Author: markt Date: Fri May 11 16:39:43 2018 New Revision: 1831432 URL: http://svn.apache.org/viewvc?rev=1831432&view=rev Log: Add the AuthenticatedUserRealm for use with CLIENT-CERT and SPNEGO when just the authenticated user name is required.
Added: tomcat/trunk/java/org/apache/catalina/realm/AuthenticatedUserRealm.java (with props) Modified: tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/realm.xml tomcat/trunk/webapps/docs/windows-auth-howto.xml Added: tomcat/trunk/java/org/apache/catalina/realm/AuthenticatedUserRealm.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/AuthenticatedUserRealm.java?rev=1831432&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/catalina/realm/AuthenticatedUserRealm.java (added) +++ tomcat/trunk/java/org/apache/catalina/realm/AuthenticatedUserRealm.java Fri May 11 16:39:43 2018 
@@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.realm; + +import java.security.Principal; + +/** + * This Realm is intended for use with Authenticator implementations + * ({@link org.apache.catalina.authenticator.SSLAuthenticator}, + * {@link org.apache.catalina.authenticator.SpnegoAuthenticator}) that + * authenticate the user as well as obtain the user credentials. An + * authenticated Principal is always created from the user name presented to + * without further validation. + * <p> + * <strong>Note:</strong> It is unsafe to use this Realm with Authenticator + * implementations that do not validate the provided credentials. 
+ */ +public class AuthenticatedUserRealm extends RealmBase { + + @Override + protected String getPassword(String username) { + // Passwords never need validating so always return null + return null; + } + + @Override + protected Principal getPrincipal(String username) { + // The authentication mechanism has authenticated the user so create + // the Principal directly + return new GenericPrincipal(username, null, null); + } +} Propchange: tomcat/trunk/java/org/apache/catalina/realm/AuthenticatedUserRealm.java ------------------------------------------------------------------------------ svn:eol-style = native Modified: tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java?rev=1831432&r1=1831431&r2=1831432&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/http/parser/TestHttpParserHost.java Fri May 11 16:39:43 2018 
@@ -90,6 +90,7 @@ public class TestHttpParserHost { result.add(new Object[] { TestType.IPv4, "0com:8080", Integer.valueOf(4), null} ); result.add(new Object[] { TestType.IPv4, "123", Integer.valueOf(-1), null} ); result.add(new Object[] { TestType.IPv4, "123:8080", Integer.valueOf(3), null} ); + result.add(new Object[] { TestType.IPv4, "myapp-t.mydomain.com", Integer.valueOf(-1), null} ); // Domain Name - invalid result.add(new Object[] { TestType.IPv4, ".", Integer.valueOf(-1), IAE} ); result.add(new Object[] { TestType.IPv4, ".:8080", Integer.valueOf(-1), IAE} ); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1831432&r1=1831431&r2=1831432&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Fri May 11 16:39:43 2018 @@ -81,6 +81,10 @@ <bug>50019</bug>: Add support for <code><lookup-name></code>. Based on a patch by Gurkan Erdogdu. (markt) </fix> + <add> + Add the <code>AuthenticatedUserRealm</code> for use with CLIENT-CERT and + SPNEGO when just the authenticated user name is required. (markt) + </add> </changelog> </subsection> <subsection name="Coyote"> Modified: tomcat/trunk/webapps/docs/config/realm.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/realm.xml?rev=1831432&r1=1831431&r2=1831432&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/realm.xml (original) +++ tomcat/trunk/webapps/docs/config/realm.xml Fri May 11 16:39:43 2018 
@@ -1130,6 +1130,32 @@ </subsection> + <subsection name="Authenticated User Realm - org.apache.catalina.realm.AuthenticatedUserRealm"> + + <p><strong>AuthenticatedUserRealm</strong> is intended for use with + Authenticator implementations (SSLAuthenticator, SpnegoAuthenticator) that + authenticate the user as well as obtain the user credentials. An + authenticated Principal is always created from the user name presented to + without further validation.</p> + <p><strong>Note:</strong> It is unsafe to use this Realm with Authenticator + implementations that do not validate the provided credentials.</p> + + <p>The AuthenticatedUserRealm implementation supports the following + additional attributes.</p> + + <attributes> + + <attribute name="transportGuaranteeRedirectStatus" required="false"> + <p>The HTTP status code to use when the container needs to issue an HTTP + redirect to meet the requirements of a configured transport + guarantee. The provided status code is not validated. If not + specified, the default value of <code>302</code> is used.</p> + </attribute> + + </attributes> + + </subsection> + </section> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1831432&r1=1831431&r2=1831432&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original) +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Fri May 11 16:39:43 2018 
@@ -175,8 +175,10 @@ com.sun.security.jgss.krb5.accept { </ul> <p>The SPNEGO authenticator will work with any <a href="config/realm.html"> Realm</a> but if used with the JNDI Realm, by default the JNDI Realm will use - the user's delegated credentials to connect to the Active Directory. - </p> + the user's delegated credentials to connect to the Active Directory. If + only the authenticated user name is required then the AuthenticatedUserRealm + may be used that will simply return a Principal based on the authenticated + user name that does not have any roles.</p> <p>The above steps have been tested on a Tomcat server running Windows Server 2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.</p> </subsection>
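Review bot: The class Javadoc in the AuthenticatedUserRealm.java hunk has a dangling phrase, "created from the user name presented to without further validation"; it should read "presented to it". The safety note would also be more useful if it said why the design holds: getPassword() always returning null means the username/password path in RealmBase.authenticate(String, String) treats every user as not found, so BASIC, FORM and DIGEST logins cannot succeed against this Realm, whereas the certificate and GSS paths reach getPrincipal(String) directly, which is why only SSLAuthenticator and SpnegoAuthenticator are appropriate. Finally, state in the Javadoc that the GenericPrincipal is built with null roles, so a security-constraint naming a specific role will deny the user.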
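Review bot: The added case in the TestHttpParserHost.java hunk, `"myapp-t.mydomain.com"` expecting -1 and no exception, is unrelated to the AuthenticatedUserRealm change recorded in the log message and the changelog hunk, so it belongs in a separate commit with its own log message. While there, a companion case with a port, `"myapp-t.mydomain.com:8080"` expecting 20 (the index of the colon, following the convention of `"123:8080"` expecting 3), and cases with a leading or trailing hyphen in a label under the "Domain Name - invalid" group would pin down both sides of the hyphen rule.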
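Review bot: The realm.xml hunk copies the Javadoc wording "presented to without further validation"; fix it in both places. More importantly, this subsection should say what the windows-auth-howto hunk says and this one does not: the Principal is created with no roles, so a `<security-constraint>` that lists specific role names will never match a user authenticated through AuthenticatedUserRealm, and only a constraint using the `**` role (any authenticated user) will grant access. A reader configuring CLIENT-CERT or SPNEGO with this Realm needs that stated next to the attribute table.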
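Review bot: The new sentence in the windows-auth-howto.xml hunk reads awkwardly ("the AuthenticatedUserRealm may be used that will simply return a Principal ... that does not have any roles"). Suggest: "If only the authenticated user name is required, the AuthenticatedUserRealm may be used instead; it returns a Principal for the authenticated user name with no roles." Since the sentence now contrasts with the JNDI Realm's use of delegated credentials, a link to the new realm.xml subsection would help readers choosing between the two.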