/**
* Grants a service ticket for the given service, using the given TicketGrantingTicket. If no
* 'service' is specified, simply forward to message conveying generic success.
*
* @param request request
* @param response response
* @param t t
* @param serviceId serviceId
* @param first first
* @throws ServletException ServletException
* @throws IOException IOException
*/
private void grantForService(
final HttpServletRequest request,
final HttpServletResponse response,
final TicketGrantingTicket t,
final String serviceId,
final boolean first)
throws ServletException, IOException {
try {
String actualServiceId = serviceId != null ? serviceId : "http://www.lvmama.com/";
if (actualServiceId.contains("&")) {
// log("service=="+actualServiceId);
actualServiceId = actualServiceId.replaceAll("&", "&");
}
ServiceTicket st = new ServiceTicket(t, actualServiceId, first);
String token = stCache.addTicket(st);
request.setAttribute("serviceId", actualServiceId);
request.setAttribute("token", token);
if (!first) {
if (privacyRequested(request)) {
app.getRequestDispatcher(confirmService).forward(request, response);
} else {
request.setAttribute("first", "false");
Cookie unCookie = null;
Cookie[] cookies = request.getCookies();
if (null != cookies) {
for (int i = 0; i < cookies.length; i++) {
if (cookies[i].getName().equals("UN")) {
unCookie = cookies[i];
}
}
}
if (null == unCookie) {
unCookie = new Cookie("UN", null);
unCookie.setDomain(DomainConstant.DOMAIN);
unCookie.setMaxAge(
StringUtils.isNotEmpty(keepLogin)
? Integer.parseInt(app.getInitParameter("UNCookieTimeOut"))
: -1);
unCookie.setPath("/");
unCookie.setValue(
URLEncoder.encode(new String(InfoBase64Coding.decrypt(t.getUsername())), "UTF-8"));
response.addCookie(unCookie);
}
app.getRequestDispatcher(serviceSuccess).forward(request, response);
}
} else {
request.setAttribute("first", "true");
Cookie unCookie = null;
Cookie[] cookies = request.getCookies();
if (null != cookies) {
for (int i = 0; i < cookies.length; i++) {
if (cookies[i].getName().equals("UN")) {
unCookie = cookies[i];
}
}
}
if (null == unCookie) {
unCookie = new Cookie("UN", null);
unCookie.setDomain(DomainConstant.DOMAIN);
unCookie.setMaxAge(
StringUtils.isNotEmpty(keepLogin)
? Integer.parseInt(app.getInitParameter("UNCookieTimeOut"))
: -1);
unCookie.setPath("/");
unCookie.setValue(
URLEncoder.encode(new String(InfoBase64Coding.decrypt(t.getUsername())), "UTF-8"));
response.addCookie(unCookie);
}
app.getRequestDispatcher(serviceSuccess).forward(request, response);
}
} catch (TicketException ex) {
throw new ServletException(ex.toString());
}
}
/**
* doGet
*
* @param request request
* @param response response
* @throws ServletException ServletException
* @throws IOException IOException
*/
public void doGet(final HttpServletRequest request, final HttpServletResponse response)
throws ServletException, IOException {
// avoid caching (in the stupidly numerous ways we must)
// response.setHeader("Pragma", "no-cache");
// response.setHeader("Cache-Control", "no-store");
// response.setDateHeader("Expires", -1);
keepLogin = request.getParameter("keepLogin");
// check to see whether we've been sent a valid TGC
Cookie[] cookies = request.getCookies();
TicketGrantingTicket tgt = null;
if (cookies != null) {
for (int i = 0; i < cookies.length; i++) {
if (cookies[i].getName().equals(TGC_ID)) {
tgt = (TicketGrantingTicket) tgcCache.getTicket(cookies[i].getValue());
if (tgt == null) {
continue;
}
// unless RENEW is set, let the user through to the service.
// otherwise, fall through and we'll be handled by
// authentication
// below. Note that tgt is still active.
if (request.getParameter(RENEW) == null
&& null != ServletUtil.getSession(request, response, Constant.SESSION_FRONT_USER)) {
grantForService(request, response, tgt, request.getParameter(SERVICE), false);
return;
}
}
}
}
// if not, but if we're passed "gateway", then simply bounce back
if (request.getParameter(SERVICE) != null && request.getParameter(GATEWAY) != null) {
request.setAttribute("serviceId", request.getParameter(SERVICE));
app.getRequestDispatcher(redirect).forward(request, response);
return;
}
boolean needCheckVerifyCode = SSOUtil.needCheckVerifyCode(request);
// if not, then see if our AuthHandler can help
if (handler instanceof TrustHandler) {
// try to get a trusted username by interpreting the request
String trustedUsername = ((TrustHandler) handler).getUsername(request);
if (trustedUsername != null) {
// success: send a new TGC if we don't have a valid TGT from
// above
if (tgt == null) {
tgt = sendTgc(trustedUsername, request, response);
} else if (!tgt.getUsername().equals(trustedUsername)) {
// we're coming into a renew=true as a different user...
// expire the old tgt
tgt.expire();
// and send a new one
tgt = sendTgc(trustedUsername, request, response);
}
sendPrivacyCookie(request, response);
grantForService(request, response, tgt, request.getParameter(SERVICE), true);
return;
} else {
// failure: nothing else to be done
throw new ServletException("unable to authenticate user");
}
} else if (handler instanceof PasswordHandler
&& StringUtils.isNotBlank(request.getParameter("username"))
&& StringUtils.isNotBlank(request.getParameter("password"))
&& (!needCheckVerifyCode || StringUtils.isNotBlank(request.getParameter("verifycode")))
&& request.getParameter("lt") != null) {
if (!SSOUtil.checkLoginErrorCount(request)) {
// 同一个IP登录次数过于频繁
request.setAttribute("edu.yale.its.tp.cas.loginCount2many", "");
} else {
String userName = request.getParameter("username");
String password = request.getParameter("password");
String verifycode = request.getParameter("verifycode");
// 登录4位验证码检查
if (SSOUtil.needCheckVerifyCode(request)
&& !SSOUtil.checkKaptchaCode(request, verifycode, true)) {
// failure: record failed verifycode authentication
request.setAttribute("edu.yale.its.tp.cas.badVerifyCode", "");
}
// do we have a valid login ticket?
else if (ltCache.getTicket(request.getParameter("lt")) != null) {
// do we have a valid username and password?
UserUser user =
((PasswordHandler) handler)
.authenticate(request, response, userName, password, "Front");
if (null != user) {
// SSOUtil.clearLoginErrorCount(request);
// success: send a new TGC if we don't have a valid TGT from
// above
String tgtUsername = user.getUserName() + "^!^" + user.getUserNo();
if (tgt == null) {
tgt = sendTgc(tgtUsername, request, response);
} else if (!tgt.getUsername().equals(tgtUsername)) {
// we're coming into a renew=true as a different user...
// expire the old tgt
tgt.expire();
// and send a new one
tgt = sendTgc(tgtUsername, request, response);
}
// 用户邮箱未登记或者未验证的标识
if (StringUtils.isBlank(user.getEmail())) {
Cookie tck = new Cookie("EMV", "E");
// tck.setSecure(false);
tck.setMaxAge(-1);
tck.setDomain(DomainConstant.DOMAIN);
tck.setPath("/");
response.addCookie(tck);
}
if (StringUtils.isNotBlank(user.getEmail()) && !"Y".equals(user.getIsEmailChecked())) {
Cookie tck = new Cookie("EMV", "U");
// tck.setSecure(false);
tck.setMaxAge(-1);
tck.setDomain(DomainConstant.DOMAIN);
tck.setPath("/");
response.addCookie(tck);
}
sendPrivacyCookie(request, response);
grantForService(request, response, tgt, request.getParameter(SERVICE), true);
return;
} else {
SSOUtil.addLoginErrorCount(request);
// failure: record failed password authentication
request.setAttribute("edu.yale.its.tp.cas.badUsernameOrPassword", "");
request.setAttribute("userName", request.getParameter("username"));
}
} else {
SSOUtil.addLoginErrorCount(request);
// failure: record invalid login ticket
request.setAttribute("edu.yale.its.tp.cas.badLoginTicket", "");
// horrible way of logging, I know
}
}
}
// record the service in the request
request.setAttribute("edu.yale.its.tp.cas.service", request.getParameter(SERVICE));
// no success yet, so generate a login ticket and forward to the
// login form
try {
String lt = ltCache.addTicket();
request.setAttribute("edu.yale.its.tp.cas.lt", lt);
} catch (TicketException ex) {
throw new ServletException(ex);
}
request.setAttribute("needCheckVerifyCode", SSOUtil.needCheckVerifyCode(request));
app.getRequestDispatcher(loginForm).forward(request, response);
}
