/** * Determines the principal id to use for a {@link RegisteredService} using the following rules: * * <ul> * <li> If the service is marked to allow anonymous access, a persistent id is returned. </li> * <li> If the attribute name matches {@link RegisteredService#DEFAULT_USERNAME_ATTRIBUTE}, then the default principal id is returned.</li> * <li>If the service is set to ignore attributes, or the username attribute exists in the allowed attributes for the service, * the corresponding attribute value will be returned. * </li> * <li>Otherwise, the default principal's id is returned as the username attribute with an additional warning.</li> * </ul> * * @param principal The principal object to be validated and constructed * @param registeredService Requesting service for which a principal is being validated. * @param serviceTicket An instance of the service ticket used for validation * * @return The principal id to use for the requesting registered service */ private string determinePrincipalIdForRegisteredService(Principal principal, RegisteredService registeredService, ServiceTicket serviceTicket) { string principalId = null; string serviceUsernameAttribute = registeredService.getUsernameAttribute(); if (registeredService.isAnonymousAccess()) { principalId = this.persistentIdGenerator.generate(principal, serviceTicket.getService()); } else if (string.IsNullOrEmpty(serviceUsernameAttribute)) { principalId = principal.getId(); } else { if ((registeredService.isIgnoreAttributes() || registeredService.getAllowedAttributes().Contains(serviceUsernameAttribute)) && principal.getAttributes().ContainsKey(serviceUsernameAttribute)) { principalId = principal.getAttributes().First(x => x.Key == registeredService.getUsernameAttribute()).Value.ToString(); } else { principalId = principal.getId(); Object[] errorLogParameters = new Object[] { principalId, registeredService.getUsernameAttribute(), principal.getAttributes(), registeredService.getServiceId(), principalId }; //log.warn("Principal [{}] did not have attribute [{}] among attributes [{}] so CAS cannot " // + "provide on the validation response the user attribute the registered service [{}] expects. " // + "CAS will instead return the default username attribute [{}]", errorLogParameters); } } //log.debug("Principal id to return for service [{}] is [{}]. The default principal id is [{}].", // new Object[] {registeredService.getName(), principal.getId(), principalId}); return(principalId); }
/** * Determines the principal id to use for a {@link RegisteredService} using the following rules: * * <ul> * <li> If the service is marked to allow anonymous access, a persistent id is returned. </li> * <li> If the attribute name matches {@link RegisteredService#DEFAULT_USERNAME_ATTRIBUTE}, then the default principal id is returned.</li> * <li>If the service is set to ignore attributes, or the username attribute exists in the allowed attributes for the service, * the corresponding attribute value will be returned. * </li> * <li>Otherwise, the default principal's id is returned as the username attribute with an additional warning.</li> * </ul> * * @param principal The principal object to be validated and constructed * @param registeredService Requesting service for which a principal is being validated. * @param serviceTicket An instance of the service ticket used for validation * * @return The principal id to use for the requesting registered service */ private string determinePrincipalIdForRegisteredService(Principal principal, RegisteredService registeredService, ServiceTicket serviceTicket) { string principalId = null; string serviceUsernameAttribute = registeredService.getUsernameAttribute(); if (registeredService.isAnonymousAccess()) { principalId = this.persistentIdGenerator.generate(principal, serviceTicket.getService()); } else if (string.IsNullOrEmpty(serviceUsernameAttribute)) { principalId = principal.getId(); } else { if ((registeredService.isIgnoreAttributes() || registeredService.getAllowedAttributes().Contains(serviceUsernameAttribute)) && principal.getAttributes().ContainsKey(serviceUsernameAttribute)) { principalId = principal.getAttributes().First(x => x.Key == registeredService.getUsernameAttribute()).Value.ToString(); } else { principalId = principal.getId(); Object[] errorLogParameters = new Object[] { principalId, registeredService.getUsernameAttribute(), principal.getAttributes(), registeredService.getServiceId(), principalId }; //log.warn("Principal [{}] did not have attribute [{}] among attributes [{}] so CAS cannot " // + "provide on the validation response the user attribute the registered service [{}] expects. " // + "CAS will instead return the default username attribute [{}]", errorLogParameters); } } //log.debug("Principal id to return for service [{}] is [{}]. The default principal id is [{}].", // new Object[] {registeredService.getName(), principal.getId(), principalId}); return principalId; }
/** * @throws IllegalArgumentException if the ServiceTicketId or the Service * are null. */ //@Audit( // action="SERVICE_TICKET_VALIDATE", // actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER", // resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER") //@Profiled(tag="VALIDATE_SERVICE_TICKET",logFailuresSeparately = false) //@Transactional(readOnly = false) public Assertion validateServiceTicket(string serviceTicketId, Service service) { //Assert.notNull(serviceTicketId, "serviceTicketId cannot be null"); //Assert.notNull(service, "service cannot be null"); ServiceTicket serviceTicket = (ServiceTicket)this.serviceTicketRegistry.getTicket(serviceTicketId, typeof(ServiceTicket)); RegisteredService registeredService = this.servicesManager.findServiceBy(service); if (registeredService == null || !registeredService.isEnabled()) { //log.warn("ServiceManagement: Service does not exist is not enabled, and thus not allowed to validate tickets. Service: [" + service.getId() + "]"); throw new UnauthorizedServiceException("Service not allowed to validate tickets."); } if (serviceTicket == null) { //log.info("ServiceTicket [" + serviceTicketId + "] does not exist."); throw new InvalidTicketException(); } try { lock (serviceTicket) { if (serviceTicket.isExpired()) { //log.info("ServiceTicket [" + serviceTicketId + "] has expired."); throw new InvalidTicketException(); } if (!serviceTicket.isValidFor(service)) { //log.error("ServiceTicket [" + serviceTicketId + "] with service [" + serviceTicket.getService().getId() + " does not match supplied service [" + service + "]"); throw new TicketValidationException(serviceTicket.getService()); } } List <Authentication> chainedAuthenticationsList = serviceTicket.getGrantingTicket().getChainedAuthentications(); Authentication authentication = chainedAuthenticationsList.ElementAt(chainedAuthenticationsList.Count() - 1); Principal principal = authentication.getPrincipal(); string principalId = this.determinePrincipalIdForRegisteredService(principal, registeredService, serviceTicket); Authentication authToUse; if (!registeredService.isIgnoreAttributes()) { Dictionary <string, Object> attributes = new Dictionary <string, Object>(); foreach (string attribute in registeredService.getAllowedAttributes()) { Object value = principal.getAttributes().FirstOrDefault(x => x.Key == attribute).Value; if (value != null) { attributes.Add(attribute, value); } } Principal modifiedPrincipal = new SimplePrincipal(principalId, attributes); MutableAuthentication mutableAuthentication = new MutableAuthentication(modifiedPrincipal, authentication.getAuthenticatedDate()); var mutableAuthenticationattributes = mutableAuthentication.getAttributes(); var U = mutableAuthentication.getAttributes().Concat(authentication.getAttributes()); mutableAuthentication.Attributes = U.ToDictionary(x => x.Key, x => x.Value); mutableAuthentication.AuthenticatedDate = authentication.getAuthenticatedDate(); //mutableAuthentication.getAuthenticatedDate() = authentication.getAuthenticatedDate(); authToUse = mutableAuthentication; } else { Principal modifiedPrincipal = new SimplePrincipal(principalId, principal.getAttributes()); authToUse = new MutableAuthentication(modifiedPrincipal, authentication.getAuthenticatedDate()); } List <Authentication> authentications = new List <Authentication>(); for (int i = 0; i < chainedAuthenticationsList.Count() - 1; i++) { authentications.Add(serviceTicket.getGrantingTicket().getChainedAuthentications().ElementAt(i)); } authentications.Add(authToUse); return(new ImmutableAssertionImpl(authentications, serviceTicket.getService(), serviceTicket.isFromNewLogin())); } finally { if (serviceTicket.isExpired()) { this.serviceTicketRegistry.deleteTicket(serviceTicketId); } } }