@Test public void verifyValidServiceTicketWithValidPgtAndProxyHandlerFailing() throws Exception { final TicketGrantingTicket tId = getCentralAuthenticationService() .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword()); final ServiceTicket sId = getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService()); final MockHttpServletRequest request = new MockHttpServletRequest(); request.addParameter("service", TestUtils.getService().getId()); request.addParameter("ticket", sId.getId()); request.addParameter("pgtUrl", "https://www.github.com"); this.serviceValidateController.setProxyHandler( new ProxyHandler() { @Override public String handle( final Credential credential, final TicketGrantingTicket proxyGrantingTicketId) { return null; } @Override public boolean canHandle(final Credential credential) { return true; } }); final ModelAndView modelAndView = this.serviceValidateController.handleRequestInternal( request, new MockHttpServletResponse()); assertEquals( ServiceValidateController.DEFAULT_SERVICE_FAILURE_VIEW_NAME, modelAndView.getViewName()); assertNull(modelAndView.getModel().get("pgtIou")); }
private HttpServletRequest getHttpServletRequest() throws Exception { final TicketGrantingTicket tId = getCentralAuthenticationService() .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword()); getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService()); final ServiceTicket sId2 = getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService()); final MockHttpServletRequest request = new MockHttpServletRequest(); request.addParameter("service", TestUtils.getService().getId()); request.addParameter("ticket", sId2.getId()); request.addParameter("renew", "true"); return request; }
protected final ModelAndView getModelAndViewUponServiceValidationWithSecurePgtUrl() throws Exception { final TicketGrantingTicket tId = getCentralAuthenticationService() .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword()); final ServiceTicket sId = getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService()); final MockHttpServletRequest request = new MockHttpServletRequest(); request.addParameter("service", TestUtils.getService().getId()); request.addParameter("ticket", sId.getId()); request.addParameter("pgtUrl", "https://www.github.com"); return this.serviceValidateController.handleRequestInternal( request, new MockHttpServletResponse()); }
@Test public void verifyValidServiceTicket() throws Exception { final TicketGrantingTicket tId = getCentralAuthenticationService() .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword()); final ServiceTicket sId = getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService()); final MockHttpServletRequest request = new MockHttpServletRequest(); request.addParameter("service", TestUtils.getService().getId()); request.addParameter("ticket", sId.getId()); assertEquals( ServiceValidateController.DEFAULT_SERVICE_SUCCESS_VIEW_NAME, this.serviceValidateController .handleRequestInternal(request, new MockHttpServletResponse()) .getViewName()); }
@Test public void verifyValidServiceTicketWithValidPgtAndProxyHandling() throws Exception { final TicketGrantingTicket tId = getCentralAuthenticationService() .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword()); final ServiceTicket sId = getCentralAuthenticationService().grantServiceTicket(tId.getId(), TestUtils.getService()); final MockHttpServletRequest request = new MockHttpServletRequest(); request.addParameter("service", TestUtils.getService().getId()); request.addParameter("ticket", sId.getId()); request.addParameter("pgtUrl", "https://www.github.com"); final ModelAndView modelAndView = this.serviceValidateController.handleRequestInternal( request, new MockHttpServletResponse()); assertEquals( ServiceValidateController.DEFAULT_SERVICE_SUCCESS_VIEW_NAME, modelAndView.getViewName()); assertNotNull(modelAndView.getModel().get("pgtIou")); }
@Test public void verifyValidServiceTicketWithDifferentEncoding() throws Exception { this.serviceValidateController.setProxyHandler(new Cas10ProxyHandler()); final TicketGrantingTicket tId = getCentralAuthenticationService() .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword()); final String origSvc = "http://www.jasig.org?param=hello+world"; final ServiceTicket sId = getCentralAuthenticationService() .grantServiceTicket(tId.getId(), TestUtils.getService(origSvc)); final String reqSvc = "http://www.jasig.org?param=hello%20world"; final MockHttpServletRequest request = new MockHttpServletRequest(); request.addParameter("service", TestUtils.getService(reqSvc).getId()); request.addParameter("ticket", sId.getId()); assertEquals( ServiceValidateController.DEFAULT_SERVICE_SUCCESS_VIEW_NAME, this.serviceValidateController .handleRequestInternal(request, new MockHttpServletResponse()) .getViewName()); }
@Audit( action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER") @Timed(name = "GRANT_SERVICE_TICKET_TIMER") @Metered(name = "GRANT_SERVICE_TICKET_METER") @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true) @Transactional(readOnly = false) @Override public ServiceTicket grantServiceTicket( final String ticketGrantingTicketId, final Service service, final Credential... credentials) throws AuthenticationException, TicketException { final TicketGrantingTicket ticketGrantingTicket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class); final RegisteredService registeredService = this.servicesManager.findServiceBy(service); verifyRegisteredServiceProperties(registeredService, service); final Set<Credential> sanitizedCredentials = sanitizeCredentials(credentials); Authentication currentAuthentication = null; if (sanitizedCredentials.size() > 0) { currentAuthentication = this.authenticationManager.authenticate( sanitizedCredentials.toArray(new Credential[] {})); final Authentication original = ticketGrantingTicket.getAuthentication(); if (!currentAuthentication.getPrincipal().equals(original.getPrincipal())) { throw new MixedPrincipalException( currentAuthentication, currentAuthentication.getPrincipal(), original.getPrincipal()); } ticketGrantingTicket.getSupplementalAuthentications().add(currentAuthentication); } if (currentAuthentication == null && !registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) { logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId()); throw new UnauthorizedSsoServiceException(); } final Service proxiedBy = ticketGrantingTicket.getProxiedBy(); if (proxiedBy != null) { logger.debug( "TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId()); final RegisteredService proxyingService = servicesManager.findServiceBy(proxiedBy); if (proxyingService != null) { logger.debug("Located proxying service [{}] in the service registry", proxyingService); if (!proxyingService.getProxyPolicy().isAllowedToProxy()) { logger.warn( "Found proxying service {}, but it is not authorized to fulfill the proxy attempt made by {}", proxyingService.getId(), service.getId()); throw new UnauthorizedProxyingException( "Proxying is not allowed for registered service " + registeredService.getId()); } } else { logger.warn( "No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.", service.getId(), registeredService.getId()); throw new UnauthorizedProxyingException( "Proxying is not allowed for registered service " + registeredService.getId()); } } else { logger.trace("TGT is not proxied by another service"); } // Perform security policy check by getting the authentication that satisfies the configured // policy // This throws if no suitable policy is found getAuthenticationSatisfiedByPolicy( ticketGrantingTicket, new ServiceContext(service, registeredService)); final List<Authentication> authentications = ticketGrantingTicket.getChainedAuthentications(); final Principal principal = authentications.get(authentications.size() - 1).getPrincipal(); final Map<String, Object> principalAttrs = registeredService.getAttributeReleasePolicy().getAttributes(principal); if (!registeredService .getAccessStrategy() .doPrincipalAttributesAllowServiceAccess(principalAttrs)) { logger.warn( "ServiceManagement: Cannot grant service ticket because Service [{}] is not authorized for use by [{}].", service.getId(), principal); throw new UnauthorizedServiceForPrincipalException(); } final String uniqueTicketIdGenKey = service.getClass().getName(); logger.debug("Looking up service ticket id generator for [{}]", uniqueTicketIdGenKey); UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey); if (serviceTicketUniqueTicketIdGenerator == null) { serviceTicketUniqueTicketIdGenerator = this.defaultServiceTicketIdGenerator; logger.debug( "Service ticket id generator not found for [{}]. Using the default generator...", uniqueTicketIdGenKey); } final String ticketPrefix = authentications.size() == 1 ? ServiceTicket.PREFIX : ServiceTicket.PROXY_TICKET_PREFIX; final String ticketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ticketPrefix); final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket( ticketId, service, this.serviceTicketExpirationPolicy, currentAuthentication != null); this.serviceTicketRegistry.addTicket(serviceTicket); logger.info( "Granted ticket [{}] for service [{}] for user [{}]", serviceTicket.getId(), service.getId(), principal.getId()); return serviceTicket; }
@Audit( action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER") @Profiled(tag = "GRANT_SERVICE_TICKET", logFailuresSeparately = false) @Transactional(readOnly = false) @Override public String grantServiceTicket( final String ticketGrantingTicketId, final Service service, final Credential... credentials) throws AuthenticationException, TicketException { Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null"); Assert.notNull(service, "service cannot be null"); final TicketGrantingTicket ticketGrantingTicket = this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class); if (ticketGrantingTicket == null) { logger.debug( "TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId); throw new InvalidTicketException(ticketGrantingTicketId); } synchronized (ticketGrantingTicket) { if (ticketGrantingTicket.isExpired()) { this.ticketRegistry.deleteTicket(ticketGrantingTicketId); logger.debug( "TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.", ticketGrantingTicketId); throw new InvalidTicketException(ticketGrantingTicketId); } } final RegisteredService registeredService = this.servicesManager.findServiceBy(service); verifyRegisteredServiceProperties(registeredService, service); if (!registeredService.isSsoEnabled() && credentials == null && ticketGrantingTicket.getCountOfUses() > 0) { logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId()); throw new UnauthorizedSsoServiceException(); } // CAS-1019 final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications(); if (authns.size() > 1) { if (!registeredService.isAllowedToProxy()) { final String message = String.format( "ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.", service.getId(), registeredService.toString()); logger.warn(message); throw new UnauthorizedProxyingException(message); } } if (credentials != null) { final Authentication current = this.authenticationManager.authenticate(credentials); final Authentication original = ticketGrantingTicket.getAuthentication(); if (!current.getPrincipal().equals(original.getPrincipal())) { throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal()); } ticketGrantingTicket.getSupplementalAuthentications().add(current); } // Perform security policy check by getting the authentication that satisfies the configured // policy // This throws if no suitable policy is found getAuthenticationSatisfiedByPolicy( ticketGrantingTicket, new ServiceContext(service, registeredService)); final String uniqueTicketIdGenKey = service.getClass().getName(); if (!this.uniqueTicketIdGeneratorsForService.containsKey(uniqueTicketIdGenKey)) { logger.warn( "Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator", uniqueTicketIdGenKey, service.getId()); throw new UnauthorizedSsoServiceException(); } final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey); final String generatedServiceTicketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX); logger.debug( "Generated service ticket id [{}] for ticket granting ticket [{}]", generatedServiceTicketId, ticketGrantingTicket.getId()); final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket( generatedServiceTicketId, service, this.serviceTicketExpirationPolicy, credentials != null); this.serviceTicketRegistry.addTicket(serviceTicket); if (logger.isInfoEnabled()) { final List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications(); final String formatString = "Granted %s ticket [%s] for service [%s] for user [%s]"; final String type; final String principalId = authentications.get(authentications.size() - 1).getPrincipal().getId(); if (authentications.size() == 1) { type = "service"; } else { type = "proxy"; } logger.info( String.format(formatString, type, serviceTicket.getId(), service.getId(), principalId)); } return serviceTicket.getId(); }
@Override protected ModelAndView handleRequestInternal( final HttpServletRequest request, final HttpServletResponse response) throws Exception { final HttpSession session = request.getSession(); // get cas login service ticket final String serviceTicketId = request.getParameter(OAuthConstants.TICKET); LOGGER.debug("{} : {}", OAuthConstants.TICKET, serviceTicketId); // first time this url is requested the login ticket will be a query parameter if (serviceTicketId != null) { // create the login ticket granting ticket final ServiceTicket serviceTicket = (ServiceTicket) ticketRegistry.getTicket(serviceTicketId); // login service ticket should be valid if (serviceTicket == null || serviceTicket.isExpired()) { LOGGER.error("Service Ticket expired : {}", serviceTicketId); return OAuthUtils.writeTextError( response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST); } final TicketGrantingTicket ticketGrantingTicket = serviceTicket.getGrantingTicket(); // remove login service ticket ticketRegistry.deleteTicket(serviceTicket.getId()); // store the login tgt id in the user's session, used to create service tickets for validation // and // oauth credentials later in the flow. session.setAttribute(OAuthConstants.OAUTH20_LOGIN_TICKET_ID, ticketGrantingTicket.getId()); // redirect back to self, clears the service ticket from the url, allows the url to be // requested multiple // times w/o error return OAuthUtils.redirectTo(request.getRequestURL().toString()); } // get cas login service ticket from the session String ticketGrantingTicketId = (String) session.getAttribute(OAuthConstants.OAUTH20_LOGIN_TICKET_ID); LOGGER.debug("{} : {}", OAuthConstants.TICKET, ticketGrantingTicketId); if (StringUtils.isBlank(ticketGrantingTicketId)) { LOGGER.error("Missing Ticket Granting Ticket"); return OAuthUtils.writeTextError( response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST); } // verify the login ticket granting ticket is still valid TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) ticketRegistry.getTicket(ticketGrantingTicketId); if (ticketGrantingTicket == null || ticketGrantingTicket.isExpired()) { LOGGER.error("Ticket Granting Ticket expired : {}", ticketGrantingTicketId); return OAuthUtils.writeTextError( response, OAuthConstants.INVALID_GRANT, HttpStatus.SC_BAD_REQUEST); } String callbackUrl = request .getRequestURL() .toString() .replace( "/" + OAuthConstants.CALLBACK_AUTHORIZE_URL, "/" + OAuthConstants.CALLBACK_AUTHORIZE_ACTION_URL); LOGGER.debug("{} : {}", OAuthConstants.CALLBACK_AUTHORIZE_ACTION_URL, callbackUrl); String allowCallbackUrl = OAuthUtils.addParameter( callbackUrl, OAuthConstants.OAUTH20_APPROVAL_PROMPT_ACTION, OAuthConstants.OAUTH20_APPROVAL_PROMPT_ACTION_ALLOW); final Map<String, Object> model = new HashMap<>(); model.put("callbackUrl", callbackUrl); final Boolean bypassApprovalPrompt = (Boolean) session.getAttribute(OAuthConstants.BYPASS_APPROVAL_PROMPT); LOGGER.debug("bypassApprovalPrompt : {}", bypassApprovalPrompt); if (bypassApprovalPrompt != null && bypassApprovalPrompt) { return OAuthUtils.redirectTo(allowCallbackUrl); } final String clientId = (String) session.getAttribute(OAuthConstants.OAUTH20_CLIENT_ID); LOGGER.debug("{} : {}", OAuthConstants.CLIENT_ID, clientId); final Principal loginPrincipal = ticketGrantingTicket.getAuthentication().getPrincipal(); final String approvalPrompt = (String) session.getAttribute(OAuthConstants.OAUTH20_APPROVAL_PROMPT); LOGGER.debug("approvalPrompt : {}", approvalPrompt); if (StringUtils.isBlank(approvalPrompt) || !approvalPrompt.equalsIgnoreCase(OAuthConstants.APPROVAL_PROMPT_FORCE)) { final TicketGrantingTicket refreshToken = OAuthTokenUtils.getRefreshToken(centralAuthenticationService, clientId, loginPrincipal); if (refreshToken != null) { return OAuthUtils.redirectTo(allowCallbackUrl); } } // retrieve service name from session final String serviceName = (String) session.getAttribute(OAuthConstants.OAUTH20_SERVICE_NAME); LOGGER.debug("serviceName : {}", serviceName); model.put("serviceName", serviceName); return new ModelAndView(OAuthConstants.CONFIRM_VIEW, model); }