376 lines
20 KiB
HTML
376 lines
20 KiB
HTML
<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Catalina Functional Specifications - JNDIRealm</title><meta name="author" value="Craig McClanahan"><meta name="email" value="craigmcc@apache.org"></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="../../../images/tomcat.gif" align="right" alt="
|
|
Catalina Functional Specifications
|
|
" border="0"></a></td><td><font face="arial,helvetica,sanserif"><h1>Apache Tomcat 6.0</h1></font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img src="../../../images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr noshade="noshade" size="1"></td></tr><tr><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left"><table border="0" width="100%" cellspacing="4"><tr><td align="left" valign="top"><h1>Catalina Functional Specifications</h1><h2>JNDIRealm</h2></td><td align="right" valign="top" nowrap="true"><img src="../../../images/void.gif" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Overview"><strong>Overview</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<p>The purpose of the <strong>JNDIRealm</strong> implementation is to
|
|
provide a mechanism by which Tomcat 5 can acquire information needed
|
|
to authenticate web application users, and define their security roles,
|
|
from a directory server or other service accessed via JNDI APIs. For
|
|
integration with Catalina, this class must implement the
|
|
<code>org.apache.catalina.Realm</code> interface.</p>
|
|
|
|
<p>This specification reflects a combination of functionality that is
|
|
already present in the <code>org.apache.catalina.realm.JNDIRealm</code>
|
|
class, as well as requirements for enhancements that have been
|
|
discussed. Where appropriate, requirements statements are marked
|
|
<em>[Current]</em> and <em>[Requested]</em> to distinguish them.</p>
|
|
|
|
<p>The current status of this functional specification is
|
|
<strong>PROPOSED</strong>. It has not yet been discussed and
|
|
agreed to on the TOMCAT-DEV mailing list.</p>
|
|
|
|
<p>The code in the current version of <code>JNDIRealm</code>, and the
|
|
ideas expressed in this functional specification, are the results of
|
|
contributions from many individuals, including (alphabetically):</p>
|
|
<ul>
|
|
<li>Holman, John <j.g.holman@qmw.ac.uk></li>
|
|
<li>Lockhart, Ellen <elockhart@home.com></li>
|
|
<li>McClanahan, Craig <craigmcc@apache.org></li>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="External Specifications"><strong>External Specifications</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<p>The implementation of this functionality depends on the following
|
|
external specifications:</p>
|
|
<ul>
|
|
<li><a href="http://java.sun.com/products/jndi/">Java Naming and
|
|
Directory Interface</a> (version 1.2.1 or later)</li>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Implementation Requirements"><strong>Implementation Requirements</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<p>The implementation of this functionality shall conform to the
|
|
following requirements:</p>
|
|
<ul>
|
|
<li>Be realized in one or more implementation classes.</li>
|
|
<li>Implement the <code>org.apache.catalina.Realm</code> interface.
|
|
[Current]</li>
|
|
<li>Implement the <code>org.apache.catalina.Lifecycle</code>
|
|
interface. [Current]</li>
|
|
<li>Subclass the <code>org.apache.catalina.realm.RealmBase</code>
|
|
base class.</li>
|
|
<li>Live in the <code>org.apache.catalina.realm</code> package.
|
|
[Current]</li>
|
|
<li>Support a configurable debugging detail level. [Current]</li>
|
|
<li>Log debugging and operational messages (suitably internationalized)
|
|
via the <code>getContainer().log()</code> method. [Current]</li>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
|
|
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Dependencies"><strong>Dependencies</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Environmental Dependencies"><strong>Environmental Dependencies</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<p>The following environmental dependencies must be met in order for
|
|
JNDIRealm to operate correctly:</p>
|
|
<ul>
|
|
<li>The desire to utilize JNDIRealm must be registered in
|
|
<code>$CATALINA_HOME/conf/server.xml</code>, in a
|
|
<code><Realm></code> element that is nested inside a
|
|
corresponding <code><Engine></code>, <code><Host></code>,
|
|
or <code><Context></code> element.</li>
|
|
<li>If the <em>Administrator Login</em> operational mode is selected,
|
|
the configured administrator username and password must be configured
|
|
in the corresponding directory server.</li>
|
|
<li>If the <em>Username Login</em> operational mode is selected,
|
|
the corresponding directory server must be configured to accept
|
|
logins with the username and password that will be passed to
|
|
<code>JNDIRealm</code> by the appropriate <code>Authenticator</code>.
|
|
</li>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Container Dependencies"><strong>Container Dependencies</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<p>Correct operation of JNDIRealm depends on the following
|
|
specific features of the surrounding container:</p>
|
|
<ul>
|
|
<li>Interactions with <code>JNDIRealm</code> will be initiated by
|
|
the appropriate <code>Authenticator</code> implementation, based
|
|
on the login method that is selected.</li>
|
|
<li><code>JNDIRealm</code> must have the JNDI API classes available
|
|
to it. For a JDK 1.2 container, that means <code>jndi.jar</code>
|
|
and the appropriate implementation (such as <code>ldap.jar</code>)
|
|
must be placed in the <code>server/lib</code> directory.</li>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
|
|
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Functionality"><strong>Functionality</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Operational Modes"><strong>Operational Modes</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<p>The completed <code>JNDIRealm</code> must support two major operational
|
|
modes in order to support all of the required use cases. For the purposes
|
|
of this document, the modes are called <em>administrator login</em> and
|
|
<em>Username Login</em>. They are described further in the following
|
|
paragraphs.</p>
|
|
|
|
<p>For <em>Administrator Login</em> mode, <code>JNDIRealm</code> will be
|
|
configured to establish one or more connections (using a connection pool)
|
|
to an appropriate directory server, using JNDI APIs, under a "system
|
|
administrator" username and password. This is similar to the approach
|
|
normally used to configure <code>JDBCRealm</code> to access authentication
|
|
and access control information in a database. It is assumed that the
|
|
system administrator username and password that are configured provide
|
|
sufficient privileges within the directory server to read (but not modify)
|
|
the username, password, and assigned roles for each valid user of the
|
|
web application associated with this <code>Realm</code>. The password
|
|
can be stored in cleartext, or in one of the digested modes supported by
|
|
the <code>org.apache.catalina.realm.RealmBase</code> base class.</p>
|
|
|
|
<p>For <em>Username Login</em> mode, <code>JNDIRealm</code> does not
|
|
normally remain connected to the directory server. Instead, whenever a
|
|
user is to be authenticated, a connection to the directory server
|
|
(using the username and password received from the authenticator) is
|
|
attempted. If this connection is successful, the user is assumed to be
|
|
successfully authenticated. This connection is then utilized to read
|
|
the corresponding security roles associated with this user, and the
|
|
connection is then broken.</p>
|
|
|
|
<p><strong>NOTE</strong> - <em>Username Login</em> mode cannot be used
|
|
if you have selected login method <code>DIGEST</code> in your web
|
|
application deployment descriptor (<code>web.xml</code>) file. This
|
|
restriction exists because the cleartext password is never available
|
|
to the container, so it is not possible to bind to the directory server
|
|
using the user's username and password.</p>
|
|
|
|
<p>Because these operational modes work so differently, the functionality
|
|
for each mode will be described separately. Whether or not both modes
|
|
are actually supported by a single class (versus a class per mode) is
|
|
an implementation detail left to the designer.</p>
|
|
|
|
<p><strong>NOTE</strong> - The current implementation only implements
|
|
part of the <em>Administrator Lookup</em> mode requirements. It does
|
|
not support the <em>Username Lookup</em> mode at all, at this point.</p>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Administrator Login Mode Functionality"><strong>Administrator Login Mode Functionality</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
|
|
<h3>Configurable Properties</h3>
|
|
|
|
<p>The implementation shall support the following properties
|
|
that can be configured with JavaBeans property setters:</p>
|
|
<ul>
|
|
<li><code>connectionURL</code> - URL of the directory server we will
|
|
be contacting.</li>
|
|
<li><code>contextFactory</code> - Fully qualified class name of the JNDI
|
|
context factory used to retrieve our InitialContext.
|
|
[com.sun.jndi.ldap.LdapCtxFactory]</li>
|
|
<li>Additional configuration properties required to establish the
|
|
appropriate connection. [Requested]</li>
|
|
<li>Connection pool configuration properties. [Requested]</li>
|
|
<li>Configuration properties defining how a particular user is
|
|
authenticated. The following capabilities should be supported:
|
|
<ul>
|
|
<li>Substitute the specified username into a string. [Requested]</li>
|
|
<li>Retrieve the distinguished name (DN) of an authorized user via an
|
|
LDAP search string with a replacement placeholder for the
|
|
username, and comparison of the password to a configurable
|
|
attribute retrieved from the search result. [Current]</li>
|
|
</ul></li>
|
|
<li>Configuration properties defining how the roles associated with a
|
|
particular authenticated user can be retrieved. The following
|
|
approaches should be supported:
|
|
<ul>
|
|
<li>Retrieve a specified attribute (possibly multi-valued)
|
|
from an LDAP search expression,
|
|
with a replacement placeholder for the DN of the user.
|
|
[Current]</li>
|
|
<li>Retrieve a set of role names that are defined implicitly (by
|
|
selecting principals that match a search pattern) rather than
|
|
explicitly (by finding a particular attribute value).
|
|
[Requested]</li>
|
|
</ul></li>
|
|
</ul>
|
|
|
|
<h3>Lifecycle Functionality</h3>
|
|
|
|
<p>The following processing must be performed when the <code>start()</code>
|
|
method is called:</p>
|
|
<ul>
|
|
<li>Establish a connection to the configured directory server, using the
|
|
configured system administrator username and password. [Current]</li>
|
|
<li>Configure and establish a connection pool of connections to the
|
|
directory server. [Requested]</li>
|
|
</ul>
|
|
|
|
<p>The following processing must be performed when the <code>stop()</code>
|
|
method is called:</p>
|
|
<ul>
|
|
<li>Close any opened connections to the directory server.</li>
|
|
</ul>
|
|
|
|
|
|
<h3>Method authenticate() Functionality</h3>
|
|
|
|
<p>When <code>authenticate()</code> is called, the following processing
|
|
is required:</p>
|
|
<ul>
|
|
<li>Acquire the one and only connection [Current] or acquire a connection
|
|
from the connection pool [Requested].</li>
|
|
<li>Authenticate the user by retrieving the user's Distinguished Name,
|
|
based on the specified username and password.</li>
|
|
<li>If the user was not authenticated, release the allocated connection
|
|
and return <code>null</code>.</li>
|
|
<li>Acquire a <code>List</code> of the security roles assigned to the
|
|
authenticated user.</li>
|
|
<li>Construct a new instance of class
|
|
<code>org.apache.catalina.realm.GenericPrincipal</code>, passing as
|
|
constructor arguments: this realm instance, the authenticated
|
|
username, and a <code>List</code> of the security roles associated
|
|
with this user.</li>
|
|
<li><strong>WARNING</strong> - Do not attempt to cache and reuse previous
|
|
<code>GenericPrincipal</code> objects for a particular user, because
|
|
the information in the directory server might have changed since the
|
|
last time this user was authenticated.</li>
|
|
<li>Return the newly constructed <code>GenericPrincipal</code>.</li>
|
|
</ul>
|
|
|
|
|
|
<h3>Method hasRole() Functionality</h3>
|
|
|
|
<p>When <code>hasRole()</code> is called, the following processing
|
|
is required:</p>
|
|
<ul>
|
|
<li>The <code>principal</code> that is passed as an argument SHOULD
|
|
be one that we returned (instanceof class
|
|
<code>org.apache.catalina.realm.GenericPrincipal</code>, with a
|
|
<code>realm</code> property that is equal to our instance.</li>
|
|
<li>If the passed <code>principal</code> meets these criteria, check
|
|
the specified role against the list returned by
|
|
<code>getRoles()</code>, and return <code>true</code> if the
|
|
specified role is included; otherwise, return <code>false</code>.</li>
|
|
<li>If the passed <code>principal</code> does not meet these criteria,
|
|
return <code>false</code>.</li>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
|
|
<table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Username Login Mode Functionality"><strong>Username Login Mode Functionality</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<h3>Configurable Properties</h3>
|
|
|
|
<p>The implementation shall support the following properties
|
|
that can be configured with JavaBeans property setters:</p>
|
|
<ul>
|
|
<li><code>connectionURL</code> - URL of the directory server we will
|
|
be contacting.</li>
|
|
<li><code>contextFactory</code> - Fully qualified class name of the JNDI
|
|
context factory used to retrieve our InitialContext.
|
|
[com.sun.jndi.ldap.LdapCtxFactory]</li>
|
|
<li>Additional configuration properties required to establish the
|
|
appropriate connection. [Requested]</li>
|
|
<li>Connection pool configuration properties. [Requested]</li>
|
|
<li>Configuration properties defining if and how a user might be looked
|
|
up before binding to the directory server. The following approaches
|
|
should be supported:
|
|
<ul>
|
|
<li>No previous lookup is required - username specified by the user
|
|
is the same as that used to authenticate to the directory
|
|
server.</li>
|
|
<li>Substitute the specified username into a string.</li>
|
|
<li>Search the directory server based on configured criteria to
|
|
retrieve the distinguished name of the user, then attempt to
|
|
bind with that distinguished name.</li>
|
|
</ul></li>
|
|
<li>Configuration properties defining how the roles associated with a
|
|
particular authenticated user can be retrieved. The following
|
|
approaches should be supported:
|
|
<ul>
|
|
<li>Retrieve a specified attribute (possibly multi-valued)
|
|
from an LDAP search expression,
|
|
with a replacement placeholder for the DN of the user.
|
|
[Current]</li>
|
|
</ul></li>
|
|
</ul>
|
|
|
|
<h3>Lifecycle Functionality</h3>
|
|
|
|
<p>The following processing must be performed when the <code>start()</code>
|
|
method is called:</p>
|
|
<ul>
|
|
<li>None required.</li>
|
|
</ul>
|
|
|
|
<p>The following processing must be performed when the <code>stop()</code>
|
|
method is called:</p>
|
|
<ul>
|
|
<li>None required.</li>
|
|
</ul>
|
|
|
|
|
|
<h3>Method authenticate() Functionality</h3>
|
|
|
|
<p>When <code>authenticate()</code> is called, the following processing
|
|
is required:</p>
|
|
<ul>
|
|
<li>Attempt to bind to the directory server, using the username and
|
|
password provided by the user.</li>
|
|
<li>If the user was not authenticated, release the allocated connection
|
|
and return <code>null</code>.</li>
|
|
<li>Acquire a <code>List</code> of the security roles assigned to the
|
|
authenticated user.</li>
|
|
<li>Construct a new instance of class
|
|
<code>org.apache.catalina.realm.GenericPrincipal</code>, passing as
|
|
constructor arguments: this realm instance, the authenticated
|
|
username, and a <code>List</code> of the security roles associated
|
|
with this user.</li>
|
|
<li><strong>WARNING</strong> - Do not attempt to cache and reuse previous
|
|
<code>GenericPrincipal</code> objects for a particular user, because
|
|
the information in the directory server might have changed since the
|
|
last time this user was authenticated.</li>
|
|
<li>Return the newly constructed <code>GenericPrincipal</code>.</li>
|
|
</ul>
|
|
|
|
|
|
<h3>Method hasRole() Functionality</h3>
|
|
|
|
<p>When <code>hasRole()</code> is called, the following processing
|
|
is required:</p>
|
|
<ul>
|
|
<li>The <code>principal</code> that is passed as an argument SHOULD
|
|
be one that we returned (instanceof class
|
|
<code>org.apache.catalina.realm.GenericPrincipal</code>, with a
|
|
<code>realm</code> property that is equal to our instance.</li>
|
|
<li>If the passed <code>principal</code> meets these criteria, check
|
|
the specified role against the list returned by
|
|
<code>getRoles()</code>, and return <code>true</code> if the
|
|
specified role is included; otherwise, return <code>false</code>.</li>
|
|
<li>If the passed <code>principal</code> does not meet these criteria,
|
|
return <code>false</code>.</li>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table>
|
|
|
|
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Testable Assertions"><strong>Testable Assertions</strong></a></font></td></tr><tr><td><blockquote>
|
|
|
|
<p>In addition the the assertions implied by the functionality requirements
|
|
listed above, the following additional assertions shall be tested to
|
|
validate the behavior of <code>JNDIRealm</code>:</p>
|
|
<ul>
|
|
</ul>
|
|
|
|
</blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr noshade="noshade" size="1"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font color="#525D76" size="-1"><em>
|
|
Copyright © 1999-2006, Apache Software Foundation
|
|
</em></font></div></td></tr></table></body></html> |