示例#1
0
        /**
         * Determines the principal id to use for a {@link RegisteredService} using the following rules:
         *
         * <ul>
         *  <li> If the service is marked to allow anonymous access, a persistent id is returned. </li>
         *  <li> If the attribute name matches {@link RegisteredService#DEFAULT_USERNAME_ATTRIBUTE}, then the default principal id is returned.</li>
         *  <li>If the service is set to ignore attributes, or the username attribute exists in the allowed attributes for the service,
         *      the corresponding attribute value will be returned.
         *  </li>
         *   <li>Otherwise, the default principal's id is returned as the username attribute with an additional warning.</li>
         * </ul>
         *
         * @param principal The principal object to be validated and constructed
         * @param registeredService Requesting service for which a principal is being validated.
         * @param serviceTicket An instance of the service ticket used for validation
         *
         * @return The principal id to use for the requesting registered service
         */
        private string determinePrincipalIdForRegisteredService(Principal principal, RegisteredService registeredService,
                                                                ServiceTicket serviceTicket)
        {
            string principalId = null;
            string serviceUsernameAttribute = registeredService.getUsernameAttribute();

            if (registeredService.isAnonymousAccess())
            {
                principalId = this.persistentIdGenerator.generate(principal, serviceTicket.getService());
            }
            else if (string.IsNullOrEmpty(serviceUsernameAttribute))
            {
                principalId = principal.getId();
            }
            else
            {
                if ((registeredService.isIgnoreAttributes() || registeredService.getAllowedAttributes().Contains(serviceUsernameAttribute)) &&
                    principal.getAttributes().ContainsKey(serviceUsernameAttribute))
                {
                    principalId = principal.getAttributes().First(x => x.Key == registeredService.getUsernameAttribute()).Value.ToString();
                }
                else
                {
                    principalId = principal.getId();
                    Object[] errorLogParameters = new Object[] { principalId, registeredService.getUsernameAttribute(),
                                                                 principal.getAttributes(), registeredService.getServiceId(), principalId };
                    //log.warn("Principal [{}] did not have attribute [{}] among attributes [{}] so CAS cannot "
                    //        + "provide on the validation response the user attribute the registered service [{}] expects. "
                    //        + "CAS will instead return the default username attribute [{}]", errorLogParameters);
                }
            }

            //log.debug("Principal id to return for service [{}] is [{}]. The default principal id is [{}].",
            //          new Object[] {registeredService.getName(), principal.getId(), principalId});
            return(principalId);
        }
        /**
     * Determines the principal id to use for a {@link RegisteredService} using the following rules: 
     * 
     * <ul>
     *  <li> If the service is marked to allow anonymous access, a persistent id is returned. </li>
     *  <li> If the attribute name matches {@link RegisteredService#DEFAULT_USERNAME_ATTRIBUTE}, then the default principal id is returned.</li>
     *  <li>If the service is set to ignore attributes, or the username attribute exists in the allowed attributes for the service, 
     *      the corresponding attribute value will be returned.
     *  </li>
     *   <li>Otherwise, the default principal's id is returned as the username attribute with an additional warning.</li>
     * </ul>
     * 
     * @param principal The principal object to be validated and constructed
     * @param registeredService Requesting service for which a principal is being validated. 
     * @param serviceTicket An instance of the service ticket used for validation
     * 
     * @return The principal id to use for the requesting registered service
     */
        private string determinePrincipalIdForRegisteredService(Principal principal, RegisteredService registeredService,
                                                                 ServiceTicket serviceTicket)
        {
            string principalId = null;
            string serviceUsernameAttribute = registeredService.getUsernameAttribute();

            if (registeredService.isAnonymousAccess())
            {
                principalId = this.persistentIdGenerator.generate(principal, serviceTicket.getService());
            }
            else if (string.IsNullOrEmpty(serviceUsernameAttribute))
            {
                principalId = principal.getId();
            }
            else
            {
                if ((registeredService.isIgnoreAttributes() || registeredService.getAllowedAttributes().Contains(serviceUsernameAttribute)) &&
                    principal.getAttributes().ContainsKey(serviceUsernameAttribute))
                {
                    principalId = principal.getAttributes().First(x => x.Key == registeredService.getUsernameAttribute()).Value.ToString();
                }
                else
                {
                    principalId = principal.getId();
                    Object[] errorLogParameters = new Object[] { principalId, registeredService.getUsernameAttribute(),
                                                                     principal.getAttributes(), registeredService.getServiceId(), principalId };
                    //log.warn("Principal [{}] did not have attribute [{}] among attributes [{}] so CAS cannot "
                    //        + "provide on the validation response the user attribute the registered service [{}] expects. "
                    //        + "CAS will instead return the default username attribute [{}]", errorLogParameters);
                }

            }

            //log.debug("Principal id to return for service [{}] is [{}]. The default principal id is [{}].", 
            //          new Object[] {registeredService.getName(), principal.getId(), principalId});
            return principalId;
        }
示例#3
0
        /**
         * @throws IllegalArgumentException if the ServiceTicketId or the Service
         * are null.
         */
        //@Audit(
        //    action="SERVICE_TICKET_VALIDATE",
        //    actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER",
        //    resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
        //@Profiled(tag="VALIDATE_SERVICE_TICKET",logFailuresSeparately = false)
        //@Transactional(readOnly = false)
        public Assertion validateServiceTicket(string serviceTicketId, Service service)
        {
            //Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
            //Assert.notNull(service, "service cannot be null");

            ServiceTicket serviceTicket = (ServiceTicket)this.serviceTicketRegistry.getTicket(serviceTicketId, typeof(ServiceTicket));

            RegisteredService registeredService = this.servicesManager.findServiceBy(service);

            if (registeredService == null || !registeredService.isEnabled())
            {
                //log.warn("ServiceManagement: Service does not exist is not enabled, and thus not allowed to validate tickets.   Service: [" + service.getId() + "]");
                throw new UnauthorizedServiceException("Service not allowed to validate tickets.");
            }

            if (serviceTicket == null)
            {
                //log.info("ServiceTicket [" + serviceTicketId + "] does not exist.");
                throw new InvalidTicketException();
            }

            try
            {
                lock (serviceTicket)
                {
                    if (serviceTicket.isExpired())
                    {
                        //log.info("ServiceTicket [" + serviceTicketId + "] has expired.");
                        throw new InvalidTicketException();
                    }

                    if (!serviceTicket.isValidFor(service))
                    {
                        //log.error("ServiceTicket [" + serviceTicketId + "] with service [" + serviceTicket.getService().getId() + " does not match supplied service [" + service + "]");
                        throw new TicketValidationException(serviceTicket.getService());
                    }
                }

                List <Authentication> chainedAuthenticationsList = serviceTicket.getGrantingTicket().getChainedAuthentications();
                Authentication        authentication             = chainedAuthenticationsList.ElementAt(chainedAuthenticationsList.Count() - 1);
                Principal             principal = authentication.getPrincipal();

                string         principalId = this.determinePrincipalIdForRegisteredService(principal, registeredService, serviceTicket);
                Authentication authToUse;

                if (!registeredService.isIgnoreAttributes())
                {
                    Dictionary <string, Object> attributes = new Dictionary <string, Object>();

                    foreach (string attribute in registeredService.getAllowedAttributes())
                    {
                        Object value = principal.getAttributes().FirstOrDefault(x => x.Key == attribute).Value;

                        if (value != null)
                        {
                            attributes.Add(attribute, value);
                        }
                    }

                    Principal             modifiedPrincipal     = new SimplePrincipal(principalId, attributes);
                    MutableAuthentication mutableAuthentication = new MutableAuthentication(modifiedPrincipal, authentication.getAuthenticatedDate());

                    var mutableAuthenticationattributes = mutableAuthentication.getAttributes();

                    var U = mutableAuthentication.getAttributes().Concat(authentication.getAttributes());



                    mutableAuthentication.Attributes = U.ToDictionary(x => x.Key, x => x.Value);

                    mutableAuthentication.AuthenticatedDate = authentication.getAuthenticatedDate();
                    //mutableAuthentication.getAuthenticatedDate() = authentication.getAuthenticatedDate();

                    authToUse = mutableAuthentication;
                }
                else
                {
                    Principal modifiedPrincipal = new SimplePrincipal(principalId, principal.getAttributes());
                    authToUse = new MutableAuthentication(modifiedPrincipal, authentication.getAuthenticatedDate());
                }

                List <Authentication> authentications = new List <Authentication>();

                for (int i = 0; i < chainedAuthenticationsList.Count() - 1; i++)
                {
                    authentications.Add(serviceTicket.getGrantingTicket().getChainedAuthentications().ElementAt(i));
                }
                authentications.Add(authToUse);

                return(new ImmutableAssertionImpl(authentications, serviceTicket.getService(), serviceTicket.isFromNewLogin()));
            }

            finally
            {
                if (serviceTicket.isExpired())
                {
                    this.serviceTicketRegistry.deleteTicket(serviceTicketId);
                }
            }
        }