Class CasAuthenticationFilter

  extended by org.springframework.web.filter.GenericFilterBean
      extended by
          extended by
All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.MessageSourceAware, org.springframework.web.context.ServletContextAware

public class CasAuthenticationFilter
extends AbstractAuthenticationProcessingFilter

Processes a CAS service ticket.

A service ticket consists of an opaque ticket string. It arrives at this filter when the user's browser successfully authenticates with CAS and then receives an HTTP redirect to a service. The opaque ticket string is presented in the ticket request parameter. This filter monitors the service URL so it can receive the service ticket and process it. The CAS server knows which service URL to use via the ServiceProperties.getService() method.

Processing the service ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the credentials.

The configured AuthenticationManager is expected to provide a provider that can recognise UsernamePasswordAuthenticationTokens containing this special principal name, and process them accordingly by validating them with the CAS server.

By configuring a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter one can have the CasAuthenticationFilter handle the proxying requirements for CAS. In addition, the URI endpoint for the proxying would also need to be configured (i.e. the part after protocol, hostname, and port).

By default this filter processes the URL /j_spring_cas_security_check.
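The wiring described above, as an added example (not part of the original Javadoc or the Spring Security code base): one ProxyGrantingTicketStorage instance is shared by the ticket validator and the filter, and the proxy receptor is given as a URI path. The host names, the receptor path and the class name CasFilterWiring are assumptions chosen for illustration.

```java
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.web.CasAuthenticationFilter;

/** Added example: wires the filter and the ticket validator to one shared PGT storage. */
public class CasFilterWiring {
    // Assumed deployment values (placeholders, not taken from the Javadoc page).
    static final String CAS_SERVER = "https://cas.example.org/cas";
    static final String APP_BASE = "https://app.example.org/myapp";
    static final String PROXY_RECEPTOR_URI = "/j_spring_cas_security_proxyreceptor";

    // A single storage instance; the validator and the filter must both use it,
    // otherwise the proxy-granting ticket received by one is invisible to the other.
    private final ProxyGrantingTicketStorage pgtStorage = new ProxyGrantingTicketStorageImpl();

    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        // Must be the URL this filter processes (the default is used here),
        // because CAS redirects the browser to it with the ticket parameter.
        sp.setService(APP_BASE + "/j_spring_cas_security_check");
        return sp;
    }

    // Hand this validator to the CAS provider inside the AuthenticationManager.
    public Cas20ServiceTicketValidator ticketValidator() {
        Cas20ServiceTicketValidator validator = new Cas20ServiceTicketValidator(CAS_SERVER);
        // Absolute callback URL that the CAS server calls with the proxy-granting ticket.
        validator.setProxyCallbackUrl(APP_BASE + PROXY_RECEPTOR_URI);
        validator.setProxyGrantingTicketStorage(pgtStorage);
        return validator;
    }

    public CasAuthenticationFilter casFilter(AuthenticationManager authenticationManager) {
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager);
        filter.setServiceProperties(serviceProperties());
        filter.setProxyGrantingTicketStorage(pgtStorage);
        // Only the part after protocol, hostname and port.
        filter.setProxyReceptorUrl(PROXY_RECEPTOR_URI);
        return filter;
    }
}
```

Serve both the service URL and the proxy callback over HTTPS, and keep the service URL identical to the one the filter processes so the ticket is validated against the service it was issued for.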

Field Summary
static java.lang.String CAS_STATEFUL_IDENTIFIER
          Used to identify a CAS request for a stateful user agent, such as a web browser.
static java.lang.String CAS_STATELESS_IDENTIFIER
          Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc).
Fields inherited from class
authenticationDetailsSource, eventPublisher, messages, SPRING_SECURITY_LAST_EXCEPTION_KEY
Fields inherited from class org.springframework.web.filter.GenericFilterBean
Constructor Summary
Method Summary
 Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Performs actual authentication.
protected  boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
          Overridden to provide proxying capabilities.
 void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
 void setProxyReceptorUrl(java.lang.String proxyReceptorUrl)
 void setServiceProperties(ServiceProperties serviceProperties)
Methods inherited from class
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationDetailsSource, getAuthenticationManager, getFilterProcessesUrl, getRememberMeServices, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationFailureHandler, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail


public static final java.lang.String CAS_STATEFUL_IDENTIFIER
Used to identify a CAS request for a stateful user agent, such as a web browser.

See Also:
Constant Field Values


public static final java.lang.String CAS_STATELESS_IDENTIFIER
Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc). Results in a more aggressive caching strategy being used, as the absence of an HttpSession will result in a new authentication attempt on every request.

See Also:
Constant Field Values
Constructor Detail


public CasAuthenticationFilter()
Method Detail


public Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request,
                                            javax.servlet.http.HttpServletResponse response)
                                     throws AuthenticationException,
Description copied from class: AbstractAuthenticationProcessingFilter
Performs actual authentication.

The implementation should do one of the following:

  1. Return a populated authentication token for the authenticated user, indicating successful authentication
  2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
  3. Throw an AuthenticationException if the authentication process fails

Specified by:
attemptAuthentication in class AbstractAuthenticationProcessingFilter
Parameters:
request - from which to extract parameters and perform the authentication
response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
Returns:
the authenticated user token, or null if authentication is incomplete.
Throws:
AuthenticationException - if authentication fails.


protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request,
                                         javax.servlet.http.HttpServletResponse response)
Overridden to provide proxying capabilities.

Overrides:
requiresAuthentication in class AbstractAuthenticationProcessingFilter
Returns:
true if the filter should attempt authentication, false otherwise.


public final void setProxyReceptorUrl(java.lang.String proxyReceptorUrl)


public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)


public final void setServiceProperties(ServiceProperties serviceProperties)