Class PacDataActiveDirectoryRealm
- java.lang.Object
  - org.apache.catalina.util.LifecycleBase
    - org.apache.catalina.util.LifecycleMBeanBase
      - org.apache.catalina.realm.RealmBase
        - net.sf.michaelo.tomcat.realm.ActiveDirectoryRealmBase
          - net.sf.michaelo.tomcat.realm.PacDataActiveDirectoryRealm
- All Implemented Interfaces: MBeanRegistration, Contained, JmxEnabled, Lifecycle, Realm
public class PacDataActiveDirectoryRealm extends ActiveDirectoryRealmBase

A realm which decodes authorization data of already authenticated users from Active Directory via MS-PAC. This realm requires your JVM to provide an ExtendedGSSContext implementation. It will use InquireType.KRB5_GET_AUTHZ_DATA to extract AuthorizationData according to RFC 4120, section 5.2.6 from an established security context, use the Pac parser to extract all relevant authorization data (group SIDs), validate the PAC data server signature with the PrivateSunPacSignatureVerifier and the supplied keytab (login context), and process the data according to MS-KILE, section 3.4.5.3.

Configuration
The following options can be configured:
- loginEntryName: the login entry, identical to the one from GSSAuthenticatorBase.getLoginEntryName().
- prependRoleFormat: whether the role format is prepended to the role as {roleFormat}:{role}. Default is false.
- addAdditionalAttributes: whether the following additional attributes with their LDAP name counterparts are added to the principal: sAMAccountName, displayName, userPrincipalName (if available), msDS-PrincipalName. Default is false.

Note: This realm is meant to be an alternative to the ActiveDirectoryRealm when no additional attributes or other role formats are required beyond those provided by the PAC data and SPNEGO authentication is used (X.509 authentication is not supported). Moreover, all processing happens in memory; for that reason it is orders of magnitude faster than the previously mentioned one.
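A Tomcat context configuration wiring this realm to the project's SPNEGO authenticator, added here as an example; it is not part of the Javadoc. Only the realm's class name and its three attributes come from this page; the authenticator class name net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator and the JAAS entry name tomcat-server are assumptions. The security-relevant point is that both loginEntryName values must name the same entry, because the keytab behind that entry is what validates the PAC server signature.

```xml
<!-- META-INF/context.xml of the web application (constructed example) -->
<Context>

  <!-- Authenticator: performs SPNEGO and establishes the GSS security context.
       Class name is an assumption (the project's SPNEGO authenticator). -->
  <Valve className="net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator"
         loginEntryName="tomcat-server" />

  <!-- Realm: inquires the established context for the MS-PAC and validates
       the PAC server signature with the keytab of the login entry below.
       loginEntryName MUST equal the authenticator's loginEntryName; a realm
       pointed at a different entry (different keytab) cannot verify the PAC. -->
  <Realm className="net.sf.michaelo.tomcat.realm.PacDataActiveDirectoryRealm"
         loginEntryName="tomcat-server"
         prependRoleFormat="false"
         addAdditionalAttributes="true" />

</Context>
```

The entry name refers to the JVM's JAAS login configuration, which for an acceptor is a Krb5LoginModule entry using the HTTP service keytab (useKeyTab=true, storeKey=true, isInitiator=false). With addAdditionalAttributes="true" the principal also carries sAMAccountName, displayName, userPrincipalName (if available) and msDS-PrincipalName, as described above.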
Nested Class Summary
- Nested classes/interfaces inherited from class org.apache.catalina.realm.RealmBase: RealmBase.AllRolesMode
- Nested classes/interfaces inherited from interface org.apache.catalina.Lifecycle: Lifecycle.SingleUse
Field Summary
Fields (Modifier and Type / Field):
- protected boolean addAdditionalAttributes
- protected String loginEntryName
- protected boolean prependRoleFormat
- Fields inherited from class net.sf.michaelo.tomcat.realm.ActiveDirectoryRealmBase: logger, sm
- Fields inherited from class org.apache.catalina.realm.RealmBase: allRolesMode, container, containerLog, realmPath, stripRealmForGss, support, USER_ATTRIBUTES_DELIMITER, USER_ATTRIBUTES_WILDCARD, userAttributes, userAttributesList, validate, x509UsernameRetriever, x509UsernameRetrieverClassName
- Fields inherited from class org.apache.catalina.util.LifecycleMBeanBase: mserver
- Fields inherited from interface org.apache.catalina.Lifecycle: AFTER_DESTROY_EVENT, AFTER_INIT_EVENT, AFTER_START_EVENT, AFTER_STOP_EVENT, BEFORE_DESTROY_EVENT, BEFORE_INIT_EVENT, BEFORE_START_EVENT, BEFORE_STOP_EVENT, CONFIGURE_START_EVENT, CONFIGURE_STOP_EVENT, PERIODIC_EVENT, START_EVENT, STOP_EVENT
Constructor Summary
- PacDataActiveDirectoryRealm()
Method Summary
All Methods / Instance Methods / Concrete Methods (Modifier and Type / Method / Description):
- protected Key[] getKeys()
- protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential, GSSContext gssContext)
- void setAddAdditionalAttributes(boolean addAdditionalAttributes): Sets whether the additional attributes are added to the principal.
- void setLoginEntryName(String loginEntryName): Sets the login entry name which establishes the security context.
- void setPrependRoleFormat(boolean prependRoleFormat): Sets whether the role format is prepended to the role.
- Methods inherited from class net.sf.michaelo.tomcat.realm.ActiveDirectoryRealmBase: getPassword, getPrincipal, getRoles, hasRoleInternal
- Methods inherited from class org.apache.catalina.realm.RealmBase: addPropertyChangeListener, authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, authenticate, backgroundProcess, findSecurityConstraints, getAllRolesMode, getContainer, getCredentialHandler, getDigest, getDigest, getDomainInternal, getObjectNameKeyProperties, getPrincipal, getPrincipal, getPrincipal, getRealmPath, getRealmSuffix, getServer, getTransportGuaranteeRedirectStatus, getUserAttributes, getValidate, getX509UsernameRetrieverClassName, hasMessageDigest, hasResourcePermission, hasRole, hasUserDataPermission, initInternal, isStripRealmForGss, main, parseUserAttributes, removePropertyChangeListener, setAllRolesMode, setContainer, setCredentialHandler, setRealmPath, setStripRealmForGss, setTransportGuaranteeRedirectStatus, setUserAttributes, setValidate, setX509UsernameRetrieverClassName, startInternal, stopInternal, toString
- Methods inherited from class org.apache.catalina.util.LifecycleMBeanBase: destroyInternal, getDomain, getObjectName, postDeregister, postRegister, preDeregister, preRegister, register, setDomain, unregister, unregister
- Methods inherited from class org.apache.catalina.util.LifecycleBase: addLifecycleListener, destroy, findLifecycleListeners, fireLifecycleEvent, getState, getStateName, getThrowOnFailure, init, removeLifecycleListener, setState, setState, setThrowOnFailure, start, stop
- Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
- Methods inherited from interface org.apache.catalina.Realm: isAvailable
Field Detail
- loginEntryName
  protected String loginEntryName
- prependRoleFormat
  protected boolean prependRoleFormat
- addAdditionalAttributes
  protected boolean addAdditionalAttributes
Method Detail
- setLoginEntryName
  public void setLoginEntryName(String loginEntryName)
  Sets the login entry name which establishes the security context.
  Parameters: loginEntryName - the login entry name
- setPrependRoleFormat
  public void setPrependRoleFormat(boolean prependRoleFormat)
  Sets whether the role format is prepended to the role.
  Parameters: prependRoleFormat - the prepend role format indication
- setAddAdditionalAttributes
  public void setAddAdditionalAttributes(boolean addAdditionalAttributes)
  Sets whether the additional attributes are added to the principal.
  Parameters: addAdditionalAttributes - the add additional attributes indication
- getPrincipal
  protected Principal getPrincipal(GSSName gssName, GSSCredential gssCredential, GSSContext gssContext)
  Overrides: getPrincipal in class RealmBase
- getKeys
  protected Key[] getKeys()