org.jasig.cas.ticket.InvalidTicketException Java Examples

The following examples show how to use org.jasig.cas.ticket.InvalidTicketException; each example links to the original project and source file it was taken from.
Example #1
Source File: CentralAuthenticationServiceImpl.java — from taoshop, Apache License 2.0
/**
 * {@inheritDoc}
 * Destroys the ticket-granting ticket identified by {@code ticketGrantingTicketId}, after
 * asking the logout manager to perform back-channel logout for the sessions derived from it.
 * Deleting the TGT from the registry invalidates every ticket that was issued from it, and a
 * {@link CasTicketGrantingTicketDestroyedEvent} is published once the ticket is gone.
 * <p>
 * When {@code getTicket} rejects the id with {@link InvalidTicketException}, nothing is
 * deleted and an empty list is returned. A {@code null} id is rejected by {@code getTicket}
 * with an {@link IllegalArgumentException}.
 *
 * @param ticketGrantingTicketId the id of the ticket-granting ticket to destroy
 * @return the logout requests produced by the logout manager, or an empty list when the
 *         ticket could not be resolved
 */
@Audit(
        action = "TICKET_GRANTING_TICKET_DESTROYED",
        actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER",
        resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
@Metered(name = "DESTROY_TICKET_GRANTING_TICKET_METER")
@Counted(name = "DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull final String ticketGrantingTicketId) {
    try {
        logger.debug("Removing ticket [{}] from registry...", ticketGrantingTicketId);
        final TicketGrantingTicket tgt = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

        logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        // Back-channel logout runs before removal so the logout manager still sees the live TGT.
        final List<LogoutRequest> requests = logoutManager.performLogout(tgt);
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
        doPublishEvent(new CasTicketGrantingTicketDestroyedEvent(this, tgt));
        return requests;
    } catch (final InvalidTicketException e) {
        // getTicket rejected the id: there is nothing to log out or delete.
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
        return Collections.emptyList();
    }
}
 
Example #2
Source File: GenericSuccessViewActionTests.java — from springboot-shiro-cas-mybatis, MIT License
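/**
 * A TGT whose authentication carries the principal "cas" must be resolved to that principal
 * by {@code getAuthenticationPrincipal}.
 *
 * @throws InvalidTicketException declared by the mocked {@code getTicket}; not expected here
 */
@Test
public void verifyValidPrincipal() throws InvalidTicketException {
    final Authentication authentication = mock(Authentication.class);
    when(authentication.getPrincipal()).thenReturn(TestUtils.getPrincipal("cas"));

    final TicketGrantingTicket tgt = mock(TicketGrantingTicket.class);
    when(tgt.getAuthentication()).thenReturn(authentication);

    // Ticket.class.getClass() is Class.class: match whatever ticket type the action requests.
    final CentralAuthenticationService cas = mock(CentralAuthenticationService.class);
    when(cas.getTicket(any(String.class), any(Ticket.class.getClass()))).thenReturn(tgt);

    final GenericSuccessViewAction action = new GenericSuccessViewAction(cas);
    final Principal principal = action.getAuthenticationPrincipal("TGT-1");

    assertNotNull(principal);
    // JUnit convention is (expected, actual); the original had them swapped, which makes a
    // failure message report the values backwards.
    assertEquals("cas", principal.getId());
}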
 
Example #3
Source File: CentralAuthenticationServiceImpl.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * {@inheritDoc}
 * Destroys the ticket-granting ticket with the given id after running back-channel logout for
 * the sessions derived from it; removing the TGT invalidates every ticket issued from it.
 * <p>
 * If {@code getTicket} reports the id as invalid ({@link InvalidTicketException}), nothing is
 * deleted and an empty list is returned. A {@code null} id is rejected by {@code getTicket}
 * with an {@link IllegalArgumentException}.
 *
 * @param ticketGrantingTicketId the id of the ticket-granting ticket to destroy
 * @return the logout requests produced for the destroyed ticket, or an empty list if it was not found
 */
@Audit(
        action="TICKET_GRANTING_TICKET_DESTROYED",
        actionResolverName="DESTROY_TICKET_GRANTING_TICKET_RESOLVER",
        resourceResolverName="DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
@Metered(name="DESTROY_TICKET_GRANTING_TICKET_METER")
@Counted(name="DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic=true)
@Override
public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull final String ticketGrantingTicketId) {
    logger.debug("Removing ticket [{}] from registry...", ticketGrantingTicketId);
    try {
        final TicketGrantingTicket tgt = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        // Logout runs first so the logout manager still sees the TGT and its derived tickets.
        final List<LogoutRequest> requests = logoutManager.performLogout(tgt);
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
        return requests;
    } catch (final InvalidTicketException e) {
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
        return Collections.emptyList();
    }
}
 
Example #4
Source File: CentralAuthenticationServiceImpl.java — from springboot-shiro-cas-mybatis, MIT License
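/**
 * {@inheritDoc}
 * Looks up a ticket by id and type in the ticket registry.
 * <p>
 * Only ticket-granting tickets are checked for expiry here: an expired TGT is removed from the
 * registry and reported as invalid. Other ticket types are returned exactly as stored, so a
 * caller that needs an expiry check on, for example, a service ticket must perform it itself.
 *
 * @param ticketId the id of the ticket to fetch; must not be {@code null}
 * @param clazz    the expected ticket type, passed through to the registry; must not be {@code null}
 * @param <T>      the ticket type the caller expects to receive
 * @return the ticket held in the registry for {@code ticketId}
 * @throws InvalidTicketException   if no ticket with that id is registered, or it is an expired TGT
 * @throws IllegalArgumentException if {@code ticketId} or {@code clazz} is {@code null}
 */
@Timed(name = "GET_TICKET_TIMER")
@Metered(name = "GET_TICKET_METER")
@Counted(name="GET_TICKET_COUNTER", monotonic=true)
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    Assert.notNull(ticketId, "ticketId cannot be null");
    // clazz is dereferenced in the not-found log message below; reject it up front rather than NPE there.
    Assert.notNull(clazz, "clazz cannot be null");

    final Ticket ticket = this.ticketRegistry.getTicket(ticketId, clazz);

    if (ticket == null) {
        logger.debug("Ticket [{}] by type [{}] cannot be found in the ticket registry.", ticketId, clazz.getSimpleName());
        throw new InvalidTicketException(ticketId);
    }

    if (ticket instanceof TicketGrantingTicket) {
        // Expiry check and deletion are done under the ticket's monitor, presumably so that
        // concurrent callers holding the same TGT instance reach the same decision.
        synchronized (ticket) {
            if (ticket.isExpired()) {
                this.ticketRegistry.deleteTicket(ticketId);
                logger.debug("Ticket [{}] has expired and is now deleted from the ticket registry.", ticketId);
                throw new InvalidTicketException(ticketId);
            }
        }
    }

    // The registry was asked for clazz, but T is chosen by the caller; the cast cannot be checked.
    @SuppressWarnings("unchecked")
    final T result = (T) ticket;
    return result;
}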
 
Example #5
Source File: CentralAuthenticationServiceImpl.java — from taoshop, Apache License 2.0
/**
 * Issues a proxy-granting ticket on top of an existing, unexpired service ticket.
 * <p>
 * The service that owns the service ticket must be registered, pass
 * {@code verifyRegisteredServiceProperties}, and have a proxy policy that allows proxying.
 * The service ticket's expiry is read here without synchronisation, unlike the check in
 * {@code validateServiceTicket}; an expired ticket is rejected but not deleted. The new PGT
 * is bound to the context's authentication, stored in the registry, and announced with a
 * {@link CasProxyGrantingTicketCreatedEvent}.
 *
 * @param serviceTicketId the id of the service ticket presented by the proxying service
 * @param context         the authentication context whose authentication is bound to the PGT
 * @return the newly created and registered proxy-granting ticket
 * @throws InvalidTicketException        if the service ticket is unknown or expired
 * @throws UnauthorizedProxyingException if the registered service is not allowed to proxy
 * @throws AuthenticationException       as declared by the interface
 * @throws AbstractTicketException       from the registered-service verification
 */
@Audit(
        action = "PROXY_GRANTING_TICKET",
        actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER",
        resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
@Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
@Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public ProxyGrantingTicket createProxyGrantingTicket(final String serviceTicketId, final AuthenticationContext context)
        throws AuthenticationException, AbstractTicketException {
    final ServiceTicket st = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    final boolean usable = st != null && !st.isExpired();
    if (!usable) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(st.getService());
    verifyRegisteredServiceProperties(registeredService, st.getService());

    final boolean proxyingAllowed = registeredService.getProxyPolicy().isAllowedToProxy();
    if (!proxyingAllowed) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", st.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final ProxyGrantingTicketFactory pgtFactory = this.ticketFactory.get(ProxyGrantingTicket.class);
    final ProxyGrantingTicket pgt = pgtFactory.create(st, context.getAuthentication());

    logger.debug("Generated proxy granting ticket [{}] based off of [{}]", pgt, serviceTicketId);
    this.ticketRegistry.addTicket(pgt);
    doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, pgt));

    return pgt;
}
 
Example #6
Source File: MultiFactorAwareCentralAuthenticationService.java — from cas-mfa, Apache License 2.0
/**
 * Delegates ticket retrieval to the wrapped central authentication service; the
 * multi-factor-aware wrapper adds only the metrics annotations here.
 *
 * @param ticketId the id of the ticket to fetch
 * @param clazz    the expected ticket type
 * @param <T>      the ticket type the caller expects
 * @return whatever the delegate returns for the same arguments
 * @throws InvalidTicketException if the delegate rejects the ticket id
 */
@Timed(name = "GET_TICKET_TIMER")
@Metered(name = "GET_TICKET_METER")
@Counted(name="GET_TICKET_COUNTER", monotonic=true)
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    final T resolved = delegate.getTicket(ticketId, clazz);
    return resolved;
}
 
Example #7
Source File: GenericSuccessViewActionTests.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * When the CAS service cannot resolve the TGT, the action must fall back to a
 * {@link NullPrincipal} instead of propagating the {@link InvalidTicketException}.
 * (The method name keeps its historical spelling.)
 *
 * @throws InvalidTicketException declared by the mocked {@code getTicket}; swallowed by the action
 */
@Test
public void verifyPrincipalCanNotBeDetemined() throws InvalidTicketException {
    final CentralAuthenticationService service = mock(CentralAuthenticationService.class);
    // Ticket.class.getClass() is Class.class: match whatever ticket type the action requests.
    when(service.getTicket(any(String.class), any(Ticket.class.getClass())))
            .thenThrow(new InvalidTicketException("TGT-1"));

    final GenericSuccessViewAction action = new GenericSuccessViewAction(service);
    final Principal resolved = action.getAuthenticationPrincipal("TGT-1");

    assertNotNull(resolved);
    assertTrue(resolved instanceof NullPrincipal);
}
 
Example #8
Source File: GenericSuccessViewAction.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * Resolves the principal behind a ticket-granting ticket.
 * <p>
 * When the CAS service cannot resolve the ticket ({@link InvalidTicketException}), the
 * exception message is logged at WARN and {@link NullPrincipal} is returned instead of
 * propagating the failure, so callers always receive a non-null principal.
 *
 * @param ticketGrantingTicketId the ticket granting ticket id
 * @return the authentication principal, or {@link org.jasig.cas.authentication.principal.NullPrincipal}
 * if the ticket could not be resolved
 */
public Principal getAuthenticationPrincipal(final String ticketGrantingTicketId) {
    try {
        final TicketGrantingTicket tgt = this.centralAuthenticationService
                .getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        return tgt.getAuthentication().getPrincipal();
    } catch (final InvalidTicketException e) {
        logger.warn(e.getMessage());
        logger.debug("In the absence of valid TGT, the authentication principal cannot be determined. Returning {}",
                NullPrincipal.class.getSimpleName());
        return NullPrincipal.getInstance();
    }
}
 
Example #9
Source File: TicketsResourceTests.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * A service-ticket request for a TGT that the CAS layer reports as invalid must answer
 * HTTP 404 with the fixed body "TicketGrantingTicket could not be found", rather than
 * surfacing the exception to the client.
 *
 * @throws Throwable from MockMvc
 */
@Test
public void creationOfSTWithInvalidTicketException() throws Throwable {
    // Presumably configures the mocked CAS service to throw when asked to grant a service
    // ticket for TGT-1 (helper defined elsewhere in this test class).
    configureCasMockSTCreationToThrow(new InvalidTicketException("TGT-1"));

    this.mockMvc.perform(post("/cas/v1/tickets/TGT-1")
            .param("service", "https://www.google.com"))
            .andExpect(status().isNotFound())
            .andExpect(content().string("TicketGrantingTicket could not be found"));
}
 
Example #10
Source File: OpenIdSingleSignOnAction.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * Builds an {@link OpenIdCredential} from the current request, or returns {@code null} when the
 * username or the ticket-granting ticket is missing.
 * <p>
 * Two identity shapes are handled. For the OpenID "identifier select" value, any remembered
 * local id is dropped from the session and the username is taken from the already
 * authenticated TGT when one is present (falling back to the selector value itself if the TGT
 * cannot be resolved). For an explicit identity URI, the local part is extracted and remembered
 * in the session. If no username could be established for an {@link OpenIdService}, the service
 * is removed from flow scope, because otherwise the username could be faked later in the flow.
 *
 * @param context the web-flow request context
 * @return the credential, or {@code null} if the TGT id or the username is absent
 */
@Override
protected Credential constructCredentialsFromRequest(final RequestContext context) {
    final String tgtId = WebUtils.getTicketGrantingTicketId(context);
    final String openIdIdentity = context.getRequestParameters().get(OpenIdConstants.OPENID_IDENTITY);
    final boolean identifierSelect = OpenIdConstants.OPENID_IDENTIFIERSELECT.equals(openIdIdentity);

    String userName;
    if (identifierSelect) {
        // Default to the selector itself; replaced by the real principal id when a TGT resolves.
        userName = OpenIdConstants.OPENID_IDENTIFIERSELECT;
        context.getExternalContext().getSessionMap().remove(OpenIdConstants.OPENID_LOCALID);
        if (tgtId != null) {
            try {
                final TicketGrantingTicket tgt = getCentralAuthenticationService()
                        .getTicket(tgtId, TicketGrantingTicket.class);
                userName = tgt.getAuthentication().getPrincipal().getId();
            } catch (final InvalidTicketException e) {
                logger.error("Cannot get TGT", e);
            }
        }
    } else {
        userName = this.extractor.extractLocalUsernameFromUri(openIdIdentity);
        context.getExternalContext().getSessionMap().put(OpenIdConstants.OPENID_LOCALID, userName);
    }

    final Service service = WebUtils.getService(context);
    final boolean userNameMissing = userName == null;

    // Without a username the service must not survive in flow scope, otherwise the username could be faked.
    if (userNameMissing && service instanceof OpenIdService) {
        context.getFlowScope().remove("service");
    }

    if (userNameMissing || tgtId == null) {
        return null;
    }

    return new OpenIdCredential(tgtId, userName);
}
 
Example #11
Source File: TicketOrCredentialPrincipalResolver.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * Resolves a join-point argument to the string recorded in the audit trail.
 * <ul>
 *   <li>a {@link Credential} is rendered with {@code toString()};</li>
 *   <li>a {@link String} is treated as a ticket id: for a service ticket or TGT the owning
 *       principal id is returned, otherwise the argument is logged as not locatable;</li>
 *   <li>anything else falls back to the user name in the Spring Security context.</li>
 * </ul>
 * An {@link InvalidTicketException} from the ticket lookup is traced and treated as "not found".
 *
 * @param arg1 the argument to resolve; must not be {@code null}
 * @return the resolved string, or {@code UNKNOWN_USER} when nothing could be determined
 */
private String resolveArgument(final Object arg1) {
    LOGGER.debug("Resolving argument [{}] for audit", arg1.getClass().getSimpleName());

    if (arg1 instanceof Credential) {
        return arg1.toString();
    }

    if (arg1 instanceof String) {
        final String ticketId = (String) arg1;
        try {
            final Ticket ticket = this.centralAuthenticationService.getTicket(ticketId, Ticket.class);
            if (ticket instanceof ServiceTicket) {
                return ((ServiceTicket) ticket).getGrantingTicket().getAuthentication().getPrincipal().getId();
            }
            if (ticket instanceof TicketGrantingTicket) {
                return ((TicketGrantingTicket) ticket).getAuthentication().getPrincipal().getId();
            }
        } catch (final InvalidTicketException e) {
            LOGGER.trace(e.getMessage(), e);
        }
        // Reached both when the lookup threw and when the ticket was of some other type.
        LOGGER.debug("Could not locate ticket [{}] in the registry", arg1);
    } else {
        final SecurityContext securityContext = SecurityContextHolder.getContext();
        final Authentication authentication = securityContext == null ? null : securityContext.getAuthentication();
        if (authentication != null) {
            return ((UserDetails) authentication.getPrincipal()).getUsername();
        }
    }

    LOGGER.debug("Unable to determine the audit argument. Returning [{}]", UNKNOWN_USER);
    return UNKNOWN_USER;
}
 
Example #12
Source File: CentralAuthenticationServiceImpl.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * Grants a proxy-granting ticket to the service holding an unexpired service ticket, after
 * authenticating the supplied credentials.
 * <p>
 * The owning service must be registered, pass {@code verifyRegisteredServiceProperties} and
 * have a proxy policy that allows proxying. The service ticket's expiry is read without
 * synchronisation here, and an expired ticket is rejected but left in the registry. The new
 * PGT id uses {@code TicketGrantingTicket.PROXY_GRANTING_TICKET_PREFIX}; the ticket is bound
 * to the freshly authenticated {@link Authentication} and stored in the ticket registry.
 *
 * @param serviceTicketId the id of the service ticket presented by the proxying service
 * @param credentials     the credentials to authenticate for the proxy
 * @return the registered proxy-granting ticket
 * @throws InvalidTicketException        if the service ticket is unknown or expired
 * @throws UnauthorizedProxyingException if the registered service may not proxy
 * @throws AuthenticationException       if {@code credentials} cannot be authenticated
 * @throws TicketException               from the registered-service verification
 */
@Audit(
    action="PROXY_GRANTING_TICKET",
    actionResolverName="GRANT_PROXY_GRANTING_TICKET_RESOLVER",
    resourceResolverName="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name="GRANT_PROXY_GRANTING_TICKET_TIMER")
@Metered(name="GRANT_PROXY_GRANTING_TICKET_METER")
@Counted(name="GRANT_PROXY_GRANTING_TICKET_COUNTER", monotonic=true)
@Override
public TicketGrantingTicket delegateTicketGrantingTicket(final String serviceTicketId, final Credential... credentials)
        throws AuthenticationException, TicketException {
    final ServiceTicket st = this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    if (st == null || st.isExpired()) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(st.getService());
    verifyRegisteredServiceProperties(registeredService, st.getService());

    final boolean proxyingAllowed = registeredService.getProxyPolicy().isAllowedToProxy();
    if (!proxyingAllowed) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", st.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = this.authenticationManager.authenticate(credentials);
    final String pgtId = this.ticketGrantingTicketUniqueTicketIdGenerator
            .getNewTicketId(TicketGrantingTicket.PROXY_GRANTING_TICKET_PREFIX);
    final TicketGrantingTicket pgt =
            st.grantTicketGrantingTicket(pgtId, authentication, this.ticketGrantingTicketExpirationPolicy);

    logger.debug("Generated proxy granting ticket [{}] based off of [{}]", pgt, serviceTicketId);
    this.ticketRegistry.addTicket(pgt);
    return pgt;
}
 
Example #13
Source File: CentralAuthenticationServiceImplWithMockitoTests.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * Asking for a TGT id that is not in the registry must surface as {@link InvalidTicketException}.
 *
 * @throws InvalidTicketException the expected outcome
 */
@Test(expected=InvalidTicketException.class)
public void getTicketGrantingTicketIfTicketIdIsMissing() throws InvalidTicketException {
    final String unknownTgtId = "TGT-9000";
    this.cas.getTicket(unknownTgtId, TicketGrantingTicket.class);
}
 
Example #14
Source File: CentralAuthenticationServiceImpl.java — from taoshop, Apache License 2.0
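/**
 * Validates a service ticket against the service presenting it and builds the assertion
 * released to that service.
 * <p>
 * Checks, in order: the supplied service is registered and passes
 * {@code verifyRegisteredServiceProperties}; the ticket exists; under the ticket's monitor, it
 * is not expired and {@code isValidFor(service)} accepts the presenting service, so a ticket
 * issued for one service cannot be redeemed by another. The released principal is rebuilt with
 * the registered service's username attribute provider and attribute release policy, so only
 * the attributes that policy permits leave the server; with no policy, no attributes are
 * released. Whatever the outcome, a ticket that is expired afterwards is deleted from the
 * registry in the {@code finally} block.
 *
 * @param serviceTicketId the id of the service ticket being validated
 * @param service         the service presenting the ticket
 * @return the assertion describing the authenticated principal and its released attributes
 * @throws InvalidTicketException if the ticket does not exist or has expired
 * @throws UnrecognizableServiceForServiceTicketValidationException if the ticket was not issued for {@code service}
 * @throws AbstractTicketException from the registered-service verification and policy helpers
 */
@Audit(
        action = "SERVICE_TICKET_VALIDATE",
        actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER",
        resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
@Metered(name = "VALIDATE_SERVICE_TICKET_METER")
@Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws AbstractTicketException {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    verifyRegisteredServiceProperties(registeredService, service);

    final ServiceTicket serviceTicket = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("Service ticket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    try {
        // Expiry and service binding are checked under the ticket's monitor, presumably so that
        // concurrent validation attempts on the same ticket instance see a consistent state.
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
            }
        }

        // The policy is evaluated against the root of the TGT chain, not the immediate granting ticket.
        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        final RegisteredServiceAttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
        logger.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);

        // A missing policy releases nothing. The typed emptyMap() replaces the raw Collections.EMPTY_MAP
        // constant, which forced an unchecked-cast suppression on this declaration.
        final Map<String, Object> attributesToRelease = attributePolicy != null
                ? attributePolicy.getAttributes(principal) : Collections.<String, Object>emptyMap();

        final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, service);
        final Principal modifiedPrincipal = this.principalFactory.createPrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = DefaultAuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        final Assertion assertion = new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());

        doPublishEvent(new CasServiceTicketValidatedEvent(this, serviceTicket, assertion));

        return assertion;

    } finally {
        // Runs on success and on every exception above: a now-expired ticket is dropped from the registry.
        if (serviceTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(serviceTicketId);
        }
    }
}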
 
Example #15
Source File: CentralAuthenticationServiceImplWithMokitoTests.java — from cas4.0.x-server-wechat, Apache License 2.0
/**
 * Delegating a TGT from a service ticket id that does not exist must fail with
 * {@link InvalidTicketException}, whatever credentials accompany the request.
 *
 * @throws Exception the expected {@link InvalidTicketException}
 */
@Test(expected=InvalidTicketException.class)
public void testNonExistentServiceWhenDelegatingTicketGrantingTicket() throws Exception {
    final String unknownServiceTicketId = "bad-st";
    this.cas.delegateTicketGrantingTicket(unknownServiceTicketId, TestUtils.getCredentialsWithSameUsernameAndPassword());
}
 
Example #16
Source File: CentralAuthenticationServiceImpl.java — from cas4.0.x-server-wechat, Apache License 2.0
/**
 * Validates a service ticket presented by {@code service} and builds the assertion to release.
 * <p>
 * The ticket must exist and, under its monitor, be unexpired and accepted by
 * {@code isValidFor(service)} for the presenting service. The released principal carries the
 * attributes left after the default attribute filter and, if the registered service has one,
 * its own filter, under the id chosen by {@code determinePrincipalIdForRegisteredService}.
 * An expired ticket is removed from the service ticket registry in the {@code finally} block
 * whether or not validation succeeded.
 *
 * @param serviceTicketId the id of the service ticket being validated
 * @param service         the service presenting the ticket
 * @return the assertion for the validated ticket
 * @throws IllegalArgumentException if the ServiceTicketId or the Service
 * are null.
 * @throws InvalidTicketException if the ticket does not exist or has expired
 * @throws TicketValidationException if the ticket was not issued for {@code service}
 * @throws TicketException from the registered-service verification and policy helpers
 */
@Audit(
    action="SERVICE_TICKET_VALIDATE",
    actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER",
    resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="VALIDATE_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException {
    Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
    Assert.notNull(service, "service cannot be null");
 
    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("ServiceTicket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    // NOTE(review): the registered service is looked up by the presenting service, but its
    // properties are verified against the ticket's own service. The isValidFor(service) check
    // below is presumably what ties the presenting service to the ticket's service — confirm.
    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());
    
    try {
        // Expiry and service binding are checked under the ticket's monitor.
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("ServiceTicket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new TicketValidationException(serviceTicket.getService());
            }
        }

        // The authentication policy is evaluated against the root of the TGT chain.
        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        // Default filter first, then the registered service's own filter narrows the result further.
        Map<String, Object> attributesToRelease = this.defaultAttributeFilter.filter(principal.getId(),
                principal.getAttributes(), registeredService);
        if (registeredService.getAttributeFilter() != null) {
            attributesToRelease = registeredService.getAttributeFilter().filter(principal.getId(),
                    attributesToRelease, registeredService);
        }

        final String principalId = determinePrincipalIdForRegisteredService(principal, registeredService, serviceTicket);
        final Principal modifiedPrincipal = new SimplePrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = AuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        return new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());
    } finally {
        // Runs on success and on every exception above: a now-expired ticket is dropped from the registry.
        if (serviceTicket.isExpired()) {
            this.serviceTicketRegistry.deleteTicket(serviceTicketId);
        }
    }
}
 
Example #17
Source File: CentralAuthenticationServiceImpl.java — from cas4.0.x-server-wechat, Apache License 2.0
/**
 * Grants a (proxy) ticket-granting ticket to the service holding an unexpired service ticket,
 * after authenticating the supplied credentials, and returns the new ticket's id.
 * <p>
 * The owning service must be registered, pass {@code verifyRegisteredServiceProperties} and be
 * allowed to proxy. The service ticket's expiry is read without synchronisation here, and an
 * expired ticket is rejected but left in the registry. The new ticket id uses
 * {@code TicketGrantingTicket.PREFIX}; the ticket is bound to the freshly authenticated
 * {@link Authentication} and stored in the ticket registry.
 *
 * @param serviceTicketId the id of the service ticket presented by the proxying service
 * @param credentials     the credentials to authenticate for the proxy; must not be {@code null}
 * @return the id of the registered ticket-granting ticket
 * @throws IllegalArgumentException      if the ServiceTicketId or the Credential are null
 * @throws InvalidTicketException        if the service ticket is unknown or expired
 * @throws UnauthorizedProxyingException if the registered service may not proxy
 * @throws AuthenticationException       if {@code credentials} cannot be authenticated
 * @throws TicketException               from the registered-service verification
 */
@Audit(
    action="PROXY_GRANTING_TICKET",
    actionResolverName="GRANT_PROXY_GRANTING_TICKET_RESOLVER",
    resourceResolverName="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_PROXY_GRANTING_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String delegateTicketGrantingTicket(final String serviceTicketId, final Credential... credentials)
        throws AuthenticationException, TicketException {
    Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
    Assert.notNull(credentials, "credentials cannot be null");

    final ServiceTicket st = this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    if (st == null || st.isExpired()) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(st.getService());
    verifyRegisteredServiceProperties(registeredService, st.getService());

    if (!registeredService.isAllowedToProxy()) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", st.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = this.authenticationManager.authenticate(credentials);
    final String newTgtId = this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PREFIX);
    final TicketGrantingTicket proxyTgt =
            st.grantTicketGrantingTicket(newTgtId, authentication, this.ticketGrantingTicketExpirationPolicy);

    this.ticketRegistry.addTicket(proxyTgt);
    return proxyTgt.getId();
}
 
Example #18
Source File: CentralAuthenticationServiceImpl.java — from cas4.0.x-server-wechat, Apache License 2.0
/**
 * Grants a service ticket from an existing ticket-granting ticket for the given service.
 * <p>
 * Checks performed, in order:
 * <ul>
 *   <li>the TGT exists and, under its monitor, is not expired (an expired TGT is deleted);</li>
 *   <li>the service is registered and passes {@code verifyRegisteredServiceProperties};</li>
 *   <li>a registered service with SSO disabled is refused once the TGT has already been used,
 *       unless credentials are supplied with the request;</li>
 *   <li>CAS-1019: a TGT carrying more than one chained authentication is a proxy attempt, so
 *       the registered service must be allowed to proxy;</li>
 *   <li>when credentials are supplied they are authenticated and must resolve to the same
 *       principal as the TGT, otherwise {@link MixedPrincipalException} is thrown;</li>
 *   <li>the configured authentication policy must be satisfied for the service.</li>
 * </ul>
 * The ticket id comes from the generator registered under the service's class name.
 *
 * @param ticketGrantingTicketId the id of the TGT granting the service ticket
 * @param service                the service the ticket is granted for
 * @param credentials            optional credentials for re-authentication; may be {@code null}
 * @return the id of the newly granted and registered service ticket
 * @throws IllegalArgumentException if ticketGrantingTicketId or service are null.
 * @throws InvalidTicketException if the TGT is unknown or expired
 * @throws UnauthorizedSsoServiceException if SSO is refused for the service, or no ticket id
 *         generator is linked to the service's class
 * @throws UnauthorizedProxyingException if a proxy chain is presented by a service not allowed to proxy
 * @throws MixedPrincipalException if the supplied credentials resolve to a different principal
 * @throws AuthenticationException if the supplied credentials fail authentication
 * @throws TicketException from the policy and registered-service verification helpers
 */
@Audit(
    action="SERVICE_TICKET",
    actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
    resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String grantServiceTicket(
        final String ticketGrantingTicketId, final Service service, final Credential... credentials)
        throws AuthenticationException, TicketException {
    Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
    Assert.notNull(service, "service cannot be null");

    final TicketGrantingTicket ticketGrantingTicket = this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

    if (ticketGrantingTicket == null) {
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
        throw new InvalidTicketException(ticketGrantingTicketId);
    }

    // Expiry is checked and the TGT deleted under its monitor.
    synchronized (ticketGrantingTicket) {
        if (ticketGrantingTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
            logger.debug("TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.", ticketGrantingTicketId);
            throw new InvalidTicketException(ticketGrantingTicketId);
        }
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, service);
    
    // Only a reused TGT without fresh credentials is refused for an SSO-disabled service;
    // supplying credentials (re-authentication) passes this check.
    if (!registeredService.isSsoEnabled() && credentials == null
        && ticketGrantingTicket.getCountOfUses() > 0) {
        logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
        throw new UnauthorizedSsoServiceException();
    }

    //CAS-1019
    // More than one chained authentication means the TGT is part of a proxy chain.
    final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
    if(authns.size() > 1) {
        if (!registeredService.isAllowedToProxy()) {
            final String message = String.
                    format("ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
                    service.getId(), registeredService.toString());
            logger.warn(message);
            throw new UnauthorizedProxyingException(message);
        }
    }

    if (credentials != null) {
        // Re-authentication must not switch identities mid-session.
        final Authentication current = this.authenticationManager.authenticate(credentials);
        final Authentication original = ticketGrantingTicket.getAuthentication();
        if (!current.getPrincipal().equals(original.getPrincipal())) {
            throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal());
        }
        // Mutates the shared TGT in place by appending the new authentication.
        ticketGrantingTicket.getSupplementalAuthentications().add(current);
    }

    // Perform security policy check by getting the authentication that satisfies the configured policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(ticketGrantingTicket.getRoot(), new ServiceContext(service, registeredService));

    // Ticket id generators are keyed by the concrete Service class name.
    final String uniqueTicketIdGenKey = service.getClass().getName();
    if (!this.uniqueTicketIdGeneratorsForService.containsKey(uniqueTicketIdGenKey)) {
        logger.warn("Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator",
                uniqueTicketIdGenKey, service.getId());
        throw new UnauthorizedSsoServiceException();
    }
    
    final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
            this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);

    final String generatedServiceTicketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX);
    logger.debug("Generated service ticket id [{}] for ticket granting ticket [{}]",
            generatedServiceTicketId, ticketGrantingTicket.getId());
    
    // The last argument records whether this grant was backed by fresh credentials.
    final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket(generatedServiceTicketId, service,
            this.serviceTicketExpirationPolicy, credentials != null);

    this.serviceTicketRegistry.addTicket(serviceTicket);

    if (logger.isInfoEnabled()) {
        // Audit line: the principal is taken from the last authentication in the chain.
        final List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications();
        final String formatString = "Granted %s ticket [%s] for service [%s] for user [%s]";
        final String type;
        final String principalId = authentications.get(authentications.size() - 1).getPrincipal().getId();

        if (authentications.size() == 1) {
            type = "service";
        } else {
            type = "proxy";
        }

        logger.info(String.format(formatString, type, serviceTicket.getId(), service.getId(), principalId));
    }

    return serviceTicket.getId();
}
 
Example #19
Source File: RemoteCentralAuthenticationService.java — from springboot-shiro-cas-mybatis, MIT License
/**
 * {@inheritDoc}
 * Pure pass-through to the wrapped central authentication service.
 *
 * @param ticketId the id of the ticket to fetch
 * @param clazz    the expected ticket type
 * @param <T>      the ticket type the caller expects
 * @return the delegate's result for the same arguments
 * @throws InvalidTicketException if the delegate rejects the ticket id
 */
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    final T ticket = this.centralAuthenticationService.getTicket(ticketId, clazz);
    return ticket;
}
 
Example #20
Source File: CentralAuthenticationServiceImpl.java — from springboot-shiro-cas-mybatis, MIT License
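/**
 * Validates a service ticket against the service presented by the caller and, on success, builds
 * the {@link Assertion} handed back to that service.
 *
 * <p>Order of checks as implemented below: the service registration is resolved and verified
 * first; then a ticket that is missing from the registry, expired, or bound to a different
 * service is rejected before any principal or attribute data is touched. The expiry and
 * service-match checks run under the ticket's monitor so that two concurrent validations of the
 * same ticket observe a consistent state. The {@code finally} block removes the ticket from the
 * registry whenever it is expired at the end of the call, on success and failure alike.
 *
 * @param serviceTicketId the identifier of the service ticket to validate; caller-supplied and
 *                        therefore untrusted
 * @param service the service the caller claims the ticket was issued for
 * @return an immutable assertion carrying the authentication with a service-specific principal
 *         (resolved username plus released attributes only), the chained authentications, the
 *         ticket's own service and its from-new-login flag
 * @throws InvalidTicketException if the ticket does not exist in the registry or has expired
 * @throws UnrecognizableServiceForServiceTicketValidationException if the ticket was not issued
 *         for {@code service}
 * @throws TicketException for failures raised by the helpers this method calls
 *         ({@code verifyRegisteredServiceProperties}, {@code getAuthenticationSatisfiedByPolicy}),
 *         which are defined elsewhere in this class
 */
@Audit(
    action="SERVICE_TICKET_VALIDATE",
    actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER",
    resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name="VALIDATE_SERVICE_TICKET_TIMER")
@Metered(name="VALIDATE_SERVICE_TICKET_METER")
@Counted(name="VALIDATE_SERVICE_TICKET_COUNTER", monotonic=true)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException {
    // The registration is checked before the ticket is even looked up; verifyRegisteredServiceProperties
    // is defined elsewhere in this class and is expected to throw for a rejected registration.
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    verifyRegisteredServiceProperties(registeredService, service);

    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        // Caller-supplied id: the message states only that it is unknown.
        logger.info("Service ticket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    try {
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            // The ticket must have been issued for exactly the service now presenting it.
            if (!serviceTicket.isValidFor(service)) {
                logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
            }
        }

        // getRoot() walks to the top of the granting chain; presumably so the authentication policy is
        // evaluated against the original login rather than an intermediate proxy-granting ticket.
        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        final AttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
        logger.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);

        // A service with no release policy gets no attributes. A typed empty map replaces the raw
        // Collections.EMPTY_MAP, which needed an unchecked-conversion suppression.
        final Map<String, Object> attributesToRelease = attributePolicy != null
                ? attributePolicy.getAttributes(principal) : Collections.<String, Object>emptyMap();

        // The principal handed to the service carries the service-specific username and only the
        // released attributes, not the internal principal as authenticated.
        final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, service);
        final Principal modifiedPrincipal = this.principalFactory.createPrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = DefaultAuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        return new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());
    } finally {
        // Runs on success and failure alike: an expired ticket must not remain fetchable from the
        // registry. Whether this validation itself expires a single-use ticket depends on the
        // expiration policy, which is not visible here.
        if (serviceTicket.isExpired()) {
            this.serviceTicketRegistry.deleteTicket(serviceTicketId);
        }
    }
}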
 
Example #21
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at TRACE with an explicit marker and a two-level cause chain
 * ({@code RuntimeException} wrapping {@code InvalidTicketException}), then runs the shared
 * log-output check ({@code validateLogData}, defined elsewhere in this class).
 */
@Test
public void verifyLogging5() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.trace(getMarker("trace"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example #22
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at TRACE without a marker, passing a {@code RuntimeException} whose cause is an
 * {@code InvalidTicketException}, then runs the shared log-output check.
 */
@Test
public void verifyLogging9() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.trace(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example #23
Source File: CentralAuthenticationServiceImplWithMockitoTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * A null ticket id must be rejected with {@code IllegalArgumentException} (the expectation is
 * declared on the annotation, so the test passes only if that exception escapes the call).
 *
 * @throws InvalidTicketException declared because {@code getTicket} declares it; not expected here
 */
@Test(expected=IllegalArgumentException.class)
public void getTicketGrantingTicketIfTicketIdIsNull() throws InvalidTicketException {
    final String absentTicketId = null;
    this.cas.getTicket(absentTicketId, TicketGrantingTicket.class);
}
 
Example #24
Source File: CentralAuthenticationServiceImplWithMockitoTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Negative path for proxy delegation: delegating from a service ticket id that is not in the
 * registry must fail with {@code InvalidTicketException}, which the annotation expects.
 *
 * @throws Exception anything other than the expected exception fails the test
 */
@Test(expected=InvalidTicketException.class)
public void verifyNonExistentServiceWhenDelegatingTicketGrantingTicket() throws Exception {
    final String unknownServiceTicketId = "bad-st";
    this.cas.delegateTicketGrantingTicket(unknownServiceTicketId,
            TestUtils.getCredentialsWithSameUsernameAndPassword());
}
 
Example #25
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at ERROR without a marker, passing a {@code RuntimeException} that wraps an
 * {@code InvalidTicketException}, then runs the shared log-output check.
 */
@Test
public void verifyLogging91110() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.error(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example #26
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at ERROR with the "error" marker and a {@code RuntimeException} wrapping an
 * {@code InvalidTicketException}, then runs the shared log-output check.
 */
@Test
public void verifyLogging51110() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.error(getMarker("error"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example #27
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at WARN without a marker, passing a {@code RuntimeException} that wraps an
 * {@code InvalidTicketException}, then runs the shared log-output check.
 */
@Test
public void verifyLogging9111() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.warn(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example #28
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at WARN with the "warn" marker and a {@code RuntimeException} wrapping an
 * {@code InvalidTicketException}, then runs the shared log-output check.
 */
@Test
public void verifyLogging5111() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.warn(getMarker("warn"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example #29
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at INFO without a marker, passing a {@code RuntimeException} that wraps an
 * {@code InvalidTicketException}, then runs the shared log-output check.
 */
@Test
public void verifyLogging911() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.info(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example #30
Source File: CasLoggerFactoryTests.java    From springboot-shiro-cas-mybatis with MIT License
/**
 * Logs at INFO with the "info" marker and a {@code RuntimeException} wrapping an
 * {@code InvalidTicketException}, then runs the shared log-output check.
 */
@Test
public void verifyLogging511() {
    final InvalidTicketException rootCause = new InvalidTicketException(ID2);
    final RuntimeException wrapped = new RuntimeException(ID1, rootCause);
    logger.info(getMarker("info"), getMessageToLog(), wrapped);
    validateLogData();
}