Spring Security Framework

Class CasProcessingFilter

  extended by org.springframework.security.ui.SpringSecurityFilter
      extended by org.springframework.security.ui.AbstractProcessingFilter
          extended by org.springframework.security.ui.cas.CasProcessingFilter
All Implemented Interfaces:
Filter, InitializingBean, ApplicationEventPublisherAware, MessageSourceAware, Ordered

public class CasProcessingFilter
extends AbstractProcessingFilter

Processes a CAS service ticket.

A service ticket consists of an opaque ticket string. It arrives at this filter after the user's browser successfully authenticates with CAS and then receives an HTTP redirect to a service. The opaque ticket string is presented in the ticket request parameter. This filter monitors the service URL so it can receive the service ticket and process it. The CAS server knows which service URL to use via the ServiceProperties.getService() method.

Processing the service ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the credentials.

The configured AuthenticationManager is expected to provide a provider that can recognise UsernamePasswordAuthenticationTokens containing this special principal name, and process them accordingly by validation with the CAS server.

By configuring a shared ProxyGrantingTicketStorage between the TicketValidator and the CasProcessingFilter, one can have the CasProcessingFilter handle the proxying requirements for CAS. In addition, the URI endpoint for the proxying also needs to be configured (i.e. the part after protocol, hostname, and port).

Do not use this class directly. Instead configure web.xml to use the FilterToBeanProxy.
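The shared ProxyGrantingTicketStorage wiring described above, as an added Spring bean definition that is not part of the original Javadoc. Host names, bean ids, the receptor path, the failure URL and the provider key are constructed placeholders; the `userDetailsService` bean is assumed to be defined elsewhere, and the storage and validator classes are taken from the Jasig CAS client library.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

  <!-- One storage instance, referenced by BOTH the filter and the validator, so the
       proxy-granting ticket received on the callback can be matched during validation. -->
  <bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

  <!-- Service URL CAS redirects back to; it must resolve to the filter's processing URL. -->
  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
    <property name="service" value="https://app.example.org/j_spring_cas_security_check"/>
  </bean>

  <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="proxyGrantingTicketStorage" ref="pgtStorage"/>
    <!-- URI part only: what follows protocol, hostname and port. -->
    <property name="proxyReceptorUrl" value="/secure/receptor"/>
  </bean>

  <bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    <constructor-arg value="https://cas.example.org/cas"/>
    <property name="proxyGrantingTicketStorage" ref="pgtStorage"/>
    <!-- Full HTTPS URL handed to CAS; its path must match the filter's proxyReceptorUrl. -->
    <property name="proxyCallbackUrl" value="https://app.example.org/secure/receptor"/>
  </bean>

  <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <property name="ticketValidator" ref="ticketValidator"/>
    <property name="serviceProperties" ref="serviceProperties"/>
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="key" value="REPLACE_WITH_PROVIDER_KEY"/>
  </bean>

  <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers"><list><ref bean="casAuthenticationProvider"/></list></property>
  </bean>
</beans>
```

If the filter and the validator are given separate storage instances, the callback is still received but the proxy-granting ticket cannot be matched when the service ticket is validated, so proxying does not work even though login does.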

Author:
Ben Alex

Field Summary
static String CAS_STATEFUL_IDENTIFIER
          Used to identify a CAS request for a stateful user agent, such as a web browser.
static String CAS_STATELESS_IDENTIFIER
          Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc).
Fields inherited from class org.springframework.security.ui.AbstractProcessingFilter
authenticationDetailsSource, eventPublisher, messages, SPRING_SECURITY_LAST_EXCEPTION_KEY, SPRING_SECURITY_SAVED_REQUEST_KEY
Fields inherited from class org.springframework.security.ui.SpringSecurityFilter
Fields inherited from interface org.springframework.core.Ordered
Constructor Summary
CasProcessingFilter()
Method Summary
 Authentication attemptAuthentication(HttpServletRequest request)
          Performs actual authentication.
 String getDefaultFilterProcessesUrl()
          This filter by default responds to /j_spring_cas_security_check.
 int getOrder()
protected  boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)
          Overridden to provide proxying capabilities.
 void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
 void setProxyReceptorUrl(String proxyReceptorUrl)
Methods inherited from class org.springframework.security.ui.AbstractProcessingFilter
afterPropertiesSet, determineFailureUrl, determineTargetUrl, doFilterHttp, getAllowSessionCreation, getAuthenticationDetailsSource, getAuthenticationFailureUrl, getAuthenticationManager, getDefaultTargetUrl, getExceptionMappings, getFilterProcessesUrl, getRememberMeServices, getTargetUrlResolver, obtainFullSavedRequestUrl, onPreAuthentication, onSuccessfulAuthentication, onUnsuccessfulAuthentication, sendRedirect, setAllowSessionCreation, setAlwaysUseDefaultTargetUrl, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureUrl, setAuthenticationManager, setContinueChainBeforeSuccessfulAuthentication, setDefaultTargetUrl, setExceptionMappings, setFilterProcessesUrl, setInvalidateSessionOnSuccessfulAuthentication, setMessageSource, setMigrateInvalidatedSessionAttributes, setRememberMeServices, setServerSideRedirect, setSessionRegistry, setTargetUrlResolver, setUseRelativeContext, successfulAuthentication, unsuccessfulAuthentication
Methods inherited from class org.springframework.security.ui.SpringSecurityFilter
destroy, doFilter, init, toString
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail


public static final String CAS_STATEFUL_IDENTIFIER
Used to identify a CAS request for a stateful user agent, such as a web browser.

See Also:
Constant Field Values


public static final String CAS_STATELESS_IDENTIFIER
Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc). Results in a more aggressive caching strategy being used, as the absence of an HttpSession will result in a new authentication attempt on every request.

See Also:
Constant Field Values
Constructor Detail


public CasProcessingFilter()
Method Detail


public Authentication attemptAuthentication(HttpServletRequest request)
                                     throws AuthenticationException
Description copied from class: AbstractProcessingFilter
Performs actual authentication.

Specified by:
attemptAuthentication in class AbstractProcessingFilter
Parameters:
request - from which to extract parameters and perform the authentication
Returns:
the authenticated user
Throws:
AuthenticationException - if authentication fails


public String getDefaultFilterProcessesUrl()
This filter by default responds to /j_spring_cas_security_check.

Specified by:
getDefaultFilterProcessesUrl in class AbstractProcessingFilter
Returns:
the default


public int getOrder()


protected boolean requiresAuthentication(HttpServletRequest request,
                                         HttpServletResponse response)
Overridden to provide proxying capabilities.

Overrides:
requiresAuthentication in class AbstractProcessingFilter
Parameters:
request - as received from the filter chain
response - as received from the filter chain
Returns:
true if the filter should attempt authentication, false otherwise


public final void setProxyReceptorUrl(String proxyReceptorUrl)


public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)

Copyright © 2004-2010 SpringSource, Inc. All Rights Reserved.