
Example 1 with TransientSessionTicket

use of org.apereo.cas.ticket.TransientSessionTicket in project cas by apereo.

The class DelegatedClientWebflowManager, method store.

/**
 * Creates and registers a transient session ticket that captures the
 * current delegated authentication request, then hands the ticket id to
 * the outgoing client so the callback can be matched to it later (see
 * {@code retrieve}).
 * <p>
 * The ticket id is published as the {@code PARAMETER_CLIENT_ID} request
 * attribute and, depending on the client type, as the SAML2 relay state,
 * the OAuth2/OIDC state value, or a custom parameter of the CAS client.
 *
 * @param webContext the web context of the current request
 * @param client     the delegated client about to be invoked
 * @return the transient session ticket that was stored
 */
public Ticket store(final WebContext webContext, final BaseClient client) {
    final Service service = determineService(webContext);
    final Map<String, Serializable> ticketProperties = new LinkedHashMap<>();
    ticketProperties.put(CasProtocolConstants.PARAMETER_SERVICE, service);
    // Request parameters that have to survive the round trip to the external
    // provider; an absent parameter is stored as "" rather than null.
    copyRequestParameter(webContext, ticketProperties, this.themeParamName);
    copyRequestParameter(webContext, ticketProperties, this.localParamName);
    copyRequestParameter(webContext, ticketProperties, CasProtocolConstants.PARAMETER_METHOD);

    final TransientSessionTicketFactory factory =
        (TransientSessionTicketFactory) this.ticketFactory.get(TransientSessionTicket.class);
    final TransientSessionTicket ticket = factory.create(service, ticketProperties);
    LOGGER.debug("Storing delegated authentication request ticket [{}] for service [{}] with properties [{}]",
        ticket.getId(), ticket.getService(), ticket.getProperties());
    this.ticketRegistry.addTicket(ticket);

    final String ticketId = ticket.getId();
    webContext.setRequestAttribute(PARAMETER_CLIENT_ID, ticketId);
    propagateTicketIdToClient(webContext, client, ticketId);
    return ticket;
}

/**
 * Copies one request parameter into the ticket properties under its own name,
 * defaulting to the empty string when the parameter is not present.
 */
private static void copyRequestParameter(final WebContext webContext,
                                         final Map<String, Serializable> properties,
                                         final String parameterName) {
    properties.put(parameterName, StringUtils.defaultString(webContext.getRequestParameter(parameterName)));
}

/**
 * Attaches the ticket id to the client in whatever form its protocol carries
 * back on the response: SAML2 relay state, OAuth2/OIDC state data, or a
 * custom parameter for the CAS client. Clients of other types are left untouched.
 */
private static void propagateTicketIdToClient(final WebContext webContext, final BaseClient client, final String ticketId) {
    if (client instanceof SAML2Client) {
        webContext.getSessionStore().set(webContext, SAML2Client.SAML_RELAY_STATE_ATTRIBUTE, ticketId);
    }
    if (client instanceof OAuth20Client) {
        final OAuth20Client oauthClient = (OAuth20Client) client;
        oauthClient.getConfiguration().setWithState(true);
        oauthClient.getConfiguration().setStateData(ticketId);
    }
    if (client instanceof OidcClient) {
        final OidcClient oidcClient = (OidcClient) client;
        oidcClient.getConfiguration().setCustomParams(CollectionUtils.wrap(PARAMETER_CLIENT_ID, ticketId));
        oidcClient.getConfiguration().setWithState(true);
        oidcClient.getConfiguration().setStateData(ticketId);
    }
    if (client instanceof CasClient) {
        final CasClient casClient = (CasClient) client;
        casClient.getConfiguration().addCustomParam(DelegatedClientWebflowManager.PARAMETER_CLIENT_ID, ticketId);
    }
}

Example 2 with TransientSessionTicket

use of org.apereo.cas.ticket.TransientSessionTicket in project cas by apereo.

The class ValidateAccountRegistrationTokenAction, method doExecute.

@Override
protected Event doExecute(final RequestContext requestContext) throws Exception {
    // Declared outside the try block so the finally clause can clean it up.
    TransientSessionTicket activationTicket = null;
    try {
        // The request parameter is a ticket id; the activation token that is
        // actually validated comes from the ticket's stored properties.
        val ticketId = requestContext.getRequestParameters().getRequired(AccountRegistrationUtils.REQUEST_PARAMETER_ACCOUNT_REGISTRATION_ACTIVATION_TOKEN);
        activationTicket = centralAuthenticationService.getTicket(ticketId, TransientSessionTicket.class);
        val activationToken = activationTicket.getProperty(AccountRegistrationUtils.PROPERTY_ACCOUNT_REGISTRATION_ACTIVATION_TOKEN, String.class);
        val registrationRequest = accountRegistrationService.validateToken(activationToken);
        // Only touched after the token validated; presumably this counts a use
        // against the ticket's expiration policy (policy not visible here).
        activationTicket.update();

        val username = accountRegistrationService.getAccountRegistrationUsernameBuilder().build(registrationRequest);
        AccountRegistrationUtils.putAccountRegistrationRequest(requestContext, registrationRequest);
        AccountRegistrationUtils.putAccountRegistrationRequestUsername(requestContext, username);
        return success(registrationRequest);
    } catch (final Exception ex) {
        // Missing parameter, unknown ticket and invalid token all surface as
        // the same generic invalid-request error to the user.
        LoggingUtils.warn(LOGGER, ex);
        requestContext.getFlashScope().put(CasWebflowConstants.ATTRIBUTE_ERROR_ROOT_CAUSE_EXCEPTION, RootCasException.withCode("screen.error.page.invalidrequest.desc"));
        return error(ex);
    } finally {
        // Drop a ticket that has expired so the same id cannot be presented again.
        if (activationTicket != null && activationTicket.isExpired()) {
            centralAuthenticationService.deleteTicket(activationTicket);
        }
    }
}

Example 3 with TransientSessionTicket

use of org.apereo.cas.ticket.TransientSessionTicket in project cas by apereo.

The class DefaultDelegatedClientAuthenticationWebflowManager, method storeDelegatedClientAuthenticationRequest.

/**
 * Stores the current delegated client authentication request as a
 * transient session ticket and publishes the ticket id on the request.
 * <p>
 * Both the service extracted from the request and the service resolved
 * through the selection strategies are recorded on the ticket, together with
 * the "force authn" and "passive" flags. Each flag is read from the request
 * parameter of the same name and, when that parameter is absent, from the
 * registered service's {@code DELEGATED_AUTHN_FORCE_AUTHN} /
 * {@code DELEGATED_AUTHN_PASSIVE_AUTHN} property; a flag is only stored when
 * its value equals {@code "true"} (case-insensitive).
 *
 * @param webContext the web context of the current request
 * @return the transient session ticket that was stored
 * @throws Exception propagated from service extraction or ticket creation/storage
 */
protected TransientSessionTicket storeDelegatedClientAuthenticationRequest(final JEEContext webContext) throws Exception {
    val properties = buildTicketProperties(webContext);

    val originalService = configContext.getArgumentExtractor().extractService(webContext.getNativeRequest());
    val targetService = configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(originalService);
    properties.put(CasProtocolConstants.PARAMETER_SERVICE, originalService);
    properties.put(CasProtocolConstants.PARAMETER_TARGET_SERVICE, targetService);

    val registeredService = configContext.getServicesManager().findServiceBy(targetService);
    // Request parameter wins; the registered-service property is only consulted when it is absent.
    val forceAuthn = webContext.getRequestParameter(RedirectionActionBuilder.ATTRIBUTE_FORCE_AUTHN)
        .or(() -> Optional.of(Boolean.toString(RegisteredServiceProperties.DELEGATED_AUTHN_FORCE_AUTHN.isAssignedTo(registeredService))));
    if (forceAuthn.filter(value -> StringUtils.equalsIgnoreCase(value, "true")).isPresent()) {
        properties.put(RedirectionActionBuilder.ATTRIBUTE_FORCE_AUTHN, true);
    }
    val passive = webContext.getRequestParameter(RedirectionActionBuilder.ATTRIBUTE_PASSIVE)
        .or(() -> Optional.of(Boolean.toString(RegisteredServiceProperties.DELEGATED_AUTHN_PASSIVE_AUTHN.isAssignedTo(registeredService))));
    if (passive.filter(value -> StringUtils.equalsIgnoreCase(value, "true")).isPresent()) {
        properties.put(RedirectionActionBuilder.ATTRIBUTE_PASSIVE, true);
    }

    // The ticket is keyed on the original (unresolved) service.
    val ticketFactory = (TransientSessionTicketFactory) configContext.getTicketFactory().get(TransientSessionTicket.class);
    val ticket = ticketFactory.create(originalService, properties);
    LOGGER.debug("Storing delegated authentication request ticket [{}] for service [{}] with properties [{}]",
        ticket.getId(), ticket.getService(), ticket.getProperties());
    configContext.getCentralAuthenticationService().addTicket(ticket);

    webContext.setRequestAttribute(PARAMETER_CLIENT_ID, ticket.getId());
    // Mirror the stored flags onto the request; presumably consumed when the
    // redirect is built -- verify against the RedirectionActionBuilder usage.
    if (properties.containsKey(RedirectionActionBuilder.ATTRIBUTE_FORCE_AUTHN)) {
        webContext.setRequestAttribute(RedirectionActionBuilder.ATTRIBUTE_FORCE_AUTHN, true);
    }
    if (properties.containsKey(RedirectionActionBuilder.ATTRIBUTE_PASSIVE)) {
        webContext.setRequestAttribute(RedirectionActionBuilder.ATTRIBUTE_PASSIVE, true);
    }
    return ticket;
}

Example 4 with TransientSessionTicket

use of org.apereo.cas.ticket.TransientSessionTicket in project cas by apereo.

The class VerifyPasswordResetRequestAction, method doExecute.

@Override
protected Event doExecute(final RequestContext requestContext) throws Exception {
    val httpRequest = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
    val resetTicketId = httpRequest.getParameter(PasswordManagementWebflowUtils.REQUEST_PARAMETER_NAME_PASSWORD_RESET_TOKEN);
    if (StringUtils.isBlank(resetTicketId)) {
        LOGGER.error("Password reset token is missing");
        return error();
    }

    // Declared outside the try block so the finally clause can clean it up.
    TransientSessionTicket resetTicket = null;
    try {
        resetTicket = centralAuthenticationService.getTicket(resetTicketId, TransientSessionTicket.class);
        resetTicket.update();
        // The reset token itself lives in the ticket's properties; the request
        // only carries the ticket id.
        val token = resetTicket.getProperties().get(PasswordManagementWebflowUtils.FLOWSCOPE_PARAMETER_NAME_TOKEN).toString();
        val username = passwordManagementService.parseToken(token);
        val query = PasswordManagementQuery.builder().username(username).build();
        PasswordManagementWebflowUtils.putPasswordResetToken(requestContext, token);

        val resetProperties = casProperties.getAuthn().getPm().getReset();
        if (!resetProperties.isSecurityQuestionsEnabled()) {
            LOGGER.debug("Security questions are not enabled");
        } else {
            val questions = canonicalizeSecurityQuestions(passwordManagementService.getSecurityQuestions(query));
            // An account with no questions cannot pass the questions step, so
            // fail here rather than present an empty challenge.
            if (questions.isEmpty()) {
                LOGGER.warn("No security questions could be found for [{}]", username);
                return error();
            }
            PasswordManagementWebflowUtils.putPasswordResetSecurityQuestions(requestContext, questions);
        }
        PasswordManagementWebflowUtils.putPasswordResetUsername(requestContext, username);
        PasswordManagementWebflowUtils.putPasswordResetSecurityQuestionsEnabled(requestContext, resetProperties.isSecurityQuestionsEnabled());
        if (!resetProperties.isSecurityQuestionsEnabled()) {
            return new EventFactorySupport().event(this, EVENT_ID_SECURITY_QUESTIONS_DISABLED);
        }
        LOGGER.trace("Security questions are enabled; proceeding...");
        return success();
    } catch (final Exception ex) {
        // Unknown ticket, missing token property and unparsable token all end
        // up here; the user only sees a generic error.
        LoggingUtils.error(LOGGER, "Password reset token could not be located or verified", ex);
        return error();
    } finally {
        // Drop a ticket that has expired so the same id cannot be presented again.
        if (resetTicket != null && resetTicket.isExpired()) {
            centralAuthenticationService.deleteTicket(resetTicket);
        }
    }
}

Example 5 with TransientSessionTicket

use of org.apereo.cas.ticket.TransientSessionTicket in project cas by apereo.

The class DelegatedClientWebflowManager, method retrieve.

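/**
 * Looks up the transient session ticket identified by the delegated client
 * id on the incoming request and returns the service it was created for.
 * <p>
 * The ticket is treated as single-use: a missing ticket is rejected, an
 * expired one is deleted and rejected, and a valid one is deleted from the
 * registry right after the stored authentication request has been restored,
 * so the same client id cannot be presented a second time.
 *
 * @param requestContext the request context
 * @param webContext     the web context
 * @param client         the delegated client that issued the callback
 * @return the service recorded on the ticket
 * @throws UnauthorizedServiceException if the ticket cannot be found or has expired
 */
public Service retrieve(final RequestContext requestContext, final WebContext webContext, final BaseClient client) {
    final String clientId = getDelegatedClientId(webContext, client);
    final TransientSessionTicket ticket = this.ticketRegistry.getTicket(clientId, TransientSessionTicket.class);
    if (ticket == null) {
        LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL());
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY);
    }
    if (ticket.isExpired()) {
        LOGGER.error("Delegated client identifier [{}] has expired in the authentication request", ticket.getId());
        this.ticketRegistry.deleteTicket(ticket.getId());
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, StringUtils.EMPTY);
    }
    LOGGER.debug("Located delegated client identifier as [{}]", ticket.getId());
    restoreDelegatedAuthenticationRequest(requestContext, webContext, ticket);
    // Placeholder was previously written as "[{}}", leaving a stray brace in the log line.
    LOGGER.debug("Removing delegated client identifier [{}] from registry", ticket.getId());
    this.ticketRegistry.deleteTicket(ticket.getId());
    return ticket.getService();
}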
