| Method from org.apache.catalina.realm.RealmBase Detail: |
|---|
 public static final String Digest(String credentials,
String algorithm,
String encoding) {
try {
// Obtain a new message digest with "digest" encryption
MessageDigest md =
(MessageDigest) MessageDigest.getInstance(algorithm).clone();
// encode the credentials
// Should use the digestEncoding, but that's not a static field
if (encoding == null) {
md.update(credentials.getBytes());
} else {
md.update(credentials.getBytes(encoding));
}
// Digest the credentials and return as hexadecimal
return (HexUtils.convert(md.digest()));
} catch(Exception ex) {
log.error(ex);
return credentials;
}
}
Digest password using the algorithm especificied and
convert the result to a corresponding hex string.
If exception, the plain credentials string is returned |
public void addLifecycleListener(LifecycleListener listener) {
lifecycle.addLifecycleListener(listener);
} Add a lifecycle event listener to this component. |
public void addPropertyChangeListener(PropertyChangeListener listener) {
support.addPropertyChangeListener(listener);
} Add a property change listener to this component. |
public Principal authenticate(X509Certificate[] certs) {
if ((certs == null) || (certs.length < 1))
return (null);
// Check the validity of each certificate in the chain
if (log.isDebugEnabled())
log.debug("Authenticating client certificate chain");
if (validate) {
for (int i = 0; i < certs.length; i++) {
if (log.isDebugEnabled())
log.debug(" Checking validity for '" +
certs[i].getSubjectDN().getName() + "'");
try {
certs[i].checkValidity();
} catch (Exception e) {
if (log.isDebugEnabled())
log.debug(" Validity exception", e);
return (null);
}
}
}
// Check the existence of the client Principal in our database
return (getPrincipal(certs[0]));
} Return the Principal associated with the specified chain of X509
client certificates. If there is none, return null. |
public Principal authenticate(String username,
String credentials) {
String serverCredentials = getPassword(username);
boolean validated ;
if ( serverCredentials == null ) {
validated = false;
} else if(hasMessageDigest()) {
validated = serverCredentials.equalsIgnoreCase(digest(credentials));
} else {
validated = serverCredentials.equals(credentials);
}
if(! validated ) {
if (containerLog.isTraceEnabled()) {
containerLog.trace(sm.getString("realmBase.authenticateFailure",
username));
}
return null;
}
if (containerLog.isTraceEnabled()) {
containerLog.trace(sm.getString("realmBase.authenticateSuccess",
username));
}
return getPrincipal(username);
} Return the Principal associated with the specified username and
credentials, if there is one; otherwise return null. |
public Principal authenticate(String username,
byte[] credentials) {
return (authenticate(username, credentials.toString()));
} Return the Principal associated with the specified username and
credentials, if there is one; otherwise return null. |
public Principal authenticate(String username,
String clientDigest,
String nOnce,
String nc,
String cnonce,
String qop,
String realm,
String md5a2) {
String md5a1 = getDigest(username, realm);
if (md5a1 == null)
return null;
String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
+ cnonce + ":" + qop + ":" + md5a2;
byte[] valueBytes = null;
if(getDigestEncoding() == null) {
valueBytes = serverDigestValue.getBytes();
} else {
try {
valueBytes = serverDigestValue.getBytes(getDigestEncoding());
} catch (UnsupportedEncodingException uee) {
log.error("Illegal digestEncoding: " + getDigestEncoding(), uee);
throw new IllegalArgumentException(uee.getMessage());
}
}
String serverDigest = null;
// Bugzilla 32137
synchronized(md5Helper) {
serverDigest = md5Encoder.encode(md5Helper.digest(valueBytes));
}
if (log.isDebugEnabled()) {
log.debug("Digest : " + clientDigest + " Username:" + username
+ " ClientSigest:" + clientDigest + " nOnce:" + nOnce
+ " nc:" + nc + " cnonce:" + cnonce + " qop:" + qop
+ " realm:" + realm + "md5a2:" + md5a2
+ " Server digest:" + serverDigest);
}
if (serverDigest.equals(clientDigest))
return getPrincipal(username);
else
return null;
} Return the Principal associated with the specified username, which
matches the digest calculated using the given parameters using the
method described in RFC 2069; otherwise return null. |
public void backgroundProcess() {
} Execute a periodic task, such as reloading, etc. This method will be
invoked inside the classloading context of this container. Unexpected
throwables will be caught and logged. |
public void destroy() {
// unregister this realm
if ( oname!=null ) {
try {
Registry.getRegistry(null, null).unregisterComponent(oname);
if(log.isDebugEnabled())
log.debug( "unregistering realm " + oname );
} catch( Exception ex ) {
log.error( "Can't unregister realm " + oname, ex);
}
}
} |
protected String digest(String credentials) {
// If no MessageDigest instance is specified, return unchanged
if (hasMessageDigest() == false)
return (credentials);
// Digest the user credentials and return as hexadecimal
synchronized (this) {
try {
md.reset();
byte[] bytes = null;
if(getDigestEncoding() == null) {
bytes = credentials.getBytes();
} else {
try {
bytes = credentials.getBytes(getDigestEncoding());
} catch (UnsupportedEncodingException uee) {
log.error("Illegal digestEncoding: " + getDigestEncoding(), uee);
throw new IllegalArgumentException(uee.getMessage());
}
}
md.update(bytes);
return (HexUtils.convert(md.digest()));
} catch (Exception e) {
log.error(sm.getString("realmBase.digest"), e);
return (credentials);
}
}
} Digest the password using the specified algorithm and
convert the result to a corresponding hexadecimal string.
If exception, the plain credentials string is returned. |
public LifecycleListener[] findLifecycleListeners() {
return lifecycle.findLifecycleListeners();
} Get the lifecycle listeners associated with this lifecycle. If this
Lifecycle has no listeners registered, a zero-length array is returned. |
public SecurityConstraint[] findSecurityConstraints(Request request,
Context context) {
ArrayList< SecurityConstraint > results = null;
// Are there any defined security constraints?
SecurityConstraint constraints[] = context.findConstraints();
if ((constraints == null) || (constraints.length == 0)) {
if (log.isDebugEnabled())
log.debug(" No applicable constraints defined");
return (null);
}
// Check each defined security constraint
String uri = request.getRequestPathMB().toString();
String method = request.getMethod();
int i;
boolean found = false;
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
// If collection is null, continue to avoid an NPE
// See Bugzilla 30624
if ( collection == null) {
continue;
}
if (log.isDebugEnabled()) {
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " -- > " +
constraints[i].included(uri, method));
}
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
// If patterns is null, continue to avoid an NPE
// See Bugzilla 30624
if ( patterns == null) {
continue;
}
for(int k=0; k < patterns.length; k++) {
if(uri.equals(patterns[k])) {
found = true;
if(collection[j].findMethod(method)) {
if(results == null) {
results = new ArrayList< SecurityConstraint >();
}
results.add(constraints[i]);
}
}
}
}
}
if(found) {
return resultsToArray(results);
}
int longest = -1;
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
// If collection is null, continue to avoid an NPE
// See Bugzilla 30624
if ( collection == null) {
continue;
}
if (log.isDebugEnabled()) {
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " -- > " +
constraints[i].included(uri, method));
}
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
// If patterns is null, continue to avoid an NPE
// See Bugzilla 30624
if ( patterns == null) {
continue;
}
boolean matched = false;
int length = -1;
for(int k=0; k < patterns.length; k++) {
String pattern = patterns[k];
if(pattern.startsWith("/") && pattern.endsWith("/*") &&
pattern.length() >= longest) {
if(pattern.length() == 2) {
matched = true;
length = pattern.length();
} else if(pattern.regionMatches(0,uri,0,
pattern.length()-1) ||
(pattern.length()-2 == uri.length() &&
pattern.regionMatches(0,uri,0,
pattern.length()-2))) {
matched = true;
length = pattern.length();
}
}
}
if(matched) {
found = true;
if(length > longest) {
if(results != null) {
results.clear();
}
longest = length;
}
if(collection[j].findMethod(method)) {
if(results == null) {
results = new ArrayList< SecurityConstraint >();
}
results.add(constraints[i]);
}
}
}
}
if(found) {
return resultsToArray(results);
}
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
// If collection is null, continue to avoid an NPE
// See Bugzilla 30624
if ( collection == null) {
continue;
}
if (log.isDebugEnabled()) {
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " -- > " +
constraints[i].included(uri, method));
}
boolean matched = false;
int pos = -1;
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
// If patterns is null, continue to avoid an NPE
// See Bugzilla 30624
if ( patterns == null) {
continue;
}
for(int k=0; k < patterns.length && !matched; k++) {
String pattern = patterns[k];
if(pattern.startsWith("*.")){
int slash = uri.lastIndexOf("/");
int dot = uri.lastIndexOf(".");
if(slash >= 0 && dot > slash &&
dot != uri.length()-1 &&
uri.length()-dot == pattern.length()-1) {
if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) {
matched = true;
pos = j;
}
}
}
}
}
if(matched) {
found = true;
if(collection[pos].findMethod(method)) {
if(results == null) {
results = new ArrayList< SecurityConstraint >();
}
results.add(constraints[i]);
}
}
}
if(found) {
return resultsToArray(results);
}
for (i = 0; i < constraints.length; i++) {
SecurityCollection [] collection = constraints[i].findCollections();
// If collection is null, continue to avoid an NPE
// See Bugzilla 30624
if ( collection == null) {
continue;
}
if (log.isDebugEnabled()) {
log.debug(" Checking constraint '" + constraints[i] +
"' against " + method + " " + uri + " -- > " +
constraints[i].included(uri, method));
}
for(int j=0; j < collection.length; j++){
String [] patterns = collection[j].findPatterns();
// If patterns is null, continue to avoid an NPE
// See Bugzilla 30624
if ( patterns == null) {
continue;
}
boolean matched = false;
for(int k=0; k < patterns.length && !matched; k++) {
String pattern = patterns[k];
if(pattern.equals("/")){
matched = true;
}
}
if(matched) {
if(results == null) {
results = new ArrayList< SecurityConstraint >();
}
results.add(constraints[i]);
}
}
}
if(results == null) {
// No applicable security constraint was found
if (log.isDebugEnabled())
log.debug(" No applicable constraint located");
}
return resultsToArray(results);
} Return the SecurityConstraints configured to guard the request URI for
this request, or null if there is no such constraint. |
public String getAllRolesMode() {
return allRolesMode.toString();
} Return the all roles mode. |
public Container getContainer() {
// ------------------------------------------------------------- Properties
return (container);
} Return the Container with which this Realm has been associated. |
public ObjectName getController() {
return controller;
} |
public String getDigest() {
return digest;
} Return the digest algorithm used for storing credentials. |
protected String getDigest(String username,
String realmName) {
if (md5Helper == null) {
try {
md5Helper = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) {
log.error("Couldn't get MD5 digest: ", e);
throw new IllegalStateException(e.getMessage());
}
}
if (hasMessageDigest()) {
// Use pre-generated digest
return getPassword(username);
}
String digestValue = username + ":" + realmName + ":"
+ getPassword(username);
byte[] valueBytes = null;
if(getDigestEncoding() == null) {
valueBytes = digestValue.getBytes();
} else {
try {
valueBytes = digestValue.getBytes(getDigestEncoding());
} catch (UnsupportedEncodingException uee) {
log.error("Illegal digestEncoding: " + getDigestEncoding(), uee);
throw new IllegalArgumentException(uee.getMessage());
}
}
byte[] digest = null;
// Bugzilla 32137
synchronized(md5Helper) {
digest = md5Helper.digest(valueBytes);
}
return md5Encoder.encode(digest);
} Return the digest associated with given principal's user name. |
public String getDigestEncoding() {
return digestEncoding;
} Returns the digest encoding charset. |
public String getDomain() {
return domain;
} |
public String getInfo() {
return info;
} Return descriptive information about this Realm implementation and
the corresponding version number, in the format
<description>/<version>. |
 abstract protected String getName()
Return a short name for this Realm implementation, for use in
log messages. |
public ObjectName getObjectName() {
return oname;
} |
abstract protected String getPassword(String username) Return the password associated with the given principal's user name. |
protected Principal getPrincipal(X509Certificate usercert) {
return(getPrincipal(usercert.getSubjectDN().getName()));
} Return the Principal associated with the given certificate. |
abstract protected Principal getPrincipal(String username) Return the Principal associated with the given user name. |
public String getType() {
return type;
} |
public boolean getValidate() {
return (this.validate);
} Return the "validate certificate chains" flag. |
protected boolean hasMessageDigest() {
return !(md == null);
} |
public boolean hasResourcePermission(Request request,
Response response,
SecurityConstraint[] constraints,
Context context) throws IOException {
if (constraints == null || constraints.length == 0)
return (true);
// Specifically allow access to the form login and form error pages
// and the "j_security_check" action
LoginConfig config = context.getLoginConfig();
if ((config != null) &&
(Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
String requestURI = request.getRequestPathMB().toString();
String loginPage = config.getLoginPage();
if (loginPage.equals(requestURI)) {
if (log.isDebugEnabled())
log.debug(" Allow access to login page " + loginPage);
return (true);
}
String errorPage = config.getErrorPage();
if (errorPage.equals(requestURI)) {
if (log.isDebugEnabled())
log.debug(" Allow access to error page " + errorPage);
return (true);
}
if (requestURI.endsWith(Constants.FORM_ACTION)) {
if (log.isDebugEnabled())
log.debug(" Allow access to username/password submission");
return (true);
}
}
// Which user principal have we already authenticated?
Principal principal = request.getPrincipal();
boolean status = false;
boolean denyfromall = false;
for(int i=0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String roles[];
if (constraint.getAllRoles()) {
// * means all roles defined in web.xml
roles = request.getContext().findSecurityRoles();
} else {
roles = constraint.findAuthRoles();
}
if (roles == null)
roles = new String[0];
if (log.isDebugEnabled())
log.debug(" Checking roles " + principal);
if (roles.length == 0 && !constraint.getAllRoles()) {
if(constraint.getAuthConstraint()) {
if( log.isDebugEnabled() )
log.debug("No roles ");
status = false; // No listed roles means no access at all
denyfromall = true;
} else {
if(log.isDebugEnabled())
log.debug("Passing all access");
return (true);
}
} else if (principal == null) {
if (log.isDebugEnabled())
log.debug(" No user authenticated, cannot grant access");
status = false;
} else if(!denyfromall) {
for (int j = 0; j < roles.length; j++) {
if (hasRole(principal, roles[j]))
status = true;
if( log.isDebugEnabled() )
log.debug( "No role found: " + roles[j]);
}
}
}
if (allRolesMode != AllRolesMode.STRICT_MODE && !status && principal != null) {
if (log.isDebugEnabled()) {
log.debug("Checking for all roles mode: " + allRolesMode);
}
// Check for an all roles(role-name="*")
for (int i = 0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String roles[];
// If the all roles mode exists, sets
if (constraint.getAllRoles()) {
if (allRolesMode == AllRolesMode.AUTH_ONLY_MODE) {
if (log.isDebugEnabled()) {
log.debug("Granting access for role-name=*, auth-only");
}
status = true;
break;
}
// For AllRolesMode.STRICT_AUTH_ONLY_MODE there must be zero roles
roles = request.getContext().findSecurityRoles();
if (roles.length == 0 && allRolesMode == AllRolesMode.STRICT_AUTH_ONLY_MODE) {
if (log.isDebugEnabled()) {
log.debug("Granting access for role-name=*, strict auth-only");
}
status = true;
break;
}
}
}
}
// Return a "Forbidden" message denying access to this resource
if(!status) {
response.sendError
(HttpServletResponse.SC_FORBIDDEN,
sm.getString("realmBase.forbidden"));
}
return status;
} Perform access control based on the specified authorization constraint.
Return true if this constraint is satisfied and processing
should continue, or false otherwise. |
public boolean hasRole(Principal principal,
String role) {
// Should be overriten in JAASRealm - to avoid pretty inefficient conversions
if ((principal == null) || (role == null) ||
!(principal instanceof GenericPrincipal))
return (false);
GenericPrincipal gp = (GenericPrincipal) principal;
if (!(gp.getRealm() == this)) {
if(log.isDebugEnabled())
log.debug("Different realm " + this + " " + gp.getRealm());// return (false);
}
boolean result = gp.hasRole(role);
if (log.isDebugEnabled()) {
String name = principal.getName();
if (result)
log.debug(sm.getString("realmBase.hasRoleSuccess", name, role));
else
log.debug(sm.getString("realmBase.hasRoleFailure", name, role));
}
return (result);
} Return true if the specified Principal has the specified
security role, within the context of this Realm; otherwise return
false. This method can be overridden by Realm
implementations, but the default is adequate when an instance of
GenericPrincipal is used to represent authenticated
Principals from this Realm. |
public boolean hasUserDataPermission(Request request,
Response response,
SecurityConstraint[] constraints) throws IOException {
// Is there a relevant user data constraint?
if (constraints == null || constraints.length == 0) {
if (log.isDebugEnabled())
log.debug(" No applicable security constraint defined");
return (true);
}
for(int i=0; i < constraints.length; i++) {
SecurityConstraint constraint = constraints[i];
String userConstraint = constraint.getUserConstraint();
if (userConstraint == null) {
if (log.isDebugEnabled())
log.debug(" No applicable user data constraint defined");
return (true);
}
if (userConstraint.equals(Constants.NONE_TRANSPORT)) {
if (log.isDebugEnabled())
log.debug(" User data constraint has no restrictions");
return (true);
}
}
// Validate the request against the user data constraint
if (request.getRequest().isSecure()) {
if (log.isDebugEnabled())
log.debug(" User data constraint already satisfied");
return (true);
}
// Initialize variables we need to determine the appropriate action
int redirectPort = request.getConnector().getRedirectPort();
// Is redirecting disabled?
if (redirectPort < = 0) {
if (log.isDebugEnabled())
log.debug(" SSL redirect is disabled");
response.sendError
(HttpServletResponse.SC_FORBIDDEN,
request.getRequestURI());
return (false);
}
// Redirect to the corresponding SSL port
StringBuffer file = new StringBuffer();
String protocol = "https";
String host = request.getServerName();
// Protocol
file.append(protocol).append("://").append(host);
// Host with port
if(redirectPort != 443) {
file.append(":").append(redirectPort);
}
// URI
file.append(request.getRequestURI());
String requestedSessionId = request.getRequestedSessionId();
if ((requestedSessionId != null) &&
request.isRequestedSessionIdFromURL()) {
file.append(";");
file.append(Globals.SESSION_PARAMETER_NAME);
file.append("=");
file.append(requestedSessionId);
}
String queryString = request.getQueryString();
if (queryString != null) {
file.append('?");
file.append(queryString);
}
if (log.isDebugEnabled())
log.debug(" Redirecting to " + file.toString());
response.sendRedirect(file.toString());
return (false);
} Enforce any user data constraint required by the security constraint
guarding this request URI. Return true if this constraint
was not violated and processing should continue, or false
if we have created a response already. |
public void init() {
if( initialized && container != null ) return;
// We want logger as soon as possible
if (container != null) {
this.containerLog = container.getLogger();
}
initialized=true;
if( container== null ) {
ObjectName parent=null;
// Register with the parent
try {
if( host == null ) {
// global
parent=new ObjectName(domain +":type=Engine");
} else if( path==null ) {
parent=new ObjectName(domain +
":type=Host,host=" + host);
} else {
parent=new ObjectName(domain +":j2eeType=WebModule,name=//" +
host + path);
}
if( mserver.isRegistered(parent )) {
if(log.isDebugEnabled())
log.debug("Register with " + parent);
mserver.setAttribute(parent, new Attribute("realm", this));
}
} catch (Exception e) {
log.error("Parent not available yet: " + parent);
}
}
if( oname==null ) {
// register
try {
ContainerBase cb=(ContainerBase)container;
oname=new ObjectName(cb.getDomain()+":type=Realm" + cb.getContainerSuffix());
Registry.getRegistry(null, null).registerComponent(this, oname, null );
if(log.isDebugEnabled())
log.debug("Register Realm "+oname);
} catch (Throwable e) {
log.error( "Can't register " + oname, e);
}
}
} |
public static void main(String[] args) {
String encoding = null;
int firstCredentialArg = 2;
if (args.length > 4 && args[2].equalsIgnoreCase("-e")) {
encoding = args[3];
firstCredentialArg = 4;
}
if(args.length > firstCredentialArg && args[0].equalsIgnoreCase("-a")) {
for(int i=firstCredentialArg; i < args.length ; i++){
System.out.print(args[i]+":");
System.out.println(Digest(args[i], args[1], encoding));
}
} else {
System.out.println
("Usage: RealmBase -a < algorithm > [-e < encoding >] < credentials >");
}
} Digest password using the algorithm especificied and
convert the result to a corresponding hex string.
If exception, the plain credentials string is returned |
public void postDeregister() {
} |
public void postRegister(Boolean registrationDone) {
} |
public void preDeregister() throws Exception {
} |
public ObjectName preRegister(MBeanServer server,
ObjectName name) throws Exception {
oname=name;
mserver=server;
domain=name.getDomain();
type=name.getKeyProperty("type");
host=name.getKeyProperty("host");
path=name.getKeyProperty("path");
return name;
} |
public void removeLifecycleListener(LifecycleListener listener) {
lifecycle.removeLifecycleListener(listener);
} Remove a lifecycle event listener from this component. |
public void removePropertyChangeListener(PropertyChangeListener listener) {
support.removePropertyChangeListener(listener);
} Remove a property change listener from this component. |
public void setAllRolesMode(String allRolesMode) {
this.allRolesMode = AllRolesMode.toMode(allRolesMode);
} |
public void setContainer(Container container) {
Container oldContainer = this.container;
this.container = container;
support.firePropertyChange("container", oldContainer, this.container);
} Set the Container with which this Realm has been associated. |
public void setController(ObjectName controller) {
this.controller = controller;
} |
public void setDigest(String digest) {
this.digest = digest;
} Set the digest algorithm used for storing credentials. |
public void setDigestEncoding(String charset) {
digestEncoding = charset;
} Sets the digest encoding charset. |
public void setValidate(boolean validate) {
this.validate = validate;
} Set the "validate certificate chains" flag. |
public void start() throws LifecycleException {
// Validate and update our current component state
if (started) {
if(log.isInfoEnabled())
log.info(sm.getString("realmBase.alreadyStarted"));
return;
}
if( !initialized ) {
init();
}
lifecycle.fireLifecycleEvent(START_EVENT, null);
started = true;
// Create a MessageDigest instance for credentials, if desired
if (digest != null) {
try {
md = MessageDigest.getInstance(digest);
} catch (NoSuchAlgorithmException e) {
throw new LifecycleException
(sm.getString("realmBase.algorithm", digest), e);
}
}
} Prepare for the beginning of active use of the public methods of this
component. This method should be called before any of the public
methods of this component are utilized. It should also send a
LifecycleEvent of type START_EVENT to any registered listeners. |
public void stop() throws LifecycleException {
// Validate and update our current component state
if (!started) {
if(log.isInfoEnabled())
log.info(sm.getString("realmBase.notStarted"));
return;
}
lifecycle.fireLifecycleEvent(STOP_EVENT, null);
started = false;
// Clean up allocated resources
md = null;
destroy();
} Gracefully terminate the active use of the public methods of this
component. This method should be the last one called on a given
instance of this component. It should also send a LifecycleEvent
of type STOP_EVENT to any registered listeners. |
org.apache.catalina.realm.RealmBase
Save This Page