org.jboss.web.tomcat.tc5.sso
Class ClusteredSingleSignOn

java.lang.Object
  extended by org.apache.catalina.authenticator.SingleSignOn
      extended by org.jboss.web.tomcat.tc5.sso.ClusteredSingleSignOn

public class ClusteredSingleSignOn
extends org.apache.catalina.authenticator.SingleSignOn

A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain. For successful use, the following requirements must be met:

See Also:
Serialized Form

Constructor Summary
ClusteredSingleSignOn()
 
Method Summary
protected  void associate(java.lang.String ssoId, Session session)
          Associate the specified single sign on identifier with the specified Session.
protected  void deregister(java.lang.String ssoId)
          Deregister the specified single sign on identifier, and invalidate any associated sessions.
protected  void deregister(java.lang.String ssoId, Session session)
          Deregister the specified session.
 SSOClusterManager getClusterManager()
          Gets the object that provides SSO support across a cluster.
 java.lang.String getClusterManagerClass()
          Gets the name of the class that will be used to provide SSO support across a cluster.
protected  org.jboss.web.tomcat.tc5.sso.SingleSignOnEntry getSingleSignOnEntry(java.lang.String ssoId)
          Look up and return the cached SingleSignOn entry associated with this sso id value, if there is one; otherwise return null.
 java.lang.String getTreeCacheName()
          Object name of the tree cache used by SSOClusterManager.
 void invoke(Request request, Response response)
          Perform single-sign-on support processing for this request.
protected  void logout(java.lang.String ssoId)
          Deregister the given SSO, invalidating any associated sessions, then notify any cluster of the logout.
protected  boolean reauthenticate(java.lang.String ssoId, Realm realm, Request request)
          Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.
protected  void register(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)
          Register the specified Principal as being associated with the specified value for the single sign on identifier.
protected  void removeSession(java.lang.String ssoId, Session session)
          Remove a single Session from a SingleSignOn.
 void sessionEvent(SessionEvent event)
          Updates the state of a single sign on session to reflect the destruction of a standard HTTP session.
 void setClusterManager(SSOClusterManager clusterManager)
          Sets the object that provides SSO support across a cluster.
 void setClusterManagerClass(java.lang.String managerClass)
          Sets the name of the class that will be used to provide SSO support across a cluster.
 void setTreeCacheName(java.lang.String cacheName)
          Sets the object name of the tree cache used by SSOClusterManager.
 void start()
          Prepare for the beginning of active use of the public methods of this component.
 void stop()
          Gracefully terminate the active use of the public methods of this component.
protected  void update(java.lang.String ssoId, java.security.Principal principal, java.lang.String authType, java.lang.String username, java.lang.String password)
          Updates any SingleSignOnEntry found under key ssoId with the given authentication data.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ClusteredSingleSignOn

public ClusteredSingleSignOn()
Method Detail

getClusterManager

public SSOClusterManager getClusterManager()
Gets the object that provides SSO support across a cluster.

Returns:
the object providing cluster support, or null if no such object has been configured.

setClusterManager

public void setClusterManager(SSOClusterManager clusterManager)
Sets the object that provides SSO support across a cluster.

Parameters:
clusterManager - the object that provides SSO support.
Throws:
java.lang.IllegalStateException - if this method is invoked after this valve has been started.

getClusterManagerClass

public java.lang.String getClusterManagerClass()
Gets the name of the class that will be used to provide SSO support across a cluster.

Returns:
Fully qualified name of a class implementing SSOClusterManager that is being used to manage SSOs across a cluster. May return null (the default) if clustered SSO support is not configured.

setClusterManagerClass

public void setClusterManagerClass(java.lang.String managerClass)
Sets the name of the class that will be used to provide SSO support across a cluster.

NOTE: If this Valve has already started, and no SSOClusterManager has been configured for it, calling this method will

Parameters:
managerClass - Fully qualified name of a class implementing SSOClusterManager that will be used to manage SSOs across a cluster. Class must declare a public no-arguments constructor. null is allowed.

getTreeCacheName

public java.lang.String getTreeCacheName()
Object name of the tree cache used by SSOClusterManager. Only relevant if the SSOClusterManager implementation is TreeCacheSSOClusterManager.


setTreeCacheName

public void setTreeCacheName(java.lang.String cacheName)
                      throws java.lang.Exception
Sets the object name of the tree cache used by SSOClusterManager. Only relevant if the SSOClusterManager implementation is TreeCacheSSOClusterManager.

Throws:
java.lang.Exception

start

public void start()
           throws LifecycleException
Prepare for the beginning of active use of the public methods of this component. This method should be called after configure(), and before any of the public methods of the component are utilized.

Throws:
LifecycleException - if this component detects a fatal error that prevents this component from being used

stop

public void stop()
          throws LifecycleException
Gracefully terminate the active use of the public methods of this component. This method should be the last one called on a given instance of this component.

Throws:
LifecycleException - if this component detects a fatal error that needs to be reported

sessionEvent

public void sessionEvent(SessionEvent event)
Updates the state of a single sign on session to reflect the destruction of a standard HTTP session.

If the given event is a Session destroyed event, checks whether the session was destroyed due to timeout or user action (i.e. logout). If due to timeout, disassociates the Session from the single sign on session. If due to logout, invokes the logout(java.lang.String) method.

Parameters:
event - SessionEvent that has occurred

invoke

public void invoke(Request request,
                   Response response)
            throws java.io.IOException,
                   ServletException
Perform single-sign-on support processing for this request.

Overrides the superclass version by handling the fact that a single sign on may have been originated on another cluster node and thus may not have a Principal object associated with it on this node.

Parameters:
request - The servlet request we are processing
response - The servlet response we are creating
Throws:
java.io.IOException - if an input/output error occurs
ServletException - if a servlet error occurs

associate

protected void associate(java.lang.String ssoId,
                         Session session)
Associate the specified single sign on identifier with the specified Session.

Differs from the superclass version in that it notifies the cluster of any new association of SSO and Session.

Parameters:
ssoId - Single sign on identifier
session - Session to be associated

deregister

protected void deregister(java.lang.String ssoId,
                          Session session)
Deregister the specified session. If it is the last session, then also get rid of the single sign on identifier.

Differs from the superclass version in that it notifies the cluster of any disassociation of SSO and Session.

Parameters:
ssoId - Single sign on identifier
session - Session to be deregistered

deregister

protected void deregister(java.lang.String ssoId)
Deregister the specified single sign on identifier, and invalidate any associated sessions.

Parameters:
ssoId - Single sign on identifier to deregister

logout

protected void logout(java.lang.String ssoId)
Deregister the given SSO, invalidating any associated sessions, then notify any cluster of the logout.

Parameters:
ssoId - the id of the SSO session

getSingleSignOnEntry

protected org.jboss.web.tomcat.tc5.sso.SingleSignOnEntry getSingleSignOnEntry(java.lang.String ssoId)
Look up and return the cached SingleSignOn entry associated with this sso id value, if there is one; otherwise return null.

Parameters:
ssoId - Single sign on identifier to look up

reauthenticate

protected boolean reauthenticate(java.lang.String ssoId,
                                 Realm realm,
                                 Request request)
Attempts reauthentication to the given Realm using the credentials associated with the single sign-on session identified by argument ssoId.

If reauthentication is successful, the Principal and authorization type associated with the SSO session will be bound to the given HttpRequest object via calls to HttpRequest.setAuthType() and HttpRequest.setUserPrincipal().

Parameters:
ssoId - identifier of SingleSignOn session with which the caller is associated
realm - Realm implementation against which the caller is to be authenticated
request - the request that needs to be authenticated
Returns:
true if reauthentication was successful, false otherwise.

register

protected void register(java.lang.String ssoId,
                        java.security.Principal principal,
                        java.lang.String authType,
                        java.lang.String username,
                        java.lang.String password)
Register the specified Principal as being associated with the specified value for the single sign on identifier.

Differs from the superclass version in that it notifies the cluster of the registration.

Parameters:
ssoId - Single sign on identifier to register
principal - Associated user principal that is identified
authType - Authentication type used to authenticate this user principal
username - Username used to authenticate this user
password - Password used to authenticate this user

removeSession

protected void removeSession(java.lang.String ssoId,
                             Session session)
Remove a single Session from a SingleSignOn. Called when a session is timed out and no longer active.

Differs from the superclass version in that it notifies the cluster of any disassociation of SSO and Session.

Parameters:
ssoId - Single sign on identifier from which to remove the session.
session - the session to be removed.

update

protected void update(java.lang.String ssoId,
                      java.security.Principal principal,
                      java.lang.String authType,
                      java.lang.String username,
                      java.lang.String password)
Updates any SingleSignOnEntry found under key ssoId with the given authentication data.

The purpose of this method is to allow an SSO entry that was established without a username/password combination (i.e. established following DIGEST or CLIENT-CERT authentication) to be updated with a username and password if one becomes available through a subsequent BASIC or FORM authentication. The SSO entry will then be usable for reauthentication.

NOTE: Only updates the SSO entry if a call to SingleSignOnEntry.getCanReauthenticate() returns false; otherwise, it is assumed that the SSO entry already has sufficient information to allow reauthentication and that no update is needed.

Differs from the superclass version in that it notifies the cluster of any update.

Parameters:
ssoId - identifier of the single sign on session to be updated
principal - the Principal returned by the latest call to Realm.authenticate.
authType - the type of authenticator used (BASIC, CLIENT-CERT, DIGEST or FORM)
username - the username (if any) used for the authentication
password - the password (if any) used for the authentication
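The register/associate/update/deregister/sessionEvent descriptions above define a small state machine: an SSO entry is created on first authentication, sessions are attached to it, credentials are filled in only while the entry cannot yet reauthenticate, a timed-out session is merely detached, a user logout destroys the whole SSO and its remaining sessions, and each transition is announced to the cluster. The following Python model of that lifecycle is an added illustration, not JBoss or Tomcat code. Method names follow the Javadoc, but everything else is an assumption made for the model: the Session class stands in for org.apache.catalina.Session, the cluster_log list stands in for the SSOClusterManager notifications, get_can_reauthenticate treats only BASIC and FORM as carrying reusable credentials (the rule the update() text implies), removeSession reuses the same last-session cleanup the page documents for deregister(ssoId, session), and invoke()/reauthenticate() are not modelled.

```python
# Model of the ClusteredSingleSignOn semantics documented on this page (added illustration).
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:                  # constructed stand-in for org.apache.catalina.Session
    id: str
    valid: bool = True


@dataclass
class SingleSignOnEntry:
    principal: str
    auth_type: str
    username: Optional[str]
    password: Optional[str]
    sessions: Dict[str, Session] = field(default_factory=dict)

    def get_can_reauthenticate(self) -> bool:
        # Assumption: only BASIC and FORM leave a reusable username/password pair.
        return self.auth_type in ("BASIC", "FORM")


class ClusteredSingleSignOn:
    def __init__(self) -> None:
        self._cache: Dict[str, SingleSignOnEntry] = {}
        self._session_sso: Dict[str, str] = {}          # session id -> sso id
        # Stand-in for SSOClusterManager: every message the real valve would send to peers.
        self.cluster_log: List[str] = []

    def _notify(self, event: str, sso_id: str, detail: str = "") -> None:
        self.cluster_log.append(f"{event} {sso_id} {detail}".rstrip())

    def get_single_sign_on_entry(self, sso_id: str) -> Optional[SingleSignOnEntry]:
        return self._cache.get(sso_id)

    def register(self, sso_id, principal, auth_type, username, password) -> None:
        self._cache[sso_id] = SingleSignOnEntry(principal, auth_type, username, password)
        self._notify("register", sso_id, auth_type)

    def associate(self, sso_id: str, session: Session) -> None:
        self._cache[sso_id].sessions[session.id] = session
        self._session_sso[session.id] = sso_id
        self._notify("associate", sso_id, session.id)

    def update(self, sso_id, principal, auth_type, username, password) -> bool:
        entry = self._cache.get(sso_id)
        if entry is None or entry.get_can_reauthenticate():
            return False            # Javadoc NOTE: already reauthenticable, no update
        entry.principal, entry.auth_type = principal, auth_type
        entry.username, entry.password = username, password
        self._notify("update", sso_id, auth_type)
        return True

    def _disassociate(self, sso_id: str, session: Session, event: str) -> None:
        entry = self._cache.get(sso_id)
        if entry is None:
            return
        entry.sessions.pop(session.id, None)
        self._session_sso.pop(session.id, None)
        self._notify(event, sso_id, session.id)
        if not entry.sessions:      # last session gone: drop the SSO id as well
            self.deregister(sso_id)

    def deregister(self, sso_id: str, session: Optional[Session] = None) -> None:
        if session is not None:     # deregister(ssoId, session)
            self._disassociate(sso_id, session, "deregister")
            return
        entry = self._cache.pop(sso_id, None)               # deregister(ssoId)
        for sess in (entry.sessions.values() if entry else ()):
            sess.valid = False      # invalidate every still-associated session
            self._session_sso.pop(sess.id, None)

    def logout(self, sso_id: str) -> None:
        self.deregister(sso_id)
        self._notify("logout", sso_id)

    def session_event(self, session: Session, reason: str) -> None:
        # Session destroyed: 'timeout' only disassociates (removeSession), 'logout' tears down.
        session.valid = False
        sso_id = self._session_sso.get(session.id)
        if sso_id is not None and reason == "timeout":
            self._disassociate(sso_id, session, "remove_session")
        elif sso_id is not None and reason == "logout":
            self.logout(sso_id)


def demo() -> dict:
    valve = ClusteredSingleSignOn()
    valve.register("sso-1", "alice", "DIGEST", None, None)  # no reusable credentials
    s1, s2 = Session("sess-a"), Session("sess-b")
    valve.associate("sso-1", s1)
    valve.associate("sso-1", s2)
    first = valve.update("sso-1", "alice", "BASIC", "alice", "pw")     # credentials stored
    second = valve.update("sso-1", "alice", "FORM", "alice", "other")  # ignored: can reauth
    valve.session_event(s1, "timeout")          # s1 disassociated, SSO and s2 survive
    entry = valve.get_single_sign_on_entry("sso-1")
    survives = entry is not None and set(entry.sessions) == {"sess-b"}
    password = entry.password if entry else None
    valve.session_event(s2, "logout")           # logout tears the whole SSO down
    return {"updated_first": first, "updated_second": second,
            "entry_survives_timeout": survives, "password_after_updates": password,
            "entry_after_logout": valve.get_single_sign_on_entry("sso-1"),
            "cluster_log": valve.cluster_log}
```

Running demo() shows the two points a reviewer of an SSO deployment cares about: the second update is a no-op once the entry holds BASIC credentials, so a later FORM login cannot overwrite them, and a session timeout leaves the SSO (and the user's other sessions) alive while only an explicit logout ends it everywhere; the cluster_log lists exactly the transitions that the valve would replicate to the other nodes.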