Class CasAuthenticationFilter

  • All Implemented Interfaces:
    javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

    public class CasAuthenticationFilter
    extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.

    Service Tickets

    A service ticket consists of an opaque ticket string. It arrives at this filter after the user's browser has authenticated successfully with CAS and has then received an HTTP redirect to the service. The opaque ticket string is presented in the ticket request parameter.

    This filter monitors the service URL so it can receive the service ticket and process it. By default this filter processes the URL /login/cas. When processing this URL, the value of ServiceProperties.getService() is used as the service when validating the ticket. This means that it is important that ServiceProperties.getService() specifies the same value as the filterProcessesUrl.

    Processing the service ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the credentials.

    Obtaining Proxy Granting Tickets

    If specified, the filter can also monitor the proxyReceptorUrl. The filter will respond to requests matching this URL so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl a non-null proxyGrantingTicketStorage must be provided in order for the filter to respond to proxy receptor requests. By configuring a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter one can have the CasAuthenticationFilter handle the proxying requirements for CAS.

    Proxy Tickets

    The filter can process tickets present on any URL. This is useful when wanting to process proxy tickets. In order for proxy tickets to get processed, ServiceProperties.isAuthenticateAllArtifacts() must return true. Additionally, if the request is already authenticated, authentication will not occur. Last, AuthenticationDetailsSource.buildDetails(Object) must return a ServiceAuthenticationDetails. This can be accomplished using the ServiceAuthenticationDetailsSource. In this case ServiceAuthenticationDetails.getServiceUrl() will be used for the service URL.

    Processing the proxy ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATELESS_IDENTIFIER for the principal and the opaque ticket string as the credentials. When a proxy ticket is successfully authenticated, the FilterChain continues and the authenticationSuccessHandler is not used.

    Notes about the AuthenticationManager

    The configured AuthenticationManager is expected to provide a provider that can recognise UsernamePasswordAuthenticationTokens containing this special principal name, and process them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of ServiceAuthenticationDetails.getServiceUrl() as the service when validating the ticket.
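    The token construction described in the Service Tickets and Proxy Tickets sections, as an added example that is not part of this Javadoc or of the Spring Security project. It drives requiresAuthentication and attemptAuthentication directly with spring-test mock requests and a capturing AuthenticationManager standing in for CasAuthenticationProvider, so no CAS server is contacted and the token handed to the manager can be inspected. Assumed: spring-test on the classpath, the ServiceAuthenticationDetailsSource(ServiceProperties) constructor of Spring Security 4 and later (the XML example below uses the older no-arg form), and constructed ticket strings and paths.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails;
import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource;
import org.springframework.security.core.Authentication;

public class CasTicketRoutingDemo {

    /** Stand-in for CasAuthenticationProvider: records the token the filter built instead of validating it. */
    static final class CapturingManager implements AuthenticationManager {
        UsernamePasswordAuthenticationToken lastRequest;

        @Override
        public Authentication authenticate(Authentication authentication) {
            lastRequest = (UsernamePasswordAuthenticationToken) authentication;
            return authentication; // left unauthenticated; the demo only inspects it
        }
    }

    /** Subclass so the protected requiresAuthentication gate can be called from the demo. */
    static final class InspectableFilter extends CasAuthenticationFilter {
        boolean wouldAttempt(MockHttpServletRequest req, MockHttpServletResponse resp) {
            return requiresAuthentication(req, resp);
        }
    }

    static InspectableFilter newFilter(AuthenticationManager manager, boolean authenticateAllArtifacts)
            throws Exception {
        ServiceProperties props = new ServiceProperties();
        props.setService("https://service.example.com/cas-sample/login/cas"); // same path as filterProcessesUrl
        props.setAuthenticateAllArtifacts(authenticateAllArtifacts);
        props.afterPropertiesSet();

        InspectableFilter filter = new InspectableFilter(); // default filterProcessesUrl is /login/cas
        filter.setAuthenticationManager(manager);
        filter.setServiceProperties(props);
        // Assumption: ServiceProperties-taking constructor (Spring Security 4+); the XML on this page uses no-arg.
        filter.setAuthenticationDetailsSource(new ServiceAuthenticationDetailsSource(props));
        filter.afterPropertiesSet();
        return filter;
    }

    /** Constructed request; the ticket value is a made-up sample, not a real CAS ticket. */
    static MockHttpServletRequest ticketRequest(String path, String ticket) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", path);
        req.setServletPath(path); // the request matcher compares servlet path + path info
        if (ticket != null) {
            req.setParameter("ticket", ticket);
        }
        return req;
    }

    static String describe(InspectableFilter filter, CapturingManager manager, MockHttpServletRequest req)
            throws Exception {
        MockHttpServletResponse resp = new MockHttpServletResponse();
        if (!filter.wouldAttempt(req, resp)) {
            return req.getServletPath() + ": passed through, no authentication attempted";
        }
        filter.attemptAuthentication(req, resp);
        UsernamePasswordAuthenticationToken token = manager.lastRequest;
        Object details = token.getDetails();
        String serviceUrl = details instanceof ServiceAuthenticationDetails
                ? ((ServiceAuthenticationDetails) details).getServiceUrl()
                : "(no ServiceAuthenticationDetails)";
        return req.getServletPath() + ": principal=" + token.getPrincipal()
                + " credentials=" + token.getCredentials() + " serviceUrl=" + serviceUrl;
    }

    public static void main(String[] args) throws Exception {
        // authenticateAllArtifacts=true: service ticket on /login/cas, proxy tickets on any other URL
        CapturingManager manager = new CapturingManager();
        InspectableFilter filter = newFilter(manager, true);
        System.out.println(describe(filter, manager, ticketRequest("/login/cas", "ST-constructed-1")));
        System.out.println(describe(filter, manager, ticketRequest("/api/report", "PT-constructed-2")));
        System.out.println(describe(filter, manager, ticketRequest("/api/report", null)));

        // authenticateAllArtifacts=false: a ticket on any other URL is ignored by this filter
        CapturingManager strictManager = new CapturingManager();
        InspectableFilter strict = newFilter(strictManager, false);
        System.out.println(describe(strict, strictManager, ticketRequest("/api/report", "PT-constructed-3")));
    }
}
```

    The first request yields a token whose principal is CAS_STATEFUL_IDENTIFIER and whose credentials are the ticket string; the second yields CAS_STATELESS_IDENTIFIER with ServiceAuthenticationDetails attached, which is what the provider uses as the service when validating a proxy ticket; the request without a ticket and the request against the filter configured with authenticateAllArtifacts=false are passed through untouched. Because the manager returns an unauthenticated token, no security context is populated here; in a real chain CasAuthenticationProvider validates the ticket against the CAS server before anything is trusted.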

    Example Configuration

    An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:

     <b:bean id="serviceProperties"
         class="org.springframework.security.cas.ServiceProperties"
         p:service="https://service.example.com/cas-sample/login/cas"
         p:authenticateAllArtifacts="true"/>
     <b:bean id="casEntryPoint"
         class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
         p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" />
     <b:bean id="casFilter"
         class="org.springframework.security.cas.web.CasAuthenticationFilter"
         p:authenticationManager-ref="authManager"
         p:serviceProperties-ref="serviceProperties"
         p:proxyGrantingTicketStorage-ref="pgtStorage"
         p:proxyReceptorUrl="/login/cas/proxyreceptor">
         <b:property name="authenticationDetailsSource">
             <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
         </b:property>
         <b:property name="authenticationFailureHandler">
             <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
                 p:defaultFailureUrl="/casfailed.jsp"/>
         </b:property>
     </b:bean>
     <!--
         NOTE: In a real application you should not use an in memory implementation. You will also want
               to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup()
      -->
     <b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
     <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
         p:serviceProperties-ref="serviceProperties"
         p:key="casAuthProviderKey">
         <b:property name="authenticationUserDetailsService">
             <b:bean
                 class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                 <b:constructor-arg ref="userService" />
             </b:bean>
         </b:property>
         <b:property name="ticketValidator">
             <b:bean
                 class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
                 p:acceptAnyProxy="true"
                 p:proxyCallbackUrl="https://service.example.com/cas-sample/login/cas/proxyreceptor"
                 p:proxyGrantingTicketStorage-ref="pgtStorage">
                 <b:constructor-arg value="https://login.example.org/cas" />
             </b:bean>
         </b:property>
         <b:property name="statelessTicketCache">
             <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
                 <b:property name="cache">
                     <b:bean class="net.sf.ehcache.Cache"
                       init-method="initialise"
                       destroy-method="dispose">
                         <b:constructor-arg value="casTickets"/>
                         <b:constructor-arg value="50"/>
                         <b:constructor-arg value="true"/>
                         <b:constructor-arg value="false"/>
                         <b:constructor-arg value="3600"/>
                         <b:constructor-arg value="900"/>
                     </b:bean>
                 </b:property>
             </b:bean>
         </b:property>
     </b:bean>
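    The same wiring in Java configuration, as an added example that is not part of this Javadoc or of the Spring Security project. It mirrors the XML above bean for bean, using only the setters the XML's p: attributes correspond to. Assumed: a UserDetailsService bean named userService exists elsewhere (as the XML assumes), the ServiceAuthenticationDetailsSource(ServiceProperties) constructor of Spring Security 4 and later, and that the EhCache-backed statelessTicketCache is left at the provider's default (stateless proxy-ticket requests are then validated against the CAS server on every request, as the CAS_STATELESS_IDENTIFIER description warns).

```java
import java.util.Collections;

import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.authentication.CasAuthenticationProvider;
import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
import org.springframework.security.cas.web.CasAuthenticationFilter;
import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

@Configuration
public class CasConfig {

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties sp = new ServiceProperties();
        // Must point at the filter's processing URL (default /login/cas); the ticket is validated for this service.
        sp.setService("https://service.example.com/cas-sample/login/cas");
        sp.setAuthenticateAllArtifacts(true); // lets proxy tickets on any URL be processed
        return sp;
    }

    @Bean
    public CasAuthenticationEntryPoint casEntryPoint(ServiceProperties serviceProperties) {
        CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setServiceProperties(serviceProperties);
        entryPoint.setLoginUrl("https://login.example.org/cas/login");
        return entryPoint;
    }

    @Bean
    public ProxyGrantingTicketStorage pgtStorage() {
        // In-memory storage, as in the XML; the XML's note about production use and cleanup() applies here too.
        return new ProxyGrantingTicketStorageImpl();
    }

    @Bean
    public Cas20ProxyTicketValidator ticketValidator(ProxyGrantingTicketStorage pgtStorage) {
        Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator("https://login.example.org/cas");
        validator.setAcceptAnyProxy(true);
        validator.setProxyCallbackUrl("https://service.example.com/cas-sample/login/cas/proxyreceptor");
        validator.setProxyGrantingTicketStorage(pgtStorage); // shared with the filter, so PGTs reach the validator
        return validator;
    }

    @Bean
    public CasAuthenticationProvider casAuthProvider(ServiceProperties serviceProperties,
            Cas20ProxyTicketValidator ticketValidator, UserDetailsService userService) {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties);
        provider.setKey("casAuthProviderKey");
        provider.setTicketValidator(ticketValidator);
        provider.setAuthenticationUserDetailsService(new UserDetailsByNameServiceWrapper<>(userService));
        return provider;
    }

    @Bean
    public AuthenticationManager authManager(CasAuthenticationProvider casAuthProvider) {
        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(casAuthProvider));
    }

    @Bean
    public CasAuthenticationFilter casFilter(AuthenticationManager authManager,
            ServiceProperties serviceProperties, ProxyGrantingTicketStorage pgtStorage) {
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setAuthenticationManager(authManager);
        filter.setServiceProperties(serviceProperties);
        filter.setProxyGrantingTicketStorage(pgtStorage);
        filter.setProxyReceptorUrl("/login/cas/proxyreceptor");
        // Assumption: ServiceProperties-taking constructor (Spring Security 4+); the XML uses the no-arg form.
        filter.setAuthenticationDetailsSource(new ServiceAuthenticationDetailsSource(serviceProperties));
        SimpleUrlAuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
        failureHandler.setDefaultFailureUrl("/casfailed.jsp");
        filter.setAuthenticationFailureHandler(failureHandler);
        return filter;
    }
}
```

    As with the XML, registering the filter in the security filter chain and using casEntryPoint as the entry point are left to the rest of the application's configuration. Keep the service property, the proxyReceptorUrl and the validator's proxyCallbackUrl consistent with each other: the ticket is validated for the configured service, and the PGT callback only works if the validator's callback URL is the path the filter actually monitors.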
     
    • Field Summary

      Fields
      • static java.lang.String CAS_STATEFUL_IDENTIFIER
        Used to identify a CAS request for a stateful user agent, such as a web browser.
      • static java.lang.String CAS_STATELESS_IDENTIFIER
        Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc).
      • Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        authenticationDetailsSource, eventPublisher, messages
      • Fields inherited from class org.springframework.web.filter.GenericFilterBean

        logger
    • Method Summary

      Methods
      • org.springframework.security.core.Authentication attemptAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
      • protected java.lang.String obtainArtifact(javax.servlet.http.HttpServletRequest request)
        If present, gets the artifact (CAS ticket) from the HttpServletRequest.
      • protected boolean requiresAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
        Overridden to provide proxying capabilities.
      • void setAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
        Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.
      • void setProxyAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)
        Sets the AuthenticationFailureHandler for proxy requests.
      • void setProxyGrantingTicketStorage(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
      • void setProxyReceptorUrl(java.lang.String proxyReceptorUrl)
      • void setServiceProperties(ServiceProperties serviceProperties)
      • protected void successfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, javax.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult)
      • Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

        afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, unsuccessfulAuthentication
      • Methods inherited from class org.springframework.web.filter.GenericFilterBean

        addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • CAS_STATEFUL_IDENTIFIER

        public static final java.lang.String CAS_STATEFUL_IDENTIFIER
        Used to identify a CAS request for a stateful user agent, such as a web browser.
        See Also:
        Constant Field Values
      • CAS_STATELESS_IDENTIFIER

        public static final java.lang.String CAS_STATELESS_IDENTIFIER
        Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc). Results in a more aggressive caching strategy being used, as the absence of an HttpSession will result in a new authentication attempt on every request.
        See Also:
        Constant Field Values
    • Constructor Detail

      • CasAuthenticationFilter

        public CasAuthenticationFilter()
    • Method Detail

      • successfulAuthentication

        protected final void successfulAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                      javax.servlet.http.HttpServletResponse response,
                                                      javax.servlet.FilterChain chain,
                                                      org.springframework.security.core.Authentication authResult)
                                               throws java.io.IOException,
                                                      javax.servlet.ServletException
        Overrides:
        successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        Throws:
        java.io.IOException
        javax.servlet.ServletException
      • attemptAuthentication

        public org.springframework.security.core.Authentication attemptAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                                                      javax.servlet.http.HttpServletResponse response)
                                                                               throws org.springframework.security.core.AuthenticationException,
                                                                                      java.io.IOException
        Specified by:
        attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
        Throws:
        org.springframework.security.core.AuthenticationException
        java.io.IOException
      • obtainArtifact

        protected java.lang.String obtainArtifact​(javax.servlet.http.HttpServletRequest request)
        If present, gets the artifact (CAS ticket) from the HttpServletRequest.
        Parameters:
        request -
        Returns:
        the artifact from the HttpServletRequest if present, else null
      • requiresAuthentication

        protected boolean requiresAuthentication​(javax.servlet.http.HttpServletRequest request,
                                                 javax.servlet.http.HttpServletResponse response)
        Overridden to provide proxying capabilities.
        Overrides:
        requiresAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      • setProxyAuthenticationFailureHandler

        public final void setProxyAuthenticationFailureHandler​(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)
        Sets the AuthenticationFailureHandler for proxy requests.
        Parameters:
        proxyFailureHandler -
      • setAuthenticationFailureHandler

        public final void setAuthenticationFailureHandler​(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
        Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.
        Overrides:
        setAuthenticationFailureHandler in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      • setProxyReceptorUrl

        public final void setProxyReceptorUrl​(java.lang.String proxyReceptorUrl)
      • setProxyGrantingTicketStorage

        public final void setProxyGrantingTicketStorage​(org.jasig.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
      • setServiceProperties

        public final void setServiceProperties​(ServiceProperties serviceProperties)