Return-Path:
RuleSet for processing the contents of a Realm definition
+ * element. This Add the set of Rule instances defined in this RuleSet to the
+ * specified null
.
+ *
+ * @param username Username of the Principal to look up
+ * @param credentials Password or other credentials to use in
+ * authenticating this username
+ */
+ public Principal authenticate(String username, byte[] credentials) {
+ Principal authenticatedUser = null;
+
+ for (Realm realm : realms) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authStart", username, realm.getInfo()));
+ }
+
+ authenticatedUser = realm.authenticate(username, credentials);
+
+ if (authenticatedUser == null) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authFail", username, realm.getInfo()));
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authSucess", username, realm.getInfo()));
+ }
+ break;
+ }
+ }
+ return authenticatedUser;
+ }
+
+
+ /**
+ * Return the Principal associated with the specified username, which
+ * matches the digest calculated using the given parameters using the
+ * method described in RFC 2069; otherwise return null
.
+ *
+ * @param username Username of the Principal to look up
+ * @param clientDigest Digest which has been submitted by the client
+ * @param nOnce Unique (or supposedly unique) token which has been used
+ * for this request
+ * @param realm Realm name
+ * @param md5a2 Second MD5 digest used to calculate the digest :
+ * MD5(Method + ":" + uri)
+ */
+ public Principal authenticate(String username, String clientDigest,
+ String once, String nc, String cnonce, String qop,
+ String realmName, String md5a2) {
+ Principal authenticatedUser = null;
+
+ for (Realm realm : realms) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authStart", username, realm.getInfo()));
+ }
+
+ authenticatedUser = realm.authenticate(username, clientDigest, once,
+ nc, cnonce, qop, realmName, md5a2);
+
+ if (authenticatedUser == null) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authFail", username, realm.getInfo()));
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authSucess", username, realm.getInfo()));
+ }
+ break;
+ }
+ }
+ return authenticatedUser;
+ }
+
+
+ /**
+ * Return the Principal associated with the specified username and
+ * credentials, if there is one; otherwise return null
.
+ *
+ * @param username Username of the Principal to look up
+ * @param credentials Password or other credentials to use in
+ * authenticating this username
+ */
+ public Principal authenticate(String username, String credentials) {
+ Principal authenticatedUser = null;
+
+ for (Realm realm : realms) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authStart", username, realm.getInfo()));
+ }
+
+ authenticatedUser = realm.authenticate(username, credentials);
+
+ if (authenticatedUser == null) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authFail", username, realm.getInfo()));
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authSucess", username, realm.getInfo()));
+ }
+ break;
+ }
+ }
+ return authenticatedUser;
+ }
+
+
+ /**
+ * Set the Container with which this Realm has been associated.
+ *
+ * @param container The associated Container
+ */
+ public void setContainer(Container container) {
+ // Set the container for sub-realms. Mainly so logging works.
+ for(Realm realm : realms) {
+ realm.setContainer(container);
+ }
+ super.setContainer(container);
+ }
+
+
+ /**
+ * Prepare for the beginning of active use of the public methods of this
+ * component. This method should be called before any of the public
+ * methods of this component are utilized. It should also send a
+ * LifecycleEvent of type START_EVENT to any registered listeners.
+ *
+ * @exception LifecycleException if this component detects a fatal error
+ * that prevents this component from being used
+ */
+ public void start() throws LifecycleException {
+ // Start 'sub-realms' then this one
+ for (Realm realm : realms) {
+ if (realm instanceof Lifecycle) {
+ ((Lifecycle) realm).start();
+ }
+ }
+ super.start();
+ }
+
+
+ /**
+ * Gracefully terminate the active use of the public methods of this
+ * component. This method should be the last one called on a given
+ * instance of this component. It should also send a LifecycleEvent
+ * of type STOP_EVENT to any registered listeners.
+ *
+ * @exception LifecycleException if this component detects a fatal error
+ * that needs to be reported
+ */
+ public void stop() throws LifecycleException {
+ // Stop this realm, then the sub-realms (reverse order to start)
+ super.stop();
+ for (Realm realm : realms) {
+ if (realm instanceof Lifecycle) {
+ ((Lifecycle) realm).stop();
+ }
+ }
+ }
+
+
+ /**
+ * Return the Principal associated with the specified chain of X509
+ * client certificates. If there is none, return null
.
+ *
+ * @param certs Array of client certificates, with the first one in
+ * the array being the certificate of the client itself.
+ */
+ public Principal authenticate(X509Certificate[] certs) {
+ Principal authenticatedUser = null;
+ String username = null;
+ if (certs != null && certs.length >0) {
+ username = certs[0].getSubjectDN().getName();
+ }
+
+ for (Realm realm : realms) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authStart", username, realm.getInfo()));
+ }
+
+ authenticatedUser = realm.authenticate(certs);
+
+ if (authenticatedUser == null) {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authFail", username, realm.getInfo()));
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("combinedRealm.authSucess", username, realm.getInfo()));
+ }
+ break;
+ }
+ }
+ return authenticatedUser;
+ }
+
+ @Override
+ protected String getName() {
+ // This method should never be called
+ // Stack trace will show where this was called from
+ UnsupportedOperationException uoe =
+ new UnsupportedOperationException(
+ sm.getString("combinedRealm.getName"));
+ log.error(sm.getString("combinedRealm.unexpectedMethod"), uoe);
+ throw uoe;
+ }
+
+ @Override
+ protected String getPassword(String username) {
+ // This method should never be called
+ // Stack trace will show where this was called from
+ UnsupportedOperationException uoe =
+ new UnsupportedOperationException(
+ sm.getString("combinedRealm.getPassword"));
+ log.error(sm.getString("combinedRealm.unexpectedMethod"), uoe);
+ throw uoe;
+ }
+
+ @Override
+ protected Principal getPrincipal(String username) {
+ // This method should never be called
+ // Stack trace will show where this was called from
+ UnsupportedOperationException uoe =
+ new UnsupportedOperationException(
+ sm.getString("combinedRealm.getPrincipal"));
+ log.error(sm.getString("combinedRealm.unexpectedMethod"), uoe);
+ throw uoe;
+ }
+
+}
Propchange: tomcat/trunk/java/org/apache/catalina/realm/CombinedRealm.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: tomcat/trunk/java/org/apache/catalina/realm/CombinedRealm.java
------------------------------------------------------------------------------
svn:keywords = Date Revision Author Id
Modified: tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties?rev=691805&r1=691804&r2=691805&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/LocalStrings.properties Wed Sep 3 15:18:39 2008
@@ -85,3 +85,11 @@
dataSourceRealm.getPassword.exception=Exception retrieving password for "{0}"
dataSourceRealm.getRoles.exception=Exception retrieving roles for "{0}"
dataSourceRealm.open=Exception opening database connection
+combinedRealm.unexpectedMethod=An unexpected call was made to a method on the combined realm
+combinedRealm.getName=The getName() method should never be called
+combinedRealm.getPassword=The getPassword() method should never be called
+combinedRealm.getPrincipal=The getPrincipal() method should never be called
+combinedRealm.authStart=Attempting to authenticate user "{0}" with realm "{1}"
+combinedRealm.authFailed=Failed to authenticate user "{0}" with realm "{1}"
+combinedRealm.authSucess=Authenticated user "{0}" with realm "{1}"
+combinedRealm.addRealm=Add "{0}" realm, making a total of "{1}" realms
\ No newline at end of file
Modified: tomcat/trunk/java/org/apache/catalina/startup/ContextRuleSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/ContextRuleSet.java?rev=691805&r1=691804&r2=691805&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/ContextRuleSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/ContextRuleSet.java Wed Sep 3 15:18:39 2008
@@ -170,13 +170,7 @@
"addApplicationParameter",
"org.apache.catalina.deploy.ApplicationParameter");
- digester.addObjectCreate(prefix + "Context/Realm",
- null, // MUST be specified in the element
- "className");
- digester.addSetProperties(prefix + "Context/Realm");
- digester.addSetNext(prefix + "Context/Realm",
- "setRealm",
- "org.apache.catalina.Realm");
+ digester.addRuleSet(new RealmRuleSet(prefix + "Context/"));
digester.addObjectCreate(prefix + "Context/Resources",
"org.apache.naming.resources.FileDirContext",
Modified: tomcat/trunk/java/org/apache/catalina/startup/EngineRuleSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/EngineRuleSet.java?rev=691805&r1=691804&r2=691805&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/EngineRuleSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/EngineRuleSet.java Wed Sep 3 15:18:39 2008
@@ -121,13 +121,7 @@
"org.apache.catalina.LifecycleListener");
- digester.addObjectCreate(prefix + "Engine/Realm",
- null, // MUST be specified in the element
- "className");
- digester.addSetProperties(prefix + "Engine/Realm");
- digester.addSetNext(prefix + "Engine/Realm",
- "setRealm",
- "org.apache.catalina.Realm");
+ digester.addRuleSet(new RealmRuleSet(prefix + "Engine/"));
digester.addObjectCreate(prefix + "Engine/Valve",
null, // MUST be specified in the element
Modified: tomcat/trunk/java/org/apache/catalina/startup/HostRuleSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/HostRuleSet.java?rev=691805&r1=691804&r2=691805&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/HostRuleSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/startup/HostRuleSet.java Wed Sep 3 15:18:39 2008
@@ -124,13 +124,7 @@
"addLifecycleListener",
"org.apache.catalina.LifecycleListener");
- digester.addObjectCreate(prefix + "Host/Realm",
- null, // MUST be specified in the element
- "className");
- digester.addSetProperties(prefix + "Host/Realm");
- digester.addSetNext(prefix + "Host/Realm",
- "setRealm",
- "org.apache.catalina.Realm");
+ digester.addRuleSet(new RealmRuleSet(prefix + "Host/"));
digester.addObjectCreate(prefix + "Host/Valve",
null, // MUST be specified in the element
Added: tomcat/trunk/java/org/apache/catalina/startup/RealmRuleSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/startup/RealmRuleSet.java?rev=691805&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/startup/RealmRuleSet.java (added)
+++ tomcat/trunk/java/org/apache/catalina/startup/RealmRuleSet.java Wed Sep 3 15:18:39 2008
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+package org.apache.catalina.startup;
+
+
+import org.apache.tomcat.util.digester.Digester;
+import org.apache.tomcat.util.digester.RuleSetBase;
+
+
+/**
+ * RuleSet
supports Realms such as the
+ * CombinedRealm
that used nested Realms.RuleSet
with the default
+ * matching pattern prefix.
+ */
+ public RealmRuleSet() {
+
+ this("");
+
+ }
+
+
+ /**
+ * Construct an instance of this RuleSet
with the specified
+ * matching pattern prefix.
+ *
+ * @param prefix Prefix for matching pattern rules (including the
+ * trailing slash character)
+ */
+ public RealmRuleSet(String prefix) {
+
+ super();
+ this.namespaceURI = null;
+ this.prefix = prefix;
+
+ }
+
+
+ // --------------------------------------------------------- Public Methods
+
+
+ /**
+ * Digester
instance, associating them with
+ * our namespace URI (if any). This method should only be called
+ * by a Digester instance.
CombinedRealm is an implementation of the Tomcat 6
+ Realm
interface that authenticates users through one or more
+ sub-Realms.
Using CombinedRealm gives the developer the ability to combine multiple + Realms of the same or different types. This can be used to authenticate + against different sources, provide fall back in case one Realm fails or for + any other purpose that requires multiple Realms.
+ +Sub-realms are defined by nesting Realm
elements inside the
+ Realm
element that defines the CombinedRealm. Authentication
+ will be attempted against each Realm
in the order they are
+ listed. Authentication against any Realm will be sufficient to authenticate
+ the user.
The Combined Realm implementation does not support any additional + attributes.
+ +See the Container-Managed Security + Guide for more information on setting up container managed security + using the Combined Realm component.
+ @@ -573,7 +597,14 @@No components may be nested inside a Realm element.
+If you are using the Combined Realm Implementation + <Realm> elements may be nested inside it.
+ +No other Realm implementation supports nested components.
CombinedRealm is an implementation of the Tomcat 6
+ Realm
interface that authenticates users through one or more
+ sub-Realms.
Using CombinedRealm gives the developer the ability to combine multiple + Realms of the same or different types. This can be used to authenticate + against different sources, provide fall back in case one Realm fails or for + any other purpose that requires multiple Realms.
+ +Sub-realms are defined by nesting Realm
elements inside the
+ Realm
element that defines the CombinedRealm. Authentication
+ will be attempted against each Realm
in the order they are
+ listed. Authentication against any Realm will be sufficient to authenticate
+ the user.
To configure CombinedRealm, you create a <Realm>
+ element and nest it in your $CATALINA_BASE/conf/server.xml
+ file within your <Engine>
or <Host>
.
+ You can also nest inside a <Context>
node in a
+ context.xml
file. The following attributes are supported by
+ this implementation:
The fully qualified Java class name of this Realm implementation.
+ You MUST specify the value
+ "org.apache.catalina.realm.CombinedRealm
" here.
Here is an example of how your server.xml snippet should look to use a +UserDatabase Realm and a DataSource Realm.
+ + + +