@Override protected Event doExecute(final RequestContext context) throws Exception { final Service service = WebUtils.getService(context); // No service == plain /login request. Return success indicating transition to the login form if (service == null) { return success(); } final RegisteredService registeredService = this.servicesManager.findServiceBy(service); if (registeredService == null) { logger.warn( "Unauthorized Service Access for Service: [ {} ] - service is not defined in the service registry.", service.getId()); throw new UnauthorizedServiceException(); } else if (!registeredService.isEnabled()) { logger.warn( "Unauthorized Service Access for Service: [ {} ] - service is not enabled in the service registry.", service.getId()); if (registeredService instanceof RegisteredServiceWithAttributes) { String disabledServiceUrl = (String) RegisteredServiceWithAttributes.class .cast(registeredService) .getExtraAttributes() .get(DISABLED_SERVICE_URL_ATTRIBUTE); if (disabledServiceUrl != null) { context.getRequestScope().put(DISABLED_SERVICE_URL_ATTRIBUTE, disabledServiceUrl); return no(); } } throw new UnauthorizedServiceException(); } return success(); }
/** * Normalize the path of a service by removing the query string and everything after a semi-colon. * * @param service the service to normalize * @return the normalized path */ private static String normalizePath(final Service service) { String path = service.getId(); path = StringUtils.substringBefore(path, "?"); path = StringUtils.substringBefore(path, ";"); path = StringUtils.substringBefore(path, "#"); return path; }
@Override protected Event doExecute(final RequestContext context) throws Exception { final Service service = WebUtils.getService(context); if (service == null) { logger.debug("No service found in the request context, so resuming normally."); return success(); } final RegisteredService registeredService = this.servicesManager.findServiceBy(service); if (registeredService == null) { logger.warn( "Unauthorized Service Access for Service: [{}] - service is not defined in the service registry.", service.getId()); throw new UnauthorizedServiceException(); } if (!registeredService.isEnabled()) { logger.warn( "Unauthorized Service Access for Service: [{}] - service is not enabled in the service registry.", service.getId()); throw new UnauthorizedServiceException(); } if (registeredService instanceof RegisteredServiceWithAttributes) { final RegisteredServiceWithAttributes regSvcWithAttr = RegisteredServiceWithAttributes.class.cast(registeredService); final String redirectToUrl = (String) regSvcWithAttr.getExtraAttributes().get(REDIRECT_TO_URL_ATTRIBUTE); if (redirectToUrl != null && this.redirectionAdvisor.shouldRedirectServiceRequest( context, regSvcWithAttr, redirectToUrl)) { logger.info("Redirecting to url [{}] for service [{}]", redirectToUrl, service.getId()); context.getRequestScope().put(REDIRECT_TO_URL_ATTRIBUTE, redirectToUrl); return yes(); } } logger.debug( "No redirect url is configured, or redirection for service [{}] is not needed", service.getId()); return success(); }
@Override protected Event doExecute(final RequestContext context) throws Exception { final Service service = WebUtils.getService(context); final boolean match = this.servicesManager.matchesExistingService(service); if (match) { return success(); } throw new UnauthorizedServiceException( String.format("Service [%s] is not authorized to use CAS.", service.getId())); }
/** * Ensure that the service is found and enabled in the service registry. * * @param registeredService the located entry in the registry * @param service authenticating service * @throws UnauthorizedServiceException */ private void verifyRegisteredServiceProperties( final RegisteredService registeredService, final Service service) { if (registeredService == null) { final String msg = String.format( "ServiceManagement: Unauthorized Service Access. " + "Service [%s] is not found in service registry.", service.getId()); logger.warn(msg); throw new UnauthorizedServiceException( UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) { final String msg = String.format( "ServiceManagement: Unauthorized Service Access. " + "Service [%s] is not enabled in service registry.", service.getId()); logger.warn(msg); throw new UnauthorizedServiceException( UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, msg); } }
@Override protected void prepareResponse(final Response response, final Map<String, Object> model) { final DateTime issuedAt = response.getIssueInstant(); final Service service = getAssertionFrom(model).getService(); final Authentication authentication = getPrimaryAuthenticationFrom(model); final String authenticationMethod = (String) authentication .getAttributes() .get(SamlAuthenticationMetaDataPopulator.ATTRIBUTE_AUTHENTICATION_METHOD); final AuthenticationStatement authnStatement = this.samlObjectBuilder.newAuthenticationStatement( authentication.getAuthenticationDate(), authenticationMethod, getPrincipal(model).getId()); final Assertion assertion = this.samlObjectBuilder.newAssertion( authnStatement, this.issuer, issuedAt, this.samlObjectBuilder.generateSecureRandomId()); final Conditions conditions = this.samlObjectBuilder.newConditions(issuedAt, service.getId(), this.issueLength); assertion.setConditions(conditions); final Subject subject = this.samlObjectBuilder.newSubject(getPrincipal(model).getId()); final Map<String, Object> attributesToSend = prepareSamlAttributes(model, service); if (!attributesToSend.isEmpty()) { assertion .getAttributeStatements() .add( this.samlObjectBuilder.newAttributeStatement( subject, attributesToSend, VALIDATION_SAML_ATTRIBUTE_NAMESPACE)); } response.setStatus(this.samlObjectBuilder.newStatus(StatusCode.SUCCESS, null)); response.getAssertions().add(assertion); }
@Test public void verifyValidServiceTicketAndPgtUrlMismatch() throws Exception { final TicketGrantingTicket tId = getCentralAuthenticationService() .createTicketGrantingTicket(TestUtils.getCredentialsWithSameUsernameAndPassword()); final Service svc = TestUtils.getService("proxyService"); final ServiceTicket sId = getCentralAuthenticationService().grantServiceTicket(tId.getId(), svc); final MockHttpServletRequest request = new MockHttpServletRequest(); request.addParameter("service", svc.getId()); request.addParameter("ticket", sId.getId()); request.addParameter("pgtUrl", "http://www.github.com"); final ModelAndView modelAndView = this.serviceValidateController.handleRequestInternal( request, new MockHttpServletResponse()); assertEquals( ServiceValidateController.DEFAULT_SERVICE_FAILURE_VIEW_NAME, modelAndView.getViewName()); assertNull(modelAndView.getModel().get("pgtIou")); }
@Audit( action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER") @Timed(name = "GRANT_SERVICE_TICKET_TIMER") @Metered(name = "GRANT_SERVICE_TICKET_METER") @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true) @Transactional(readOnly = false) @Override public ServiceTicket grantServiceTicket( final String ticketGrantingTicketId, final Service service, final Credential... credentials) throws AuthenticationException, TicketException { final TicketGrantingTicket ticketGrantingTicket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class); final RegisteredService registeredService = this.servicesManager.findServiceBy(service); verifyRegisteredServiceProperties(registeredService, service); final Set<Credential> sanitizedCredentials = sanitizeCredentials(credentials); Authentication currentAuthentication = null; if (sanitizedCredentials.size() > 0) { currentAuthentication = this.authenticationManager.authenticate( sanitizedCredentials.toArray(new Credential[] {})); final Authentication original = ticketGrantingTicket.getAuthentication(); if (!currentAuthentication.getPrincipal().equals(original.getPrincipal())) { throw new MixedPrincipalException( currentAuthentication, currentAuthentication.getPrincipal(), original.getPrincipal()); } ticketGrantingTicket.getSupplementalAuthentications().add(currentAuthentication); } if (currentAuthentication == null && !registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) { logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId()); throw new UnauthorizedSsoServiceException(); } final Service proxiedBy = ticketGrantingTicket.getProxiedBy(); if (proxiedBy != null) { logger.debug( "TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId()); final RegisteredService proxyingService = servicesManager.findServiceBy(proxiedBy); if (proxyingService != null) { logger.debug("Located proxying service [{}] in the service registry", proxyingService); if (!proxyingService.getProxyPolicy().isAllowedToProxy()) { logger.warn( "Found proxying service {}, but it is not authorized to fulfill the proxy attempt made by {}", proxyingService.getId(), service.getId()); throw new UnauthorizedProxyingException( "Proxying is not allowed for registered service " + registeredService.getId()); } } else { logger.warn( "No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.", service.getId(), registeredService.getId()); throw new UnauthorizedProxyingException( "Proxying is not allowed for registered service " + registeredService.getId()); } } else { logger.trace("TGT is not proxied by another service"); } // Perform security policy check by getting the authentication that satisfies the configured // policy // This throws if no suitable policy is found getAuthenticationSatisfiedByPolicy( ticketGrantingTicket, new ServiceContext(service, registeredService)); final List<Authentication> authentications = ticketGrantingTicket.getChainedAuthentications(); final Principal principal = authentications.get(authentications.size() - 1).getPrincipal(); final Map<String, Object> principalAttrs = registeredService.getAttributeReleasePolicy().getAttributes(principal); if (!registeredService .getAccessStrategy() .doPrincipalAttributesAllowServiceAccess(principalAttrs)) { logger.warn( "ServiceManagement: Cannot grant service ticket because Service [{}] is not authorized for use by [{}].", service.getId(), principal); throw new UnauthorizedServiceForPrincipalException(); } final String uniqueTicketIdGenKey = service.getClass().getName(); logger.debug("Looking up service ticket id generator for [{}]", uniqueTicketIdGenKey); UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey); if (serviceTicketUniqueTicketIdGenerator == null) { serviceTicketUniqueTicketIdGenerator = this.defaultServiceTicketIdGenerator; logger.debug( "Service ticket id generator not found for [{}]. Using the default generator...", uniqueTicketIdGenKey); } final String ticketPrefix = authentications.size() == 1 ? ServiceTicket.PREFIX : ServiceTicket.PROXY_TICKET_PREFIX; final String ticketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ticketPrefix); final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket( ticketId, service, this.serviceTicketExpirationPolicy, currentAuthentication != null); this.serviceTicketRegistry.addTicket(serviceTicket); logger.info( "Granted ticket [{}] for service [{}] for user [{}]", serviceTicket.getId(), service.getId(), principal.getId()); return serviceTicket; }
public boolean matches(final Service service) { if (servicePattern == null) { servicePattern = createPattern(serviceId); } return service != null && servicePattern.matcher(service.getId()).matches(); }
@Override protected void renderMergedOutputModel( final Map model, final HttpServletRequest request, final HttpServletResponse response) throws Exception { try { final Assertion assertion = getAssertionFrom(model); final Authentication authentication = assertion.getChainedAuthentications().get(0); final Date currentDate = new Date(); final String authenticationMethod = (String) authentication .getAttributes() .get(SamlAuthenticationMetaDataPopulator.ATTRIBUTE_AUTHENTICATION_METHOD); final Service service = assertion.getService(); final SAMLResponse samlResponse = new SAMLResponse(null, service.getId(), new ArrayList<Object>(), null); final boolean isRemembered = (authentication .getAttributes() .get(RememberMeCredentials.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME) == Boolean.TRUE && !assertion.isFromNewLogin()); samlResponse.setIssueInstant(currentDate); // this should be true, but we never enforced it, so we need to check to be safe if (service instanceof SamlService) { final SamlService samlService = (SamlService) service; if (samlService.getRequestID() != null) { samlResponse.setInResponseTo(samlService.getRequestID()); } } final SAMLAssertion samlAssertion = new SAMLAssertion(); samlAssertion.setIssueInstant(currentDate); samlAssertion.setIssuer(this.issuer); samlAssertion.setNotBefore(currentDate); samlAssertion.setNotOnOrAfter(new Date(currentDate.getTime() + this.issueLength)); final SAMLAudienceRestrictionCondition samlAudienceRestrictionCondition = new SAMLAudienceRestrictionCondition(); samlAudienceRestrictionCondition.addAudience(service.getId()); final SAMLAuthenticationStatement samlAuthenticationStatement = new SAMLAuthenticationStatement(); samlAuthenticationStatement.setAuthInstant(authentication.getAuthenticatedDate()); samlAuthenticationStatement.setAuthMethod( authenticationMethod != null ? authenticationMethod : SAMLAuthenticationStatement.AuthenticationMethod_Unspecified); samlAuthenticationStatement.setSubject(getSamlSubject(authentication)); if (!authentication.getPrincipal().getAttributes().isEmpty() || isRemembered) { final SAMLAttributeStatement attributeStatement = new SAMLAttributeStatement(); attributeStatement.setSubject(getSamlSubject(authentication)); samlAssertion.addStatement(attributeStatement); for (final Entry<String, Object> e : authentication.getPrincipal().getAttributes().entrySet()) { final SAMLAttribute attribute = new SAMLAttribute(); attribute.setName(e.getKey()); attribute.setNamespace(NAMESPACE); if (e.getValue() instanceof Collection<?>) { final Collection<?> c = (Collection<?>) e.getValue(); if (c.isEmpty()) { // 100323 bnoordhuis: don't add the attribute, it causes a // org.opensaml.MalformedException continue; } attribute.setValues(c); } else { attribute.addValue(e.getValue()); } attributeStatement.addAttribute(attribute); } if (isRemembered) { final SAMLAttribute attribute = new SAMLAttribute(); attribute.setName(REMEMBER_ME_ATTRIBUTE_NAME); attribute.setNamespace(NAMESPACE); attribute.addValue(true); attributeStatement.addAttribute(attribute); } } samlAssertion.addStatement(samlAuthenticationStatement); samlAssertion.addCondition(samlAudienceRestrictionCondition); samlResponse.addAssertion(samlAssertion); final String xmlResponse = samlResponse.toString(); response.setContentType("text/xml; charset=" + this.encoding); response.getWriter().print("<?xml version=\"1.0\" encoding=\"" + this.encoding + "\"?>"); response .getWriter() .print( "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Header/><SOAP-ENV:Body>"); response.getWriter().print(xmlResponse); response.getWriter().print("</SOAP-ENV:Body></SOAP-ENV:Envelope>"); response.flushBuffer(); } catch (final Exception e) { log.error(e.getMessage(), e); throw e; } }
@Audit( action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER") @Profiled(tag = "GRANT_SERVICE_TICKET", logFailuresSeparately = false) @Transactional(readOnly = false) @Override public String grantServiceTicket( final String ticketGrantingTicketId, final Service service, final Credential... credentials) throws AuthenticationException, TicketException { Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null"); Assert.notNull(service, "service cannot be null"); final TicketGrantingTicket ticketGrantingTicket = this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class); if (ticketGrantingTicket == null) { logger.debug( "TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId); throw new InvalidTicketException(ticketGrantingTicketId); } synchronized (ticketGrantingTicket) { if (ticketGrantingTicket.isExpired()) { this.ticketRegistry.deleteTicket(ticketGrantingTicketId); logger.debug( "TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.", ticketGrantingTicketId); throw new InvalidTicketException(ticketGrantingTicketId); } } final RegisteredService registeredService = this.servicesManager.findServiceBy(service); verifyRegisteredServiceProperties(registeredService, service); if (!registeredService.isSsoEnabled() && credentials == null && ticketGrantingTicket.getCountOfUses() > 0) { logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId()); throw new UnauthorizedSsoServiceException(); } // CAS-1019 final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications(); if (authns.size() > 1) { if (!registeredService.isAllowedToProxy()) { final String message = String.format( "ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.", service.getId(), registeredService.toString()); logger.warn(message); throw new UnauthorizedProxyingException(message); } } if (credentials != null) { final Authentication current = this.authenticationManager.authenticate(credentials); final Authentication original = ticketGrantingTicket.getAuthentication(); if (!current.getPrincipal().equals(original.getPrincipal())) { throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal()); } ticketGrantingTicket.getSupplementalAuthentications().add(current); } // Perform security policy check by getting the authentication that satisfies the configured // policy // This throws if no suitable policy is found getAuthenticationSatisfiedByPolicy( ticketGrantingTicket, new ServiceContext(service, registeredService)); final String uniqueTicketIdGenKey = service.getClass().getName(); if (!this.uniqueTicketIdGeneratorsForService.containsKey(uniqueTicketIdGenKey)) { logger.warn( "Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator", uniqueTicketIdGenKey, service.getId()); throw new UnauthorizedSsoServiceException(); } final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey); final String generatedServiceTicketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX); logger.debug( "Generated service ticket id [{}] for ticket granting ticket [{}]", generatedServiceTicketId, ticketGrantingTicket.getId()); final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket( generatedServiceTicketId, service, this.serviceTicketExpirationPolicy, credentials != null); this.serviceTicketRegistry.addTicket(serviceTicket); if (logger.isInfoEnabled()) { final List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications(); final String formatString = "Granted %s ticket [%s] for service [%s] for user [%s]"; final String type; final String principalId = authentications.get(authentications.size() - 1).getPrincipal().getId(); if (authentications.size() == 1) { type = "service"; } else { type = "proxy"; } logger.info( String.format(formatString, type, serviceTicket.getId(), service.getId(), principalId)); } return serviceTicket.getId(); }
public boolean matches(final Service service) { return service != null && PATH_MATCHER.match(this.serviceId.toLowerCase(), service.getId().toLowerCase()); }