Realm.java
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.catalina;
import java.beans.PropertyChangeListener;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;
/**
* A <b>Realm</b> is a read-only facade for an underlying security realm used to authenticate individual users, and
* identify the security roles associated with those users. Realms can be attached at any Container level, but will
* typically only be attached to a Context, or higher level, Container.
*
* @author Craig R. McClanahan
*/
public interface Realm extends Contained {
/**
* @return the CredentialHandler configured for this Realm.
*/
CredentialHandler getCredentialHandler();
/**
* Set the CredentialHandler to be used by this Realm.
*
* @param credentialHandler the {@link CredentialHandler} to use
*/
void setCredentialHandler(CredentialHandler credentialHandler);
/**
* Add a property change listener to this component.
*
* @param listener The listener to add
*/
void addPropertyChangeListener(PropertyChangeListener listener);
/**
* Try to authenticate with the specified username.
*
* @param username Username of the Principal to look up
*
* @return the associated principal, or {@code null} if none is associated.
*/
Principal authenticate(String username);
/**
* Try to authenticate using the specified username and credentials.
*
* @param username Username of the Principal to look up
* @param credentials Password or other credentials to use in authenticating this username
*
* @return the associated principal, or {@code null} if there is none
*/
Principal authenticate(String username, String credentials);
/**
* Try to authenticate with the specified username, which matches the digest calculated using the given parameters
* using the method described in RFC 2617 (which is a superset of RFC 2069).
*
* @param username Username of the Principal to look up
* @param digest Digest which has been submitted by the client
* @param nonce Unique (or supposedly unique) token which has been used for this request
* @param nc the nonce counter
* @param cnonce the client chosen nonce
* @param qop the "quality of protection" ({@code nc} and {@code cnonce} will only be used, if {@code qop} is
* not {@code null}).
* @param realm Realm name
* @param digestA2 Second digest calculated as digest(Method + ":" + uri)
*
* @return the associated principal, or {@code null} if there is none.
*
* @deprecated Unused. Use
* {@link #authenticate(String, String, String, String, String, String, String, String, String)}.
* Will be removed in Tomcat 11.
*/
@Deprecated
Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop,
String realm, String digestA2);
/**
* Try to authenticate with the specified username, which matches the digest calculated using the given parameters
* using the method described in RFC 7616.
* <p>
* The default implementation calls
* {@link #authenticate(String, String, String, String, String, String, String, String)} for backwards compatibility
* which effectively forces the use of MD5 regardless of the algorithm specified in the call to this method.
* <p>
* Implementations are expected to override the default implementation and take account of the algorithm parameter.
*
* @param username Username of the Principal to look up
* @param digest Digest which has been submitted by the client
* @param nonce Unique (or supposedly unique) token which has been used for this request
* @param nc the nonce counter
* @param cnonce the client chosen nonce
* @param qop the "quality of protection" ({@code nc} and {@code cnonce} will only be used, if {@code qop} is
* not {@code null}).
* @param realm Realm name
* @param digestA2 Second digest calculated as digest(Method + ":" + uri)
* @param algorithm The message digest algorithm to use
*
* @return the associated principal, or {@code null} if there is none.
*/
default Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop,
String realm, String digestA2, String algorithm) {
return authenticate(username, digest, nonce, nc, cnonce, qop, realm, digestA2);
}
/**
* Try to authenticate using a {@link GSSContext}.
*
* @param gssContext The gssContext processed by the {@link Authenticator}.
* @param storeCreds Should the realm attempt to store the delegated credentials in the returned Principal?
*
* @return the associated principal, or {@code null} if there is none
*/
Principal authenticate(GSSContext gssContext, boolean storeCreds);
/**
* Try to authenticate using a {@link GSSName}. Note that this default method will be turned into an abstract one in
* Tomcat 10.
*
* @param gssName The {@link GSSName} of the principal to look up
* @param gssCredential The {@link GSSCredential} of the principal, may be {@code null}
*
* @return the associated principal, or {@code null} if there is none
*/
default Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
return null;
}
/**
* Try to authenticate using a chain of {@link X509Certificate}s.
*
* @param certs Array of client certificates, with the first one in the array being the certificate of the client
* itself.
*
* @return the associated principal, or {@code null} if there is none
*/
Principal authenticate(X509Certificate certs[]);
/**
* Execute a periodic task, such as reloading, etc. This method will be invoked inside the classloading context of
* this container. Unexpected throwables will be caught and logged.
*/
void backgroundProcess();
/**
* Find the SecurityConstraints configured to guard the request URI for this request.
*
* @param request Request we are processing
* @param context Context the Request is mapped to
*
* @return the configured {@link SecurityConstraint}, or {@code null} if there is none
*/
SecurityConstraint[] findSecurityConstraints(Request request, Context context);
/**
* Perform access control based on the specified authorization constraint.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraint Security constraint we are enforcing
* @param context The Context to which client of this class is attached.
*
* @return {@code true} if this constraint is satisfied and processing should continue, or {@code false} otherwise
*
* @exception IOException if an input/output error occurs
*/
boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] constraint, Context context)
throws IOException;
/**
* Check if the specified Principal has the specified security role, within the context of this Realm.
*
* @param wrapper wrapper context for evaluating role
* @param principal Principal for whom the role is to be checked
* @param role Security role to be checked
*
* @return {@code true} if the specified Principal has the specified security role, within the context of this
* Realm; otherwise return {@code false}.
*/
boolean hasRole(Wrapper wrapper, Principal principal, String role);
/**
* Enforce any user data constraint required by the security constraint guarding this request URI.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraint Security constraint being checked
*
* @return {@code true} if this constraint was not violated and processing should continue, or {@code false} if we
* have created a response already.
*
* @exception IOException if an input/output error occurs
*/
boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraint)
throws IOException;
/**
* Remove a property change listener from this component.
*
* @param listener The listener to remove
*/
void removePropertyChangeListener(PropertyChangeListener listener);
/**
* Return roles associated with given principal
*
* @param principal the {@link Principal} to get the roles for.
*
* @return principal roles
*
* @deprecated This will be removed in Tomcat 10.
*/
@Deprecated
String[] getRoles(Principal principal);
/**
* Return the availability of the realm for authentication.
*
* @return {@code true} if the realm is able to perform authentication
*/
default boolean isAvailable() {
return true;
}
}