java.lang.Object
org.apache.catalina.valves.ValveBase
org.apache.catalina.authenticator.SingleSignOn
Host
). Realm that contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
org.apache.catalina.authenticator package.
Field Summary
protected HashMap
protected int
protected static String
protected LifecycleSupport
protected HashMap
protected static StringManager
protected boolean
Fields inherited from class org.apache.catalina.valves.ValveBase
container, controller, debug, domain, info, mserver, oname, sm
Fields inherited from interface org.apache.catalina.Lifecycle
AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, START_EVENT, STOP_EVENT
Methods inherited from class org.apache.catalina.valves.ValveBase
createObjectName, getContainer, getContainerName, getController, getDebug, getDomain, getInfo, getObjectName, getParentName, invoke, postDeregister, postRegister, preDeregister, preRegister, setContainer, setController, setDebug, setObjectName
protected HashMap cache
The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.
protected int debug
The debugging detail level for this component.
protected static String info
Descriptive information about this Valve implementation.
protected HashMap reverse
The cache of single sign on identifiers, keyed by the Session that is associated with them.
protected boolean started
Component started flag.
public void addLifecycleListener(LifecycleListener listener)
Add a lifecycle event listener to this component.
- Specified by:
  addLifecycleListener in interface Lifecycle
- Parameters:
  listener - The listener to add
protected void associate(String ssoId, Session session)
Associate the specified single sign on identifier with the specified Session.
- Parameters:
  ssoId - Single sign on identifier
  session - Session to be associated
protected void deregister(String ssoId)
Deregister the specified single sign on identifier, and invalidate any associated sessions.
- Parameters:
  ssoId - Single sign on identifier to deregister
protected void deregister(String ssoId, Session session)
Deregister the specified session. If it is the last session, then also get rid of the single sign on identifier.
- Parameters:
  ssoId - Single sign on identifier
  session - Session to be deregistered
public LifecycleListener[] findLifecycleListeners()
Get the lifecycle listeners associated with this lifecycle. If this Lifecycle has no listeners registered, a zero-length array is returned.
- Specified by:
  findLifecycleListeners in interface Lifecycle
public int getDebug()
Return the debugging detail level.
- Overrides:
  getDebug in interface ValveBase
public String getInfo()
Return descriptive information about this Valve implementation.
- Overrides:
  getInfo in interface ValveBase
public boolean getRequireReauthentication()
Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with the Realm.
- Returns:
  true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
- See Also:
  setRequireReauthentication(boolean)
public void invoke(Request request, Response response, ValveContext context) throws IOException, ServletException
Perform single-sign-on support processing for this request.
- Overrides:
  invoke in interface ValveBase
- Parameters:
  request - The servlet request we are processing
  response - The servlet response we are creating
  context - The valve context used to invoke the next valve in the current processing pipeline
protected void log(String message)
Log a message on the Logger associated with our Container (if any).
- Parameters:
  message - Message to be logged
protected void log(String message, Throwable throwable)
Log a message on the Logger associated with our Container (if any).
- Parameters:
  message - Message to be logged
  throwable - Associated exception
protected SingleSignOnEntry lookup(String ssoId)
Look up and return the cached SingleSignOn entry associated with this sso id value, if there is one; otherwise return null.
- Parameters:
  ssoId - Single sign on identifier to look up
protected boolean reauthenticate(String ssoId, Realm realm, HttpRequest request)
Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId. If reauthentication is successful, the Principal and authorization type associated with the SSO session will be bound to the given HttpRequest object via calls to HttpRequest.setAuthType() and HttpRequest.setUserPrincipal().
- Parameters:
  ssoId - identifier of SingleSignOn session with which the caller is associated
  realm - Realm implementation against which the caller is to be authenticated
  request - the request that needs to be authenticated
- Returns:
  true if reauthentication was successful, false otherwise.
protected void register(String ssoId, Principal principal, String authType, String username, String password)
Register the specified Principal as being associated with the specified value for the single sign on identifier.
- Parameters:
  ssoId - Single sign on identifier to register
  principal - Associated user principal that is identified
  authType - Authentication type used to authenticate this user principal
  username - Username used to authenticate this user
  password - Password used to authenticate this user
public void removeLifecycleListener(LifecycleListener listener)
Remove a lifecycle event listener from this component.
- Specified by:
  removeLifecycleListener in interface Lifecycle
- Parameters:
  listener - The listener to remove
protected void removeSession(String ssoId, Session session)
Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.
- Parameters:
  ssoId - Single sign on identifier from which to remove the session.
  session - the session to be removed.
public void sessionEvent(SessionEvent event)
Acknowledge the occurrence of the specified event.
- Specified by:
  sessionEvent in interface SessionListener
- Parameters:
  event - SessionEvent that has occurred
public void setDebug(int debug)
Set the debugging detail level.
- Overrides:
  setDebug in interface ValveBase
- Parameters:
  debug - The new debugging detail level
public void setRequireReauthentication(boolean required)
Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm.
If this property is false (the default), this Valve will bind a UserPrincipal and AuthType to the request if a valid SSO entry is associated with the request. It will not notify the security Realm of the incoming request.
This property should be set to true if the overall server configuration requires that the Realm reauthenticate each request thread. An example of such a configuration would be one where the Realm implementation provides security for both a web tier and an associated EJB tier, and needs to set security credentials on each request thread in order to support EJB access.
If this property is set to true, this Valve will set flags on the request notifying the downstream Authenticator that the request is associated with an SSO session. The Authenticator will then call its reauthenticateFromSSO method to attempt to reauthenticate the request to the Realm, using any credentials that were cached with this Valve.
The default value of this property is false, in order to maintain backward compatibility with previous versions of Tomcat.
- Parameters:
  required - true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
public void start() throws LifecycleException
Prepare for the beginning of active use of the public methods of this component. This method should be called after configure(), and before any of the public methods of the component are utilized.
- Throws:
  LifecycleException - if this component detects a fatal error that prevents this component from being used
public void stop() throws LifecycleException
Gracefully terminate the active use of the public methods of this component. This method should be the last one called on a given instance of this component.
- Throws:
  LifecycleException - if this component detects a fatal error that needs to be reported
public String toString()
Return a String rendering of this object.
protected void update(String ssoId, Principal principal, String authType, String username, String password)
Updates any SingleSignOnEntry found under key ssoId with the given authentication data.
The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT-CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.
NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.
- Parameters:
  ssoId - identifier of Single sign on to be updated
  principal - the Principal returned by the latest call to Realm.authenticate.
  authType - the type of authenticator used (BASIC, CLIENT-CERT, DIGEST or FORM)
  username - the username (if any) used for the authentication
  password - the password (if any) used for the authentication
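Added illustration, not Tomcat source: a self-contained Java model of the behaviour documented above for update() and for setRequireReauthentication(boolean). The names SsoModel, Entry and handle, and the rule that an entry can reauthenticate only when it holds BASIC or FORM credentials, are assumptions made for this sketch.

```java
import java.util.HashMap;
import java.util.Map;

// Added model of the documented behaviour; all names here are hypothetical.
public class SsoModel {
    static class Entry {
        String authType, username, password;
        // Assumption: reauthentication needs cached credentials, which only
        // BASIC and FORM logins supply (DIGEST and CLIENT-CERT do not).
        boolean canReauthenticate() {
            return username != null && password != null
                && ("BASIC".equals(authType) || "FORM".equals(authType));
        }
    }

    final Map<String, Entry> cache = new HashMap<>(); // keyed by SSO cookie value
    boolean requireReauthentication = false;          // documented default

    void register(String ssoId, String authType, String user, String pass) {
        cache.put(ssoId, new Entry());
        update(ssoId, authType, user, pass);
    }

    // Documented rule: update only while the entry cannot yet reauthenticate.
    void update(String ssoId, String authType, String user, String pass) {
        Entry e = cache.get(ssoId);
        if (e != null && !e.canReauthenticate()) {
            e.authType = authType; e.username = user; e.password = pass;
        }
    }

    // What happens to a request that carries this SSO cookie value.
    String handle(String ssoId) {
        Entry e = cache.get(ssoId);
        if (e == null) return "no SSO entry: normal authentication";
        if (!requireReauthentication) return "valve binds principal, Realm not consulted";
        return e.canReauthenticate()
            ? "authenticator reauthenticates to the Realm with cached credentials"
            : "reauthentication not possible: no cached credentials";
    }

    public static void main(String[] args) {
        SsoModel sso = new SsoModel();
        sso.register("id1", "CLIENT-CERT", null, null);   // constructed sample data
        System.out.println(sso.handle("id1"));
        sso.requireReauthentication = true;
        System.out.println(sso.handle("id1"));
        sso.update("id1", "FORM", "alice", "example-password");
        System.out.println(sso.handle("id1"));
        sso.update("id1", "BASIC", "bob", "other");       // ignored: entry can already reauthenticate
        System.out.println(sso.cache.get("id1").username);
    }
}
```

With the default setting the Realm never sees requests that ride on an existing SSO entry, so account changes made in the Realm after login are not rechecked per request; enabling reauthentication means the valve must hold a reusable username and password in its cache.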