/// <summary>
/// Validates the CAS service ticket carried by the current request (normally
/// placed there by the CAS server after a successful login) using the configured
/// TicketValidator (CAS 1.0, CAS 2.0 or SAML 1.0). On success a
/// FormsAuthenticationTicket is issued as the authentication cookie, a matching
/// CasAuthenticationTicket is built (and, when a ServiceTicketManager is
/// configured, stored server-side with the same expiration), and the request is
/// short-circuited to EndRequest so no Page/Handler runs while the artifact is
/// still in the URL. On a TicketValidationException the error is logged and the
/// request continues with its authentication state unchanged (generally the
/// user is and remains anonymous).
/// </summary>
internal static void ProcessTicketValidation()
{
    HttpContext httpContext = HttpContext.Current;
    HttpApplication application = httpContext.ApplicationInstance;
    HttpRequest httpRequest = httpContext.Request;

    // NOTE(review): the HttpRequest indexer searches QueryString, Form, Cookies and
    // ServerVariables (in that order), so the artifact is not restricted to the query string.
    string serviceTicket = httpRequest[TicketValidator.ArtifactParameterName];

    try
    {
        // Resolve the ticket to a principal; a failed validation surfaces as TicketValidationException.
        ICasPrincipal principal = TicketValidator.Validate(serviceTicket);

        // The service URL is recorded without the CAS artifact.
        string serviceUrl = UrlUtil.RemoveCasArtifactsFromUrl(httpRequest.Url.AbsoluteUri);
        CasAuthenticationTicket authTicket = new CasAuthenticationTicket(
            serviceTicket,
            serviceUrl,
            httpRequest.UserHostAddress,
            principal.Assertion);

        bool hasProxyGrantingTicket = ProxyTicketManager != null
            && !string.IsNullOrEmpty(principal.ProxyGrantingTicket);
        if (hasProxyGrantingTicket)
        {
            // The validator returns the PGT IOU; the PGT itself is looked up from the
            // ProxyTicketManager by that IOU and only recorded when one has arrived.
            authTicket.ProxyGrantingTicketIou = principal.ProxyGrantingTicket;
            authTicket.Proxies.AddRange(principal.Proxies);

            string resolvedProxyGrantingTicket = ProxyTicketManager.GetProxyGrantingTicket(authTicket.ProxyGrantingTicketIou);
            if (!string.IsNullOrEmpty(resolvedProxyGrantingTicket))
            {
                authTicket.ProxyGrantingTicket = resolvedProxyGrantingTicket;
            }
        }

        // TODO: Check the last 2 parameters. We want to take the from/to dates from the
        // FormsAuthenticationTicket. However, we may need to do some clock drift correction.
        // NOTE(review): the raw service ticket is passed into the forms ticket (presumably as
        // user data) and therefore travels inside the encrypted cookie — confirm against
        // CreateFormsAuthenticationTicket.
        FormsAuthenticationTicket formsAuthTicket = CreateFormsAuthenticationTicket(
            principal.Identity.Name,
            FormsAuthentication.FormsCookiePath,
            serviceTicket,
            null,
            null);
        SetAuthCookie(formsAuthTicket);

        // Keep the server-side copy's lifetime aligned with the cookie's (if a store is configured).
        if (ServiceTicketManager != null)
        {
            ServiceTicketManager.UpdateTicketExpiration(authTicket, formsAuthTicket.Expiration);
        }

        // Skip the Page/Handler entirely; EndRequest redirects back to the URL without the ticket.
        application.CompleteRequest();
        return;
    }
    catch (TicketValidationException e)
    {
        // Not necessarily an attack: this might not have been a CAS service ticket at all.
        // The request proceeds with its prior identity. Note the exception text is logged
        // verbatim and may include the ticket value — treat these logs as sensitive.
        protoLogger.Error("Ticket validation error: " + e);
    }
}
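/// <summary>
/// Serializes a fixed set of CAS assertion attributes (mail, depart,
/// groupEmployeeID, company, name, empNo, userName, displayName, telephone)
/// into the XML produced by <see cref="PccMsg"/>. An attribute that is absent,
/// has no values, or whose first value is null/empty is emitted as an empty node,
/// so the output shape is stable for consumers. The method name keeps its
/// historical spelling for compatibility with existing callers.
/// </summary>
/// <param name="ticket">The authenticated ticket whose assertion attributes are read;
/// a null ticket, assertion or attribute collection yields all-empty nodes.</param>
/// <returns>The XML string returned by <c>PccMsg.GetXmlStr</c>, one node per attribute
/// in the order listed above.</returns>
private string GetTicketInfomation(CasAuthenticationTicket ticket)
{
    // Node order is part of the output contract; keep it exactly as consumers expect.
    string[] attributeNames =
    {
        "mail", "depart", "groupEmployeeID", "company", "name",
        "empNo", "userName", "displayName", "telephone"
    };

    PccMsg myMsg = new PccMsg();
    foreach (string attributeName in attributeNames)
    {
        // NOTE(review): values originate from the CAS server's assertion and are written
        // into XML; this relies on CreateFirstNode escaping them — confirm in PccMsg.
        myMsg.CreateFirstNode(attributeName, FirstAttributeValueOrEmpty(ticket, attributeName));
    }
    return myMsg.GetXmlStr;
}

/// <summary>
/// Returns the first value of the named assertion attribute, or <see cref="string.Empty"/>
/// when the ticket, its assertion, the attribute collection, the attribute's value list
/// or the first value is missing or empty. Explicit null/empty checks replace the former
/// blanket <c>catch { }</c> blocks, so only genuinely unexpected failures propagate.
/// </summary>
/// <param name="ticket">The ticket to read from; may be null.</param>
/// <param name="attributeName">The assertion attribute key to look up.</param>
/// <returns>The first non-empty value, or an empty string.</returns>
private static string FirstAttributeValueOrEmpty(CasAuthenticationTicket ticket, string attributeName)
{
    if (ticket == null || ticket.Assertion == null || ticket.Assertion.Attributes == null)
    {
        return string.Empty;
    }

    System.Collections.Generic.IList<string> values;
    if (!ticket.Assertion.Attributes.TryGetValue(attributeName, out values) || values == null || values.Count == 0)
    {
        // Previously an empty list made values[0] throw and was swallowed; handle it explicitly.
        return string.Empty;
    }

    // A present-but-empty first value is treated the same as an absent attribute.
    string first = values[0];
    return string.IsNullOrEmpty(first) ? string.Empty : first;
}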
/// <summary>
/// Replaces the stored copy of <paramref name="casAuthenticationTicket"/> with one
/// carrying <paramref name="newExpiration"/>. The existing entry for the ticket's
/// ServiceTicket is revoked and the ticket is then inserted again, so (provided
/// RevokeTicket tolerates a missing entry) a ticket that was not in the store is
/// inserted rather than skipped.
/// </summary>
/// <param name="casAuthenticationTicket">The ticket whose expiration is being updated</param>
/// <param name="newExpiration">The new expiration date and time</param>
/// <exception cref="ArgumentNullException">casAuthenticationTicket is null</exception>
public void UpdateTicketExpiration(CasAuthenticationTicket casAuthenticationTicket, DateTime newExpiration)
{
    CommonUtils.AssertNotNull(casAuthenticationTicket, "casAuthenticationTicket parameter cannot be null.");

    // NOTE(review): revoke followed by insert is not atomic; a concurrent VerifyClientTicket
    // for the same service ticket can observe the gap and fail — confirm this is acceptable.
    string serviceTicket = casAuthenticationTicket.ServiceTicket;
    RevokeTicket(serviceTicket);
    InsertTicket(casAuthenticationTicket, newExpiration);
}
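/// <summary>
/// Verifies that the supplied ticket exists in the ticket store and that its
/// identifying properties (NetId and assertion principal name) match the cached
/// copy. Comparisons are case-insensitive and ordinal: these are identifiers, not
/// user-visible text, so culture rules must not influence whether they match.
/// </summary>
/// <param name="casAuthenticationTicket">The ticket presented by the client</param>
/// <returns>
/// True if a ticket with the same ServiceTicket is in the store and its NetId and
/// principal name match the presented ticket; false when the ticket is missing or
/// any compared property differs. Every rejection is logged at Info.
/// </returns>
/// <exception cref="ArgumentNullException">casAuthenticationTicket is null</exception>
public bool VerifyClientTicket(CasAuthenticationTicket casAuthenticationTicket)
{
    CommonUtils.AssertNotNull(casAuthenticationTicket, "casAuthenticationTicket parameter cannot be null.");

    string incomingServiceTicket = casAuthenticationTicket.ServiceTicket;
    CasAuthenticationTicket cacheAuthTicket = GetTicket(incomingServiceTicket);
    if (cacheAuthTicket == null)
    {
        log.Info("Ticket {0} not found in cache. Never existed, expired, or removed via single sign out", incomingServiceTicket);
        return false;
    }

    // An entry found under this key but holding a different ServiceTicket is inconsistent;
    // reject it and leave a trace instead of failing silently.
    if (cacheAuthTicket.ServiceTicket != incomingServiceTicket)
    {
        log.Info("Ticket {0} resolved to a cached entry with a different service ticket.", incomingServiceTicket);
        return false;
    }

    if (!string.Equals(cacheAuthTicket.NetId, casAuthenticationTicket.NetId, StringComparison.OrdinalIgnoreCase))
    {
        log.Info("Username {0} in ticket {1} does not match cached value.", casAuthenticationTicket.NetId, incomingServiceTicket);
        return false;
    }

    // NOTE(review): assumes Assertion is non-null on both the presented and cached ticket — confirm.
    string incomingPrincipalName = casAuthenticationTicket.Assertion.PrincipalName;
    if (!string.Equals(cacheAuthTicket.Assertion.PrincipalName, incomingPrincipalName, StringComparison.OrdinalIgnoreCase))
    {
        // The format expects the principal name then the ticket; the previous version
        // passed NetId and the principal name, producing a misleading log line.
        log.Info("Principal name {0} in assertion of ticket {1} does not match cached value.", incomingPrincipalName, incomingServiceTicket);
        return false;
    }

    return true;
}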
/// <summary>
/// Stores <paramref name="casAuthenticationTicket"/> in the cache under the key
/// derived from its ServiceTicket (see GetTicketKey), with the entry expiring at
/// <paramref name="expiration"/>. StoreMode.Set means the value is written whether
/// or not an entry for that key already exists.
/// </summary>
/// <param name="casAuthenticationTicket">The CasAuthenticationTicket to insert</param>
/// <param name="expiration">The date and time at which the cache entry expires</param>
/// <exception cref="ArgumentNullException">casAuthenticationTicket is null</exception>
public void InsertTicket(CasAuthenticationTicket casAuthenticationTicket, DateTime expiration)
{
    CommonUtils.AssertNotNull(casAuthenticationTicket, "casAuthenticationTicket parameter cannot be null.");

    string serviceTicket = casAuthenticationTicket.ServiceTicket;
    // NOTE(review): the raw service ticket value is written to the debug log; treat that
    // log output as sensitive or redact it where these logs are retained.
    log.Debug("Inserting service ticket:" + serviceTicket);
    client.Store(StoreMode.Set, GetTicketKey(serviceTicket), casAuthenticationTicket, expiration);
}