org.jasig.portal.security.provider
Class CacheSecurityContext

java.lang.Object
  extended by org.jasig.portal.security.provider.ChainingSecurityContext
      extended by org.jasig.portal.security.provider.CacheSecurityContext
All Implemented Interfaces:
java.io.Serializable, ISecurityContext

 class CacheSecurityContext
extends ChainingSecurityContext
implements ISecurityContext

This is an implementation of a SecurityContext that performs absolutely NO validation of the Principal but merely caches the claimed password (in memory, in the cachedcredentials byte array). We implement this to provide the illusion of single sign-on, but it comes with significant risk. A channel is able to retrieve the originally validated password or passphrase to perform just-in-time validation, but the means of validation is now COMPLETELY in the hands of the channel. If the channel uses a weak authenticity-checking mechanism and the password is the same one that portal users regard as secure, then, unbeknownst to the user, their "secure" password is being placed in jeopardy. PLEASE use this SecurityContext implementation sparingly and with your eyes open!

CacheSecurityContext can be chained together with another context such that both are required. This allows an authentication provider such as SimpleLdapSecurityContext to verify the password while CacheSecurityContext gives channels access to it. Example security.properties settings to accomplish this (here the validating root context is SimpleSecurityContextFactory and the cache context is its sub-context named "cache"):

root=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory
principalToken.root=userName
credentialToken.root=password

To ensure that both contexts are exercised, the portal property org.jasig.portal.security.provider.ChainingSecurityContext.stopWhenAuthenticated must be set to false (by default it is set to true); otherwise the chain stops at the first context that authenticates, the cache sub-context is never exercised and no credential is cached:

org.jasig.portal.security.provider.ChainingSecurityContext.stopWhenAuthenticated=false
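The following is an added example, not code from uPortal or from this Javadoc, showing how a channel would consume the credential that CacheSecurityContext exposes and the checks it should make before doing so. It assumes the chain configured as in the security.properties example above (a validating root context with a sub-context named "cache"), that the channel reaches the context through ChannelStaticData.getPerson().getSecurityContext(), that NotSoOpaqueCredentials exposes String getCredentials() and IPrincipal exposes getUID(), and that getSubContext may return null or throw PortalSecurityException for an unconfigured name. LegacyBackend and CachedPasswordConsumer are hypothetical names introduced for the illustration.

```java
// Added example (not part of uPortal or this Javadoc): a channel performing
// just-in-time validation with the password cached by CacheSecurityContext.
// Assumptions: chain configured as root + sub-context "cache" as in the
// security.properties example; NotSoOpaqueCredentials.getCredentials() returns
// the String password; IPrincipal.getUID() returns the user name; LegacyBackend
// is a hypothetical downstream system that needs the plaintext password.
import org.jasig.portal.ChannelStaticData;
import org.jasig.portal.security.IOpaqueCredentials;
import org.jasig.portal.security.IPerson;
import org.jasig.portal.security.ISecurityContext;
import org.jasig.portal.security.PortalSecurityException;
import org.jasig.portal.security.provider.NotSoOpaqueCredentials;

public final class CachedPasswordConsumer {

    /** Sub-context name from security.properties ("root.cache=..."). */
    private static final String CACHE_CONTEXT_NAME = "cache";

    /** Hypothetical downstream system; replace with the real one. */
    public interface LegacyBackend {
        boolean login(String userName, String password);
    }

    /**
     * Uses the cached password for just-in-time validation against a backend.
     * Returns false if the portal did not actually authenticate the user or
     * no cached credential is available; never logs or stores the password.
     */
    public static boolean loginWithCachedPassword(ChannelStaticData staticData,
                                                  LegacyBackend backend)
            throws PortalSecurityException {
        IPerson person = staticData.getPerson();
        ISecurityContext root = person.getSecurityContext();

        // Check 1: CacheSecurityContext validates nothing itself. Only trust the
        // cached value if the root (validating) context reports success.
        if (root == null || !root.isAuthenticated()) {
            return false;
        }

        // Check 2: the cache sub-context must exist and must have been exercised.
        // With stopWhenAuthenticated=true the chain stops at the root and the
        // cache context holds nothing. (Assumption: getSubContext may return
        // null or throw PortalSecurityException for an unknown name.)
        ISecurityContext cache = root.getSubContext(CACHE_CONTEXT_NAME);
        if (cache == null) {
            return false;
        }

        // CacheSecurityContext.getOpaqueCredentials() returns an object that
        // implements NotSoOpaqueCredentials, which is what exposes the password.
        IOpaqueCredentials creds = cache.getOpaqueCredentials();
        if (!(creds instanceof NotSoOpaqueCredentials)) {
            return false;
        }
        String password = ((NotSoOpaqueCredentials) creds).getCredentials();
        if (password == null || password.length() == 0) {
            return false;
        }

        // From here the password leaves the portal's control: the backend's own
        // check is the weak point the class Javadoc warns about. Hand it over
        // once, on a channel you trust, and do not retain it in the channel.
        String userName = root.getPrincipal().getUID();
        return backend.login(userName, password);
    }
}
```

The two checks are the practical consequence of the warning above: the cache context will happily hand back whatever string the user typed, so a channel must look at the root context's isAuthenticated() rather than at the cache context's, and it must account for the case where stopWhenAuthenticated was left at its default and nothing was ever cached.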

Version:
$Revision: 1.23 $
Author:
Andrew Newman, newman@yale.edu

Nested Class Summary
private  class CacheSecurityContext.CacheOpaqueCredentials
          This is a new implementation of an OpaqueCredentials class that implements the less-opaque NotSoOpaqueCredentials.
 
Nested classes/interfaces inherited from class org.jasig.portal.security.provider.ChainingSecurityContext
ChainingSecurityContext.ChainingAdditionalDescriptor, ChainingSecurityContext.ChainingOpaqueCredentials, ChainingSecurityContext.ChainingPrincipal
 
Field Summary
private  byte[] cachedcredentials
           
private  int CACHESECURITYAUTHTYPE
           
private static org.apache.commons.logging.Log log
           
 
Fields inherited from class org.jasig.portal.security.provider.ChainingSecurityContext
isauth, myAdditionalDescriptor, myOpaqueCredentials, myOrder, myPrincipal, mySubContexts, stopWhenAuthenticated
 
Constructor Summary
CacheSecurityContext()
           
 
Method Summary
 void authenticate()
          We walk the chain of subcontexts, assigning principals and opaque credentials from the parent.
 int getAuthType()
          Returns the canonical authentication type for this flavor of authentication.
 IOpaqueCredentials getOpaqueCredentials()
          We need to override this method in order to return a class that implements the NotSoOpaqueCredentials interface.
 
Methods inherited from class org.jasig.portal.security.provider.ChainingSecurityContext
addSubContext, doesSubContextExist, getAdditionalDescriptor, getOpaqueCredentialsInstance, getPrincipal, getPrincipalInstance, getSubContext, getSubContextNames, getSubContexts, isAuthenticated
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.jasig.portal.security.ISecurityContext
addSubContext, getAdditionalDescriptor, getOpaqueCredentialsInstance, getPrincipal, getPrincipalInstance, getSubContext, getSubContextNames, getSubContexts, isAuthenticated
 

Field Detail

log

private static final org.apache.commons.logging.Log log

CACHESECURITYAUTHTYPE

private final int CACHESECURITYAUTHTYPE
See Also:
Constant Field Values

cachedcredentials

private byte[] cachedcredentials
Constructor Detail

CacheSecurityContext

CacheSecurityContext()
Method Detail

getAuthType

public int getAuthType()
Description copied from interface: ISecurityContext
Returns the canonical authentication type for this flavor of authentication. Each value returned should be either a globally registered auth flavor or a local variant.

Specified by:
getAuthType in interface ISecurityContext
Returns:
The unique authentication value identifier. Values with the high order 16 bits clear are local (0x0000 - 0x00FF), whereas values with the high order 16 bits set (0xFF00 - 0xFFFF) are foundation types distributed by JASIG. All others should be registered and globally unique.

authenticate

public void authenticate()
                  throws PortalSecurityException
Description copied from class: ChainingSecurityContext
We walk the chain of subcontexts, assigning principals and opaque credentials from the parent. Note that the contexts themselves should resist actually performing the assignment if an assignment has already been made to either the credentials or the UID.

Specified by:
authenticate in interface ISecurityContext
Overrides:
authenticate in class ChainingSecurityContext
Throws:
PortalSecurityException
See Also:
ISecurityContext.getPrincipalInstance(), ISecurityContext.getOpaqueCredentialsInstance()

getOpaqueCredentials

public IOpaqueCredentials getOpaqueCredentials()
We need to override this method in order to return a class that implements the NotSoOpaqueCredentials interface.

Specified by:
getOpaqueCredentials in interface ISecurityContext
Overrides:
getOpaqueCredentials in class ChainingSecurityContext
Returns:
The currently authenticated credentials object.
See Also:
IOpaqueCredentials