org.jasig.portal.security.provider
Class CacheSecurityContext
java.lang.Object
org.jasig.portal.security.provider.ChainingSecurityContext
org.jasig.portal.security.provider.CacheSecurityContext
- All Implemented Interfaces:
- java.io.Serializable, ISecurityContext
class CacheSecurityContext
- extends ChainingSecurityContext
- implements ISecurityContext
This is an implementation of a SecurityContext that performs absolutely
NO validation of the Principal but merely caches the claimed password.
We implement this to provide the illusion of single sign-on, but it comes
with significant risk. A channel is able to retrieve the originally
validated password or passphrase to perform just-in-time validation, but the
means of validation is now COMPLETELY in the hands of the channel. If the
channel utilizes a weak authenticity-checking mechanism and the password is
the same as the one that portal users regard as secure, then unbeknownst to
the user, their "secure" password is being placed in jeopardy. PLEASE use
this SecurityContext implementation sparingly and with your eyes open!
CacheSecurityContext can be chained together with another context such that
both are required. This allows an authentication provider such as
SimpleLdapSecurityContext to be used to verify the password and
CacheSecurityContext to allow channels access to the password. Example of
security.properties settings to accomplish this:
root=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory
principalToken.root=userName
credentialToken.root=password
To ensure that both contexts are exercised, the portal property
org.jasig.portal.security.provider.ChainingSecurityContext.stopWhenAuthenticated
must be set to false (by default it is set to true).
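The chaining rules above can be checked mechanically. The following Python audit is an added example, not part of uPortal or its Javadoc; the names `parse_properties` and `audit`, the severity labels, and passing the `stopWhenAuthenticated` portal property as a second properties text are assumptions of this example.

```python
# Added example: audit uPortal properties for the CacheSecurityContext chaining rules.
CACHE_FACTORY = "org.jasig.portal.security.provider.CacheSecurityContextFactory"
STOP_PROP = ("org.jasig.portal.security.provider."
             "ChainingSecurityContext.stopWhenAuthenticated")

def parse_properties(text):
    """Minimal key=value parser (no line continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(security_text, portal_text=""):
    """Return (severity, message) findings; the severity labels are this example's own."""
    sec = parse_properties(security_text)
    portal = parse_properties(portal_text)
    # Context definitions are the "root" key and its dotted children.
    contexts = {k: v for k, v in sec.items() if k == "root" or k.startswith("root.")}
    cache_keys = sorted(k for k, v in contexts.items() if v == CACHE_FACTORY)
    if not cache_keys:
        return []
    findings = [("INFO", "channels can read the cached password via: "
                 + ", ".join(cache_keys))]
    if "root" in cache_keys:
        findings.append(("HIGH", "root context is CacheSecurityContext, which "
                         "performs no validation of the principal"))
    # Per the page: the property defaults to true and must be false for both
    # the validating context and the chained cache context to be exercised.
    stop = portal.get(STOP_PROP, "true").lower()
    if any(k != "root" for k in cache_keys) and stop != "false":
        findings.append(("WARN", STOP_PROP + " is not false, so the chained "
                         "cache context may be skipped"))
    return findings

# Constructed sample input, mirroring the security.properties settings shown above.
SAMPLE_SECURITY = """\
root=org.jasig.portal.security.provider.SimpleSecurityContextFactory
root.cache=org.jasig.portal.security.provider.CacheSecurityContextFactory
principalToken.root=userName
credentialToken.root=password
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SECURITY, STOP_PROP + "=false\n"):
        print(severity, message)
```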
- Version:
- $Revision: 1.23 $
- Author:
- Andrew Newman, newman@yale.edu
Method Summary
- void authenticate()
We walk the chain of subcontexts, assigning principals and opaque credentials
from the parent.
- int getAuthType()
Returns the canonical authentication type for this flavor of
authentication.
- IOpaqueCredentials getOpaqueCredentials()
We need to override this method in order to return a class that implements
the NotSoOpaqueCredentials interface.
Methods inherited from class java.lang.Object
- clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
log
private static final org.apache.commons.logging.Log log
CACHESECURITYAUTHTYPE
private final int CACHESECURITYAUTHTYPE
- See Also:
- Constant Field Values
cachedcredentials
private byte[] cachedcredentials
CacheSecurityContext
CacheSecurityContext()
getAuthType
public int getAuthType()
- Description copied from interface: ISecurityContext
- Returns the canonical authentication type for this flavor of
authentication. Each value returned should be either a globally registered
auth flavor or a local variant.
- Specified by:
- getAuthType in interface ISecurityContext
- Returns:
- The unique authentication value identifier. Values with the
high order 16 bits clear are local (0x0000 - 0x00FF) where values with the
high order 16 bits set (0xFF00 - 0xFFFF) are foundation types distributed
by JASIG. All others should be registered and globally unique.
authenticate
public void authenticate()
throws PortalSecurityException
- Description copied from class: ChainingSecurityContext
- We walk the chain of subcontexts, assigning principals and opaque credentials
from the parent. Note that the contexts themselves should resist
actually performing the assignment if an assignment has already been made
to either the credentials or the UID.
- Specified by:
- authenticate in interface ISecurityContext
- Overrides:
- authenticate in class ChainingSecurityContext
- Throws:
- PortalSecurityException
- See Also:
- ISecurityContext.getPrincipalInstance(), ISecurityContext.getOpaqueCredentialsInstance()
getOpaqueCredentials
public IOpaqueCredentials getOpaqueCredentials()
- We need to override this method in order to return a class that implements
the NotSoOpaqueCredentials interface.
- Specified by:
- getOpaqueCredentials in interface ISecurityContext
- Overrides:
- getOpaqueCredentials in class ChainingSecurityContext
- Returns:
- The currently authenticated credentials object.
- See Also:
- IOpaqueCredentials