| java.lang.Object
 org.apache.catalina.valves.ValveBase
org.apache.catalina.authenticator.SingleSignOn
| SingleSignOn | | public class SingleSignOn extends ValveBase implements Lifecycle,SessionListener(Code) | | A Valve that supports a "single sign on" user experience,
where the security identity of a user who successfully authenticates to one
web application is propogated to other web applications in the same
security domain. For successful use, the following requirements must
be met:
- This Valve must be configured on the Container that represents a
virtual host (typically an implementation of
Host).
- The
Realm that contains the shared user and role
information must be configured on the same Container (or a higher
one), and not overridden at the web application level.
- The web applications themselves must use one of the standard
Authenticators found in the
org.apache.catalina.authenticator package.
author:
Craig R. McClanahan
version:
$Revision: 1.13 $ $Date: 2004/04/26 21:50:36 $ |
| Field Summary | |
| protected HashMap | cache
The cache of SingleSignOnEntry instances for authenticated Principals,
keyed by the cookie value that is used to select them. | | protected int | debug
The debugging detail level for this component. | | protected static String | info
Descriptive information about this Valve implementation. | | protected LifecycleSupport | lifecycle
The lifecycle event support for this component. | | protected HashMap | reverse
The cache of single sign on identifiers, keyed by the Session that is
associated with them. | | final protected static StringManager | sm
The string manager for this package. | | protected boolean | started
Component started flag. |
| Method Summary | |
| public void | addLifecycleListener(LifecycleListener listener)
Add a lifecycle event listener to this component. | | protected void | associate(String ssoId, Session session)
Associate the specified single sign on identifier with the
specified Session. | | protected void | deregister(String ssoId, Session session)
Deregister the specified session. | | protected void | deregister(String ssoId)
Deregister the specified single sign on identifier, and invalidate
any associated sessions. | | public LifecycleListener[] | findLifecycleListeners()
Get the lifecycle listeners associated with this lifecycle. | | public int | getDebug()
Return the debugging detail level. | | public String | getInfo()
Return descriptive information about this Valve implementation. | | public boolean | getRequireReauthentication()
Gets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request based on the presence of a valid SSO entry without
rechecking with the Realm | | public void | invoke(Request request, Response response, ValveContext context)
Perform single-sign-on support processing for this request. | | protected void | log(String message)
Log a message on the Logger associated with our Container (if any). | | protected void | log(String message, Throwable throwable)
Log a message on the Logger associated with our Container (if any). | | protected SingleSignOnEntry | lookup(String ssoId)
Look up and return the cached SingleSignOn entry associated with this
sso id value, if there is one; otherwise return null. | | protected boolean | reauthenticate(String ssoId, Realm realm, HttpRequest request)
Attempts reauthentication to the given Realm using
the credentials associated with the single sign-on session
identified by argument ssoId. | | protected void | register(String ssoId, Principal principal, String authType, String username, String password)
Register the specified Principal as being associated with the specified
value for the single sign on identifier. | | public void | removeLifecycleListener(LifecycleListener listener)
Remove a lifecycle event listener from this component. | | protected void | removeSession(String ssoId, Session session)
Remove a single Session from a SingleSignOn. | | public void | sessionEvent(SessionEvent event)
Acknowledge the occurrence of the specified event. | | public void | setDebug(int debug)
Set the debugging detail level. | | public void | setRequireReauthentication(boolean required)
Sets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request, based on the presence of a valid SSO entry, without
rechecking with the Realm
If this property is false (the default), this
Valve will bind a UserPrincipal and AuthType to the request
if a valid SSO entry is associated with the request. | | public void | start()
Prepare for the beginning of active use of the public methods of this
component. | | public void | stop()
Gracefully terminate the active use of the public methods of this
component. | | public String | toString()
Return a String rendering of this object. | | protected void | update(String ssoId, Principal principal, String authType, String username, String password)
Updates any SingleSignOnEntry found under key
ssoId with the given authentication data.
The purpose of this method is to allow an SSO entry that was
established without a username/password combination (i.e. |
| cache | | protected HashMap cache(Code) | | The cache of SingleSignOnEntry instances for authenticated Principals,
keyed by the cookie value that is used to select them.
|
| debug | | protected int debug(Code) | | The debugging detail level for this component.
|
| info | | protected static String info(Code) | | Descriptive information about this Valve implementation.
|
| reverse | | protected HashMap reverse(Code) | | The cache of single sign on identifiers, keyed by the Session that is
associated with them.
|
| started | | protected boolean started(Code) | | Component started flag.
|
| addLifecycleListener | | public void addLifecycleListener(LifecycleListener listener)(Code) | | Add a lifecycle event listener to this component.
Parameters:
listener - The listener to add |
| associate | | protected void associate(String ssoId, Session session)(Code) | | Associate the specified single sign on identifier with the
specified Session.
Parameters:
ssoId - Single sign on identifier
Parameters:
session - Session to be associated |
| deregister | | protected void deregister(String ssoId, Session session)(Code) | | Deregister the specified session. If it is the last session,
then also get rid of the single sign on identifier
Parameters:
ssoId - Single sign on identifier
Parameters:
session - Session to be deregistered |
| deregister | | protected void deregister(String ssoId)(Code) | | Deregister the specified single sign on identifier, and invalidate
any associated sessions.
Parameters:
ssoId - Single sign on identifier to deregister |
| findLifecycleListeners | | public LifecycleListener[] findLifecycleListeners()(Code) | | Get the lifecycle listeners associated with this lifecycle. If this
Lifecycle has no listeners registered, a zero-length array is returned.
|
| getDebug | | public int getDebug()(Code) | | Return the debugging detail level.
|
| getInfo | | public String getInfo()(Code) | | Return descriptive information about this Valve implementation.
|
| getRequireReauthentication | | public boolean getRequireReauthentication()(Code) | | Gets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request based on the presence of a valid SSO entry without
rechecking with the Realmtrue if it is required that a downstreamAuthenticator reauthenticate each request before calls toHttpServletRequest.setUserPrincipal()and HttpServletRequest.setAuthType() are made;false if the Valve can itself makethose calls relying on the presence of a valid SingleSignOnentry associated with the request.
See Also: SingleSignOn.setRequireReauthentication |
| invoke | | public void invoke(Request request, Response response, ValveContext context) throws IOException, ServletException(Code) | | Perform single-sign-on support processing for this request.
Parameters:
request - The servlet request we are processing
Parameters:
response - The servlet response we are creating
Parameters:
context - The valve context used to invoke the next valvein the current processing pipeline
exception:
IOException - if an input/output error occurs
exception:
ServletException - if a servlet error occurs |
| log | | protected void log(String message)(Code) | | Log a message on the Logger associated with our Container (if any).
Parameters:
message - Message to be logged |
| log | | protected void log(String message, Throwable throwable)(Code) | | Log a message on the Logger associated with our Container (if any).
Parameters:
message - Message to be logged
Parameters:
throwable - Associated exception |
| lookup | | protected SingleSignOnEntry lookup(String ssoId)(Code) | | Look up and return the cached SingleSignOn entry associated with this
sso id value, if there is one; otherwise return null.
Parameters:
ssoId - Single sign on identifier to look up |
| reauthenticate | | protected boolean reauthenticate(String ssoId, Realm realm, HttpRequest request)(Code) | | Attempts reauthentication to the given Realm using
the credentials associated with the single sign-on session
identified by argument ssoId.
If reauthentication is successful, the Principal and
authorization type associated with the SSO session will be bound
to the given HttpRequest object via calls to
HttpRequest.setAuthType HttpRequest.setAuthType() and
HttpRequest.setUserPrincipal HttpRequest.setUserPrincipal()
Parameters:
ssoId - identifier of SingleSignOn session with which thecaller is associated
Parameters:
realm - Realm implementation against which the caller is tobe authenticated
Parameters:
request - the request that needs to be authenticated true if reauthentication was successful,false otherwise. |
| register | | protected void register(String ssoId, Principal principal, String authType, String username, String password)(Code) | | Register the specified Principal as being associated with the specified
value for the single sign on identifier.
Parameters:
ssoId - Single sign on identifier to register
Parameters:
principal - Associated user principal that is identified
Parameters:
authType - Authentication type used to authenticate thisuser principal
Parameters:
username - Username used to authenticate this user
Parameters:
password - Password used to authenticate this user |
| removeLifecycleListener | | public void removeLifecycleListener(LifecycleListener listener)(Code) | | Remove a lifecycle event listener from this component.
Parameters:
listener - The listener to remove |
| removeSession | | protected void removeSession(String ssoId, Session session)(Code) | | Remove a single Session from a SingleSignOn. Called when
a session is timed out and no longer active.
Parameters:
ssoId - Single sign on identifier from which to remove the session.
Parameters:
session - the session to be removed. |
| sessionEvent | | public void sessionEvent(SessionEvent event)(Code) | | Acknowledge the occurrence of the specified event.
Parameters:
event - SessionEvent that has occurred |
| setDebug | | public void setDebug(int debug)(Code) | | Set the debugging detail level.
Parameters:
debug - The new debugging detail level |
| setRequireReauthentication | | public void setRequireReauthentication(boolean required)(Code) | | Sets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request, based on the presence of a valid SSO entry, without
rechecking with the Realm
If this property is false (the default), this
Valve will bind a UserPrincipal and AuthType to the request
if a valid SSO entry is associated with the request. It will not notify
the security Realm of the incoming request.
This property should be set to true if the overall server
configuration requires that the Realm reauthenticate each
request thread. An example of such a configuration would be one where
the Realm implementation provides security for both a
web tier and an associated EJB tier, and needs to set security
credentials on each request thread in order to support EJB access.
If this property is set to true, this Valve will set flags
on the request notifying the downstream Authenticator that the request
is associated with an SSO session. The Authenticator will then call its
AuthenticatorBase.reauthenticateFromSSO reauthenticateFromSSO method to attempt to reauthenticate the request to the
Realm, using any credentials that were cached with this
Valve.
The default value of this property is false, in order
to maintain backward compatibility with previous versions of Tomcat.
Parameters:
required - true if it is required that a downstreamAuthenticator reauthenticate each request before callsto HttpServletRequest.setUserPrincipal()and HttpServletRequest.setAuthType() aremade; false if the Valve canitself make those calls relying on the presence of avalid SingleSignOn entry associated with the request.
See Also: AuthenticatorBase.reauthenticateFromSSO |
| start | | public void start() throws LifecycleException(Code) | | Prepare for the beginning of active use of the public methods of this
component. This method should be called after configure(),
and before any of the public methods of the component are utilized.
exception:
LifecycleException - if this component detects a fatal errorthat prevents this component from being used |
| stop | | public void stop() throws LifecycleException(Code) | | Gracefully terminate the active use of the public methods of this
component. This method should be the last one called on a given
instance of this component.
exception:
LifecycleException - if this component detects a fatal errorthat needs to be reported |
| toString | | public String toString()(Code) | | Return a String rendering of this object.
|
| update | | protected void update(String ssoId, Principal principal, String authType, String username, String password)(Code) | | Updates any SingleSignOnEntry found under key
ssoId with the given authentication data.
The purpose of this method is to allow an SSO entry that was
established without a username/password combination (i.e. established
following DIGEST or CLIENT-CERT authentication) to be updated with
a username and password if one becomes available through a subsequent
BASIC or FORM authentication. The SSO entry will then be usable for
reauthentication.
NOTE: Only updates the SSO entry if a call to
SingleSignOnEntry.getCanReauthenticate() returns
false; otherwise, it is assumed that the SSO entry already
has sufficient information to allow reauthentication and that no update
is needed.
Parameters:
ssoId - identifier of Single sign to be updated
Parameters:
principal - the Principal returned by the latestcall to Realm.authenticate.
Parameters:
authType - the type of authenticator used (BASIC, CLIENT-CERT,DIGEST or FORM)
Parameters:
username - the username (if any) used for the authentication
Parameters:
password - the password (if any) used for the authentication |
|
|