markt 2004/11/27 10:29:44
Modified: catalina/src/share/org/apache/catalina/realm
DataSourceRealm.java JAASRealm.java JDBCRealm.java
LocalStrings.properties MemoryRealm.java
RealmBase.java UserDatabaseRealm.java
webapps/tomcat-docs realm-howto.xml
Log:
Fix bug 19767. Port support for digested passwords with DIGEST
authentication for JDBC and DataSource realms from TC5.
Remove unused imports in o.a.c.realm package
Revision Changes Path
1.4 +135 -73
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java
Index: DataSourceRealm.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/DataSourceRealm.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- DataSourceRealm.java 26 Aug 2004 21:37:21 -0000 1.3
+++ DataSourceRealm.java 27 Nov 2004 18:29:44 -0000 1.4
@@ -18,36 +18,20 @@
package org.apache.catalina.realm;
-import java.io.File;
-import java.security.MessageDigest;
import java.security.Principal;
import java.sql.Connection;
-import java.sql.Driver;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
-import java.util.Properties;
-import javax.naming.InitialContext;
import javax.naming.Context;
-import javax.naming.NamingException;
import javax.sql.DataSource;
-import org.apache.catalina.Container;
-import org.apache.catalina.Lifecycle;
-import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.LifecycleListener;
-import org.apache.catalina.Logger;
-import org.apache.catalina.Realm;
-import org.apache.catalina.Server;
import org.apache.catalina.ServerFactory;
import org.apache.catalina.core.StandardServer;
-import org.apache.catalina.util.HexUtils;
-import org.apache.catalina.util.LifecycleSupport;
import org.apache.catalina.util.StringManager;
-import org.apache.catalina.util.Base64;
/**
*
@@ -323,64 +307,37 @@
*/
private Principal authenticate(Connection dbConnection,
String username,
- String credentials)
- throws SQLException {
+ String credentials) {
- ResultSet rs = null;
- PreparedStatement stmt = null;
- ArrayList list = null;
- try {
- // Look up the user's credentials
- String dbCredentials = null;
- stmt = credentials(dbConnection, username);
- rs = stmt.executeQuery();
- while (rs.next()) {
- dbCredentials = rs.getString(1).trim();
- }
- rs.close();
- rs = null;
- stmt.close();
- stmt = null;
- if (dbCredentials == null) {
- return (null);
- }
-
- // Validate the user's credentials
- boolean validated = false;
- if (hasMessageDigest()) {
- // Hex hashes should be compared case-insensitive
- validated =
(digest(credentials).equalsIgnoreCase(dbCredentials));
- } else
- validated = (digest(credentials).equals(dbCredentials));
-
- if (validated) {
- if (debug >= 2)
- log(sm.getString("dataSourceRealm.authenticateSuccess",
- username));
- } else {
- if (debug >= 2)
- log(sm.getString("dataSourceRealm.authenticateFailure",
- username));
- return (null);
- }
-
- // Accumulate the user's roles
- list = new ArrayList();
- stmt = roles(dbConnection, username);
- rs = stmt.executeQuery();
- while (rs.next()) {
- list.add(rs.getString(1).trim());
- }
- } finally {
- if (rs != null) {
- rs.close();
- }
- if (stmt != null) {
- stmt.close();
- }
+ // No user - can't possibly authenticate
+ if (username == null) {
+ return (null);
}
+ String dbCredentials = getPassword(username);
+
+ // Validate the user's credentials
+ boolean validated = false;
+ if (hasMessageDigest()) {
+ // Hex hashes should be compared case-insensitive
+ validated =
(digest(credentials).equalsIgnoreCase(dbCredentials));
+ } else
+ validated = (digest(credentials).equals(dbCredentials));
+
+ if (validated) {
+ if (debug >=2)
+ log(sm.getString("dataSourceRealm.authenticateSuccess",
+ username));
+ } else {
+ if (debug >=2)
+ log(sm.getString("dataSourceRealm.authenticateFailure",
+ username));
+ return (null);
+ }
+
+ ArrayList list = getRoles(username);
+
// Create and return a suitable Principal for this user
return (new GenericPrincipal(this, username, credentials, list));
@@ -455,7 +412,7 @@
*/
protected String getName() {
- return (this.name);
+ return (DataSourceRealm.name);
}
@@ -465,6 +422,60 @@
*/
protected String getPassword(String username) {
+ ResultSet rs = null;
+ PreparedStatement stmt = null;
+ ArrayList list = null;
+ Connection dbConnection = null;
+
+ // Ensure that we have an open database connection
+ dbConnection = open();
+ if (dbConnection == null) {
+ return null;
+ }
+
+ try {
+ // Look up the user's credentials
+ String dbCredentials = null;
+ stmt = credentials(dbConnection, username);
+ rs = stmt.executeQuery();
+ if (rs.next()) {
+ dbCredentials = rs.getString(1);
+ }
+ rs.close();
+ rs = null;
+ stmt.close();
+ stmt = null;
+ if (dbCredentials == null) {
+ return (null);
+ }
+ dbCredentials = dbCredentials.trim();
+
+ return (dbCredentials);
+
+ } catch(SQLException e) {
+ log(sm.getString("datasourceRealm.getPassword.exception",
+ username));
+ } finally {
+ try {
+ if (rs != null) {
+ rs.close();
+ }
+ if (stmt != null) {
+ stmt.close();
+ }
+ if( !dbConnection.getAutoCommit() ) {
+ dbConnection.commit();
+ }
+ } catch (SQLException e) {
+ log(sm.getString("datasourceRealm.getPassword.exception",
+ username));
+
+ }
+ // Release the database connection we just used
+ close(dbConnection);
+ dbConnection = null;
+
+ }
return (null);
}
@@ -475,10 +486,61 @@
*/
protected Principal getPrincipal(String username) {
- return (null);
+ return (new GenericPrincipal(this,
+ username,
+ getPassword(username),
+ getRoles(username)));
}
+
+
+ /**
+ * Return the roles associated with the gven user name.
+ */
+ protected ArrayList getRoles(String username) {
+
+ ResultSet rs = null;
+ PreparedStatement stmt = null;
+ Connection dbConnection = null;
+
+ // Ensure that we have an open database connection
+ dbConnection = open();
+ if (dbConnection == null) {
+ return null;
+ }
+
+ try {
+ // Accumulate the user's roles
+ ArrayList list = new ArrayList();
+ stmt = roles(dbConnection, username);
+ rs = stmt.executeQuery();
+ while (rs.next()) {
+ String role = rs.getString(1);
+ if (role != null) {
+ list.add(role.trim());
+ }
+ }
+
+ return (list);
+ } catch(SQLException e) {
+ log(sm.getString("datasourceRealm.getRoles.exception",
username));
+ } finally {
+ try {
+ if (rs != null) {
+ rs.close();
+ }
+ if (stmt != null) {
+ stmt.close();
+ }
+ } catch(SQLException e) {
+ log(sm.getString("datasourceRealm.getRoles.exception",
+ username));
+ }
+ }
+
+ return (null);
+ }
/**
1.6 +2 -4
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
Index: JAASRealm.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JAASRealm.java,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- JAASRealm.java 26 Aug 2004 21:37:21 -0000 1.5
+++ JAASRealm.java 27 Nov 2004 18:29:44 -0000 1.6
@@ -21,14 +21,12 @@
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
-import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
-import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.util.StringManager;
@@ -296,7 +294,7 @@
*/
protected String getName() {
- return (this.name);
+ return (JAASRealm.name);
}
1.25 +117 -68
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java
Index: JDBCRealm.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/JDBCRealm.java,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- JDBCRealm.java 26 Aug 2004 21:37:21 -0000 1.24
+++ JDBCRealm.java 27 Nov 2004 18:29:44 -0000 1.25
@@ -44,7 +44,8 @@
* @author Craig R. McClanahan
* @author Carson McDonald
* @author Ignacio Ortega
-* @version $Revision$ $Date$*/
+* @version $Revision$ $Date$
+*/
public class JDBCRealm
extends RealmBase {
@@ -384,81 +385,42 @@
* @param username Username of the Principal to look up
* @param credentials Password or other credentials to use in
* authenticating this username
- *
- * @exception SQLException if a database error occurs
*/
public synchronized Principal authenticate(Connection dbConnection,
String username,
- String credentials)
- throws SQLException {
-
- // Look up the user's credentials
- String dbCredentials = null;
- PreparedStatement stmt = null;
- ResultSet rs = null;
-
- try {
- stmt = credentials(dbConnection, username);
- rs = stmt.executeQuery();
-
- if (rs.next()) {
- dbCredentials = rs.getString(1);
- }
- rs.close();
- rs = null;
- if (dbCredentials == null) {
- return (null);
- }
-
- dbCredentials = dbCredentials.trim();
+ String credentials) {
- // Validate the user's credentials
- boolean validated = false;
- if (hasMessageDigest()) {
- // Hex hashes should be compared case-insensitive
- validated =
(digest(credentials).equalsIgnoreCase(dbCredentials));
- } else {
- validated = (digest(credentials).equals(dbCredentials));
- }
+ // No user - can't possibly authenticate
+ if (username == null) {
+ return (null);
+ }
- if (validated) {
- if (debug >= 2)
- log(sm.getString("jdbcRealm.authenticateSuccess",
- username));
- } else {
- if (debug >= 2)
- log(sm.getString("jdbcRealm.authenticateFailure",
- username));
- return (null);
- }
+ // Look up the user's credentials
+ String dbCredentials = getPassword(username);
- // Accumulate the user's roles
- ArrayList roleList = new ArrayList();
- stmt = roles(dbConnection, username);
- rs = stmt.executeQuery();
- while (rs.next()) {
- String role = rs.getString(1);
- if (null!=role) {
- roleList.add(role.trim());
- }
- }
- rs.close();
- rs = null;
+ // Validate the user's credentials
+ boolean validated = false;
+ if (hasMessageDigest()) {
+ // Hex hashes should be compared case-insensitive
+ validated =
(digest(credentials).equalsIgnoreCase(dbCredentials));
+ } else {
+ validated = (digest(credentials).equals(dbCredentials));
+ }
- // Create and return a suitable Principal for this user
- return (new GenericPrincipal(this, username, credentials,
roleList));
- } finally {
- if (rs!=null) {
- try {
- rs.close();
- } catch(SQLException e) {
- log(sm.getString("jdbcRealm.abnormalCloseResultSet"));
- }
- }
- dbConnection.commit();
+ if (validated) {
+ if (debug >= 2)
+ log(sm.getString("jdbcRealm.authenticateSuccess", username));
+ } else {
+ if (debug >=2)
+ log(sm.getString("jdbcRealm.authenticateFailure",
username));
+ return (null);
}
+ ArrayList roles = getRoles(username);
+
+ // Create and return a suitable Principal for this user
+ return (new GenericPrincipal(this, username, credentials, roles));
}
@@ -542,7 +504,7 @@
*/
protected String getName() {
- return (this.name);
+ return (JDBCRealm.name);
}
@@ -552,6 +514,44 @@
*/
protected String getPassword(String username) {
+ // Look up the user's credentials
+ String dbCredentials = null;
+ PreparedStatement stmt = null;
+ ResultSet rs = null;
+
+ try {
+ stmt = credentials(dbConnection, username);
+ rs = stmt.executeQuery();
+
+ if (rs.next()) {
+ dbCredentials = rs.getString(1);
+ }
+ rs.close();
+ rs = null;
+ if (dbCredentials == null) {
+ return (null);
+ }
+
+ dbCredentials = dbCredentials.trim();
+ return dbCredentials;
+
+ } catch(SQLException e){
+ log(sm.getString("jdbcRealm.getPassword.exception", username));
+ } finally {
+ if (rs!=null) {
+ try {
+ rs.close();
+ } catch(SQLException e) {
+ log(sm.getString("jdbcRealm.abnormalCloseResultSet"));
+ }
+ }
+ try {
+ dbConnection.commit();
+ } catch (SQLException e) {
+ log(sm.getString("jdbcRealm.getPassword.exception",
username));
+ }
+ }
+
return (null);
}
@@ -562,11 +562,60 @@
*/
protected Principal getPrincipal(String username) {
- return (null);
+ return (new GenericPrincipal(this,
+ username,
+ getPassword(username),
+ getRoles(username)));
}
+ /**
+ * Return the roles associated with the gven user name.
+ */
+ protected ArrayList getRoles(String username) {
+
+ PreparedStatement stmt = null;
+ ResultSet rs = null;
+
+ try {
+ // Accumulate the user's roles
+ ArrayList roleList = new ArrayList();
+ stmt = roles(dbConnection, username);
+ rs = stmt.executeQuery();
+ while (rs.next()) {
+ String role = rs.getString(1);
+ if (null!=role) {
+ roleList.add(role.trim());
+ }
+ }
+ rs.close();
+ rs = null;
+
+ return (roleList);
+
+ } catch(SQLException e){
+ log(sm.getString("jdbcRealm.getRoles.exception", username));
+ } finally {
+ if (rs!=null) {
+ try {
+ rs.close();
+ } catch(SQLException e) {
+ log(sm.getString("jdbcRealm.abnormalCloseResultSet"));
+ }
+ }
+ try {
+ dbConnection.commit();
+ } catch (SQLException e) {
+ log(sm.getString("jdbcRealm.getRoles.exception", username));
+ }
+ }
+
+ return (null);
+
+ }
+
+
/**
* Open (if necessary) and return a database connection for use by
* this Realm.
1.10 +5 -1
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/LocalStrings.properties
Index: LocalStrings.properties
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/LocalStrings.properties,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- LocalStrings.properties 12 Dec 2003 22:39:22 -0000 1.9
+++ LocalStrings.properties 27 Nov 2004 18:29:44 -0000 1.10
@@ -13,6 +13,8 @@
jdbcRealm.authenticateSuccess=Username {0} successfully authenticated
jdbcRealm.close=Exception closing database connection
jdbcRealm.exception=Exception performing authentication
+jdbcRealm.getPassword.exception=Exception retrieving password for "{0}"
+jdbcRealm.getRoles.exception=Exception retrieving roles for "{0}"
jdbcRealm.open=Exception opening database connection
jndiRealm.authenticateFailure=Username {0} NOT successfully authenticated
jndiRealm.authenticateSuccess=Username {0} successfully authenticated
@@ -41,4 +43,6 @@
dataSourceRealm.authenticateSuccess=Username {0} successfully authenticated
dataSourceRealm.close=Exception closing database connection
dataSourceRealm.exception=Exception performing authentication
+datasourceRealm.getPassword.exception=Exception retrieving password for "{0}"
+datasourceRealm.getRoles.exception=Exception retrieving roles for "{0}"
dataSourceRealm.open=Exception opening database connection
1.15 +2 -8
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java
Index: MemoryRealm.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/MemoryRealm.java,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- MemoryRealm.java 26 Aug 2004 21:37:21 -0000 1.14
+++ MemoryRealm.java 27 Nov 2004 18:29:44 -0000 1.15
@@ -23,13 +23,7 @@
import java.util.ArrayList;
import java.util.HashMap;
import org.apache.catalina.Container;
-import org.apache.catalina.Lifecycle;
-import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.LifecycleListener;
-import org.apache.catalina.Logger;
-import org.apache.catalina.Realm;
-import org.apache.catalina.util.LifecycleSupport;
import org.apache.catalina.util.StringManager;
import org.apache.commons.digester.Digester;
@@ -243,7 +237,7 @@
*/
protected String getName() {
- return (this.name);
+ return (MemoryRealm.name);
}
1.15 +99 -15
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java
Index: RealmBase.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- RealmBase.java 26 Aug 2004 21:37:21 -0000 1.14
+++ RealmBase.java 27 Nov 2004 18:29:44 -0000 1.15
@@ -24,10 +24,10 @@
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
-import java.io.File;
+import java.io.UnsupportedEncodingException;
+
import org.apache.catalina.Container;
import org.apache.catalina.Lifecycle;
-import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Logger;
@@ -74,6 +74,11 @@
*/
protected String digest = null;
+ /**
+ * The encoding charset for the digest.
+ */
+ protected String digestEncoding = null;
+
/**
* Descriptive information about this Realm implementation.
@@ -202,6 +207,24 @@
/**
+ * Returns the digest encoding charset.
+ *
+ * @return The charset (may be null) for platform default
+ */
+ public String getDigestEncoding() {
+ return digestEncoding;
+ }
+
+ /**
+ * Sets the digest encoding charset.
+ *
+ * @param charset The charset (null for platform default)
+ */
+ public void setDigestEncoding(String charset) {
+ digestEncoding = charset;
+ }
+
+ /**
* Return descriptive information about this Realm implementation and
* the corresponding version number, in the format
* <code><description>/<version></code>.
@@ -262,9 +285,18 @@
String serverCredentials = getPassword(username);
- if ( (serverCredentials == null)
- || (!serverCredentials.equals(credentials)) )
+ boolean validated;
+ if ( serverCredentials == null ) {
+ validated = false;
+ } else if(hasMessageDigest()) {
+ validated =
serverCredentials.equalsIgnoreCase(digest(credentials));
+ } else {
+ validated = serverCredentials.equals(credentials);
+ }
+
+ if(! validated ) {
return null;
+ }
return getPrincipal(username);
@@ -322,14 +354,24 @@
String md5a1 = getDigest(username, realm);
if (md5a1 == null)
return null;
- String serverDigestValue;
- if (!"auth".equals(qop))
- serverDigestValue = md5a1 + ":" + nOnce + ":" + md5a2;
- else
- serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
+ String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
+ cnonce + ":" + qop + ":" + md5a2;
+
+ byte[] valueBytes = null;
+ if(getDigestEncoding() == null) {
+ valueBytes = serverDigestValue.getBytes();
+ } else {
+ try {
+ valueBytes = serverDigestValue.getBytes(getDigestEncoding());
+ } catch (UnsupportedEncodingException uee) {
+ log("Illegal digestEncoding: " + getDigestEncoding(), uee);
+ throw new IllegalArgumentException(uee.getMessage());
+ }
+ }
+
String serverDigest =
-
md5Encoder.encode(md5Helper.digest(serverDigestValue.getBytes()));
+ md5Encoder.encode(md5Helper.digest(valueBytes));
+
//System.out.println("Server digest : " + serverDigest);
if (serverDigest.equals(clientDigest))
@@ -389,12 +431,18 @@
*/
public boolean hasRole(Principal principal, String role) {
+ // Should be overriten in JAASRealm - to avoid pretty inefficient
conversions
if ((principal == null) || (role == null) ||
!(principal instanceof GenericPrincipal))
return (false);
+
GenericPrincipal gp = (GenericPrincipal) principal;
- if (!(gp.getRealm() == this))
- return (false);
+ if (!(gp.getRealm() == this)) {
+ if (debug >= 2) {
+ log("Different realm " + this + " " + gp.getRealm());
+ }
+ }
+
boolean result = gp.hasRole(role);
if (debug >= 2) {
String name = principal.getName();
@@ -539,7 +587,20 @@
synchronized (this) {
try {
md.reset();
- md.update(credentials.getBytes());
+
+ byte[] bytes = null;
+ if(getDigestEncoding() == null) {
+ bytes = credentials.getBytes();
+ } else {
+ try {
+ bytes = credentials.getBytes(getDigestEncoding());
+ } catch (UnsupportedEncodingException uee) {
+ log("Illegal digestEncoding: " +
getDigestEncoding(), uee);
+ throw new IllegalArgumentException(uee.getMessage());
+ }
+ }
+ md.update(bytes);
+
return (HexUtils.convert(md.digest()));
} catch (Exception e) {
log(sm.getString("realmBase.digest"), e);
@@ -565,10 +626,30 @@
throw new IllegalStateException();
}
}
+
+ if (hasMessageDigest()) {
+ // Use pre-generated digest
+ return getPassword(username);
+ }
+
String digestValue = username + ":" + realmName + ":"
+ getPassword(username);
+
+ byte[] valueBytes = null;
+ if(getDigestEncoding() == null) {
+ valueBytes = digestValue.getBytes();
+ } else {
+ try {
+ valueBytes = digestValue.getBytes(getDigestEncoding());
+ } catch (UnsupportedEncodingException uee) {
+ log("Illegal digestEncoding: " + getDigestEncoding(), uee);
+ throw new IllegalArgumentException(uee.getMessage());
+ }
+ }
+
byte[] digest =
- md5Helper.digest(digestValue.getBytes());
+ md5Helper.digest(valueBytes);
+
return md5Encoder.encode(digest);
}
@@ -657,8 +738,11 @@
// Obtain a new message digest with "digest" encryption
MessageDigest md =
(MessageDigest) MessageDigest.getInstance(algorithm).clone();
+
// encode the credentials
+ // Should use the digestEncoding, but that's not a static field
md.update(credentials.getBytes());
+
// Digest the credentials and return as hexadecimal
return (HexUtils.convert(md.digest()));
} catch(Exception ex) {
1.11 +31 -62
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/UserDatabaseRealm.java
Index: UserDatabaseRealm.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/realm/UserDatabaseRealm.java,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- UserDatabaseRealm.java 26 Aug 2004 21:37:21 -0000 1.10
+++ UserDatabaseRealm.java 27 Nov 2004 18:29:44 -0000 1.11
@@ -19,7 +19,6 @@
import java.security.Principal;
-import java.util.ArrayList;
import java.util.Iterator;
import javax.naming.Context;
import org.apache.catalina.LifecycleException;
@@ -126,74 +125,44 @@
// --------------------------------------------------------- Public
Methods
-
/**
- * Return the Principal associated with the specified username and
- * credentials, if there is one; otherwise return <code>null</code>.
+ * Return <code>true</code> if the specified Principal has the specified
+ * security role, within the context of this Realm; otherwise return
+ * <code>false</code>. This implementation returns <code>true</code>
+ * if the <code>User</code> has the role, or if any <code>Group</code>
+ * that the <code>User</code> is a member of has the role.
*
- * @param username Username of the Principal to look up
- * @param credentials Password or other credentials to use in
- * authenticating this username
- */
- public Principal authenticate(String username, String credentials) {
-
- // Does a user with this username exist?
- User user = database.findUser(username);
- if (user == null) {
- return (null);
- }
-
- // Do the credentials specified by the user match?
- // FIXME - Update all realms to support encoded passwords
- boolean validated = false;
- if (hasMessageDigest()) {
- // Hex hashes should be compared case-insensitive
- validated = (digest(credentials)
- .equalsIgnoreCase(user.getPassword()));
- } else {
- validated =
- (digest(credentials).equals(user.getPassword()));
- }
- if (!validated) {
- if (debug >= 2) {
- log(sm.getString("userDatabaseRealm.authenticateFailure",
- username));
- }
- return (null);
- }
-
- // Construct a GenericPrincipal that represents this user
- if (debug >= 2) {
- log(sm.getString("userDatabaseRealm.authenticateSuccess",
- username));
+ * @param principal Principal for whom the role is to be checked
+ * @param role Security role to be checked
+ */
+ public boolean hasRole(Principal principal, String role) {
+ if(! (principal instanceof User) ) {
+ //Play nice with SSO and mixed Realms
+ return super.hasRole(principal, role);
+ }
+ if("*".equals(role)) {
+ return true;
+ } else if(role == null) {
+ return false;
+ }
+ User user = (User)principal;
+ Role dbrole = database.findRole(role);
+ if(dbrole == null) {
+ return false;
}
- ArrayList combined = new ArrayList();
- Iterator roles = user.getRoles();
- while (roles.hasNext()) {
- Role role = (Role) roles.next();
- String rolename = role.getRolename();
- if (!combined.contains(rolename)) {
- combined.add(rolename);
- }
+ if(user.isInRole(dbrole)) {
+ return true;
}
Iterator groups = user.getGroups();
- while (groups.hasNext()) {
- Group group = (Group) groups.next();
- roles = group.getRoles();
- while (roles.hasNext()) {
- Role role = (Role) roles.next();
- String rolename = role.getRolename();
- if (!combined.contains(rolename)) {
- combined.add(rolename);
- }
+ while(groups.hasNext()) {
+ Group group = (Group)groups.next();
+ if(group.isInRole(dbrole)) {
+ return true;
}
}
- return (new GenericPrincipal(this, user.getUsername(),
- user.getPassword(), combined));
-
+ return false;
}
-
// ------------------------------------------------------ Protected
Methods
@@ -202,7 +171,7 @@
*/
protected String getName() {
- return (this.name);
+ return (UserDatabaseRealm.name);
}
1.15 +7 -0 jakarta-tomcat-4.0/webapps/tomcat-docs/realm-howto.xml
Index: realm-howto.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/tomcat-docs/realm-howto.xml,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- realm-howto.xml 21 Aug 2004 12:37:56 -0000 1.14
+++ realm-howto.xml 27 Nov 2004 18:29:44 -0000 1.15
@@ -1271,6 +1271,13 @@
standard output.</li>
</ul>
+<p>If using digested passwords with DIGEST authentication, the cleartext used
+ to generate the digest is different. In the examples above
+ <code>{cleartext-password}</code> must be replaced with
+ <code>{username}:{realm}:{cleartext-password}</code>. For example, in a
+ development environment this might take the form
+ <code>testUser:localhost:8080:testPassword</code>.</p>
+
<p>To use either of the above techniques, the
<code>$CATALINA_HOME/server/lib/catalina.jar</code> file will need to be
on your class path to make the <code>RealmBase</code> class available.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
