sso.register(value, principal, authType, username, password);
  -        request.setNote(Constants.REQ_SSOID_NOTE, value);
  +
  +        // Only create a new SSO entry if the SSO did not already set a note
  +        // for an existing entry (as it would do with subsequent requests
  +        // for DIGEST and SSL authenticated contexts)
  +        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  +        if (ssoId == null) {
  +            // Construct a cookie to be returned to the client
  +            HttpServletResponse hres =
  +                (HttpServletResponse) response.getResponse();
  +            ssoId = generateSessionId();
  +            Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
  +            cookie.setMaxAge(-1);
  +            cookie.setPath("/");
  +            hres.addCookie(cookie);
  +
  +            // Register this principal with our SSO valve
  +            sso.register(ssoId, principal, authType, username, password);
  +            request.setNote(Constants.REQ_SSOID_NOTE, ssoId);
  +
  +        } else {
  +            // Update the SSO session with the latest authentication data
  +            sso.update(ssoId, principal, authType, username, password);
  +        }
  +
  +        // Fix for Bug 10040
  +        // Always associate a session with a new SSO reqistration.
  +        // SSO entries are only removed from the SSO registry map when
  +        // associated sessions are destroyed; if a new SSO entry is created
  +        // above for this request and the user never revisits the context, the
  +        // SSO entry will never be cleared if we don't associate the session
  +        if (session == null)
  +            session = getSession(request, true);
  +        sso.associate(ssoId, session);
   
       }
   
  
  
  
  1.3       +26 -7     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
  
  Index: BasicAuthenticator.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- BasicAuthenticator.java	12 Mar 2003 06:00:23 -0000	1.2
  +++ BasicAuthenticator.java	24 Nov 2003 16:46:56 -0000	1.3
  @@ -133,7 +133,7 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login Login configuration describing how authentication
  +     * @param config    Login configuration describing how authentication
        *              should be performed
        *
        * @exception IOException if an input/output error occurs
  @@ -146,12 +146,31 @@
           // Have we already authenticated someone?
           Principal principal =
               ((HttpServletRequest) request.getRequest()).getUserPrincipal();
  +        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
           if (principal != null) {
               if (log.isDebugEnabled())
                   log.debug("Already authenticated '" + principal.getName() + "'");
  +            // Associate the session with any existing SSO session
  +            if (ssoId != null)
  +                associate(ssoId, getSession(request, true));
               return (true);
           }
   
  +        // Is there an SSO session against which we can try to reauthenticate?
  +        if (ssoId != null) {
  +            if (log.isDebugEnabled())
  +                log.debug("SSO Id " + ssoId + " set; attempting " +
  +                          "reauthentication");
  +            /* Try to reauthenticate using data cached by SSO.  If this fails,
  +               either the original SSO logon was of DIGEST or SSL (which
  +               we can't reauthenticate ourselves because there is no
  +               cached username and password), or the realm denied
  +               the user's reauthentication for some reason.
  +               In either case we have to prompt the user for a logon */
  +            if (reauthenticateFromSSO(ssoId, request))
  +                return true;
  +        }
  +
           // Validate any credentials already included with this request
           HttpServletRequest hreq =
               (HttpServletRequest) request.getRequest();
  @@ -171,8 +190,8 @@
           String realmName = config.getRealmName();
           if (realmName == null)
               realmName = hreq.getServerName() + ":" + hreq.getServerPort();
  -    //        if (debug >= 1)
  -    //            log("Challenging for realm '" + realmName + "'");
  +    //        if (log.isDebugEnabled())
  +    //            log.debug("Challenging for realm '" + realmName + "'");
           hres.setHeader("WWW-Authenticate",
                          "Basic realm=\"" + realmName + "\"");
           hres.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
  
  
  
  1.3       +46 -11    jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
  
  Index: DigestAuthenticator.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- DigestAuthenticator.java	2 Sep 2003 21:22:04 -0000	1.2
  +++ DigestAuthenticator.java	24 Nov 2003 16:46:56 -0000	1.3
  @@ -75,6 +75,9 @@
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   
  +import org.apache.commons.logging.Log;
  +import org.apache.commons.logging.LogFactory;
  +
   import org.apache.catalina.HttpRequest;
   import org.apache.catalina.HttpResponse;
   import org.apache.catalina.Realm;
  @@ -94,6 +97,7 @@
   
   public class DigestAuthenticator
       extends AuthenticatorBase {
  +    private static Log log = LogFactory.getLog(DigestAuthenticator.class);
   
   
       // -------------------------------------------------------------- Constants
  @@ -206,7 +210,7 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login Login configuration describing how authentication
  +     * @param config    Login configuration describing how authentication
        *              should be performed
        *
        * @exception IOException if an input/output error occurs
  @@ -219,8 +223,42 @@
           // Have we already authenticated someone?
           Principal principal =
               ((HttpServletRequest) request.getRequest()).getUserPrincipal();
  -        if (principal != null)
  +        //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  +        if (principal != null) {
  +            if (log.isDebugEnabled())
  +                log.debug("Already authenticated '" + principal.getName() + "'");
  +            // Associate the session with any existing SSO session in order
  +            // to get coordinated session invalidation at logout
  +            String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  +            if (ssoId != null)
  +                associate(ssoId, getSession(request, true));
               return (true);
  +        }
  +
  +        // NOTE: We don't try to reauthenticate using any existing SSO session,
  +        // because that will only work if the original authentication was
  +        // BASIC or FORM, which are less secure than the DIGEST auth-type
  +        // specified for this webapp
  +        //
  +        // Uncomment below to allow previous FORM or BASIC authentications
  +        // to authenticate users for this webapp
  +        // TODO make this a configurable attribute (in SingleSignOn??)
  +        /*
  +        // Is there an SSO session against which we can try to reauthenticate?
  +        if (ssoId != null) {
  +            if (log.isDebugEnabled())
  +                log.debug("SSO Id " + ssoId + " set; attempting " +
  +                          "reauthentication");
  +            // Try to reauthenticate using data cached by SSO.  If this fails,
  +            // either the original SSO logon was of DIGEST or SSL (which
  +            // we can't reauthenticate ourselves because there is no
  +            // cached username and password), or the realm denied
  +            // the user's reauthentication for some reason.
  +            // In either case we have to prompt the user for a logon
  +            if (reauthenticateFromSSO(ssoId, request))
  +                return true;
  +        }
  +        */
   
           // Validate any credentials already included with this request
           HttpServletRequest hreq =
  @@ -264,8 +302,6 @@
        *
        * @param request HTTP servlet request
        * @param authorization Authorization credentials from this request
  -     * @param login Login configuration describing how authentication
  -     *              should be performed
        * @param realm Realm used to authenticate Principals
        */
       protected static Principal findPrincipal(HttpServletRequest request,
  @@ -292,7 +328,6 @@
           String qop = null;
           String uri = null;
           String response = null;
  -        String opaque = null;
           String method = request.getMethod();
   
           while (commaTokenizer.hasMoreTokens()) {
  @@ -434,8 +469,8 @@
        * </pre>
        *
        * @param request HTTP Servlet request
  -     * @param resonse HTTP Servlet response
  -     * @param login Login configuration describing how authentication
  +     * @param response HTTP Servlet response
  +     * @param config    Login configuration describing how authentication
        *              should be performed
        * @param nOnce nonce token
        */
  
  
  
  1.5       +23 -10    jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java
  
  Index: FormAuthenticator.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- FormAuthenticator.java	2 Sep 2003 21:22:04 -0000	1.4
  +++ FormAuthenticator.java	24 Nov 2003 16:46:56 -0000	1.5
  @@ -138,7 +138,7 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login Login configuration describing how authentication
  +     * @param config    Login configuration describing how authentication
        *              should be performed
        *
        * @exception IOException if an input/output error occurs
  @@ -157,16 +157,32 @@
   
           // Have we already authenticated someone?
           Principal principal = hreq.getUserPrincipal();
  +        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
           if (principal != null) {
               if (log.isDebugEnabled())
                   log.debug("Already authenticated '" +
                       principal.getName() + "'");
  -            String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  +            // Associate the session with any existing SSO session
               if (ssoId != null)
                   associate(ssoId, getSession(request, true));
               return (true);
           }
   
  +        // Is there an SSO session against which we can try to reauthenticate?
  +        if (ssoId != null) {
  +            if (log.isDebugEnabled())
  +                log.debug("SSO Id " + ssoId + " set; attempting " +
  +                          "reauthentication");
  +            // Try to reauthenticate using data cached by SSO.  If this fails,
  +            // either the original SSO logon was of DIGEST or SSL (which
  +            // we can't reauthenticate ourselves because there is no
  +            // cached username and password), or the realm denied
  +            // the user's reauthentication for some reason.
  +            // In either case we have to prompt the user for a logon */
  +            if (reauthenticateFromSSO(ssoId, request))
  +                return true;
  +        }
  +
           // Have we authenticated this user before but have caching disabled?
           if (!cache) {
               session = getSession(request, true);
  @@ -205,9 +221,6 @@
               register(request, response, principal, Constants.FORM_METHOD,
                        (String) session.getNote(Constants.SESS_USERNAME_NOTE),
                        (String) session.getNote(Constants.SESS_PASSWORD_NOTE));
  -            String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  -            if (ssoId != null)
  -                associate(ssoId, session);
               if (restoreRequest(request, session)) {
                   if (log.isDebugEnabled())
                       log.debug("Proceed to restored request");
  @@ -380,7 +393,7 @@
               while (paramNames.hasNext()) {
                   String paramName = (String) paramNames.next();
                   String paramValues[] =
  -                    (String[]) saved.getParameterValues(paramName);
  +                    saved.getParameterValues(paramName);
                   request.addParameter(paramName, paramValues);
               }
           }
  
  
  
  1.3       +14 -5     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/NonLoginAuthenticator.java
  
  Index: NonLoginAuthenticator.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/NonLoginAuthenticator.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- NonLoginAuthenticator.java	2 Sep 2003 21:22:04 -0000	1.2
  +++ NonLoginAuthenticator.java	24 Nov 2003 16:46:56 -0000	1.3
  @@ -119,7 +119,7 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login Login configuration describing how authentication
  +     * @param config    Login configuration describing how authentication
        *              should be performed
        *
        * @exception IOException if an input/output error occurs
  @@ -129,6 +129,15 @@
                                   LoginConfig config)
           throws IOException {
   
  +        /*  Associating this request's session with an SSO would allow
  +            coordinated session invalidation, but should the session for
  +            a webapp that the user didn't log into be invalidated when
  +            another session is logged out?
  +        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  +        if (ssoId != null)
  +            associate(ssoId, getSession(request, true));
  +        */
  +        
           if (debug >= 1)
               log("User authentication is not required");
           return (true);
  
  
  
  1.10      +36 -5     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java
  
  Index: SSLAuthenticator.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- SSLAuthenticator.java	17 Oct 2003 18:47:43 -0000	1.9
  +++ SSLAuthenticator.java	24 Nov 2003 16:46:56 -0000	1.10
  @@ -122,7 +122,7 @@
        *
        * @param request Request we are processing
        * @param response Response we are creating
  -     * @param login Login configuration describing how authentication
  +     * @param config    Login configuration describing how authentication
        *              should be performed
        *
        * @exception IOException if an input/output error occurs
  @@ -135,11 +135,42 @@
           // Have we already authenticated someone?
           Principal principal =
               ((HttpServletRequest) request.getRequest()).getUserPrincipal();
  +        //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
           if (principal != null) {
               if (debug >= 1)
                   log("Already authenticated '" + principal.getName() + "'");
  +            // Associate the session with any existing SSO session in order
  +            // to get coordinated session invalidation at logout
  +            String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  +            if (ssoId != null)
  +                associate(ssoId, getSession(request, true));
               return (true);
           }
  +
  +        // NOTE: We don't try to reauthenticate using any existing SSO session,
  +        // because that will only work if the original authentication was
  +        // BASIC or FORM, which are less secure than the CLIENT-CERT auth-type
  +        // specified for this webapp
  +        //
  +        // Uncomment below to allow previous FORM or BASIC authentications
  +        // to authenticate users for this webapp
  +        // TODO make this a configurable attribute (in SingleSignOn??)
  +        /*
  +        // Is there an SSO session against which we can try to reauthenticate?
  +        if (ssoId != null) {
  +            if (log.isDebugEnabled())
  +                log.debug("SSO Id " + ssoId + " set; attempting " +
  +                          "reauthentication");
  +            // Try to reauthenticate using data cached by SSO.  If this fails,
  +            // either the original SSO logon was of DIGEST or SSL (which
  +            // we can't reauthenticate ourselves because there is no
  +            // cached username and password), or the realm denied
  +            // the user's reauthentication for some reason.
  +            // In either case we have to prompt the user for a logon
  +            if (reauthenticateFromSSO(ssoId, request))
  +                return true;
  +        }
  +        */
   
           // Retrieve the certificate chain for this client
           HttpServletResponse hres =
  
  
  
  1.8       +121 -66   jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java
  
  Index: SingleSignOn.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- SingleSignOn.java	15 Nov 2003 09:42:26 -0000	1.7
  +++ SingleSignOn.java	24 Nov 2003 16:46:56 -0000	1.8
  @@ -145,6 +145,12 @@
        */
       protected LifecycleSupport lifecycle = new LifecycleSupport(this);
   
  +    /**
  +     * Indicates whether this valve should require a downstream Authenticator to
  +     * reauthenticate each request, or if it itself can bind a UserPrincipal
  +     * and AuthType object to the request.
  +     */
  +    private boolean requireReauthentication = false;
   
       /**
        * The cache of single sign on identifiers, keyed by the Session that is
  @@ -191,6 +197,75 @@
       }
   
   
  +    /**
  +     * Gets whether each request needs to be reauthenticated (by an
  +     * Authenticator downstream in the pipeline) to the security
  +     * <code>Realm</code>, or if this Valve can itself bind security info
  +     * to the request based on the presence of a valid SSO entry without
  +     * rechecking with the <code>Realm</code..
  +     *
  +     * @return  <code>true</code> if it is required that a downstream
  +     *          Authenticator reauthenticate each request before calls to
  +     *          <code>HttpServletRequest.setUserPrincipal()</code>
  +     *          and <code>HttpServletRequest.setAuthType()</code> are made;
  +     *          <code>false</code> if the <code>Valve</code> can
itself make
  +     *          those calls relying on the presence of a valid SingleSignOn
  +     *          entry associated with the request.
  +     *
  +     * @see #setRequireReauthentication
  +     */
  +    public boolean getRequireReauthentication()
  +    {
  +        return requireReauthentication;
  +    }
  +
  +
  +    /**
  +     * Sets whether each request needs to be reauthenticated (by an
  +     * Authenticator downstream in the pipeline) to the security
  +     * <code>Realm</code>, or if this Valve can itself bind security info
  +     * to the request, based on the presence of a valid SSO entry, without
  +     * rechecking with the <code>Realm</code.
  +     * <p>
  +     * If this property is <code>false</code> (the default), this
  +     * <code>Valve</code> will bind a UserPrincipal and AuthType to the request
  +     * if a valid SSO entry is associated with the request.  It will not notify
  +     * the security <code>Realm</code> of the incoming request.
  +     * <p>
  +     * This property should be set to <code>true</code> if the overall server
  +     * configuration requires that the <code>Realm</code> reauthenticate each
  +     * request thread.  An example of such a configuration would be one where
  +     * the <code>Realm</code> implementation provides security for both a
  +     * web tier and an associated EJB tier, and needs to set security
  +     * credentials on each request thread in order to support EJB access.
  +     * <p>
  +     * If this property is set to <code>true</code>, this Valve will set flags
  +     * on the request notifying the downstream Authenticator that the request
  +     * is associated with an SSO session.  The Authenticator will then call its
  +     * {@link AuthenticatorBase#reauthenticateFromSSO reauthenticateFromSSO}
  +     * method to attempt to reauthenticate the request to the
  +     * <code>Realm</code>, using any credentials that were cached with this
  +     * Valve.
  +     * <p>
  +     * The default value of this property is <code>false</code>, in order
  +     * to maintain backward compatibility with previous versions of Tomcat.
  +     *
  +     * @param required  <code>true</code> if it is required that a downstream
  +     *                  Authenticator reauthenticate each request before calls
  +     *                  to  <code>HttpServletRequest.setUserPrincipal()</code>
  +     *                  and <code>HttpServletRequest.setAuthType()</code> are
  +     *                  made; <code>false</code> if the <code>Valve</code>
can
  +     *                  itself make those calls relying on the presence of a
  +     *                  valid SingleSignOn entry associated with the request.
  +     *
  +     * @see AuthenticatorBase#reauthenticateFromSSO
  +     */
  +    public void setRequireReauthentication(boolean required)
  +    {
  +        this.requireReauthentication = required;
  +    }
  +
  +
       // ------------------------------------------------------ Lifecycle Methods
   
   
  @@ -301,10 +376,6 @@
           if (ssoId == null)
               return;
   
  -        deregister(ssoId);
  -        // FIXME: There's no way right now to specify per application or
  -        // global logout
  -        /*
           if ( event.getData() != null 
                && "logout".equals( event.getData().toString() )) {
               // logout of all applications
  @@ -313,7 +384,6 @@
               // invalidate just one session
               deregister(ssoId, session);
           }
  -        */
   
       }
   
  @@ -396,11 +466,14 @@
           if (entry != null) {
               if (debug >= 1)
                   log(" Found cached principal '" +
  -                    entry.principal.getName() + "' with auth type '" +
  -                    entry.authType + "'");
  +                    entry.getPrincipal().getName() + "' with auth type '" +
  +                    entry.getAuthType() + "'");
               request.setNote(Constants.REQ_SSOID_NOTE, cookie.getValue());
  -            ((HttpRequest) request).setAuthType(entry.authType);
  -            ((HttpRequest) request).setUserPrincipal(entry.principal);
  +            // Only set security elements if reauthentication is not required
  +            if (!getRequireReauthentication()) {
  +                ((HttpRequest) request).setAuthType(entry.getAuthType());
  +                ((HttpRequest) request).setUserPrincipal(entry.getPrincipal());
  +            }
           } else {
               if (debug >= 1)
                   log(" No cached principal found, erasing SSO cookie");
  @@ -433,7 +506,7 @@
       }
   
   
  -    // -------------------------------------------------------- Package Methods
  +    // ------------------------------------------------------ Protected Methods
   
   
       /**
  @@ -553,9 +626,6 @@
       }
   
   
  -    // ------------------------------------------------------ Protected Methods
  -
  -
       /**
        * Log a message on the Logger associated with our Container (if any).
        *
  @@ -605,61 +675,46 @@
   
       }
   
  +    //----------------------------------------------  Package-Protected Methods
   
  -}
  -
  -
  -// ------------------------------------------------------------ Private Classes
  -
  -
  -/**
  - * A private class representing entries in the cache of authenticated users.
  - */
  -class SingleSignOnEntry {
  -
  -    public String authType = null;
  -
  -    public String password = null;
  -
  -    public Principal principal = null;
  -
  -    public Session sessions[] = new Session[0];
  -
  -    public String username = null;
  +    /**
  +     * Updates any <code>SingleSignOnEntry</code> found under key
  +     * <code>ssoId</code> with the given authentication data.
  +     * <p>
  +     * The purpose of this method is to allow an SSO entry that was
  +     * established without a username/password combination (i.e. established
  +     * following DIGEST or CLIENT-CERT authentication) to be updated with
  +     * a username and password if one becomes available through a subsequent
  +     * BASIC or FORM authentication.  The SSO entry will then be usable for
  +     * reauthentication.
  +     * <p>
  +     * <b>NOTE:</b> Only updates the SSO entry if a call to
  +     * <code>SingleSignOnEntry.getCanReauthenticate()</code> returns
  +     * <code>false</code>; otherwise, it is assumed that the SSO entry already
  +     * has sufficient information to allow reauthentication and that no update
  +     * is needed.
  +     *
  +     * @param ssoId identifier of Single sign to be updated
  +     * @param principal the <code>Principal</code> returned by the latest
  +     *                  call to <code>Realm.authenticate</code>.
  +     * @param authType  the type of authenticator used (BASIC, CLIENT-CERT,
  +     *                  DIGEST or FORM)
  +     * @param username  the username (if any) used for the authentication
  +     * @param password  the password (if any) used for the authentication
  +     */
  +    void update(String ssoId, Principal principal, String authType,
  +                  String username, String password) {
   
  -    public SingleSignOnEntry(Principal principal, String authType,
  -                             String username, String password) {
  -        super();
  -        this.principal = principal;
  -        this.authType = authType;
  -        this.username = username;
  -        this.password = password;
  -    }
  +        SingleSignOnEntry sso = lookup(ssoId);
  +        if (sso != null && !sso.getCanReauthenticate()) {
  +            if (debug >= 1)
  +                log("Update sso id " + ssoId + " to auth type " + authType);
   
  -    public synchronized void addSession(SingleSignOn sso, Session session) {
  -        for (int i = 0; i < sessions.length; i++) {
  -            if (session == sessions[i])
  -                return;
  -        }
  -        Session results[] = new Session[sessions.length + 1];
  -        System.arraycopy(sessions, 0, results, 0, sessions.length);
  -        results[sessions.length] = session;
  -        sessions = results;
  -        session.addSessionListener(sso);
  -    }
  +            synchronized(sso) {
  +                sso.updateCredentials(principal, authType, username, password);
  +            }
   
  -    public synchronized void removeSession(Session session) {
  -        Session[] nsessions = new Session[sessions.length - 1];
  -        for (int i = 0, j = 0; i < sessions.length; i++) {
  -            if (session == sessions[i])
  -                continue;
  -            nsessions[j++] = sessions[i];
           }
  -        sessions = nsessions;
  -    }
  -
  -    public synchronized Session[] findSessions() {
  -        return (this.sessions);
       }
   
   }
  
  
  
  1.2       +4 -0      jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/mbeans-descriptors.xml
  
  Index: mbeans-descriptors.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/mbeans-descriptors.xml,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- mbeans-descriptors.xml	19 Mar 2003 07:29:20 -0000	1.1
  +++ mbeans-descriptors.xml	24 Nov 2003 16:46:56 -0000	1.2
  @@ -129,6 +129,10 @@
       <attribute name="debug"
                  description="The debugging detail level for this component"
                  type="int"/>
  +
  +    <attribute name="requireReauthentication"
  +               description="Should we attempt to reauthenticate each request against the
security Realm?"
  +               type="boolean"/>
         
     </mbean>
   
  
  
  
  1.1                  jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOnEntry.java
  
  Index: SingleSignOnEntry.java
  ===================================================================
  /*
   * $Header: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOnEntry.java,v
1.1 2003/11/24 16:46:56 remm Exp $
   * $Revision: 1.1 $
   * $Date: 2003/11/24 16:46:56 $
   *
   * ====================================================================
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999-2001 The Apache Software Foundation.  All rights
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer.
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *    any, must include the following acknowlegement:
   *       "This product includes software developed by the
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowlegement may appear in the software itself,
   *    if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
   *    Foundation" must not be used to endorse or promote products derived
   *    from this software without prior written permission. For written
   *    permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache"
   *    nor may "Apache" appear in their names without prior written
   *    permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */
  package org.apache.catalina.authenticator;
  
  import java.security.Principal;
  
  import org.apache.catalina.Session;
  import org.apache.catalina.authenticator.Constants;
  
  /**
   * A class that represents entries in the cache of authenticated users.
   * This is necessary to make it available to
   * <code>AuthenticatorBase</code> subclasses that need it in order to perform
   * reauthentications when SingleSignOn is in use.
   *
   * @author  B Stansberry, based on work by Craig R. McClanahan
   * @version $Revision: 1.1 $
   *
   * @see SingleSignOn
   * @see AuthenticatorBase#reauthenticateFromSSO
   */
  class SingleSignOnEntry
  {
      // ------------------------------------------------------  Instance Fields
  
      private String authType = null;
  
      private String password = null;
  
      private Principal principal = null;
  
      private Session sessions[] = new Session[0];
  
      private String username = null;
  
      private boolean canReauthenticate = false;
  
      // ---------------------------------------------------------  Constructors
  
      /**
       * Creates a new SingleSignOnEntry
       *
       * @param principal the <code>Principal</code> returned by the latest
       *                  call to <code>Realm.authenticate</code>.
       * @param authType  the type of authenticator used (BASIC, CLIENT-CERT,
       *                  DIGEST or FORM)
       * @param username  the username (if any) used for the authentication
       * @param password  the password (if any) used for the authentication
       */
      SingleSignOnEntry(Principal principal, String authType,
                          String username, String password) {        
          super();
          updateCredentials(principal, authType, username, password);
      }
  
      // ------------------------------------------------------- Package Methods
  
      /**
       * Adds a <code>Session</code> to the list of those associated with
       * this SSO.
       *
       * @param sso       The <code>SingleSignOn</code> valve that is managing
       *                  the SSO session.
       * @param session   The <code>Session</code> being associated with the SSO.
       */
      synchronized void addSession(SingleSignOn sso, Session session) {
          for (int i = 0; i < sessions.length; i++) {
              if (session == sessions[i])
                  return;
          }
          Session results[] = new Session[sessions.length + 1];
          System.arraycopy(sessions, 0, results, 0, sessions.length);
          results[sessions.length] = session;
          sessions = results;
          session.addSessionListener(sso);
      }
  
      /**
       * Removes the given <code>Session</code> from the list of those
       * associated with this SSO.
       *
       * @param session  the <code>Session</code> to remove.
       */
      synchronized void removeSession(Session session) {
          Session[] nsessions = new Session[sessions.length - 1];
          for (int i = 0, j = 0; i < sessions.length; i++) {
              if (session == sessions[i])
                  continue;
              nsessions[j++] = sessions[i];
          }
          sessions = nsessions;
      }
  
      /**
       * Returns the <code>Session</code>s associated with this SSO.
       */
      synchronized Session[] findSessions() {
          return (this.sessions);
      }
  
      /**
       * Gets the name of the authentication type originally used to authenticate
       * the user associated with the SSO.
       *
       * @return "BASIC", "CLIENT-CERT", "DIGEST", "FORM" or "NONE"
       */
      String getAuthType() {
          return (this.authType);
      }
  
      /**
       * Gets whether the authentication type associated with the original
       * authentication supports reauthentication.
       *
       * @return  <code>true</code> if <code>getAuthType</code> returns
       *          "BASIC" or "FORM", <code>false</code> otherwise.
       */
      boolean getCanReauthenticate() {
          return (this.canReauthenticate);
      }
  
      /**
       * Gets the password credential (if any) associated with the SSO.
       *
       * @return  the password credential associated with the SSO, or
       *          <code>null</code> if the original authentication type
       *          does not involve a password.
       */
      String getPassword() {
          return (this.password);
      }
  
      /**
       * Gets the <code>Principal</code> that has been authenticated by
       * the SSO.
       */
      Principal getPrincipal() {
          return (this.principal);
      }
  
      /**
       * Gets the username provided by the user as part of the authentication
       * process.
       */
      String getUsername() {
          return (this.username);
      }
  
  
      /**
       * Updates the SingleSignOnEntry to reflect the latest security
       * information associated with the caller.
       *
       * @param principal the <code>Principal</code> returned by the latest
       *                  call to <code>Realm.authenticate</code>.
       * @param authType  the type of authenticator used (BASIC, CLIENT-CERT,
       *                  DIGEST or FORM)
       * @param username  the username (if any) used for the authentication
       * @param password  the password (if any) used for the authentication
       */
      void updateCredentials(Principal principal, String authType,
                  String username, String password) {
  
          this.principal = principal;
          this.authType = authType;
          this.username = username;
          this.password = password;
          this.canReauthenticate =
              (Constants.BASIC_METHOD.equals(authType)
                  || Constants.FORM_METHOD.equals(authType));
      }
  
  }
  
  
  

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message