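        /**
         * Grants a service ticket for <c>service</c> from the ticket-granting ticket (TGT)
         * identified by <c>ticketGrantingTicketId</c>.
         *
         * The TGT must exist and not be expired; the service must be registered and enabled,
         * must be allowed to use SSO when no credentials are supplied and the TGT has already
         * been used, and must be allowed to proxy when the TGT carries a chained authentication.
         * When credentials are supplied they are re-authenticated and must resolve to the same
         * principal and attributes as the TGT's original authentication.
         *
         * @param ticketGrantingTicketId id of the TGT held in the ticket registry; must not be null.
         * @param service the service requesting the ticket; must not be null.
         * @param credentials optional credentials; null means "rely on the existing SSO session".
         * @return the id of the newly granted service ticket.
         * @throws System.ArgumentNullException if ticketGrantingTicketId or service is null.
         * @throws InvalidTicketException if the TGT is unknown, not a TGT, or expired
         *         (an expired TGT is also removed from the registry).
         * @throws UnauthorizedServiceException if the service is not registered or is disabled.
         * @throws UnauthorizedSsoServiceException if the service may not use SSO and no
         *         credentials were supplied for an already-used TGT.
         * @throws UnauthorizedProxyingException if the TGT is a proxy chain and the service
         *         is not allowed to proxy.
         * @throws TicketCreationException if the supplied credentials fail to authenticate or
         *         do not match the TGT's original authentication.
         * @throws System.InvalidOperationException if no ticket id generator is configured
         *         for the runtime type of <c>service</c>.
         */
        //@Audit(
        //    action="SERVICE_TICKET",
        //    actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
        //    resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
        //@Profiled(tag="GRANT_SERVICE_TICKET", logFailuresSeparately = false)
        //@Transactional(readOnly = false)
        public string grantServiceTicket(string ticketGrantingTicketId, Service service, Credentials credentials)
        {
            // Enforce the documented contract up front instead of letting a null surface later
            // as a NullReferenceException deep inside the registry / services-manager calls.
            if (ticketGrantingTicketId == null)
            {
                throw new System.ArgumentNullException("ticketGrantingTicketId", "ticketGrantingticketId cannot be null");
            }
            if (service == null)
            {
                throw new System.ArgumentNullException("service", "service cannot be null");
            }

            // `as` instead of a hard cast: a registry entry that is not a TGT is treated like a
            // missing ticket (fail closed) rather than escaping as an InvalidCastException.
            TicketGrantingTicket ticketGrantingTicket =
                this.ticketRegistry.getTicket(ticketGrantingTicketId, typeof(TicketGrantingTicket)) as TicketGrantingTicket;

            if (ticketGrantingTicket == null)
            {
                throw new InvalidTicketException();
            }

            // The expiry check and the cleanup of an expired TGT run under the ticket's monitor;
            // the grant further down is performed outside the lock, as in the original code.
            lock (ticketGrantingTicket)
            {
                if (ticketGrantingTicket.isExpired())
                {
                    this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
                    throw new InvalidTicketException();
                }
            }

            RegisteredService registeredService = this.servicesManager.findServiceBy(service);

            if (registeredService == null || !registeredService.isEnabled())
            {
                //log.warn("ServiceManagement: Unauthorized Service Access. Service [" + service.getId() + "] not found in Service Registry.");
                throw new UnauthorizedServiceException();
            }

            // A service that may not participate in SSO must present credentials once the TGT
            // has already been used to issue a ticket.
            if (!registeredService.isSsoEnabled() && credentials == null &&
                ticketGrantingTicket.getCountOfUses() > 0)
            {
                //log.warn("ServiceManagement: Service Not Allowed to use SSO.  Service [" + service.getId() + "]");
                throw new UnauthorizedSsoServiceException();
            }

            //CAS-1019: more than one chained authentication means this TGT is a proxy-granting ticket.
            List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();

            if (authns.Count > 1 && !registeredService.isAllowedToProxy())
            {
                // .NET composite formatting uses {n} placeholders; the printf-style "%s" used
                // previously was emitted literally, so the ids never reached the message.
                string message = string.Format(
                    "ServiceManagement: Service Attempted to Proxy, but is not allowed. Service: [{0}] | Registered Service: [{1}]",
                    service.getId(), registeredService.ToString());
                //log.warn(message);
                throw new UnauthorizedProxyingException(message);
            }

            if (credentials != null)
            {
                try
                {
                    Authentication authentication = this.authenticationManager.authenticate(credentials);
                    Authentication originalAuthentication = ticketGrantingTicket.getAuthentication();

                    // NOTE(review): this is a content comparison only if the principal and attribute
                    // types override Equals; for a plain Dictionary it is reference equality and
                    // rejects every re-authentication. Either way the mismatch fails closed —
                    // confirm against the Authentication type.
                    bool samePrincipal = authentication.getPrincipal().Equals(originalAuthentication.getPrincipal());
                    bool sameAttributes = authentication.getAttributes().Equals(originalAuthentication.getAttributes());

                    if (!(samePrincipal && sameAttributes))
                    {
                        throw new TicketCreationException();
                    }
                }
                catch (AuthenticationException e)
                {
                    throw new TicketCreationException(e);
                }
            }

            // This lookup is brittle by depending on the runtime class name of the service
            // (future versions are expected to let services identify themselves). The key is
            // computed once, outside the predicate.
            string serviceTypeName = service.GetType().FullName;
            UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService
                                                                           .FirstOrDefault(x => x.Key == serviceTypeName).Value;

            // Without this guard a missing generator surfaces as a NullReferenceException on
            // getNewTicketId below; report the misconfiguration explicitly instead.
            if (serviceTicketUniqueTicketIdGenerator == null)
            {
                throw new System.InvalidOperationException(
                    string.Format("No UniqueTicketIdGenerator is configured for service type [{0}]", serviceTypeName));
            }

            ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket(
                serviceTicketUniqueTicketIdGenerator.getNewTicketId(TicketPrefix.ServiceTicket_PREFIX),
                service,
                this.serviceTicketExpirationPolicy,
                credentials != null);

            this.serviceTicketRegistry.addTicket(serviceTicket);

            //if (log.isInfoEnabled()) {
            //     List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications();
            //     string formatString = "Granted %s ticket [%s] for service [%s] for user [%s]";
            //     string type;
            //     string principalId = authentications.get(authentications.size()-1).getPrincipal().getId();

            //    if (authentications.size() == 1) {
            //        type = "service";

            //    } else {
            //        type = "proxy";
            //    }

            //    log.info(string.format(formatString, type, serviceTicket.getId(), service.getId(), principalId));
            //}

            return serviceTicket.getId();
        }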