
Example 36 with TicketGrantingTicket

use of org.apereo.cas.ticket.TicketGrantingTicket in project cas by apereo.

the class CasKryoTranscoderTests method verifyEncodeDecodeNonRegisteredClass.

@Test
public void verifyEncodeDecodeNonRegisteredClass() {
    final TicketGrantingTicket tgt = new MockTicketGrantingTicket(USERNAME);
    final MockServiceTicket expectedST = new MockServiceTicket(ST_ID, RegisteredServiceTestUtils.getService(), tgt);
    // This class is not registered with Kryo
    final UnregisteredServiceTicketExpirationPolicy step = new UnregisteredServiceTicketExpirationPolicy(1, 600);
    expectedST.setExpiration(step);
    try {
        transcoder.encode(expectedST);
        throw new AssertionError("Unregistered class is not allowed by Kryo");
    } catch (final KryoException e) {
        // Expected: Kryo rejects a class that has not been registered with the transcoder
    } catch (final Exception e) {
        throw new AssertionError("Unexpected exception due to not resetting Kryo between de-serializations with unregistered class.");
    }
}
Also used : MockTicketGrantingTicket(org.apereo.cas.mock.MockTicketGrantingTicket) KryoException(com.esotericsoftware.kryo.KryoException) TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) MockTicketGrantingTicket(org.apereo.cas.mock.MockTicketGrantingTicket) MockServiceTicket(org.apereo.cas.mock.MockServiceTicket) KryoException(com.esotericsoftware.kryo.KryoException) AccountNotFoundException(javax.security.auth.login.AccountNotFoundException) Test(org.junit.Test)

Example 37 with TicketGrantingTicket

use of org.apereo.cas.ticket.TicketGrantingTicket in project cas by apereo.

the class OpenIdCredentialsAuthenticationHandlerTests method verifyTGTThatIsExpired.

@Test
public void verifyTGTThatIsExpired() throws Exception {
    final OpenIdCredential c = new OpenIdCredential(TGT_ID, USERNAME);
    final TicketGrantingTicket t = getTicketGrantingTicket();
    this.ticketRegistry.addTicket(t);
    t.markTicketExpired();
    this.ticketRegistry.updateTicket(t);
    this.thrown.expect(FailedLoginException.class);
    this.openIdCredentialsAuthenticationHandler.authenticate(c);
}
Also used : TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) OpenIdCredential(org.apereo.cas.support.openid.authentication.principal.OpenIdCredential) Test(org.junit.Test)

Example 38 with TicketGrantingTicket

use of org.apereo.cas.ticket.TicketGrantingTicket in project cas by apereo.

the class OpenIdSingleSignOnActionTests method verifySuccessfulServiceTicket.

@Test
public void verifySuccessfulServiceTicket() throws Exception {
    final MockRequestContext context = new MockRequestContext();
    final MockHttpServletRequest request = new MockHttpServletRequest();
    final Authentication authentication = CoreAuthenticationTestUtils.getAuthentication("scootman28");
    final TicketGrantingTicket t = new TicketGrantingTicketImpl("TGT-11", authentication, new NeverExpiresExpirationPolicy());
    this.ticketRegistry.addTicket(t);
    request.setParameter(OpenIdProtocolConstants.OPENID_IDENTITY, "http://openid.aol.com/scootman28");
    request.setParameter(OpenIdProtocolConstants.OPENID_RETURNTO, "http://www.cnn.com");
    final OpenIdService service = new OpenIdServiceFactory("").createService(request);
    context.getFlowScope().put("service", service);
    context.getFlowScope().put(WebUtils.PARAMETER_TICKET_GRANTING_TICKET_ID, t.getId());
    context.setExternalContext(new ServletExternalContext(new MockServletContext(), request, new MockHttpServletResponse()));
    assertEquals("success", this.action.execute(context).getId());
}
Also used : NeverExpiresExpirationPolicy(org.apereo.cas.ticket.support.NeverExpiresExpirationPolicy) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) Authentication(org.apereo.cas.authentication.Authentication) TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) OpenIdService(org.apereo.cas.support.openid.authentication.principal.OpenIdService) ServletExternalContext(org.springframework.webflow.context.servlet.ServletExternalContext) TicketGrantingTicketImpl(org.apereo.cas.ticket.TicketGrantingTicketImpl) MockRequestContext(org.springframework.webflow.test.MockRequestContext) OpenIdServiceFactory(org.apereo.cas.support.openid.authentication.principal.OpenIdServiceFactory) MockServletContext(org.springframework.mock.web.MockServletContext) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.Test)

Example 39 with TicketGrantingTicket

use of org.apereo.cas.ticket.TicketGrantingTicket in project cas by apereo.

the class DefaultCentralAuthenticationService method validateServiceTicket.

@Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
@Metered(name = "VALIDATE_SERVICE_TICKET_METER")
@Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws AbstractTicketException {
    if (!isTicketAuthenticityVerified(serviceTicketId)) {
        LOGGER.info("Service ticket [{}] is not a valid ticket issued by CAS.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }
    final ServiceTicket serviceTicket = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    if (serviceTicket == null) {
        LOGGER.warn("Service ticket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }
    try {
        /*
         * Synchronization on ticket object in case of cache based registry doesn't serialize
         * access to critical section. The reason is that cache pulls serialized data and
         * builds new object, most likely for each pull. Is this synchronization needed here?
         */
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                LOGGER.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }
            if (!serviceTicket.isValidFor(service)) {
                LOGGER.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", serviceTicketId, serviceTicket.getService().getId(), service);
                throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
            }
        }
        final Service selectedService = resolveServiceFromAuthenticationRequest(serviceTicket.getService());
        LOGGER.debug("Resolved service [{}] from the authentication request", selectedService);
        final RegisteredService registeredService = this.servicesManager.findServiceBy(selectedService);
        LOGGER.debug("Located registered service definition [{}] from [{}] to handle validation request", registeredService, selectedService);
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(selectedService, registeredService);
        final TicketGrantingTicket root = serviceTicket.getTicketGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(root.getAuthentication(), new ServiceContext(selectedService, registeredService));
        final Principal principal = authentication.getPrincipal();
        final RegisteredServiceAttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
        LOGGER.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);
        final Map<String, Object> attributesToRelease = attributePolicy != null ? attributePolicy.getAttributes(principal, selectedService, registeredService) : new HashMap<>();
        LOGGER.debug("Calculated attributes for release per the release policy are [{}]", attributesToRelease.keySet());
        final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, selectedService, registeredService);
        final Principal modifiedPrincipal = this.principalFactory.createPrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = DefaultAuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);
        LOGGER.debug("Principal determined for release to [{}] is [{}]", registeredService.getServiceId(), principalId);
        final Authentication finalAuthentication = builder.build();
        final AuditableContext audit = AuditableContext.builder().service(selectedService).authentication(finalAuthentication).registeredService(registeredService).retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE).build();
        final AuditableExecutionResult accessResult = this.registeredServiceAccessStrategyEnforcer.execute(audit);
        accessResult.throwExceptionIfNeeded();
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(finalAuthentication);
        final Assertion assertion = new DefaultAssertionBuilder(finalAuthentication).with(selectedService).with(serviceTicket.getTicketGrantingTicket().getChainedAuthentications()).with(serviceTicket.isFromNewLogin()).build();
        doPublishEvent(new CasServiceTicketValidatedEvent(this, serviceTicket, assertion));
        return assertion;
    } finally {
        if (serviceTicket.isExpired()) {
            deleteTicket(serviceTicketId);
        } else {
            this.ticketRegistry.updateTicket(serviceTicket);
        }
    }
}
Also used : AuditableContext(org.apereo.cas.audit.AuditableContext) RegisteredService(org.apereo.cas.services.RegisteredService) DefaultAuthenticationBuilder(org.apereo.cas.authentication.DefaultAuthenticationBuilder) AuthenticationBuilder(org.apereo.cas.authentication.AuthenticationBuilder) TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) ServiceContext(org.apereo.cas.services.ServiceContext) UnrecognizableServiceForServiceTicketValidationException(org.apereo.cas.ticket.UnrecognizableServiceForServiceTicketValidationException) Assertion(org.apereo.cas.validation.Assertion) RegisteredService(org.apereo.cas.services.RegisteredService) Service(org.apereo.cas.authentication.principal.Service) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) DefaultAssertionBuilder(org.apereo.cas.validation.DefaultAssertionBuilder) Authentication(org.apereo.cas.authentication.Authentication) CasServiceTicketValidatedEvent(org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) AuditableExecutionResult(org.apereo.cas.audit.AuditableExecutionResult) Principal(org.apereo.cas.authentication.principal.Principal) RegisteredServiceAttributeReleasePolicy(org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy) Audit(org.apereo.inspektr.audit.annotation.Audit) Counted(com.codahale.metrics.annotation.Counted) Metered(com.codahale.metrics.annotation.Metered) Timed(com.codahale.metrics.annotation.Timed)

Example 40 with TicketGrantingTicket

use of org.apereo.cas.ticket.TicketGrantingTicket in project cas by apereo.

the class DefaultCentralAuthenticationService method destroyTicketGrantingTicket.

@Audit(action = "TICKET_GRANTING_TICKET_DESTROYED", actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
@Metered(name = "DESTROY_TICKET_GRANTING_TICKET_METER")
@Counted(name = "DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public List<LogoutRequest> destroyTicketGrantingTicket(final String ticketGrantingTicketId) {
    try {
        LOGGER.debug("Removing ticket [{}] from registry...", ticketGrantingTicketId);
        final TicketGrantingTicket ticket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        LOGGER.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(ticket.getAuthentication());
        final List<LogoutRequest> logoutRequests = this.logoutManager.performLogout(ticket);
        deleteTicket(ticketGrantingTicketId);
        doPublishEvent(new CasTicketGrantingTicketDestroyedEvent(this, ticket));
        return logoutRequests;
    } catch (final InvalidTicketException e) {
        LOGGER.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
    }
    return new ArrayList<>(0);
}
Also used : TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) ArrayList(java.util.ArrayList) CasTicketGrantingTicketDestroyedEvent(org.apereo.cas.support.events.ticket.CasTicketGrantingTicketDestroyedEvent) LogoutRequest(org.apereo.cas.logout.LogoutRequest) Audit(org.apereo.inspektr.audit.annotation.Audit) Counted(com.codahale.metrics.annotation.Counted) Metered(com.codahale.metrics.annotation.Metered) Timed(com.codahale.metrics.annotation.Timed)
