Class SingleSignOn
- java.lang.Object
- 
- org.apache.catalina.util.LifecycleBase
- 
- org.apache.catalina.util.LifecycleMBeanBase
- 
- org.apache.catalina.valves.ValveBase
- 
- org.apache.catalina.authenticator.SingleSignOn
 
 
 
 
- 
- All Implemented Interfaces:
- javax.management.MBeanRegistration,- Contained,- JmxEnabled,- Lifecycle,- Valve
 - Direct Known Subclasses:
- ClusterSingleSignOn
 
 public class SingleSignOn extends ValveBase A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. For successful use, the following requirements must be met:- This Valve must be configured on the Container that represents a virtual host (typically an implementation of
 Host).
- The Realmthat contains the shared user and role information must be configured on the same Container (or a higher one), and not overridden at the web application level.
- The web applications themselves must use one of the standard Authenticators found in the
 org.apache.catalina.authenticatorpackage.
 - Author:
- Craig R. McClanahan
 
- 
- 
Nested Class Summary- 
Nested classes/interfaces inherited from interface org.apache.catalina.LifecycleLifecycle.SingleUse
 
- 
 - 
Field SummaryFields Modifier and Type Field Description protected java.util.Map<java.lang.String,SingleSignOnEntry>cacheThe cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.- 
Fields inherited from class org.apache.catalina.valves.ValveBaseasyncSupported, container, containerLog, next
 - 
Fields inherited from class org.apache.catalina.util.LifecycleMBeanBasemserver
 - 
Fields inherited from interface org.apache.catalina.LifecycleAFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
 
- 
 - 
Constructor SummaryConstructors Constructor Description SingleSignOn()
 - 
Method SummaryAll Methods Instance Methods Concrete Methods Modifier and Type Method Description protected booleanassociate(java.lang.String ssoId, Session session)Associate the specified single sign on identifier with the specified Session.protected voidderegister(java.lang.String ssoId)Deregister the specified single sign on identifier, and invalidate any associated sessions.java.lang.StringgetCookieDomain()Returns the optional cookie domain.java.lang.StringgetCookieName()booleangetRequireReauthentication()Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with theRealm.protected SessionListenergetSessionListener(java.lang.String ssoId)voidinvoke(Request request, Response response)Perform single-sign-on support processing for this request.protected booleanreauthenticate(java.lang.String ssoId, Realm realm, Request request)Attempts reauthentication to the givenRealmusing the credentials associated with the single sign-on session identified by argumentssoId.protected voidregister(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)Register the specified Principal as being associated with the specified value for the single sign on identifier.protected voidremoveSession(java.lang.String ssoId, Session session)Remove a single Session from a SingleSignOn.voidsessionDestroyed(java.lang.String ssoId, Session session)Process a session destroyed event by removing references to that session from the caches and - if the session destruction is the result of a logout - destroy the associated SSO session.voidsetCookieDomain(java.lang.String cookieDomain)Sets the domain to be used for sso cookies.voidsetCookieName(java.lang.String cookieName)Set the cookie name that will be used for the SSO cookie.voidsetRequireReauthentication(boolean required)Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with theRealm.protected voidstartInternal()Start this component and implement the requirements ofLifecycleBase.startInternal().protected voidstopInternal()Stop this component and implement the requirements ofLifecycleBase.stopInternal().protected booleanupdate(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)Updates anySingleSignOnEntryfound under keyssoIdwith the given authentication data.- 
Methods inherited from class org.apache.catalina.valves.ValveBasebackgroundProcess, getContainer, getDomainInternal, getNext, getObjectNameKeyProperties, initInternal, isAsyncSupported, setAsyncSupported, setContainer, setNext, toString
 - 
Methods inherited from class org.apache.catalina.util.LifecycleMBeanBasedestroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
 - 
Methods inherited from class org.apache.catalina.util.LifecycleBaseaddLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
 
- 
 
- 
- 
- 
Field Detail- 
cacheprotected java.util.Map<java.lang.String,SingleSignOnEntry> cache The cache of SingleSignOnEntry instances for authenticated Principals, keyed by the cookie value that is used to select them.
 
- 
 - 
Method Detail- 
getCookieDomainpublic java.lang.String getCookieDomain() Returns the optional cookie domain. May return null.- Returns:
- The cookie domain
 
 - 
setCookieDomainpublic void setCookieDomain(java.lang.String cookieDomain) Sets the domain to be used for sso cookies.- Parameters:
- cookieDomain- cookie domain name
 
 - 
getCookieNamepublic java.lang.String getCookieName() - Returns:
- the cookie name
 
 - 
setCookieNamepublic void setCookieName(java.lang.String cookieName) Set the cookie name that will be used for the SSO cookie.- Parameters:
- cookieName- the cookieName to set
 
 - 
getRequireReauthenticationpublic boolean getRequireReauthentication() Gets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm, or if this Valve can itself bind security info to the request based on the presence of a valid SSO entry without rechecking with theRealm.- Returns:
- trueif it is required that a downstream Authenticator reauthenticate each request before calls to- HttpServletRequest.setUserPrincipal()and- HttpServletRequest.setAuthType()are made;- falseif the- Valvecan itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
- See Also:
- setRequireReauthentication(boolean)
 
 - 
setRequireReauthenticationpublic void setRequireReauthentication(boolean required) Sets whether each request needs to be reauthenticated (by an Authenticator downstream in the pipeline) to the securityRealm, or if this Valve can itself bind security info to the request, based on the presence of a valid SSO entry, without rechecking with theRealm.If this property is false(the default), thisValvewill bind a UserPrincipal and AuthType to the request if a valid SSO entry is associated with the request. It will not notify the securityRealmof the incoming request.This property should be set to trueif the overall server configuration requires that theRealmreauthenticate each request thread. An example of such a configuration would be one where theRealmimplementation provides security for both a web tier and an associated EJB tier, and needs to set security credentials on each request thread in order to support EJB access.If this property is set to true, this Valve will set flags on the request notifying the downstream Authenticator that the request is associated with an SSO session. The Authenticator will then call itsreauthenticateFromSSOmethod to attempt to reauthenticate the request to theRealm, using any credentials that were cached with this Valve.The default value of this property is false, in order to maintain backward compatibility with previous versions of Tomcat.- Parameters:
- required-- trueif it is required that a downstream Authenticator reauthenticate each request before calls to- HttpServletRequest.setUserPrincipal()and- HttpServletRequest.setAuthType()are made;- falseif the- Valvecan itself make those calls relying on the presence of a valid SingleSignOn entry associated with the request.
- See Also:
- AuthenticatorBase.reauthenticateFromSSO(java.lang.String, org.apache.catalina.connector.Request)
 
 - 
invokepublic void invoke(Request request, Response response) throws java.io.IOException, ServletException Perform single-sign-on support processing for this request.- Parameters:
- request- The servlet request we are processing
- response- The servlet response we are creating
- Throws:
- java.io.IOException- if an input/output error occurs
- ServletException- if a servlet error occurs
 
 - 
sessionDestroyedpublic void sessionDestroyed(java.lang.String ssoId, Session session)Process a session destroyed event by removing references to that session from the caches and - if the session destruction is the result of a logout - destroy the associated SSO session.- Parameters:
- ssoId- The ID of the SSO session which which the destroyed session was associated
- session- The session that has been destroyed
 
 - 
associateprotected boolean associate(java.lang.String ssoId, Session session)Associate the specified single sign on identifier with the specified Session.- Parameters:
- ssoId- Single sign on identifier
- session- Session to be associated
- Returns:
- trueif the session was associated to the given SSO session, otherwise- false
 
 - 
deregisterprotected void deregister(java.lang.String ssoId) Deregister the specified single sign on identifier, and invalidate any associated sessions.- Parameters:
- ssoId- Single sign on identifier to deregister
 
 - 
reauthenticateprotected boolean reauthenticate(java.lang.String ssoId, Realm realm, Request request)Attempts reauthentication to the givenRealmusing the credentials associated with the single sign-on session identified by argumentssoId.If reauthentication is successful, the Principaland authorization type associated with the SSO session will be bound to the givenRequestobject via calls toRequest.setAuthType()andRequest.setUserPrincipal()- Parameters:
- ssoId- identifier of SingleSignOn session with which the caller is associated
- realm- Realm implementation against which the caller is to be authenticated
- request- the request that needs to be authenticated
- Returns:
- trueif reauthentication was successful,- falseotherwise.
 
 - 
registerprotected void register(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)Register the specified Principal as being associated with the specified value for the single sign on identifier.- Parameters:
- ssoId- Single sign on identifier to register
- principal- Associated user principal that is identified
- authType- Authentication type used to authenticate this user principal
- username- Username used to authenticate this user
- password- Password used to authenticate this user
 
 - 
updateprotected boolean update(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)Updates anySingleSignOnEntryfound under keyssoIdwith the given authentication data.The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT_CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication. NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate()returnsfalse; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.- Parameters:
- ssoId- identifier of Single sign to be updated
- principal- the- Principalreturned by the latest call to- Realm.authenticate.
- authType- the type of authenticator used (BASIC, CLIENT_CERT, DIGEST or FORM)
- username- the username (if any) used for the authentication
- password- the password (if any) used for the authentication
- Returns:
- trueif the credentials were updated, otherwise- false
 
 - 
removeSessionprotected void removeSession(java.lang.String ssoId, Session session)Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.- Parameters:
- ssoId- Single sign on identifier from which to remove the session.
- session- the session to be removed.
 
 - 
getSessionListenerprotected SessionListener getSessionListener(java.lang.String ssoId) 
 - 
startInternalprotected void startInternal() throws LifecycleExceptionDescription copied from class:ValveBaseStart this component and implement the requirements ofLifecycleBase.startInternal().- Overrides:
- startInternalin class- ValveBase
- Throws:
- LifecycleException- if this component detects a fatal error that prevents this component from being used
 
 - 
stopInternalprotected void stopInternal() throws LifecycleExceptionDescription copied from class:ValveBaseStop this component and implement the requirements ofLifecycleBase.stopInternal().- Overrides:
- stopInternalin class- ValveBase
- Throws:
- LifecycleException- if this component detects a fatal error that prevents this component from being used
 
 
- 
 
-