public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFilter
A service ticket consists of an opaque ticket string. It arrives at this filter by the user's browser successfully
authenticating using CAS, and then receiving a HTTP redirect to a service. The opaque ticket string is
presented in the ticket request parameter.
This filter monitors the service URL so it can
receive the service ticket and process it. By default this filter processes the URL /j_spring_cas_security_check.
When processing this URL, the value of ServiceProperties.getService() is used as the service when validating
the ticket. This means that it is important that ServiceProperties.getService() specifies the same value
as the filterProcessesUrl.
Processing the service ticket involves creating a UsernamePasswordAuthenticationToken which
uses CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the
credentials.
If specified, the filter can also monitor the proxyReceptorUrl. The filter will respond to requests matching
this url so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl a non-null
proxyGrantingTicketStorage must be provided in order for the filter to respond to proxy receptor requests. By configuring
a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter one can have the
CasAuthenticationFilter handle the proxying requirements for CAS.
The filter can process tickets present on any url. This is useful when wanting to process proxy tickets. In order for proxy
tickets to get processed ServiceProperties.isAuthenticateAllArtifacts() must return true. Additionally,
if the request is already authenticated, authentication will not occur. Last, AuthenticationDetailsSource.buildDetails(Object)
must return a ServiceAuthenticationDetails. This can be accomplished using the ServiceAuthenticationDetailsSource.
In this case ServiceAuthenticationDetails.getServiceUrl() will be used for the service url.
Processing the proxy ticket involves creating a UsernamePasswordAuthenticationToken which
uses CAS_STATELESS_IDENTIFIER for the principal and the opaque ticket string as the
credentials. When a proxy ticket is successfully authenticated, the FilterChain continues and the
authenticationSuccessHandler is not used.
AuthenticationManager
The configured AuthenticationManager is expected to provide a provider that can recognise
UsernamePasswordAuthenticationTokens containing this special principal name, and process
them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of
ServiceAuthenticationDetails.getServiceUrl() as the service when validating the ticket.
An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:
<b:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties"
p:service="https://service.example.com/cas-sample/j_spring_cas_security_check"
p:authenticateAllArtifacts="true"/>
<b:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" />
<b:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter"
p:authenticationManager-ref="authManager"
p:serviceProperties-ref="serviceProperties"
p:proxyGrantingTicketStorage-ref="pgtStorage"
p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
<b:property name="authenticationDetailsSource">
<b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
</b:property>
<b:property name="authenticationFailureHandler">
<b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/casfailed.jsp"/>
</b:property>
</b:bean>
<!--
NOTE: In a real application you should not use an in memory implementation. You will also want
to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup()
-->
<b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
<b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
p:serviceProperties-ref="serviceProperties"
p:key="casAuthProviderKey">
<b:property name="authenticationUserDetailsService">
<b:bean
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<b:constructor-arg ref="userService" />
</b:bean>
</b:property>
<b:property name="ticketValidator">
<b:bean
class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
p:acceptAnyProxy="true"
p:proxyCallbackUrl="https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor"
p:proxyGrantingTicketStorage-ref="pgtStorage">
<b:constructor-arg value="https://login.example.org/cas" />
</b:bean>
</b:property>
<b:property name="statelessTicketCache">
<b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
<b:property name="cache">
<b:bean class="net.sf.ehcache.Cache"
init-method="initialise"
destroy-method="dispose">
<b:constructor-arg value="casTickets"/>
<b:constructor-arg value="50"/>
<b:constructor-arg value="true"/>
<b:constructor-arg value="false"/>
<b:constructor-arg value="3600"/>
<b:constructor-arg value="900"/>
</b:bean>
</b:property>
</b:bean>
</b:property>
</b:bean>
| Modifier and Type | Field and Description |
|---|---|
static String |
CAS_STATEFUL_IDENTIFIER
Used to identify a CAS request for a stateful user agent, such as a web browser.
|
static String |
CAS_STATELESS_IDENTIFIER
Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g.
|
authenticationDetailsSource, eventPublisher, messages, SPRING_SECURITY_LAST_EXCEPTION_KEYlogger| Constructor and Description |
|---|
CasAuthenticationFilter() |
| Modifier and Type | Method and Description |
|---|---|
Authentication |
attemptAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Performs actual authentication.
|
protected String |
obtainArtifact(javax.servlet.http.HttpServletRequest request)
If present, gets the artifact (CAS ticket) from the
HttpServletRequest. |
protected boolean |
requiresAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Overridden to provide proxying capabilities.
|
void |
setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
Wraps the
AuthenticationFailureHandler to distinguish between
handling proxy ticket authentication failures and service ticket
failures. |
void |
setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
Sets the
AuthenticationFailureHandler for proxy requests. |
void |
setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage) |
void |
setProxyReceptorUrl(String proxyReceptorUrl) |
void |
setServiceProperties(ServiceProperties serviceProperties) |
protected void |
successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain,
Authentication authResult)
Default behaviour for successful authentication.
|
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getFilterProcessesUrl, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthenticationaddRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContextpublic static final String CAS_STATEFUL_IDENTIFIER
public static final String CAS_STATELESS_IDENTIFIER
HttpSession will result in a new authentication attempt on every request.protected final void successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain,
Authentication authResult)
throws IOException,
javax.servlet.ServletException
AbstractAuthenticationProcessingFilterSecurityContextHolderInteractiveAuthenticationSuccessEvent via the configured
ApplicationEventPublisherAuthenticationSuccessHandler.FilterChain after successful authentication.successfulAuthentication in class AbstractAuthenticationProcessingFilterauthResult - the object returned from the attemptAuthentication method.IOExceptionjavax.servlet.ServletExceptionpublic Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws AuthenticationException, IOException
AbstractAuthenticationProcessingFilterThe implementation should do one of the following:
attemptAuthentication in class AbstractAuthenticationProcessingFilterrequest - from which to extract parameters and perform the authenticationresponse - the response, which may be needed if the implementation has to do a redirect as part of a
multi-stage authentication process (such as OpenID).AuthenticationException - if authentication fails.IOExceptionprotected String obtainArtifact(javax.servlet.http.HttpServletRequest request)
HttpServletRequest.request - HttpServletRequest, else nullprotected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
requiresAuthentication in class AbstractAuthenticationProcessingFiltertrue if the filter should attempt authentication, false otherwise.public final void setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
AuthenticationFailureHandler for proxy requests.proxyFailureHandler - public final void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
AuthenticationFailureHandler to distinguish between
handling proxy ticket authentication failures and service ticket
failures.setAuthenticationFailureHandler in class AbstractAuthenticationProcessingFilterpublic final void setProxyReceptorUrl(String proxyReceptorUrl)
public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
public final void setServiceProperties(ServiceProperties serviceProperties)