spring-security-cas
java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.cas.web.CasAuthenticationFilter
public class CasAuthenticationFilter
Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.
A service ticket consists of an opaque ticket string. It arrives at this filter when the user's browser successfully
authenticates with CAS and then receives an HTTP redirect to a service. The opaque ticket string is
presented in the ticket request parameter.
This filter monitors the service URL so it can
receive the service ticket and process it. By default this filter processes the URL /j_spring_cas_security_check.
When processing this URL, the value of ServiceProperties.getService() is used as the service when validating
the ticket. This means that it is important that ServiceProperties.getService() specifies the same value
as the filterProcessesUrl.
Processing the service ticket involves creating a UsernamePasswordAuthenticationToken which
uses CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the
credentials.
If specified, the filter can also monitor the proxyReceptorUrl. The filter will respond to requests matching
this URL so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl a non-null
proxyGrantingTicketStorage must be provided in order for the filter to respond to proxy receptor requests. By configuring
a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter, one can have the
CasAuthenticationFilter handle the proxying requirements for CAS.
The filter can process tickets present on any URL. This is useful when wanting to process proxy tickets. In order for proxy
tickets to get processed, ServiceProperties.isAuthenticateAllArtifacts() must return true. Additionally,
if the request is already authenticated, authentication will not occur. Lastly, AuthenticationDetailsSource.buildDetails(Object)
must return a ServiceAuthenticationDetails. This can be accomplished using the ServiceAuthenticationDetailsSource.
In this case ServiceAuthenticationDetails.getServiceUrl() will be used for the service URL.
Processing the proxy ticket involves creating a UsernamePasswordAuthenticationToken which
uses CAS_STATELESS_IDENTIFIER for the principal and the opaque ticket string as the
credentials. When a proxy ticket is successfully authenticated, the FilterChain continues and the
authenticationSuccessHandler is not used.
AuthenticationManager
The configured AuthenticationManager is expected to provide a provider that can recognise
UsernamePasswordAuthenticationTokens containing this special principal name, and process
them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of
ServiceAuthenticationDetails.getServiceUrl() as the service when validating the ticket.
An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:
```xml
<b:bean id="serviceProperties"
    class="org.springframework.security.cas.ServiceProperties"
    p:service="https://service.example.com/cas-sample/j_spring_cas_security_check"
    p:authenticateAllArtifacts="true"/>
<b:bean id="casEntryPoint"
    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
    p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" />
<b:bean id="casFilter"
    class="org.springframework.security.cas.web.CasAuthenticationFilter"
    p:authenticationManager-ref="authManager"
    p:serviceProperties-ref="serviceProperties"
    p:proxyGrantingTicketStorage-ref="pgtStorage"
    p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
  <b:property name="authenticationDetailsSource">
    <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
  </b:property>
  <b:property name="authenticationFailureHandler">
    <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
        p:defaultFailureUrl="/casfailed.jsp"/>
  </b:property>
</b:bean>
<!--
  NOTE: In a real application you should not use an in-memory implementation. You will also want
        to ensure that expired tickets are cleaned up by calling ProxyGrantingTicketStorage.cleanUp()
-->
<b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
<b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
    p:serviceProperties-ref="serviceProperties"
    p:key="casAuthProviderKey">
  <b:property name="authenticationUserDetailsService">
    <b:bean
        class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
      <b:constructor-arg ref="userService" />
    </b:bean>
  </b:property>
  <b:property name="ticketValidator">
    <b:bean
        class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
        p:acceptAnyProxy="true"
        p:proxyCallbackUrl="https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor"
        p:proxyGrantingTicketStorage-ref="pgtStorage">
      <b:constructor-arg value="https://login.example.org/cas" />
    </b:bean>
  </b:property>
  <b:property name="statelessTicketCache">
    <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
      <b:property name="cache">
        <b:bean class="net.sf.ehcache.Cache"
            init-method="initialise"
            destroy-method="dispose">
          <b:constructor-arg value="casTickets"/>
          <b:constructor-arg value="50"/>
          <b:constructor-arg value="true"/>
          <b:constructor-arg value="false"/>
          <b:constructor-arg value="3600"/>
          <b:constructor-arg value="900"/>
        </b:bean>
      </b:property>
    </b:bean>
  </b:property>
</b:bean>
```
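The configuration above sets acceptAnyProxy="true", which accepts a proxy ticket whatever proxies appear in its chain, and its comment asks for periodic cleanup of the PGT storage. The following Java wiring is an added example, not part of the Spring Security or CAS client code: it restricts the validator to an allow-listed proxy chain, shares one storage between validator and filter, and schedules the cleanup. The class name CasProxyWiring and the trusted proxy URL are hypothetical; setAllowedProxyChains, ProxyList and cleanUp() come from the Jasig CAS client.

```java
import java.util.Collections;
import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.jasig.cas.client.validation.ProxyList;
import org.springframework.security.cas.web.CasAuthenticationFilter;

/** Added example (hypothetical class): one PGT storage shared by validator and filter. */
public class CasProxyWiring {
    // Server and callback URLs mirror the example configuration; TRUSTED_PROXY is a placeholder.
    private static final String CAS_PREFIX = "https://login.example.org/cas";
    private static final String CALLBACK =
            "https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor";
    private static final String TRUSTED_PROXY = "https://proxy.example.com/pgtCallback";
    private final ProxyGrantingTicketStorage storage;
    private final ScheduledExecutorService cleaner = Executors.newSingleThreadScheduledExecutor();

    public CasProxyWiring(ProxyGrantingTicketStorage storage) {
        this.storage = storage; // in production, pass a storage that is not purely in-memory
    }

    /** Validator that accepts a proxy ticket only when its proxy chain is on the allow list. */
    public Cas20ProxyTicketValidator ticketValidator() {
        Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(CAS_PREFIX);
        List<String[]> chains = Collections.singletonList(new String[] {TRUSTED_PROXY});
        validator.setAcceptAnyProxy(false);
        validator.setAllowedProxyChains(new ProxyList(chains));
        validator.setProxyCallbackUrl(CALLBACK);
        validator.setProxyGrantingTicketStorage(storage);
        return validator;
    }

    /** The filter saves PGTs received at the receptor URL; the validator reads the same storage. */
    public void configure(CasAuthenticationFilter filter) {
        filter.setProxyReceptorUrl("/j_spring_cas_security_proxyreceptor");
        filter.setProxyGrantingTicketStorage(storage);
    }

    /** Periodically evicts expired PGTs so the storage does not grow without bound. */
    public void startCleanup(long periodSeconds) {
        cleaner.scheduleAtFixedRate(new Runnable() {
            public void run() { storage.cleanUp(); }
        }, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }
    public void stop() { cleaner.shutdownNow(); }
}
```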
| Field Summary | |
|---|---|
| static String | CAS_STATEFUL_IDENTIFIER<br>Used to identify a CAS request for a stateful user agent, such as a web browser. |
| static String | CAS_STATELESS_IDENTIFIER<br>Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. |

| Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter |
|---|
| authenticationDetailsSource, eventPublisher, messages, SPRING_SECURITY_LAST_EXCEPTION_KEY |

| Fields inherited from class org.springframework.web.filter.GenericFilterBean |
|---|
| logger |

| Constructor Summary | |
|---|---|
| CasAuthenticationFilter() | |

| Method Summary | |
|---|---|
| org.springframework.security.core.Authentication | attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) |
| protected String | obtainArtifact(javax.servlet.http.HttpServletRequest request)<br>If present, gets the artifact (CAS ticket) from the HttpServletRequest. |
| protected boolean | requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)<br>Overridden to provide proxying capabilities. |
| void | setAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)<br>Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures. |
| void | setProxyAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)<br>Sets the AuthenticationFailureHandler for proxy requests. |
| void | setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage) |
| void | setProxyReceptorUrl(String proxyReceptorUrl) |
| void | setServiceProperties(ServiceProperties serviceProperties) |
| protected void | successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) |

| Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter |
|---|
| afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getFilterProcessesUrl, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setSessionAuthenticationStrategy, successfulAuthentication, unsuccessfulAuthentication |

| Methods inherited from class org.springframework.web.filter.GenericFilterBean |
|---|
| addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext |

| Methods inherited from class java.lang.Object |
|---|
| clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Field Detail |
|---|
public static final String CAS_STATEFUL_IDENTIFIER
public static final String CAS_STATELESS_IDENTIFIER
HttpSession will result in a new authentication attempt on every request.
| Constructor Detail |
|---|
public CasAuthenticationFilter()
| Method Detail |
|---|
protected final void successfulAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
javax.servlet.FilterChain chain,
org.springframework.security.core.Authentication authResult)
throws IOException,
javax.servlet.ServletException
successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
IOException
javax.servlet.ServletException

public org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws org.springframework.security.core.AuthenticationException,
IOException
attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.core.AuthenticationException
IOException

protected String obtainArtifact(javax.servlet.http.HttpServletRequest request)
If present, gets the artifact (CAS ticket) from the HttpServletRequest.
request -
HttpServletRequest, else null

protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
requiresAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

public final void setProxyAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)
Sets the AuthenticationFailureHandler for proxy requests.
proxyFailureHandler -

public final void setAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
Wraps the AuthenticationFailureHandler to distinguish between
handling proxy ticket authentication failures and service ticket
failures.
setAuthenticationFailureHandler in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

public final void setProxyReceptorUrl(String proxyReceptorUrl)

public final void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)

public final void setServiceProperties(ServiceProperties serviceProperties)