org.jboss.web.tomcat.tc4.authenticator: public class: SSLAuthenticator

org.jboss.web.tomcat.tc4.authenticator
public class: SSLAuthenticator [javadoc | source]

java.lang.Object
   org.apache.catalina.authenticator.AuthenticatorBase
      org.jboss.web.tomcat.tc4.authenticator.AuthenticatorBase
         org.jboss.web.tomcat.tc4.authenticator.SSLAuthenticator

An Authenticator and Valve implementation of authentication that utilizes SSL certificates to identify client users.

Differs from the standard Tomcat version in that it 1) associates the session of any request with any single sign-on session that may exist and 2) only ignores its own authentication process if a given request already has a Principal bound to it AND this object's cache property is set to true.

Also see:

authenticate

AuthenticatorBase#associate

AuthenticatorBase#getCache

AuthenticatorBase#setCache

SingleSignOn

author: B - Stansberry, based on work by Craig R. McClanahan

version: $ - Revision: 1.1.2.1 $ $Date: 2003/11/22 08:12:44 $ based on Tomcat Revision 1.13

Field Summary
protected static final String	info	Descriptive information about this implementation.

Fields inherited from org.jboss.web.tomcat.tc4.authenticator.AuthenticatorBase:
info, ourSSO

Method from org.jboss.web.tomcat.tc4.authenticator.SSLAuthenticator Summary:
authenticate, getInfo, start, stop

Methods from org.jboss.web.tomcat.tc4.authenticator.AuthenticatorBase:
associate, reauthenticateFromSSO, register, start, stop

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from org.jboss.web.tomcat.tc4.authenticator.SSLAuthenticator Detail:
public boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config) throws IOException { // Have we already authenticated someone? // Note: SingleSignOn does not call setUserPrincipal(), // so whoever did it would have to be some custom valve // in the pipeline. Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal(); //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE); if (principal != null) { if (debug >= 1) log("Found principal '" + principal.getName() + "'"); // Associate the session with any existing SSO session in order // to get coordinated session invalidation at logout String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE); if (ssoId != null) associate(ssoId, getSession(request, true)); return (true); } // NOTE: We don't try to reauthenticate using any existing SSO session, // because that will only work if the original authentication was // BASIC or FORM, which are less secure than the CLIENT-CERT auth-type // specified for this webapp // // Uncomment below to allow previous FORM or BASIC authentications // to authenticate users for this webapp // TODO make this a configurable attribute (in SingleSignOn??) /* // Is there an SSO session against which we can try to reauthenticate? if (ssoId != null) { if (debug >= 1) log("SSO Id " + ssoId + " set; attempting reauthentication"); // Try to reauthenticate using data cached by SSO. If this fails, // either the original SSO logon was of DIGEST or SSL (which // we can't reauthenticate ourselves because there is no // cached username and password), or the realm denied // the user's reauthentication for some reason. // In either case we have to prompt the user for a logon if (reauthenticateFromSSO(ssoId, request)) return true; } */ // Retrieve the certificate chain for this client HttpServletResponse hres = (HttpServletResponse) response.getResponse(); if (debug >= 1) log(" Looking up certificates"); X509Certificate certs[] = (X509Certificate[]) request.getRequest().getAttribute(Globals.CERTIFICATES_ATTR); if ((certs == null) \|\| (certs.length < 1)) { certs = (X509Certificate[]) request.getRequest().getAttribute(Globals.SSL_CERTIFICATE_ATTR); } if ((certs == null) \|\| (certs.length < 1)) { if (debug >= 1) log(" No certificates included with this request"); hres.sendError(HttpServletResponse.SC_BAD_REQUEST, sm.getString("authenticator.certificates")); return (false); } // Authenticate the specified certificate chain principal = context.getRealm().authenticate(certs); if (principal == null) { if (debug >= 1) log(" Realm.authenticate() returned false"); hres.sendError(HttpServletResponse.SC_UNAUTHORIZED, sm.getString("authenticator.unauthorized")); return (false); } // Cache the principal (if requested) and record this authentication // Note that if there already is an SSO session assoc with this request, // register() associates this app's session with the SSO session register(request, response, principal, Constants.CERT_METHOD, null, null); return (true); } Authenticate the user by checking for the existence of a certificate chain (which should have been made visible by an instance of `CertificatesValve Differs from the standard Tomcat version in that it it associates the session of any request with any single sign-on session that may exist. If the request already has an authenticated Principal, our own authentication is only disabled if getCache() returns true.`
public String getInfo() { return (this.info); } Return descriptive information about this Valve implementation.
public void start() throws LifecycleException { super.start(); } Initialize the database we will be using for client verification and certificate validation (if any).
public void stop() throws LifecycleException { super.stop(); } Finalize the database we used for client verification and certificate validation (if any).

Method from org.jboss.web.tomcat.tc4.authenticator.SSLAuthenticator Detail:

 public boolean authenticate(HttpRequest request,
    HttpResponse response,
    LoginConfig config) throws IOException {
      // Have we already authenticated someone?
      // Note: SingleSignOn does not call setUserPrincipal(),
      // so whoever did it would have to be some custom valve
      // in the pipeline.
      Principal principal =
            ((HttpServletRequest) request.getRequest()).getUserPrincipal();
      //String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
      if (principal != null)
      {
         if (debug  >= 1)
            log("Found principal '" + principal.getName() + "'");
         // Associate the session with any existing SSO session in order
         // to get coordinated session invalidation at logout
         String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
         if (ssoId != null)
            associate(ssoId, getSession(request, true));
         return (true);
      }
      // NOTE: We don't try to reauthenticate using any existing SSO session,
      // because that will only work if the original authentication was
      // BASIC or FORM, which are less secure than the CLIENT-CERT auth-type
      // specified for this webapp
      //
      // Uncomment below to allow previous FORM or BASIC authentications
      // to authenticate users for this webapp
      // TODO make this a configurable attribute (in SingleSignOn??)
      /*
      // Is there an SSO session against which we can try to reauthenticate?
      if (ssoId != null) {
          if (debug  >= 1)
              log("SSO Id " + ssoId + " set; attempting reauthentication");
          // Try to reauthenticate using data cached by SSO.  If this fails,
          // either the original SSO logon was of DIGEST or SSL (which
          // we can't reauthenticate ourselves because there is no
          // cached username and password), or the realm denied
          // the user's reauthentication for some reason.
          // In either case we have to prompt the user for a logon
          if (reauthenticateFromSSO(ssoId, request))
              return true;
      }
      */
      // Retrieve the certificate chain for this client
      HttpServletResponse hres =
            (HttpServletResponse) response.getResponse();
      if (debug  >= 1)
         log(" Looking up certificates");
      X509Certificate certs[] = (X509Certificate[])
            request.getRequest().getAttribute(Globals.CERTIFICATES_ATTR);
      if ((certs == null) || (certs.length <  1))
      {
         certs = (X509Certificate[])
               request.getRequest().getAttribute(Globals.SSL_CERTIFICATE_ATTR);
      }
      if ((certs == null) || (certs.length <  1))
      {
         if (debug  >= 1)
            log("  No certificates included with this request");
         hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        sm.getString("authenticator.certificates"));
         return (false);
      }
      // Authenticate the specified certificate chain
      principal = context.getRealm().authenticate(certs);
      if (principal == null)
      {
         if (debug  >= 1)
            log("  Realm.authenticate() returned false");
         hres.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        sm.getString("authenticator.unauthorized"));
         return (false);
      }
      // Cache the principal (if requested) and record this authentication
      // Note that if there already is an SSO session assoc with this request,
      // register() associates this app's session with the SSO session
      register(request, response, principal, Constants.CERT_METHOD,
               null, null);
      return (true);
}

CertificatesValve
Differs from the standard Tomcat version in that it

it associates the session of any request with any single sign-on
session that may exist.
If the request already has an authenticated Principal,
our own authentication is only disabled if getCache()
returns true.

 public String getInfo() {
              
      return (this.info);
}

Return descriptive information about this Valve implementation.

 public  void start() throws LifecycleException {
      super.start();
}

Initialize the database we will be using for client verification and certificate validation (if any).

 public  void stop() throws LifecycleException {
      super.stop();
}

Finalize the database we used for client verification and certificate validation (if any).