Class CasAuthenticationFilter

- java.lang.Object
  - org.springframework.web.filter.GenericFilterBean
    - org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      - org.springframework.security.cas.web.CasAuthenticationFilter

All Implemented Interfaces:
javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFilter
Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.

Service Tickets

A service ticket consists of an opaque ticket string. It arrives at this filter by the user's browser successfully authenticating using CAS, and then receiving a HTTP redirect to a service. The opaque ticket string is presented in the ticket request parameter.

This filter monitors the service URL so it can receive the service ticket and process it. By default this filter processes the URL /login/cas. When processing this URL, the value of ServiceProperties.getService() is used as the service when validating the ticket. This means that it is important that ServiceProperties.getService() specifies the same value as the filterProcessesUrl.

Processing the service ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the credentials.

Obtaining Proxy Granting Tickets

If specified, the filter can also monitor the proxyReceptorUrl. The filter will respond to requests matching this url so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl a non-null proxyGrantingTicketStorage must be provided in order for the filter to respond to proxy receptor requests. By configuring a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter one can have the CasAuthenticationFilter handle the proxying requirements for CAS.

Proxy Tickets

The filter can process tickets present on any url. This is useful when wanting to process proxy tickets. In order for proxy tickets to get processed ServiceProperties.isAuthenticateAllArtifacts() must return true. Additionally, if the request is already authenticated, authentication will not occur. Last, AuthenticationDetailsSource.buildDetails(Object) must return a ServiceAuthenticationDetails. This can be accomplished using the ServiceAuthenticationDetailsSource. In this case ServiceAuthenticationDetails.getServiceUrl() will be used for the service url.

Processing the proxy ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATELESS_IDENTIFIER for the principal and the opaque ticket string as the credentials. When a proxy ticket is successfully authenticated, the FilterChain continues and the authenticationSuccessHandler is not used.

Notes about the AuthenticationManager

The configured AuthenticationManager is expected to provide a provider that can recognise UsernamePasswordAuthenticationTokens containing this special principal name, and process them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of ServiceAuthenticationDetails.getServiceUrl() as the service when validating the ticket.

Example Configuration

An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:

<b:bean id="serviceProperties"
    class="org.springframework.security.cas.ServiceProperties"
    p:service="https://service.example.com/cas-sample/login/cas"
    p:authenticateAllArtifacts="true"/>
<b:bean id="casEntryPoint"
    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
    p:serviceProperties-ref="serviceProperties"
    p:loginUrl="https://login.example.org/cas/login" />
<b:bean id="casFilter"
    class="org.springframework.security.cas.web.CasAuthenticationFilter"
    p:authenticationManager-ref="authManager"
    p:serviceProperties-ref="serviceProperties"
    p:proxyGrantingTicketStorage-ref="pgtStorage"
    p:proxyReceptorUrl="/login/cas/proxyreceptor">
  <b:property name="authenticationDetailsSource">
    <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
  </b:property>
  <b:property name="authenticationFailureHandler">
    <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
        p:defaultFailureUrl="/casfailed.jsp"/>
  </b:property>
</b:bean>
<!--
  NOTE: In a real application you should not use an in memory implementation.
  You will also want to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup()
-->
<b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
<b:bean id="casAuthProvider"
    class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
    p:serviceProperties-ref="serviceProperties"
    p:key="casAuthProviderKey">
  <b:property name="authenticationUserDetailsService">
    <b:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <b:constructor-arg ref="userService" />
    </b:bean>
  </b:property>
  <b:property name="ticketValidator">
    <b:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
        p:acceptAnyProxy="true"
        p:proxyCallbackUrl="https://service.example.com/cas-sample/login/cas/proxyreceptor"
        p:proxyGrantingTicketStorage-ref="pgtStorage">
      <b:constructor-arg value="https://login.example.org/cas" />
    </b:bean>
  </b:property>
  <b:property name="statelessTicketCache">
    <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
      <b:property name="cache">
        <b:bean class="net.sf.ehcache.Cache" init-method="initialise" destroy-method="dispose">
          <b:constructor-arg value="casTickets"/>
          <b:constructor-arg value="50"/>
          <b:constructor-arg value="true"/>
          <b:constructor-arg value="false"/>
          <b:constructor-arg value="3600"/>
          <b:constructor-arg value="900"/>
        </b:bean>
      </b:property>
    </b:bean>
  </b:property>
</b:bean>
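
The constraints stated in the class description (service URL matching the filterProcessesUrl, proxyReceptorUrl requiring a non-null proxyGrantingTicketStorage, and the two prerequisites for proxy tickets) can be checked before deployment. The stand-alone Java check below is an added example, not Spring Security code; the Settings record, the check method and the separate context-path value are hypothetical, and the sample values are constructed from the example configuration above.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

// Added example (requires Java 16+ for records); not part of Spring Security.
public class CasFilterConfigCheck {

    // Hypothetical holder; values are copied by hand from the application's configuration.
    record Settings(String serviceUrl, String contextPath, String filterProcessesUrl,
                    String proxyReceptorUrl, boolean pgtStorageSet,
                    boolean proxyTicketsExpected, boolean authenticateAllArtifacts,
                    boolean serviceAuthDetailsSourceSet) {}

    // Returns the list of violated constraints; an empty list means the settings agree.
    static List<String> check(Settings s) {
        List<String> problems = new ArrayList<>();
        // The service validated with CAS must resolve to the URL this filter processes.
        String servicePath = URI.create(s.serviceUrl()).getPath();
        String expected = s.contextPath() + s.filterProcessesUrl();
        if (!expected.equals(servicePath)) {
            problems.add("service path " + servicePath + " does not match " + expected);
        }
        // Without storage the filter does not respond to proxy receptor requests.
        if (s.proxyReceptorUrl() != null && !s.pgtStorageSet()) {
            problems.add("proxyReceptorUrl is set but proxyGrantingTicketStorage is null");
        }
        // Proxy tickets on arbitrary URLs need both of the following.
        if (s.proxyTicketsExpected() && !s.authenticateAllArtifacts()) {
            problems.add("authenticateAllArtifacts must be true to process proxy tickets");
        }
        if (s.proxyTicketsExpected() && !s.serviceAuthDetailsSourceSet()) {
            problems.add("authenticationDetailsSource must build ServiceAuthenticationDetails");
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed from the example configuration on this page (context path assumed).
        Settings good = new Settings("https://service.example.com/cas-sample/login/cas",
                "/cas-sample", "/login/cas", "/login/cas/proxyreceptor", true, true, true, true);
        // Constructed misconfiguration: wrong service path, no PGT storage, artifacts flag off.
        Settings bad = new Settings("https://service.example.com/cas-sample/cas/callback",
                "/cas-sample", "/login/cas", "/login/cas/proxyreceptor", false, true, false, true);
        System.out.println("good: " + check(good));
        check(bad).forEach(p -> System.out.println("bad: " + p));
    }
}
```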

Field Summary

Fields (Modifier and Type, Field, Description):
- static java.lang.String CAS_STATEFUL_IDENTIFIER
  Used to identify a CAS request for a stateful user agent, such as a web browser.
- static java.lang.String CAS_STATELESS_IDENTIFIER
  Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc).

Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter:
authenticationDetailsSource, eventPublisher, messages

Constructor Summary

Constructors (Constructor, Description):
- CasAuthenticationFilter()

Method Summary

All Methods, Instance Methods, Concrete Methods (Modifier and Type, Method, Description):
- Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Performs actual authentication.
- protected java.lang.String obtainArtifact(javax.servlet.http.HttpServletRequest request)
  If present, gets the artifact (CAS ticket) from the HttpServletRequest.
- protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
  Overridden to provide proxying capabilities.
- void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
  Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.
- void setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
  Sets the AuthenticationFailureHandler for proxy requests.
- void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
- void setProxyReceptorUrl(java.lang.String proxyReceptorUrl)
- void setServiceProperties(ServiceProperties serviceProperties)
- protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, Authentication authResult)
  Default behaviour for successful authentication.

Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter:
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, unsuccessfulAuthentication

Field Detail

CAS_STATEFUL_IDENTIFIER
public static final java.lang.String CAS_STATEFUL_IDENTIFIER
Used to identify a CAS request for a stateful user agent, such as a web browser.
See Also:
- Constant Field Values

CAS_STATELESS_IDENTIFIER
public static final java.lang.String CAS_STATELESS_IDENTIFIER
Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc). Results in a more aggressive caching strategy being used, as the absence of a HttpSession will result in a new authentication attempt on every request.
See Also:
- Constant Field Values

Method Detail

successfulAuthentication
protected final void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, Authentication authResult) throws java.io.IOException, javax.servlet.ServletException
Description copied from class: AbstractAuthenticationProcessingFilter
Default behaviour for successful authentication.
- Sets the successful Authentication object on the SecurityContextHolder
- Informs the configured RememberMeServices of the successful login
- Fires an InteractiveAuthenticationSuccessEvent via the configured ApplicationEventPublisher
- Delegates additional behaviour to the AuthenticationSuccessHandler.
FilterChain after successful authentication.
Overrides:
- successfulAuthentication in class AbstractAuthenticationProcessingFilter
Parameters:
- authResult - the object returned from the attemptAuthentication method.
Throws:
- java.io.IOException
- javax.servlet.ServletException

attemptAuthentication
public Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, java.io.IOException
Description copied from class: AbstractAuthenticationProcessingFilter
Performs actual authentication.
The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
Specified by:
- attemptAuthentication in class AbstractAuthenticationProcessingFilter
Parameters:
- request - from which to extract parameters and perform the authentication
- response - the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
Returns:
- the authenticated user token, or null if authentication is incomplete.
Throws:
- AuthenticationException - if authentication fails.
- java.io.IOException

obtainArtifact
protected java.lang.String obtainArtifact(javax.servlet.http.HttpServletRequest request)
If present, gets the artifact (CAS ticket) from the HttpServletRequest.
Parameters:
- request -
Returns:
- if present the artifact from the HttpServletRequest, else null

requiresAuthentication
protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Overridden to provide proxying capabilities.
Overrides:
- requiresAuthentication in class AbstractAuthenticationProcessingFilter
Returns:
- true if the filter should attempt authentication, false otherwise.

setProxyAuthenticationFailureHandler
public final void setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
Sets the AuthenticationFailureHandler for proxy requests.
Parameters:
- proxyFailureHandler -

setAuthenticationFailureHandler
public final void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.
Overrides:
- setAuthenticationFailureHandler in class AbstractAuthenticationProcessingFilter

setProxyReceptorUrl
public final void setProxyReceptorUrl(java.lang.String proxyReceptorUrl)

setProxyGrantingTicketStorage
public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)

setServiceProperties
public final void setServiceProperties(ServiceProperties serviceProperties)