@Test
  public void verifyValidServiceTicketWithValidPgtAndProxyHandlerFailing() throws Exception {
    final TicketGrantingTicket tId =
        getCentralAuthenticationService()
            .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword());
    final ServiceTicket sId =
        getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService());

    final MockHttpServletRequest request = new MockHttpServletRequest();
    request.addParameter("service", TestUtils.getService().getId());
    request.addParameter("ticket", sId.getId());
    request.addParameter("pgtUrl", "https://www.github.com");

    this.serviceValidateController.setProxyHandler(
        new ProxyHandler() {
          @Override
          public String handle(
              final Credential credential, final TicketGrantingTicket proxyGrantingTicketId) {
            return null;
          }

          @Override
          public boolean canHandle(final Credential credential) {
            return true;
          }
        });

    final ModelAndView modelAndView =
        this.serviceValidateController.handleRequestInternal(
            request, new MockHttpServletResponse());
    assertEquals(
        ServiceValidateController.DEFAULT_SERVICE_FAILURE_VIEW_NAME, modelAndView.getViewName());
    assertNull(modelAndView.getModel().get("pgtIou"));
  }
  private HttpServletRequest getHttpServletRequest() throws Exception {
    final TicketGrantingTicket tId =
        getCentralAuthenticationService()
            .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword());
    getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService());
    final ServiceTicket sId2 =
        getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService());

    final MockHttpServletRequest request = new MockHttpServletRequest();
    request.addParameter("service", TestUtils.getService().getId());
    request.addParameter("ticket", sId2.getId());
    request.addParameter("renew", "true");

    return request;
  }
  protected final ModelAndView getModelAndViewUponServiceValidationWithSecurePgtUrl()
      throws Exception {
    final TicketGrantingTicket tId =
        getCentralAuthenticationService()
            .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword());
    final ServiceTicket sId =
        getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService());

    final MockHttpServletRequest request = new MockHttpServletRequest();
    request.addParameter("service", TestUtils.getService().getId());
    request.addParameter("ticket", sId.getId());
    request.addParameter("pgtUrl", "https://www.github.com");

    return this.serviceValidateController.handleRequestInternal(
        request, new MockHttpServletResponse());
  }
  @Test
  public void verifyValidServiceTicket() throws Exception {
    final TicketGrantingTicket tId =
        getCentralAuthenticationService()
            .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword());
    final ServiceTicket sId =
        getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService());

    final MockHttpServletRequest request = new MockHttpServletRequest();
    request.addParameter("service", TestUtils.getService().getId());
    request.addParameter("ticket", sId.getId());

    assertEquals(
        ServiceValidateController.DEFAULT_SERVICE_SUCCESS_VIEW_NAME,
        this.serviceValidateController
            .handleRequestInternal(request, new MockHttpServletResponse())
            .getViewName());
  }
  @Override
  protected ModelAndView handleRequestInternal(
      final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    // get CAS ticket
    final String ticket = request.getParameter(OAuthConstants.TICKET);
    log.debug("ticket : {}", ticket);

    ServiceTicket serviceTicket = (ServiceTicket) ticketRegistry.getTicket(ticket);
    TicketGrantingTicket grantingTicket = serviceTicket.getGrantingTicket();
    log.debug("granting ticket : {}", grantingTicket);
    if (grantingTicket == null) return null;

    // retrieve callback url from session
    final HttpSession session = request.getSession();
    String callbackUrl = (String) session.getAttribute(OAuthConstants.OAUTH20_CALLBACKURL);
    log.debug("callbackUrl : {}", callbackUrl);
    session.removeAttribute(OAuthConstants.OAUTH20_CALLBACKURL);
    // and state
    final String state = (String) session.getAttribute(OAuthConstants.OAUTH20_STATE);
    log.debug("state : {}", state);
    session.removeAttribute(OAuthConstants.OAUTH20_STATE);

    if (callbackUrl == null) return null;

    // return callback url with code & state
    callbackUrl = OAuthUtils.addParameter(callbackUrl, OAuthConstants.CODE, ticket);
    if (state != null) {
      callbackUrl = OAuthUtils.addParameter(callbackUrl, OAuthConstants.STATE, state);
    }
    log.debug("callbackUrl : {}", callbackUrl);

    final Map<String, Object> model = new HashMap<String, Object>();
    model.put("callbackUrl", callbackUrl);
    // retrieve service name from session
    final String serviceName = (String) session.getAttribute(OAuthConstants.OAUTH20_SERVICE_NAME);
    log.debug("serviceName : {}", serviceName);
    model.put("serviceName", serviceName);

    model.put("userId", grantingTicket.getAuthentication().getPrincipal().getId());

    return new ModelAndView(OAuthConstants.CONFIRM_VIEW, model);
  }
  @Test
  public void verifyValidServiceTicketWithValidPgtAndProxyHandling() throws Exception {
    final TicketGrantingTicket tId =
        getCentralAuthenticationService()
            .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword());
    final ServiceTicket sId =
        getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService());

    final MockHttpServletRequest request = new MockHttpServletRequest();
    request.addParameter("service", TestUtils.getService().getId());
    request.addParameter("ticket", sId.getId());
    request.addParameter("pgtUrl", "https://www.github.com");

    final ModelAndView modelAndView =
        this.serviceValidateController.handleRequestInternal(
            request, new MockHttpServletResponse());
    assertEquals(
        ServiceValidateController.DEFAULT_SERVICE_SUCCESS_VIEW_NAME, modelAndView.getViewName());
    assertNotNull(modelAndView.getModel().get("pgtIou"));
  }
  @Test
  public void verifyValidServiceTicketWithDifferentEncoding() throws Exception {
    this.serviceValidateController.setProxyHandler(new Cas10ProxyHandler());
    final TicketGrantingTicket tId =
        getCentralAuthenticationService()
            .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword());

    final String origSvc = "http://www.jasig.org?param=hello+world";
    final ServiceTicket sId =
        getCentralAuthenticationService()
            .grantServiceTicket(tId.getId(), TestUtils.getService(origSvc));

    final String reqSvc = "http://www.jasig.org?param=hello%20world";

    final MockHttpServletRequest request = new MockHttpServletRequest();
    request.addParameter("service", TestUtils.getService(reqSvc).getId());
    request.addParameter("ticket", sId.getId());

    assertEquals(
        ServiceValidateController.DEFAULT_SERVICE_SUCCESS_VIEW_NAME,
        this.serviceValidateController
            .handleRequestInternal(request, new MockHttpServletResponse())
            .getViewName());
  }
  @Audit(
      action = "PROXY_GRANTING_TICKET",
      actionResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOLVER",
      resourceResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
  @Timed(name = "GRANT_PROXY_GRANTING_TICKET_TIMER")
  @Metered(name = "GRANT_PROXY_GRANTING_TICKET_METER")
  @Counted(name = "GRANT_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
  @Transactional(readOnly = false)
  @Override
  public TicketGrantingTicket delegateTicketGrantingTicket(
      final String serviceTicketId, final Credential... credentials)
      throws AuthenticationException, TicketException {

    final ServiceTicket serviceTicket =
        this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null || serviceTicket.isExpired()) {
      logger.debug(
          "ServiceTicket [{}] has expired or cannot be found in the ticket registry",
          serviceTicketId);
      throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService =
        this.servicesManager.findServiceBy(serviceTicket.getService());

    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());

    if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
      logger.warn(
          "ServiceManagement: Service [{}] attempted to proxy, but is not allowed.",
          serviceTicket.getService().getId());
      throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = this.authenticationManager.authenticate(credentials);

    final String pgtId =
        this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(
            TicketGrantingTicket.PROXY_GRANTING_TICKET_PREFIX);
    final TicketGrantingTicket proxyGrantingTicket =
        serviceTicket.grantTicketGrantingTicket(
            pgtId, authentication, this.ticketGrantingTicketExpirationPolicy);

    logger.debug(
        "Generated proxy granting ticket [{}] based off of [{}]",
        proxyGrantingTicket,
        serviceTicketId);
    this.ticketRegistry.addTicket(proxyGrantingTicket);

    return proxyGrantingTicket;
  }
  @Audit(
      action = "PROXY_GRANTING_TICKET",
      actionResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOLVER",
      resourceResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
  @Profiled(tag = "GRANT_PROXY_GRANTING_TICKET", logFailuresSeparately = false)
  @Transactional(readOnly = false)
  @Override
  public String delegateTicketGrantingTicket(
      final String serviceTicketId, final Credential... credentials)
      throws AuthenticationException, TicketException {

    Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
    Assert.notNull(credentials, "credentials cannot be null");

    final ServiceTicket serviceTicket =
        this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null || serviceTicket.isExpired()) {
      logger.debug(
          "ServiceTicket [{}] has expired or cannot be found in the ticket registry",
          serviceTicketId);
      throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService =
        this.servicesManager.findServiceBy(serviceTicket.getService());

    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());

    if (!registeredService.isAllowedToProxy()) {
      logger.warn(
          "ServiceManagement: Service [{}] attempted to proxy, but is not allowed.",
          serviceTicket.getService().getId());
      throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = this.authenticationManager.authenticate(credentials);

    final TicketGrantingTicket ticketGrantingTicket =
        serviceTicket.grantTicketGrantingTicket(
            this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(
                TicketGrantingTicket.PREFIX),
            authentication,
            this.ticketGrantingTicketExpirationPolicy);

    this.ticketRegistry.addTicket(ticketGrantingTicket);

    return ticketGrantingTicket.getId();
  }
  /**
   * Determines the principal id to use for a {@link RegisteredService} using the following rules:
   *
   * <ul>
   *   <li>If the service is marked to allow anonymous access, a persistent id is returned.
   *   <li>If the {@link org.jasig.cas.services.RegisteredService#getUsernameAttribute()} is blank,
   *       then the default principal id is returned.
   *   <li>If the username attribute is available as part of the principal's attributes, the
   *       corresponding attribute value will be returned.
   *   <li>Otherwise, the default principal's id is returned as the username attribute with an
   *       additional warning.
   * </ul>
   *
   * @param principal The principal object to be validated and constructed
   * @param registeredService Requesting service for which a principal is being validated.
   * @param serviceTicket An instance of the service ticket used for validation
   * @return The principal id to use for the requesting registered service
   */
  private String determinePrincipalIdForRegisteredService(
      final Principal principal,
      final RegisteredService registeredService,
      final ServiceTicket serviceTicket) {
    String principalId = null;
    final String serviceUsernameAttribute = registeredService.getUsernameAttribute();

    if (registeredService.isAnonymousAccess()) {
      principalId = this.persistentIdGenerator.generate(principal, serviceTicket.getService());
    } else if (StringUtils.isBlank(serviceUsernameAttribute)) {
      principalId = principal.getId();
    } else {
      if (principal.getAttributes().containsKey(serviceUsernameAttribute)) {
        principalId = principal.getAttributes().get(serviceUsernameAttribute).toString();
      } else {
        principalId = principal.getId();
        final Object[] errorLogParameters =
            new Object[] {
              principalId,
              registeredService.getUsernameAttribute(),
              principal.getAttributes(),
              registeredService.getServiceId(),
              principalId
            };
        logger.warn(
            "Principal [{}] did not have attribute [{}] among attributes [{}] so CAS cannot "
                + "provide on the validation response the user attribute the registered service [{}] expects. "
                + "CAS will instead return the default username attribute [{}]",
            errorLogParameters);
      }
    }

    logger.debug(
        "Principal id to return for service [{}] is [{}]. The default principal id is [{}].",
        new Object[] {registeredService.getName(), principal.getId(), principalId});
    return principalId;
  }
  @Audit(
      action = "SERVICE_TICKET_VALIDATE",
      actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER",
      resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
  @Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
  @Metered(name = "VALIDATE_SERVICE_TICKET_METER")
  @Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
  @Transactional(readOnly = false)
  @Override
  public Assertion validateServiceTicket(final String serviceTicketId, final Service service)
      throws TicketException {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    verifyRegisteredServiceProperties(registeredService, service);

    final ServiceTicket serviceTicket =
        this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
      logger.info("Service ticket [{}] does not exist.", serviceTicketId);
      throw new InvalidTicketException(serviceTicketId);
    }

    try {
      synchronized (serviceTicket) {
        if (serviceTicket.isExpired()) {
          logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
          throw new InvalidTicketException(serviceTicketId);
        }

        if (!serviceTicket.isValidFor(service)) {
          logger.error(
              "Service ticket [{}] with service [{}] does not match supplied service [{}]",
              serviceTicketId,
              serviceTicket.getService().getId(),
              service);
          throw new UnrecognizableServiceForServiceTicketValidationException(
              serviceTicket.getService());
        }
      }

      final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
      final Authentication authentication =
          getAuthenticationSatisfiedByPolicy(
              root, new ServiceContext(serviceTicket.getService(), registeredService));
      final Principal principal = authentication.getPrincipal();

      final AttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
      logger.debug(
          "Attribute policy [{}] is associated with service [{}]",
          attributePolicy,
          registeredService);

      @SuppressWarnings("unchecked")
      final Map<String, Object> attributesToRelease =
          attributePolicy != null
              ? attributePolicy.getAttributes(principal)
              : Collections.EMPTY_MAP;

      final String principalId =
          registeredService.getUsernameAttributeProvider().resolveUsername(principal, service);
      final Principal modifiedPrincipal =
          this.principalFactory.createPrincipal(principalId, attributesToRelease);
      final AuthenticationBuilder builder = AuthenticationBuilder.newInstance(authentication);
      builder.setPrincipal(modifiedPrincipal);

      return new ImmutableAssertion(
          builder.build(),
          serviceTicket.getGrantingTicket().getChainedAuthentications(),
          serviceTicket.getService(),
          serviceTicket.isFromNewLogin());
    } finally {
      if (serviceTicket.isExpired()) {
        this.serviceTicketRegistry.deleteTicket(serviceTicketId);
      }
    }
  }
  @Audit(
      action = "SERVICE_TICKET",
      actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER",
      resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
  @Timed(name = "GRANT_SERVICE_TICKET_TIMER")
  @Metered(name = "GRANT_SERVICE_TICKET_METER")
  @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
  @Transactional(readOnly = false)
  @Override
  public ServiceTicket grantServiceTicket(
      final String ticketGrantingTicketId, final Service service, final Credential... credentials)
      throws AuthenticationException, TicketException {

    final TicketGrantingTicket ticketGrantingTicket =
        getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, service);
    final Set<Credential> sanitizedCredentials = sanitizeCredentials(credentials);

    Authentication currentAuthentication = null;
    if (sanitizedCredentials.size() > 0) {
      currentAuthentication =
          this.authenticationManager.authenticate(
              sanitizedCredentials.toArray(new Credential[] {}));
      final Authentication original = ticketGrantingTicket.getAuthentication();
      if (!currentAuthentication.getPrincipal().equals(original.getPrincipal())) {
        throw new MixedPrincipalException(
            currentAuthentication, currentAuthentication.getPrincipal(), original.getPrincipal());
      }
      ticketGrantingTicket.getSupplementalAuthentications().add(currentAuthentication);
    }

    if (currentAuthentication == null
        && !registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) {
      logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
      throw new UnauthorizedSsoServiceException();
    }

    final Service proxiedBy = ticketGrantingTicket.getProxiedBy();
    if (proxiedBy != null) {
      logger.debug(
          "TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId());
      final RegisteredService proxyingService = servicesManager.findServiceBy(proxiedBy);

      if (proxyingService != null) {
        logger.debug("Located proxying service [{}] in the service registry", proxyingService);
        if (!proxyingService.getProxyPolicy().isAllowedToProxy()) {
          logger.warn(
              "Found proxying service {}, but it is not authorized to fulfill the proxy attempt made by {}",
              proxyingService.getId(),
              service.getId());
          throw new UnauthorizedProxyingException(
              "Proxying is not allowed for registered service " + registeredService.getId());
        }
      } else {
        logger.warn(
            "No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.",
            service.getId(),
            registeredService.getId());
        throw new UnauthorizedProxyingException(
            "Proxying is not allowed for registered service " + registeredService.getId());
      }
    } else {
      logger.trace("TGT is not proxied by another service");
    }

    // Perform security policy check by getting the authentication that satisfies the configured
    // policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(
        ticketGrantingTicket, new ServiceContext(service, registeredService));

    final List<Authentication> authentications = ticketGrantingTicket.getChainedAuthentications();
    final Principal principal = authentications.get(authentications.size() - 1).getPrincipal();

    final Map<String, Object> principalAttrs =
        registeredService.getAttributeReleasePolicy().getAttributes(principal);
    if (!registeredService
        .getAccessStrategy()
        .doPrincipalAttributesAllowServiceAccess(principalAttrs)) {
      logger.warn(
          "ServiceManagement: Cannot grant service ticket because Service [{}] is not authorized for use by [{}].",
          service.getId(),
          principal);
      throw new UnauthorizedServiceForPrincipalException();
    }

    final String uniqueTicketIdGenKey = service.getClass().getName();
    logger.debug("Looking up service ticket id generator for [{}]", uniqueTicketIdGenKey);
    UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
        this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);
    if (serviceTicketUniqueTicketIdGenerator == null) {
      serviceTicketUniqueTicketIdGenerator = this.defaultServiceTicketIdGenerator;
      logger.debug(
          "Service ticket id generator not found for [{}]. Using the default generator...",
          uniqueTicketIdGenKey);
    }

    final String ticketPrefix =
        authentications.size() == 1 ? ServiceTicket.PREFIX : ServiceTicket.PROXY_TICKET_PREFIX;
    final String ticketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ticketPrefix);
    final ServiceTicket serviceTicket =
        ticketGrantingTicket.grantServiceTicket(
            ticketId, service, this.serviceTicketExpirationPolicy, currentAuthentication != null);

    this.serviceTicketRegistry.addTicket(serviceTicket);

    logger.info(
        "Granted ticket [{}] for service [{}] for user [{}]",
        serviceTicket.getId(),
        service.getId(),
        principal.getId());

    return serviceTicket;
  }
  @Audit(
      action = "SERVICE_TICKET",
      actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER",
      resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
  @Profiled(tag = "GRANT_SERVICE_TICKET", logFailuresSeparately = false)
  @Transactional(readOnly = false)
  @Override
  public String grantServiceTicket(
      final String ticketGrantingTicketId, final Service service, final Credential... credentials)
      throws AuthenticationException, TicketException {
    Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
    Assert.notNull(service, "service cannot be null");

    final TicketGrantingTicket ticketGrantingTicket =
        this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

    if (ticketGrantingTicket == null) {
      logger.debug(
          "TicketGrantingTicket [{}] cannot be found in the ticket registry.",
          ticketGrantingTicketId);
      throw new InvalidTicketException(ticketGrantingTicketId);
    }

    synchronized (ticketGrantingTicket) {
      if (ticketGrantingTicket.isExpired()) {
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
        logger.debug(
            "TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.",
            ticketGrantingTicketId);
        throw new InvalidTicketException(ticketGrantingTicketId);
      }
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, service);

    if (!registeredService.isSsoEnabled()
        && credentials == null
        && ticketGrantingTicket.getCountOfUses() > 0) {
      logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
      throw new UnauthorizedSsoServiceException();
    }

    // CAS-1019
    final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
    if (authns.size() > 1) {
      if (!registeredService.isAllowedToProxy()) {
        final String message =
            String.format(
                "ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
                service.getId(), registeredService.toString());
        logger.warn(message);
        throw new UnauthorizedProxyingException(message);
      }
    }

    if (credentials != null) {
      final Authentication current = this.authenticationManager.authenticate(credentials);
      final Authentication original = ticketGrantingTicket.getAuthentication();
      if (!current.getPrincipal().equals(original.getPrincipal())) {
        throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal());
      }
      ticketGrantingTicket.getSupplementalAuthentications().add(current);
    }

    // Perform security policy check by getting the authentication that satisfies the configured
    // policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(
        ticketGrantingTicket, new ServiceContext(service, registeredService));

    final String uniqueTicketIdGenKey = service.getClass().getName();
    if (!this.uniqueTicketIdGeneratorsForService.containsKey(uniqueTicketIdGenKey)) {
      logger.warn(
          "Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator",
          uniqueTicketIdGenKey,
          service.getId());
      throw new UnauthorizedSsoServiceException();
    }

    final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
        this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);

    final String generatedServiceTicketId =
        serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX);
    logger.debug(
        "Generated service ticket id [{}] for ticket granting ticket [{}]",
        generatedServiceTicketId,
        ticketGrantingTicket.getId());

    final ServiceTicket serviceTicket =
        ticketGrantingTicket.grantServiceTicket(
            generatedServiceTicketId,
            service,
            this.serviceTicketExpirationPolicy,
            credentials != null);

    this.serviceTicketRegistry.addTicket(serviceTicket);

    if (logger.isInfoEnabled()) {
      final List<Authentication> authentications =
          serviceTicket.getGrantingTicket().getChainedAuthentications();
      final String formatString = "Granted %s ticket [%s] for service [%s] for user [%s]";
      final String type;
      final String principalId =
          authentications.get(authentications.size() - 1).getPrincipal().getId();

      if (authentications.size() == 1) {
        type = "service";
      } else {
        type = "proxy";
      }

      logger.info(
          String.format(formatString, type, serviceTicket.getId(), service.getId(), principalId));
    }

    return serviceTicket.getId();
  }
  @Override
  protected ModelAndView handleRequestInternal(
      final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    final HttpSession session = request.getSession();

    // get cas login service ticket
    final String serviceTicketId = request.getParameter(OAuthConstants.TICKET);
    LOGGER.debug("{} : {}", OAuthConstants.TICKET, serviceTicketId);

    // first time this url is requested the login ticket will be a query parameter
    if (serviceTicketId != null) {
      // create the login ticket granting ticket
      final ServiceTicket serviceTicket = (ServiceTicket) ticketRegistry.getTicket(serviceTicketId);
      // login service ticket should be valid
      if (serviceTicket == null || serviceTicket.isExpired()) {
        LOGGER.error("Service Ticket expired : {}", serviceTicketId);
        return OAuthUtils.writeTextError(
            response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST);
      }
      final TicketGrantingTicket ticketGrantingTicket = serviceTicket.getGrantingTicket();
      // remove login service ticket
      ticketRegistry.deleteTicket(serviceTicket.getId());

      // store the login tgt id in the user's session, used to create service tickets for validation
      // and
      // oauth credentials later in the flow.
      session.setAttribute(OAuthConstants.OAUTH20_LOGIN_TICKET_ID, ticketGrantingTicket.getId());

      // redirect back to self, clears the service ticket from the url, allows the url to be
      // requested multiple
      // times w/o error
      return OAuthUtils.redirectTo(request.getRequestURL().toString());
    }

    // get cas login service ticket from the session
    String ticketGrantingTicketId =
        (String) session.getAttribute(OAuthConstants.OAUTH20_LOGIN_TICKET_ID);
    LOGGER.debug("{} : {}", OAuthConstants.TICKET, ticketGrantingTicketId);
    if (StringUtils.isBlank(ticketGrantingTicketId)) {
      LOGGER.error("Missing Ticket Granting Ticket");
      return OAuthUtils.writeTextError(
          response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST);
    }

    // verify the login ticket granting ticket is still valid
    TicketGrantingTicket ticketGrantingTicket =
        (TicketGrantingTicket) ticketRegistry.getTicket(ticketGrantingTicketId);
    if (ticketGrantingTicket == null || ticketGrantingTicket.isExpired()) {
      LOGGER.error("Ticket Granting Ticket expired : {}", ticketGrantingTicketId);
      return OAuthUtils.writeTextError(
          response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST);
    }

    String callbackUrl =
        request
            .getRequestURL()
            .toString()
            .replace(
                "/" + OAuthConstants.CALLBACK_AUTHORIZE_URL,
                "/" + OAuthConstants.CALLBACK_AUTHORIZE_ACTION_URL);
    LOGGER.debug("{} : {}", OAuthConstants.CALLBACK_AUTHORIZE_ACTION_URL, callbackUrl);

    String allowCallbackUrl =
        OAuthUtils.addParameter(
            callbackUrl,
            OAuthConstants.OAUTH20_APPROVAL_PROMPT_ACTION,
            OAuthConstants.OAUTH20_APPROVAL_PROMPT_ACTION_ALLOW);

    final Map<String, Object> model = new HashMap<>();
    model.put("callbackUrl", callbackUrl);

    final Boolean bypassApprovalPrompt =
        (Boolean) session.getAttribute(OAuthConstants.BYPASS_APPROVAL_PROMPT);
    LOGGER.debug("bypassApprovalPrompt : {}", bypassApprovalPrompt);
    if (bypassApprovalPrompt != null && bypassApprovalPrompt) {
      return OAuthUtils.redirectTo(allowCallbackUrl);
    }

    final String clientId = (String) session.getAttribute(OAuthConstants.OAUTH20_CLIENT_ID);
    LOGGER.debug("{} : {}", OAuthConstants.CLIENT_ID, clientId);

    final Principal loginPrincipal = ticketGrantingTicket.getAuthentication().getPrincipal();

    final String approvalPrompt =
        (String) session.getAttribute(OAuthConstants.OAUTH20_APPROVAL_PROMPT);
    LOGGER.debug("approvalPrompt : {}", approvalPrompt);
    if (StringUtils.isBlank(approvalPrompt)
        || !approvalPrompt.equalsIgnoreCase(OAuthConstants.APPROVAL_PROMPT_FORCE)) {
      final TicketGrantingTicket refreshToken =
          OAuthTokenUtils.getRefreshToken(centralAuthenticationService, clientId, loginPrincipal);
      if (refreshToken != null) {
        return OAuthUtils.redirectTo(allowCallbackUrl);
      }
    }

    // retrieve service name from session
    final String serviceName = (String) session.getAttribute(OAuthConstants.OAUTH20_SERVICE_NAME);
    LOGGER.debug("serviceName : {}", serviceName);
    model.put("serviceName", serviceName);

    return new ModelAndView(OAuthConstants.CONFIRM_VIEW, model);
  }