Lines 33-38
Link Here
|
33 |
import org.apache.catalina.LifecycleException; |
33 |
import org.apache.catalina.LifecycleException; |
34 |
import org.apache.catalina.LifecycleListener; |
34 |
import org.apache.catalina.LifecycleListener; |
35 |
import org.apache.catalina.Logger; |
35 |
import org.apache.catalina.Logger; |
|
|
36 |
import org.apache.catalina.Realm; |
36 |
import org.apache.catalina.Request; |
37 |
import org.apache.catalina.Request; |
37 |
import org.apache.catalina.Response; |
38 |
import org.apache.catalina.Response; |
38 |
import org.apache.catalina.Session; |
39 |
import org.apache.catalina.Session; |
Lines 559-564
Link Here
|
559 |
|
560 |
|
560 |
|
561 |
|
561 |
/** |
562 |
/** |
|
|
563 |
* Attempts reauthentication to the given <code>Realm</code> using |
564 |
* the credentials associated with the single sign-on session |
565 |
* identified by argument <code>ssoId</code>. |
566 |
* <p> |
567 |
* If reauthentication is successful, the <code>Principal</code> and |
568 |
* authorization type associated with the SSO session will be bound |
569 |
* to the given <code>HttpRequest</code> object via calls to |
570 |
* {@link HttpRequest#setAuthType HttpRequest.setAuthType()} and |
571 |
* {@link HttpRequest#setUserPrincipal HttpRequest.setUserPrincipal()} |
572 |
* </p> |
573 |
* |
574 |
* @param ssoId identifier of SingleSignOn session with which the |
575 |
* caller is associated |
576 |
* @param realm Realm implementation against which the caller is to |
577 |
* be authenticated |
578 |
* @param request the request that needs to be authenticated |
579 |
* |
580 |
* @return <code>true</code> if reauthentication was successful, |
581 |
* <code>false</code> otherwise. |
582 |
*/ |
583 |
protected boolean reauthenticate(String ssoId, Realm realm, |
584 |
HttpRequest request) { |
585 |
|
586 |
if (ssoId == null || realm == null) |
587 |
return false; |
588 |
|
589 |
boolean reauthenticated = false; |
590 |
|
591 |
SingleSignOnEntry entry = lookup(ssoId); |
592 |
if (entry != null && entry.getCanReauthenticate()) { |
593 |
|
594 |
String username = entry.getUsername(); |
595 |
if (username != null) { |
596 |
Principal reauthPrincipal = |
597 |
realm.authenticate(username, entry.getPassword()); |
598 |
if (reauthPrincipal != null) { |
599 |
reauthenticated = true; |
600 |
// Bind the authorization credentials to the request |
601 |
request.setAuthType(entry.getAuthType()); |
602 |
request.setUserPrincipal(reauthPrincipal); |
603 |
} |
604 |
} |
605 |
} |
606 |
|
607 |
return reauthenticated; |
608 |
} |
609 |
|
610 |
|
611 |
/** |
562 |
* Register the specified Principal as being associated with the specified |
612 |
* Register the specified Principal as being associated with the specified |
563 |
* value for the single sign on identifier. |
613 |
* value for the single sign on identifier. |
564 |
* |
614 |
* |
Lines 585-590
Link Here
|
585 |
|
635 |
|
586 |
|
636 |
|
587 |
/** |
637 |
/** |
|
|
638 |
* Updates any <code>SingleSignOnEntry</code> found under key |
639 |
* <code>ssoId</code> with the given authentication data. |
640 |
* <p> |
641 |
* The purpose of this method is to allow an SSO entry that was |
642 |
* established without a username/password combination (i.e. established |
643 |
* following DIGEST or CLIENT-CERT authentication) to be updated with |
644 |
* a username and password if one becomes available through a subsequent |
645 |
* BASIC or FORM authentication. The SSO entry will then be usable for |
646 |
* reauthentication. |
647 |
* <p> |
648 |
* <b>NOTE:</b> Only updates the SSO entry if a call to |
649 |
* <code>SingleSignOnEntry.getCanReauthenticate()</code> returns |
650 |
* <code>false</code>; otherwise, it is assumed that the SSO entry already |
651 |
* has sufficient information to allow reauthentication and that no update |
652 |
* is needed. |
653 |
* |
654 |
* @param ssoId identifier of Single sign to be updated |
655 |
* @param principal the <code>Principal</code> returned by the latest |
656 |
* call to <code>Realm.authenticate</code>. |
657 |
* @param authType the type of authenticator used (BASIC, CLIENT-CERT, |
658 |
* DIGEST or FORM) |
659 |
* @param username the username (if any) used for the authentication |
660 |
* @param password the password (if any) used for the authentication |
661 |
*/ |
662 |
protected void update(String ssoId, Principal principal, String authType, |
663 |
String username, String password) { |
664 |
|
665 |
SingleSignOnEntry sso = lookup(ssoId); |
666 |
if (sso != null && !sso.getCanReauthenticate()) { |
667 |
if (debug >= 1) |
668 |
log("Update sso id " + ssoId + " to auth type " + authType); |
669 |
|
670 |
synchronized(sso) { |
671 |
sso.updateCredentials(principal, authType, username, password); |
672 |
} |
673 |
|
674 |
} |
675 |
} |
676 |
|
677 |
|
678 |
/** |
588 |
* Log a message on the Logger associated with our Container (if any). |
679 |
* Log a message on the Logger associated with our Container (if any). |
589 |
* |
680 |
* |
590 |
* @param message Message to be logged |
681 |
* @param message Message to be logged |
Lines 633-638
Link Here
|
633 |
|
724 |
|
634 |
} |
725 |
} |
635 |
|
726 |
|
|
|
727 |
|
636 |
//---------------------------------------------- Package-Protected Methods |
728 |
//---------------------------------------------- Package-Protected Methods |
637 |
|
729 |
|
638 |
|
730 |
|
Lines 669-713
Link Here
|
669 |
} |
761 |
} |
670 |
} |
762 |
} |
671 |
|
763 |
|
672 |
|
|
|
673 |
/** |
674 |
* Updates any <code>SingleSignOnEntry</code> found under key |
675 |
* <code>ssoId</code> with the given authentication data. |
676 |
* <p> |
677 |
* The purpose of this method is to allow an SSO entry that was |
678 |
* established without a username/password combination (i.e. established |
679 |
* following DIGEST or CLIENT-CERT authentication) to be updated with |
680 |
* a username and password if one becomes available through a subsequent |
681 |
* BASIC or FORM authentication. The SSO entry will then be usable for |
682 |
* reauthentication. |
683 |
* <p> |
684 |
* <b>NOTE:</b> Only updates the SSO entry if a call to |
685 |
* <code>SingleSignOnEntry.getCanReauthenticate()</code> returns |
686 |
* <code>false</code>; otherwise, it is assumed that the SSO entry already |
687 |
* has sufficient information to allow reauthentication and that no update |
688 |
* is needed. |
689 |
* |
690 |
* @param ssoId identifier of Single sign to be updated |
691 |
* @param principal the <code>Principal</code> returned by the latest |
692 |
* call to <code>Realm.authenticate</code>. |
693 |
* @param authType the type of authenticator used (BASIC, CLIENT-CERT, |
694 |
* DIGEST or FORM) |
695 |
* @param username the username (if any) used for the authentication |
696 |
* @param password the password (if any) used for the authentication |
697 |
*/ |
698 |
void update(String ssoId, Principal principal, String authType, |
699 |
String username, String password) { |
700 |
|
701 |
SingleSignOnEntry sso = lookup(ssoId); |
702 |
if (sso != null && !sso.getCanReauthenticate()) { |
703 |
if (debug >= 1) |
704 |
log("Update sso id " + ssoId + " to auth type " + authType); |
705 |
|
706 |
synchronized(sso) { |
707 |
sso.updateCredentials(principal, authType, username, password); |
708 |
} |
709 |
|
710 |
} |
711 |
} |
712 |
|
713 |
} |
764 |
} |