Class CasAuthenticationFilter
- All Implemented Interfaces:
jakarta.servlet.Filter
,org.springframework.beans.factory.Aware
,org.springframework.beans.factory.BeanNameAware
,org.springframework.beans.factory.DisposableBean
,org.springframework.beans.factory.InitializingBean
,org.springframework.context.ApplicationEventPublisherAware
,org.springframework.context.EnvironmentAware
,org.springframework.context.MessageSourceAware
,org.springframework.core.env.EnvironmentCapable
,org.springframework.web.context.ServletContextAware
Service Tickets
A service ticket consists of an opaque ticket string. It arrives at this filter by the
user's browser successfully authenticating using CAS, and then receiving an HTTP
redirect to a service
. The opaque ticket string is presented in the
ticket
request parameter.
This filter monitors the service
URL so that it can receive the service
ticket and process it. By default, this filter processes the URL /login/cas.
When processing this URL, the value of ServiceProperties.getService()
is used
as the service when validating the ticket
. This means that it is
important that ServiceProperties.getService()
specifies the same value as the
filterProcessesUrl.
Processing the service ticket involves creating a
CasServiceTicketAuthenticationToken
which uses
CasServiceTicketAuthenticationToken.CAS_STATEFUL_IDENTIFIER
for the
principal
and the opaque ticket string as the credentials
.
Obtaining Proxy Granting Tickets
If specified, the filter can also monitor the proxyReceptorUrl
. The filter
will respond to the requests matching this url so that the CAS Server can provide a PGT
to the filter. Note that in addition to the proxyReceptorUrl
a non-null
proxyGrantingTicketStorage
must be provided in order for the filter to
respond to proxy receptor requests. By configuring a shared
ProxyGrantingTicketStorage
between the TicketValidator
and the
CasAuthenticationFilter
, one can have the
CasAuthenticationFilter
handling the proxying requirements for CAS.
Proxy Tickets
The filter can process tickets present on any url. This is useful when one wants to
process proxy tickets. In order for proxy tickets to get processed,
ServiceProperties.isAuthenticateAllArtifacts()
must return true
.
Additionally, if the request is already authenticated, authentication will not
occur. Last, AuthenticationDetailsSource.buildDetails(Object)
must return a
ServiceAuthenticationDetails
. This can be accomplished using the
ServiceAuthenticationDetailsSource
. In this case,
ServiceAuthenticationDetails.getServiceUrl()
will be used for the service url.
Processing the proxy ticket involves creating a
CasServiceTicketAuthenticationToken
which uses
CasServiceTicketAuthenticationToken.CAS_STATELESS_IDENTIFIER
for the
principal
and the opaque ticket string as the credentials
.
When a proxy ticket is successfully authenticated, the FilterChain continues and the
authenticationSuccessHandler
is not used.
Notes about the AuthenticationManager
The configured AuthenticationManager
is expected to provide a provider
that can recognise CasServiceTicketAuthenticationToken
s containing this
special principal
name, and process them accordingly by validation with
the CAS server. Additionally, it should be capable of using the result of
ServiceAuthenticationDetails.getServiceUrl()
as the service when validating the
ticket.
Example Configuration
An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:
<b:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties" p:service="https://service.example.com/cas-sample/login/cas" p:authenticateAllArtifacts="true"/> <b:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint" p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" /> <b:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter" p:authenticationManager-ref="authManager" p:serviceProperties-ref="serviceProperties" p:proxyGrantingTicketStorage-ref="pgtStorage" p:proxyReceptorUrl="/login/cas/proxyreceptor"> <b:property name="authenticationDetailsSource"> <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/> </b:property> <b:property name="authenticationFailureHandler"> <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" p:defaultFailureUrl="/casfailed.jsp"/> </b:property> </b:bean> <!-- NOTE: In a real application you should not use an in memory implementation. You will also want to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup() --> <b:bean id="pgtStorage" class="org.apereo.cas.client.proxy.ProxyGrantingTicketStorageImpl"/> <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" p:serviceProperties-ref="serviceProperties" p:key="casAuthProviderKey"> <b:property name="authenticationUserDetailsService"> <b:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <b:constructor-arg ref="userService" /> </b:bean> </b:property> <b:property name="ticketValidator"> <b:bean class="org.apereo.cas.client.validation.Cas20ProxyTicketValidator" p:acceptAnyProxy="true" p:proxyCallbackUrl="https://service.example.com/cas-sample/login/cas/proxyreceptor" p:proxyGrantingTicketStorage-ref="pgtStorage"> <b:constructor-arg value="https://login.example.org/cas" /> </b:bean> </b:property> <b:property name="statelessTicketCache"> <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache"> <b:property name="cache"> <b:bean class="net.sf.ehcache.Cache" init-method="initialise" destroy-method="dispose"> <b:constructor-arg value="casTickets"/> <b:constructor-arg value="50"/> <b:constructor-arg value="true"/> <b:constructor-arg value="false"/> <b:constructor-arg value="3600"/> <b:constructor-arg value="900"/> </b:bean> </b:property> </b:bean> </b:property> </b:bean>
-
Field Summary
Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
authenticationDetailsSource, eventPublisher, messages
Fields inherited from class org.springframework.web.filter.GenericFilterBean
logger
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionattemptAuthentication
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Performs actual authentication.protected String
obtainArtifact
(jakarta.servlet.http.HttpServletRequest request) If present, gets the artifact (CAS ticket) from theHttpServletRequest
.protected boolean
requiresAuthentication
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Overridden to provide proxying capabilities.final void
setAuthenticationFailureHandler
(AuthenticationFailureHandler failureHandler) Wraps theAuthenticationFailureHandler
to distinguish between handling proxy ticket authentication failures and service ticket failures.final void
setProxyAuthenticationFailureHandler
(AuthenticationFailureHandler proxyFailureHandler) Sets theAuthenticationFailureHandler
for proxy requests.final void
setProxyGrantingTicketStorage
(org.apereo.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage) final void
setProxyReceptorUrl
(String proxyReceptorUrl) final void
setRedirectStrategy
(RedirectStrategy redirectStrategy) Set theRedirectStrategy
used to redirect to the saved request if there is one saved.final void
setRequestCache
(RequestCache requestCache) TheRequestCache
used to retrieve the saved request in failed gateway authentication scenarios.void
setSecurityContextHolderStrategy
(SecurityContextHolderStrategy securityContextHolderStrategy) Sets theSecurityContextHolderStrategy
to use.void
setSecurityContextRepository
(SecurityContextRepository securityContextRepository) Sets theSecurityContextRepository
to save theSecurityContext
on authentication success.final void
setServiceProperties
(ServiceProperties serviceProperties) protected final void
successfulAuthentication
(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, Authentication authResult) Default behaviour for successful authentication.Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, unsuccessfulAuthentication
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
-
Constructor Details
-
CasAuthenticationFilter
public CasAuthenticationFilter()
-
-
Method Details
-
successfulAuthentication
protected final void successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, Authentication authResult) throws IOException, jakarta.servlet.ServletException Description copied from class:AbstractAuthenticationProcessingFilter
Default behaviour for successful authentication.- Sets the successful Authentication object on the
SecurityContextHolder
- Informs the configured RememberMeServices of the successful login
- Fires an
InteractiveAuthenticationSuccessEvent
via the configured ApplicationEventPublisher - Delegates additional behaviour to the
AuthenticationSuccessHandler
.
FilterChain
after successful authentication.- Overrides:
successfulAuthentication
in classAbstractAuthenticationProcessingFilter
authResult
- the object returned from the attemptAuthentication method.- Throws:
IOException
jakarta.servlet.ServletException
- Sets the successful Authentication object on the
-
attemptAuthentication
public Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws AuthenticationException, IOException Description copied from class:AbstractAuthenticationProcessingFilter
Performs actual authentication.The implementation should do one of the following:
- Return a populated authentication token for the authenticated user, indicating successful authentication
- Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
- Throw an AuthenticationException if the authentication process fails
- Specified by:
attemptAuthentication
in classAbstractAuthenticationProcessingFilter
- Parameters:
request
- from which to extract parameters and perform the authenticationresponse
- the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OIDC).- Returns:
- the authenticated user token, or null if authentication is incomplete.
- Throws:
AuthenticationException
- if authentication fails.IOException
-
obtainArtifact
If present, gets the artifact (CAS ticket) from theHttpServletRequest
.- Parameters:
request
-- Returns:
- if present the artifact from the
HttpServletRequest
, else null
-
requiresAuthentication
protected boolean requiresAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) Overridden to provide proxying capabilities.- Overrides:
requiresAuthentication
in classAbstractAuthenticationProcessingFilter
- Returns:
true
if the filter should attempt authentication,false
otherwise.
-
setProxyAuthenticationFailureHandler
public final void setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler) Sets theAuthenticationFailureHandler
for proxy requests.- Parameters:
proxyFailureHandler
-
-
setAuthenticationFailureHandler
Wraps theAuthenticationFailureHandler
to distinguish between handling proxy ticket authentication failures and service ticket failures.- Overrides:
setAuthenticationFailureHandler
in classAbstractAuthenticationProcessingFilter
-
setProxyReceptorUrl
-
setProxyGrantingTicketStorage
public final void setProxyGrantingTicketStorage(org.apereo.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage) -
setServiceProperties
-
setSecurityContextRepository
Description copied from class:AbstractAuthenticationProcessingFilter
Sets theSecurityContextRepository
to save theSecurityContext
on authentication success. The default action is not to save theSecurityContext
.- Overrides:
setSecurityContextRepository
in classAbstractAuthenticationProcessingFilter
- Parameters:
securityContextRepository
- theSecurityContextRepository
to use. Cannot be null.
-
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) Description copied from class:AbstractAuthenticationProcessingFilter
Sets theSecurityContextHolderStrategy
to use. The default action is to use theSecurityContextHolderStrategy
stored inSecurityContextHolder
.- Overrides:
setSecurityContextHolderStrategy
in classAbstractAuthenticationProcessingFilter
-
setRedirectStrategy
Set theRedirectStrategy
used to redirect to the saved request if there is one saved. Defaults toDefaultRedirectStrategy
.- Parameters:
redirectStrategy
- the redirect strategy to use- Since:
- 6.3
-
setRequestCache
TheRequestCache
used to retrieve the saved request in failed gateway authentication scenarios.- Parameters:
requestCache
- the request cache to use- Since:
- 6.3
-