Java Code Examples for org.jasig.cas.ticket.InvalidTicketException

Example 1
Source Project: taoshop — Source File: CentralAuthenticationServiceImpl.java — License: Apache License 2.0
/**
 * {@inheritDoc}
 * Destroys a TicketGrantingTicket and performs back-channel logout. As a consequence every
 * ticket derived from the destroyed TicketGrantingTicket becomes invalid. May throw an
 * {@link IllegalArgumentException} if the TicketGrantingTicket ID is null.
 *
 * @param ticketGrantingTicketId the id of the ticket we want to destroy
 * @return the logout requests produced while destroying the ticket; an empty list when no
 *         ticket with that id can be retrieved from the registry
 */
@Audit(
        action = "TICKET_GRANTING_TICKET_DESTROYED",
        actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER",
        resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
@Metered(name = "DESTROY_TICKET_GRANTING_TICKET_METER")
@Counted(name = "DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull final String ticketGrantingTicketId) {
    try {
        logger.debug("Removing ticket [{}] from registry...", ticketGrantingTicketId);
        final TicketGrantingTicket tgt = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        // Back-channel logout is performed before the ticket is removed from the registry.
        final List<LogoutRequest> requests = logoutManager.performLogout(tgt);
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
        doPublishEvent(new CasTicketGrantingTicketDestroyedEvent(this, tgt));
        return requests;
    } catch (final InvalidTicketException e) {
        // getTicket signals an unknown (or already expired and deleted) TGT this way; nothing left to destroy.
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
        return Collections.emptyList();
    }
}
 
Example 2
/**
 * {@inheritDoc}
 * Destroys a TicketGrantingTicket and performs back-channel logout, which invalidates every
 * ticket derived from the destroyed TicketGrantingTicket. May throw an
 * {@link IllegalArgumentException} if the TicketGrantingTicket ID is null.
 *
 * @param ticketGrantingTicketId the id of the ticket we want to destroy
 * @return the logout requests, or an empty list when the ticket cannot be retrieved from the registry
 */
@Audit(
        action="TICKET_GRANTING_TICKET_DESTROYED",
        actionResolverName="DESTROY_TICKET_GRANTING_TICKET_RESOLVER",
        resourceResolverName="DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
@Metered(name="DESTROY_TICKET_GRANTING_TICKET_METER")
@Counted(name="DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic=true)
@Override
public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull final String ticketGrantingTicketId) {
    List<LogoutRequest> requests = Collections.emptyList();
    try {
        logger.debug("Removing ticket [{}] from registry...", ticketGrantingTicketId);
        final TicketGrantingTicket tgt = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        // Logout requests are collected first; the registry entry goes away afterwards.
        requests = logoutManager.performLogout(tgt);
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
    } catch (final InvalidTicketException e) {
        // No ticket to destroy: report it at debug level and hand back the empty list.
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
    }
    return requests;
}
 
Example 3
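/**
 * {@inheritDoc}
 * Looks the ticket up in the registry and, for ticket-granting tickets only, enforces expiry:
 * an expired TGT is deleted from the registry and reported as invalid. Tickets of other types
 * are returned as stored; this method does not check their expiry.
 *
 * @param ticketId the id of the ticket to retrieve
 * @param clazz    the ticket type requested from the registry
 * @param <T>      the ticket type the caller expects back
 * @return the ticket found in the registry
 * @throws InvalidTicketException   if no ticket with that id exists, or it is a TGT that has expired
 * @throws IllegalArgumentException if ticketId or clazz is null
 */
@Timed(name = "GET_TICKET_TIMER")
@Metered(name = "GET_TICKET_METER")
@Counted(name="GET_TICKET_COUNTER", monotonic=true)
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    Assert.notNull(ticketId, "ticketId cannot be null");
    // A null clazz used to surface only as a NullPointerException on clazz.getSimpleName() in the
    // not-found branch; reject it up front the same way a null ticketId is rejected.
    Assert.notNull(clazz, "clazz cannot be null");
    final Ticket ticket = this.ticketRegistry.getTicket(ticketId, clazz);

    if (ticket == null) {
        logger.debug("Ticket [{}] by type [{}] cannot be found in the ticket registry.", ticketId, clazz.getSimpleName());
        throw new InvalidTicketException(ticketId);
    }

    if (ticket instanceof TicketGrantingTicket) {
        // Expiry check and deletion are done under the ticket's monitor, serialising them with
        // other code that locks the same ticket.
        synchronized (ticket) {
            if (ticket.isExpired()) {
                this.ticketRegistry.deleteTicket(ticketId);
                logger.debug("Ticket [{}] has expired and is now deleted from the ticket registry.", ticketId);
                throw new InvalidTicketException(ticketId);
            }
        }
    }
    // The registry was asked for a ticket of type clazz; the unchecked cast relies on it honouring that.
    @SuppressWarnings("unchecked")
    final T typedTicket = (T) ticket;
    return typedTicket;
}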
 
Example 4
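@Test
public void verifyValidPrincipal() throws InvalidTicketException {
    // A CAS facade that resolves any ticket id to a TGT whose principal is "cas".
    final CentralAuthenticationService cas = mock(CentralAuthenticationService.class);
    final Authentication authn = mock(Authentication.class);
    when(authn.getPrincipal()).thenReturn(TestUtils.getPrincipal("cas"));
    final TicketGrantingTicket tgt = mock(TicketGrantingTicket.class);
    when(tgt.getAuthentication()).thenReturn(authn);
    when(cas.getTicket(any(String.class), any(Ticket.class.getClass()))).thenReturn(tgt);

    final GenericSuccessViewAction action = new GenericSuccessViewAction(cas);
    final Principal p = action.getAuthenticationPrincipal("TGT-1");
    assertNotNull(p);
    // Expected value first: the original had the arguments swapped, so a failure message read backwards.
    assertEquals("cas", p.getId());
}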
 
Example 5
Source Project: taoshop — Source File: CentralAuthenticationServiceImpl.java — License: Apache License 2.0
/**
 * Creates a proxy-granting ticket from a valid service ticket.
 * <p>
 * The service ticket must exist and be unexpired, its registered service must pass the
 * property verification, and that registered service's proxy policy must allow proxying.
 * The new ticket is added to the registry and a creation event is published before it is returned.
 *
 * @param serviceTicketId the id of the service ticket the proxy-granting ticket derives from
 * @param context         the authentication context whose authentication is bound to the new ticket
 * @return the newly created proxy-granting ticket
 * @throws InvalidTicketException        if the service ticket is missing or expired
 * @throws UnauthorizedProxyingException if the registered service is not allowed to proxy
 * @throws AuthenticationException       declared by the contract; may be raised by the helper calls
 * @throws AbstractTicketException       for other ticket-level failures raised by the helper calls
 */
@Audit(
        action = "PROXY_GRANTING_TICKET",
        actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER",
        resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
@Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
@Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public ProxyGrantingTicket createProxyGrantingTicket(final String serviceTicketId, final AuthenticationContext context)
        throws AuthenticationException, AbstractTicketException {
    final ServiceTicket st = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    final boolean usable = st != null && !st.isExpired();
    if (!usable) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final Service targetService = st.getService();
    final RegisteredService registered = this.servicesManager.findServiceBy(targetService);
    verifyRegisteredServiceProperties(registered, targetService);

    // Proxying is an opt-in per registered service; refuse it otherwise.
    final boolean mayProxy = registered.getProxyPolicy().isAllowedToProxy();
    if (!mayProxy) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", targetService.getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = context.getAuthentication();
    final ProxyGrantingTicketFactory pgtFactory = this.ticketFactory.get(ProxyGrantingTicket.class);
    final ProxyGrantingTicket pgt = pgtFactory.create(st, authentication);
    logger.debug("Generated proxy granting ticket [{}] based off of [{}]", pgt, serviceTicketId);

    this.ticketRegistry.addTicket(pgt);
    doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, pgt));
    return pgt;
}
 
Example 6
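/**
 * Resolves a join point argument to the identity recorded in the audit trail.
 * <p>
 * A {@link Credential} is rendered via its own {@code toString()}. A {@link String} is taken to be
 * a ticket id and resolved through the central authentication service to the id of the principal
 * owning the ticket (for a service ticket, the principal of its granting ticket). Any other
 * argument falls back to the username held in the Spring Security context. When nothing can be
 * resolved, {@code UNKNOWN_USER} is returned so the audit record can still be written.
 *
 * @param arg1 the join point argument; may be null
 * @return the resolved string, or {@code UNKNOWN_USER} when no identity could be determined
 */
private String resolveArgument(final Object arg1) {
    if (arg1 == null) {
        // arg1.getClass() below used to throw NullPointerException for a null argument.
        LOGGER.debug("Unable to determine the audit argument. Returning [{}]", UNKNOWN_USER);
        return UNKNOWN_USER;
    }
    LOGGER.debug("Resolving argument [{}] for audit", arg1.getClass().getSimpleName());

    if (arg1 instanceof Credential) {
        return arg1.toString();
    }
    if (arg1 instanceof String) {
        try {
            final Ticket ticket = this.centralAuthenticationService.getTicket((String) arg1, Ticket.class);
            if (ticket instanceof ServiceTicket) {
                return ((ServiceTicket) ticket).getGrantingTicket().getAuthentication().getPrincipal().getId();
            }
            if (ticket instanceof TicketGrantingTicket) {
                return ((TicketGrantingTicket) ticket).getAuthentication().getPrincipal().getId();
            }
        } catch (final InvalidTicketException e) {
            // Not an error for auditing purposes: the id may refer to a ticket that is already gone.
            LOGGER.trace(e.getMessage(), e);
        }
        LOGGER.debug("Could not locate ticket [{}] in the registry", arg1);
    } else {
        final SecurityContext securityContext = SecurityContextHolder.getContext();
        final Authentication authentication = securityContext == null ? null : securityContext.getAuthentication();
        if (authentication != null) {
            final Object principal = authentication.getPrincipal();
            // Only a UserDetails principal carries a username. Any other principal type (a plain
            // String, for instance) used to fail with ClassCastException; it is now reported as unknown.
            if (principal instanceof UserDetails) {
                return ((UserDetails) principal).getUsername();
            }
        }
    }
    LOGGER.debug("Unable to determine the audit argument. Returning [{}]", UNKNOWN_USER);
    return UNKNOWN_USER;
}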
 
Example 7
/**
 * Delegates a service ticket into a proxy-granting ticket.
 * <p>
 * The service ticket must exist and be unexpired, its registered service must pass the property
 * verification and its proxy policy must allow proxying. The supplied credentials are then
 * authenticated and the resulting authentication is bound to the new proxy-granting ticket,
 * which is added to the ticket registry.
 *
 * @param serviceTicketId the id of the service ticket being delegated
 * @param credentials     the credentials of the proxying party
 * @return the newly created proxy-granting ticket
 * @throws InvalidTicketException        if the service ticket is missing or expired
 * @throws UnauthorizedProxyingException if the registered service is not allowed to proxy
 * @throws AuthenticationException       if the credentials cannot be authenticated
 * @throws TicketException               for other ticket-level failures raised by the helper calls
 */
@Audit(
    action="PROXY_GRANTING_TICKET",
    actionResolverName="GRANT_PROXY_GRANTING_TICKET_RESOLVER",
    resourceResolverName="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name="GRANT_PROXY_GRANTING_TICKET_TIMER")
@Metered(name="GRANT_PROXY_GRANTING_TICKET_METER")
@Counted(name="GRANT_PROXY_GRANTING_TICKET_COUNTER", monotonic=true)
@Override
public TicketGrantingTicket delegateTicketGrantingTicket(final String serviceTicketId, final Credential... credentials)
        throws AuthenticationException, TicketException {
    final ServiceTicket st = this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    final boolean usable = st != null && !st.isExpired();
    if (!usable) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final Service targetService = st.getService();
    final RegisteredService registered = this.servicesManager.findServiceBy(targetService);
    verifyRegisteredServiceProperties(registered, targetService);

    // Proxying is an opt-in per registered service; refuse it otherwise.
    if (!registered.getProxyPolicy().isAllowedToProxy()) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", targetService.getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication proxyAuthentication = this.authenticationManager.authenticate(credentials);
    final String pgtId = this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(
            TicketGrantingTicket.PROXY_GRANTING_TICKET_PREFIX);
    final TicketGrantingTicket pgt = st.grantTicketGrantingTicket(pgtId,
            proxyAuthentication, this.ticketGrantingTicketExpirationPolicy);
    logger.debug("Generated proxy granting ticket [{}] based off of [{}]", pgt, serviceTicketId);

    this.ticketRegistry.addTicket(pgt);
    return pgt;
}
 
Example 8
/**
 * Builds the OpenID credential for the current request.
 * <p>
 * With the identifier-select identity, the username is taken from the already authenticated
 * ticket-granting ticket when one is present; otherwise the username is extracted from the
 * OpenID identity URI and remembered in the session. A credential is only built when both a
 * TGT id and a username are known.
 *
 * @param context the current web flow request context
 * @return the credential, or {@code null} when either the TGT id or the username is missing
 */
@Override
protected Credential constructCredentialsFromRequest(final RequestContext context) {
    final String tgtId = WebUtils.getTicketGrantingTicketId(context);
    final String identity = context.getRequestParameters().get(OpenIdConstants.OPENID_IDENTITY);
    final boolean identifierSelect = OpenIdConstants.OPENID_IDENTIFIERSELECT.equals(identity);

    String username;
    if (identifierSelect) {
        username = OpenIdConstants.OPENID_IDENTIFIERSELECT;
        context.getExternalContext().getSessionMap().remove(OpenIdConstants.OPENID_LOCALID);
        // already authenticated: retrieve the username from the authentication
        if (tgtId != null) {
            try {
                final TicketGrantingTicket tgt = getCentralAuthenticationService()
                        .getTicket(tgtId, TicketGrantingTicket.class);
                username = tgt.getAuthentication().getPrincipal().getId();
            } catch (final InvalidTicketException e) {
                logger.error("Cannot get TGT", e);
            }
        }
    } else {
        username = this.extractor.extractLocalUsernameFromUri(identity);
        context.getExternalContext().getSessionMap().put(OpenIdConstants.OPENID_LOCALID, username);
    }

    final Service service = WebUtils.getService(context);

    // clear the service because otherwise we can fake the username
    final boolean openIdServiceWithoutUsername = service instanceof OpenIdService && username == null;
    if (openIdServiceWithoutUsername) {
        context.getFlowScope().remove("service");
    }

    if (tgtId == null || username == null) {
        return null;
    }
    return new OpenIdCredential(tgtId, username);
}
 
Example 9
@Test
public void creationOfSTWithInvalidTicketException() throws Throwable {
    // An unknown TGT must map to 404 with the fixed "could not be found" body.
    configureCasMockSTCreationToThrow(new InvalidTicketException("TGT-1"));

    final String ticketUrl = "/cas/v1/tickets/TGT-1";
    final String expectedBody = "TicketGrantingTicket could not be found";
    this.mockMvc.perform(post(ticketUrl).param("service", "https://www.google.com"))
            .andExpect(status().isNotFound())
            .andExpect(content().string(expectedBody));
}
 
Example 10
/**
 * Gets the authentication principal bound to a ticket-granting ticket.
 *
 * @param ticketGrantingTicketId the ticket granting ticket id
 * @return the authentication principal, or {@link org.jasig.cas.authentication.principal.NullPrincipal}
 * if none was available because the ticket could not be retrieved.
 */
public Principal getAuthenticationPrincipal(final String ticketGrantingTicketId) {
    try {
        final TicketGrantingTicket tgt =
                this.centralAuthenticationService.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        return tgt.getAuthentication().getPrincipal();
    } catch (final InvalidTicketException e) {
        // Missing or expired TGT: fall back to the null principal instead of failing the view.
        logger.warn(e.getMessage());
        logger.debug("In the absence of valid TGT, the authentication principal cannot be determined. Returning {}",
                NullPrincipal.class.getSimpleName());
        return NullPrincipal.getInstance();
    }
}
 
Example 11
@Test
public void verifyPrincipalCanNotBeDetemined() throws InvalidTicketException {
    // Every lookup fails, so the action must fall back to the NullPrincipal.
    final String unknownTgtId = "TGT-1";
    final CentralAuthenticationService cas = mock(CentralAuthenticationService.class);
    when(cas.getTicket(any(String.class), any(Ticket.class.getClass()))).thenThrow(new InvalidTicketException(unknownTgtId));

    final GenericSuccessViewAction action = new GenericSuccessViewAction(cas);
    final Principal resolved = action.getAuthenticationPrincipal(unknownTgtId);
    assertNotNull(resolved);
    assertTrue(resolved instanceof NullPrincipal);
}
 
Example 12
/**
 * Retrieves a ticket by delegating to the wrapped service.
 *
 * @param ticketId the id of the ticket to retrieve
 * @param clazz    the ticket type requested
 * @param <T>      the ticket type the caller expects back
 * @return whatever the delegate returns for this id and type
 * @throws InvalidTicketException propagated from the delegate
 */
@Timed(name = "GET_TICKET_TIMER")
@Metered(name = "GET_TICKET_METER")
@Counted(name="GET_TICKET_COUNTER", monotonic=true)
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    final T found = delegate.getTicket(ticketId, clazz);
    return found;
}
 
Example 13
Source Project: taoshop — Source File: CentralAuthenticationServiceImpl.java — License: Apache License 2.0
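/**
 * Validates a service ticket against the service presenting it and builds the assertion
 * released to that service.
 * <p>
 * The registered service is verified first; the ticket must then exist, be unexpired and have
 * been issued for the supplied service. The released principal id and attributes are shaped by
 * the registered service's username-attribute provider and attribute-release policy. Whatever
 * the outcome, a ticket that reports itself expired on exit is deleted from the registry.
 *
 * @param serviceTicketId the id of the service ticket to validate
 * @param service         the service presenting the ticket
 * @return the assertion for the validated ticket
 * @throws InvalidTicketException if the ticket does not exist or has expired
 * @throws UnrecognizableServiceForServiceTicketValidationException if the ticket was issued for a different service
 * @throws AbstractTicketException for other ticket-level failures raised by the helper calls
 */
@Audit(
        action = "SERVICE_TICKET_VALIDATE",
        actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER",
        resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
@Metered(name = "VALIDATE_SERVICE_TICKET_METER")
@Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws AbstractTicketException {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    verifyRegisteredServiceProperties(registeredService, service);

    final ServiceTicket serviceTicket = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("Service ticket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    try {
        // Expiry and service-match checks run under the ticket's monitor, presumably because
        // isValidFor() is not a pure check — confirm against the ticket implementation.
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
            }
        }

        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        final RegisteredServiceAttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
        logger.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);

        // Without a release policy no attributes are released. The typed emptyMap() replaces the
        // raw Collections.EMPTY_MAP and its @SuppressWarnings; it is the same immutable instance.
        final Map<String, Object> attributesToRelease = attributePolicy != null
                ? attributePolicy.getAttributes(principal) : Collections.<String, Object>emptyMap();

        // The principal released to the service is rebuilt with the service-specific id and attributes.
        final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, service);
        final Principal modifiedPrincipal = this.principalFactory.createPrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = DefaultAuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        final Assertion assertion = new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());

        doPublishEvent(new CasServiceTicketValidatedEvent(this, serviceTicket, assertion));

        return assertion;

    } finally {
        // Runs on success and failure alike: a ticket that is now expired must not be usable again.
        if (serviceTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(serviceTicketId);
        }
    }
}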
 
Example 14
/**
 * {@inheritDoc}
 * Forwards the lookup to the wrapped central authentication service.
 *
 * @param ticketId the id of the ticket to retrieve
 * @param clazz    the ticket type requested
 * @param <T>      the ticket type the caller expects back
 * @return whatever the wrapped service returns
 * @throws InvalidTicketException propagated from the wrapped service
 */
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    final T found = this.centralAuthenticationService.getTicket(ticketId, clazz);
    return found;
}
 
Example 15
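/**
 * Validates a service ticket against the service presenting it and builds the assertion
 * released to that service.
 * <p>
 * The registered service is verified first; the ticket must then exist, be unexpired and have
 * been issued for the supplied service. The released principal id and attributes are shaped by
 * the registered service's username-attribute provider and attribute-release policy. Whatever
 * the outcome, a ticket that reports itself expired on exit is deleted from the registry.
 *
 * @param serviceTicketId the id of the service ticket to validate
 * @param service         the service presenting the ticket
 * @return the assertion for the validated ticket
 * @throws InvalidTicketException if the ticket does not exist or has expired
 * @throws UnrecognizableServiceForServiceTicketValidationException if the ticket was issued for a different service
 * @throws TicketException for other ticket-level failures raised by the helper calls
 */
@Audit(
    action="SERVICE_TICKET_VALIDATE",
    actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER",
    resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name="VALIDATE_SERVICE_TICKET_TIMER")
@Metered(name="VALIDATE_SERVICE_TICKET_METER")
@Counted(name="VALIDATE_SERVICE_TICKET_COUNTER", monotonic=true)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    verifyRegisteredServiceProperties(registeredService, service);

    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("Service ticket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    try {
        // Expiry and service-match checks run under the ticket's monitor, presumably because
        // isValidFor() is not a pure check — confirm against the ticket implementation.
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
            }
        }

        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        final AttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
        logger.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);

        // Without a release policy no attributes are released. The typed emptyMap() replaces the
        // raw Collections.EMPTY_MAP and its @SuppressWarnings; it is the same immutable instance.
        final Map<String, Object> attributesToRelease = attributePolicy != null
                ? attributePolicy.getAttributes(principal) : Collections.<String, Object>emptyMap();

        // The principal released to the service is rebuilt with the service-specific id and attributes.
        final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, service);
        final Principal modifiedPrincipal = this.principalFactory.createPrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = DefaultAuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        return new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());
    } finally {
        // Runs on success and failure alike: a ticket that is now expired must not be usable again.
        if (serviceTicket.isExpired()) {
            this.serviceTicketRegistry.deleteTicket(serviceTicketId);
        }
    }
}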
 
Example 16
@Test
public void verifyLogging5() {
    // A wrapped InvalidTicketException exercises cause rendering at trace level with a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.trace(getMarker("trace"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 17
@Test
public void verifyLogging9() {
    // Same wrapped cause as the marker variant, logged at trace level without a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.trace(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 18
@Test
public void verifyLogging51() {
    // Wrapped InvalidTicketException at debug level, with a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.debug(getMarker("debug"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 19
@Test
public void verifyLogging91() {
    // Wrapped InvalidTicketException at debug level, without a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.debug(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 20
@Test
public void verifyLogging511() {
    // Wrapped InvalidTicketException at info level, with a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.info(getMarker("info"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 21
@Test
public void verifyLogging911() {
    // Wrapped InvalidTicketException at info level, without a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.info(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 22
@Test
public void verifyLogging5111() {
    // Wrapped InvalidTicketException at warn level, with a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.warn(getMarker("warn"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 23
@Test
public void verifyLogging9111() {
    // Wrapped InvalidTicketException at warn level, without a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.warn(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 24
@Test
public void verifyLogging51110() {
    // Wrapped InvalidTicketException at error level, with a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.error(getMarker("error"), getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 25
@Test
public void verifyLogging91110() {
    // Wrapped InvalidTicketException at error level, without a marker.
    final Throwable wrapped = new RuntimeException(ID1, new InvalidTicketException(ID2));
    logger.error(getMessageToLog(), wrapped);
    validateLogData();
}
 
Example 26
@Test(expected=InvalidTicketException.class)
public void verifyNonExistentServiceWhenDelegatingTicketGrantingTicket() throws Exception {
    // No service ticket with this id was ever issued, so delegation must be refused.
    final String unknownServiceTicketId = "bad-st";
    this.cas.delegateTicketGrantingTicket(unknownServiceTicketId, TestUtils.getCredentialsWithSameUsernameAndPassword());
}
 
Example 27
@Test(expected=IllegalArgumentException.class)
public void getTicketGrantingTicketIfTicketIdIsNull() throws InvalidTicketException {
    // A null id is an argument error, not a missing ticket.
    final String nullTicketId = null;
    this.cas.getTicket(nullTicketId, TicketGrantingTicket.class);
}
 
Example 28
@Test(expected=InvalidTicketException.class)
public void getTicketGrantingTicketIfTicketIdIsMissing() throws InvalidTicketException {
    // A well-formed id that the registry does not know must be reported as an invalid ticket.
    final String unknownTicketId = "TGT-9000";
    this.cas.getTicket(unknownTicketId, TicketGrantingTicket.class);
}
 
Example 29
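/**
 * Grants a service ticket for {@code service} from the ticket-granting ticket identified by
 * {@code ticketGrantingTicketId}.
 * <p>
 * Checks performed, in order: the TGT exists and is unexpired (an expired TGT is deleted from
 * the registry); the registered service passes the property verification; a service that is not
 * SSO enabled may only reuse a previously used TGT when credentials are supplied; a chained
 * (proxied) authentication is only accepted for services allowed to proxy (CAS-1019); supplied
 * credentials must authenticate to the same principal as the TGT; the service's authentication
 * policy must be satisfied; and a ticket id generator must be configured for the service's class.
 *
 * @param ticketGrantingTicketId the id of the TGT to grant from
 * @param service                the service the ticket is granted for
 * @param credentials            credentials for a fresh authentication, or null when none is performed
 * @return the id of the granted service ticket
 * @throws IllegalArgumentException if ticketGrantingTicketId or service are null.
 * @throws InvalidTicketException if the TGT cannot be found or has expired
 * @throws UnauthorizedSsoServiceException if the service may not use SSO, or has no ticket id generator
 * @throws UnauthorizedProxyingException if the authentication is chained and the service may not proxy
 * @throws MixedPrincipalException if the supplied credentials resolve to a different principal than the TGT
 * @throws AuthenticationException if the supplied credentials fail to authenticate
 * @throws TicketException for other ticket-level failures raised by the helper calls
 */
@Audit(
    action="SERVICE_TICKET",
    actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
    resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String grantServiceTicket(
        final String ticketGrantingTicketId, final Service service, final Credential... credentials)
        throws AuthenticationException, TicketException {
    Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
    Assert.notNull(service, "service cannot be null");

    final TicketGrantingTicket ticketGrantingTicket = this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

    if (ticketGrantingTicket == null) {
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
        throw new InvalidTicketException(ticketGrantingTicketId);
    }

    // Expiry check and deletion share the ticket's monitor, serialising them with other code
    // that locks the same ticket.
    synchronized (ticketGrantingTicket) {
        if (ticketGrantingTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
            logger.debug("TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.", ticketGrantingTicketId);
            throw new InvalidTicketException(ticketGrantingTicketId);
        }
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, service);

    // A TGT that has already been used may only grant to a non-SSO service when credentials are supplied.
    if (!registeredService.isSsoEnabled() && credentials == null
        && ticketGrantingTicket.getCountOfUses() > 0) {
        logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
        throw new UnauthorizedSsoServiceException();
    }

    // CAS-1019: more than one chained authentication is treated as a proxy attempt.
    final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
    if (authns.size() > 1 && !registeredService.isAllowedToProxy()) {
        final String message = String.format(
                "ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
                service.getId(), registeredService.toString());
        logger.warn(message);
        throw new UnauthorizedProxyingException(message);
    }

    if (credentials != null) {
        // A fresh authentication must belong to the same principal that owns the TGT.
        final Authentication current = this.authenticationManager.authenticate(credentials);
        final Authentication original = ticketGrantingTicket.getAuthentication();
        if (!current.getPrincipal().equals(original.getPrincipal())) {
            throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal());
        }
        ticketGrantingTicket.getSupplementalAuthentications().add(current);
    }

    // Perform security policy check by getting the authentication that satisfies the configured policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(ticketGrantingTicket.getRoot(), new ServiceContext(service, registeredService));

    // One lookup replaces containsKey()+get(); a key mapped to null is treated as not configured,
    // where it previously slipped through to a NullPointerException on getNewTicketId().
    final String uniqueTicketIdGenKey = service.getClass().getName();
    final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
            this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);
    if (serviceTicketUniqueTicketIdGenerator == null) {
        logger.warn("Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator",
                uniqueTicketIdGenKey, service.getId());
        throw new UnauthorizedSsoServiceException();
    }

    final String generatedServiceTicketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX);
    logger.debug("Generated service ticket id [{}] for ticket granting ticket [{}]",
            generatedServiceTicketId, ticketGrantingTicket.getId());

    // The last argument records whether this grant followed a fresh authentication.
    final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket(generatedServiceTicketId, service,
            this.serviceTicketExpirationPolicy, credentials != null);

    this.serviceTicketRegistry.addTicket(serviceTicket);

    if (logger.isInfoEnabled()) {
        // Guarded because resolving the principal id walks the authentication chain.
        final List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications();
        final String type = authentications.size() == 1 ? "service" : "proxy";
        final String principalId = authentications.get(authentications.size() - 1).getPrincipal().getId();
        logger.info("Granted {} ticket [{}] for service [{}] for user [{}]",
                type, serviceTicket.getId(), service.getId(), principalId);
    }

    return serviceTicket.getId();
}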
 
Example 30
/**
 * Delegates a service ticket into a proxy-granting ticket and returns the new ticket's id.
 * <p>
 * The service ticket must exist and be unexpired, its registered service must pass the property
 * verification and be allowed to proxy. The credentials are then authenticated and the resulting
 * authentication is bound to the proxy-granting ticket, which is added to the ticket registry.
 *
 * @param serviceTicketId the id of the service ticket being delegated
 * @param credentials     the credentials of the proxying party
 * @return the id of the newly created proxy-granting ticket
 * @throws IllegalArgumentException if the ServiceTicketId or the Credential are null.
 * @throws InvalidTicketException        if the service ticket is missing or expired
 * @throws UnauthorizedProxyingException if the registered service is not allowed to proxy
 * @throws AuthenticationException       if the credentials cannot be authenticated
 * @throws TicketException               for other ticket-level failures raised by the helper calls
 */
@Audit(
    action="PROXY_GRANTING_TICKET",
    actionResolverName="GRANT_PROXY_GRANTING_TICKET_RESOLVER",
    resourceResolverName="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_PROXY_GRANTING_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String delegateTicketGrantingTicket(final String serviceTicketId, final Credential... credentials)
        throws AuthenticationException, TicketException {
    Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
    Assert.notNull(credentials, "credentials cannot be null");

    final ServiceTicket st = this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
    final boolean usable = st != null && !st.isExpired();
    if (!usable) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final Service targetService = st.getService();
    final RegisteredService registered = this.servicesManager.findServiceBy(targetService);
    verifyRegisteredServiceProperties(registered, targetService);

    // Proxying is an opt-in per registered service; refuse it otherwise.
    if (!registered.isAllowedToProxy()) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", targetService.getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication proxyAuthentication = this.authenticationManager.authenticate(credentials);
    final String pgtId = this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PREFIX);
    final TicketGrantingTicket pgt = st.grantTicketGrantingTicket(pgtId,
            proxyAuthentication, this.ticketGrantingTicketExpirationPolicy);

    this.ticketRegistry.addTicket(pgt);
    return pgt.getId();
}