/*
* $Header: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/JAASRealm.java,v 1.4 2003/10/06 09:19:40 remm Exp $
* $Revision: 1.4 $
* $Date: 2003/10/06 09:19:40 $
*
* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2001-2002 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. The end-user documentation included with the redistribution, if
* any, must include the following acknowlegement:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowlegement may appear in the software itself,
* if and wherever such third-party acknowlegements normally appear.
*
* 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
* Foundation" must not be used to endorse or promote products derived
* from this software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
* [Additional notices, if required by prior licensing conditions]
*
*/
package org.apache.catalina.realm;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.catalina.Container;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.util.StringManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
/**
* <p>Implmentation of <b>Realm</b> that authenticates users via the <em>Java
* Authentication and Authorization Service</em> (JAAS). JAAS support requires
* either JDK 1.4 (which includes it as part of the standard platform) or
* JDK 1.3 (with the plug-in <code>jaas.jar</code> file).</p>
*
* <p>The value configured for the <code>appName</code> property is passed to
* the <code>javax.security.auth.login.LoginContext</code> constructor, to
* specify the <em>application name</em> used to select the set of relevant
* <code>LoginModules</code> required.</p>
*
* <p>The JAAS Specification describes the result of a successful login as a
* <code>javax.security.auth.Subject</code> instance, which can contain zero
* or more <code>java.security.Principal</code> objects in the return value
* of the <code>Subject.getPrincipals()</code> method. However, it provides
* no guidance on how to distinguish Principals that describe the individual
* user (and are thus appropriate to return as the value of
* request.getUserPrincipal() in a web application) from the Principal(s)
* that describe the authorized roles for this user. To maintain as much
* independence as possible from the underlying <code>LoginMethod</code>
* implementation executed by JAAS, the following policy is implemented by
* this Realm:</p>
* <ul>
* <li>The JAAS <code>LoginModule</code> is assumed to return a
* <code>Subject with at least one <code>Principal</code> instance
* representing the user himself or herself, and zero or more separate
* <code>Principals</code> representing the security roles authorized
* for this user.</li>
* <li>On the <code>Principal</code> representing the user, the Principal
* name is an appropriate value to return via the Servlet API method
* <code>HttpServletRequest.getRemoteUser()</code>.</li>
* <li>On the <code>Principals</code> representing the security roles, the
* name is the name of the authorized security role.</li>
* <li>This Realm will be configured with two lists of fully qualified Java
* class names of classes that implement
* <code>java.security.Principal</code> - one that identifies class(es)
* representing a user, and one that identifies class(es) representing
* a security role.</li>
* <li>As this Realm iterates over the <code>Principals</code> returned by
* <code>Subject.getPrincipals()</code>, it will identify the first
* <code>Principal</code> that matches the "user classes" list as the
* <code>Principal</code> for this user.</li>
* <li>As this Realm iterates over the <code>Princpals</code> returned by
* <code>Subject.getPrincipals()</code>, it will accumulate the set of
* all <code>Principals</code> matching the "role classes" list as
* identifying the security roles for this user.</li>
* <li>It is a configuration error for the JAAS login method to return a
* validated <code>Subject</code> without a <code>Principal</code> that
* matches the "user classes" list.</li>
* </ul>
*
* @author Craig R. McClanahan
* @version $Revision: 1.4 $ $Date: 2003/10/06 09:19:40 $
*/
public class JAASRealm
extends RealmBase
{
private static Log log = LogFactory.getLog(JAASRealm.class);
// ----------------------------------------------------- Instance Variables
/**
* The application name passed to the JAAS <code>LoginContext</code>,
* which uses it to select the set of relevant <code>LoginModules</code>.
*/
protected String appName = null;
/**
* Descriptive information about this Realm implementation.
*/
protected static final String info =
"org.apache.catalina.realm.JAASRealm/1.0";
/**
* Descriptive information about this Realm implementation.
*/
protected static final String name = "JAASRealm";
/**
* The list of role class names, split out for easy processing.
*/
protected ArrayList roleClasses = new ArrayList();
/**
* The string manager for this package.
*/
protected static final StringManager sm =
StringManager.getManager(Constants.Package);
/**
* The set of user class names, split out for easy processing.
*/
protected ArrayList userClasses = new ArrayList();
// ------------------------------------------------------------- Properties
/**
* setter for the appName member variable
* @deprecated JAAS should use the Engine ( domain ) name and webpp/host overrides
*/
public void setAppName(String name) {
appName = name;
}
/**
* getter for the appName member variable
*/
public String getAppName() {
return appName;
}
public void setContainer(Container container) {
super.setContainer(container);
String name=container.getName();
if( appName==null ) {
appName=name;
log.info("Setting JAAS app name " + appName);
}
}
/**
* Comma-delimited list of <code>javax.security.Principal</code> classes
* that represent security roles.
*/
protected String roleClassNames = null;
public String getRoleClassNames() {
return (this.roleClassNames);
}
public void setRoleClassNames(String roleClassNames) {
this.roleClassNames = roleClassNames;
roleClasses.clear();
String temp = this.roleClassNames;
if (temp == null) {
return;
}
while (true) {
int comma = temp.indexOf(',');
if (comma < 0) {
break;
}
roleClasses.add(temp.substring(0, comma).trim());
temp = temp.substring(comma + 1);
}
temp = temp.trim();
if (temp.length() > 0) {
roleClasses.add(temp);
}
}
/**
* Comma-delimited list of <code>javax.security.Principal</code> classes
* that represent individual users.
*/
protected String userClassNames = null;
public String getUserClassNames() {
return (this.userClassNames);
}
public void setUserClassNames(String userClassNames) {
this.userClassNames = userClassNames;
userClasses.clear();
String temp = this.userClassNames;
if (temp == null) {
return;
}
while (true) {
int comma = temp.indexOf(',');
if (comma < 0) {
break;
}
userClasses.add(temp.substring(0, comma).trim());
temp = temp.substring(comma + 1);
}
temp = temp.trim();
if (temp.length() > 0) {
userClasses.add(temp);
}
}
// --------------------------------------------------------- Public Methods
/**
* Return the Principal associated with the specified username and
* credentials, if there is one; otherwise return <code>null</code>.
*
* If there are any errors with the JDBC connection, executing
* the query or anything we return null (don't authenticate). This
* event is also logged, and the connection will be closed so that
* a subsequent request will automatically re-open it.
*
* @param username Username of the Principal to look up
* @param credentials Password or other credentials to use in
* authenticating this username
*/
public Principal authenticate(String username, String credentials) {
// Establish a LoginContext to use for authentication
try {
LoginContext loginContext = null;
if( appName==null ) appName="Tomcat";
if( log.isDebugEnabled())
log.debug("Authenticating " + appName + " " + username);
// What if the LoginModule is in the container class loader ?
//
ClassLoader ocl=Thread.currentThread().getContextClassLoader();
Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
try {
loginContext = new LoginContext
(appName, new JAASCallbackHandler(this, username,
credentials));
} catch (Throwable e) {
log.error(sm.getString("jaasRealm.unexpectedError"), e);
return (null);
} finally {
Thread.currentThread().setContextClassLoader(ocl);
}
if( log.isDebugEnabled())
log.debug("Login context created " + username);
// Negotiate a login via this LoginContext
Subject subject = null;
try {
loginContext.login();
subject = loginContext.getSubject();
if (subject == null) {
if( log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.failedLogin", username));
return (null);
}
} catch (AccountExpiredException e) {
if (log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.accountExpired", username));
return (null);
} catch (CredentialExpiredException e) {
if (log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.credentialExpired", username));
return (null);
} catch (FailedLoginException e) {
if (log.isDebugEnabled())
log.debug(sm.getString("jaasRealm.failedLogin", username));
return (null);
} catch (LoginException e) {
log.warn(sm.getString("jaasRealm.loginException", username), e);
return (null);
} catch (Throwable e) {
log.error(sm.getString("jaasRealm.unexpectedError"), e);
return (null);
}
if( log.isDebugEnabled())
log.debug("Getting principal " + subject);
// Return the appropriate Principal for this authenticated Subject
Principal principal = createPrincipal(username, subject);
if (principal == null) {
log.debug(sm.getString("jaasRealm.authenticateFailure", username));
return (null);
}
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.authenticateSuccess", username));
}
return (principal);
} catch( Throwable t) {
log.error( "error ", t);
return null;
}
}
// -------------------------------------------------------- Package Methods
// ------------------------------------------------------ Protected Methods
/**
* Return a short name for this Realm implementation.
*/
protected String getName() {
return (this.name);
}
/**
* Return the password associated with the given principal's user name.
*/
protected String getPassword(String username) {
return (null);
}
/**
* Return the Principal associated with the given user name.
*/
protected Principal getPrincipal(String username) {
return (null);
}
/**
* Construct and return a <code>java.security.Principal</code> instance
* representing the authenticated user for the specified Subject. If no
* such Principal can be constructed, return <code>null</code>.
*
* @param subject The Subject representing the logged in user
*/
protected Principal createPrincipal(String username, Subject subject) {
// Prepare to scan the Principals for this Subject
String password = null; // Will not be carried forward
ArrayList roles = new ArrayList();
// Scan the Principals for this Subject
Iterator principals = subject.getPrincipals().iterator();
while (principals.hasNext()) {
Principal principal = (Principal) principals.next();
// No need to look further - that's our own stuff
if( principal instanceof GenericPrincipal ) {
if( log.isDebugEnabled() )
log.debug("Found old GenericPrincipal " + principal );
return principal;
}
String principalClass = principal.getClass().getName();
if( log.isDebugEnabled() )
log.info("Principal: " + principalClass + " " + principal);
if (userClasses.contains(principalClass)) {
// Override the default - which is the original user, accepted by
// the friendly LoginManager
username = principal.getName();
}
if (roleClasses.contains(principalClass)) {
roles.add(principal.getName());
}
// Same as Jboss - that's a pretty clean solution
if( (principal instanceof Group) &&
"Roles".equals( principal.getName())) {
Group grp=(Group)principal;
Enumeration en=grp.members();
while( en.hasMoreElements() ) {
Principal roleP=(Principal)en.nextElement();
roles.add( roleP.getName());
}
}
}
// Create the resulting Principal for our authenticated user
if (username != null) {
return (new GenericPrincipal(this, username, password, roles));
} else {
return (null);
}
}
// ------------------------------------------------------ Lifecycle Methods
/**
*
* Prepare for active use of the public methods of this Component.
*
* @exception LifecycleException if this component detects a fatal error
* that prevents it from being started
*/
public void start() throws LifecycleException {
// Perform normal superclass initialization
super.start();
}
/**
* Gracefully shut down active use of the public methods of this Component.
*
* @exception LifecycleException if this component detects a fatal error
* that needs to be reported
*/
public void stop() throws LifecycleException {
// Perform normal superclass finalization
super.stop();
}
}