/// <summary>
        /// Consumes the CAS service ticket (artifact) carried by the current request.
        /// If the configured TicketValidator (CAS 1.0, CAS 2.0 or SAML 1.x) accepts it,
        /// the request becomes authenticated: a CasAuthenticationTicket is built from the
        /// resolved principal, a FormsAuthenticationTicket is issued as the auth cookie,
        /// the server-side ticket store (when configured) is updated, and the request is
        /// short-circuited to EndRequest so the artifact is stripped from the URL before
        /// any page or handler runs.  A validation failure is logged and leaves the
        /// request's authentication state untouched (normally: still anonymous).
        /// </summary>
        /// <remarks>
        /// Security notes (reviewer):
        ///  - The artifact is read through the HttpRequest indexer, which searches
        ///    QueryString, Form, Cookies and ServerVariables -- not only the query string
        ///    where CAS delivers it.  Any value is still validated against the CAS server,
        ///    so this is a precision concern rather than a bypass; confirm callers before
        ///    narrowing it to request.QueryString.
        ///  - Only TicketValidationException is handled.  Anything else thrown by the
        ///    validator or the ticket managers propagates to the ASP.NET pipeline.
        ///  - ICasPrincipal.ProxyGrantingTicket holds the PGT *IOU*; the real PGT is
        ///    resolved from the ProxyTicketManager by that IOU and may not exist yet.
        ///  - The logged exception text may include the rejected ticket value; service
        ///    tickets are single-use, but check the log sink's exposure anyway.
        /// </remarks>
        internal static void ProcessTicketValidation()
        {
            HttpContext httpContext = HttpContext.Current;
            HttpApplication application = httpContext.ApplicationInstance;
            HttpRequest httpRequest = httpContext.Request;

            // Parameter name depends on the protocol ("ticket" for CAS, "SAMLart" for SAML 1.x).
            string serviceTicket = httpRequest[TicketValidator.ArtifactParameterName];

            try
            {
                // Round-trip to the CAS server; a rejection surfaces as TicketValidationException.
                ICasPrincipal casPrincipal = TicketValidator.Validate(serviceTicket);

                // Bind the artifact-free service URL, the client address and the assertion to
                // the ticket so later requests can be checked against them.
                string serviceUrl = UrlUtil.RemoveCasArtifactsFromUrl(httpRequest.Url.AbsoluteUri);
                CasAuthenticationTicket authTicket = new CasAuthenticationTicket(
                    serviceTicket,
                    serviceUrl,
                    httpRequest.UserHostAddress,
                    casPrincipal.Assertion
                );

                if (ProxyTicketManager != null && !string.IsNullOrEmpty(casPrincipal.ProxyGrantingTicket))
                {
                    // The principal carries the IOU; the PGT itself arrives via the proxy
                    // callback and is only attached here if that callback has already landed.
                    authTicket.ProxyGrantingTicketIou = casPrincipal.ProxyGrantingTicket;
                    authTicket.Proxies.AddRange(casPrincipal.Proxies);

                    string resolvedProxyGrantingTicket = ProxyTicketManager.GetProxyGrantingTicket(authTicket.ProxyGrantingTicketIou);
                    if (!string.IsNullOrEmpty(resolvedProxyGrantingTicket))
                    {
                        authTicket.ProxyGrantingTicket = resolvedProxyGrantingTicket;
                    }
                }

                // TODO: Check the last 2 parameters.  We want to take the from/to dates from the FormsAuthenticationTicket.  However, we may need to do some clock drift correction.
                FormsAuthenticationTicket formsTicket = CreateFormsAuthenticationTicket(
                    casPrincipal.Identity.Name,
                    FormsAuthentication.FormsCookiePath,
                    serviceTicket,
                    null,
                    null);
                SetAuthCookie(formsTicket);

                // Mirror the cookie lifetime into the server-side store when one is configured.
                if (ServiceTicketManager != null)
                {
                    ServiceTicketManager.UpdateTicketExpiration(authTicket, formsTicket.Expiration);
                }

                // Skip the page/handler entirely; EndRequest redirects to the artifact-free URL.
                application.CompleteRequest();
            }
            catch (TicketValidationException validationError)
            {
                // Not necessarily hostile: the parameter may not have been a CAS ticket at all.
                protoLogger.Error("Ticket validation error: " + validationError);
            }
        }
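    /// <summary>
    /// Serialises a fixed set of CAS assertion attributes (mail, depart, groupEmployeeID,
    /// company, name, empNo, userName, displayName, telephone) into a PccMsg XML document.
    /// Every node is always emitted, in that order; an attribute that is absent, has no
    /// values, or whose first value is null/empty produces an empty node.
    /// </summary>
    /// <param name="ticket">The authenticated user's CAS ticket carrying the assertion.</param>
    /// <returns>The XML string produced by PccMsg.GetXmlStr.</returns>
    /// <remarks>
    /// Replaces nine copy-pasted try/catch-all blocks (which also hid a possible
    /// ArgumentOutOfRangeException on an empty value list) with one null-safe lookup
    /// that never throws for missing data, preserving the best-effort result.
    /// Reviewer note: the attribute values come from the CAS server's response and are
    /// handed to PccMsg.CreateFirstNode unmodified; whether that call XML-escapes them is
    /// not visible here -- confirm before the output is re-parsed by anything downstream.
    /// Only the first value of a multi-valued attribute is used.
    /// </remarks>
    private string GetTicketInfomation(CasAuthenticationTicket ticket)
    {
        PccMsg myMsg = new PccMsg();

        // Node order is part of the output format; keep it exactly as before.
        string[] attributeNames =
        {
            "mail", "depart", "groupEmployeeID", "company", "name",
            "empNo", "userName", "displayName", "telephone"
        };

        foreach (string attributeName in attributeNames)
        {
            myMsg.CreateFirstNode(attributeName, GetFirstAttributeValue(ticket, attributeName));
        }

        return myMsg.GetXmlStr;
    }

    /// <summary>
    /// Returns the first value of the named assertion attribute, or an empty string when the
    /// ticket, its assertion, the attribute map, the attribute, or its first value is missing
    /// or empty.  Never throws for absent data.
    /// </summary>
    /// <param name="ticket">The ticket whose assertion is inspected (may be null).</param>
    /// <param name="attributeName">The attribute key to look up.</param>
    /// <returns>The first non-empty value, or string.Empty.</returns>
    private static string GetFirstAttributeValue(CasAuthenticationTicket ticket, string attributeName)
    {
        if (ticket == null || ticket.Assertion == null || ticket.Assertion.Attributes == null)
        {
            return string.Empty;
        }

        System.Collections.Generic.IList<string> values;
        if (!ticket.Assertion.Attributes.TryGetValue(attributeName, out values)
            || values == null
            || values.Count == 0
            || string.IsNullOrEmpty(values[0]))
        {
            return string.Empty;
        }

        return values[0];
    }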
        /// <summary>
        /// Rewrites the store entry for <paramref name="casAuthenticationTicket"/> with
        /// <paramref name="newExpiration"/> as its expiry.  Implemented as revoke-then-insert,
        /// so the entry is (re)created even when it was not present beforehand -- note that this
        /// differs from the earlier wording of this method's documentation, which said a missing
        /// ticket is simply left alone.
        /// </summary>
        /// <param name="casAuthenticationTicket">The ticket whose store entry is rewritten.</param>
        /// <param name="newExpiration">The new expiration date and time.</param>
        /// <exception cref="ArgumentNullException">casAuthenticationTicket is null</exception>
        /// <remarks>
        /// Reviewer notes: revoke and insert are two separate store operations, so there is a
        /// brief window in which the ticket is absent from the store; and because the insert is
        /// unconditional, a ticket already removed by single sign-out would be resurrected if this
        /// were called for it afterwards -- confirm that callers only pass tickets that should be live.
        /// </remarks>
        public void UpdateTicketExpiration(CasAuthenticationTicket casAuthenticationTicket, DateTime newExpiration)
        {
            CommonUtils.AssertNotNull(casAuthenticationTicket, "casAuthenticationTicket parameter cannot be null.");

            string serviceTicket = casAuthenticationTicket.ServiceTicket;
            RevokeTicket(serviceTicket);
            InsertTicket(casAuthenticationTicket, newExpiration);
        }
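        /// <summary>
        /// Checks that the ticket presented by the client is still known to the ticket store and
        /// that its identity fields agree with the stored copy.
        /// </summary>
        /// <param name="casAuthenticationTicket">The ticket decoded from the client's cookie.</param>
        /// <returns>
        /// True only if an entry for the ticket's ServiceTicket exists in the store, carries the same
        /// ServiceTicket, and matches on NetId and Assertion.PrincipalName (case-insensitively).
        /// False when the entry is missing (never inserted, expired, or revoked by single sign-out)
        /// or when any of those fields differ.
        /// </returns>
        /// <exception cref="ArgumentNullException">casAuthenticationTicket is null</exception>
        /// <remarks>
        /// Fixes: the principal-name mismatch log line previously passed NetId as the "principal
        /// name" and the principal name as the "ticket" (its arguments were swapped).  Comparisons
        /// now use StringComparison.OrdinalIgnoreCase instead of the culture-sensitive
        /// String.Compare(..., true), so identity matching does not depend on the thread culture
        /// (e.g. Turkish dotless-i rules).  A cache hit whose ServiceTicket does not match the key
        /// is now logged instead of failing silently.  Service ticket values are still written to
        /// the log at Info level; check that is acceptable for your log sinks.
        /// </remarks>
        public bool VerifyClientTicket(CasAuthenticationTicket casAuthenticationTicket)
        {
            CommonUtils.AssertNotNull(casAuthenticationTicket, "casAuthenticationTicket parameter cannot be null.");

            string incomingServiceTicket = casAuthenticationTicket.ServiceTicket;
            CasAuthenticationTicket cachedTicket = GetTicket(incomingServiceTicket);

            if (cachedTicket == null)
            {
                log.Info("Ticket {0} not found in cache.  Never existed, expired, or removed via single sign out",
                    incomingServiceTicket);
                return false;
            }

            // Defensive: the entry is keyed by service ticket, but make sure the stored object
            // really belongs to this ticket and is not a stale or colliding entry.
            if (cachedTicket.ServiceTicket != incomingServiceTicket)
            {
                log.Info("Ticket {0} resolved to a cache entry for a different service ticket.",
                    incomingServiceTicket);
                return false;
            }

            if (!string.Equals(cachedTicket.NetId, casAuthenticationTicket.NetId, StringComparison.OrdinalIgnoreCase))
            {
                log.Info("Username {0} in ticket {1} does not match cached value.",
                    casAuthenticationTicket.NetId, incomingServiceTicket);
                return false;
            }

            if (!string.Equals(cachedTicket.Assertion.PrincipalName, casAuthenticationTicket.Assertion.PrincipalName, StringComparison.OrdinalIgnoreCase))
            {
                log.Info("Principal name {0} in assertion of ticket {1} does not match cached value.",
                    casAuthenticationTicket.Assertion.PrincipalName, incomingServiceTicket);
                return false;
            }

            return true;
        }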
 /// <summary>
 /// Writes <paramref name="casAuthenticationTicket"/> into the backing store under the key derived
 /// from its ServiceTicket (see GetTicketKey), replacing any existing entry, and lets the store
 /// expire it at <paramref name="expiration"/>.
 /// </summary>
 /// <param name="casAuthenticationTicket">The ticket to store.</param>
 /// <param name="expiration">The date and time at which the store entry expires.</param>
 /// <exception cref="ArgumentNullException">casAuthenticationTicket is null</exception>
 /// <remarks>
 /// Reviewer notes: StoreMode.Set replaces unconditionally, so re-inserting a live ticket silently
 /// overwrites it.  The ticket object -- which elsewhere in this file is built with the assertion
 /// and any resolved proxy-granting ticket -- is serialized into an external store, so that store
 /// needs the same confidentiality and integrity protection as the auth cookie itself.  The service
 /// ticket value is emitted to the debug log.
 /// </remarks>
 public void InsertTicket(CasAuthenticationTicket casAuthenticationTicket, DateTime expiration)
 {
     CommonUtils.AssertNotNull(casAuthenticationTicket, "casAuthenticationTicket parameter cannot be null.");

     string serviceTicket = casAuthenticationTicket.ServiceTicket;
     log.Debug("Inserting service ticket:" + serviceTicket);

     string storeKey = GetTicketKey(serviceTicket);
     client.Store(StoreMode.Set, storeKey, casAuthenticationTicket, expiration);
 }