protected ModelAndView handleRequestInternal( HttpRequest request, HttpResponse response) { string ticketGrantingTicketId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(request); string service = request.QueryString[("service")]; if (ticketGrantingTicketId != null) { this.centralAuthenticationService .destroyTicketGrantingTicket(ticketGrantingTicketId); this.ticketGrantingTicketCookieGenerator.removeCookie(response); this.warnCookieGenerator.removeCookie(response); } if (this.followServiceRedirects && service != null) { RegisteredService rService = this.servicesManager.findServiceBy(new SimpleWebApplicationServiceImpl(service)); if (rService != null && rService.isEnabled()) { return(new ModelAndView(new RedirectView(service))); } } return(new ModelAndView(this.logoutView)); }
//public object clone() //{ // AbstractRegisteredService clone = newInstance(); // clone.copyFrom(this); // return clone; //} /** * Copies the properties of the source service into this instance. * * @param source Source service from which to copy properties. */ public void copyFrom(RegisteredService source) { this.setId(source.getId()); this.setAllowedAttributes(new List <string>(source.getAllowedAttributes())); this.setAllowedToProxy(source.isAllowedToProxy()); this.setDescription(source.getDescription()); this.setEnabled(source.isEnabled()); this.setName(source.getName()); this.setServiceId(source.getServiceId()); this.setSsoEnabled(source.isSsoEnabled()); this.setTheme(source.getTheme()); this.setAnonymousAccess(source.isAnonymousAccess()); this.setIgnoreAttributes(source.isIgnoreAttributes()); this.setEvaluationOrder(source.getEvaluationOrder()); this.setUsernameAttribute(source.getUsernameAttribute()); }
/** * @throws IllegalArgumentException if the ServiceTicketId or the * Credentials are null. */ //@Audit( // action="PROXY_GRANTING_TICKET", // actionResolverName="GRANT_PROXY_GRANTING_TICKET_RESOLVER", // resourceResolverName="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER") //@Profiled(tag="GRANT_PROXY_GRANTING_TICKET",logFailuresSeparately = false) //@Transactional(readOnly = false) public string delegateTicketGrantingTicket(string serviceTicketId, Credentials credentials) { //Assert.notNull(serviceTicketId, "serviceTicketId cannot be null"); //Assert.notNull(credentials, "credentials cannot be null"); try { Authentication authentication = this.authenticationManager .authenticate(credentials); ServiceTicket serviceTicket; serviceTicket = (ServiceTicket)this.serviceTicketRegistry.getTicket(serviceTicketId, typeof(ServiceTicket)); if (serviceTicket == null || serviceTicket.isExpired()) { throw new InvalidTicketException(); } RegisteredService registeredService = this.servicesManager .findServiceBy(serviceTicket.getService()); if (registeredService == null || !registeredService.isEnabled() || !registeredService.isAllowedToProxy()) { //log.warn("ServiceManagement: Service Attempted to Proxy, but is not allowed. Service: [" + serviceTicket.getService().getId() + "]"); throw new UnauthorizedProxyingException(); } TicketGrantingTicket ticketGrantingTicket = serviceTicket .grantTicketGrantingTicket( this.ticketGrantingTicketUniqueTicketIdGenerator .getNewTicketId(TicketPrefix.TicketGrantingTicket_PREFIX), authentication, this.ticketGrantingTicketExpirationPolicy); this.ticketRegistry.addTicket(ticketGrantingTicket); return(ticketGrantingTicket.getId()); } catch (AuthenticationException e) { throw new TicketCreationException(e); } }
/** * @throws IllegalArgumentException if the ServiceTicketId or the Service * are null. */ //@Audit( // action="SERVICE_TICKET_VALIDATE", // actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER", // resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER") //@Profiled(tag="VALIDATE_SERVICE_TICKET",logFailuresSeparately = false) //@Transactional(readOnly = false) public Assertion validateServiceTicket(string serviceTicketId, Service service) { //Assert.notNull(serviceTicketId, "serviceTicketId cannot be null"); //Assert.notNull(service, "service cannot be null"); ServiceTicket serviceTicket = (ServiceTicket)this.serviceTicketRegistry.getTicket(serviceTicketId, typeof(ServiceTicket)); RegisteredService registeredService = this.servicesManager.findServiceBy(service); if (registeredService == null || !registeredService.isEnabled()) { //log.warn("ServiceManagement: Service does not exist is not enabled, and thus not allowed to validate tickets. Service: [" + service.getId() + "]"); throw new UnauthorizedServiceException("Service not allowed to validate tickets."); } if (serviceTicket == null) { //log.info("ServiceTicket [" + serviceTicketId + "] does not exist."); throw new InvalidTicketException(); } try { lock (serviceTicket) { if (serviceTicket.isExpired()) { //log.info("ServiceTicket [" + serviceTicketId + "] has expired."); throw new InvalidTicketException(); } if (!serviceTicket.isValidFor(service)) { //log.error("ServiceTicket [" + serviceTicketId + "] with service [" + serviceTicket.getService().getId() + " does not match supplied service [" + service + "]"); throw new TicketValidationException(serviceTicket.getService()); } } List <Authentication> chainedAuthenticationsList = serviceTicket.getGrantingTicket().getChainedAuthentications(); Authentication authentication = chainedAuthenticationsList.ElementAt(chainedAuthenticationsList.Count() - 1); Principal principal = authentication.getPrincipal(); string principalId = this.determinePrincipalIdForRegisteredService(principal, registeredService, serviceTicket); Authentication authToUse; if (!registeredService.isIgnoreAttributes()) { Dictionary <string, Object> attributes = new Dictionary <string, Object>(); foreach (string attribute in registeredService.getAllowedAttributes()) { Object value = principal.getAttributes().FirstOrDefault(x => x.Key == attribute).Value; if (value != null) { attributes.Add(attribute, value); } } Principal modifiedPrincipal = new SimplePrincipal(principalId, attributes); MutableAuthentication mutableAuthentication = new MutableAuthentication(modifiedPrincipal, authentication.getAuthenticatedDate()); var mutableAuthenticationattributes = mutableAuthentication.getAttributes(); var U = mutableAuthentication.getAttributes().Concat(authentication.getAttributes()); mutableAuthentication.Attributes = U.ToDictionary(x => x.Key, x => x.Value); mutableAuthentication.AuthenticatedDate = authentication.getAuthenticatedDate(); //mutableAuthentication.getAuthenticatedDate() = authentication.getAuthenticatedDate(); authToUse = mutableAuthentication; } else { Principal modifiedPrincipal = new SimplePrincipal(principalId, principal.getAttributes()); authToUse = new MutableAuthentication(modifiedPrincipal, authentication.getAuthenticatedDate()); } List <Authentication> authentications = new List <Authentication>(); for (int i = 0; i < chainedAuthenticationsList.Count() - 1; i++) { authentications.Add(serviceTicket.getGrantingTicket().getChainedAuthentications().ElementAt(i)); } authentications.Add(authToUse); return(new ImmutableAssertionImpl(authentications, serviceTicket.getService(), serviceTicket.isFromNewLogin())); } finally { if (serviceTicket.isExpired()) { this.serviceTicketRegistry.deleteTicket(serviceTicketId); } } }
/** * @throws IllegalArgumentException if TicketGrantingTicket ID, Credentials * or Service are null. */ //@Audit( // action="SERVICE_TICKET", // actionResolverName="GRANT_SERVICE_TICKET_RESOLVER", // resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER") //@Profiled(tag="GRANT_SERVICE_TICKET", logFailuresSeparately = false) //@Transactional(readOnly = false) public string grantServiceTicket(string ticketGrantingTicketId, Service service, Credentials credentials) { //Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null"); //Assert.notNull(service, "service cannot be null"); TicketGrantingTicket ticketGrantingTicket; ticketGrantingTicket = (TicketGrantingTicket)this.ticketRegistry.getTicket(ticketGrantingTicketId, typeof(TicketGrantingTicket)); if (ticketGrantingTicket == null) { throw new InvalidTicketException(); } lock (ticketGrantingTicket) { if (ticketGrantingTicket.isExpired()) { this.ticketRegistry.deleteTicket(ticketGrantingTicketId); throw new InvalidTicketException(); } } RegisteredService registeredService = this.servicesManager .findServiceBy(service); if (registeredService == null || !registeredService.isEnabled()) { //log.warn("ServiceManagement: Unauthorized Service Access. Service [" + service.getId() + "] not found in Service Registry."); throw new UnauthorizedServiceException(); } if (!registeredService.isSsoEnabled() && credentials == null && ticketGrantingTicket.getCountOfUses() > 0) { //log.warn("ServiceManagement: Service Not Allowed to use SSO. Service [" + service.getId() + "]"); throw new UnauthorizedSsoServiceException(); } //CAS-1019 List <Authentication> authns = ticketGrantingTicket.getChainedAuthentications(); if (authns.Count > 1) { if (!registeredService.isAllowedToProxy()) { string message = string.Format("ServiceManagement: Service Attempted to Proxy, but is not allowed. Service: [%s] | Registered Service: [%s]", service.getId(), registeredService.ToString()); //log.warn(message); throw new UnauthorizedProxyingException(message); } } if (credentials != null) { try { Authentication authentication = this.authenticationManager .authenticate(credentials); Authentication originalAuthentication = ticketGrantingTicket.getAuthentication(); if (!(authentication.getPrincipal().Equals(originalAuthentication.getPrincipal()) && authentication.getAttributes().Equals(originalAuthentication.getAttributes()))) { throw new TicketCreationException(); } } catch (AuthenticationException e) { throw new TicketCreationException(e); } } // this code is a bit brittle by depending on the class name. Future versions (i.e. CAS4 will know inherently how to identify themselves) UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService .FirstOrDefault(x => x.Key == service.GetType().FullName).Value; ServiceTicket serviceTicket = ticketGrantingTicket .grantServiceTicket(serviceTicketUniqueTicketIdGenerator .getNewTicketId(TicketPrefix.ServiceTicket_PREFIX), service, this.serviceTicketExpirationPolicy, credentials != null); this.serviceTicketRegistry.addTicket(serviceTicket); //if (log.isInfoEnabled()) { // List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications(); // string formatString = "Granted %s ticket [%s] for service [%s] for user [%s]"; // string type; // string principalId = authentications.get(authentications.size()-1).getPrincipal().getId(); // if (authentications.size() == 1) { // type = "service"; // } else { // type = "proxy"; // } // log.info(string.format(formatString, type, serviceTicket.getId(), service.getId(), principalId)); //} return(serviceTicket.getId()); }
//public object clone() //{ // AbstractRegisteredService clone = newInstance(); // clone.copyFrom(this); // return clone; //} /** * Copies the properties of the source service into this instance. * * @param source Source service from which to copy properties. */ public void copyFrom(RegisteredService source) { this.setId(source.getId()); this.setAllowedAttributes(new List<string>(source.getAllowedAttributes())); this.setAllowedToProxy(source.isAllowedToProxy()); this.setDescription(source.getDescription()); this.setEnabled(source.isEnabled()); this.setName(source.getName()); this.setServiceId(source.getServiceId()); this.setSsoEnabled(source.isSsoEnabled()); this.setTheme(source.getTheme()); this.setAnonymousAccess(source.isAnonymousAccess()); this.setIgnoreAttributes(source.isIgnoreAttributes()); this.setEvaluationOrder(source.getEvaluationOrder()); this.setUsernameAttribute(source.getUsernameAttribute()); }