@Override
  protected ModelAndView handleRequestInternal(
      final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    String accessToken = request.getParameter(OAuthConstants.ACCESS_TOKEN);
    if (StringUtils.isBlank(accessToken)) {
      final String authHeader = request.getHeader("Authorization");
      if (StringUtils.isNotBlank(authHeader)
          && authHeader.toLowerCase().startsWith(OAuthConstants.BEARER_TOKEN.toLowerCase() + ' ')) {
        accessToken = authHeader.substring(OAuthConstants.BEARER_TOKEN.length() + 1);
      }
    }
    LOGGER.debug("{} : {}", OAuthConstants.ACCESS_TOKEN, accessToken);

    try (final JsonGenerator jsonGenerator =
        this.jsonFactory.createJsonGenerator(response.getWriter())) {
      response.setContentType("application/json");
      // accessToken is required
      if (StringUtils.isBlank(accessToken)) {
        LOGGER.error("Missing {}", OAuthConstants.ACCESS_TOKEN);
        jsonGenerator.writeStartObject();
        jsonGenerator.writeStringField("error", OAuthConstants.MISSING_ACCESS_TOKEN);
        jsonGenerator.writeEndObject();
        return null;
      }
      // get ticket granting ticket
      final TicketGrantingTicket ticketGrantingTicket =
          (TicketGrantingTicket) this.ticketRegistry.getTicket(accessToken);
      if (ticketGrantingTicket == null || ticketGrantingTicket.isExpired()) {
        LOGGER.error("expired accessToken : {}", accessToken);
        jsonGenerator.writeStartObject();
        jsonGenerator.writeStringField("error", OAuthConstants.EXPIRED_ACCESS_TOKEN);
        jsonGenerator.writeEndObject();
        return null;
      }
      // generate profile : identifier + attributes
      final Principal principal = ticketGrantingTicket.getAuthentication().getPrincipal();
      jsonGenerator.writeStartObject();
      jsonGenerator.writeStringField(ID, principal.getId());
      jsonGenerator.writeObjectFieldStart(ATTRIBUTES);
      final Map<String, Object> attributes = principal.getAttributes();
      for (final Map.Entry<String, Object> entry : attributes.entrySet()) {
        //                jsonGenerator.writeStartObject();
        jsonGenerator.writeObjectField(entry.getKey(), entry.getValue());
        //                jsonGenerator.writeEndObject();
      }
      //            jsonGenerator.writeEndArray();
      jsonGenerator.writeEndObject();
      return null;
    } finally {
      response.flushBuffer();
    }
  }
コード例 #2
0
  @Audit(
      action = "SERVICE_TICKET",
      actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER",
      resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
  @Profiled(tag = "GRANT_SERVICE_TICKET", logFailuresSeparately = false)
  @Transactional(readOnly = false)
  @Override
  public String grantServiceTicket(
      final String ticketGrantingTicketId, final Service service, final Credential... credentials)
      throws AuthenticationException, TicketException {
    Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
    Assert.notNull(service, "service cannot be null");

    final TicketGrantingTicket ticketGrantingTicket =
        this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

    if (ticketGrantingTicket == null) {
      logger.debug(
          "TicketGrantingTicket [{}] cannot be found in the ticket registry.",
          ticketGrantingTicketId);
      throw new InvalidTicketException(ticketGrantingTicketId);
    }

    synchronized (ticketGrantingTicket) {
      if (ticketGrantingTicket.isExpired()) {
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
        logger.debug(
            "TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.",
            ticketGrantingTicketId);
        throw new InvalidTicketException(ticketGrantingTicketId);
      }
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, service);

    if (!registeredService.isSsoEnabled()
        && credentials == null
        && ticketGrantingTicket.getCountOfUses() > 0) {
      logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
      throw new UnauthorizedSsoServiceException();
    }

    // CAS-1019
    final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
    if (authns.size() > 1) {
      if (!registeredService.isAllowedToProxy()) {
        final String message =
            String.format(
                "ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
                service.getId(), registeredService.toString());
        logger.warn(message);
        throw new UnauthorizedProxyingException(message);
      }
    }

    if (credentials != null) {
      final Authentication current = this.authenticationManager.authenticate(credentials);
      final Authentication original = ticketGrantingTicket.getAuthentication();
      if (!current.getPrincipal().equals(original.getPrincipal())) {
        throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal());
      }
      ticketGrantingTicket.getSupplementalAuthentications().add(current);
    }

    // Perform security policy check by getting the authentication that satisfies the configured
    // policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(
        ticketGrantingTicket, new ServiceContext(service, registeredService));

    final String uniqueTicketIdGenKey = service.getClass().getName();
    if (!this.uniqueTicketIdGeneratorsForService.containsKey(uniqueTicketIdGenKey)) {
      logger.warn(
          "Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator",
          uniqueTicketIdGenKey,
          service.getId());
      throw new UnauthorizedSsoServiceException();
    }

    final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
        this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);

    final String generatedServiceTicketId =
        serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX);
    logger.debug(
        "Generated service ticket id [{}] for ticket granting ticket [{}]",
        generatedServiceTicketId,
        ticketGrantingTicket.getId());

    final ServiceTicket serviceTicket =
        ticketGrantingTicket.grantServiceTicket(
            generatedServiceTicketId,
            service,
            this.serviceTicketExpirationPolicy,
            credentials != null);

    this.serviceTicketRegistry.addTicket(serviceTicket);

    if (logger.isInfoEnabled()) {
      final List<Authentication> authentications =
          serviceTicket.getGrantingTicket().getChainedAuthentications();
      final String formatString = "Granted %s ticket [%s] for service [%s] for user [%s]";
      final String type;
      final String principalId =
          authentications.get(authentications.size() - 1).getPrincipal().getId();

      if (authentications.size() == 1) {
        type = "service";
      } else {
        type = "proxy";
      }

      logger.info(
          String.format(formatString, type, serviceTicket.getId(), service.getId(), principalId));
    }

    return serviceTicket.getId();
  }
コード例 #3
0
  @Override
  protected ModelAndView handleRequestInternal(
      final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    final HttpSession session = request.getSession();

    // get cas login service ticket
    final String serviceTicketId = request.getParameter(OAuthConstants.TICKET);
    LOGGER.debug("{} : {}", OAuthConstants.TICKET, serviceTicketId);

    // first time this url is requested the login ticket will be a query parameter
    if (serviceTicketId != null) {
      // create the login ticket granting ticket
      final ServiceTicket serviceTicket = (ServiceTicket) ticketRegistry.getTicket(serviceTicketId);
      // login service ticket should be valid
      if (serviceTicket == null || serviceTicket.isExpired()) {
        LOGGER.error("Service Ticket expired : {}", serviceTicketId);
        return OAuthUtils.writeTextError(
            response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST);
      }
      final TicketGrantingTicket ticketGrantingTicket = serviceTicket.getGrantingTicket();
      // remove login service ticket
      ticketRegistry.deleteTicket(serviceTicket.getId());

      // store the login tgt id in the user's session, used to create service tickets for validation
      // and
      // oauth credentials later in the flow.
      session.setAttribute(OAuthConstants.OAUTH20_LOGIN_TICKET_ID, ticketGrantingTicket.getId());

      // redirect back to self, clears the service ticket from the url, allows the url to be
      // requested multiple
      // times w/o error
      return OAuthUtils.redirectTo(request.getRequestURL().toString());
    }

    // get cas login service ticket from the session
    String ticketGrantingTicketId =
        (String) session.getAttribute(OAuthConstants.OAUTH20_LOGIN_TICKET_ID);
    LOGGER.debug("{} : {}", OAuthConstants.TICKET, ticketGrantingTicketId);
    if (StringUtils.isBlank(ticketGrantingTicketId)) {
      LOGGER.error("Missing Ticket Granting Ticket");
      return OAuthUtils.writeTextError(
          response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST);
    }

    // verify the login ticket granting ticket is still valid
    TicketGrantingTicket ticketGrantingTicket =
        (TicketGrantingTicket) ticketRegistry.getTicket(ticketGrantingTicketId);
    if (ticketGrantingTicket == null || ticketGrantingTicket.isExpired()) {
      LOGGER.error("Ticket Granting Ticket expired : {}", ticketGrantingTicketId);
      return OAuthUtils.writeTextError(
          response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST);
    }

    String callbackUrl =
        request
            .getRequestURL()
            .toString()
            .replace(
                "/" + OAuthConstants.CALLBACK_AUTHORIZE_URL,
                "/" + OAuthConstants.CALLBACK_AUTHORIZE_ACTION_URL);
    LOGGER.debug("{} : {}", OAuthConstants.CALLBACK_AUTHORIZE_ACTION_URL, callbackUrl);

    String allowCallbackUrl =
        OAuthUtils.addParameter(
            callbackUrl,
            OAuthConstants.OAUTH20_APPROVAL_PROMPT_ACTION,
            OAuthConstants.OAUTH20_APPROVAL_PROMPT_ACTION_ALLOW);

    final Map<String, Object> model = new HashMap<>();
    model.put("callbackUrl", callbackUrl);

    final Boolean bypassApprovalPrompt =
        (Boolean) session.getAttribute(OAuthConstants.BYPASS_APPROVAL_PROMPT);
    LOGGER.debug("bypassApprovalPrompt : {}", bypassApprovalPrompt);
    if (bypassApprovalPrompt != null && bypassApprovalPrompt) {
      return OAuthUtils.redirectTo(allowCallbackUrl);
    }

    final String clientId = (String) session.getAttribute(OAuthConstants.OAUTH20_CLIENT_ID);
    LOGGER.debug("{} : {}", OAuthConstants.CLIENT_ID, clientId);

    final Principal loginPrincipal = ticketGrantingTicket.getAuthentication().getPrincipal();

    final String approvalPrompt =
        (String) session.getAttribute(OAuthConstants.OAUTH20_APPROVAL_PROMPT);
    LOGGER.debug("approvalPrompt : {}", approvalPrompt);
    if (StringUtils.isBlank(approvalPrompt)
        || !approvalPrompt.equalsIgnoreCase(OAuthConstants.APPROVAL_PROMPT_FORCE)) {
      final TicketGrantingTicket refreshToken =
          OAuthTokenUtils.getRefreshToken(centralAuthenticationService, clientId, loginPrincipal);
      if (refreshToken != null) {
        return OAuthUtils.redirectTo(allowCallbackUrl);
      }
    }

    // retrieve service name from session
    final String serviceName = (String) session.getAttribute(OAuthConstants.OAUTH20_SERVICE_NAME);
    LOGGER.debug("serviceName : {}", serviceName);
    model.put("serviceName", serviceName);

    return new ModelAndView(OAuthConstants.CONFIRM_VIEW, model);
  }