1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
|
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina.realm;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import jakarta.servlet.http.HttpServletRequest;
import org.apache.catalina.Container;
import org.apache.catalina.LifecycleException;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.file.ConfigFileLoader;
import org.apache.tomcat.util.file.ConfigurationSource;
/**
* <p>
* Implementation of <b>Realm</b> that authenticates users via the <em>Java Authentication and Authorization
* Service</em> (JAAS).
* </p>
* <p>
* The value configured for the <code>appName</code> property is passed to the
* <code>javax.security.auth.login.LoginContext</code> constructor, to specify the <em>application name</em> used to
* select the set of relevant <code>LoginModules</code> required.
* </p>
* <p>
* The JAAS Specification describes the result of a successful login as a <code>javax.security.auth.Subject</code>
* instance, which can contain zero or more <code>java.security.Principal</code> objects in the return value of the
* <code>Subject.getPrincipals()</code> method. However, it provides no guidance on how to distinguish Principals that
* describe the individual user (and are thus appropriate to return as the value of request.getUserPrincipal() in a web
* application) from the Principal(s) that describe the authorized roles for this user. To maintain as much independence
* as possible from the underlying <code>LoginMethod</code> implementation executed by JAAS, the following policy is
* implemented by this Realm:
* </p>
* <ul>
* <li>The JAAS <code>LoginModule</code> is assumed to return a <code>Subject</code> with at least one
* <code>Principal</code> instance representing the user himself or herself, and zero or more separate
* <code>Principals</code> representing the security roles authorized for this user.</li>
* <li>On the <code>Principal</code> representing the user, the Principal name is an appropriate value to return via the
* Servlet API method <code>HttpServletRequest.getRemoteUser()</code>.</li>
* <li>On the <code>Principals</code> representing the security roles, the name is the name of the authorized security
* role.</li>
* <li>This Realm will be configured with two lists of fully qualified Java class names of classes that implement
* <code>java.security.Principal</code> - one that identifies class(es) representing a user, and one that identifies
* class(es) representing a security role.</li>
* <li>As this Realm iterates over the <code>Principals</code> returned by <code>Subject.getPrincipals()</code>, it will
* identify the first <code>Principal</code> that matches the "user classes" list as the <code>Principal</code> for this
* user.</li>
* <li>As this Realm iterates over the <code>Principals</code> returned by <code>Subject.getPrincipals()</code>, it will
* accumulate the set of all <code>Principals</code> matching the "role classes" list as identifying the security roles
* for this user.</li>
* <li>It is a configuration error for the JAAS login method to return a validated <code>Subject</code> without a
* <code>Principal</code> that matches the "user classes" list.</li>
* <li>By default, the enclosing Container's name serves as the application name used to obtain the JAAS LoginContext
* ("Catalina" in a default installation). Tomcat must be able to find an application with this name in the JAAS
* configuration file. Here is a hypothetical JAAS configuration file entry for a database-oriented login module that
* uses a Tomcat-managed JNDI database resource: <blockquote>
*
* <pre>
* Catalina {
* org.foobar.auth.DatabaseLoginModule REQUIRED
* JNDI_RESOURCE=jdbc/AuthDB
* USER_TABLE=users
* USER_ID_COLUMN=id
* USER_NAME_COLUMN=name
* USER_CREDENTIAL_COLUMN=password
* ROLE_TABLE=roles
* ROLE_NAME_COLUMN=name
* PRINCIPAL_FACTORY=org.foobar.auth.impl.SimplePrincipalFactory;
* };
* </pre>
*
* </blockquote></li>
* <li>To set the JAAS configuration file location, set the <code>CATALINA_OPTS</code> environment variable similar to
* the following:
* <blockquote><code>CATALINA_OPTS="-Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config"</code></blockquote>
* </li>
* <li>As part of the login process, JAASRealm registers its own <code>CallbackHandler</code>, called (unsurprisingly)
* <code>JAASCallbackHandler</code>. This handler supplies the HTTP requests' username and credentials to the
* user-supplied <code>LoginModule</code></li>
* <li>As with other <code>Realm</code> implementations, digested passwords are supported if the
* <code><Realm></code> element in <code>server.xml</code> contains a <code>digest</code> attribute;
* <code>JAASCallbackHandler</code> will digest the password prior to passing it back to the
* <code>LoginModule</code></li>
* </ul>
*/
public class JAASRealm extends RealmBase {
private static final Log log = LogFactory.getLog(JAASRealm.class);
// ----------------------------------------------------- Instance Variables
/**
* The application name passed to the JAAS <code>LoginContext</code>, which uses it to select the set of relevant
* <code>LoginModule</code>s.
*/
protected String appName = null;
/**
* The list of role class names, split out for easy processing.
*/
protected final List<String> roleClasses = new ArrayList<>();
/**
* The set of user class names, split out for easy processing.
*/
protected final List<String> userClasses = new ArrayList<>();
/**
* Whether to use context ClassLoader or default ClassLoader. True means use context ClassLoader, and True is the
* default value.
*/
protected boolean useContextClassLoader = true;
/**
* Path to find a JAAS configuration file, if not set global JVM JAAS configuration will be used.
*/
protected String configFile;
protected volatile Configuration jaasConfiguration;
protected volatile boolean jaasConfigurationLoaded = false;
/**
* Keeps track if JAAS invocation of login modules was successful or not. By default, it is true unless we detect
* JAAS login module can't perform the login. This will be used for realm's {@link #isAvailable()} status so that
* {@link LockOutRealm} will not lock the user out if JAAS login modules are unavailable to perform the actual
* login.
*/
private volatile boolean invocationSuccess = true;
// ------------------------------------------------------------- Properties
/**
* @return the path of the JAAS configuration file.
*/
public String getConfigFile() {
return configFile;
}
/**
* Set the JAAS configuration file.
*
* @param configFile The JAAS configuration file
*/
public void setConfigFile(String configFile) {
this.configFile = configFile;
}
/**
* Set the JAAS <code>LoginContext</code> app name.
*
* @param name The application name that will be used to retrieve the set of relevant <code>LoginModule</code>s
*/
public void setAppName(String name) {
appName = name;
}
/**
* @return the application name.
*/
public String getAppName() {
return appName;
}
/**
* Sets whether to use the context or default ClassLoader. True means use context ClassLoader.
*
* @param useContext True means use context ClassLoader
*/
public void setUseContextClassLoader(boolean useContext) {
useContextClassLoader = useContext;
}
/**
* Returns whether to use the context or default ClassLoader. True means to use the context ClassLoader.
*
* @return The value of useContextClassLoader
*/
public boolean isUseContextClassLoader() {
return useContextClassLoader;
}
@Override
public void setContainer(Container container) {
super.setContainer(container);
if (appName == null) {
appName = makeLegalForJAAS(container.getName());
log.info(sm.getString("jaasRealm.appName", appName));
}
}
/**
* Comma-delimited list of <code>java.security.Principal</code> classes that represent security roles.
*/
protected String roleClassNames = null;
public String getRoleClassNames() {
return this.roleClassNames;
}
/**
* Sets the list of comma-delimited classes that represent roles. The classes in the list must implement
* <code>java.security.Principal</code>. The supplied list of classes will be parsed when {@link #start()} is
* called.
*
* @param roleClassNames The class names list
*/
public void setRoleClassNames(String roleClassNames) {
this.roleClassNames = roleClassNames;
}
/**
* Parses a comma-delimited list of class names, and store the class names in the provided List. Each class must
* implement <code>java.security.Principal</code>.
*
* @param classNamesString a comma-delimited list of fully qualified class names.
* @param classNamesList the list in which the class names will be stored. The list is cleared before being
* populated.
*/
protected void parseClassNames(String classNamesString, List<String> classNamesList) {
classNamesList.clear();
if (classNamesString == null) {
return;
}
ClassLoader loader = this.getClass().getClassLoader();
if (isUseContextClassLoader()) {
loader = Thread.currentThread().getContextClassLoader();
}
String[] classNames = classNamesString.split("[ ]*,[ ]*");
for (String className : classNames) {
if (className.isEmpty()) {
continue;
}
try {
Class<?> principalClass = Class.forName(className, false, loader);
if (Principal.class.isAssignableFrom(principalClass)) {
classNamesList.add(className);
} else {
log.error(sm.getString("jaasRealm.notPrincipal", className));
}
} catch (ClassNotFoundException e) {
log.error(sm.getString("jaasRealm.classNotFound", className));
}
}
}
/**
* Comma-delimited list of <code>java.security.Principal</code> classes that represent individual users.
*/
protected String userClassNames = null;
public String getUserClassNames() {
return this.userClassNames;
}
/**
* Sets the list of comma-delimited classes that represent individual users. The classes in the list must implement
* <code>java.security.Principal</code>. The supplied list of classes will be parsed when {@link #start()} is
* called.
*
* @param userClassNames The class names list
*/
public void setUserClassNames(String userClassNames) {
this.userClassNames = userClassNames;
}
// --------------------------------------------------------- Public Methods
@Override
public Principal authenticate(String username, String credentials) {
return authenticate(username, new JAASCallbackHandler(this, username, credentials));
}
@Override
public Principal authenticate(String username, String clientDigest, String nonce, String nc, String cnonce,
String qop, String realmName, String digestA2, String algorithm) {
return authenticate(username, new JAASCallbackHandler(this, username, clientDigest, nonce, nc, cnonce, qop,
realmName, digestA2, algorithm, HttpServletRequest.DIGEST_AUTH));
}
// ------------------------------------------------------ Protected Methods
/**
* Perform the actual JAAS authentication.
*
* @param username The username
* @param callbackHandler The callback handler
*
* @return the associated principal, or <code>null</code> if there is none.
*/
protected Principal authenticate(String username, CallbackHandler callbackHandler) {
// Establish a LoginContext to use for authentication
try {
if (appName == null) {
appName = "Tomcat";
}
if (log.isTraceEnabled()) {
log.trace(sm.getString("jaasRealm.beginLogin", username, appName));
}
// What if the LoginModule is in the container class loader ?
ClassLoader ocl = null;
Thread currentThread = null;
if (!isUseContextClassLoader()) {
currentThread = Thread.currentThread();
ocl = currentThread.getContextClassLoader();
currentThread.setContextClassLoader(this.getClass().getClassLoader());
}
LoginContext loginContext;
try {
Configuration config = getConfig();
loginContext = new LoginContext(appName, null, callbackHandler, config);
} catch (Throwable t) {
ExceptionUtils.handleThrowable(t);
log.error(sm.getString("jaasRealm.unexpectedError"), t);
// There is configuration issue with JAAS so mark the realm as
// unavailable
invocationSuccess = false;
return null;
} finally {
if (currentThread != null) {
currentThread.setContextClassLoader(ocl);
}
}
if (log.isTraceEnabled()) {
log.trace("Login context created " + username);
}
// Negotiate a login via this LoginContext
Subject subject;
try {
loginContext.login();
subject = loginContext.getSubject();
// We were able to perform login successfully so mark JAAS realm as
// available as it could have been set to false in prior attempts.
// Change invocationSuccess variable only when we know the outcome
// of the JAAS operation to keep variable consistent.
invocationSuccess = true;
if (subject == null) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.failedLogin", username));
}
return null;
}
} catch (AccountExpiredException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.accountExpired", username), e);
}
// JAAS checked LoginExceptions are successful authentication
// invocations so mark JAAS realm as available
invocationSuccess = true;
return null;
} catch (CredentialExpiredException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.credentialExpired", username), e);
}
// JAAS checked LoginExceptions are successful authentication
// invocations so mark JAAS realm as available
invocationSuccess = true;
return null;
} catch (FailedLoginException e) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.failedLogin", username), e);
}
// JAAS checked LoginExceptions are successful authentication
// invocations so mark JAAS realm as available
invocationSuccess = true;
return null;
} catch (LoginException e) {
log.warn(sm.getString("jaasRealm.loginException", username), e);
// JAAS checked LoginExceptions are successful authentication
// invocations so mark JAAS realm as available
invocationSuccess = true;
return null;
} catch (Throwable t) {
ExceptionUtils.handleThrowable(t);
log.error(sm.getString("jaasRealm.unexpectedError"), t);
// JAAS throws exception different from LoginException so mark the
// realm as unavailable
invocationSuccess = false;
return null;
}
if (log.isTraceEnabled()) {
log.trace(sm.getString("jaasRealm.loginContextCreated", username));
}
// Return the appropriate Principal for this authenticated Subject
Principal principal = createPrincipal(username, subject, loginContext);
if (principal == null) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.authenticateFailure", username));
}
return null;
}
if (log.isTraceEnabled()) {
log.trace(sm.getString("jaasRealm.authenticateSuccess", username, principal));
}
return principal;
} catch (Throwable t) {
log.error(sm.getString("jaasRealm.unexpectedError"), t);
// JAAS throws exception different from LoginException so mark the realm as unavailable
invocationSuccess = false;
return null;
}
}
/**
* @return the password associated with the given principal's username. This always returns null as the JAASRealm
* has no way of obtaining this information.
*/
@Override
protected String getPassword(String username) {
return null;
}
@Override
protected Principal getPrincipal(String username) {
return authenticate(username, new JAASCallbackHandler(this, username, null, null, null, null, null, null, null,
null, HttpServletRequest.CLIENT_CERT_AUTH));
}
/**
* Identify and return a <code>java.security.Principal</code> instance representing the authenticated user for the
* specified <code>Subject</code>. The Principal is constructed by scanning the list of Principals returned by the
* JAASLoginModule. The first <code>Principal</code> object that matches one of the class names supplied as a "user
* class" is the user Principal. This object is returned to the caller. Any remaining principal objects returned by
* the LoginModules are mapped to roles, but only if their respective classes match one of the "role class" classes.
* If a user Principal cannot be constructed, return <code>null</code>.
*
* @param username The associated username
* @param subject The <code>Subject</code> representing the logged-in user
* @param loginContext Associated with the Principal so {@link LoginContext#logout()} can be called later
*
* @return the principal object
*/
protected Principal createPrincipal(String username, Subject subject, LoginContext loginContext) {
// Prepare to scan the Principals for this Subject
List<String> roles = new ArrayList<>();
Principal userPrincipal = null;
// Scan the Principals for this Subject
for (Principal principal : subject.getPrincipals()) {
String principalClass = principal.getClass().getName();
if (log.isTraceEnabled()) {
log.trace(sm.getString("jaasRealm.checkPrincipal", principal, principalClass));
}
if (userPrincipal == null && userClasses.contains(principalClass)) {
userPrincipal = principal;
if (log.isTraceEnabled()) {
log.trace(sm.getString("jaasRealm.userPrincipalSuccess", principal.getName()));
}
}
if (roleClasses.contains(principalClass)) {
roles.add(principal.getName());
if (log.isTraceEnabled()) {
log.trace(sm.getString("jaasRealm.rolePrincipalAdd", principal.getName()));
}
}
}
// Print failure message if needed
if (userPrincipal == null) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.userPrincipalFailure"));
log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
}
return null;
} else {
if (roles.isEmpty()) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
}
}
}
// Return the resulting Principal for our authenticated user
return new GenericPrincipal(username, roles, userPrincipal, loginContext);
}
/**
* Ensure the given name is legal for JAAS configuration. Added for Bugzilla 30869, made protected for easy
* customization in case my implementation is insufficient, which I think is very likely.
*
* @param src The name to validate
*
* @return A string that's a valid JAAS realm name
*/
protected String makeLegalForJAAS(final String src) {
String result = src;
// Default name is "other" per JAAS spec
if (result == null) {
result = "other";
}
// Strip leading slash if present, as Sun JAAS impl
// barfs on it (see Bugzilla 30869 bug report).
if (result.startsWith("/")) {
result = result.substring(1);
}
return result;
}
// ------------------------------------------------------ Lifecycle Methods
@Override
protected void startInternal() throws LifecycleException {
// These need to be called after loading configuration, in case
// useContextClassLoader appears after them in xml config
parseClassNames(userClassNames, userClasses);
parseClassNames(roleClassNames, roleClasses);
super.startInternal();
}
/**
* Load custom JAAS Configuration.
*
* @return the loaded configuration
*/
protected Configuration getConfig() {
// Local copy to avoid possible NPE due to concurrent change
String configFile = this.configFile;
try {
if (jaasConfigurationLoaded) {
return jaasConfiguration;
}
synchronized (this) {
if (configFile == null) {
jaasConfigurationLoaded = true;
return null;
}
@SuppressWarnings("unchecked")
Class<Configuration> sunConfigFile =
(Class<Configuration>) Class.forName("com.sun.security.auth.login.ConfigFile");
Constructor<Configuration> constructor = sunConfigFile.getConstructor(URI.class);
URL resource = Thread.currentThread().getContextClassLoader().getResource(configFile);
Configuration config;
if (resource == null) {
try (ConfigurationSource.Resource configFileResource =
ConfigFileLoader.getSource().getResource(configFile)) {
config = constructor.newInstance(configFileResource.getURI());
this.jaasConfigurationLoaded = true;
} catch (IOException ioe) {
throw new RuntimeException(sm.getString("jaasRealm.configFileNotFound", configFile));
}
} else {
URI uri = resource.toURI();
config = constructor.newInstance(uri);
this.jaasConfigurationLoaded = true;
}
this.jaasConfiguration = config;
return this.jaasConfiguration;
}
} catch (InvocationTargetException ex) {
throw new RuntimeException(ex.getCause());
} catch (SecurityException | URISyntaxException | ReflectiveOperationException | IllegalArgumentException ex) {
throw new RuntimeException(ex);
}
}
@Override
public boolean isAvailable() {
return invocationSuccess;
}
}
|
