/** * {@inheritDoc} * * @return ModelAndView containing a view name of either <code>casProxyFailureView</code> or * <code>casProxySuccessView</code> */ @Override protected ModelAndView handleRequestInternal( final HttpServletRequest request, final HttpServletResponse response) throws Exception { final String ticket = request.getParameter("pgt"); final Service targetService = getTargetService(request); if (!StringUtils.hasText(ticket) || targetService == null) { return generateErrorView("INVALID_REQUEST", "INVALID_REQUEST_PROXY", null); } try { return new ModelAndView( CONST_PROXY_SUCCESS, MODEL_SERVICE_TICKET, this.centralAuthenticationService.grantServiceTicket(ticket, targetService)); } catch (final TicketException e) { return generateErrorView(e.getCode(), e.getCode(), new Object[] {ticket}); } catch (final UnauthorizedServiceException e) { return generateErrorView( "UNAUTHORIZED_SERVICE", "UNAUTHORIZED_SERVICE_PROXY", new Object[] {targetService}); } }
/** * Handle the request. Specially, abides by the default behavior specified in the {@link * org.jasig.cas.web.ServiceValidateController} and then, invokes the {@link #getCommandClass()} * method to delegate the task of spec validation. * * @param request request object * @param response response object * @return A {@link ModelAndView} object pointing to either {@link #setSuccessView(String)} or * {@link #setFailureView(String)} * @throws Exception In case the authentication method cannot be retrieved by the binder from the * incoming request. */ @Override protected final ModelAndView handleRequestInternal( final HttpServletRequest request, final HttpServletResponse response) throws Exception { final WebApplicationService service = this.argumentExtractor.extractService(request); final String serviceTicketId = service != null ? service.getArtifactId() : null; final String authnMethod = getAuthenticationMethodFromRequest(request); if (service == null || serviceTicketId == null) { logger.debug( String.format( "Could not process request; Service: %s, Service Ticket Id: %s", service, serviceTicketId)); return generateErrorView("INVALID_REQUEST", "INVALID_REQUEST", authnMethod, null); } try { final Credential serviceCredentials = getServiceCredentialsFromRequest(request); String proxyGrantingTicketId = null; if (serviceCredentials != null) { try { proxyGrantingTicketId = this.centralAuthenticationService.delegateTicketGrantingTicket( serviceTicketId, serviceCredentials); } catch (final TicketException e) { logger.error("TicketException generating ticket for: " + serviceCredentials, e); } } final Assertion assertion = this.centralAuthenticationService.validateServiceTicket(serviceTicketId, service); final AbstractMultiFactorAuthenticationProtocolValidationSpecification validationSpecification = this.getCommandClass(); final ServletRequestDataBinder binder = new ServletRequestDataBinder(validationSpecification, "validationSpecification"); initBinder(request, binder); binder.bind(request); /** * The binder does not support field aliases. This means that the request parameter names must * exactly match the validation spec fields, or the match fails. Since the validation request * per the modified protocol will use 'authn_method', we could either create a matching field * inside the validation object, create a custom data binder object that does the conversion, * or simply bind the parameter manually. * * <p>This implementation opts for the latter choice. */ validationSpecification.setAuthenticationMethod(authnMethod); try { if (!validationSpecification.isSatisfiedBy(assertion)) { logger.debug( "ServiceTicket [" + serviceTicketId + "] does not satisfy validation specification."); return generateErrorView("INVALID_TICKET", "INVALID_TICKET_SPEC", authnMethod, null); } } catch (final UnrecognizedMultiFactorAuthenticationMethodException e) { logger.debug(e.getMessage(), e); return generateErrorView( e.getCode(), e.getMessage(), authnMethod, new Object[] {e.getAuthenticationMethod()}); } catch (final UnacceptableMultiFactorAuthenticationMethodException e) { logger.debug(e.getMessage(), e); return generateErrorView( e.getCode(), e.getMessage(), authnMethod, new Object[] {serviceTicketId, e.getAuthenticationMethod()}); } onSuccessfulValidation(serviceTicketId, assertion); final ModelAndView success = new ModelAndView(this.successView); success.addObject(MODEL_ASSERTION, assertion); if (serviceCredentials != null && proxyGrantingTicketId != null) { final String proxyIou = this.proxyHandler.handle(serviceCredentials, proxyGrantingTicketId); success.addObject(MODEL_PROXY_GRANTING_TICKET_IOU, proxyIou); } final String authnMethods = MultiFactorUtils.getFulfilledAuthenticationMethodsAsString(assertion); if (StringUtils.isNotBlank(authnMethods)) { success.addObject(MODEL_AUTHN_METHOD, authnMethods); } logger.debug(String.format("Successfully validated service ticket: %s", serviceTicketId)); return success; } catch (final TicketValidationException e) { return generateErrorView( e.getCode(), e.getCode(), authnMethod, new Object[] {serviceTicketId, e.getOriginalService().getId(), service.getId()}); } catch (final TicketException te) { return generateErrorView( te.getCode(), te.getCode(), authnMethod, new Object[] {serviceTicketId}); } catch (final UnauthorizedServiceException e) { return generateErrorView(e.getMessage(), e.getMessage(), authnMethod, null); } }
protected final ModelAndView handleRequestInternal( final HttpServletRequest request, final HttpServletResponse response) throws Exception { final WebApplicationService service = this.argumentExtractor.extractService(request); final String serviceTicketId = service != null ? service.getArtifactId() : null; if (service == null || serviceTicketId == null) { logger.debug( String.format( "Could not process request; Service: %s, Service Ticket Id: %s", service, serviceTicketId)); return generateErrorView("INVALID_REQUEST", "INVALID_REQUEST", null); } try { final Credentials serviceCredentials = getServiceCredentialsFromRequest(request); String proxyGrantingTicketId = null; // XXX should be able to validate AND THEN use if (serviceCredentials != null) { try { proxyGrantingTicketId = this.centralAuthenticationService.delegateTicketGrantingTicket( serviceTicketId, serviceCredentials); } catch (final TicketException e) { logger.error("TicketException generating ticket for: " + serviceCredentials, e); } } final Assertion assertion = this.centralAuthenticationService.validateServiceTicket(serviceTicketId, service); final ValidationSpecification validationSpecification = this.getCommandClass(); final ServletRequestDataBinder binder = new ServletRequestDataBinder(validationSpecification, "validationSpecification"); initBinder(request, binder); binder.bind(request); if (!validationSpecification.isSatisfiedBy(assertion)) { if (logger.isDebugEnabled()) { logger.debug( "ServiceTicket [" + serviceTicketId + "] does not satisfy validation specification."); } return generateErrorView("INVALID_TICKET", "INVALID_TICKET_SPEC", null); } onSuccessfulValidation(serviceTicketId, assertion); final ModelAndView success = new ModelAndView(this.successView); success.addObject(MODEL_ASSERTION, assertion); if (serviceCredentials != null && proxyGrantingTicketId != null) { final String proxyIou = this.proxyHandler.handle(serviceCredentials, proxyGrantingTicketId); success.addObject(MODEL_PROXY_GRANTING_TICKET_IOU, proxyIou); } if (logger.isDebugEnabled()) { logger.debug( String.format( "Successfully validated service ticket [%s] for service [%s]", serviceTicketId, service.getId())); } return success; } catch (final TicketValidationException e) { return generateErrorView( e.getCode(), e.getCode(), new Object[] {serviceTicketId, e.getOriginalService().getId(), service.getId()}); } catch (final TicketException te) { return generateErrorView(te.getCode(), te.getCode(), new Object[] {serviceTicketId}); } catch (final UnauthorizedServiceException e) { return generateErrorView(e.getMessage(), e.getMessage(), null); } }