
Example 1 with UnsatisfiedAuthenticationContextTicketValidationException

use of org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException in project cas by apereo.

From class AbstractServiceValidateController, method handleTicketValidation.

/**
 * Handles validation of a service ticket and builds the resulting model and view.
 *
 * <p>Steps, in the order the body performs them: if the request carries a service
 * credential, a proxy-granting ticket is obtained for it first; the service ticket is
 * then validated and its assertion checked; the requested authentication context is
 * verified; and finally, when the proxy handler can handle the credential, a proxy IOU
 * is delivered. A failure in the proxy steps or in assertion validation is returned as
 * an error view, while an unsatisfied authentication context is raised as an exception.
 *
 * @param request         the request
 * @param service         the service
 * @param serviceTicketId the service ticket id
 * @return the model and view: an error view if the service credential cannot be
 *         authenticated, the ticket is invalid or the proxy callback fails; otherwise
 *         the success view carrying the assertion, the proxy IOU, the resolved
 *         authentication-context provider and the proxy-granting ticket
 * @throws UnsatisfiedAuthenticationContextTicketValidationException if the
 *         authentication context required for the service is not satisfied
 */
protected ModelAndView handleTicketValidation(final HttpServletRequest request, final WebApplicationService service, final String serviceTicketId) {
    // Stays null unless a service credential in the request yields a PGT below.
    TicketGrantingTicket proxyGrantingTicketId = null;
    // Presumably the proxy-callback credential; null when the request asks for no proxying
    // (TODO confirm against getServiceCredentialsFromRequest).
    final Credential serviceCredential = getServiceCredentialsFromRequest(service, request);
    if (serviceCredential != null) {
        try {
            // The credential is authenticated and the PGT issued before the service ticket
            // itself is validated, so a failed proxy request is reported first.
            proxyGrantingTicketId = handleProxyGrantingTicketDelivery(serviceTicketId, serviceCredential);
        } catch (final AuthenticationException e) {
            // NOTE(review): unlike the two catches below, the exception itself is not logged here.
            LOGGER.warn("Failed to authenticate service credential [{}]", serviceCredential);
            return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, new Object[] { serviceCredential.getId() }, request, service);
        } catch (final InvalidTicketException e) {
            // The error code of the ticket exception is forwarded to the client as-is.
            LOGGER.error("Failed to create proxy granting ticket due to an invalid ticket for [{}]", serviceCredential, e);
            return generateErrorView(e.getCode(), new Object[] { serviceTicketId }, request, service);
        } catch (final AbstractTicketException e) {
            LOGGER.error("Failed to create proxy granting ticket for [{}]", serviceCredential, e);
            return generateErrorView(e.getCode(), new Object[] { serviceCredential.getId() }, request, service);
        }
    }
    final Assertion assertion = this.centralAuthenticationService.validateServiceTicket(serviceTicketId, service);
    // A rejected assertion is reported to the client as an invalid ticket.
    if (!validateAssertion(request, serviceTicketId, assertion, service)) {
        return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_TICKET, new Object[] { serviceTicketId }, request, service);
    }
    // Key: whether the requested authentication context is satisfied; value: presumably the
    // multifactor provider that satisfied it, if any. Failure here is thrown, not rendered.
    final Pair<Boolean, Optional<MultifactorAuthenticationProvider>> ctxResult = validateAuthenticationContext(assertion, request);
    if (!ctxResult.getKey()) {
        throw new UnsatisfiedAuthenticationContextTicketValidationException(assertion.getService());
    }
    // The proxy IOU is delivered only when a credential is present and the (optional) proxy
    // handler can handle it; an empty IOU is treated as a failed proxy callback.
    String proxyIou = null;
    if (serviceCredential != null && this.proxyHandler != null && this.proxyHandler.canHandle(serviceCredential)) {
        proxyIou = handleProxyIouDelivery(serviceCredential, proxyGrantingTicketId);
        if (StringUtils.isEmpty(proxyIou)) {
            return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, new Object[] { serviceCredential.getId() }, request, service);
        }
    } else {
        LOGGER.debug("No service credentials specified, and/or the proxy handler [{}] cannot handle credentials", this.proxyHandler);
    }
    // Post-validation callback, then the success view.
    onSuccessfulValidation(serviceTicketId, assertion);
    LOGGER.debug("Successfully validated service ticket [{}] for service [{}]", serviceTicketId, service.getId());
    return generateSuccessView(assertion, proxyIou, service, request, ctxResult.getValue(), proxyGrantingTicketId);
}
Also used : Credential(org.apereo.cas.authentication.Credential) HttpBasedServiceCredential(org.apereo.cas.authentication.HttpBasedServiceCredential) Optional(java.util.Optional) AuthenticationException(org.apereo.cas.authentication.AuthenticationException) TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) Assertion(org.apereo.cas.validation.Assertion) AbstractTicketException(org.apereo.cas.ticket.AbstractTicketException) UnsatisfiedAuthenticationContextTicketValidationException(org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException)

Example 2 with UnsatisfiedAuthenticationContextTicketValidationException

use of org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException in project cas by apereo.

From class DefaultMultifactorAuthenticationProviderResolverTests, method verifyMultipleProvidersWithPrincipalAttributes.

/**
 * Resolves a provider through a principal-attribute trigger whose global attribute
 * name is {@code mfa-principal}, then checks that
 * {@link UnsatisfiedAuthenticationContextTicketValidationException} surfaces as expected.
 */
@Test
public void verifyMultipleProvidersWithPrincipalAttributes() {
    final StaticApplicationContext context = new StaticApplicationContext();
    context.refresh();

    // Only the principal-attribute trigger is configured; everything else stays at defaults.
    final CasConfigurationProperties properties = new CasConfigurationProperties();
    final var principalTriggerProperties = properties.getAuthn().getMfa().getTriggers().getPrincipal();
    principalTriggerProperties.setGlobalPrincipalAttributeNameTriggers("mfa-principal");

    final DefaultMultifactorAuthenticationProviderResolver providerResolver =
        new DefaultMultifactorAuthenticationProviderResolver(MultifactorAuthenticationPrincipalResolver.identical());
    final PrincipalAttributeMultifactorAuthenticationTrigger principalTrigger =
        new PrincipalAttributeMultifactorAuthenticationTrigger(properties, providerResolver, context);
    assertProviderResolutionFromManyProviders(principalTrigger, context, true);

    // The exception is raised inside the lambda so that assertThrows observes it.
    assertThrows(UnsatisfiedAuthenticationContextTicketValidationException.class, () -> {
        throw new UnsatisfiedAuthenticationContextTicketValidationException(MultifactorAuthenticationTestUtils.getService("id"));
    });
}
Also used : lombok.val(lombok.val) StaticApplicationContext(org.springframework.context.support.StaticApplicationContext) PrincipalAttributeMultifactorAuthenticationTrigger(org.apereo.cas.authentication.mfa.trigger.PrincipalAttributeMultifactorAuthenticationTrigger) CasConfigurationProperties(org.apereo.cas.configuration.CasConfigurationProperties) UnsatisfiedAuthenticationContextTicketValidationException(org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException) Test(org.junit.jupiter.api.Test)

Example 3 with UnsatisfiedAuthenticationContextTicketValidationException

use of org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException in project cas by apereo.

From class AbstractServiceValidateController, method handleTicketValidation.

/**
 * Handles validation of a service ticket and builds the resulting model and view.
 *
 * <p>Steps, in the order the body performs them: if the request carries a service
 * credential, a proxy-granting ticket is obtained for it first; the service ticket is
 * then validated and its assertion checked; the requested authentication context is
 * verified through the configured context validator; and finally, when the proxy handler
 * can handle the credential and the registered service is not allowed to receive the PGT
 * directly, a proxy IOU is delivered. A failure in the proxy steps or in assertion
 * validation is returned as an error view, while an unsatisfied authentication context
 * is raised as an exception.
 *
 * @param request         the request
 * @param response        the response, passed on to the authentication context validator
 * @param service         the service
 * @param serviceTicketId the service ticket id
 * @return the model and view: an error view if the service credential cannot be
 *         authenticated, the ticket is invalid or the proxy callback fails; otherwise
 *         the success view carrying the assertion, the proxy IOU (empty when no proxy
 *         callback was made), the authentication context id and the proxy-granting ticket
 * @throws UnsatisfiedAuthenticationContextTicketValidationException if the
 *         authentication context required for the service is not satisfied
 */
protected ModelAndView handleTicketValidation(final HttpServletRequest request, final HttpServletResponse response, final WebApplicationService service, final String serviceTicketId) {
    // The cast pins the inferred type; stays null unless a PGT is issued below.
    var proxyGrantingTicketId = (ProxyGrantingTicket) null;
    // Presumably the proxy-callback credential; null when the request asks for no proxying
    // (TODO confirm against getServiceCredentialsFromRequest).
    val serviceCredential = getServiceCredentialsFromRequest(service, request);
    if (serviceCredential != null) {
        try {
            // The credential is authenticated and the PGT issued before the service ticket
            // itself is validated, so a failed proxy request is reported first.
            proxyGrantingTicketId = handleProxyGrantingTicketDelivery(serviceTicketId, serviceCredential);
        } catch (final AuthenticationException e) {
            // NOTE(review): unlike the two catches below, the exception itself is not logged here.
            LOGGER.warn("Failed to authenticate service credential [{}]", serviceCredential);
            // Error views are built from a description resolved for the given code and arguments.
            val description = getTicketValidationErrorDescription(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, new Object[] { serviceCredential.getId() }, request);
            return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, description, request, service);
        } catch (final InvalidTicketException e) {
            // Message and exception are logged separately; the ticket error code is forwarded as-is.
            LOGGER.error("Failed to create proxy granting ticket due to an invalid ticket for [{}]", serviceCredential);
            LoggingUtils.error(LOGGER, e);
            val description = getTicketValidationErrorDescription(e.getCode(), new Object[] { serviceTicketId }, request);
            return generateErrorView(e.getCode(), description, request, service);
        } catch (final AbstractTicketException e) {
            LOGGER.error("Failed to create proxy granting ticket for [{}]", serviceCredential);
            LoggingUtils.error(LOGGER, e);
            val description = getTicketValidationErrorDescription(e.getCode(), new Object[] { serviceCredential.getId() }, request);
            return generateErrorView(e.getCode(), description, request, service);
        }
    }
    val assertion = validateServiceTicket(service, serviceTicketId);
    // A rejected assertion is reported to the client as an invalid ticket.
    if (!validateAssertion(request, serviceTicketId, assertion, service)) {
        val description = getTicketValidationErrorDescription(CasProtocolConstants.ERROR_CODE_INVALID_TICKET, new Object[] { serviceTicketId }, request);
        return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_TICKET, description, request, service);
    }
    // The requested authentication context is checked by the validator from the configuration
    // context; failure here is thrown, not rendered as an error view.
    val ctxResult = serviceValidateConfigurationContext.getRequestedContextValidator().validateAuthenticationContext(assertion, request, response);
    if (!ctxResult.isSuccess()) {
        throw new UnsatisfiedAuthenticationContextTicketValidationException(assertion.getService());
    }
    // Empty (not null) unless a proxy callback below produces an IOU.
    var proxyIou = StringUtils.EMPTY;
    val proxyHandler = serviceValidateConfigurationContext.getProxyHandler();
    if (serviceCredential != null && proxyHandler != null && proxyHandler.canHandle(serviceCredential)) {
        // NOTE(review): this cast relies on canHandle() accepting only HttpBasedServiceCredential —
        // confirm against the proxy handler implementation.
        val registeredService = ((HttpBasedServiceCredential) serviceCredential).getService();
        // The registered service's attribute release policy decides whether the PGT may be handed
        // out directly; only when it may not is the proxy callback performed.
        val authorizedToReleaseProxyGrantingTicket = registeredService.getAttributeReleasePolicy().isAuthorizedToReleaseProxyGrantingTicket();
        if (!authorizedToReleaseProxyGrantingTicket) {
            LOGGER.debug("Service [{}] is not authorized to release the PGT directly, make a proxy callback", registeredService);
            proxyIou = handleProxyIouDelivery(serviceCredential, proxyGrantingTicketId);
            // An empty IOU is treated as a failed proxy callback.
            if (StringUtils.isEmpty(proxyIou)) {
                val description = getTicketValidationErrorDescription(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, new Object[] { serviceCredential.getId() }, request);
                return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, description, request, service);
            }
        } else {
            // Callback skipped: proxyIou remains empty and the PGT goes to the success view as-is.
            LOGGER.debug("Service [{}] is authorized to release the PGT directly, skip the proxy callback", registeredService);
        }
    } else {
        LOGGER.debug("No service credentials specified, and/or the proxy handler [{}] cannot handle credentials", proxyHandler);
    }
    // Post-validation callback, then the success view.
    onSuccessfulValidation(serviceTicketId, assertion);
    LOGGER.debug("Successfully validated service ticket [{}] for service [{}]", serviceTicketId, service.getId());
    return generateSuccessView(assertion, proxyIou, service, request, ctxResult.getContextId(), proxyGrantingTicketId);
}
Also used : lombok.val(lombok.val) HttpBasedServiceCredential(org.apereo.cas.authentication.credential.HttpBasedServiceCredential) AuthenticationException(org.apereo.cas.authentication.AuthenticationException) InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException) ProxyGrantingTicket(org.apereo.cas.ticket.proxy.ProxyGrantingTicket) AbstractTicketException(org.apereo.cas.ticket.AbstractTicketException) UnsatisfiedAuthenticationContextTicketValidationException(org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException)

Aggregations

UnsatisfiedAuthenticationContextTicketValidationException (org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException)3 lombok.val (lombok.val)2 AuthenticationException (org.apereo.cas.authentication.AuthenticationException)2 AbstractTicketException (org.apereo.cas.ticket.AbstractTicketException)2 InvalidTicketException (org.apereo.cas.ticket.InvalidTicketException)2 Optional (java.util.Optional)1 Credential (org.apereo.cas.authentication.Credential)1 HttpBasedServiceCredential (org.apereo.cas.authentication.HttpBasedServiceCredential)1 HttpBasedServiceCredential (org.apereo.cas.authentication.credential.HttpBasedServiceCredential)1 PrincipalAttributeMultifactorAuthenticationTrigger (org.apereo.cas.authentication.mfa.trigger.PrincipalAttributeMultifactorAuthenticationTrigger)1 CasConfigurationProperties (org.apereo.cas.configuration.CasConfigurationProperties)1 TicketGrantingTicket (org.apereo.cas.ticket.TicketGrantingTicket)1 ProxyGrantingTicket (org.apereo.cas.ticket.proxy.ProxyGrantingTicket)1 Assertion (org.apereo.cas.validation.Assertion)1 Test (org.junit.jupiter.api.Test)1 StaticApplicationContext (org.springframework.context.support.StaticApplicationContext)1