org.jasig.cas.client.validation.Assertion Java Examples

Example #1
Source File: CasAuthenticationUserDetailsService.java    From lemon with Apache License 2.0 6 votes vote down vote up
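/**
 * Pushes the CAS-authenticated principal to the user store through {@code userSyncConnector}.
 *
 * <p>The principal name is used as both the reference and the username. The display name and
 * nickname come from the {@code nickName} attribute released by CAS, falling back to the
 * principal name when that attribute is absent or is not a plain string.
 *
 * @param assertion validated CAS assertion carrying the principal and its attributes
 */
public void updateUserInfo(Assertion assertion) {
    String username = assertion.getPrincipal().getName();

    // Attribute values are typed Object and a multi-valued attribute can arrive as a List;
    // the original blind (String) cast would then fail the login with a ClassCastException.
    Object rawNickName = assertion.getPrincipal().getAttributes().get("nickName");
    String nickName = (rawNickName instanceof String) ? (String) rawNickName : null;

    if (nickName == null) {
        nickName = username;
    }

    // NOTE(review): nickName is controlled by the identity provider's attribute source;
    // presumably it is output-encoded wherever the display name is rendered — confirm.
    UserDTO userDto = new UserDTO();
    userDto.setRef(username);
    userDto.setUsername(username);
    userDto.setDisplayName(nickName);
    userDto.setNickName(nickName);
    userSyncConnector.updateUser(userDto);
}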
 
Example #2
Source File: IndexController.java    From CAS with Apache License 2.0 6 votes vote down vote up
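/**
 * Completes the local login once a validated CAS assertion is present in the session.
 *
 * <p>Looks up the CAS principal through {@code userService}, stores the local user in the
 * session under {@code WebSecurityConfig.SESSION_LOGIN} and redirects the browser to the
 * front end. Nothing is written to the response when the session has no assertion or the
 * principal has no local user.
 *
 * @throws IOException if the redirect cannot be sent
 */
@RequestMapping(value = "/caslogin", method = RequestMethod.GET)
public void caslogin() throws IOException {
    HttpSession session = request.getSession();
    Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    if (assertion == null) {
        return;
    }

    // Name of the user that CAS authenticated.
    String username = assertion.getPrincipal().getName();
    System.out.println("user ---------> " + username);

    User temp = userService.findByUsername(username);
    if (temp == null) {
        // Known to CAS but not locally. The original printed temp.getUsername() before its
        // null check and therefore failed here with a NullPointerException.
        return;
    }
    System.out.println("TEMP user ---------> " + (temp.getUsername()));

    session.setAttribute(WebSecurityConfig.SESSION_LOGIN, temp);

    // The session id is a bearer credential: it is no longer printed to stdout and is not
    // appended to the redirect URL. The front end is reached through the nginx proxy instead.
    // NOTE(review): the session id is not changed when the user is bound to the session, and
    // the redirect target is plain http — confirm both are acceptable for this deployment.
    response.sendRedirect("http://nginx.anumbrella.net:81/home");
}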
 
Example #3
Source File: WebSecurityConfig.java    From CAS with Apache License 2.0 6 votes vote down vote up
/**
 * Admits a request only when its existing session already holds a logged-in user.
 *
 * <p>Answers 401 and stops the handler chain when there is no session or the session has no
 * {@code SESSION_LOGIN} attribute. The CAS assertion is read for diagnostics only; it does not
 * influence the decision.
 *
 * @return {@code true} to continue with the handler, {@code false} after setting 401
 */
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
    // getSession(false): an anonymous request must not cause a session to be created.
    final HttpSession existing = request.getSession(false);
    if (existing == null) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    System.out.println("requst path " + request.getServletPath());

    final Assertion casAssertion = (Assertion) existing.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    if (casAssertion != null) {
        System.out.println("cas user ---------> " + casAssertion.getPrincipal().getName());
    }

    final User loggedIn = (User) existing.getAttribute(SESSION_LOGIN);
    final boolean anonymous = loggedIn == null;
    System.out.println("security session = null ---------> " + anonymous);

    if (anonymous) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
    return true;
}
 
Example #4
Source File: WebSecurityConfig.java    From CAS with Apache License 2.0 6 votes vote down vote up
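/**
 * Admits a request when the session holds {@code SESSION_KEY}; otherwise redirects to the
 * login page.
 *
 * <p>The CAS assertion is read only to print the login name and does not affect the decision.
 *
 * @return {@code true} to continue with the handler, {@code false} after redirecting
 * @throws IOException if the redirect cannot be sent
 */
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
    HttpSession session = request.getSession();

    // Object handed back by CAS and kept in the session; the session key is _const_cas_assertion_.
    Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);

    // A request that has not been through CAS has no assertion. The original dereferenced it
    // unconditionally, so such a request got a NullPointerException instead of the redirect.
    if (assertion != null) {
        String loginName = assertion.getPrincipal().getName();
        System.out.printf("登录用户名:%s\r\n", loginName);
    }

    // A session that already carries a logged-in user passes.
    if (session.getAttribute(SESSION_KEY) != null) {
        return true;
    }

    // Everything else goes to the login page.
    String url = "/login";
    response.sendRedirect(url);
    return false;
}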
 
Example #5
Source File: WebSecurityConfig.java    From CAS with Apache License 2.0 6 votes vote down vote up
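/**
 * Lets the request continue when the session holds {@code SESSION_KEY}, and redirects to
 * {@code /login} otherwise.
 *
 * <p>The CAS assertion is used only to print the login name; the access decision rests on
 * {@code SESSION_KEY} alone.
 *
 * @return {@code true} to continue with the handler, {@code false} after redirecting
 * @throws IOException if the redirect cannot be sent
 */
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
    HttpSession session = request.getSession();

    // The CAS client keeps the assertion in the session under _const_cas_assertion_.
    Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);

    // Guard added: without an assertion the original threw a NullPointerException here, so an
    // unauthenticated request failed with an error rather than reaching the login redirect.
    if (assertion != null) {
        String loginName = assertion.getPrincipal().getName();
        System.out.printf("登录用户名:%s\r\n", loginName);
    }

    // Already logged in for this session.
    if (session.getAttribute(SESSION_KEY) != null) {
        return true;
    }

    // Not logged in: send the browser to the login page.
    String url = "/login";
    response.sendRedirect(url);
    return false;
}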
 
Example #6
Source File: CasSsoService3.java    From Knowage-Server with GNU Affero General Public License v3.0 6 votes vote down vote up
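/**
 * Requests a CAS proxy ticket for the filter-receipt URL of the configured server.
 *
 * <p>The target URL is the configured server URL followed by the {@code FILTER_RECEIPT}
 * value from the engine configuration. The ticket is requested through the principal of the
 * CAS assertion held in the session.
 *
 * @param session HTTP session expected to hold the CAS assertion
 *
 * @return the proxy ticket as returned by the CAS principal
 *
 * @throws IOException if the session holds no CAS assertion, or an I/O error occurs
 */
public String readTicket(HttpSession session) throws IOException{
    logger.debug("IN");
    String ticket=null;
    String spagoBiServerURL = EnginConf.getInstance().getSpagoBiServerUrl();
    logger.debug("Read spagoBiServerURL=" + spagoBiServerURL);
    SourceBean engineConfig = EnginConf.getInstance().getConfig();
    SourceBean sourceBeanConf = (SourceBean) engineConfig.getAttribute("FILTER_RECEIPT");
    String filterReceipt = (String) sourceBeanConf.getCharacters();
    logger.debug("Read filterReceipt=" + filterReceipt);
    filterReceipt = spagoBiServerURL + filterReceipt;

    Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    if (assertion == null) {
        // The original dereferenced a missing assertion and failed with a NullPointerException;
        // report the real cause through the exception type this method already declares.
        throw new IOException("No CAS assertion in session; cannot request a proxy ticket");
    }
    ticket=assertion.getPrincipal().getProxyTicketFor(filterReceipt);

    // A proxy ticket is a credential for the target service, so its value stays out of the log.
    logger.debug("OUT.ticket obtained=" + (ticket != null));
    return ticket;
}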
 
Example #7
Source File: CasSsoService5.java    From Knowage-Server with GNU Affero General Public License v3.0 6 votes vote down vote up
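/**
 * Returns a JWT identifying the CAS-authenticated user of the current session.
 *
 * <p>When the session holds no CAS assertion the call is delegated to the superclass.
 * Otherwise the CAS principal name is turned into a token by
 * {@code JWTSsoService.userId2jwtToken} with an expiry ten hours from now.
 *
 * @param request current request; its session is read for the CAS assertion
 * @return the JWT, or whatever the superclass returns when there is no assertion
 */
public String readUserIdentifier(HttpServletRequest request){
    HttpSession session=request.getSession();
    Assertion assertion = (Assertion) session.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    if (assertion == null) {
        return super.readUserIdentifier(request);
    }
    String userInSession=assertion.getPrincipal().getName();
    logger.debug("CAS user in HttpSession:"+userInSession);

    Calendar calendar = Calendar.getInstance();
    calendar.add(Calendar.HOUR, 10);
    Date expiresAt = calendar.getTime();

    String jwtToken = JWTSsoService.userId2jwtToken(userInSession, expiresAt);
    // The token is a bearer credential until expiresAt. The original wrote its value to the
    // debug log, where anyone with log access could reuse it; only the issuance is logged now.
    logger.debug("JWT token issued for CAS user, expires at " + expiresAt);

    return jwtToken;
}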
 
Example #8
Source File: ShibcasAuthServlet.java    From shib-cas-authn3 with Apache License 2.0 6 votes vote down vote up
/**
 * Validates a CAS ticket and passes the resulting assertion to every configured translator,
 * then returns control to the external-authentication flow.
 *
 * <p>Any exception raised during validation or translation is logged and reported to the flow
 * as the error {@code "InvalidTicket"}; the flow is finished in both the success and the
 * failure case.
 *
 * @param ticket ticket value to validate
 * @param authenticationKey key identifying the external-authentication conversation
 * @param force forwarded to the validator as its renew flag
 */
private void validatevalidateCasTicket(final HttpServletRequest request, final HttpServletResponse response, final String ticket,
                                       final String authenticationKey, final boolean force) throws ExternalAuthenticationException, IOException {
    try {
        ticketValidator.setRenew(force);
        final String service = constructServiceUrl(request, response, true);
        // NOTE(review): the ticket value is written to the debug log here and, on failure,
        // into the exception message logged at error level — confirm log access is restricted.
        logger.debug("validating ticket: {} with service url: {}", ticket, service);

        final Assertion validated = ticketValidator.validate(ticket, service);
        if (validated == null) {
            throw new TicketValidationException("Validation failed. Assertion could not be retrieved for ticket " + ticket);
        }

        for (final CasToShibTranslator translator : translators) {
            translator.doTranslation(request, response, validated, authenticationKey);
        }
    } catch (final Exception failure) {
        // NOTE(review): a translator that throws after an earlier one has already set a
        // principal leaves both the principal and the error attribute on the request —
        // confirm the flow gives the error attribute precedence.
        logger.error("Ticket validation failed, returning InvalidTicket", failure);
        request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, "InvalidTicket");
    }
    ExternalAuthentication.finishExternalAuthentication(authenticationKey, request, response);
}
 
Example #9
Source File: ShibcasAuthServlet.java    From shib-cas-authn3 with Apache License 2.0 6 votes vote down vote up
/**
 * Runs ticket validation, feeds the assertion to each translator in {@code translators}, and
 * finishes the external-authentication flow.
 *
 * <p>Failures of any kind inside the try block are logged and surfaced to the flow as
 * {@code "InvalidTicket"}; {@code finishExternalAuthentication} is called either way.
 *
 * @param ticket ticket value to validate
 * @param authenticationKey key of the external-authentication conversation
 * @param force passed to the validator's renew setting
 */
private void validatevalidateCasTicket(final HttpServletRequest request, final HttpServletResponse response, final String ticket,
                                       final String authenticationKey, final boolean force) throws ExternalAuthenticationException, IOException {
    try {
        ticketValidator.setRenew(force);
        final String validationUrl = constructServiceUrl(request, response, true);
        // NOTE(review): the raw ticket appears in this debug line and in the failure message
        // below — confirm that is acceptable for the log retention in use.
        logger.debug("validating ticket: {} with service url: {}", ticket, validationUrl);

        final Assertion casAssertion = ticketValidator.validate(ticket, validationUrl);
        if (casAssertion == null) {
            throw new TicketValidationException("Validation failed. Assertion could not be retrieved for ticket " + ticket);
        }

        for (final CasToShibTranslator step : translators) {
            step.doTranslation(request, response, casAssertion, authenticationKey);
        }
    } catch (final Exception cause) {
        // The catch is deliberately broad in the original: translator errors are reported the
        // same way as a rejected ticket.
        logger.error("Ticket validation failed, returning InvalidTicket", cause);
        request.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, "InvalidTicket");
    }
    ExternalAuthentication.finishExternalAuthentication(authenticationKey, request, response);
}
 
Example #10
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * doGet with both the forced and passive flags set to "true": the principal name from the
 * stubbed assertion must be set on the request.
 */
@Test
public void testDoGetPassiveAndForced() throws Exception {
    // Request/response doubles and a canned assertion from the test helpers.
    final HttpServletRequest mockRequest = createDoGetHttpServletRequest(CONVERSATION_TICKET_GATEWAY_ATTEMPTED, TICKET, "true");
    final HttpServletResponse mockResponse = createMockHttpServletResponse();
    final Assertion cannedAssertion = createMockAssertion();

    // Validator stub: the expected ticket/URL pair yields the canned assertion.
    final Cas20ServiceTicketValidator stubValidator = PowerMockito.mock(Cas30ServiceTicketValidator.class);
    PowerMockito.when(stubValidator.validate(TICKET, URL_WITH_CONVERSATION_GATEWAY_ATTEMPTED)).thenReturn(cannedAssertion);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(mockRequest)).willReturn(E1S1);

    // Servlet under test, with its validator field replaced so no real server is called.
    final ShibcasAuthServlet servletUnderTest = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servletUnderTest, stubValidator);

    // Forced and passive together.
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("true");
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("true");
    servletUnderTest.doGet(mockRequest, mockResponse);

    // The principal name must have been handed over on the request.
    verify(mockRequest).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #11
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * doGet for a passive, non-forced request whose conversation already carries
 * {@code gatewayAttempted=true}: the principal name must be set on the request.
 */
@Test
public void testDoGetPassiveAuthenticated() throws Exception {
    // Request/response doubles and a canned assertion from the test helpers.
    final HttpServletRequest mockRequest = createDoGetHttpServletRequest(CONVERSATION_TICKET + "&gatewayAttempted=true", TICKET, "true");
    final HttpServletResponse mockResponse = createMockHttpServletResponse();
    final Assertion cannedAssertion = createMockAssertion();

    // Validator stub: the expected ticket/URL pair yields the canned assertion.
    final Cas20ServiceTicketValidator stubValidator = PowerMockito.mock(Cas20ServiceTicketValidator.class);
    PowerMockito.when(stubValidator.validate(TICKET, URL_WITH_CONVERSATION_GATEWAY_ATTEMPTED)).thenReturn(cannedAssertion);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(mockRequest)).willReturn(E1S1);

    // Servlet under test, with its validator field replaced so no real server is called.
    final ShibcasAuthServlet servletUnderTest = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servletUnderTest, stubValidator);

    // Passive only.
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("false");
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("true");
    servletUnderTest.doGet(mockRequest, mockResponse);

    // The principal name must have been handed over on the request.
    verify(mockRequest).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #12
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a Mockito {@code Assertion} whose principal reports the name {@code JDOE}.
 *
 * @return the stubbed assertion
 */
private Assertion createMockAssertion() {
    final AttributePrincipal principalStub = Mockito.mock(AttributePrincipal.class);
    BDDMockito.given(principalStub.getName()).willReturn(JDOE);

    final Assertion assertionStub = Mockito.mock(Assertion.class);
    BDDMockito.given(assertionStub.getPrincipal()).willReturn(principalStub);

    return assertionStub;
}
 
Example #13
Source File: CasUserDetailsService.java    From kylin with Apache License 2.0 5 votes vote down vote up
/**
 * Resolves the local user for a CAS assertion, creating the user on first login.
 *
 * @param assertion validated CAS assertion
 * @return the user as stored by {@code KylinUserManager} after the optional creation
 * @throws CredentialsExpiredException if {@code assertion} is {@code null}
 */
@Override
protected UserDetails loadUserDetails(Assertion assertion) {
    if (assertion == null) {
        throw new CredentialsExpiredException("bad assertion");
    }

    final ManagedUser casUser = parseUserDetails(assertion);
    final KylinUserManager userManager = KylinUserManager.getInstance(KylinConfig.getInstanceFromEnv());

    // First login: store the user built from the assertion.
    // NOTE(review): every principal that CAS vouches for gets a local account here —
    // confirm that the CAS service is restricted to the intended user population.
    if (userManager.get(casUser.getUsername()) == null) {
        userManager.update(casUser);
    }

    // Return the stored record rather than the freshly parsed one.
    return userManager.get(casUser.getUsername());
}
 
Example #14
Source File: CasUserDetailsService.java    From kylin with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a {@code ManagedUser} from the CAS principal name and the configured default
 * authorities.
 *
 * <p>No attribute of the assertion other than the principal name is used; the password slot is
 * filled with {@code NON_EXISTENT_PASSWORD_VALUE}.
 *
 * @param assertion validated CAS assertion
 * @return the new user object; it is not stored by this method
 */
protected ManagedUser parseUserDetails(Assertion assertion) {
    final AttributePrincipal casPrincipal = assertion.getPrincipal();

    // Every user created this way receives the same authorities, one per default entry.
    final List<GrantedAuthority> authorities =
            Stream.of(defaultAuthorities).map(SimpleGrantedAuthority::new).collect(Collectors.toList());

    final String casUsername = casPrincipal.getName();
    return new ManagedUser(casUsername, NON_EXISTENT_PASSWORD_VALUE, true, authorities);
}
 
Example #15
Source File: AuthenticatedNameTranslator.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Hands the CAS principal over to the IdP through request attributes.
 *
 * <p>When CAS released no attributes, only the principal name is set under
 * {@code PRINCIPAL_NAME_KEY}. Otherwise a {@code Subject} holding the assertion attributes,
 * the principal attributes and a {@code UsernamePrincipal} is set under {@code SUBJECT_KEY}.
 * A missing assertion or principal is logged and nothing is set.
 */
@Override
public void doTranslation(final HttpServletRequest request, final HttpServletResponse response,
                          final Assertion assertion, final String authenticationKey) {
    if (assertion == null || assertion.getPrincipal() == null) {
        logger.error("No valid assertion or principal could be found to translate");
        return;
    }

    final AttributePrincipal principal = assertion.getPrincipal();
    logger.debug("principalName found and being passed on: {}", principal.getName());

    // Attributes can sit on the assertion itself and on its principal; both are converted.
    final Collection<IdPAttributePrincipal> fromAssertion = produceIdpAttributePrincipal(assertion.getAttributes());
    final Collection<IdPAttributePrincipal> fromPrincipal = produceIdpAttributePrincipal(principal.getAttributes());

    if (fromAssertion.isEmpty() && fromPrincipal.isEmpty()) {
        logger.debug("No attributes released from CAS. Creating an IdP principal for {}", principal.getName());
        request.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, principal.getName());
        return;
    }

    logger.debug("Found attributes from CAS. Processing...");
    final Set<Principal> subjectPrincipals = new HashSet<>();
    subjectPrincipals.addAll(fromAssertion);
    subjectPrincipals.addAll(fromPrincipal);
    subjectPrincipals.add(new UsernamePrincipal(principal.getName()));

    // Subject that is not read-only and carries no public or private credentials.
    final Subject idpSubject = new Subject(false, subjectPrincipals,
        Collections.emptySet(), Collections.emptySet());
    request.setAttribute(ExternalAuthentication.SUBJECT_KEY, idpSubject);
    logger.info("Created an IdP subject instance with principals containing attributes for {} ", principal.getName());
}
 
Example #16
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * doGet for a standard request (neither forced nor passive): the principal name from the
 * stubbed assertion must be set on the request.
 */
@Test
public void testDoGetStandard() throws Exception {
    // Request/response doubles and a canned assertion from the test helpers.
    final HttpServletRequest mockRequest = createDoGetHttpServletRequest(CONVERSATION_TICKET, TICKET, null);
    final HttpServletResponse mockResponse = createMockHttpServletResponse();
    final Assertion cannedAssertion = createMockAssertion();

    // Validator stub: the expected ticket/URL pair yields the canned assertion.
    final Cas20ServiceTicketValidator stubValidator = PowerMockito.mock(Cas20ServiceTicketValidator.class);
    PowerMockito.when(stubValidator.validate(TICKET, URL_WITH_CONVERSATION)).thenReturn(cannedAssertion);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(mockRequest)).willReturn(E1S1);

    // Servlet under test, with its validator field replaced so no real server is called.
    final ShibcasAuthServlet servletUnderTest = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servletUnderTest, stubValidator);

    // Neither forced nor passive.
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("false");
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("false");
    servletUnderTest.doGet(mockRequest, mockResponse);

    // The principal name must have been handed over on the request.
    verify(mockRequest).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #17
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Passive, non-forced doGet with {@code gatewayAttempted=true} already on the conversation:
 * expects the principal name to be set on the request.
 */
@Test
public void testDoGetPassiveAuthenticated() throws Exception {
    // Test doubles built by the helper methods of this test class.
    final HttpServletRequest requestDouble = createDoGetHttpServletRequest(CONVERSATION_TICKET + "&gatewayAttempted=true", TICKET, "true");
    final HttpServletResponse responseDouble = createMockHttpServletResponse();
    final Assertion assertionDouble = createMockAssertion();

    // The validator answers with the assertion double for the expected ticket and URL.
    final Cas20ServiceTicketValidator validatorDouble = PowerMockito.mock(Cas20ServiceTicketValidator.class);
    PowerMockito.when(validatorDouble.validate(TICKET, URL_WITH_CONVERSATION_GATEWAY_ATTEMPTED)).thenReturn(assertionDouble);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(requestDouble)).willReturn(E1S1);

    // Replace the servlet's own validator so the test never reaches a real server.
    final ShibcasAuthServlet servlet = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servlet, validatorDouble);

    // forced=false, passive=true
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("false");
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("true");
    servlet.doGet(requestDouble, responseDouble);

    verify(requestDouble).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #18
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * doGet for a forced, non-passive request: the principal name from the stubbed assertion must
 * be set on the request.
 */
@Test
public void testDoGetForced() throws Exception {
    // Request/response doubles and a canned assertion from the test helpers.
    final HttpServletRequest mockRequest = createDoGetHttpServletRequest(CONVERSATION_TICKET, TICKET, null);
    final HttpServletResponse mockResponse = createMockHttpServletResponse();
    final Assertion cannedAssertion = createMockAssertion();

    // Validator stub: the expected ticket/URL pair yields the canned assertion.
    final Cas20ServiceTicketValidator stubValidator = PowerMockito.mock(Cas20ServiceTicketValidator.class);
    PowerMockito.when(stubValidator.validate(TICKET, URL_WITH_CONVERSATION)).thenReturn(cannedAssertion);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(mockRequest)).willReturn(E1S1);

    // Servlet under test, with its validator field replaced so no real server is called.
    final ShibcasAuthServlet servletUnderTest = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servletUnderTest, stubValidator);

    // Forced only.
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("true");
    BDDMockito.given(mockRequest.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("false");
    servletUnderTest.doGet(mockRequest, mockResponse);

    // The principal name must have been handed over on the request.
    verify(mockRequest).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #19
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Forced and passive doGet on a gateway-attempted conversation: expects the principal name to
 * be set on the request.
 */
@Test
public void testDoGetPassiveAndForced() throws Exception {
    // Test doubles built by the helper methods of this test class.
    final HttpServletRequest requestDouble = createDoGetHttpServletRequest(CONVERSATION_TICKET_GATEWAY_ATTEMPTED, TICKET, "true");
    final HttpServletResponse responseDouble = createMockHttpServletResponse();
    final Assertion assertionDouble = createMockAssertion();

    // The validator answers with the assertion double for the expected ticket and URL.
    final Cas20ServiceTicketValidator validatorDouble = PowerMockito.mock(Cas30ServiceTicketValidator.class);
    PowerMockito.when(validatorDouble.validate(TICKET, URL_WITH_CONVERSATION_GATEWAY_ATTEMPTED)).thenReturn(assertionDouble);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(requestDouble)).willReturn(E1S1);

    // Replace the servlet's own validator so the test never reaches a real server.
    final ShibcasAuthServlet servlet = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servlet, validatorDouble);

    // forced=true, passive=true
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("true");
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("true");
    servlet.doGet(requestDouble, responseDouble);

    verify(requestDouble).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #20
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the assertion double shared by the tests: a mocked {@code Assertion} returning a
 * mocked principal named {@code JDOE}.
 *
 * @return the mocked assertion
 */
private Assertion createMockAssertion() {
    final AttributePrincipal namedPrincipal = Mockito.mock(AttributePrincipal.class);
    BDDMockito.given(namedPrincipal.getName()).willReturn(JDOE);

    final Assertion mockedAssertion = Mockito.mock(Assertion.class);
    BDDMockito.given(mockedAssertion.getPrincipal()).willReturn(namedPrincipal);

    return mockedAssertion;
}
 
Example #21
Source File: CasUserDetailsService.java    From kylin-on-parquet-v2 with Apache License 2.0 5 votes vote down vote up
/**
 * Loads the stored user for a CAS assertion and stores a new one when none exists yet.
 *
 * @param assertion validated CAS assertion
 * @return the record held by {@code KylinUserManager} for the assertion's username
 * @throws CredentialsExpiredException if {@code assertion} is {@code null}
 */
@Override
protected UserDetails loadUserDetails(Assertion assertion) {
    if (assertion == null) {
        throw new CredentialsExpiredException("bad assertion");
    }

    final ManagedUser parsed = parseUserDetails(assertion);
    final KylinUserManager manager = KylinUserManager.getInstance(KylinConfig.getInstanceFromEnv());

    // Unknown user: persist the one derived from the assertion.
    // NOTE(review): account creation is automatic for any CAS-authenticated principal —
    // confirm which users the CAS server is allowed to release to this service.
    final boolean alreadyStored = manager.get(parsed.getUsername()) != null;
    if (!alreadyStored) {
        manager.update(parsed);
    }

    // Always answer with the stored record.
    return manager.get(parsed.getUsername());
}
 
Example #22
Source File: CasUserDetailsService.java    From kylin-on-parquet-v2 with Apache License 2.0 5 votes vote down vote up
/**
 * Maps a CAS assertion to a {@code ManagedUser} carrying the principal name and one
 * {@code SimpleGrantedAuthority} per entry of {@code defaultAuthorities}.
 *
 * <p>Only the principal name is taken from the assertion; the password argument is the
 * constant {@code NON_EXISTENT_PASSWORD_VALUE}.
 *
 * @param assertion validated CAS assertion
 * @return a new, unsaved user object
 */
protected ManagedUser parseUserDetails(Assertion assertion) {
    final AttributePrincipal who = assertion.getPrincipal();

    // Authorities do not depend on the assertion: they come from the configured defaults.
    final List<GrantedAuthority> defaults =
            Stream.of(defaultAuthorities).map(SimpleGrantedAuthority::new).collect(Collectors.toList());

    return new ManagedUser(who.getName(), NON_EXISTENT_PASSWORD_VALUE, true, defaults);
}
 
Example #23
Source File: CasSsoService3.java    From Knowage-Server with GNU Affero General Public License v3.0 5 votes vote down vote up
/**
 * Reads the identifier of the CAS-authenticated user from the HTTP session.
 *
 * @param request current request; the CAS assertion is read from its session
 *
 * @return the name of the CAS principal
 */
public String readUserIdentifier(HttpServletRequest request){
    final HttpSession httpSession = request.getSession();
    // NOTE(review): the assertion is dereferenced without a null check, so a session that has
    // not been through the CAS filter ends in a NullPointerException — confirm the filter
    // always runs before this call.
    final Assertion casAssertion = (Assertion) httpSession.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    final String principalName = casAssertion.getPrincipal().getName();

    logger.debug("CAS user in HttpSession:"+principalName);
    return principalName;
}
 
Example #24
Source File: CasSsoService3NoProxy.java    From Knowage-Server with GNU Affero General Public License v3.0 5 votes vote down vote up
/**
 * Reads the identifier of the current user, preferring the request's remote user over the
 * principal of the CAS assertion held in the session.
 *
 * @param request current request; the CAS assertion is read from its session
 *
 * @return the remote user when it is not {@code null}, otherwise the CAS principal name
 */
public String readUserIdentifier(HttpServletRequest request){
    final HttpSession httpSession = request.getSession();
    // NOTE(review): no null check on the assertion; even when the remote user is set, a
    // missing assertion fails here first — confirm the CAS filter always runs before this.
    final Assertion casAssertion = (Assertion) httpSession.getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
    final String sessionUser = casAssertion.getPrincipal().getName();

    final String containerUser = request.getRemoteUser();
    logger.debug("CAS user in HttpServletRequest:"+containerUser);
    logger.debug("CAS user in HttpSession:"+sessionUser);

    if (containerUser != null) {
        return containerUser;
    }
    return sessionUser;
}
 
Example #25
Source File: MCRCASServlet.java    From mycore with GNU General Public License v3.0 5 votes vote down vote up
/**
 * Logs a user in from a CAS ticket passed as the {@code ticket} request parameter.
 *
 * <p>Answers 400 when the parameter is missing or blank. Otherwise the ticket is validated
 * against the CAS server, the user is loaded (or created in memory), refreshed from LDAP,
 * stored in the current session, and the browser is redirected.
 *
 * @param job servlet job wrapping the request and response
 * @throws Exception on validation or any downstream failure
 */
public void doGetPost(MCRServletJob job) throws Exception {
    final HttpServletRequest request = job.getRequest();
    final HttpServletResponse response = job.getResponse();

    final String casTicket = request.getParameter("ticket");
    if (casTicket == null || casTicket.trim().isEmpty()) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }

    // Validate the ticket at the CAS server.
    // NOTE(review): setAcceptAnyProxy(true) accepts a proxy ticket whichever proxy chain
    // obtained it — confirm this is intended; an allow-list of proxy chains is the narrower
    // setting.
    final Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(serverURL);
    validator.setAcceptAnyProxy(true);
    final Assertion validated = validator.validate(casTicket, clientURL);
    final AttributePrincipal casPrincipal = validated.getPrincipal();

    // Name of the user that logged in.
    final String loginName = casPrincipal.getName();
    LOGGER.info("Login {}", loginName);

    final boolean known = MCRUserManager.exists(loginName, realmID);
    final MCRUser account = known
        ? MCRUserManager.getUser(loginName, realmID)
        : new MCRUser(loginName, realmID);

    // Refresh the user's properties from LDAP; only an already stored user is written back.
    final boolean changed = MCRLDAPClient.instance().updateUserProperties(account);
    if (known && changed) {
        MCRUserManager.updateUser(account);
    }

    // Bind the user to the current session.
    MCRSessionMgr.getCurrentSession().setUserInformation(account);
    // MCR-1154: change the session id once the user is bound, before redirecting.
    request.changeSessionId();
    MCRLoginServlet.redirect(response);
}
 
Example #26
Source File: AuthenticatedNameTranslator.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Publishes the CAS principal to the IdP as request attributes.
 *
 * <p>With no attributes released by CAS, the principal name alone is stored under
 * {@code PRINCIPAL_NAME_KEY}. With attributes, a {@code Subject} combining the converted
 * assertion attributes, the converted principal attributes and a {@code UsernamePrincipal} is
 * stored under {@code SUBJECT_KEY}. When the assertion or its principal is missing, an error is
 * logged and the request is left untouched.
 */
@Override
public void doTranslation(final HttpServletRequest request, final HttpServletResponse response,
                          final Assertion assertion, final String authenticationKey) {
    if (assertion == null || assertion.getPrincipal() == null) {
        logger.error("No valid assertion or principal could be found to translate");
        return;
    }

    final AttributePrincipal authenticated = assertion.getPrincipal();
    logger.debug("principalName found and being passed on: {}", authenticated.getName());

    // Convert both attribute sources: the assertion's own and the principal's.
    final Collection<IdPAttributePrincipal> assertionSide = produceIdpAttributePrincipal(assertion.getAttributes());
    final Collection<IdPAttributePrincipal> principalSide = produceIdpAttributePrincipal(authenticated.getAttributes());

    final boolean nothingReleased = assertionSide.isEmpty() && principalSide.isEmpty();
    if (nothingReleased) {
        logger.debug("No attributes released from CAS. Creating an IdP principal for {}", authenticated.getName());
        request.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, authenticated.getName());
        return;
    }

    logger.debug("Found attributes from CAS. Processing...");
    final Set<Principal> collected = new HashSet<>();
    collected.addAll(assertionSide);
    collected.addAll(principalSide);
    collected.add(new UsernamePrincipal(authenticated.getName()));

    // The Subject is created writable and without any public or private credentials.
    request.setAttribute(ExternalAuthentication.SUBJECT_KEY, new Subject(false, collected,
        Collections.emptySet(), Collections.emptySet()));
    logger.info("Created an IdP subject instance with principals containing attributes for {} ", authenticated.getName());
}
 
Example #27
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Standard doGet (forced=false, passive=false): expects the principal name to be set on the
 * request.
 */
@Test
public void testDoGetStandard() throws Exception {
    // Test doubles built by the helper methods of this test class.
    final HttpServletRequest requestDouble = createDoGetHttpServletRequest(CONVERSATION_TICKET, TICKET, null);
    final HttpServletResponse responseDouble = createMockHttpServletResponse();
    final Assertion assertionDouble = createMockAssertion();

    // The validator answers with the assertion double for the expected ticket and URL.
    final Cas20ServiceTicketValidator validatorDouble = PowerMockito.mock(Cas20ServiceTicketValidator.class);
    PowerMockito.when(validatorDouble.validate(TICKET, URL_WITH_CONVERSATION)).thenReturn(assertionDouble);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(requestDouble)).willReturn(E1S1);

    // Replace the servlet's own validator so the test never reaches a real server.
    final ShibcasAuthServlet servlet = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servlet, validatorDouble);

    // forced=false, passive=false
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("false");
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("false");
    servlet.doGet(requestDouble, responseDouble);

    verify(requestDouble).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #28
Source File: ShibcasAuthServletTest.java    From shib-cas-authn3 with Apache License 2.0 5 votes vote down vote up
/**
 * Forced doGet (forced=true, passive=false): expects the principal name to be set on the
 * request.
 */
@Test
public void testDoGetForced() throws Exception {
    // Test doubles built by the helper methods of this test class.
    final HttpServletRequest requestDouble = createDoGetHttpServletRequest(CONVERSATION_TICKET, TICKET, null);
    final HttpServletResponse responseDouble = createMockHttpServletResponse();
    final Assertion assertionDouble = createMockAssertion();

    // The validator answers with the assertion double for the expected ticket and URL.
    final Cas20ServiceTicketValidator validatorDouble = PowerMockito.mock(Cas20ServiceTicketValidator.class);
    PowerMockito.when(validatorDouble.validate(TICKET, URL_WITH_CONVERSATION)).thenReturn(assertionDouble);

    PowerMockito.mockStatic(ExternalAuthentication.class);
    BDDMockito.given(ExternalAuthentication.startExternalAuthentication(requestDouble)).willReturn(E1S1);

    // Replace the servlet's own validator so the test never reaches a real server.
    final ShibcasAuthServlet servlet = createShibcasAuthServlet();
    MemberModifier.field(ShibcasAuthServlet.class, "ticketValidator").set(servlet, validatorDouble);

    // forced=true, passive=false
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.FORCE_AUTHN_PARAM)).willReturn("true");
    BDDMockito.given(requestDouble.getAttribute(ExternalAuthentication.PASSIVE_AUTHN_PARAM)).willReturn("false");
    servlet.doGet(requestDouble, responseDouble);

    verify(requestDouble).setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, JDOE);
}
 
Example #29
Source File: CasDuoSecurityRefedsAuthnMethodTranslator.java    From shib-cas-authn3 with Apache License 2.0 4 votes vote down vote up
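/**
 * Chooses the authentication context class to record for this login, based on what the
 * relying party requested and on the {@code authnContextClass} attribute of the CAS assertion.
 *
 * <p>Outcomes, in order:
 * <ul>
 *   <li>no authentication context: nothing is changed;</li>
 *   <li>no requested principals, no requested {@code REFEDS} principal, or no usable
 *       {@code authnContextClass} attribute: the class is overridden to
 *       {@code AuthnContext.PPT_AUTHN_CTX};</li>
 *   <li>attribute equals {@code "mfa-duo"}: the class is overridden to {@code REFEDS};</li>
 *   <li>any other attribute value: the class is overridden to that value's string form.</li>
 * </ul>
 *
 * @param request           current servlet request
 * @param response          current servlet response (not used by this method)
 * @param assertion         validated CAS assertion whose principal attributes are inspected
 * @param authenticationKey key identifying the external authentication conversation
 * @throws Exception if looking up the profile request context or overriding the class fails
 */
@Override
public void doTranslation(final HttpServletRequest request, final HttpServletResponse response, final Assertion assertion, final String authenticationKey) throws Exception {

    final ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(authenticationKey, request);
    final AuthenticationContext authnContext = prc.getSubcontext(AuthenticationContext.class, true);
    if (authnContext == null) {
        logger.debug("No authentication context is available");
        return;
    }
    final RequestedPrincipalContext principalCtx = authnContext.getSubcontext(RequestedPrincipalContext.class, true);
    if (principalCtx == null || principalCtx.getRequestedPrincipals().isEmpty()) {
        logger.debug("No requested principal context is available in the authentication context; Overriding class to {}", AuthnContext.PPT_AUTHN_CTX);
        overrideAuthnContextClass(AuthnContext.PPT_AUTHN_CTX, request, authenticationKey);
        return;
    }

    // Only a request that explicitly names the REFEDS class is eligible for the MFA mapping.
    final Principal principal = new AuthnContextClassRefPrincipal(REFEDS);
    final Principal attribute = principalCtx.getRequestedPrincipals().stream().filter(p -> p.equals(principal)).findFirst().orElse(null);
    if (attribute == null) {
        logger.debug("No authn context class ref principal is found in the requested principals; overriding to {}", AuthnContext.PPT_AUTHN_CTX);
        overrideAuthnContextClass(AuthnContext.PPT_AUTHN_CTX, request, authenticationKey);
        return;
    }
    final String authnMethod = attribute.getName();
    logger.debug("Requested authn method provided by IdP is {}", authnMethod);

    // A key that is present but mapped to null used to pass the containsKey() check and then
    // fail with a NullPointerException on equals()/toString(). A null value is now handled
    // like a missing attribute and falls back to the password class, never to the MFA class.
    final Object clazz = assertion.getPrincipal().getAttributes().get("authnContextClass");
    if (clazz == null) {
        logger.debug("No authentication context class is provided by CAS; Overriding context class to {}", AuthnContext.PPT_AUTHN_CTX);
        overrideAuthnContextClass(AuthnContext.PPT_AUTHN_CTX, request, authenticationKey);
        return;
    }
    logger.debug("Located asserted authentication context class [{}]", clazz);

    // NOTE(review): if CAS releases this attribute as a multi-valued collection, equals() will
    // not match "mfa-duo" and toString() below yields the collection's string form. Confirm
    // the attribute is always single-valued.
    if (clazz.equals("mfa-duo")) {
        overrideAuthnContextClass(REFEDS, request, authenticationKey);
        logger.info("Validation payload successfully asserts the authentication context class for mfa-duo; Context class is set to {}", REFEDS);
        return;
    }

    // NOTE(review): the message below says the requested method is "left unmodified", yet the
    // next call overrides the class with the CAS-supplied value. That value is used as-is with
    // no allow-list, so the CAS attribute release for "authnContextClass" must not be
    // user-influenced. Confirm which behaviour is intended.
    logger.debug("Authentication context class [{}] provided by CAS is not one by Duo Security. "
        + "The requested authentication method to be used shall be {} and is left unmodified", clazz, authnMethod);
    overrideAuthnContextClass(clazz.toString(), request, authenticationKey);
}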
 
Example #30
Source File: CasDuoSecurityRefedsAuthnMethodTranslator.java    From shib-cas-authn3 with Apache License 2.0 4 votes vote down vote up
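/**
 * Chooses the authentication context class to record for this login, based on what the
 * relying party requested and on the {@code authnContextClass} attribute of the CAS assertion.
 *
 * <p>Outcomes, in order:
 * <ul>
 *   <li>no authentication context: nothing is changed;</li>
 *   <li>no requested principals, no requested {@code REFEDS} principal, or no usable
 *       {@code authnContextClass} attribute: the class is overridden to
 *       {@code AuthnContext.PPT_AUTHN_CTX};</li>
 *   <li>attribute equals {@code "mfa-duo"}: the class is overridden to {@code REFEDS};</li>
 *   <li>any other attribute value: the class is overridden to that value's string form.</li>
 * </ul>
 *
 * @param request           current servlet request
 * @param response          current servlet response (not used by this method)
 * @param assertion         validated CAS assertion whose principal attributes are inspected
 * @param authenticationKey key identifying the external authentication conversation
 * @throws Exception if looking up the profile request context or overriding the class fails
 */
@Override
public void doTranslation(final HttpServletRequest request, final HttpServletResponse response, final Assertion assertion, final String authenticationKey) throws Exception {

    final ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(authenticationKey, request);
    final AuthenticationContext authnContext = prc.getSubcontext(AuthenticationContext.class, true);
    if (authnContext == null) {
        logger.debug("No authentication context is available");
        return;
    }
    final RequestedPrincipalContext principalCtx = authnContext.getSubcontext(RequestedPrincipalContext.class, true);
    if (principalCtx == null || principalCtx.getRequestedPrincipals().isEmpty()) {
        logger.debug("No requested principal context is available in the authentication context; Overriding class to {}", AuthnContext.PPT_AUTHN_CTX);
        overrideAuthnContextClass(AuthnContext.PPT_AUTHN_CTX, request, authenticationKey);
        return;
    }

    // Only a request that explicitly names the REFEDS class is eligible for the MFA mapping.
    final Principal principal = new AuthnContextClassRefPrincipal(REFEDS);
    final Principal attribute = principalCtx.getRequestedPrincipals().stream().filter(p -> p.equals(principal)).findFirst().orElse(null);
    if (attribute == null) {
        logger.debug("No authn context class ref principal is found in the requested principals; overriding to {}", AuthnContext.PPT_AUTHN_CTX);
        overrideAuthnContextClass(AuthnContext.PPT_AUTHN_CTX, request, authenticationKey);
        return;
    }
    final String authnMethod = attribute.getName();
    logger.debug("Requested authn method provided by IdP is {}", authnMethod);

    // A key that is present but mapped to null used to pass the containsKey() check and then
    // fail with a NullPointerException on equals()/toString(). A null value is now handled
    // like a missing attribute and falls back to the password class, never to the MFA class.
    final Object clazz = assertion.getPrincipal().getAttributes().get("authnContextClass");
    if (clazz == null) {
        logger.debug("No authentication context class is provided by CAS; Overriding context class to {}", AuthnContext.PPT_AUTHN_CTX);
        overrideAuthnContextClass(AuthnContext.PPT_AUTHN_CTX, request, authenticationKey);
        return;
    }
    logger.debug("Located asserted authentication context class [{}]", clazz);

    // NOTE(review): if CAS releases this attribute as a multi-valued collection, equals() will
    // not match "mfa-duo" and toString() below yields the collection's string form. Confirm
    // the attribute is always single-valued.
    if (clazz.equals("mfa-duo")) {
        overrideAuthnContextClass(REFEDS, request, authenticationKey);
        logger.info("Validation payload successfully asserts the authentication context class for mfa-duo; Context class is set to {}", REFEDS);
        return;
    }

    // NOTE(review): the message below says the requested method is "left unmodified", yet the
    // next call overrides the class with the CAS-supplied value. That value is used as-is with
    // no allow-list, so the CAS attribute release for "authnContextClass" must not be
    // user-influenced. Confirm which behaviour is intended.
    logger.debug("Authentication context class [{}] provided by CAS is not one by Duo Security. "
        + "The requested authentication method to be used shall be {} and is left unmodified", clazz, authnMethod);
    overrideAuthnContextClass(clazz.toString(), request, authenticationKey);
}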