Class AuthenticatorBase
- java.lang.Object
- 
- org.apache.catalina.util.LifecycleBase
- 
- org.apache.catalina.util.LifecycleMBeanBase
- 
- org.apache.catalina.valves.ValveBase
- 
- org.apache.catalina.authenticator.AuthenticatorBase
 
 
 
 
- 
- All Implemented Interfaces:
- javax.management.MBeanRegistration,- RegistrationListener,- Authenticator,- Contained,- JmxEnabled,- Lifecycle,- Valve
 - Direct Known Subclasses:
- BasicAuthenticator,- DigestAuthenticator,- FormAuthenticator,- NonLoginAuthenticator,- SpnegoAuthenticator,- SSLAuthenticator
 
 public abstract class AuthenticatorBase extends ValveBase implements Authenticator, RegistrationListener Basic implementation of the Valve interface that enforces the<security-constraint>elements in the web application deployment descriptor. This functionality is implemented as a Valve so that it can be omitted in environments that do not require these features. Individual implementations of each supported authentication method can subclass this base class as required.USAGE CONSTRAINT: When this class is utilized, the Context to which it is attached (or a parent Container in a hierarchy) must have an associated Realm that can be used for authenticating users and enumerating the roles to which they have been assigned. USAGE CONSTRAINT: This Valve is only useful when processing HTTP requests. Requests of any other type will simply be passed through. - Author:
- Craig R. McClanahan
 
- 
- 
Nested Class SummaryNested Classes Modifier and Type Class Description protected static classAuthenticatorBase.AllowCorsPreflight- 
Nested classes/interfaces inherited from interface org.apache.catalina.LifecycleLifecycle.SingleUse
 
- 
 - 
Field SummaryFields Modifier and Type Field Description protected booleanalwaysUseSessionShould a session always be used once a user is authenticated?protected static java.lang.StringAUTH_HEADER_NAMEAuthentication headerprotected booleancacheShould we cache authenticated Principals if the request is part of an HTTP session?protected booleanchangeSessionIdOnAuthenticationShould the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?protected ContextcontextThe Context to which this Valve is attached.protected booleandisableProxyCachingFlag to determine if we disable proxy caching, or leave the issue up to the webapp developer.protected java.lang.StringjaspicCallbackHandlerClassThe name of the JASPIC callback handler class.protected static java.lang.StringREALM_NAMEDefault authentication realm name.protected booleansecurePagesWithPragmaFlag to determine if we disable proxy caching with headers incompatible with IE.protected java.lang.StringsecureRandomAlgorithmThe name of the algorithm to use to create instances ofSecureRandomwhich are used to generate SSO session IDs.protected java.lang.StringsecureRandomClassThe Java class name of the secure random number generator class to be used when generating SSO session identifiers.protected java.lang.StringsecureRandomProviderThe name of the provider to use to create instances ofSecureRandomwhich are used to generate session SSO IDs.protected booleansendAuthInfoResponseHeadersShould the auth information (remote user and auth type) be returned as response headers for a forwarded/proxied request?protected SessionIdGeneratorBasesessionIdGeneratorprotected static StringManagersmThe string manager for this package.protected SingleSignOnssoThe SingleSignOn implementation in our request processing chain, if there is one.- 
Fields inherited from class org.apache.catalina.valves.ValveBaseasyncSupported, container, containerLog, next
 - 
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBasemserver
 - 
Fields inherited from interface org.apache.catalina.LifecycleAFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
- 
 - 
Constructor SummaryConstructors Constructor Description AuthenticatorBase()
 - 
Method SummaryAll Methods Static Methods Instance Methods Abstract Methods Concrete Methods Modifier and Type Method Description protected booleanallowCorsPreflightBypass(Request request)protected voidassociate(java.lang.String ssoId, Session session)Associate the specified single sign on identifier with the specified Session.booleanauthenticate(Request request, HttpServletResponse httpResponse)Authenticate the user making this request, based on the login configuration of theContextwith which this Authenticator is associated.protected java.lang.StringchangeSessionID(Request request, Session session)protected booleancheckForCachedAuthentication(Request request, HttpServletResponse response, boolean useSSO)Check to see if the user has already been authenticated earlier in the processing chain or if there is enough information available to authenticate the user without requiring further user interaction.protected abstract booleandoAuthenticate(Request request, HttpServletResponse response)Provided for sub-classes to implement their specific authentication mechanism.protected java.security.PrincipaldoLogin(Request request, java.lang.String username, java.lang.String password)Process the login request.java.lang.StringgetAllowCorsPreflight()booleangetAlwaysUseSession()protected abstract java.lang.StringgetAuthMethod()booleangetCache()Return the cache authenticated Principals flag.booleangetChangeSessionIdOnAuthentication()Return the flag that states if we should change the session ID of an existing session upon successful authentication.ContainergetContainer()Return the Container to which this Valve is attached.booleangetDisableProxyCaching()Return the flag that states if we add headers to disable caching by proxies.java.lang.StringgetJaspicCallbackHandlerClass()Return the JASPIC callback handler class nameprotected static java.lang.StringgetRealmName(Context context)booleangetSecurePagesWithPragma()Return the flag that states, if proxy caching is disabled, what headers we add to disable the caching.java.lang.StringgetSecureRandomAlgorithm()Return the secure random number generator algorithm name.java.lang.StringgetSecureRandomClass()Return the secure random number generator class name.java.lang.StringgetSecureRandomProvider()Return the secure random number generator provider name.voidinvoke(Request request, Response response)Enforce the security restrictions in the web application deployment descriptor of our associated Context.protected booleanisContinuationRequired(Request request)Does this authenticator require thatauthenticate(Request, HttpServletResponse)is called to continue an authentication process that started in a previous request?protected booleanisPreemptiveAuthPossible(Request request)Can the authenticator perform preemptive authentication for the given request?booleanisSendAuthInfoResponseHeaders()Returns the flag whether authentication information will be sent to a reverse proxy on a forwarded request.voidlogin(java.lang.String username, java.lang.String password, Request request)voidlogout(Request request)voidnotify(java.lang.String layer, java.lang.String appContext)protected booleanreauthenticateFromSSO(java.lang.String ssoId, Request request)Attempts reauthentication to theRealmusing the credentials included in argumententry.voidregister(Request request, HttpServletResponse response, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one.protected voidregister(Request request, HttpServletResponse response, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password, boolean alwaysUseSession, boolean cache)Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one.voidsetAllowCorsPreflight(java.lang.String allowCorsPreflight)voidsetAlwaysUseSession(boolean alwaysUseSession)voidsetCache(boolean cache)Set the cache authenticated Principals flag.voidsetChangeSessionIdOnAuthentication(boolean changeSessionIdOnAuthentication)Set the value of the flag that states if we should change the session ID of an existing session upon successful authentication.voidsetContainer(Container container)Set the Container to which this Valve is attached.voidsetDisableProxyCaching(boolean nocache)Set the value of the flag that states if we add headers to disable caching by proxies.voidsetJaspicCallbackHandlerClass(java.lang.String jaspicCallbackHandlerClass)Set the JASPIC callback handler class namevoidsetSecurePagesWithPragma(boolean securePagesWithPragma)Set the value of the flag that states what headers we add to disable proxy caching.voidsetSecureRandomAlgorithm(java.lang.String secureRandomAlgorithm)Set the secure random number generator algorithm name.voidsetSecureRandomClass(java.lang.String secureRandomClass)Set the secure random number generator class name.voidsetSecureRandomProvider(java.lang.String secureRandomProvider)Set the secure random number generator provider name.voidsetSendAuthInfoResponseHeaders(boolean sendAuthInfoResponseHeaders)Sets the flag whether authentication information will be send to a reverse proxy on a forwarded request.protected voidstartInternal()Start this component and implement the requirements ofLifecycleBase.startInternal().protected voidstopInternal()Stop this component and implement the requirements ofLifecycleBase.stopInternal().- 
Methods inherited from class org.apache.catalina.valves.ValveBasebackgroundProcess, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setNext, toString
 - 
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBasedestroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister
 - 
Methods inherited from class org.apache.catalina.util.LifecycleBaseaddLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
 
- 
 
- 
- 
- 
Field Detail- 
smprotected static final StringManager sm The string manager for this package.
 - 
AUTH_HEADER_NAMEprotected static final java.lang.String AUTH_HEADER_NAME Authentication header- See Also:
- Constant Field Values
 
 - 
REALM_NAMEprotected static final java.lang.String REALM_NAME Default authentication realm name.- See Also:
- Constant Field Values
 
 - 
alwaysUseSessionprotected boolean alwaysUseSession Should a session always be used once a user is authenticated? This may offer some performance benefits since the session can then be used to cache the authenticated Principal, hence removing the need to authenticate the user via the Realm on every request. This may be of help for combinations such as BASIC authentication used with the JNDIRealm or DataSourceRealms. However there will also be the performance cost of creating and GC'ing the session. By default, a session will not be created.
 - 
cacheprotected boolean cache Should we cache authenticated Principals if the request is part of an HTTP session?
 - 
changeSessionIdOnAuthenticationprotected boolean changeSessionIdOnAuthentication Should the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?
 - 
contextprotected Context context The Context to which this Valve is attached.
 - 
disableProxyCachingprotected boolean disableProxyCaching Flag to determine if we disable proxy caching, or leave the issue up to the webapp developer.
 - 
securePagesWithPragmaprotected boolean securePagesWithPragma Flag to determine if we disable proxy caching with headers incompatible with IE.
 - 
secureRandomClassprotected java.lang.String secureRandomClass The Java class name of the secure random number generator class to be used when generating SSO session identifiers. The random number generator class must be self-seeding and have a zero-argument constructor. If not specified, an instance ofSecureRandomwill be generated.
 - 
secureRandomAlgorithmprotected java.lang.String secureRandomAlgorithm The name of the algorithm to use to create instances ofSecureRandomwhich are used to generate SSO session IDs. If no algorithm is specified, SHA1PRNG is used. If SHA1PRNG is not available, the platform default will be used. To use the platform default (which may be SHA1PRNG), specify the empty string. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults.
 - 
secureRandomProviderprotected java.lang.String secureRandomProvider The name of the provider to use to create instances ofSecureRandomwhich are used to generate session SSO IDs. If no provider is specified the platform default is used. If an invalid algorithm and/or provider is specified the SecureRandom instances will be created using the defaults. If that fails, the SecureRandom instances will be created using platform defaults.
 - 
jaspicCallbackHandlerClassprotected java.lang.String jaspicCallbackHandlerClass The name of the JASPIC callback handler class. If none is specified the defaultCallbackHandlerImplwill be used.
 - 
sendAuthInfoResponseHeadersprotected boolean sendAuthInfoResponseHeaders Should the auth information (remote user and auth type) be returned as response headers for a forwarded/proxied request? When theRemoteIpValveorRemoteIpFiltermark a forwarded request with theGlobals.REQUEST_FORWARDED_ATTRIBUTEthis authenticator can return the values ofHttpServletRequest.getRemoteUser()andHttpServletRequest.getAuthType()as response headersremote-userandauth-typeto a reverse proxy. This is useful, e.g., for access log consistency or other decisions to make.
 - 
sessionIdGeneratorprotected SessionIdGeneratorBase sessionIdGenerator 
 - 
ssoprotected SingleSignOn sso The SingleSignOn implementation in our request processing chain, if there is one.
 
- 
 - 
Method Detail- 
getRealmNameprotected static java.lang.String getRealmName(Context context) 
 - 
getAllowCorsPreflightpublic java.lang.String getAllowCorsPreflight() 
 - 
setAllowCorsPreflightpublic void setAllowCorsPreflight(java.lang.String allowCorsPreflight) 
 - 
getAlwaysUseSessionpublic boolean getAlwaysUseSession() 
 - 
setAlwaysUseSessionpublic void setAlwaysUseSession(boolean alwaysUseSession) 
 - 
getCachepublic boolean getCache() Return the cache authenticated Principals flag.- Returns:
- trueif authenticated Principals will be cached, otherwise- false
 
 - 
setCachepublic void setCache(boolean cache) Set the cache authenticated Principals flag.- Parameters:
- cache- The new cache flag
 
 - 
getContainerpublic Container getContainer() Return the Container to which this Valve is attached.- Specified by:
- getContainerin interface- Contained
- Overrides:
- getContainerin class- ValveBase
- Returns:
- The Container with which this instance is associated or
         nullif not associated with a Container
 
 - 
setContainerpublic void setContainer(Container container) Set the Container to which this Valve is attached.- Specified by:
- setContainerin interface- Contained
- Overrides:
- setContainerin class- ValveBase
- Parameters:
- container- The container to which we are attached
 
 - 
getDisableProxyCachingpublic boolean getDisableProxyCaching() Return the flag that states if we add headers to disable caching by proxies.- Returns:
- trueif the headers will be added, otherwise- false
 
 - 
setDisableProxyCachingpublic void setDisableProxyCaching(boolean nocache) Set the value of the flag that states if we add headers to disable caching by proxies.- Parameters:
- nocache-- trueif we add headers to disable proxy caching,- falseif we leave the headers alone.
 
 - 
getSecurePagesWithPragmapublic boolean getSecurePagesWithPragma() Return the flag that states, if proxy caching is disabled, what headers we add to disable the caching.- Returns:
- trueif a Pragma header should be used, otherwise- false
 
 - 
setSecurePagesWithPragmapublic void setSecurePagesWithPragma(boolean securePagesWithPragma) Set the value of the flag that states what headers we add to disable proxy caching.- Parameters:
- securePagesWithPragma-- trueif we add headers which are incompatible with downloading office documents in IE under SSL but which fix a caching problem in Mozilla.
 
 - 
getChangeSessionIdOnAuthenticationpublic boolean getChangeSessionIdOnAuthentication() Return the flag that states if we should change the session ID of an existing session upon successful authentication.- Returns:
- trueto change session ID upon successful authentication,- falseto do not perform the change.
 
 - 
setChangeSessionIdOnAuthenticationpublic void setChangeSessionIdOnAuthentication(boolean changeSessionIdOnAuthentication) Set the value of the flag that states if we should change the session ID of an existing session upon successful authentication.- Parameters:
- changeSessionIdOnAuthentication-- trueto change session ID upon successful authentication,- falseto do not perform the change.
 
 - 
getSecureRandomClasspublic java.lang.String getSecureRandomClass() Return the secure random number generator class name.- Returns:
- The fully qualified name of the SecureRandom implementation to use
 
 - 
setSecureRandomClasspublic void setSecureRandomClass(java.lang.String secureRandomClass) Set the secure random number generator class name.- Parameters:
- secureRandomClass- The new secure random number generator class name
 
 - 
getSecureRandomAlgorithmpublic java.lang.String getSecureRandomAlgorithm() Return the secure random number generator algorithm name.- Returns:
- The name of the SecureRandom algorithm used
 
 - 
setSecureRandomAlgorithmpublic void setSecureRandomAlgorithm(java.lang.String secureRandomAlgorithm) Set the secure random number generator algorithm name.- Parameters:
- secureRandomAlgorithm- The new secure random number generator algorithm name
 
 - 
getSecureRandomProviderpublic java.lang.String getSecureRandomProvider() Return the secure random number generator provider name.- Returns:
- The name of the SecureRandom provider
 
 - 
setSecureRandomProviderpublic void setSecureRandomProvider(java.lang.String secureRandomProvider) Set the secure random number generator provider name.- Parameters:
- secureRandomProvider- The new secure random number generator provider name
 
 - 
getJaspicCallbackHandlerClasspublic java.lang.String getJaspicCallbackHandlerClass() Return the JASPIC callback handler class name- Returns:
- The name of the JASPIC callback handler
 
 - 
setJaspicCallbackHandlerClasspublic void setJaspicCallbackHandlerClass(java.lang.String jaspicCallbackHandlerClass) Set the JASPIC callback handler class name- Parameters:
- jaspicCallbackHandlerClass- The new JASPIC callback handler class name
 
 - 
isSendAuthInfoResponseHeaderspublic boolean isSendAuthInfoResponseHeaders() Returns the flag whether authentication information will be sent to a reverse proxy on a forwarded request.- Returns:
- trueif response headers shall be sent,- falseotherwise
 
 - 
setSendAuthInfoResponseHeaderspublic void setSendAuthInfoResponseHeaders(boolean sendAuthInfoResponseHeaders) Sets the flag whether authentication information will be send to a reverse proxy on a forwarded request.- Parameters:
- sendAuthInfoResponseHeaders-- trueif response headers shall be sent,- falseotherwise
 
 - 
invokepublic void invoke(Request request, Response response) throws java.io.IOException, ServletException Enforce the security restrictions in the web application deployment descriptor of our associated Context.- Specified by:
- invokein interface- Valve
- Parameters:
- request- Request to be processed
- response- Response to be processed
- Throws:
- java.io.IOException- if an input/output error occurs
- ServletException- if thrown by a processing element
 
 - 
allowCorsPreflightBypassprotected boolean allowCorsPreflightBypass(Request request) 
 - 
authenticatepublic boolean authenticate(Request request, HttpServletResponse httpResponse) throws java.io.IOException Description copied from interface:AuthenticatorAuthenticate the user making this request, based on the login configuration of theContextwith which this Authenticator is associated.- Specified by:
- authenticatein interface- Authenticator
- Parameters:
- request- Request we are processing
- httpResponse- Response we are populating
- Returns:
- trueif any specified constraints have been satisfied, or- falseif one more constraints were not satisfied (in which case an authentication challenge will have been written to the response).
- Throws:
- java.io.IOException- if an input/output error occurs
 
 - 
doAuthenticateprotected abstract boolean doAuthenticate(Request request, HttpServletResponse response) throws java.io.IOException Provided for sub-classes to implement their specific authentication mechanism.- Parameters:
- request- The request that triggered the authentication
- response- The response associated with the request
- Returns:
- trueif the the user was authenticated, otherwise- false, in which case an authentication challenge will have been written to the response
- Throws:
- java.io.IOException- If an I/O problem occurred during the authentication process
 
 - 
isContinuationRequiredprotected boolean isContinuationRequired(Request request) Does this authenticator require thatauthenticate(Request, HttpServletResponse)is called to continue an authentication process that started in a previous request?- Parameters:
- request- The request currently being processed
- Returns:
- trueif authenticate() must be called, otherwise- false
 
 - 
associateprotected void associate(java.lang.String ssoId, Session session)Associate the specified single sign on identifier with the specified Session.- Parameters:
- ssoId- Single sign on identifier
- session- Session to be associated
 
 - 
checkForCachedAuthenticationprotected boolean checkForCachedAuthentication(Request request, HttpServletResponse response, boolean useSSO) Check to see if the user has already been authenticated earlier in the processing chain or if there is enough information available to authenticate the user without requiring further user interaction.- Parameters:
- request- The current request
- response- The current response
- useSSO- Should information available from SSO be used to attempt to authenticate the current user?
- Returns:
- trueif the user was authenticated via the cache, otherwise- false
 
 - 
reauthenticateFromSSOprotected boolean reauthenticateFromSSO(java.lang.String ssoId, Request request)Attempts reauthentication to theRealmusing the credentials included in argumententry.- Parameters:
- ssoId- identifier of SingleSignOn session with which the caller is associated
- request- the request that needs to be authenticated
- Returns:
- trueif the reauthentication from SSL occurred
 
 - 
registerpublic void register(Request request, HttpServletResponse response, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password) Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.- Parameters:
- request- The servlet request we are processing
- response- The servlet response we are generating
- principal- The authenticated Principal to be registered
- authType- The authentication type to be registered
- username- Username used to authenticate (if any)
- password- Password used to authenticate (if any)
 
 - 
registerprotected void register(Request request, HttpServletResponse response, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password, boolean alwaysUseSession, boolean cache) Register an authenticated Principal and authentication type in our request, in the current session (if there is one), and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.- Parameters:
- request- The servlet request we are processing
- response- The servlet response we are generating
- principal- The authenticated Principal to be registered
- authType- The authentication type to be registered
- username- Username used to authenticate (if any)
- password- Password used to authenticate (if any)
- alwaysUseSession- Should a session always be used once a user is authenticated?
- cache- Should we cache authenticated Principals if the request is part of an HTTP session?
 
 - 
loginpublic void login(java.lang.String username, java.lang.String password, Request request) throws ServletException- Specified by:
- loginin interface- Authenticator
- Throws:
- ServletException
 
 - 
getAuthMethodprotected abstract java.lang.String getAuthMethod() 
 - 
doLoginprotected java.security.Principal doLogin(Request request, java.lang.String username, java.lang.String password) throws ServletException Process the login request.- Parameters:
- request- Associated request
- username- The user
- password- The password
- Returns:
- The authenticated Principal
- Throws:
- ServletException- No principal was authenticated with the specified credentials
 
 - 
logoutpublic void logout(Request request) - Specified by:
- logoutin interface- Authenticator
 
 - 
startInternalprotected void startInternal() throws LifecycleExceptionStart this component and implement the requirements ofLifecycleBase.startInternal().- Overrides:
- startInternalin class- ValveBase
- Throws:
- LifecycleException- if this component detects a fatal error that prevents this component from being used
 
 - 
stopInternalprotected void stopInternal() throws LifecycleExceptionStop this component and implement the requirements ofLifecycleBase.stopInternal().- Overrides:
- stopInternalin class- ValveBase
- Throws:
- LifecycleException- if this component detects a fatal error that prevents this component from being used
 
 - 
isPreemptiveAuthPossibleprotected boolean isPreemptiveAuthPossible(Request request) Can the authenticator perform preemptive authentication for the given request?- Parameters:
- request- The request to check for credentials
- Returns:
- trueif preemptive authentication is possible, otherwise- false
 
 - 
notifypublic void notify(java.lang.String layer, java.lang.String appContext)- Specified by:
- notifyin interface- RegistrationListener
 
 
- 
 
-