Example 61 with ServiceTicket

Use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.

From class MultifactorAuthenticationTests, method verifyDeniesAccessToHighSecurityServiceWithOTP:

@Test
public void verifyDeniesAccessToHighSecurityServiceWithOTP() {
    // Start an SSO session with a one-time password only; this alone does not satisfy the policy of HIGH_SERVICE
    final AuthenticationResult ctx = processAuthenticationAttempt(HIGH_SERVICE, new OneTimePasswordCredential(ALICE, PASSWORD_31415));
    final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(ctx);
    assertNotNull(tgt);
    // Granting a service ticket for the high-security service must be refused by the authentication policy
    this.thrown.expect(UnsatisfiedAuthenticationPolicyException.class);
    final ServiceTicket st = cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, ctx);
    assertNotNull(st);
}
Also used : TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) OneTimePasswordCredential(org.apereo.cas.authentication.OneTimePasswordCredential) AuthenticationResult(org.apereo.cas.authentication.AuthenticationResult) SpringBootTest(org.springframework.boot.test.context.SpringBootTest) Test(org.junit.Test)

Example 62 with ServiceTicket

Use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.

From class MultifactorAuthenticationTests, method verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTPViaRenew:

@Test
public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTPViaRenew() {
    // Note: the original credential used to start the SSO session does not by itself satisfy the security policy;
    // renewing with password plus OTP produces an authentication context that does
    final AuthenticationResult ctx2 = processAuthenticationAttempt(HIGH_SERVICE, newUserPassCredentials(ALICE, ALICE), new OneTimePasswordCredential(ALICE, PASSWORD_31415));
    final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(ctx2);
    assertNotNull(tgt);
    final ServiceTicket st = cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, ctx2);
    assertNotNull(st);
    // Confirm the authentication in the assertion is the one that satisfies security policy
    final Assertion assertion = cas.validateServiceTicket(st.getId(), HIGH_SERVICE);
    assertEquals(2, assertion.getPrimaryAuthentication().getSuccesses().size());
    assertTrue(assertion.getPrimaryAuthentication().getSuccesses().containsKey(AcceptUsersAuthenticationHandler.class.getSimpleName()));
    assertTrue(assertion.getPrimaryAuthentication().getSuccesses().containsKey(TestOneTimePasswordAuthenticationHandler.class.getSimpleName()));
    assertTrue(assertion.getPrimaryAuthentication().getAttributes().containsKey(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS));
}
Also used : TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) Assertion(org.apereo.cas.validation.Assertion) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) OneTimePasswordCredential(org.apereo.cas.authentication.OneTimePasswordCredential) AuthenticationResult(org.apereo.cas.authentication.AuthenticationResult) SpringBootTest(org.springframework.boot.test.context.SpringBootTest) Test(org.junit.Test)

Example 63 with ServiceTicket

Use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.

From class MultifactorAuthenticationTests, method verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTP:

@Test
public void verifyAllowsAccessToHighSecurityServiceWithPasswordAndOTP() {
    // Password and OTP together satisfy the multifactor policy of HIGH_SERVICE
    final AuthenticationResult ctx = processAuthenticationAttempt(HIGH_SERVICE, newUserPassCredentials(ALICE, ALICE), new OneTimePasswordCredential(ALICE, PASSWORD_31415));
    final TicketGrantingTicket tgt = cas.createTicketGrantingTicket(ctx);
    assertNotNull(tgt);
    // The service ticket is granted because both factors are present in the authentication context
    final ServiceTicket st = cas.grantServiceTicket(tgt.getId(), HIGH_SERVICE, ctx);
    assertNotNull(st);
}
Also used : TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) OneTimePasswordCredential(org.apereo.cas.authentication.OneTimePasswordCredential) AuthenticationResult(org.apereo.cas.authentication.AuthenticationResult) SpringBootTest(org.springframework.boot.test.context.SpringBootTest) Test(org.junit.Test)

Example 64 with ServiceTicket

Use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.

From class GenerateServiceTicketAction, method doExecute:

/**
 * {@inheritDoc}
 * <p>
 * In the initial primary authentication flow, credentials are cached and available.
 * Since they were authenticated as part of the submission, there is no need to
 * authenticate and verify the credentials a second time.
 * <p>
 * In subsequent authentication flows where a TGT is available and only an ST needs to be
 * created, there are no cached copies of the credential, since a TGT is already available.
 * So we simply take the available authentication and produce the final result based on that.
 */
@Override
protected Event doExecute(final RequestContext context) {
    final Service service = WebUtils.getService(context);
    LOGGER.debug("Service asking for service ticket is [{}]", service);
    final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);
    LOGGER.debug("Ticket-granting ticket found in the context is [{}]", ticketGrantingTicket);
    try {
        final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicket);
        if (authentication == null) {
            throw new InvalidTicketException(new AuthenticationException("No authentication found for ticket " + ticketGrantingTicket), ticketGrantingTicket);
        }
        final Service selectedService = authenticationRequestServiceSelectionStrategies.resolveService(service);
        final RegisteredService registeredService = servicesManager.findServiceBy(selectedService);
        LOGGER.debug("Registered service asking for service ticket is [{}]", registeredService);
        WebUtils.putRegisteredService(context, registeredService);
        WebUtils.putService(context, service);
        if (registeredService != null) {
            final URI url = registeredService.getAccessStrategy().getUnauthorizedRedirectUrl();
            if (url != null) {
                LOGGER.debug("Registered service may redirect to [{}] for unauthorized access requests", url);
            }
            WebUtils.putUnauthorizedRedirectUrlIntoFlowScope(context, url);
        }
        if (WebUtils.getWarningCookie(context)) {
            LOGGER.debug("Warning cookie is present in the request context. Routing result to [{}] state", CasWebflowConstants.STATE_ID_WARN);
            return result(CasWebflowConstants.STATE_ID_WARN);
        }
        final Credential credential = WebUtils.getCredential(context);
        final AuthenticationResultBuilder builder = this.authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication, credential);
        final AuthenticationResult authenticationResult = builder.build(service);
        LOGGER.debug("Built the final authentication result [{}] to grant service ticket to [{}]", authenticationResult, service);
        final ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicket, service, authenticationResult);
        WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
        LOGGER.debug("Granted service ticket [{}] and added it to the request scope", serviceTicketId);
        return success();
    } catch (final AbstractTicketException e) {
        if (e instanceof InvalidTicketException) {
            LOGGER.debug("CAS has determined ticket-granting ticket [{}] is invalid and must be destroyed", ticketGrantingTicket);
            this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicket);
        }
        if (isGatewayPresent(context)) {
            LOGGER.debug("Request indicates that it is gateway. Routing result to [{}] state", CasWebflowConstants.STATE_ID_GATEWAY);
            return result(CasWebflowConstants.STATE_ID_GATEWAY);
        }
        LOGGER.warn("Could not grant service ticket [{}]. Routing to [{}]", e.getMessage(), CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE);
        return newEvent(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, e);
    }
}
Also used : Credential(org.apereo.cas.authentication.Credential) RegisteredService(org.apereo.cas.services.RegisteredService) AuthenticationException(org.apereo.cas.authentication.AuthenticationException) Authentication(org.apereo.cas.authentication.Authentication) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) CentralAuthenticationService(org.apereo.cas.CentralAuthenticationService) RegisteredService(org.apereo.cas.services.RegisteredService) Service(org.apereo.cas.authentication.principal.Service) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) AbstractTicketException(org.apereo.cas.ticket.AbstractTicketException) AuthenticationResultBuilder(org.apereo.cas.authentication.AuthenticationResultBuilder) URI(java.net.URI) AuthenticationResult(org.apereo.cas.authentication.AuthenticationResult)

Example 65 with ServiceTicket

Use of org.apereo.cas.ticket.ServiceTicket in project cas by apereo.

From class ServiceWarningAction, method doExecute:

@Override
protected Event doExecute(final RequestContext context) {
    final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(context);
    final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(context);
    final Service service = WebUtils.getService(context);
    final String ticketGrantingTicket = WebUtils.getTicketGrantingTicketId(context);
    final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicket);
    if (authentication == null) {
        throw new InvalidTicketException(new AuthenticationException("No authentication found for ticket " + ticketGrantingTicket), ticketGrantingTicket);
    }
    final Credential credential = WebUtils.getCredential(context);
    final AuthenticationResultBuilder authenticationResultBuilder = authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication, credential);
    final AuthenticationResult authenticationResult = authenticationResultBuilder.build(service);
    final ServiceTicket serviceTicketId = this.centralAuthenticationService.grantServiceTicket(ticketGrantingTicket, service, authenticationResult);
    WebUtils.putServiceTicketInRequestScope(context, serviceTicketId);
    if (request.getParameterMap().containsKey("ignorewarn")) {
        if (Boolean.parseBoolean(request.getParameter("ignorewarn"))) {
            this.warnCookieGenerator.removeCookie(response);
        }
    }
    return new Event(this, CasWebflowConstants.STATE_ID_REDIRECT);
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) Credential(org.apereo.cas.authentication.Credential) AuthenticationException(org.apereo.cas.authentication.AuthenticationException) Authentication(org.apereo.cas.authentication.Authentication) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) HttpServletResponse(javax.servlet.http.HttpServletResponse) CentralAuthenticationService(org.apereo.cas.CentralAuthenticationService) Service(org.apereo.cas.authentication.principal.Service) Event(org.springframework.webflow.execution.Event) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) AuthenticationResultBuilder(org.apereo.cas.authentication.AuthenticationResultBuilder) AuthenticationResult(org.apereo.cas.authentication.AuthenticationResult)

Aggregations (types co-occurring with ServiceTicket across the indexed examples, with usage counts):

ServiceTicket (org.apereo.cas.ticket.ServiceTicket): 79
TicketGrantingTicket (org.apereo.cas.ticket.TicketGrantingTicket): 65
Test (org.junit.Test): 59
AuthenticationResult (org.apereo.cas.authentication.AuthenticationResult): 49
Service (org.apereo.cas.authentication.principal.Service): 38
Authentication (org.apereo.cas.authentication.Authentication): 22
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest): 15
AbstractWebApplicationService (org.apereo.cas.authentication.principal.AbstractWebApplicationService): 14
MockServiceTicket (org.apereo.cas.mock.MockServiceTicket): 14
MockTicketGrantingTicket (org.apereo.cas.mock.MockTicketGrantingTicket): 14
TicketGrantingTicketImpl (org.apereo.cas.ticket.TicketGrantingTicketImpl): 13
NeverExpiresExpirationPolicy (org.apereo.cas.ticket.support.NeverExpiresExpirationPolicy): 13
Assertion (org.apereo.cas.validation.Assertion): 13
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse): 12
SpringBootTest (org.springframework.boot.test.context.SpringBootTest): 11
Credential (org.apereo.cas.authentication.Credential): 10
UsernamePasswordCredential (org.apereo.cas.authentication.UsernamePasswordCredential): 8
ProxyGrantingTicket (org.apereo.cas.ticket.proxy.ProxyGrantingTicket): 8
CentralAuthenticationService (org.apereo.cas.CentralAuthenticationService): 7
RegisteredService (org.apereo.cas.services.RegisteredService): 7