public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFilter
A service ticket consists of an opaque ticket string. It arrives at this filter by the user's browser successfully
authenticating using CAS, and then receiving a HTTP redirect to a service
. The opaque ticket string is
presented in the ticket
request parameter.
This filter monitors the service
URL so it can
receive the service ticket and process it. By default this filter processes the URL /j_spring_cas_security_check.
When processing this URL, the value of ServiceProperties.getService()
is used as the service when validating
the ticket
. This means that it is important that ServiceProperties.getService()
specifies the same value
as the filterProcessesUrl.
Processing the service ticket involves creating a UsernamePasswordAuthenticationToken
which
uses CAS_STATEFUL_IDENTIFIER
for the principal
and the opaque ticket string as the
credentials
.
If specified, the filter can also monitor the proxyReceptorUrl
. The filter will respond to requests matching
this url so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl
a non-null
proxyGrantingTicketStorage
must be provided in order for the filter to respond to proxy receptor requests. By configuring
a shared ProxyGrantingTicketStorage
between the TicketValidator
and the CasAuthenticationFilter one can have the
CasAuthenticationFilter handle the proxying requirements for CAS.
The filter can process tickets present on any url. This is useful when wanting to process proxy tickets. In order for proxy
tickets to get processed ServiceProperties.isAuthenticateAllArtifacts()
must return true
. Additionally,
if the request is already authenticated, authentication will not occur. Last, AuthenticationDetailsSource.buildDetails(Object)
must return a ServiceAuthenticationDetails
. This can be accomplished using the ServiceAuthenticationDetailsSource
.
In this case ServiceAuthenticationDetails.getServiceUrl()
will be used for the service url.
Processing the proxy ticket involves creating a UsernamePasswordAuthenticationToken
which
uses CAS_STATELESS_IDENTIFIER
for the principal
and the opaque ticket string as the
credentials
. When a proxy ticket is successfully authenticated, the FilterChain continues and the
authenticationSuccessHandler
is not used.
AuthenticationManager
The configured AuthenticationManager
is expected to provide a provider that can recognise
UsernamePasswordAuthenticationToken
s containing this special principal
name, and process
them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of
ServiceAuthenticationDetails.getServiceUrl()
as the service when validating the ticket.
An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:
<b:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties" p:service="https://service.example.com/cas-sample/j_spring_cas_security_check" p:authenticateAllArtifacts="true"/> <b:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint" p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" /> <b:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter" p:authenticationManager-ref="authManager" p:serviceProperties-ref="serviceProperties" p:proxyGrantingTicketStorage-ref="pgtStorage" p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor"> <b:property name="authenticationDetailsSource"> <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/> </b:property> <b:property name="authenticationFailureHandler"> <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" p:defaultFailureUrl="/casfailed.jsp"/> </b:property> </b:bean> <!-- NOTE: In a real application you should not use an in memory implementation. You will also want to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup() --> <b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/> <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" p:serviceProperties-ref="serviceProperties" p:key="casAuthProviderKey"> <b:property name="authenticationUserDetailsService"> <b:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <b:constructor-arg ref="userService" /> </b:bean> </b:property> <b:property name="ticketValidator"> <b:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator" p:acceptAnyProxy="true" p:proxyCallbackUrl="https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor" p:proxyGrantingTicketStorage-ref="pgtStorage"> <b:constructor-arg value="https://login.example.org/cas" /> </b:bean> </b:property> <b:property name="statelessTicketCache"> <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache"> <b:property name="cache"> <b:bean class="net.sf.ehcache.Cache" init-method="initialise" destroy-method="dispose"> <b:constructor-arg value="casTickets"/> <b:constructor-arg value="50"/> <b:constructor-arg value="true"/> <b:constructor-arg value="false"/> <b:constructor-arg value="3600"/> <b:constructor-arg value="900"/> </b:bean> </b:property> </b:bean> </b:property> </b:bean>
Modifier and Type | Field and Description |
---|---|
static String |
CAS_STATEFUL_IDENTIFIER
Used to identify a CAS request for a stateful user agent, such as a web browser.
|
static String |
CAS_STATELESS_IDENTIFIER
Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g.
|
authenticationDetailsSource, eventPublisher, messages, SPRING_SECURITY_LAST_EXCEPTION_KEY
logger
Constructor and Description |
---|
CasAuthenticationFilter() |
Modifier and Type | Method and Description |
---|---|
Authentication |
attemptAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Performs actual authentication.
|
protected String |
obtainArtifact(javax.servlet.http.HttpServletRequest request)
If present, gets the artifact (CAS ticket) from the
HttpServletRequest . |
protected boolean |
requiresAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Overridden to provide proxying capabilities.
|
void |
setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
Wraps the
AuthenticationFailureHandler to distinguish between
handling proxy ticket authentication failures and service ticket
failures. |
void |
setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
Sets the
AuthenticationFailureHandler for proxy requests. |
void |
setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage) |
void |
setProxyReceptorUrl(String proxyReceptorUrl) |
void |
setServiceProperties(ServiceProperties serviceProperties) |
protected void |
successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain,
Authentication authResult)
Default behaviour for successful authentication.
|
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getFilterProcessesUrl, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
public static final String CAS_STATEFUL_IDENTIFIER
public static final String CAS_STATELESS_IDENTIFIER
HttpSession
will result in a new authentication attempt on every request.protected final void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, Authentication authResult) throws IOException, javax.servlet.ServletException
AbstractAuthenticationProcessingFilter
SecurityContextHolder
SessionAuthenticationStrategy
to handle any session-related behaviour
(such as creating a new session to protect against session-fixation attacks).InteractiveAuthenticationSuccessEvent
via the configured
ApplicationEventPublisherAuthenticationSuccessHandler
.FilterChain
after successful authentication.successfulAuthentication
in class AbstractAuthenticationProcessingFilter
authResult
- the object returned from the attemptAuthentication method.IOException
javax.servlet.ServletException
public Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, IOException
AbstractAuthenticationProcessingFilter
The implementation should do one of the following:
attemptAuthentication
in class AbstractAuthenticationProcessingFilter
request
- from which to extract parameters and perform the authenticationresponse
- the response, which may be needed if the implementation has to do a redirect as part of a
multi-stage authentication process (such as OpenID).AuthenticationException
- if authentication fails.IOException
protected String obtainArtifact(javax.servlet.http.HttpServletRequest request)
HttpServletRequest
.request
- HttpServletRequest
, else nullprotected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
requiresAuthentication
in class AbstractAuthenticationProcessingFilter
true
if the filter should attempt authentication, false
otherwise.public final void setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
AuthenticationFailureHandler
for proxy requests.proxyFailureHandler
- public final void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
AuthenticationFailureHandler
to distinguish between
handling proxy ticket authentication failures and service ticket
failures.setAuthenticationFailureHandler
in class AbstractAuthenticationProcessingFilter
public final void setProxyReceptorUrl(String proxyReceptorUrl)
public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
public final void setServiceProperties(ServiceProperties serviceProperties)