use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.
the class MultifactorAuthenticationTests method verifyDeniesAccessToHighSecurityServiceWithOTP.
@Test
public void verifyDeniesAccessToHighSecurityServiceWithOTP() {
final AuthenticationResult ctx = processAuthenticationAttempt(HIGH_SERVICE, new OneTimePasswordCredential(ALICE, PASSWORD_31415));
final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(ctx);
assertNotNull(tgt);
this.thrown.expect(UnsatisfiedAuthenticationPolicyException.class);
final ServiceTicket st = cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, ctx);
assertNotNull(st);
}
use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.
the class MultifactorAuthenticationTests method verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTPViaRenew.
@Test
public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTPViaRenew() {
// Note the original credential used to start SSO session does not satisfy security policy
final AuthenticationResult ctx2 = processAuthenticationAttempt(HIGH_SERVICE, newUserPassCredentials(ALICE, ALICE), new OneTimePasswordCredential(ALICE, PASSWORD_31415));
final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(ctx2);
assertNotNull(tgt);
final ServiceTicket st = cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, ctx2);
assertNotNull(st);
// Confirm the authentication in the assertion is the one that satisfies security policy
final Assertion assertion = cas.validateServiceTicket(st.getId(), HIGH_SERVICE);
assertEquals(2, assertion.getPrimaryAuthentication().getSuccesses().size());
assertTrue(assertion.getPrimaryAuthentication().getSuccesses().containsKey(AcceptUsersAuthenticationHandler.class.getSimpleName()));
assertTrue(assertion.getPrimaryAuthentication().getSuccesses().containsKey(TestOneTimePasswordAuthenticationHandler.class.getSimpleName()));
assertTrue(assertion.getPrimaryAuthentication().getAttributes().containsKey(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS));
}
use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.
the class MultifactorAuthenticationTests method verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTP.
@Test
public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTP() {
final AuthenticationResult ctx = processAuthenticationAttempt(HIGH_SERVICE, newUserPassCredentials(ALICE, ALICE), new OneTimePasswordCredential(ALICE, PASSWORD_31415));
final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(ctx);
assertNotNull(tgt);
final ServiceTicket st = cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, ctx);
assertNotNull(st);
}
use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.
the class GenerateServiceTicketAction method doExecute.
/**
* {@inheritDoc}
* <p>
* In the initial primary authentication flow, credentials are cached and available.
* Since they are authenticated as part of submission first, there is no need to doubly
* authenticate and verify credentials.
* <p>
* In subsequent authentication flows where a TGT is available and only an ST needs to be
* created, there are no cached copies of the credential, since we do have a TGT available.
* So we will simply grab the available authentication and produce the final result based on that.
*/
@Override
protected Event doExecute(final RequestContext context) {
final Service service = WebUtils.getService(context);
LOGGER.debug("Service asking for service ticket is [{}]", service);
final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);
LOGGER.debug("Ticket-granting ticket found in the context is [{}]", ticketGrantingTicket);
try {
final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicket);
if (authentication == null) {
throw new InvalidTicketException(new AuthenticationException("No authentication found for ticket " + ticketGrantingTicket), ticketGrantingTicket);
}
final Service selectedService = authenticationRequestServiceSelectionStrategies.resolveService(service);
final RegisteredService registeredService = servicesManager.findServiceBy(selectedService);
LOGGER.debug("Registered service asking for service ticket is [{}]", registeredService);
WebUtils.putRegisteredService(context, registeredService);
WebUtils.putService(context, service);
if (registeredService != null) {
final URI url = registeredService.getAccessStrategy().getUnauthorizedRedirectUrl();
if (url != null) {
LOGGER.debug("Registered service may redirect to [{}] for unauthorized access requests", url);
}
WebUtils.putUnauthorizedRedirectUrlIntoFlowScope(context, url);
}
if (WebUtils.getWarningCookie(context)) {
LOGGER.debug("Warning cookie is present in the request context. Routing result to [{}] state", CasWebflowConstants.STATE_ID_WARN);
return result(CasWebflowConstants.STATE_ID_WARN);
}
final Credential credential = WebUtils.getCredential(context);
final AuthenticationResultBuilder builder = this.authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication, credential);
final AuthenticationResult authenticationResult = builder.build(service);
LOGGER.debug("Built the final authentication result [{}] to grant service ticket to [{}]", authenticationResult, service);
final ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicket, service, authenticationResult);
WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
LOGGER.debug("Granted service ticket [{}] and added it to the request scope", serviceTicketId);
return success();
} catch (final AbstractTicketException e) {
if (e instanceof InvalidTicketException) {
LOGGER.debug("CAS has determined ticket-granting ticket [{}] is invalid and must be destroyed", ticketGrantingTicket);
this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicket);
}
if (isGatewayPresent(context)) {
LOGGER.debug("Request indicates that it is gateway. Routing result to [{}] state", CasWebflowConstants.STATE_ID_GATEWAY);
return result(CasWebflowConstants.STATE_ID_GATEWAY);
}
LOGGER.warn("Could not grant service ticket [{}]. Routing to [{}]", e.getMessage(), CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE);
return newEvent(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, e);
}
}
use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.
the class ServiceWarningAction method doExecute.
@Override
protected Event doExecute(final RequestContext context) {
final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context);
final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context);
final Service service = WebUtils.getService(context);
final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);
final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicket);
if (authentication == null) {
throw new InvalidTicketException(new AuthenticationException("No authentication found for ticket " + ticketGrantingTicket), ticketGrantingTicket);
}
final Credential credential = WebUtils.getCredential(context);
final AuthenticationResultBuilder authenticationResultBuilder = authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication, credential);
final AuthenticationResult authenticationResult = authenticationResultBuilder.build(service);
final ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicket, service, authenticationResult);
WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
if (request.getParameterMap().containsKey("ignorewarn")) {
if (Boolean.parseBoolean(request.getParameter("ignorewarn"))) {
this.warnCookieGenerator.removeCookie(response);
}
}
return new Event(this, CasWebflowConstants.STATE_ID_REDIRECT);
}
Aggregations