public class CasAuthenticationFilter
extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
A service ticket consists of an opaque ticket string. It arrives at this filter by the
user's browser successfully authenticating using CAS, and then receiving a HTTP
redirect to a service. The opaque ticket string is presented in the
ticket request parameter.
This filter monitors the service URL so it can receive the service ticket
and process it. By default this filter processes the URL /login/cas. When
processing this URL, the value of ServiceProperties.getService() is used as the
service when validating the ticket. This means that it is
important that ServiceProperties.getService() specifies the same value as the
filterProcessesUrl.
Processing the service ticket involves creating a
UsernamePasswordAuthenticationToken which uses
CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket
string as the credentials.
If specified, the filter can also monitor the proxyReceptorUrl. The filter
will respond to requests matching this url so that the CAS Server can provide a PGT to
the filter. Note that in addition to the proxyReceptorUrl a non-null
proxyGrantingTicketStorage must be provided in order for the filter to
respond to proxy receptor requests. By configuring a shared
ProxyGrantingTicketStorage between the TicketValidator and the
CasAuthenticationFilter one can have the CasAuthenticationFilter handle the proxying
requirements for CAS.
The filter can process tickets present on any url. This is useful when wanting to
process proxy tickets. In order for proxy tickets to get processed
ServiceProperties.isAuthenticateAllArtifacts() must return true.
Additionally, if the request is already authenticated, authentication will not
occur. Last, AuthenticationDetailsSource.buildDetails(Object) must return a
ServiceAuthenticationDetails. This can be accomplished using the
ServiceAuthenticationDetailsSource. In this case
ServiceAuthenticationDetails.getServiceUrl() will be used for the service url.
Processing the proxy ticket involves creating a
UsernamePasswordAuthenticationToken which uses
CAS_STATELESS_IDENTIFIER for the principal and the opaque ticket
string as the credentials. When a proxy ticket is successfully
authenticated, the FilterChain continues and the
authenticationSuccessHandler is not used.
AuthenticationManager
The configured AuthenticationManager is expected to provide a provider
that can recognise UsernamePasswordAuthenticationTokens containing this
special principal name, and process them accordingly by validation with
the CAS server. Additionally, it should be capable of using the result of
ServiceAuthenticationDetails.getServiceUrl() as the service when validating the
ticket.
An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:
<b:bean id="serviceProperties"
class="org.springframework.security.cas.ServiceProperties"
p:service="https://service.example.com/cas-sample/login/cas"
p:authenticateAllArtifacts="true"/>
<b:bean id="casEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" />
<b:bean id="casFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter"
p:authenticationManager-ref="authManager"
p:serviceProperties-ref="serviceProperties"
p:proxyGrantingTicketStorage-ref="pgtStorage"
p:proxyReceptorUrl="/login/cas/proxyreceptor">
<b:property name="authenticationDetailsSource">
<b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
</b:property>
<b:property name="authenticationFailureHandler">
<b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/casfailed.jsp"/>
</b:property>
</b:bean>
<!--
NOTE: In a real application you should not use an in memory implementation. You will also want
to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup()
-->
<b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
<b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
p:serviceProperties-ref="serviceProperties"
p:key="casAuthProviderKey">
<b:property name="authenticationUserDetailsService">
<b:bean
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<b:constructor-arg ref="userService" />
</b:bean>
</b:property>
<b:property name="ticketValidator">
<b:bean
class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
p:acceptAnyProxy="true"
p:proxyCallbackUrl="https://service.example.com/cas-sample/login/cas/proxyreceptor"
p:proxyGrantingTicketStorage-ref="pgtStorage">
<b:constructor-arg value="https://login.example.org/cas" />
</b:bean>
</b:property>
<b:property name="statelessTicketCache">
<b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
<b:property name="cache">
<b:bean class="net.sf.ehcache.Cache"
init-method="initialise"
destroy-method="dispose">
<b:constructor-arg value="casTickets"/>
<b:constructor-arg value="50"/>
<b:constructor-arg value="true"/>
<b:constructor-arg value="false"/>
<b:constructor-arg value="3600"/>
<b:constructor-arg value="900"/>
</b:bean>
</b:property>
</b:bean>
</b:property>
</b:bean>
| Modifier and Type | Field and Description |
|---|---|
static String |
CAS_STATEFUL_IDENTIFIER
Used to identify a CAS request for a stateful user agent, such as a web browser.
|
static String |
CAS_STATELESS_IDENTIFIER
Used to identify a CAS request for a stateless user agent, such as a remoting
protocol client (e.g.
|
authenticationDetailsSource, eventPublisher, messageslogger| Constructor and Description |
|---|
CasAuthenticationFilter() |
| Modifier and Type | Method and Description |
|---|---|
org.springframework.security.core.Authentication |
attemptAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response) |
protected String |
obtainArtifact(javax.servlet.http.HttpServletRequest request)
If present, gets the artifact (CAS ticket) from the
HttpServletRequest. |
protected boolean |
requiresAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
Overridden to provide proxying capabilities.
|
void |
setAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
Wraps the
AuthenticationFailureHandler to distinguish between handling
proxy ticket authentication failures and service ticket failures. |
void |
setProxyAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)
Sets the
AuthenticationFailureHandler for proxy requests. |
void |
setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage) |
void |
setProxyReceptorUrl(String proxyReceptorUrl) |
void |
setServiceProperties(ServiceProperties serviceProperties) |
protected void |
successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain,
org.springframework.security.core.Authentication authResult) |
afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, unsuccessfulAuthenticationaddRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContextpublic static final String CAS_STATEFUL_IDENTIFIER
public static final String CAS_STATELESS_IDENTIFIER
HttpSession will
result in a new authentication attempt on every request.protected final void successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain,
org.springframework.security.core.Authentication authResult)
throws IOException,
javax.servlet.ServletException
successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilterIOExceptionjavax.servlet.ServletExceptionpublic org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws org.springframework.security.core.AuthenticationException,
IOException
attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilterorg.springframework.security.core.AuthenticationExceptionIOExceptionprotected String obtainArtifact(javax.servlet.http.HttpServletRequest request)
HttpServletRequest.request - HttpServletRequest, else nullprotected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
requiresAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilterpublic final void setProxyAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)
AuthenticationFailureHandler for proxy requests.proxyFailureHandler - public final void setAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
AuthenticationFailureHandler to distinguish between handling
proxy ticket authentication failures and service ticket failures.setAuthenticationFailureHandler in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilterpublic final void setProxyReceptorUrl(String proxyReceptorUrl)
public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
public final void setServiceProperties(ServiceProperties serviceProperties)