org.apache.catalina.authenticator

Class SingleSignOn

Implemented Interfaces:
Contained, Lifecycle, MBeanRegistration, SessionListener, Valve

public class SingleSignOn
extends ValveBase
implements Lifecycle, SessionListener

A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. For successful use, the following requirements must be met:

Version:
$Revision: 1.13 $ $Date: 2004/04/26 21:50:36 $

Author:
Craig R. McClanahan

Field Summary

protected HashMap
cache
The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.
protected int
debug
The debugging detail level for this component.
protected static String
info
Descriptive information about this Valve implementation.
protected LifecycleSupport
lifecycle
The lifecycle event support for this component.
protected HashMap
reverse
The cache of single sign on identifiers, keyed by the Session that is associated with them.
protected static StringManager
sm
The string manager for this package.
protected boolean
started
Component started flag.

Fields inherited from class org.apache.catalina.valves.ValveBase

container, controller, debug, domain, info, mserver, oname, sm

Fields inherited from interface org.apache.catalina.Lifecycle

AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, START_EVENT, STOP_EVENT

Method Summary

void
addLifecycleListener(LifecycleListener listener)
Add a lifecycle event listener to this component.
protected void
associate(String ssoId, Session session)
Associate the specified single sign on identifier with the specified Session.
protected void
deregister(String ssoId)
Deregister the specified single sign on identifier, and invalidate any associated sessions.
protected void
deregister(String ssoId, Session session)
Deregister the specified session.
LifecycleListener[]
findLifecycleListeners()
Get the lifecycle listeners associated with this lifecycle.
int
getDebug()
Return the debugging detail level.
String
getInfo()
Return descriptive information about this Valve implementation.
boolean
getRequireReauthentication()
Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm.
void
invoke(Request request, Response response, ValveContext context)
Perform single-sign-on support processing for this request.
protected void
log(String message)
Log a message on the Logger associated with our Container (if any).
protected void
log(String message, Throwable throwable)
Log a message on the Logger associated with our Container (if any).
protected SingleSignOnEntry
lookup(String ssoId)
Look up and return the cached SingleSignOn entry associated with this sso id value, if there is one; otherwise return null.
protected boolean
reauthenticate(String ssoId, Realm realm, HttpRequest request)
Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.
protected void
register(String ssoId, Principal principal, String authType, String username, String password)
Register the specified Principal as being associated with the specified value for the single sign on identifier.
void
removeLifecycleListener(LifecycleListener listener)
Remove a lifecycle event listener from this component.
protected void
removeSession(String ssoId, Session session)
Remove a single Session from a SingleSignOn.
void
sessionEvent(SessionEvent event)
Acknowledge the occurrence of the specified event.
void
setDebug(int debug)
Set the debugging detail level.
void
setRequireReauthentication(boolean required)
Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm.
void
start()
Prepare for the beginning of active use of the public methods of this component.
void
stop()
Gracefully terminate the active use of the public methods of this component.
String
toString()
Return a String rendering of this object.
protected void
update(String ssoId, Principal principal, String authType, String username, String password)
Updates any SingleSignOnEntry found under key ssoId with the given authentication data.

Methods inherited from class org.apache.catalina.valves.ValveBase

createObjectName, getContainer, getContainerName, getController, getDebug, getDomain, getInfo, getObjectName, getParentName, invoke, postDeregister, postRegister, preDeregister, preRegister, setContainer, setController, setDebug, setObjectName

Field Details

cache

protected HashMap cache
The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.


debug

protected int debug
The debugging detail level for this component.


info

protected static String info
Descriptive information about this Valve implementation.


lifecycle

protected LifecycleSupport lifecycle
The lifecycle event support for this component.


reverse

protected HashMap reverse
The cache of single sign on identifiers, keyed by the Session that is associated with them.


sm

protected static final StringManager sm
The string manager for this package.


started

protected boolean started
Component started flag.

Method Details

addLifecycleListener

public void addLifecycleListener(LifecycleListener listener)
Add a lifecycle event listener to this component.
Specified by:
addLifecycleListener in interface Lifecycle

Parameters:
listener - The listener to add


associate

protected void associate(String ssoId,
                         Session session)
Associate the specified single sign on identifier with the specified Session.

Parameters:
ssoId - Single sign on identifier
session - Session to be associated


deregister

protected void deregister(String ssoId)
Deregister the specified single sign on identifier, and invalidate any associated sessions.

Parameters:
ssoId - Single sign on identifier to deregister


deregister

protected void deregister(String ssoId,
                          Session session)
Deregister the specified session. If it is the last session, then also get rid of the single sign on identifier.

Parameters:
ssoId - Single sign on identifier
session - Session to be deregistered


findLifecycleListeners

public LifecycleListener[] findLifecycleListeners()
Get the lifecycle listeners associated with this lifecycle. If this Lifecycle has no listeners registered, a zero-length array is returned.
Specified by:
findLifecycleListeners in interface Lifecycle


getDebug

public int getDebug()
Return the debugging detail level.
Overrides:
getDebug in class ValveBase


getInfo

public String getInfo()
Return descriptive information about this Valve implementation.
Specified by:
getInfo in interface Valve
Overrides:
getInfo in class ValveBase


getRequireReauthentication

public boolean getRequireReauthentication()
Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm.

Returns:
true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.

See Also:
setRequireReauthentication(boolean)


invoke

public void invoke(Request request,
                   Response response,
                   ValveContext context)
            throws IOException,
                   ServletException
Perform single-sign-on support processing for this request.
Specified by:
invoke in interface Valve
Overrides:
invoke in class ValveBase

Parameters:
request - The servlet request we are processing
response - The servlet response we are creating
context - The valve context used to invoke the next valve in the current processing pipeline


log

protected void log(String message)
Log a message on the Logger associated with our Container (if any).

Parameters:
message - Message to be logged


log

protected void log(String message,
                   Throwable throwable)
Log a message on the Logger associated with our Container (if any).

Parameters:
message - Message to be logged
throwable - Associated exception


lookup

protected SingleSignOnEntry lookup(String ssoId)
Look up and return the cached SingleSignOn entry associated with this sso id value, if there is one; otherwise return null.

Parameters:
ssoId - Single sign on identifier to look up


reauthenticate

protected boolean reauthenticate(String ssoId,
                                 Realm realm,
                                 HttpRequest request)
Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.

If reauthentication is successful, the Principal and authorization type associated with the SSO session will be bound to the given HttpRequest object via calls to HttpRequest.setAuthType() and HttpRequest.setUserPrincipal().

Parameters:
ssoId - identifier of SingleSignOn session with which the caller is associated
realm - Realm implementation against which the caller is to be authenticated
request - the request that needs to be authenticated

Returns:
true if reauthentication was successful, false otherwise.


register

protected void register(String ssoId,
                        Principal principal,
                        String authType,
                        String username,
                        String password)
Register the specified Principal as being associated with the specified value for the single sign on identifier.

Parameters:
ssoId - Single sign on identifier to register
principal - Associated user principal that is identified
authType - Authentication type used to authenticate this user principal
username - Username used to authenticate this user
password - Password used to authenticate this user


removeLifecycleListener

public void removeLifecycleListener(LifecycleListener listener)
Remove a lifecycle event listener from this component.
Specified by:
removeLifecycleListener in interface Lifecycle

Parameters:
listener - The listener to remove


removeSession

protected void removeSession(String ssoId,
                             Session session)
Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.

Parameters:
ssoId - Single sign on identifier from which to remove the session.
session - the session to be removed.


sessionEvent

public void sessionEvent(SessionEvent event)
Acknowledge the occurrence of the specified event.
Specified by:
sessionEvent in interface SessionListener

Parameters:
event - SessionEvent that has occurred


setDebug

public void setDebug(int debug)
Set the debugging detail level.
Overrides:
setDebug in class ValveBase

Parameters:
debug - The new debugging detail level


setRequireReauthentication

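public void setRequireReauthentication(boolean required)
Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the security Realm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with the Realm.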

Parameters:
required - true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.

See Also:
AuthenticatorBase.reauthenticateFromSSO(String,HttpRequest)


start

public void start()
            throws LifecycleException
Prepare for the beginning of active use of the public methods of this component. This method should be called after configure(), and before any of the public methods of the component are utilized.
Specified by:
start in interface Lifecycle

Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used


stop

public void stop()
            throws LifecycleException
Gracefully terminate the active use of the public methods of this component. This method should be the last one called on a given instance of this component.
Specified by:
stop in interface Lifecycle

Throws:
LifecycleException - if this component detects a fatal error that needs to be reported


toString

public String toString()
Return a String rendering of this object.


update

protected void update(String ssoId,
                      Principal principal,
                      String authType,
                      String username,
                      String password)
Updates any SingleSignOnEntry found under key ssoId with the given authentication data.

The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT-CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.

NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.

Parameters:
ssoId - identifier of the single sign-on entry to be updated
principal - the Principal returned by the latest call to Realm.authenticate.
authType - the type of authenticator used (BASIC, CLIENT-CERT, DIGEST or FORM)
username - the username (if any) used for the authentication
password - the password (if any) used for the authentication
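
The bookkeeping described for register, associate, update and deregister(String), sketched as an added example; it is a simplified model and not Tomcat's source. The class name SsoModel, the use of plain String session ids in place of Session objects, and the canReauthenticate rule (BASIC or FORM with stored credentials) are assumptions made for illustration.

```java
import java.util.*;

// Simplified model of the valve's bookkeeping (hypothetical; not Tomcat source).
public class SsoModel {
    static class Entry {
        String authType, username, password;
        final Set<String> sessions = new HashSet<>();
        // Assumption: only BASIC/FORM logins leave credentials a Realm can recheck.
        boolean canReauthenticate() {
            return ("BASIC".equals(authType) || "FORM".equals(authType))
                    && username != null && password != null;
        }
    }
    final Map<String, Entry> cache = new HashMap<>();    // ssoId -> entry
    final Map<String, String> reverse = new HashMap<>(); // sessionId -> ssoId
    synchronized void register(String ssoId, String authType, String user, String pw) {
        Entry e = new Entry();
        e.authType = authType; e.username = user; e.password = pw;
        cache.put(ssoId, e);
    }
    synchronized void associate(String ssoId, String sessionId) {
        Entry e = cache.get(ssoId);
        if (e != null) { e.sessions.add(sessionId); reverse.put(sessionId, ssoId); }
    }
    // Documented rule: upgrade only entries that cannot yet reauthenticate.
    synchronized void update(String ssoId, String authType, String user, String pw) {
        Entry e = cache.get(ssoId);
        if (e == null || e.canReauthenticate()) return;
        e.authType = authType; e.username = user; e.password = pw;
    }
    // Full sign-out: drop the entry and return every session that must be invalidated.
    synchronized Set<String> deregister(String ssoId) {
        Entry e = cache.remove(ssoId);
        if (e == null) return Collections.emptySet();
        reverse.keySet().removeAll(e.sessions);
        return e.sessions;
    }
    public static void main(String[] args) {
        SsoModel sso = new SsoModel();                       // all values are constructed
        sso.register("sso-1", "CLIENT-CERT", null, null);
        sso.associate("sso-1", "appA-session");
        sso.associate("sso-1", "appB-session");
        System.out.println("before update: " + sso.cache.get("sso-1").canReauthenticate());
        sso.update("sso-1", "FORM", "alice", "example-pw");   // fills in credentials
        sso.update("sso-1", "BASIC", "bob", "other-pw");      // ignored: already usable
        System.out.println("stored user: " + sso.cache.get("sso-1").username);
        System.out.println("invalidate: " + sso.deregister("sso-1"));
        System.out.println("reverse map empty: " + sso.reverse.isEmpty());
    }
}
```

An entry that can reauthenticate holds the username and password in memory for the life of the SSO session, so a heap dump of the container exposes them. Deregistering the identifier is what ends every associated application session at once.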


Copyright © 2000-2003 Apache Software Foundation. All Rights Reserved.