Example #1
0
  /**
   * Grants a service ticket for the given service, using the given TicketGrantingTicket. If no
   * 'service' is specified, simply forward to message conveying generic success.
   *
   * @param request request
   * @param response response
   * @param t t
   * @param serviceId serviceId
   * @param first first
   * @throws ServletException ServletException
   * @throws IOException IOException
   */
  private void grantForService(
      final HttpServletRequest request,
      final HttpServletResponse response,
      final TicketGrantingTicket t,
      final String serviceId,
      final boolean first)
      throws ServletException, IOException {
    try {
      String actualServiceId = serviceId != null ? serviceId : "http://www.lvmama.com/";
      if (actualServiceId.contains("&")) {
        // log("service=="+actualServiceId);
        actualServiceId = actualServiceId.replaceAll("&", "&");
      }
      ServiceTicket st = new ServiceTicket(t, actualServiceId, first);
      String token = stCache.addTicket(st);
      request.setAttribute("serviceId", actualServiceId);
      request.setAttribute("token", token);
      if (!first) {
        if (privacyRequested(request)) {
          app.getRequestDispatcher(confirmService).forward(request, response);
        } else {
          request.setAttribute("first", "false");
          Cookie unCookie = null;
          Cookie[] cookies = request.getCookies();
          if (null != cookies) {
            for (int i = 0; i < cookies.length; i++) {
              if (cookies[i].getName().equals("UN")) {
                unCookie = cookies[i];
              }
            }
          }
          if (null == unCookie) {
            unCookie = new Cookie("UN", null);
            unCookie.setDomain(DomainConstant.DOMAIN);
            unCookie.setMaxAge(
                StringUtils.isNotEmpty(keepLogin)
                    ? Integer.parseInt(app.getInitParameter("UNCookieTimeOut"))
                    : -1);
            unCookie.setPath("/");

            unCookie.setValue(
                URLEncoder.encode(new String(InfoBase64Coding.decrypt(t.getUsername())), "UTF-8"));

            response.addCookie(unCookie);
          }

          app.getRequestDispatcher(serviceSuccess).forward(request, response);
        }
      } else {
        request.setAttribute("first", "true");
        Cookie unCookie = null;
        Cookie[] cookies = request.getCookies();
        if (null != cookies) {
          for (int i = 0; i < cookies.length; i++) {
            if (cookies[i].getName().equals("UN")) {
              unCookie = cookies[i];
            }
          }
        }
        if (null == unCookie) {
          unCookie = new Cookie("UN", null);
          unCookie.setDomain(DomainConstant.DOMAIN);
          unCookie.setMaxAge(
              StringUtils.isNotEmpty(keepLogin)
                  ? Integer.parseInt(app.getInitParameter("UNCookieTimeOut"))
                  : -1);
          unCookie.setPath("/");
          unCookie.setValue(
              URLEncoder.encode(new String(InfoBase64Coding.decrypt(t.getUsername())), "UTF-8"));
          response.addCookie(unCookie);
        }
        app.getRequestDispatcher(serviceSuccess).forward(request, response);
      }
    } catch (TicketException ex) {
      throw new ServletException(ex.toString());
    }
  }
Example #2
0
  /**
   * doGet
   *
   * @param request request
   * @param response response
   * @throws ServletException ServletException
   * @throws IOException IOException
   */
  public void doGet(final HttpServletRequest request, final HttpServletResponse response)
      throws ServletException, IOException {
    // avoid caching (in the stupidly numerous ways we must)
    //		response.setHeader("Pragma", "no-cache");
    //		response.setHeader("Cache-Control", "no-store");
    //		response.setDateHeader("Expires", -1);

    keepLogin = request.getParameter("keepLogin");

    // check to see whether we've been sent a valid TGC
    Cookie[] cookies = request.getCookies();
    TicketGrantingTicket tgt = null;
    if (cookies != null) {
      for (int i = 0; i < cookies.length; i++) {
        if (cookies[i].getName().equals(TGC_ID)) {
          tgt = (TicketGrantingTicket) tgcCache.getTicket(cookies[i].getValue());
          if (tgt == null) {
            continue;
          }
          // unless RENEW is set, let the user through to the service.
          // otherwise, fall through and we'll be handled by
          // authentication
          // below. Note that tgt is still active.
          if (request.getParameter(RENEW) == null
              && null != ServletUtil.getSession(request, response, Constant.SESSION_FRONT_USER)) {
            grantForService(request, response, tgt, request.getParameter(SERVICE), false);

            return;
          }
        }
      }
    }

    // if not, but if we're passed "gateway", then simply bounce back
    if (request.getParameter(SERVICE) != null && request.getParameter(GATEWAY) != null) {
      request.setAttribute("serviceId", request.getParameter(SERVICE));
      app.getRequestDispatcher(redirect).forward(request, response);
      return;
    }
    boolean needCheckVerifyCode = SSOUtil.needCheckVerifyCode(request);
    // if not, then see if our AuthHandler can help
    if (handler instanceof TrustHandler) {
      // try to get a trusted username by interpreting the request
      String trustedUsername = ((TrustHandler) handler).getUsername(request);
      if (trustedUsername != null) {
        // success: send a new TGC if we don't have a valid TGT from
        // above
        if (tgt == null) {
          tgt = sendTgc(trustedUsername, request, response);
        } else if (!tgt.getUsername().equals(trustedUsername)) {
          // we're coming into a renew=true as a different user...
          // expire the old tgt
          tgt.expire();
          // and send a new one
          tgt = sendTgc(trustedUsername, request, response);
        }
        sendPrivacyCookie(request, response);
        grantForService(request, response, tgt, request.getParameter(SERVICE), true);
        return;
      } else {
        // failure: nothing else to be done
        throw new ServletException("unable to authenticate user");
      }
    } else if (handler instanceof PasswordHandler
        && StringUtils.isNotBlank(request.getParameter("username"))
        && StringUtils.isNotBlank(request.getParameter("password"))
        && (!needCheckVerifyCode || StringUtils.isNotBlank(request.getParameter("verifycode")))
        && request.getParameter("lt") != null) {
      if (!SSOUtil.checkLoginErrorCount(request)) {
        // 同一个IP登录次数过于频繁
        request.setAttribute("edu.yale.its.tp.cas.loginCount2many", "");
      } else {
        String userName = request.getParameter("username");
        String password = request.getParameter("password");
        String verifycode = request.getParameter("verifycode");

        // 登录4位验证码检查
        if (SSOUtil.needCheckVerifyCode(request)
            && !SSOUtil.checkKaptchaCode(request, verifycode, true)) {
          // failure: record failed verifycode authentication
          request.setAttribute("edu.yale.its.tp.cas.badVerifyCode", "");
        }
        // do we have a valid login ticket?
        else if (ltCache.getTicket(request.getParameter("lt")) != null) {
          // do we have a valid username and password?
          UserUser user =
              ((PasswordHandler) handler)
                  .authenticate(request, response, userName, password, "Front");
          if (null != user) {
            //						SSOUtil.clearLoginErrorCount(request);
            // success: send a new TGC if we don't have a valid TGT from
            // above
            String tgtUsername = user.getUserName() + "^!^" + user.getUserNo();
            if (tgt == null) {
              tgt = sendTgc(tgtUsername, request, response);
            } else if (!tgt.getUsername().equals(tgtUsername)) {
              // we're coming into a renew=true as a different user...
              // expire the old tgt
              tgt.expire();
              // and send a new one
              tgt = sendTgc(tgtUsername, request, response);
            }
            // 用户邮箱未登记或者未验证的标识
            if (StringUtils.isBlank(user.getEmail())) {
              Cookie tck = new Cookie("EMV", "E");
              // tck.setSecure(false);
              tck.setMaxAge(-1);
              tck.setDomain(DomainConstant.DOMAIN);
              tck.setPath("/");
              response.addCookie(tck);
            }
            if (StringUtils.isNotBlank(user.getEmail()) && !"Y".equals(user.getIsEmailChecked())) {
              Cookie tck = new Cookie("EMV", "U");
              // tck.setSecure(false);
              tck.setMaxAge(-1);
              tck.setDomain(DomainConstant.DOMAIN);
              tck.setPath("/");
              response.addCookie(tck);
            }
            sendPrivacyCookie(request, response);
            grantForService(request, response, tgt, request.getParameter(SERVICE), true);

            return;
          } else {
            SSOUtil.addLoginErrorCount(request);
            // failure: record failed password authentication
            request.setAttribute("edu.yale.its.tp.cas.badUsernameOrPassword", "");
            request.setAttribute("userName", request.getParameter("username"));
          }
        } else {
          SSOUtil.addLoginErrorCount(request);
          // failure: record invalid login ticket
          request.setAttribute("edu.yale.its.tp.cas.badLoginTicket", "");
          // horrible way of logging, I know
        }
      }
    }
    // record the service in the request
    request.setAttribute("edu.yale.its.tp.cas.service", request.getParameter(SERVICE));

    // no success yet, so generate a login ticket and forward to the
    // login form
    try {
      String lt = ltCache.addTicket();
      request.setAttribute("edu.yale.its.tp.cas.lt", lt);
    } catch (TicketException ex) {
      throw new ServletException(ex);
    }
    request.setAttribute("needCheckVerifyCode", SSOUtil.needCheckVerifyCode(request));
    app.getRequestDispatcher(loginForm).forward(request, response);
  }