예제 #1
0
        /// <summary>
        /// EndRequest is used to trigger the appropriate redirection.  There are
        /// currently three scenarios that require special redirections.
        /// <list>
        ///     <item>
        ///         Request is unauthenticated and is being routed to the FormsLoginUrl
        ///         (typically caused by UrlAuthorizationModule).  This request needs to
        ///         be intercepted to change the 'ReturnUrl' parameter to 'serviceName'
        ///     </item>
        ///     <item>
        ///         Request contains a CAS ticket in the URL.  This request needs to be
        ///         redirected back to itself without the 'ticket' parameter in order to
        ///         avoid potential infinite automatic ticket validation loops for when
        ///         a the ticket in the URL has expired or was revoked and the Renew
        ///         configuration parameter is set.
        ///     </item>
        ///     <item>
        ///         Request is authenticated, but is not authorized to access the
        ///         requested resource (by UrlAuthorizationModule).  If the CAS is
        ///         configured with a NotAuthorizedUrl, the request is redirected to
        ///         that page.  Otherwise, it is redirected to the CAS login page with
        ///         a forced 'Renew' property (to prevent infinite redirect loops).
        ///     </item>
        /// </list>
        /// </summary>
        /// <param name="sender">The HttpApplication that sent the request</param>
        /// <param name="e">Not used</param>
        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            HttpRequest request = context.Request;

            if (RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
            {
                logger.Debug("Starting EndRequest for " + request.RawUrl);

                if (RequestEvaluator.GetRequestRequiresGateway())
                {
                    logger.Info("  Performing Gateway Authentication");
                    CasAuthentication.GatewayAuthenticate(true);
                }
                else if (RequestEvaluator.GetUserDoesNotAllowSessionCookies())
                {
                    logger.Info("  Cookies not supported.  Redirecting to Cookies Required Page");
                    CasAuthentication.RedirectToCookiesRequiredPage();
                }
                else if (RequestEvaluator.GetRequestHasCasTicket())
                {
                    logger.Info("  Redirecting from login callback");
                    CasAuthentication.RedirectFromLoginCallback();
                }
                else if (RequestEvaluator.GetRequestHasGatewayParameter())
                {
                    logger.Info("  Redirecting from failed gateway callback");
                    CasAuthentication.RedirectFromFailedGatewayCallback();
                }
                else if (RequestEvaluator.GetRequestIsUnauthorized() && !String.IsNullOrEmpty(CasAuthentication.NotAuthorizedUrl))
                {
                    logger.Info("  Redirecting to Unauthorized Page");
                    CasAuthentication.RedirectToNotAuthorizedPage();
                }
                else if (RequestEvaluator.GetRequestIsUnauthorized())
                {
                    logger.Info("  Redirecting to CAS Login Page (Unauthorized without NotAuthorizedUrl defined)");
                    CasAuthentication.RedirectToLoginPage(true);
                }
                else if (RequestEvaluator.GetRequestIsUnAuthenticated())
                {
                    logger.Info("  Redirecting to CAS Login Page");
                    CasAuthentication.RedirectToLoginPage();
                }
                //Async post backs from UpdatePanels suppress the standard Forms Authentication redirect causing the above checks to fail.
                else if (RequestEvaluator.IsAsyncPostBackRequest() && !RequestEvaluator.CheckUrlAccessForCurrentPrincipal())
                {
                    context.Response.Redirect(UrlUtil.ConstructLoginRedirectUrl(false, CasAuthentication.Renew), false);
                }

                logger.Debug("Ending EndRequest for " + request.RawUrl);
            }
            else
            {
                logger.Debug("No EndRequest processing for " + request.RawUrl);
            }
        }
예제 #2
0
        /// <summary>
        /// EndRequest is used to trigger the appropriate redirection.  There are
        /// currently three scenarios that require special redirections.
        /// <list>
        ///     <item>
        ///         Request is unauthenticated and is being routed to the FormsLoginUrl
        ///         (typically caused by UrlAuthorizationModule).  This request needs to
        ///         be intercepted to change the 'ReturnUrl' parameter to 'serviceName'
        ///     </item>
        ///     <item>
        ///         Request contains a CAS ticket in the URL.  This request needs to be
        ///         redirected back to itself without the 'ticket' parameter in order to
        ///         avoid potential infinite automatic ticket validation loops for when
        ///         a the ticket in the URL has expired or was revoked and the Renew
        ///         configuration parameter is set.
        ///     </item>
        ///     <item>
        ///         Request is authenticated, but is not authorized to access the
        ///         requested resource (by UrlAuthorizationModule).  If the CAS is
        ///         configured with a NotAuthorizedUrl, the request is redirected to
        ///         that page.  Otherwise, it is redirected to the CAS login page with
        ///         a forced 'Renew' property (to prevent infinite redirect loops).
        ///     </item>
        /// </list>
        /// </summary>
        /// <param name="sender">The HttpApplication that sent the request</param>
        /// <param name="e">Not used</param>
        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            HttpRequest request = context.Request;

            if (RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
            {
                logger.Debug("Starting EndRequest for " + request.RawUrl);

                if (RequestEvaluator.GetRequestRequiresGateway())
                {
                    logger.Info("  Performing Gateway Authentication");
                    CasAuthentication.GatewayAuthenticate(true);
                }
                else if (RequestEvaluator.GetUserDoesNotAllowSessionCookies())
                {
                    logger.Info("  Cookies not supported.  Redirecting to Cookies Required Page");
                    CasAuthentication.RedirectToCookiesRequiredPage();
                }
                else if (RequestEvaluator.GetRequestHasCasTicket())
                {
                    logger.Info("  Redirecting from login callback");
                    CasAuthentication.RedirectFromLoginCallback();
                }
                else if (RequestEvaluator.GetRequestHasGatewayParameter())
                {
                    logger.Info("  Redirecting from failed gateway callback");
                    CasAuthentication.RedirectFromFailedGatewayCallback();
                }
                else if (RequestEvaluator.GetRequestIsUnauthorized() && !String.IsNullOrEmpty(CasAuthentication.NotAuthorizedUrl))
                {
                    logger.Info("  Redirecting to Unauthorized Page");
                    CasAuthentication.RedirectToNotAuthorizedPage();
                }
                else if (RequestEvaluator.GetRequestIsUnauthorized())
                {
                    logger.Info("  Redirecting to CAS Login Page (Unauthorized without NotAuthorizedUrl defined)");
                    CasAuthentication.RedirectToLoginPage(true);
                }
                else if (RequestEvaluator.GetRequestIsUnAuthenticated())
                {
                    logger.Info("  Redirecting to CAS Login Page");
                    CasAuthentication.RedirectToLoginPage();
                }

                logger.Debug("Ending EndRequest for " + request.RawUrl);
            }
            else
            {
                logger.Debug("No EndRequest processing for " + request.RawUrl);
            }
        }
        /// <summary>
        /// Intercepts the beginning of the request pipeline.  This will detect SingleSignOut
        /// requests.  SingleSignOut requests are posted back to the serviceName URL that
        /// was passed when the CAS session was established.  Since the behavior of the script
        /// at that URL is unknown, a POST back by the CAS server could have unexpected
        /// consequences.  We want to prevent this request from authenticating and from
        /// executing the HttpHandler typically associated with that URL.  So we are handling
        /// this by sending back an HTTP 200 (OK) message with a blank body and short
        /// circuiting all event processing and firing EndRequest directly
        /// (via CompleteRequest()).
        /// </summary>
        /// <param name="sender">The HttpApplication that sent the request</param>
        /// <param name="e">Not used</param>
        private static void OnBeginRequest(object sender, EventArgs e)
        {
            // Validate the ticket coming back from the CAS server (NETC-55)
            if (!RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
            {
                logger.Debug("BeginRequest bypassed for " + HttpContext.Current.Request.RawUrl);
                return;
            }

            CasAuthentication.Initialize();

            HttpContext context = HttpContext.Current;
            HttpRequest request = context.Request;

            logger.Debug("Starting BeginRequest for " + request.RawUrl);

            // Cleanup expired ServiceTickets in the ServiceTicketManager
            if (CasAuthentication.ServiceTicketManager != null)
            {
                CasAuthentication.ServiceTicketManager.RemoveExpiredTickets();
            }

            // Cleanup expired ProxyTicket mappings in the ProxyTicketManager
            if (CasAuthentication.ProxyTicketManager != null)
            {
                CasAuthentication.ProxyTicketManager.RemoveExpiredMappings();
            }

            // Detect & process inbound Single SignOut Requests from the CAS server
            if (CasAuthentication.ServiceTicketManager != null && CasAuthentication.ProcessIncomingSingleSignOutRequests && RequestEvaluator.GetRequestIsCasSingleSignOut())
            {
                logger.Info("Processing inbound Single Sign Out request.");
                CasAuthentication.ProcessSingleSignOutRequest();
                return;
            }

            // Detect & process inbound proxy callback verifications from the CAS server

            if (CasAuthentication.ProxyTicketManager != null && RequestEvaluator.GetRequestIsProxyResponse())
            {
                logger.Info("Processing Proxy Callback request");
                CasAuthentication.ProcessProxyCallbackRequest();
                return;
            }

            logger.Debug("Ending BeginRequest for " + request.RawUrl);
        }
예제 #4
0
        /// <summary>
        /// Handles the authentication of the request.
        ///
        /// If the request contains a ticket, this will validate the ticket and create a
        /// FormsAuthenticationTicket and encrypted cookie container for it.  It will redirect
        /// to remove the ticket from the URL.  With Forms-based authentication, this is
        /// required to prevent the client from automatically/silently re-authenticating on a
        /// refresh or after logout.
        ///
        /// If the request does not contain a ticket, it checks for a FormsAuthentication
        /// cookie, decrypts it, extracts the FormsAuthenticationTicket, verifies that it
        /// exists in the StateProvider/ServiceTicketManager, and assigns a Principal to the
        /// thread and context.User properties.  All events after this request become
        /// authenticated.
        /// </summary>
        /// <param name="sender">The HttpApplication that sent the request</param>
        /// <param name="e">Not used</param>
        private static void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpContext context = HttpContext.Current;
            HttpRequest request = context.Request;

            // Validate the ticket coming back from the CAS server
            if (!RequestEvaluator.GetRequestIsAppropriateForCasAuthentication())
            {
                logger.Debug("AuthenticateRequest bypassed for " + request.RawUrl);
                return;
            }

            // Validate the ticket coming back from the CAS server
            if (RequestEvaluator.GetRequestHasCasTicket())
            {
                logger.Info("Processing Proxy Callback request");
                CasAuthentication.ProcessTicketValidation();
            }

            logger.Debug("Starting AuthenticateRequest for " + request.RawUrl);
            CasAuthentication.ProcessRequestAuthentication();
            logger.Debug("Ending AuthenticateRequest for " + request.RawUrl);
        }