This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit c714bfdfbeb37a7fcc679143a35fd72ac40cdabf
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Sep 15 15:01:18 2020 +0100
Remove deprecated JDBCRealm
---
 build.xml | 1 -
 java/org/apache/catalina/mbeans/MBeanFactory.java | 32 -
 .../apache/catalina/mbeans/mbeans-descriptors.xml | 9 -
 java/org/apache/catalina/realm/JDBCRealm.java | 745 ---------------------
 .../apache/catalina/realm/LocalStrings.properties | 7 -
 .../catalina/realm/LocalStrings_de.properties | 3 -
 .../catalina/realm/LocalStrings_es.properties | 7 -
 .../catalina/realm/LocalStrings_fr.properties | 7 -
 .../catalina/realm/LocalStrings_ja.properties | 7 -
 .../catalina/realm/LocalStrings_ko.properties | 7 -
 .../catalina/realm/LocalStrings_zh_CN.properties | 7 -
 .../apache/catalina/realm/mbeans-descriptors.xml | 71 --
 res/findbugs/filter-false-positives.xml | 19 +-
 webapps/docs/config/realm.xml | 126 ----
 webapps/docs/manager-howto.xml | 2 +-
 webapps/docs/realm-howto.xml | 113 ----
 webapps/docs/security-howto.xml | 4 -
 17 files changed, 2 insertions(+), 1165 deletions(-)
diff --git a/build.xml b/build.xml
index 349c1d4..717912d 100644
--- a/build.xml
+++ b/build.xml
@@ -561,7 +561,6 @@
 <exclude name="org/apache/catalina/realm/JAASCallbackHandler.class" />
 <exclude name="org/apache/catalina/realm/JAASMemoryLoginModule.class" />
 <exclude name="org/apache/catalina/realm/JAASRealm.class" />
- <exclude name="org/apache/catalina/realm/JDBCRealm.class" />
 <exclude name="org/apache/catalina/realm/JNDIRealm$User.class" />
 <exclude name="org/apache/catalina/realm/JNDIRealm.class" />
 <exclude name="org/apache/catalina/realm/LockOutRealm*" />
diff --git a/java/org/apache/catalina/mbeans/MBeanFactory.java b/java/org/apache/catalina/mbeans/MBeanFactory.java
index bf2970e..8ef53ce 100644
--- a/java/org/apache/catalina/mbeans/MBeanFactory.java
+++ b/java/org/apache/catalina/mbeans/MBeanFactory.java
@@ -323,38 +323,6 @@ public class MBeanFactory { /** - * Create a new JDBC Realm. - * - * @param parent MBean Name of the associated parent component - * @param driverName JDBC driver name - * @param connectionName the user name for the connection - * @param connectionPassword the password for the connection - * @param connectionURL the connection URL to the database - * @return the object name of the created realm - * - * @exception Exception if an MBean cannot be created or registered - * - * @deprecated This method will be removed in Tomcat 10. Use a - * DataSourceRealm instead. - */ - @Deprecated - public String createJDBCRealm(String parent, String driverName, - String connectionName, String connectionPassword, String connectionURL) - throws Exception { - - // Create a new JDBCRealm instance - org.apache.catalina.realm.JDBCRealm realm = new org.apache.catalina.realm.JDBCRealm(); - realm.setDriverName(driverName); - realm.setConnectionName(connectionName); - realm.setConnectionPassword(connectionPassword); - realm.setConnectionURL(connectionURL); - - // Add the new instance to its parent component - return addRealmToParent(parent, realm); - } - - - /** * Create a new JNDI Realm. * * @param parent MBean Name of the associated parent component diff --git a/java/org/apache/catalina/mbeans/mbeans-descriptors.xml b/java/org/apache/catalina/mbeans/mbeans-descriptors.xml index 913830f..9597210 100644 --- a/java/org/apache/catalina/mbeans/mbeans-descriptors.xml +++ b/java/org/apache/catalina/mbeans/mbeans-descriptors.xml @@ -105,15 +105,6 @@ type="int"/> </operation> - <operation name="createJDBCRealm" - description="Create a new JDBC Realm (deprecated - will be removed in Tomcat 10)" - impact="ACTION" - returnType="java.lang.String"> - <parameter name="parent" - description="MBean Name of the associated parent component" - type="java.lang.String"/> - </operation> - <operation name="createJNDIRealm" description="Create a new JNDI Realm" impact="ACTION" 
diff --git a/java/org/apache/catalina/realm/JDBCRealm.java b/java/org/apache/catalina/realm/JDBCRealm.java
deleted file mode 100644
index 8b9c472..0000000
--- a/java/org/apache/catalina/realm/JDBCRealm.java
+++ /dev/null
@@ -1,745 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -package org.apache.catalina.realm; - - -import java.security.Principal; -import java.sql.Connection; -import java.sql.Driver; -import java.sql.PreparedStatement; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.util.ArrayList; -import java.util.Properties; - -import org.apache.catalina.LifecycleException; -import org.apache.tomcat.util.ExceptionUtils; - - -/** -* -* Implementation of <b>Realm</b> that works with any JDBC supported database. -* See the JDBCRealm.howto for more details on how to set up the database and -* for configuration options. -* -* <p>For a <b>Realm</b> implementation that supports connection pooling and -* doesn't require synchronisation of <code>authenticate()</code>, -* <code>getPassword()</code>, <code>roles()</code> and -* <code>getPrincipal()</code> or the ugly connection logic use the -* <code>DataSourceRealm</code>.</p> -* -* @author Craig R. McClanahan -* @author Carson McDonald -* @author Ignacio Ortega -* -* @deprecated Will be removed in Tomcat 10 onwards. Use the DataSourceRealm -* instead. 
-*/ -@Deprecated -public class JDBCRealm - extends RealmBase { - - - // ----------------------------------------------------- Instance Variables - - - /** - * The connection username to use when trying to connect to the database. - */ - protected String connectionName = null; - - - /** - * The connection URL to use when trying to connect to the database. - */ - protected String connectionPassword = null; - - - /** - * The connection URL to use when trying to connect to the database. - */ - protected String connectionURL = null; - - - /** - * The connection to the database. - */ - protected Connection dbConnection = null; - - - /** - * Instance of the JDBC Driver class we use as a connection factory. - */ - protected Driver driver = null; - - - /** - * The JDBC driver to use. - */ - protected String driverName = null; - - - /** - * The PreparedStatement to use for authenticating users. - */ - protected PreparedStatement preparedCredentials = null; - - - /** - * The PreparedStatement to use for identifying the roles for - * a specified user. - */ - protected PreparedStatement preparedRoles = null; - - - /** - * The column in the user role table that names a role - */ - protected String roleNameCol = null; - - - /** - * The column in the user table that holds the user's credentials - */ - protected String userCredCol = null; - - - /** - * The column in the user table that holds the user's name - */ - protected String userNameCol = null; - - - /** - * The table that holds the relation between user's and roles - */ - protected String userRoleTable = null; - - - /** - * The table that holds user data. - */ - protected String userTable = null; - - - // ------------------------------------------------------------- Properties - - /** - * @return the username to use to connect to the database. - */ - public String getConnectionName() { - return connectionName; - } - - /** - * Set the username to use to connect to the database. 
- * - * @param connectionName Username - */ - public void setConnectionName(String connectionName) { - this.connectionName = connectionName; - } - - /** - * @return the password to use to connect to the database. - */ - public String getConnectionPassword() { - return connectionPassword; - } - - /** - * Set the password to use to connect to the database. - * - * @param connectionPassword User password - */ - public void setConnectionPassword(String connectionPassword) { - this.connectionPassword = connectionPassword; - } - - /** - * @return the URL to use to connect to the database. - */ - public String getConnectionURL() { - return connectionURL; - } - - /** - * Set the URL to use to connect to the database. - * - * @param connectionURL The new connection URL - */ - public void setConnectionURL( String connectionURL ) { - this.connectionURL = connectionURL; - } - - /** - * @return the JDBC driver that will be used. - */ - public String getDriverName() { - return driverName; - } - - /** - * Set the JDBC driver that will be used. - * - * @param driverName The driver name - */ - public void setDriverName( String driverName ) { - this.driverName = driverName; - } - - /** - * @return the column in the user role table that names a role. - */ - public String getRoleNameCol() { - return roleNameCol; - } - - /** - * Set the column in the user role table that names a role. - * - * @param roleNameCol The column name - */ - public void setRoleNameCol( String roleNameCol ) { - this.roleNameCol = roleNameCol; - } - - /** - * @return the column in the user table that holds the user's credentials. - */ - public String getUserCredCol() { - return userCredCol; - } - - /** - * Set the column in the user table that holds the user's credentials. - * - * @param userCredCol The column name - */ - public void setUserCredCol( String userCredCol ) { - this.userCredCol = userCredCol; - } - - /** - * @return the column in the user table that holds the user's name. 
- */ - public String getUserNameCol() { - return userNameCol; - } - - /** - * Set the column in the user table that holds the user's name. - * - * @param userNameCol The column name - */ - public void setUserNameCol( String userNameCol ) { - this.userNameCol = userNameCol; - } - - /** - * @return the table that holds the relation between user's and roles. - */ - public String getUserRoleTable() { - return userRoleTable; - } - - /** - * Set the table that holds the relation between user's and roles. - * - * @param userRoleTable The table name - */ - public void setUserRoleTable( String userRoleTable ) { - this.userRoleTable = userRoleTable; - } - - /** - * @return the table that holds user data.. - */ - public String getUserTable() { - return userTable; - } - - /** - * Set the table that holds user data. - * - * @param userTable The table name - */ - public void setUserTable( String userTable ) { - this.userTable = userTable; - } - - - // --------------------------------------------------------- Public Methods - - /** - * Return the Principal associated with the specified username and - * credentials, if there is one; otherwise return <code>null</code>. - * - * If there are any errors with the JDBC connection, executing - * the query or anything we return null (don't authenticate). This - * event is also logged, and the connection will be closed so that - * a subsequent request will automatically re-open it. - * - * - * @param username Username of the Principal to look up - * @param credentials Password or other credentials to use in - * authenticating this username - * @return the associated principal, or <code>null</code> if there is none. 
- */ - @Override - public synchronized Principal authenticate(String username, String credentials) { - - // Number of tries is the number of attempts to connect to the database - // during this login attempt (if we need to open the database) - // This needs rewritten with better pooling support, the existing code - // needs signature changes since the Prepared statements needs cached - // with the connections. - // The code below will try twice if there is an SQLException so the - // connection may try to be opened again. On normal conditions (including - // invalid login - the above is only used once. - int numberOfTries = 2; - while (numberOfTries>0) { - try { - - // Ensure that we have an open database connection - open(); - - // Acquire a Principal object for this user - Principal principal = authenticate(dbConnection, - username, credentials); - - - // Return the Principal (if any) - return principal; - - } catch (SQLException e) { - - // Log the problem for posterity - containerLog.error(sm.getString("jdbcRealm.exception"), e); - - // Close the connection so that it gets reopened next time - if (dbConnection != null) - close(dbConnection); - - } - - numberOfTries--; - } - - // Worst case scenario - return null; - - } - - - // -------------------------------------------------------- Package Methods - - - // ------------------------------------------------------ Protected Methods - - - /** - * Attempt to authenticate the user with the provided credentials. - * - * @param dbConnection The database connection to be used - * @param username Username of the Principal to look up - * @param credentials Password or other credentials to use in authenticating - * this username - * - * @return Return the Principal associated with the specified username and - * credentials, if there is one; otherwise return <code>null</code>. 
- */ - public synchronized Principal authenticate(Connection dbConnection, - String username, - String credentials) { - // No user or no credentials - // Can't possibly authenticate, don't bother the database then - if (username == null || credentials == null) { - if (containerLog.isTraceEnabled()) - containerLog.trace(sm.getString("jdbcRealm.authenticateFailure", - username)); - return null; - } - - // Look up the user's credentials - String dbCredentials = getPassword(username); - - if (dbCredentials == null) { - // User was not found in the database. - // Waste a bit of time as not to reveal that the user does not exist. - getCredentialHandler().mutate(credentials); - - if (containerLog.isTraceEnabled()) - containerLog.trace(sm.getString("jdbcRealm.authenticateFailure", - username)); - return null; - } - - // Validate the user's credentials - boolean validated = getCredentialHandler().matches(credentials, dbCredentials); - - if (validated) { - if (containerLog.isTraceEnabled()) - containerLog.trace(sm.getString("jdbcRealm.authenticateSuccess", - username)); - } else { - if (containerLog.isTraceEnabled()) - containerLog.trace(sm.getString("jdbcRealm.authenticateFailure", - username)); - return null; - } - - ArrayList<String> roles = getRoles(username); - - // Create and return a suitable Principal for this user - return new GenericPrincipal(username, roles); - } - - - @Override - public boolean isAvailable() { - return (dbConnection != null); - } - - - /** - * Close the specified database connection. 
- * - * @param dbConnection The connection to be closed - */ - protected void close(Connection dbConnection) { - - // Do nothing if the database connection is already closed - if (dbConnection == null) - return; - - // Close our prepared statements (if any) - try { - preparedCredentials.close(); - } catch (Throwable f) { - ExceptionUtils.handleThrowable(f); - } - this.preparedCredentials = null; - - - try { - preparedRoles.close(); - } catch (Throwable f) { - ExceptionUtils.handleThrowable(f); - } - this.preparedRoles = null; - - - // Close this database connection, and log any errors - try { - dbConnection.close(); - } catch (SQLException e) { - containerLog.warn(sm.getString("jdbcRealm.close"), e); // Just log it here - } finally { - this.dbConnection = null; - } - - } - - - /** - * Return a PreparedStatement configured to perform the SELECT required - * to retrieve user credentials for the specified username. - * - * @param dbConnection The database connection to be used - * @param username Username for which credentials should be retrieved - * @return the prepared statement - * @exception SQLException if a database error occurs - */ - protected PreparedStatement credentials(Connection dbConnection, String username) - throws SQLException { - - if (preparedCredentials == null) { - StringBuilder sb = new StringBuilder("SELECT "); - sb.append(userCredCol); - sb.append(" FROM "); - sb.append(userTable); - sb.append(" WHERE "); - sb.append(userNameCol); - sb.append(" = ?"); - - if(containerLog.isDebugEnabled()) { - containerLog.debug("credentials query: " + sb.toString()); - } - - preparedCredentials = - dbConnection.prepareStatement(sb.toString()); - } - - if (username == null) { - preparedCredentials.setNull(1,java.sql.Types.VARCHAR); - } else { - preparedCredentials.setString(1, username); - } - - return preparedCredentials; - } - - - /** - * Get the password for the specified user. 
- * @param username The user name - * @return the password associated with the given principal's user name. - */ - @Override - protected synchronized String getPassword(String username) { - - // Look up the user's credentials - String dbCredentials = null; - - // Number of tries is the number of attempts to connect to the database - // during this login attempt (if we need to open the database) - // This needs rewritten with better pooling support, the existing code - // needs signature changes since the Prepared statements needs cached - // with the connections. - // The code below will try twice if there is an SQLException so the - // connection may try to be opened again. On normal conditions (including - // invalid login - the above is only used once. - int numberOfTries = 2; - while (numberOfTries > 0) { - try { - // Ensure that we have an open database connection - open(); - - PreparedStatement stmt = credentials(dbConnection, username); - try (ResultSet rs = stmt.executeQuery()) { - if (rs.next()) { - dbCredentials = rs.getString(1); - } - - dbConnection.commit(); - - if (dbCredentials != null) { - dbCredentials = dbCredentials.trim(); - } - - return dbCredentials; - } - } catch (SQLException e) { - // Log the problem for posterity - containerLog.error(sm.getString("jdbcRealm.exception"), e); - } - - // Close the connection so that it gets reopened next time - if (dbConnection != null) { - close(dbConnection); - } - - numberOfTries--; - } - - return null; - } - - /** - * Get the principal associated with the specified user. - * @param username The user name - * @return the Principal associated with the given user name. - */ - @Override - protected synchronized Principal getPrincipal(String username) { - - return new GenericPrincipal(username, getRoles(username)); - - } - - - /** - * Return the roles associated with the given user name. 
- * @param username The user name - * @return an array list of the role names - */ - protected ArrayList<String> getRoles(String username) { - - if (allRolesMode != AllRolesMode.STRICT_MODE && !isRoleStoreDefined()) { - // Using an authentication only configuration and no role store has - // been defined so don't spend cycles looking - return null; - } - - // Number of tries is the number of attempts to connect to the database - // during this login attempt (if we need to open the database) - // This needs rewritten wuth better pooling support, the existing code - // needs signature changes since the Prepared statements needs cached - // with the connections. - // The code below will try twice if there is an SQLException so the - // connection may try to be opened again. On normal conditions (including - // invalid login - the above is only used once. - int numberOfTries = 2; - while (numberOfTries>0) { - try { - // Ensure that we have an open database connection - open(); - - PreparedStatement stmt = roles(dbConnection, username); - try (ResultSet rs = stmt.executeQuery()) { - // Accumulate the user's roles - ArrayList<String> roleList = new ArrayList<>(); - - while (rs.next()) { - String role = rs.getString(1); - if (null!=role) { - roleList.add(role.trim()); - } - } - - return roleList; - } finally { - dbConnection.commit(); - } - } catch (SQLException e) { - // Log the problem for posterity - containerLog.error(sm.getString("jdbcRealm.exception"), e); - - // Close the connection so that it gets reopened next time - if (dbConnection != null) - close(dbConnection); - } - - numberOfTries--; - } - - return null; - } - - - /** - * Open (if necessary) and return a database connection for use by - * this Realm. 
- * @return the opened connection - * @exception SQLException if a database error occurs - */ - protected Connection open() throws SQLException { - - // Do nothing if there is a database connection already open - if (dbConnection != null) - return dbConnection; - - // Instantiate our database driver if necessary - if (driver == null) { - try { - Class<?> clazz = Class.forName(driverName); - driver = (Driver) clazz.getConstructor().newInstance(); - } catch (Throwable e) { - ExceptionUtils.handleThrowable(e); - throw new SQLException(e.getMessage(), e); - } - } - - // Open a new connection - Properties props = new Properties(); - if (connectionName != null) - props.put("user", connectionName); - if (connectionPassword != null) - props.put("password", connectionPassword); - dbConnection = driver.connect(connectionURL, props); - if (dbConnection == null) { - throw new SQLException(sm.getString( - "jdbcRealm.open.invalidurl",driverName, connectionURL)); - } - dbConnection.setAutoCommit(false); - return dbConnection; - - } - - - /** - * Return a PreparedStatement configured to perform the SELECT required - * to retrieve user roles for the specified username. 
- * - * @param dbConnection The database connection to be used - * @param username Username for which roles should be retrieved - * @return the prepared statement - * @exception SQLException if a database error occurs - */ - protected synchronized PreparedStatement roles(Connection dbConnection, String username) - throws SQLException { - - if (preparedRoles == null) { - StringBuilder sb = new StringBuilder("SELECT "); - sb.append(roleNameCol); - sb.append(" FROM "); - sb.append(userRoleTable); - sb.append(" WHERE "); - sb.append(userNameCol); - sb.append(" = ?"); - preparedRoles = dbConnection.prepareStatement(sb.toString()); - } - - preparedRoles.setString(1, username); - return preparedRoles; - - } - - - private boolean isRoleStoreDefined() { - return userRoleTable != null || roleNameCol != null; - } - - - // ------------------------------------------------------ Lifecycle Methods - - /** - * Prepare for the beginning of active use of the public methods of this - * component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#startInternal()}. - * - * @exception LifecycleException if this component detects a fatal error - * that prevents this component from being used - */ - @Override - protected void startInternal() throws LifecycleException { - - // Validate that we can open our connection - but let tomcat - // startup in case the database is temporarily unavailable - try { - open(); - } catch (SQLException e) { - containerLog.error(sm.getString("jdbcRealm.open"), e); - } - - super.startInternal(); - } - - - /** - * Gracefully terminate the active use of the public methods of this - * component and implement the requirements of - * {@link org.apache.catalina.util.LifecycleBase#stopInternal()}. 
- * - * @exception LifecycleException if this component detects a fatal error - * that needs to be reported - */ - @Override - protected void stopInternal() throws LifecycleException { - - super.stopInternal(); - - // Close any open DB connection - close(this.dbConnection); - - } - - -} diff --git a/java/org/apache/catalina/realm/LocalStrings.properties b/java/org/apache/catalina/realm/LocalStrings.properties index 20398fa..49034d1 100644 --- a/java/org/apache/catalina/realm/LocalStrings.properties +++ b/java/org/apache/catalina/realm/LocalStrings.properties @@ -60,13 +60,6 @@ jaasRealm.unexpectedError=Unexpected error jaasRealm.userPrincipalFailure=No valid user Principal found jaasRealm.userPrincipalSuccess=Principal [{0}] is a valid user class. We will use this as the user Principal. -jdbcRealm.authenticateFailure=Username [{0}] NOT successfully authenticated -jdbcRealm.authenticateSuccess=Username [{0}] successfully authenticated -jdbcRealm.close=Exception closing database connection -jdbcRealm.exception=Exception performing authentication -jdbcRealm.open=Exception opening database connection -jdbcRealm.open.invalidurl=Driver [{0}] does not support the url [{1}] - jndiRealm.authenticateFailure=Username [{0}] NOT successfully authenticated jndiRealm.authenticateSuccess=Username [{0}] successfully authenticated jndiRealm.cipherSuites=Enable [{0}] as cipher suites for tls connection. diff --git a/java/org/apache/catalina/realm/LocalStrings_de.properties b/java/org/apache/catalina/realm/LocalStrings_de.properties index bf923bf..8d51653 100644 --- a/java/org/apache/catalina/realm/LocalStrings_de.properties +++ b/java/org/apache/catalina/realm/LocalStrings_de.properties 
@@ -27,9 +27,6 @@ jaasRealm.credentialExpired=Benutzername [{0}] konnte auf Grund abgelaufener Zug jaasRealm.failedLogin=Benutzername [{0}] konnte auf Grund einer fehlerhaften Anmeldung NICHT authentifiziert werden jaasRealm.loginContextCreated=JAAS LoginContext für Benutzername [{0}] erzeugt -jdbcRealm.authenticateFailure=Benutzername [{0}] konnte NICHT authentifiziert werden -jdbcRealm.authenticateSuccess=Benutzername [{0}] konnte erfolgreich authentifiziert werden - jndiRealm.authenticateFailure=Benutzername [{0}] konnte NICHT authentifiziert werden jndiRealm.authenticateSuccess=Benutzername [{0}] konnte erfolgreich authentifiziert werden diff --git a/java/org/apache/catalina/realm/LocalStrings_es.properties b/java/org/apache/catalina/realm/LocalStrings_es.properties index 49e521e..c915fee 100644 --- a/java/org/apache/catalina/realm/LocalStrings_es.properties +++ b/java/org/apache/catalina/realm/LocalStrings_es.properties @@ -46,13 +46,6 @@ jaasRealm.unexpectedError=Error inesperado jaasRealm.userPrincipalFailure=No se ha hallado usuario Principal jaasRealm.userPrincipalSuccess=El Principal [{0}] es una clase válida de usuario. La vamos a usar como usuario Principal. -jdbcRealm.authenticateFailure=El usuario [{0}] NO ha sido autentificado correctamente -jdbcRealm.authenticateSuccess=El usuario [{0}] ha sido autentificado correctamente -jdbcRealm.close=Excepción al cerrar la conexión a la base de datos -jdbcRealm.exception=Excepción al realizar la autentificación -jdbcRealm.open=Excepción abriendo la conexión a la base de datos -jdbcRealm.open.invalidurl=El conductor [{0}] no soporta la url [{1}] - jndiRealm.authenticateFailure=Autentificación fallida para el usuario [{0}] jndiRealm.authenticateSuccess=Autentificación correcta para el usuario [{0}] jndiRealm.close=Excepción al cerrar la conexión al servidor de directorio 
diff --git a/java/org/apache/catalina/realm/LocalStrings_fr.properties b/java/org/apache/catalina/realm/LocalStrings_fr.properties index f3f2382..854c9bd 100644 --- a/java/org/apache/catalina/realm/LocalStrings_fr.properties +++ b/java/org/apache/catalina/realm/LocalStrings_fr.properties @@ -60,13 +60,6 @@ jaasRealm.unexpectedError=Erreur inattendue jaasRealm.userPrincipalFailure=Aucun principal valide trouvé jaasRealm.userPrincipalSuccess=Le principal [{0}] est une classe utilisateur valide, elle sera utilisée comme principal de l''utilisateur -jdbcRealm.authenticateFailure=le nom d''utilisateur [{0}] N''A PAS été authentifié -jdbcRealm.authenticateSuccess=le nom d''utilisateur [{0}] a été authentifié avec succès -jdbcRealm.close=Exception lors de la fermeture de la connexion à la base de données -jdbcRealm.exception=Exception pendant le traitement de l'authentification -jdbcRealm.open=Exception lors de l'ouverture de la base de données -jdbcRealm.open.invalidurl=Le pilote [{0}] ne supporte pas l''URL [{1}] - jndiRealm.authenticateFailure=Le nom d''utilisateur [{0}] N''A PAS été authentifié jndiRealm.authenticateSuccess=Le nom d''utilisateur [{0}] a été authentifié avec succès jndiRealm.cipherSuites=La suite de chiffres [{0}] a été activée pour la connection TLS diff --git a/java/org/apache/catalina/realm/LocalStrings_ja.properties b/java/org/apache/catalina/realm/LocalStrings_ja.properties index 1e306cd..0d55feb 100644 --- a/java/org/apache/catalina/realm/LocalStrings_ja.properties +++ b/java/org/apache/catalina/realm/LocalStrings_ja.properties 
@@ -60,13 +60,6 @@ jaasRealm.unexpectedError=予期せぬエラー jaasRealm.userPrincipalFailure=有効なユーザープリンシパルが見つかりません。 jaasRealm.userPrincipalSuccess=プリンシパル[{0}]は有効なユーザークラスです。 これをユーザープリンシパルとして使用します。 -jdbcRealm.authenticateFailure=ユーザ名 [{0}] は認証に失敗しました -jdbcRealm.authenticateSuccess=ユーザ名 [{0}] は認証に成功しました -jdbcRealm.close=データベース接続クローズ中の例外です -jdbcRealm.exception=認証実行中の例外です -jdbcRealm.open=データベース接続オープン中に例外が発生しました -jdbcRealm.open.invalidurl=ドライバー [{0}] は url [{1}] に対応していません。 - jndiRealm.authenticateFailure=ユーザ名 [{0}] は認証に失敗しました jndiRealm.authenticateSuccess=ユーザ名 [{0}] は認証に成功しました jndiRealm.cipherSuites=TLS 接続で暗号スイート [{0}] を有効化しました。 diff --git a/java/org/apache/catalina/realm/LocalStrings_ko.properties b/java/org/apache/catalina/realm/LocalStrings_ko.properties index a3cfcc2..8946f62 100644 --- a/java/org/apache/catalina/realm/LocalStrings_ko.properties +++ b/java/org/apache/catalina/realm/LocalStrings_ko.properties @@ -60,13 +60,6 @@ jaasRealm.unexpectedError=예기치 않은 오류 jaasRealm.userPrincipalFailure=유효한 사용자 Principal을 찾을 수 없습니다. jaasRealm.userPrincipalSuccess=Principal [{0}]은(는) 유효한 사용자 클래스입니다. 이를 사용자 Principal로 사용하겠습니다. -jdbcRealm.authenticateFailure=사용자명 [{0}]이(가) 성공적으로 인증되지 못했습니다. -jdbcRealm.authenticateSuccess=사용자명 [{0}]이(가) 성공적으로 인증되었습니다. -jdbcRealm.close=데이터베이스 연결을 닫는 중 예외 발생 -jdbcRealm.exception=인증 처리 수행 중 예외 발생 -jdbcRealm.open=데이터베이스 연결을 여는 중 예외 발생 -jdbcRealm.open.invalidurl=드라이버 [{0}]은(는) URL [{1}]을(를) 지원하지 않습니다. - jndiRealm.authenticateFailure=사용자명 [{0}]이(가) 성공적으로 인증되지 못했습니다. jndiRealm.authenticateSuccess=사용자명 [{0}]이(가) 성공적으로 인증되었습니다. jndiRealm.cipherSuites=이 tls 연결을 위한 cipher suite들로서, [{0}]을(를) 사용 가능하게 합니다. diff --git a/java/org/apache/catalina/realm/LocalStrings_zh_CN.properties b/java/org/apache/catalina/realm/LocalStrings_zh_CN.properties index 36c5f22..f3d0b80 100644 --- a/java/org/apache/catalina/realm/LocalStrings_zh_CN.properties +++ b/java/org/apache/catalina/realm/LocalStrings_zh_CN.properties 
@@ -59,13 +59,6 @@ jaasRealm.unexpectedError=意外错误 jaasRealm.userPrincipalFailure=未发现有效的用户Principal jaasRealm.userPrincipalSuccess=主体[{0}]是有效的用户类。我们将其用作用户主体。 -jdbcRealm.authenticateFailure=用户名称[{0}]未校验成功 -jdbcRealm.authenticateSuccess=用户名[{0}]已成功通过身份验证 -jdbcRealm.close=关闭数据库连接异常 -jdbcRealm.exception=执行身份验证时发生异常 -jdbcRealm.open=打开数据库连接时发生异常 -jdbcRealm.open.invalidurl=驱动程序[{0}]不支持url[{1}]。 - jndiRealm.authenticateFailure=用户名[{0}]没有成功认证 jndiRealm.authenticateSuccess=用户名[{0}]成功认证 jndiRealm.cipherSuites=启用 [{0}] 作为 TLS 连接的加密套件。 diff --git a/java/org/apache/catalina/realm/mbeans-descriptors.xml b/java/org/apache/catalina/realm/mbeans-descriptors.xml index a75a66d..b2aa2c9 100644 --- a/java/org/apache/catalina/realm/mbeans-descriptors.xml +++ b/java/org/apache/catalina/realm/mbeans-descriptors.xml 
@@ -138,77 +138,6 @@ </mbean> - <mbean name="JDBCRealm" - description="Implementation of Realm that works with any JDBC supported database" - domain="Catalina" - group="Realm" - type="org.apache.catalina.realm.JDBCRealm"> - - <attribute name="allRolesMode" - description="The all roles mode." - type="java.lang.String"/> - - <attribute name="className" - description="Fully qualified class name of the managed object" - type="java.lang.String" - writeable="false"/> - - <attribute name="connectionName" - description="The connection username to use when trying to connect to the database" - type="java.lang.String"/> - - <attribute name="connectionPassword" - description="The connection password to use when trying to connect to the database" - type="java.lang.String"/> - - <attribute name="connectionURL" - description="The connection URL to use when trying to connect to the database" - type="java.lang.String"/> - - <attribute name="driverName" - description="The JDBC driver to use" - type="java.lang.String"/> - - <attribute name="roleNameCol" - description="The column in the user role table that names a role" - type="java.lang.String"/> - - <attribute name="realmPath" - description="The realm path" - type="java.lang.String"/> - - <attribute name="stateName" - description="The name of the LifecycleState that this component is currently in" - type="java.lang.String" - writeable="false"/> - - <attribute name="userCredCol" - description="The column in the user table that holds the user's credentials" - type="java.lang.String"/> - - <attribute name="userNameCol" - description="The column in the user table that holds the user's username" - type="java.lang.String"/> - - <attribute name="userRoleTable" - description="The table that holds the relation between user's and roles" - type="java.lang.String"/> - - <attribute name="userTable" - description="The table that holds user data" - type="java.lang.String"/> - - <attribute name="validate" - description="The 'validate certificate 
chains' flag." - type="boolean"/> - - - <operation name="start" description="Start" impact="ACTION" returnType="void" /> - <operation name="stop" description="Stop" impact="ACTION" returnType="void" /> - <operation name="init" description="Init" impact="ACTION" returnType="void" /> - <operation name="destroy" description="Destroy" impact="ACTION" returnType="void" /> - </mbean> - <mbean name="JNDIRealm" description="Implementation of Realm that works with a directory server accessed via the Java Naming and Directory Interface (JNDI) APIs" domain="Catalina" diff --git a/res/findbugs/filter-false-positives.xml b/res/findbugs/filter-false-positives.xml index 6d25bbd..322e1c8 100644 --- a/res/findbugs/filter-false-positives.xml +++ b/res/findbugs/filter-false-positives.xml @@ -345,10 +345,7 @@ </Match> <Match> <!-- SQL construction is safe since it is from trusted config --> - <Or> - <Class name="org.apache.catalina.realm.DataSourceRealm" /> - <Class name="org.apache.catalina.realm.JDBCRealm" /> - </Or> + <Class name="org.apache.catalina.realm.DataSourceRealm" /> <Or> <Method name="credentials" /> <Method name="getPassword" /> @@ -358,20 +355,6 @@ <Bug pattern="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING" /> </Match> <Match> - <Class name="org.apache.catalina.realm.JDBCRealm" /> - <Field name="containerLog" /> - <Bug code="IS" /> - </Match> - <Match> - <!-- Sync is protecting preparedRoles, not these fields --> - <Class name="org.apache.catalina.realm.JDBCRealm" /> - <Or> - <Field name="roleNameCol" /> - <Field name="userRoleTable" /> - </Or> - <Bug pattern="IS2_INCONSISTENT_SYNC " /> - </Match> - <Match> <!-- roles will be initialized in addAttributeValues --> <Class name="org.apache.catalina.realm.JNDIRealm" /> <Or> diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index 08e4480..444070a 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml 
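Review bot: The suppression comment kept on the DataSourceRealm `<Match>` in res/findbugs/filter-false-positives.xml (hunk at -345) says only "trusted config", which does not tell a later reader which inputs reach the SQL text or what would invalidate the exemption for `SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING`. Now that the `<Or>` is collapsed to a single class, the comment could be made specific, for example `<!-- SQL text is assembled only from the realm's configured table and column names (server.xml / JMX), never from request data -->`. The JDBCRealm descriptor removed elsewhere in this commit lists its table and column attributes without `writeable="false"`, so they appear to be settable over JMX. If DataSourceRealm's descriptor does the same (not visible here), JMX write access belongs inside the "trusted" boundary the comment relies on. The `<Match>` element's method list continues past the end of the hunk.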
@@ -1055,132 +1055,6 @@ </subsection> - <subsection name="JDBC Database Realm - org.apache.catalina.realm.JDBCRealm"> - - <p><strong>The JDBC Database Realm has been deprecated and will be removed - in Tomcat 10 onwards. Use the DataSourceRealm instead.</strong></p> - - <p>The <strong>JDBC Database Realm</strong> connects Tomcat to - a relational database, accessed through an appropriate JDBC driver, - to perform lookups of usernames, passwords, and their associated - roles. Because the lookup is done each time that it is required, - changes to the database will be immediately reflected in the - information used to authenticate new logins.</p> - - <p>Note: The <strong>JDBC Database Realm</strong> uses a single connection - to the database with synchronisation to prevenbt concurrent usage. It is not - recommended for production usage. Use the DataSource Realm instaead.</p> - - <p>A rich set of additional attributes lets you configure the required - connection to the underlying database, as well as the table and - column names used to retrieve the required information:</p> - - <attributes> - - <attribute name="allRolesMode" required="false"> - <p>This attribute controls how the special role name <code>*</code> is - handled when processing authorization constraints in web.xml. By - default, the specification compliant value of <code>strict</code> is - used which means that the user must be assigned one of the roles defined - in web.xml. 
The alternative values are <code>authOnly</code> which means - that the user must be authenticated but no check is made for assigned - roles and <code>strictAuthOnly</code> which means that the user must be - authenticated and no check will be made for assigned roles unless roles - are defined in web.xml in which case the user must be assigned at least - one of those roles.</p> - <p>When this attribute has the value of <code>authOnly</code> or - <code>strictAuthOnly</code>, the <strong>roleNameCol</strong> and - <strong>userRoleTable</strong> attributes become optional. If those two - attributes are omitted, the user's roles will not be loaded by this - Realm.</p> - </attribute> - - <attribute name="connectionName" required="true"> - <p>The database username to use when establishing the JDBC - connection.</p> - </attribute> - - <attribute name="connectionPassword" required="true"> - <p>The database password to use when establishing the JDBC - connection.</p> - </attribute> - - <attribute name="connectionURL" required="true"> - <p>The connection URL to be passed to the JDBC driver when - establishing a database connection.</p> - </attribute> - - <attribute name="driverName" required="true"> - <p>Fully qualified Java class name of the JDBC driver to be - used to connect to the authentication database.</p> - </attribute> - - <attribute name="roleNameCol" required="false"> - <p>Name of the column, in the "user roles" table, which contains - a role name assigned to the corresponding user.</p> - <p>This attribute is <strong>required</strong> in majority of - configurations. See <strong>allRolesMode</strong> attribute for - a rare case when it can be omitted.</p> - </attribute> - - <attribute name="stripRealmForGss" required="false"> - <p>When processing users authenticated via the GSS-API, this attribute - controls if any "@..." is removed from the end of the user - name. 
If not specified, the default is <code>true</code>.</p> - </attribute> - - <attribute name="transportGuaranteeRedirectStatus" required="false"> - <p>The HTTP status code to use when the container needs to issue an HTTP - redirect to meet the requirements of a configured transport - guarantee. The provided status code is not validated. If not - specified, the default value of <code>302</code> is used.</p> - </attribute> - - <attribute name="userCredCol" required="true"> - <p>Name of the column, in the "users" table, which contains - the user's credentials (i.e. password). If a - <code>CredentialHandler</code> is specified, this component - will assume that the passwords have been encoded with the - specified algorithm. Otherwise, they will be assumed to be - in clear text.</p> - </attribute> - - <attribute name="userNameCol" required="true"> - <p>Name of the column, in the "users" and "user roles" table, - that contains the user's username.</p> - </attribute> - - <attribute name="userRoleTable" required="false"> - <p>Name of the "user roles" table, which must contain columns - named by the <code>userNameCol</code> and <code>roleNameCol</code> - attributes.</p> - <p>This attribute is <strong>required</strong> in majority of - configurations. See <strong>allRolesMode</strong> attribute for - a rare case when it can be omitted.</p> - </attribute> - - <attribute name="userTable" required="true"> - <p>Name of the "users" table, which must contain columns named - by the <code>userNameCol</code> and <code>userCredCol</code> - attributes.</p> - </attribute> - - <attribute name="X509UsernameRetrieverClassName" required="false"> - <p>When using X509 client certificates, this specifies the class name - that will be used to retrieve the user name from the certificate. - The class must implement the - <code>org.apache.catalina.realm.X509UsernameRetriever</code> - interface. 
The default is to use the certificate's SubjectDN - as the username.</p> - </attribute> - </attributes> - - <p>See the <a href="../realm-howto.html">Container-Managed Security Guide</a> for more - information on setting up container managed security using the - JDBC Database Realm component.</p> - - </subsection> - </section> diff --git a/webapps/docs/manager-howto.xml b/webapps/docs/manager-howto.xml index 351e89b..61be235 100644 --- a/webapps/docs/manager-howto.xml +++ b/webapps/docs/manager-howto.xml @@ -181,7 +181,7 @@ Exactly how the usernames/passwords are configured depends on which add the <strong>manager-script</strong> role to the comma-delimited <code>roles</code> attribute for one or more existing users, and/or create new users with that assigned role.</li> -<li><em>DataSourceRealm</em> or <em>JDBCRealm</em> +<li><em>DataSourceRealm</em> — Your user and role information is stored in a database accessed via JDBC. Add the <strong>manager-script</strong> role to one or more existing users, and/or create one or more new users diff --git a/webapps/docs/realm-howto.xml b/webapps/docs/realm-howto.xml index adad6aa..1cd8567 100644 --- a/webapps/docs/realm-howto.xml +++ b/webapps/docs/realm-howto.xml @@ -84,8 +84,6 @@ can be implemented by "plug in" components to establish this connection. Six standard plug-ins are provided, supporting connections to various sources of authentication information:</p> <ul> -<li><a href="#JDBCRealm">JDBCRealm</a> - Accesses authentication information - stored in a relational database, accessed via a JDBC driver.</li> <li><a href="#DataSourceRealm">DataSourceRealm</a> - Accesses authentication information stored in a relational database, accessed via a named JNDI JDBC DataSource.</li> 
@@ -1111,117 +1109,6 @@ functionality to a UserDatabase Realm.</p> </subsection> -<subsection name="JDBCRealm"> - -<h5>Introduction</h5> - -<p><strong>The JDBC Database Realm has been deprecated and will be removed -in Tomcat 10 onwards. Use the DataSourceRealm instead.</strong></p> - -<p><strong>JDBCRealm</strong> is an implementation of the Tomcat -<code>Realm</code> interface that looks up users in a relational database -accessed via a JDBC driver. There is substantial configuration flexibility -that lets you adapt to existing table and column names, as long as your -database structure conforms to the following requirements:</p> -<ul> -<li>There must be a table, referenced below as the <em>users</em> table, - that contains one row for every valid user that this <code>Realm</code> - should recognize.</li> -<li>The <em>users</em> table must contain at least two columns (it may - contain more if your existing applications required it): - <ul> - <li>Username to be recognized by Tomcat when the user logs in.</li> - <li>Password to be recognized by Tomcat when the user logs in. - This value may in cleartext or digested - see below for more - information.</li> - </ul></li> -<li>There must be a table, referenced below as the <em>user roles</em> table, - that contains one row for every valid role that is assigned to a - particular user. 
It is legal for a user to have zero, one, or more than - one valid role.</li> -<li>The <em>user roles</em> table must contain at least two columns (it may - contain more if your existing applications required it): - <ul> - <li>Username to be recognized by Tomcat (same value as is specified - in the <em>users</em> table).</li> - <li>Role name of a valid role associated with this user.</li> - </ul></li> -</ul> - -<h5>Quick Start</h5> - -<p>To set up Tomcat to use JDBCRealm, you will need to follow these steps:</p> -<ol> -<li>If you have not yet done so, create tables and columns in your database - that conform to the requirements described above.</li> -<li>Configure a database username and password for use by Tomcat, that has - at least read only access to the tables described above. (Tomcat will - never attempt to write to these tables.)</li> -<li>Place a copy of the JDBC driver you will be using inside the - <code>$CATALINA_HOME/lib</code> directory. - Note that <strong>only</strong> JAR files are recognized!</li> -<li>Set up a <code><Realm></code> element, as described below, in your - <code>$CATALINA_BASE/conf/server.xml</code> file.</li> -<li>Restart Tomcat if it is already running.</li> -</ol> - -<h5>Realm Element Attributes</h5> - -<p>To configure JDBCRealm, you will create a <code><Realm></code> -element and nest it in your <code>$CATALINA_BASE/conf/server.xml</code> file, -as described <a href="#Configuring_a_Realm">above</a>. 
The attributes for the -JDBCRealm are defined in the <a href="config/realm.html">Realm</a> configuration -documentation.</p> - -<h5>Example</h5> - -<p>An example SQL script to create the needed tables might look something -like this (adapt the syntax as required for your particular database):</p> -<source>create table users ( - user_name varchar(15) not null primary key, - user_pass varchar(15) not null -); - -create table user_roles ( - user_name varchar(15) not null, - role_name varchar(15) not null, - primary key (user_name, role_name) -);</source> - -<p>Example <code>Realm</code> elements are included (commented out) in the -default <code>$CATALINA_BASE/conf/server.xml</code> file. Here's an example -for using a MySQL database called "authority", configured with the tables -described above, and accessed with username "dbuser" and password "dbpass":</p> -<source><![CDATA[<Realm className="org.apache.catalina.realm.JDBCRealm" - driverName="org.gjt.mm.mysql.Driver" - connectionURL="jdbc:mysql://localhost/authority?user=dbuser&password=dbpass" - userTable="users" userNameCol="user_name" userCredCol="user_pass" - userRoleTable="user_roles" roleNameCol="role_name"/>]]></source> - -<h5>Additional Notes</h5> - -<p>JDBCRealm operates according to the following rules:</p> -<ul> -<li>When a user attempts to access a protected resource for the first time, - Tomcat will call the <code>authenticate()</code> method of this - <code>Realm</code>. Thus, any changes you have made to the database - directly (new users, changed passwords or roles, etc.) will be immediately - reflected.</li> -<li>Once a user has been authenticated, the user (and his or her associated - roles) are cached within Tomcat for the duration of the user's login. - (For FORM-based authentication, that means until the session times out or - is invalidated; for BASIC authentication, that means until the user - closes their browser). 
The cached user is <strong>not</strong> saved and - restored across sessions serialisations. Any changes to the database - information for an already authenticated user will <strong>not</strong> be - reflected until the next time that user logs on again.</li> -<li>Administering the information in the <em>users</em> and <em>user roles</em> - table is the responsibility of your own applications. Tomcat does not - provide any built-in capabilities to maintain users and roles.</li> -</ul> - -</subsection> - </section> </body> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index 0eddda6..34c62da 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -440,10 +440,6 @@ <p>The MemoryRealm is not intended for production use as any changes to tomcat-users.xml require a restart of Tomcat to take effect.</p> - <p>The JDBCRealm is not recommended for production use as it is single - threaded for all authentication and authorization options. Use the - DataSourceRealm instead.</p> - <p>The UserDatabaseRealm is not intended for large-scale installations. It is intended for small-scale, relatively static environments.</p> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org