Examples with Credential org.apereo.cas.authentication.Credential used on opensource projects

Example 51 with Credential

use of org.apereo.cas.authentication.Credential in project cas by apereo.

the class GenerateServiceTicketAction method doExecute.

/**
 * {@inheritDoc}
 * <p>
 * In the initial primary authentication flow, credentials are cached and available.
 * Since they are authenticated as part of submission first, there is no need to doubly
 * authenticate and verify credentials.
 * <p>
 * In subsequent authentication flows where a TGT is available and only an ST needs to be
 * created, there are no cached copies of the credential, since we do have a TGT available.
 * So we will simply grab the available authentication and produce the final result based on that.
 */
@Override
protected Event doExecute(final RequestContext context) {
    final Service service = WebUtils.getService(context);
    LOGGER.debug("Service asking for service ticket is [{}]", service);
    final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);
    LOGGER.debug("Ticket-granting ticket found in the context is [{}]", ticketGrantingTicket);
    try {
        final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicket);
        if (authentication == null) {
            throw new InvalidTicketException(new AuthenticationException("No authentication found for ticket " + ticketGrantingTicket), ticketGrantingTicket);
        }
        final Service selectedService = authenticationRequestServiceSelectionStrategies.resolveService(service);
        final RegisteredService registeredService = servicesManager.findServiceBy(selectedService);
        LOGGER.debug("Registered service asking for service ticket is [{}]", registeredService);
        WebUtils.putRegisteredService(context, registeredService);
        WebUtils.putService(context, service);
        if (registeredService != null) {
            final URI url = registeredService.getAccessStrategy().getUnauthorizedRedirectUrl();
            if (url != null) {
                LOGGER.debug("Registered service may redirect to [{}] for unauthorized access requests", url);
            }
            WebUtils.putUnauthorizedRedirectUrlIntoFlowScope(context, url);
        }
        if (WebUtils.getWarningCookie(context)) {
            LOGGER.debug("Warning cookie is present in the request context. Routing result to [{}] state", CasWebflowConstants.STATE_ID_WARN);
            return result(CasWebflowConstants.STATE_ID_WARN);
        }
        final Credential credential = WebUtils.getCredential(context);
        final AuthenticationResultBuilder builder = this.authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication, credential);
        final AuthenticationResult authenticationResult = builder.build(service);
        LOGGER.debug("Built the final authentication result [{}] to grant service ticket to [{}]", authenticationResult, service);
        final ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicket, service, authenticationResult);
        WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
        LOGGER.debug("Granted service ticket [{}] and added it to the request scope", serviceTicketId);
        return success();
    } catch (final AbstractTicketException e) {
        if (e instanceof InvalidTicketException) {
            LOGGER.debug("CAS has determined ticket-granting ticket [{}] is invalid and must be destroyed", ticketGrantingTicket);
            this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicket);
        }
        if (isGatewayPresent(context)) {
            LOGGER.debug("Request indicates that it is gateway. Routing result to [{}] state", CasWebflowConstants.STATE_ID_GATEWAY);
            return result(CasWebflowConstants.STATE_ID_GATEWAY);
        }
        LOGGER.warn("Could not grant service ticket [{}]. Routing to [{}]", e.getMessage(), CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE);
        return newEvent(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, e);
    }
}

Example 52 with Credential

use of org.apereo.cas.authentication.Credential in project cas by apereo.

the class ServiceWarningAction method doExecute.

@Override
protected Event doExecute(final RequestContext context) {
    final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context);
    final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context);
    final Service service = WebUtils.getService(context);
    final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);
    final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicket);
    if (authentication == null) {
        throw new InvalidTicketException(new AuthenticationException("No authentication found for ticket " + ticketGrantingTicket), ticketGrantingTicket);
    }
    final Credential credential = WebUtils.getCredential(context);
    final AuthenticationResultBuilder authenticationResultBuilder = authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication, credential);
    final AuthenticationResult authenticationResult = authenticationResultBuilder.build(service);
    final ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicket, service, authenticationResult);
    WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
    if (request.getParameterMap().containsKey("ignorewarn")) {
        if (Boolean.parseBoolean(request.getParameter("ignorewarn"))) {
            this.warnCookieGenerator.removeCookie(response);
        }
    }
    return new Event(this, CasWebflowConstants.STATE_ID_REDIRECT);
}

Example 53 with Credential

use of org.apereo.cas.authentication.Credential in project cas by apereo.

the class AbstractNonInteractiveCredentialsAction method doPreExecute.

@Override
protected Event doPreExecute(final RequestContext context) throws Exception {
    final Credential credential = constructCredentialsFromRequest(context);
    if (credential == null) {
        LOGGER.warn("No credentials detected. Navigating to error...");
        return error();
    }
    WebUtils.putCredential(context, credential);
    return super.doPreExecute(context);
}

Example 54 with Credential

use of org.apereo.cas.authentication.Credential in project cas by apereo.

the class InitialAuthenticationAttemptWebflowEventResolver method resolveInternal.

@Override
public Set<Event> resolveInternal(final RequestContext context) {
    try {
        final Credential credential = getCredentialFromContext(context);
        final Service service = WebUtils.getService(context);
        if (credential != null) {
            final AuthenticationResultBuilder builder = this.authenticationSystemSupport.handleInitialAuthenticationTransaction(service, credential);
            if (builder.getInitialAuthentication().isPresent()) {
                WebUtils.putAuthenticationResultBuilder(builder, context);
                WebUtils.putAuthentication(builder.getInitialAuthentication().get(), context);
            }
        }
        final RegisteredService registeredService = determineRegisteredServiceForEvent(context, service);
        LOGGER.debug("Attempting to resolve candidate authentication events for service [{}]", service);
        final Set<Event> resolvedEvents = resolveCandidateAuthenticationEvents(context, service, registeredService);
        if (!resolvedEvents.isEmpty()) {
            LOGGER.debug("The set of authentication events resolved for [{}] are [{}]. Beginning to select the final event...", service, resolvedEvents);
            putResolvedEventsAsAttribute(context, resolvedEvents);
            final Event finalResolvedEvent = this.selectiveResolver.resolveSingle(context);
            LOGGER.debug("The final authentication event resolved for [{}] is [{}]", service, finalResolvedEvent);
            if (finalResolvedEvent != null) {
                return CollectionUtils.wrapSet(finalResolvedEvent);
            }
        }
        final AuthenticationResultBuilder builder = WebUtils.getAuthenticationResultBuilder(context);
        if (builder == null) {
            throw new IllegalArgumentException("No authentication result builder can be located in the context");
        }
        return CollectionUtils.wrapSet(grantTicketGrantingTicketToAuthenticationResult(context, builder, service));
    } catch (final Exception e) {
        Event event = returnAuthenticationExceptionEventIfNeeded(e);
        if (event == null) {
            LOGGER.warn(e.getMessage(), e);
            event = newEvent(CasWebflowConstants.TRANSITION_ID_ERROR, e);
        }
        final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context);
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        return CollectionUtils.wrapSet(event);
    }
}

Example 55 with Credential

use of org.apereo.cas.authentication.Credential in project cas by apereo.

the class RankedAuthenticationProviderWebflowEventResolver method resolveInternal.

@Override
public Set<Event> resolveInternal(final RequestContext context) {
    final String tgt = WebUtils.getTicketGrantingTicketId(context);
    final RegisteredService service = WebUtils.getRegisteredService(context);
    if (service == null) {
        LOGGER.debug("No service is available to determine event for principal");
        return resumeFlow();
    }
    if (StringUtils.isBlank(tgt)) {
        LOGGER.trace("TGT is blank; proceed with flow normally.");
        return resumeFlow();
    }
    final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(tgt);
    if (authentication == null) {
        LOGGER.trace("TGT has no authentication and is blank; proceed with flow normally.");
        return resumeFlow();
    }
    final Credential credential = WebUtils.getCredential(context);
    final AuthenticationResultBuilder builder = this.authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication, credential);
    LOGGER.debug("Recording and tracking initial authentication results in the request context");
    WebUtils.putAuthenticationResultBuilder(builder, context);
    WebUtils.putAuthentication(authentication, context);
    final Event event = this.initialAuthenticationAttemptWebflowEventResolver.resolveSingle(context);
    if (event == null) {
        LOGGER.trace("Request does not indicate a requirement for authentication policy; proceed with flow normally.");
        return resumeFlow();
    }
    final String id = event.getId();
    LOGGER.debug("Resolved from the initial authentication leg is [{}]", id);
    if (id.equals(CasWebflowConstants.TRANSITION_ID_ERROR) || id.equals(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE) || id.equals(CasWebflowConstants.TRANSITION_ID_SUCCESS) || id.equals(CasWebflowConstants.TRANSITION_ID_SUCCESS_WITH_WARNINGS)) {
        LOGGER.debug("Returning webflow event as [{}]", id);
        return CollectionUtils.wrapSet(event);
    }
    LOGGER.debug("Validating authentication context for event [{}] and service [{}]", id, service);
    final Pair<Boolean, Optional<MultifactorAuthenticationProvider>> result = this.authenticationContextValidator.validate(authentication, id, service);
    if (result.getKey()) {
        LOGGER.debug("Authentication context is successfully validated by [{}] for service [{}]", id, service);
        return resumeFlow();
    }
    if (result.getValue().isPresent()) {
        return CollectionUtils.wrapSet(validateEventIdForMatchingTransitionInContext(id, context, buildEventAttributeMap(authentication.getPrincipal(), service, result.getValue().get())));
    }
    LOGGER.warn("The authentication context cannot be satisfied and the requested event [{}] is unrecognized", id);
    return CollectionUtils.wrapSet(new Event(this, CasWebflowConstants.TRANSITION_ID_ERROR));
}