Realm.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.catalina;

import java.beans.PropertyChangeListener;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;

/**
 * A <b>Realm</b> is a read-only facade for an underlying security realm used to authenticate individual users, and
 * identify the security roles associated with those users. Realms can be attached at any Container level, but will
 * typically only be attached to a Context, or higher level, Container.
 *
 * @author Craig R. McClanahan
 */
public interface Realm extends Contained {

    /**
     * @return the CredentialHandler configured for this Realm.
     */
    CredentialHandler getCredentialHandler();


    /**
     * Set the CredentialHandler to be used by this Realm.
     *
     * @param credentialHandler the {@link CredentialHandler} to use
     */
    void setCredentialHandler(CredentialHandler credentialHandler);


    /**
     * Add a property change listener to this component.
     *
     * @param listener The listener to add
     */
    void addPropertyChangeListener(PropertyChangeListener listener);


    /**
     * Try to authenticate with the specified username.
     *
     * @param username Username of the Principal to look up
     *
     * @return the associated principal, or {@code null} if none is associated.
     */
    Principal authenticate(String username);


    /**
     * Try to authenticate using the specified username and credentials.
     *
     * @param username    Username of the Principal to look up
     * @param credentials Password or other credentials to use in authenticating this username
     *
     * @return the associated principal, or {@code null} if there is none
     */
    Principal authenticate(String username, String credentials);


    /**
     * Try to authenticate with the specified username, which matches the digest calculated using the given parameters
     * using the method described in RFC 2617 (which is a superset of RFC 2069).
     *
     * @param username Username of the Principal to look up
     * @param digest   Digest which has been submitted by the client
     * @param nonce    Unique (or supposedly unique) token which has been used for this request
     * @param nc       the nonce counter
     * @param cnonce   the client chosen nonce
     * @param qop      the "quality of protection" ({@code nc} and {@code cnonce} will only be used, if {@code qop} is
     *                     not {@code null}).
     * @param realm    Realm name
     * @param digestA2 Second digest calculated as digest(Method + ":" + uri)
     *
     * @return the associated principal, or {@code null} if there is none.
     *
     * @deprecated Unused. Use
     *                 {@link #authenticate(String, String, String, String, String, String, String, String, String)}.
     *                 Will be removed in Tomcat 11.
     */
    @Deprecated
    Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop,
            String realm, String digestA2);


    /**
     * Try to authenticate with the specified username, which matches the digest calculated using the given parameters
     * using the method described in RFC 7616.
     * <p>
     * The default implementation calls
     * {@link #authenticate(String, String, String, String, String, String, String, String)} for backwards compatibility
     * which effectively forces the use of MD5 regardless of the algorithm specified in the call to this method.
     * <p>
     * Implementations are expected to override the default implementation and take account of the algorithm parameter.
     *
     * @param username  Username of the Principal to look up
     * @param digest    Digest which has been submitted by the client
     * @param nonce     Unique (or supposedly unique) token which has been used for this request
     * @param nc        the nonce counter
     * @param cnonce    the client chosen nonce
     * @param qop       the "quality of protection" ({@code nc} and {@code cnonce} will only be used, if {@code qop} is
     *                      not {@code null}).
     * @param realm     Realm name
     * @param digestA2  Second digest calculated as digest(Method + ":" + uri)
     * @param algorithm The message digest algorithm to use
     *
     * @return the associated principal, or {@code null} if there is none.
     */
    default Principal authenticate(String username, String digest, String nonce, String nc, String cnonce, String qop,
            String realm, String digestA2, String algorithm) {
        return authenticate(username, digest, nonce, nc, cnonce, qop, realm, digestA2);
    }


    /**
     * Try to authenticate using a {@link GSSContext}.
     *
     * @param gssContext The gssContext processed by the {@link Authenticator}.
     * @param storeCreds Should the realm attempt to store the delegated credentials in the returned Principal?
     *
     * @return the associated principal, or {@code null} if there is none
     */
    Principal authenticate(GSSContext gssContext, boolean storeCreds);


    /**
     * Try to authenticate using a {@link GSSName}. Note that this default method will be turned into an abstract one in
     * Tomcat 10.
     *
     * @param gssName       The {@link GSSName} of the principal to look up
     * @param gssCredential The {@link GSSCredential} of the principal, may be {@code null}
     *
     * @return the associated principal, or {@code null} if there is none
     */
    default Principal authenticate(GSSName gssName, GSSCredential gssCredential) {
        return null;
    }


    /**
     * Try to authenticate using a chain of {@link X509Certificate}s.
     *
     * @param certs Array of client certificates, with the first one in the array being the certificate of the client
     *                  itself.
     *
     * @return the associated principal, or {@code null} if there is none
     */
    Principal authenticate(X509Certificate certs[]);


    /**
     * Execute a periodic task, such as reloading, etc. This method will be invoked inside the classloading context of
     * this container. Unexpected throwables will be caught and logged.
     */
    void backgroundProcess();


    /**
     * Find the SecurityConstraints configured to guard the request URI for this request.
     *
     * @param request Request we are processing
     * @param context Context the Request is mapped to
     *
     * @return the configured {@link SecurityConstraint}, or {@code null} if there is none
     */
    SecurityConstraint[] findSecurityConstraints(Request request, Context context);


    /**
     * Perform access control based on the specified authorization constraint.
     *
     * @param request    Request we are processing
     * @param response   Response we are creating
     * @param constraint Security constraint we are enforcing
     * @param context    The Context to which client of this class is attached.
     *
     * @return {@code true} if this constraint is satisfied and processing should continue, or {@code false} otherwise
     *
     * @exception IOException if an input/output error occurs
     */
    boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] constraint, Context context)
            throws IOException;


    /**
     * Check if the specified Principal has the specified security role, within the context of this Realm.
     *
     * @param wrapper   wrapper context for evaluating role
     * @param principal Principal for whom the role is to be checked
     * @param role      Security role to be checked
     *
     * @return {@code true} if the specified Principal has the specified security role, within the context of this
     *             Realm; otherwise return {@code false}.
     */
    boolean hasRole(Wrapper wrapper, Principal principal, String role);


    /**
     * Enforce any user data constraint required by the security constraint guarding this request URI.
     *
     * @param request    Request we are processing
     * @param response   Response we are creating
     * @param constraint Security constraint being checked
     *
     * @return {@code true} if this constraint was not violated and processing should continue, or {@code false} if we
     *             have created a response already.
     *
     * @exception IOException if an input/output error occurs
     */
    boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraint)
            throws IOException;


    /**
     * Remove a property change listener from this component.
     *
     * @param listener The listener to remove
     */
    void removePropertyChangeListener(PropertyChangeListener listener);


    /**
     * Return roles associated with given principal
     *
     * @param principal the {@link Principal} to get the roles for.
     *
     * @return principal roles
     *
     * @deprecated This will be removed in Tomcat 10.
     */
    @Deprecated
    String[] getRoles(Principal principal);


    /**
     * Return the availability of the realm for authentication.
     *
     * @return {@code true} if the realm is able to perform authentication
     */
    default boolean isAvailable() {
        return true;
    }
}