/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.catalina.authenticator; import java.io.IOException; import java.security.Principal; import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import javax.servlet.ServletException; import javax.servlet.http.Cookie; import org.apache.catalina.Container; import org.apache.catalina.Context; import org.apache.catalina.Engine; import org.apache.catalina.LifecycleException; import org.apache.catalina.Manager; import org.apache.catalina.Realm; import org.apache.catalina.Session; import org.apache.catalina.SessionListener; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.valves.ValveBase; import org.apache.tomcat.util.res.StringManager; /** * A Valve that supports a "single sign on" user experience, * where the security identity of a user who successfully authenticates to one * web application is propagated to other web applications in the same * security domain. For successful use, the following requirements must * be met: *

This Valve must be configured on the Container that represents a * virtual host (typically an implementation of Host).
The Realm that contains the shared user and role * information must be configured on the same Container (or a higher * one), and not overridden at the web application level.
The web applications themselves must use one of the standard * Authenticators found in the * org.apache.catalina.authenticator package.

* * @author Craig R. McClanahan */ public class SingleSignOn extends ValveBase { private static final StringManager sm = StringManager.getManager(SingleSignOn.class); /* The engine at the top of the container hierarchy in which this SSO Valve * has been placed. It is used to get back to a session object from a * SingleSignOnSessionKey and is updated when the Valve starts and stops. */ private Engine engine; //------------------------------------------------------ Constructor public SingleSignOn() { super(true); } // ----------------------------------------------------- Instance Variables /** * The cache of SingleSignOnEntry instances for authenticated Principals, * keyed by the cookie value that is used to select them. */ protected Map cache = new ConcurrentHashMap<>(); /** * Indicates whether this valve should require a downstream Authenticator to * reauthenticate each request, or if it itself can bind a UserPrincipal * and AuthType object to the request. */ private boolean requireReauthentication = false; /** * Optional SSO cookie domain. */ private String cookieDomain; // ------------------------------------------------------------- Properties /** * Returns the optional cookie domain. * May return null. * * @return The cookie domain */ public String getCookieDomain() { return cookieDomain; } /** * Sets the domain to be used for sso cookies. * * @param cookieDomain cookie domain name */ public void setCookieDomain(String cookieDomain) { if (cookieDomain != null && cookieDomain.trim().length() == 0) { this.cookieDomain = null; } else { this.cookieDomain = cookieDomain; } } /** * Gets whether each request needs to be reauthenticated (by an * Authenticator downstream in the pipeline) to the security * Realm, or if this Valve can itself bind security info * to the request based on the presence of a valid SSO entry without * rechecking with the Realm. * * @return true if it is required that a downstream * Authenticator reauthenticate each request before calls to * HttpServletRequest.setUserPrincipal() * and HttpServletRequest.setAuthType() are made; * false if the Valve can itself make * those calls relying on the presence of a valid SingleSignOn * entry associated with the request. * * @see #setRequireReauthentication */ public boolean getRequireReauthentication() { return requireReauthentication; } /** * Sets whether each request needs to be reauthenticated (by an * Authenticator downstream in the pipeline) to the security * Realm, or if this Valve can itself bind security info * to the request, based on the presence of a valid SSO entry, without * rechecking with the Realm. *

* If this property is false (the default), this * Valve will bind a UserPrincipal and AuthType to the request * if a valid SSO entry is associated with the request. It will not notify * the security Realm of the incoming request. *

* This property should be set to true if the overall server * configuration requires that the Realm reauthenticate each * request thread. An example of such a configuration would be one where * the Realm implementation provides security for both a * web tier and an associated EJB tier, and needs to set security * credentials on each request thread in order to support EJB access. *

* If this property is set to true, this Valve will set flags * on the request notifying the downstream Authenticator that the request * is associated with an SSO session. The Authenticator will then call its * {@link AuthenticatorBase#reauthenticateFromSSO reauthenticateFromSSO} * method to attempt to reauthenticate the request to the * Realm, using any credentials that were cached with this * Valve. *

* The default value of this property is false, in order * to maintain backward compatibility with previous versions of Tomcat. * * @param required true if it is required that a downstream * Authenticator reauthenticate each request before calls * to HttpServletRequest.setUserPrincipal() * and HttpServletRequest.setAuthType() are * made; false if the Valve can * itself make those calls relying on the presence of a * valid SingleSignOn entry associated with the request. * * @see AuthenticatorBase#reauthenticateFromSSO */ public void setRequireReauthentication(boolean required) { this.requireReauthentication = required; } // ---------------------------------------------------------- Valve Methods /** * Perform single-sign-on support processing for this request. * * @param request The servlet request we are processing * @param response The servlet response we are creating * * @exception IOException if an input/output error occurs * @exception ServletException if a servlet error occurs */ @Override public void invoke(Request request, Response response) throws IOException, ServletException { request.removeNote(Constants.REQ_SSOID_NOTE); // Has a valid user already been authenticated? if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.invoke", request.getRequestURI())); } if (request.getUserPrincipal() != null) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.hasPrincipal", request.getUserPrincipal().getName())); } getNext().invoke(request, response); return; } // Check for the single sign on cookie if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.cookieCheck")); } Cookie cookie = null; Cookie cookies[] = request.getCookies(); if (cookies != null) { for (int i = 0; i < cookies.length; i++) { if (Constants.SINGLE_SIGN_ON_COOKIE.equals(cookies[i].getName())) { cookie = cookies[i]; break; } } } if (cookie == null) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.cookieNotFound")); } getNext().invoke(request, response); return; } // Look up the cached Principal associated with this cookie value if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.principalCheck", cookie.getValue())); } SingleSignOnEntry entry = cache.get(cookie.getValue()); if (entry != null) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.principalFound", entry.getPrincipal() != null ? entry.getPrincipal().getName() : "", entry.getAuthType())); } request.setNote(Constants.REQ_SSOID_NOTE, cookie.getValue()); // Only set security elements if reauthentication is not required if (!getRequireReauthentication()) { request.setAuthType(entry.getAuthType()); request.setUserPrincipal(entry.getPrincipal()); } } else { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.principalNotFound", cookie.getValue())); } // No need to return a valid SSO session ID cookie.setValue("REMOVE"); // Age of zero will trigger removal cookie.setMaxAge(0); // Domain and path have to match the original cookie to 'replace' // the original cookie cookie.setPath("/"); String domain = getCookieDomain(); if (domain != null) { cookie.setDomain(domain); } // This is going to trigger a Set-Cookie header. While the value is // not security sensitive, ensure that expectations for secure and // httpOnly are met cookie.setSecure(request.isSecure()); if (request.getServletContext().getSessionCookieConfig().isHttpOnly() || request.getContext().getUseHttpOnly()) { cookie.setHttpOnly(true); } response.addCookie(cookie); } // Invoke the next Valve in our pipeline getNext().invoke(request, response); } // ------------------------------------------------------ Protected Methods /** * Process a session destroyed event by removing references to that session * from the caches and - if the session destruction is the result of a * logout - destroy the associated SSO session. * * @param ssoId The ID of the SSO session which which the destroyed * session was associated * @param session The session that has been destroyed */ public void sessionDestroyed(String ssoId, Session session) { if (!getState().isAvailable()) { return; } // Was the session destroyed as the result of a timeout or context stop? // If so, we'll just remove the expired session from the SSO. If the // session was logged out, we'll log out of all session associated with // the SSO. if (((session.getMaxInactiveInterval() > 0) && (session.getIdleTimeInternal() >= session.getMaxInactiveInterval() * 1000)) || (!session.getManager().getContext().getState().isAvailable())) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.sessionTimeout", ssoId, session)); } removeSession(ssoId, session); } else { // The session was logged out. // Deregister this single session id, invalidating // associated sessions if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.sessionLogout", ssoId, session)); } // First remove the session that we know has expired / been logged // out since it has already been removed from its Manager and, if // we don't remove it first, deregister() will log a warning that it // can't be found removeSession(ssoId, session); // If the SSO session was only associated with one web app the call // above will have removed the SSO session from the cache if (cache.containsKey(ssoId)) { deregister(ssoId); } } } /** * Associate the specified single sign on identifier with the * specified Session. * * @param ssoId Single sign on identifier * @param session Session to be associated * * @return true if the session was associated to the given SSO * session, otherwise false */ protected boolean associate(String ssoId, Session session) { SingleSignOnEntry sso = cache.get(ssoId); if (sso == null) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.associateFail", ssoId, session)); } return false; } else { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.associate", ssoId, session)); } sso.addSession(this, ssoId, session); return true; } } /** * Deregister the specified single sign on identifier, and invalidate * any associated sessions. * * @param ssoId Single sign on identifier to deregister */ protected void deregister(String ssoId) { // Look up and remove the corresponding SingleSignOnEntry SingleSignOnEntry sso = cache.remove(ssoId); if (sso == null) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.deregisterFail", ssoId)); } return; } // Expire any associated sessions Set ssoKeys = sso.findSessions(); if (ssoKeys.size() == 0) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.deregisterNone", ssoId)); } } for (SingleSignOnSessionKey ssoKey : ssoKeys) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.deregister", ssoKey, ssoId)); } // Invalidate this session expire(ssoKey); } // NOTE: Clients may still possess the old single sign on cookie, // but it will be removed on the next request since it is no longer // in the cache } private void expire(SingleSignOnSessionKey key) { if (engine == null) { containerLog.warn(sm.getString("singleSignOn.sessionExpire.engineNull", key)); return; } Container host = engine.findChild(key.getHostName()); if (host == null) { containerLog.warn(sm.getString("singleSignOn.sessionExpire.hostNotFound", key)); return; } Context context = (Context) host.findChild(key.getContextName()); if (context == null) { containerLog.warn(sm.getString("singleSignOn.sessionExpire.contextNotFound", key)); return; } Manager manager = context.getManager(); if (manager == null) { containerLog.warn(sm.getString("singleSignOn.sessionExpire.managerNotFound", key)); return; } Session session = null; try { session = manager.findSession(key.getSessionId()); } catch (IOException e) { containerLog.warn(sm.getString("singleSignOn.sessionExpire.managerError", key), e); return; } if (session == null) { containerLog.warn(sm.getString("singleSignOn.sessionExpire.sessionNotFound", key)); return; } session.expire(); } /** * Attempts reauthentication to the given Realm using * the credentials associated with the single sign-on session * identified by argument ssoId. *

* If reauthentication is successful, the Principal and * authorization type associated with the SSO session will be bound * to the given Request object via calls to * {@link Request#setAuthType Request.setAuthType()} and * {@link Request#setUserPrincipal Request.setUserPrincipal()} *

* * @param ssoId identifier of SingleSignOn session with which the * caller is associated * @param realm Realm implementation against which the caller is to * be authenticated * @param request the request that needs to be authenticated * * @return true if reauthentication was successful, * false otherwise. */ protected boolean reauthenticate(String ssoId, Realm realm, Request request) { if (ssoId == null || realm == null) { return false; } boolean reauthenticated = false; SingleSignOnEntry entry = cache.get(ssoId); if (entry != null && entry.getCanReauthenticate()) { String username = entry.getUsername(); if (username != null) { Principal reauthPrincipal = realm.authenticate(username, entry.getPassword()); if (reauthPrincipal != null) { reauthenticated = true; // Bind the authorization credentials to the request request.setAuthType(entry.getAuthType()); request.setUserPrincipal(reauthPrincipal); } } } return reauthenticated; } /** * Register the specified Principal as being associated with the specified * value for the single sign on identifier. * * @param ssoId Single sign on identifier to register * @param principal Associated user principal that is identified * @param authType Authentication type used to authenticate this * user principal * @param username Username used to authenticate this user * @param password Password used to authenticate this user */ protected void register(String ssoId, Principal principal, String authType, String username, String password) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.register", ssoId, principal != null ? principal.getName() : "", authType)); } cache.put(ssoId, new SingleSignOnEntry(principal, authType, username, password)); } /** * Updates any SingleSignOnEntry found under key * ssoId with the given authentication data. *

* The purpose of this method is to allow an SSO entry that was * established without a username/password combination (i.e. established * following DIGEST or CLIENT_CERT authentication) to be updated with * a username and password if one becomes available through a subsequent * BASIC or FORM authentication. The SSO entry will then be usable for * reauthentication. *

* NOTE: Only updates the SSO entry if a call to * SingleSignOnEntry.getCanReauthenticate() returns * false; otherwise, it is assumed that the SSO entry already * has sufficient information to allow reauthentication and that no update * is needed. * * @param ssoId identifier of Single sign to be updated * @param principal the Principal returned by the latest * call to Realm.authenticate. * @param authType the type of authenticator used (BASIC, CLIENT_CERT, * DIGEST or FORM) * @param username the username (if any) used for the authentication * @param password the password (if any) used for the authentication * * @return true if the credentials were updated, otherwise * false */ protected boolean update(String ssoId, Principal principal, String authType, String username, String password) { SingleSignOnEntry sso = cache.get(ssoId); if (sso != null && !sso.getCanReauthenticate()) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.update", ssoId, authType)); } sso.updateCredentials(principal, authType, username, password); return true; } return false; } /** * Remove a single Session from a SingleSignOn. Called when * a session is timed out and no longer active. * * @param ssoId Single sign on identifier from which to remove the session. * @param session the session to be removed. */ protected void removeSession(String ssoId, Session session) { if (containerLog.isDebugEnabled()) { containerLog.debug(sm.getString("singleSignOn.debug.removeSession", session, ssoId)); } // Get a reference to the SingleSignOn SingleSignOnEntry entry = cache.get(ssoId); if (entry == null) { return; } // Remove the inactive session from SingleSignOnEntry entry.removeSession(session); // If there are not sessions left in the SingleSignOnEntry, // deregister the entry. if (entry.findSessions().size() == 0) { deregister(ssoId); } } protected SessionListener getSessionListener(String ssoId) { return new SingleSignOnListener(ssoId); } @Override protected synchronized void startInternal() throws LifecycleException { Container c = getContainer(); while (c != null && !(c instanceof Engine)) { c = c.getParent(); } if (c != null) { engine = (Engine) c; } super.startInternal(); } @Override protected synchronized void stopInternal() throws LifecycleException { super.stopInternal(); engine = null; } }