public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFilter
A service ticket consists of an opaque ticket string. It arrives at this filter by the
user's browser successfully authenticating using CAS, and then receiving a HTTP
redirect to a service
. The opaque ticket string is presented in the
ticket
request parameter.
This filter monitors the service
URL so it can receive the service ticket
and process it. By default this filter processes the URL /login/cas. When
processing this URL, the value of ServiceProperties.getService()
is used as the
service when validating the ticket
. This means that it is
important that ServiceProperties.getService()
specifies the same value as the
filterProcessesUrl.
Processing the service ticket involves creating a
UsernamePasswordAuthenticationToken
which uses
CAS_STATEFUL_IDENTIFIER
for the principal
and the opaque ticket
string as the credentials
.
If specified, the filter can also monitor the proxyReceptorUrl
. The filter
will respond to requests matching this url so that the CAS Server can provide a PGT to
the filter. Note that in addition to the proxyReceptorUrl
a non-null
proxyGrantingTicketStorage
must be provided in order for the filter to
respond to proxy receptor requests. By configuring a shared
ProxyGrantingTicketStorage
between the TicketValidator
and the
CasAuthenticationFilter one can have the CasAuthenticationFilter handle the proxying
requirements for CAS.
The filter can process tickets present on any url. This is useful when wanting to
process proxy tickets. In order for proxy tickets to get processed
ServiceProperties.isAuthenticateAllArtifacts()
must return true
.
Additionally, if the request is already authenticated, authentication will not
occur. Last, AuthenticationDetailsSource.buildDetails(Object)
must return a
ServiceAuthenticationDetails
. This can be accomplished using the
ServiceAuthenticationDetailsSource
. In this case
ServiceAuthenticationDetails.getServiceUrl()
will be used for the service url.
Processing the proxy ticket involves creating a
UsernamePasswordAuthenticationToken
which uses
CAS_STATELESS_IDENTIFIER
for the principal
and the opaque ticket
string as the credentials
. When a proxy ticket is successfully
authenticated, the FilterChain continues and the
authenticationSuccessHandler
is not used.
AuthenticationManager
The configured AuthenticationManager
is expected to provide a provider
that can recognise UsernamePasswordAuthenticationToken
s containing this
special principal
name, and process them accordingly by validation with
the CAS server. Additionally, it should be capable of using the result of
ServiceAuthenticationDetails.getServiceUrl()
as the service when validating the
ticket.
An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:
<b:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties" p:service="https://service.example.com/cas-sample/login/cas" p:authenticateAllArtifacts="true"/> <b:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint" p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" /> <b:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter" p:authenticationManager-ref="authManager" p:serviceProperties-ref="serviceProperties" p:proxyGrantingTicketStorage-ref="pgtStorage" p:proxyReceptorUrl="/login/cas/proxyreceptor"> <b:property name="authenticationDetailsSource"> <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/> </b:property> <b:property name="authenticationFailureHandler"> <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" p:defaultFailureUrl="/casfailed.jsp"/> </b:property> </b:bean> <!-- NOTE: In a real application you should not use an in memory implementation. You will also want to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup() --> <b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/> <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" p:serviceProperties-ref="serviceProperties" p:key="casAuthProviderKey"> <b:property name="authenticationUserDetailsService"> <b:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <b:constructor-arg ref="userService" /> </b:bean> </b:property> <b:property name="ticketValidator"> <b:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator" p:acceptAnyProxy="true" p:proxyCallbackUrl="https://service.example.com/cas-sample/login/cas/proxyreceptor" p:proxyGrantingTicketStorage-ref="pgtStorage"> <b:constructor-arg value="https://login.example.org/cas" /> </b:bean> </b:property> <b:property name="statelessTicketCache"> <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache"> <b:property name="cache"> <b:bean class="net.sf.ehcache.Cache" init-method="initialise" destroy-method="dispose"> <b:constructor-arg value="casTickets"/> <b:constructor-arg value="50"/> <b:constructor-arg value="true"/> <b:constructor-arg value="false"/> <b:constructor-arg value="3600"/> <b:constructor-arg value="900"/> </b:bean> </b:property> </b:bean> </b:property> </b:bean>
Modifier and Type | Field and Description |
---|---|
static String |
CAS_STATEFUL_IDENTIFIER
Used to identify a CAS request for a stateful user agent, such as a web browser.
|
static String |
CAS_STATELESS_IDENTIFIER
Used to identify a CAS request for a stateless user agent, such as a remoting
protocol client (e.g.
|
authenticationDetailsSource, eventPublisher, messages
logger
Constructor and Description |
---|
CasAuthenticationFilter() |
Modifier and Type | Method and Description |
---|---|
Authentication |
attemptAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Performs actual authentication.
|
protected String |
obtainArtifact(javax.servlet.http.HttpServletRequest request)
If present, gets the artifact (CAS ticket) from the
HttpServletRequest . |
protected boolean |
requiresAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Overridden to provide proxying capabilities.
|
void |
setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
Wraps the
AuthenticationFailureHandler to distinguish between handling
proxy ticket authentication failures and service ticket failures. |
void |
setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
Sets the
AuthenticationFailureHandler for proxy requests. |
void |
setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage) |
void |
setProxyReceptorUrl(String proxyReceptorUrl) |
void |
setServiceProperties(ServiceProperties serviceProperties) |
protected void |
successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain,
Authentication authResult)
Default behaviour for successful authentication.
|
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, unsuccessfulAuthentication
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
public static final String CAS_STATEFUL_IDENTIFIER
public static final String CAS_STATELESS_IDENTIFIER
HttpSession
will
result in a new authentication attempt on every request.protected final void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, Authentication authResult) throws IOException, javax.servlet.ServletException
AbstractAuthenticationProcessingFilter
SecurityContextHolder
InteractiveAuthenticationSuccessEvent
via the configured
ApplicationEventPublisherAuthenticationSuccessHandler
.FilterChain
after
successful authentication.successfulAuthentication
in class AbstractAuthenticationProcessingFilter
authResult
- the object returned from the attemptAuthentication
method.IOException
javax.servlet.ServletException
public Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, IOException
AbstractAuthenticationProcessingFilter
The implementation should do one of the following:
attemptAuthentication
in class AbstractAuthenticationProcessingFilter
request
- from which to extract parameters and perform the authenticationresponse
- the response, which may be needed if the implementation has to do a
redirect as part of a multi-stage authentication process (such as OpenID).AuthenticationException
- if authentication fails.IOException
protected String obtainArtifact(javax.servlet.http.HttpServletRequest request)
HttpServletRequest
.request
- HttpServletRequest
, else nullprotected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
requiresAuthentication
in class AbstractAuthenticationProcessingFilter
true
if the filter should attempt authentication,
false
otherwise.public final void setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
AuthenticationFailureHandler
for proxy requests.proxyFailureHandler
- public final void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
AuthenticationFailureHandler
to distinguish between handling
proxy ticket authentication failures and service ticket failures.setAuthenticationFailureHandler
in class AbstractAuthenticationProcessingFilter
public final void setProxyReceptorUrl(String proxyReceptorUrl)
public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
public final void setServiceProperties(ServiceProperties serviceProperties)