Class OidcIdTokenGeneratorService, method produceIdTokenClaims:
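/**
 * Produce the claims of an OIDC id token for the given access token.
 * <p>
 * Claims set here: {@code jti} (key of the OAuth service ticket bound to the access
 * token's ticket-granting ticket), {@code iss} (configured issuer), {@code aud} (the
 * service's client id), {@code exp} ({@code timeout} seconds from now), {@code iat},
 * {@code nbf} (configured skew, applied as minutes in the past), {@code sub}
 * (principal id), {@code acr} / {@code amr} when the authentication carries the MFA
 * context attribute / the successful-handlers attribute, {@code state} and
 * {@code nonce} when present on the authentication, {@code at_hash}, every principal
 * attribute whose name is listed in {@code OidcProperties#getClaims()}, and finally
 * {@code preferred_username} if no released attribute already provided it.
 * <p>
 * NOTE(review): the attribute filter is the global {@code OidcProperties#getClaims()}
 * list; the registered service's own attribute release policy is not consulted in
 * this method. Confirm that is intended before relying on per-service release rules.
 *
 * @param request the request (not read by this implementation; available to overrides)
 * @param accessTokenId the access token whose authentication the claims are derived from
 * @param timeout lifetime of the id token, in seconds
 * @param service the OIDC registered service the token is issued for
 * @param profile the user profile; its id is the {@code preferred_username} fallback
 * @param context the web context (not read by this implementation; available to overrides)
 * @param responseType the response type (not read by this implementation; available to overrides)
 * @return the jwt claims
 */
protected JwtClaims produceIdTokenClaims(final HttpServletRequest request, final AccessToken accessTokenId, final long timeout, final OidcRegisteredService service, final UserProfile profile, final J2EContext context, final OAuth20ResponseTypes responseType) {
    final Authentication authentication = accessTokenId.getAuthentication();
    final Principal principal = authentication.getPrincipal();
    final OidcProperties oidc = casProperties.getAuthn().getOidc();

    final JwtClaims claims = new JwtClaims();
    // jti is the key of the OAuth service ticket associated with the access token's TGT.
    // NOTE(review): this puts a ticket key into a token handed to the client; confirm the
    // key cannot be presented as a ticket anywhere.
    claims.setJwtId(getOAuthServiceTicket(accessTokenId.getTicketGrantingTicket()).getKey());
    claims.setIssuer(oidc.getIssuer());
    claims.setAudience(service.getClientId());

    final NumericDate expirationDate = NumericDate.now();
    expirationDate.addSeconds(timeout);
    claims.setExpirationTime(expirationDate);
    claims.setIssuedAtToNow();
    // The configured skew is interpreted in minutes by this jose4j setter.
    claims.setNotBeforeMinutesInThePast(oidc.getSkew());
    claims.setSubject(principal.getId());

    final MultifactorAuthenticationProperties mfa = casProperties.getAuthn().getMfa();
    final Map<String, Object> attributes = authentication.getAttributes();

    // acr: the first value of the configured MFA authentication-context attribute.
    final String contextAttribute = mfa.getAuthenticationContextAttribute();
    if (attributes.containsKey(contextAttribute)) {
        final Collection<Object> acrValues = CollectionUtils.toCollection(attributes.get(contextAttribute));
        // Guard the empty case: iterator().next() on an empty collection throws NoSuchElementException.
        if (acrValues != null && !acrValues.isEmpty()) {
            claims.setStringClaim(OidcConstants.ACR, String.valueOf(acrValues.iterator().next()));
        }
    }

    // amr: names of the handlers that successfully authenticated the credential.
    if (attributes.containsKey(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)) {
        final Collection<Object> handlers = CollectionUtils.toCollection(attributes.get(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS));
        if (handlers != null) {
            // Convert each element explicitly; toArray(new String[]{}) throws ArrayStoreException
            // if any element is not already a String.
            final String[] amr = handlers.stream().map(String::valueOf).toArray(String[]::new);
            claims.setStringListClaim(OidcConstants.AMR, amr);
        }
    }

    // state/nonce are echoed from the authentication attributes; omit the claim rather than
    // emitting an explicit null when the attribute is absent.
    final Object state = attributes.get(OAuth20Constants.STATE);
    if (state != null) {
        claims.setClaim(OAuth20Constants.STATE, state);
    }
    final Object nonce = attributes.get(OAuth20Constants.NONCE);
    if (nonce != null) {
        claims.setClaim(OAuth20Constants.NONCE, nonce);
    }

    claims.setClaim(OidcConstants.CLAIM_AT_HASH, generateAccessTokenHash(accessTokenId, service));

    // Release principal attributes by name, filtered by the global OIDC claim list only.
    principal.getAttributes().entrySet().stream()
        .filter(entry -> oidc.getClaims().contains(entry.getKey()))
        .forEach(entry -> claims.setClaim(entry.getKey(), entry.getValue()));

    // Fall back to the profile id when no released attribute supplied preferred_username.
    if (!claims.hasClaim(OidcConstants.CLAIM_PREFERRED_USERNAME)) {
        claims.setClaim(OidcConstants.CLAIM_PREFERRED_USERNAME, profile.getId());
    }
    return claims;
}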
Class OidcRegisteredServiceUIAction, method doExecute:
/**
 * Resolve the service in the request context and, if it is an OIDC registered service,
 * publish its user-interface metadata into the flow.
 * <p>
 * Access to the resolved service is checked via
 * {@code RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed} before any
 * metadata is exposed; the check is expected to throw for a denied or unknown service.
 *
 * @param requestContext the webflow request context
 * @return the success event
 */
@Override
protected Event doExecute(final RequestContext requestContext) {
    final Service requestedService = WebUtils.getService(requestContext);
    if (requestedService == null) {
        // No service in the flow: nothing to resolve, no metadata to publish.
        return success();
    }
    // Map the raw request service onto the effective one (e.g. an OAuth/OIDC callback).
    final Service resolved = serviceSelectionStrategy.resolveServiceFrom(requestedService);
    final RegisteredService registeredService = this.servicesManager.findServiceBy(resolved);
    // Authorization gate for this action.
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(resolved, registeredService);
    if (registeredService instanceof OidcRegisteredService) {
        final OidcRegisteredService oidcService = (OidcRegisteredService) registeredService;
        WebUtils.putServiceUserInterfaceMetadata(requestContext, new DefaultRegisteredServiceUserInterfaceInfo(oidcService));
    }
    return success();
}
Class DefaultSingleSignOnParticipationStrategy, method isParticipating:
/**
 * Decide whether the current request should participate in single sign-on.
 * <p>
 * When {@code renew} is enabled and present on the request, the answer is the configured
 * {@code createSsoSessionCookieOnRenewAuthentications} flag. Otherwise the registered
 * service's access strategy decides via {@code isServiceAccessAllowedForSso()}, evaluated
 * with the current authentication bound to the thread. With no service, or a service that
 * is not in the registry, this method answers {@code true}.
 * <p>
 * NOTE(review): an unregistered service is treated as participating here; access to such a
 * service is presumably rejected elsewhere in the flow — confirm.
 *
 * @param ctx the webflow request context
 * @return true if SSO participation is allowed
 */
@Override
public boolean isParticipating(final RequestContext ctx) {
    if (renewEnabled && ctx.getRequestParameters().contains(CasProtocolConstants.PARAMETER_RENEW)) {
        LOGGER.debug("[{}] is specified for the request. The authentication session will be considered renewed.", CasProtocolConstants.PARAMETER_RENEW);
        return this.createSsoSessionCookieOnRenewAuthentications;
    }
    final Service service = WebUtils.getService(ctx);
    if (service == null) {
        return true;
    }
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    if (registeredService == null) {
        return true;
    }
    final Authentication authentication = WebUtils.getAuthentication(ctx);
    // Bind the flow's authentication for the duration of the access-strategy check,
    // restoring whatever was bound before so the thread-local is not leaked.
    final Authentication previouslyBound = AuthenticationCredentialsThreadLocalBinder.getCurrentAuthentication();
    try {
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);
        final boolean allowedForSso = registeredService.getAccessStrategy().isServiceAccessAllowedForSso();
        LOGGER.debug("Located [{}] in registry. Service access to participate in SSO is set to [{}]", registeredService.getServiceId(), allowedForSso);
        return allowedForSso;
    } finally {
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(previouslyBound);
    }
}
Class AbstractCasWebflowEventResolver, method handleAuthenticationTransactionAndGrantTicketGrantingTicket:
/**
 * Run the authentication transaction for the credential found in the context and, on
 * success, grant a ticket-granting ticket for the result.
 * <p>
 * Any exception is logged, surfaced to the flow as an error message whose code is
 * {@code DEFAULT_MESSAGE_BUNDLE_PREFIX} plus the exception's simple class name, and
 * converted into a single error event.
 * <p>
 * NOTE(review): the credential is logged at debug level; confirm its {@code toString()}
 * does not include secret material.
 *
 * @param context the webflow request context
 * @return a singleton set holding either the grant event or an error event
 */
protected Set<Event> handleAuthenticationTransactionAndGrantTicketGrantingTicket(final RequestContext context) {
    try {
        final Credential credential = getCredentialFromContext(context);
        final Service service = WebUtils.getService(context);
        LOGGER.debug("Handling authentication transaction for credential [{}]", credential);
        final AuthenticationResultBuilder initialBuilder = WebUtils.getAuthenticationResultBuilder(context);
        final AuthenticationResultBuilder updatedBuilder = this.authenticationSystemSupport.handleAuthenticationTransaction(service, initialBuilder, credential);
        LOGGER.debug("Issuing ticket-granting tickets for service [{}]", service);
        final Event granted = grantTicketGrantingTicketToAuthenticationResult(context, updatedBuilder, service);
        return CollectionUtils.wrapSet(granted);
    } catch (final Exception e) {
        LOGGER.error(e.getMessage(), e);
        final String messageCode = DEFAULT_MESSAGE_BUNDLE_PREFIX.concat(e.getClass().getSimpleName());
        final MessageContext messageContext = context.getMessageContext();
        messageContext.addMessage(new MessageBuilder().error().code(messageCode).build());
        return CollectionUtils.wrapSet(new EventFactorySupport().error(this));
    }
}
Class ServiceTicketRequestWebflowEventResolver, method grantServiceTicket:
/**
 * Grant a service ticket for the credential, service and ticket-granting ticket found in
 * the request context.
 * <p>
 * When both an authentication for the TGT and a registered service are found, the
 * registered-service access strategy enforcer runs first and its result may throw. The
 * credential is then authenticated in a single finalized transaction and a service ticket
 * is issued and placed in request scope.
 * <p>
 * NOTE(review): the enforcer is skipped when the service is not in the registry; the
 * subsequent {@code grantServiceTicket} call is presumably where an unregistered service
 * is rejected — confirm.
 *
 * @param context the context
 * @return the warn event on success; the authentication-failure event when authentication
 * or ticketing fails. Other exceptions (including any thrown by the enforcer) propagate.
 * @since 4.1.0
 */
protected Event grantServiceTicket(final RequestContext context) {
    final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
    final Credential credential = getCredentialFromContext(context);
    try {
        final Service service = WebUtils.getService(context);
        final Authentication authn = ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicketId);
        final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        final boolean canEnforce = authn != null && registeredService != null;
        if (canEnforce) {
            LOGGER.debug("Enforcing access strategy policies for registered service [{}] and principal [{}]", registeredService, authn.getPrincipal());
            final AuditableContext auditContext = AuditableContext.builder()
                .service(service)
                .authentication(authn)
                .registeredService(registeredService)
                .retrievePrincipalAttributesFromReleasePolicy(Boolean.TRUE)
                .build();
            final AuditableExecutionResult enforcement = this.registeredServiceAccessStrategyEnforcer.execute(auditContext);
            // Denial is signalled by throwing from the result.
            enforcement.throwExceptionIfNeeded();
        }
        final AuthenticationResult result = this.authenticationSystemSupport.handleAndFinalizeSingleAuthenticationTransaction(service, credential);
        final ServiceTicket serviceTicket = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicketId, service, result);
        WebUtils.putServiceTicketInRequestScope(context, serviceTicket);
        WebUtils.putWarnCookieIfRequestParameterPresent(this.warnCookieGenerator, context);
        return newEvent(CasWebflowConstants.TRANSITION_ID_WARN);
    } catch (final AuthenticationException | AbstractTicketException e) {
        return newEvent(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, e);
    }
}