| java.lang.Object org.apache.catalina.valves.ValveBase org.apache.catalina.authenticator.SingleSignOn
All known Subclasses: org.apache.catalina.ha.authenticator.ClusterSingleSignOn
SingleSignOn | public class SingleSignOn extends ValveBase implements Lifecycle, SessionListener | | A Valve that supports a "single sign on" user experience,
where the security identity of a user who successfully authenticates to one
web application is propagated to other web applications in the same
security domain. For successful use, the following requirements must
be met:
- This Valve must be configured on the Container that represents a
virtual host (typically an implementation of Host).
- The Realm that contains the shared user and role
information must be configured on the same Container (or a higher
one), and not overridden at the web application level.
- The web applications themselves must use one of the standard
Authenticators found in the org.apache.catalina.authenticator package.
author: Craig R. McClanahan version: $Revision: 536380 $ $Date: 2007-05-09 01:49:56 +0200 (mer., 09 mai 2007) $ |
Field Summary | |
protected Map<String, SingleSignOnEntry> | cache The cache of SingleSignOnEntry instances for authenticated Principals,
keyed by the cookie value that is used to select them. | protected static String | info Descriptive information about this Valve implementation. | protected LifecycleSupport | lifecycle The lifecycle event support for this component. | protected Map<Session, String> | reverse The cache of single sign on identifiers, keyed by the Session that is
associated with them. | final protected static StringManager | sm The string manager for this package. | protected boolean | started Component started flag. |
Method Summary | |
public void | addLifecycleListener(LifecycleListener listener) Add a lifecycle event listener to this component. | protected void | associate(String ssoId, Session session) Associate the specified single sign on identifier with the
specified Session. | protected void | deregister(String ssoId, Session session) Deregister the specified session. | protected void | deregister(String ssoId) Deregister the specified single sign on identifier, and invalidate
any associated sessions. | public LifecycleListener[] | findLifecycleListeners() Get the lifecycle listeners associated with this lifecycle. | public String | getCookieDomain() Returns the optional cookie domain. | public String | getInfo() Return descriptive information about this Valve implementation. | public boolean | getRequireReauthentication() Gets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request based on the presence of a valid SSO entry without
rechecking with the Realm. | public void | invoke(Request request, Response response) Perform single-sign-on support processing for this request. | protected SingleSignOnEntry | lookup(String ssoId) Look up and return the cached SingleSignOn entry associated with this
sso id value, if there is one; otherwise return null. | protected boolean | reauthenticate(String ssoId, Realm realm, Request request) Attempts reauthentication to the given Realm using
the credentials associated with the single sign-on session
identified by argument ssoId. | protected void | register(String ssoId, Principal principal, String authType, String username, String password) Register the specified Principal as being associated with the specified
value for the single sign on identifier. | public void | removeLifecycleListener(LifecycleListener listener) Remove a lifecycle event listener from this component. | protected void | removeSession(String ssoId, Session session) Remove a single Session from a SingleSignOn. | public void | sessionEvent(SessionEvent event) Acknowledge the occurrence of the specified event. | public void | setCookieDomain(String cookieDomain) Sets the domain to be used for sso cookies. | public void | setRequireReauthentication(boolean required) Sets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request, based on the presence of a valid SSO entry, without
rechecking with the Realm.
If this property is false (the default), this
Valve will bind a UserPrincipal and AuthType to the request
if a valid SSO entry is associated with the request. | public void | start() Prepare for the beginning of active use of the public methods of this
component. | public void | stop() Gracefully terminate the active use of the public methods of this
component. | public String | toString() Return a String rendering of this object. | protected void | update(String ssoId, Principal principal, String authType, String username, String password) Updates any SingleSignOnEntry found under key
ssoId with the given authentication data.
The purpose of this method is to allow an SSO entry that was
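established without a username/password combination (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. |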
cache | protected Map<String, SingleSignOnEntry> cache | | The cache of SingleSignOnEntry instances for authenticated Principals,
keyed by the cookie value that is used to select them.
|
info | protected static String info | | Descriptive information about this Valve implementation.
|
reverse | protected Map<Session, String> reverse | | The cache of single sign on identifiers, keyed by the Session that is
associated with them.
|
started | protected boolean started | | Component started flag.
|
addLifecycleListener | public void addLifecycleListener(LifecycleListener listener) | | Add a lifecycle event listener to this component.
Parameters: listener - The listener to add |
associate | protected void associate(String ssoId, Session session) | | Associate the specified single sign on identifier with the
specified Session.
Parameters: ssoId - Single sign on identifier Parameters: session - Session to be associated |
deregister | protected void deregister(String ssoId, Session session) | | Deregister the specified session. If it is the last session,
then also get rid of the single sign on identifier.
Parameters: ssoId - Single sign on identifier Parameters: session - Session to be deregistered |
deregister | protected void deregister(String ssoId) | | Deregister the specified single sign on identifier, and invalidate
any associated sessions.
Parameters: ssoId - Single sign on identifier to deregister |
findLifecycleListeners | public LifecycleListener[] findLifecycleListeners() | | Get the lifecycle listeners associated with this lifecycle. If this
Lifecycle has no listeners registered, a zero-length array is returned.
|
getCookieDomain | public String getCookieDomain() | | Returns the optional cookie domain.
May return null.
Returns: The cookie domain |
getInfo | public String getInfo() | | Return descriptive information about this Valve implementation.
|
getRequireReauthentication | public boolean getRequireReauthentication() | | Gets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request based on the presence of a valid SSO entry without
rechecking with the Realm.
Returns: true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request. See Also: SingleSignOn.setRequireReauthentication |
invoke | public void invoke(Request request, Response response) throws IOException, ServletException | | Perform single-sign-on support processing for this request.
Parameters: request - The servlet request we are processing Parameters: response - The servlet response we are creating exception: IOException - if an input/output error occurs exception: ServletException - if a servlet error occurs |
lookup | protected SingleSignOnEntry lookup(String ssoId) | | Look up and return the cached SingleSignOn entry associated with this
sso id value, if there is one; otherwise return null.
Parameters: ssoId - Single sign on identifier to look up |
reauthenticate | protected boolean reauthenticate(String ssoId, Realm realm, Request request) | | Attempts reauthentication to the given Realm using
the credentials associated with the single sign-on session
identified by argument ssoId.
If reauthentication is successful, the Principal and
authorization type associated with the SSO session will be bound
to the given Request object via calls to
Request.setAuthType() and
Request.setUserPrincipal().
Parameters: ssoId - identifier of SingleSignOn session with which the caller is associated Parameters: realm - Realm implementation against which the caller is to be authenticated Parameters: request - the request that needs to be authenticated Returns: true if reauthentication was successful, false otherwise. |
register | protected void register(String ssoId, Principal principal, String authType, String username, String password) | | Register the specified Principal as being associated with the specified
value for the single sign on identifier.
Parameters: ssoId - Single sign on identifier to register Parameters: principal - Associated user principal that is identified Parameters: authType - Authentication type used to authenticate this user principal Parameters: username - Username used to authenticate this user Parameters: password - Password used to authenticate this user |
removeLifecycleListener | public void removeLifecycleListener(LifecycleListener listener) | | Remove a lifecycle event listener from this component.
Parameters: listener - The listener to remove |
removeSession | protected void removeSession(String ssoId, Session session) | | Remove a single Session from a SingleSignOn. Called when
a session is timed out and no longer active.
Parameters: ssoId - Single sign on identifier from which to remove the session. Parameters: session - the session to be removed. |
sessionEvent | public void sessionEvent(SessionEvent event) | | Acknowledge the occurrence of the specified event.
Parameters: event - SessionEvent that has occurred |
setCookieDomain | public void setCookieDomain(String cookieDomain) | | Sets the domain to be used for sso cookies.
Parameters: cookieDomain - cookie domain name |
setRequireReauthentication | public void setRequireReauthentication(boolean required) | | Sets whether each request needs to be reauthenticated (by an
Authenticator downstream in the pipeline) to the security
Realm, or if this Valve can itself bind security info
to the request, based on the presence of a valid SSO entry, without
rechecking with the Realm.
If this property is false (the default), this
Valve will bind a UserPrincipal and AuthType to the request
if a valid SSO entry is associated with the request. It will not notify
the security Realm of the incoming request.
This property should be set to true if the overall server
configuration requires that the Realm reauthenticate each
request thread. An example of such a configuration would be one where
the Realm implementation provides security for both a
web tier and an associated EJB tier, and needs to set security
credentials on each request thread in order to support EJB access.
If this property is set to true, this Valve will set flags
on the request notifying the downstream Authenticator that the request
is associated with an SSO session. The Authenticator will then call its
AuthenticatorBase.reauthenticateFromSSO method to attempt to reauthenticate the request to the
Realm, using any credentials that were cached with this
Valve.
The default value of this property is false, in order
to maintain backward compatibility with previous versions of Tomcat.
Parameters: required - true if it is required that a downstream Authenticator reauthenticate each request before calls to HttpServletRequest.setUserPrincipal() and HttpServletRequest.setAuthType() are made; false if the Valve can itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request. See Also: AuthenticatorBase.reauthenticateFromSSO |
start | public void start() throws LifecycleException | | Prepare for the beginning of active use of the public methods of this
component. This method should be called after configure(),
and before any of the public methods of the component are utilized.
exception: LifecycleException - if this component detects a fatal error that prevents this component from being used |
stop | public void stop() throws LifecycleException | | Gracefully terminate the active use of the public methods of this
component. This method should be the last one called on a given
instance of this component.
exception: LifecycleException - if this component detects a fatal error that needs to be reported |
toString | public String toString() | | Return a String rendering of this object.
|
update | protected void update(String ssoId, Principal principal, String authType, String username, String password) | | Updates any SingleSignOnEntry found under key
ssoId with the given authentication data.
The purpose of this method is to allow an SSO entry that was
established without a username/password combination (i.e. established
following DIGEST or CLIENT_CERT authentication) to be updated with
a username and password if one becomes available through a subsequent
BASIC or FORM authentication. The SSO entry will then be usable for
reauthentication.
NOTE: Only updates the SSO entry if a call to
SingleSignOnEntry.getCanReauthenticate() returns
false; otherwise, it is assumed that the SSO entry already
has sufficient information to allow reauthentication and that no update
is needed.
Parameters: ssoId - identifier of Single sign to be updated Parameters: principal - the Principal returned by the latest call to Realm.authenticate. Parameters: authType - the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM) Parameters: username - the username (if any) used for the authentication Parameters: password - the password (if any) used for the authentication |
|
|
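The bookkeeping described for cache, reverse, register, associate, deregister(ssoId, session) and update, as a simplified stand-alone model added here; it is not Tomcat's source. SsoModel, Entry and the String session ids are hypothetical names, and treating BASIC and FORM as the only authentication types that can be replayed is an assumption drawn from the update() description.

```java
import java.security.Principal;
import java.util.*;

// Simplified model of the bookkeeping described above. SsoModel and Entry are
// hypothetical names; sessions are plain String ids rather than Session objects.
public class SsoModel {
    static final class Entry {
        Principal principal; String authType, username, password;
        final Set<String> sessions = new HashSet<>();
        // Assumption: only BASIC/FORM logins leave a username/password to replay.
        boolean canReauthenticate() { return "BASIC".equals(authType) || "FORM".equals(authType); }
        void set(Principal p, String type, String user, String pw) {
            principal = p; authType = type; username = user; password = pw;
        }
    }
    final Map<String, Entry> cache = new HashMap<>();    // ssoId -> entry
    final Map<String, String> reverse = new HashMap<>(); // sessionId -> ssoId

    synchronized void register(String ssoId, Principal p, String type, String user, String pw) {
        Entry e = new Entry();
        e.set(p, type, user, pw);
        cache.put(ssoId, e);
    }
    synchronized void associate(String ssoId, String sessionId) {
        Entry e = cache.get(ssoId);
        if (e != null) { e.sessions.add(sessionId); reverse.put(sessionId, ssoId); }
    }
    // Deregister one session; the SSO identifier goes away with its last session.
    synchronized void deregister(String ssoId, String sessionId) {
        reverse.remove(sessionId);
        Entry e = cache.get(ssoId);
        if (e != null && e.sessions.remove(sessionId) && e.sessions.isEmpty()) cache.remove(ssoId);
    }
    // Upgrade an entry only while it cannot yet be used for reauthentication.
    synchronized void update(String ssoId, Principal p, String type, String user, String pw) {
        Entry e = cache.get(ssoId);
        if (e != null && !e.canReauthenticate()) e.set(p, type, user, pw);
    }
    public static void main(String[] args) {
        SsoModel sso = new SsoModel();
        Principal alice = () -> "alice";                  // constructed sample data
        sso.register("sso-1", alice, "CLIENT_CERT", null, null);
        for (String s : List.of("sessA", "sessB")) sso.associate("sso-1", s);
        sso.update("sso-1", alice, "FORM", "alice", "constructed-pw");   // applied
        sso.update("sso-1", alice, "BASIC", "alice", "ignored-pw");      // ignored
        System.out.println("authType=" + sso.cache.get("sso-1").authType);
        sso.deregister("sso-1", "sessA");
        System.out.println("after sessA: " + sso.cache.containsKey("sso-1"));
        sso.deregister("sso-1", "sessB");
        System.out.println("after sessB: " + sso.cache.containsKey("sso-1"));
    }
}
```

In this model, an entry that can be used for reauthentication keeps the username and password in memory until its last session is deregistered.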