org.jasig.cas.ticket.InvalidTicketException Java Examples

/**
 * {@inheritDoc}
 * Destroy a TicketGrantingTicket and perform back channel logout. This has the effect of invalidating any
 * Ticket that was derived from the TicketGrantingTicket being destroyed. May throw an
 * {@link IllegalArgumentException} if the TicketGrantingTicket ID is null.
 *
 * @param ticketGrantingTicketId the id of the ticket we want to destroy
 * @return the logout requests.
 */
@Audit(
        action = "TICKET_GRANTING_TICKET_DESTROYED",
        actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER",
        resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
@Metered(name = "DESTROY_TICKET_GRANTING_TICKET_METER")
@Counted(name = "DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull final String ticketGrantingTicketId) {
    try {
        logger.debug("Removing ticket [{}] from registry...", ticketGrantingTicketId);
        final TicketGrantingTicket ticket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        final List<LogoutRequest> logoutRequests = logoutManager.performLogout(ticket);
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);

        doPublishEvent(new CasTicketGrantingTicketDestroyedEvent(this, ticket));

        return logoutRequests;
    } catch (final InvalidTicketException e) {
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
    }
    return Collections.emptyList();
}
 

@Test
public void verifyValidPrincipal() throws InvalidTicketException {
    final CentralAuthenticationService cas = mock(CentralAuthenticationService.class);
    final Authentication authn = mock(Authentication.class);
    when(authn.getPrincipal()).thenReturn(TestUtils.getPrincipal("cas"));
    final TicketGrantingTicket tgt = mock(TicketGrantingTicket.class);
    when(tgt.getAuthentication()).thenReturn(authn);



    when(cas.getTicket(any(String.class), any(Ticket.class.getClass()))).thenReturn(tgt);
    final GenericSuccessViewAction action = new GenericSuccessViewAction(cas);
    final Principal p = action.getAuthenticationPrincipal("TGT-1");
    assertNotNull(p);
    assertEquals(p.getId(), "cas");
}
 

/**
 * {@inheritDoc}
 * Destroy a TicketGrantingTicket and perform back channel logout. This has the effect of invalidating any
 * Ticket that was derived from the TicketGrantingTicket being destroyed. May throw an
 * {@link IllegalArgumentException} if the TicketGrantingTicket ID is null.
 *
 * @param ticketGrantingTicketId the id of the ticket we want to destroy
 * @return the logout requests.
 */
@Audit(
        action="TICKET_GRANTING_TICKET_DESTROYED",
        actionResolverName="DESTROY_TICKET_GRANTING_TICKET_RESOLVER",
        resourceResolverName="DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
@Metered(name="DESTROY_TICKET_GRANTING_TICKET_METER")
@Counted(name="DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic=true)
@Override
public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull final String ticketGrantingTicketId) {
    try {
        logger.debug("Removing ticket [{}] from registry...", ticketGrantingTicketId);
        final TicketGrantingTicket ticket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        final List<LogoutRequest> logoutRequests = logoutManager.performLogout(ticket);
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
        return logoutRequests;
    } catch (final InvalidTicketException e) {
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
    }
    return Collections.emptyList();
}
 

/**
 * {@inheritDoc}
 */
@Timed(name = "GET_TICKET_TIMER")
@Metered(name = "GET_TICKET_METER")
@Counted(name="GET_TICKET_COUNTER", monotonic=true)
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    Assert.notNull(ticketId, "ticketId cannot be null");
    final Ticket ticket = this.ticketRegistry.getTicket(ticketId, clazz);

    if (ticket == null) {
        logger.debug("Ticket [{}] by type [{}] cannot be found in the ticket registry.", ticketId, clazz.getSimpleName());
        throw new InvalidTicketException(ticketId);
    }

    if (ticket instanceof TicketGrantingTicket) {
        synchronized (ticket) {
            if (ticket.isExpired()) {
                this.ticketRegistry.deleteTicket(ticketId);
                logger.debug("Ticket [{}] has expired and is now deleted from the ticket registry.", ticketId);
                throw new InvalidTicketException(ticketId);
            }
        }
    }
    return (T) ticket;
}
 

@Audit(
        action = "PROXY_GRANTING_TICKET",
        actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER",
        resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
@Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
@Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
@Override
public ProxyGrantingTicket createProxyGrantingTicket(final String serviceTicketId, final AuthenticationContext context)
        throws AuthenticationException, AbstractTicketException {

    final ServiceTicket serviceTicket = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null || serviceTicket.isExpired()) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager
            .findServiceBy(serviceTicket.getService());

    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());

    if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = context.getAuthentication();
    final ProxyGrantingTicketFactory factory = this.ticketFactory.get(ProxyGrantingTicket.class);
    final ProxyGrantingTicket proxyGrantingTicket = factory.create(serviceTicket, authentication);

    logger.debug("Generated proxy granting ticket [{}] based off of [{}]", proxyGrantingTicket, serviceTicketId);
    this.ticketRegistry.addTicket(proxyGrantingTicket);

    doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, proxyGrantingTicket));

    return proxyGrantingTicket;

}
 

@Timed(name = "GET_TICKET_TIMER")
@Metered(name = "GET_TICKET_METER")
@Counted(name="GET_TICKET_COUNTER", monotonic=true)
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    return delegate.getTicket(ticketId, clazz);

}
 

@Test
public void verifyPrincipalCanNotBeDetemined() throws InvalidTicketException {
    final CentralAuthenticationService cas = mock(CentralAuthenticationService.class);
    when(cas.getTicket(any(String.class), any(Ticket.class.getClass()))).thenThrow(new InvalidTicketException("TGT-1"));
    final GenericSuccessViewAction action = new GenericSuccessViewAction(cas);
    final Principal p = action.getAuthenticationPrincipal("TGT-1");
    assertNotNull(p);
    assertTrue(p instanceof NullPrincipal);
}
 

/**
 * Gets authentication principal.
 *
 * @param ticketGrantingTicketId the ticket granting ticket id
 * @return the authentication principal, or {@link org.jasig.cas.authentication.principal.NullPrincipal}
 * if none was available.
 */
public Principal getAuthenticationPrincipal(final String ticketGrantingTicketId) {
    try {
        final TicketGrantingTicket ticketGrantingTicket =
                this.centralAuthenticationService.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        return ticketGrantingTicket.getAuthentication().getPrincipal();
    } catch (final InvalidTicketException e){
        logger.warn(e.getMessage());
    }
    logger.debug("In the absence of valid TGT, the authentication principal cannot be determined. Returning {}",
            NullPrincipal.class.getSimpleName());
    return NullPrincipal.getInstance();
}
 

@Test
public void creationOfSTWithInvalidTicketException() throws Throwable {
    configureCasMockSTCreationToThrow(new InvalidTicketException("TGT-1"));

    this.mockMvc.perform(post("/cas/v1/tickets/TGT-1")
            .param("service", "https://www.google.com"))
            .andExpect(status().isNotFound())
            .andExpect(content().string("TicketGrantingTicket could not be found"));
}
 

@Override
protected Credential constructCredentialsFromRequest(final RequestContext context) {
    final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(context);
    final String openidIdentityParameter = context.getRequestParameters().get(OpenIdConstants.OPENID_IDENTITY);
    String userName = null;
    if (OpenIdConstants.OPENID_IDENTIFIERSELECT.equals(openidIdentityParameter)) {
        userName = OpenIdConstants.OPENID_IDENTIFIERSELECT;
        context.getExternalContext().getSessionMap().remove(OpenIdConstants.OPENID_LOCALID);
        // already authenticated: retrieve the username from the authentication
        if (ticketGrantingTicketId != null) {
            try {
                final TicketGrantingTicket tgt = getCentralAuthenticationService()
                        .getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
                userName = tgt.getAuthentication().getPrincipal().getId();
            } catch (final InvalidTicketException e) {
                logger.error("Cannot get TGT", e);
            }
        }
    } else {
        userName = this.extractor.extractLocalUsernameFromUri(openidIdentityParameter);
        context.getExternalContext().getSessionMap().put(OpenIdConstants.OPENID_LOCALID, userName);
    }
    final Service service = WebUtils.getService(context);

    // clear the service because otherwise we can fake the username
    if (service instanceof OpenIdService && userName == null) {
        context.getFlowScope().remove("service");
    }

    if (ticketGrantingTicketId == null || userName == null) {
        return null;
    }

    return new OpenIdCredential(
            ticketGrantingTicketId, userName);
}
 

/**
 * Resolve the join point argument.
 *
 * @param arg1 the arg
 * @return the resolved string
 */
private String resolveArgument(final Object arg1) {
    LOGGER.debug("Resolving argument [{}] for audit", arg1.getClass().getSimpleName());

    if (arg1 instanceof Credential) {
        return arg1.toString();
    } else if (arg1 instanceof String) {
        try {
            final Ticket ticket = this.centralAuthenticationService.getTicket((String) arg1, Ticket.class);
            if (ticket instanceof ServiceTicket) {
                final ServiceTicket serviceTicket = (ServiceTicket) ticket;
                return serviceTicket.getGrantingTicket().getAuthentication().getPrincipal().getId();
            } else if (ticket instanceof TicketGrantingTicket) {
                final TicketGrantingTicket tgt = (TicketGrantingTicket) ticket;
                return tgt.getAuthentication().getPrincipal().getId();
            }
        } catch (final InvalidTicketException e) {
            LOGGER.trace(e.getMessage(), e);
        }
        LOGGER.debug("Could not locate ticket [{}] in the registry", arg1);
    } else {
        final SecurityContext securityContext = SecurityContextHolder.getContext();
        if (securityContext != null) {
            final Authentication authentication = securityContext.getAuthentication();

            if (authentication != null) {
                return ((UserDetails) authentication.getPrincipal()).getUsername();
            }
        }
    }
    LOGGER.debug("Unable to determine the audit argument. Returning [{}]", UNKNOWN_USER);
    return UNKNOWN_USER;
}
 

@Audit(
    action="PROXY_GRANTING_TICKET",
    actionResolverName="GRANT_PROXY_GRANTING_TICKET_RESOLVER",
    resourceResolverName="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Timed(name="GRANT_PROXY_GRANTING_TICKET_TIMER")
@Metered(name="GRANT_PROXY_GRANTING_TICKET_METER")
@Counted(name="GRANT_PROXY_GRANTING_TICKET_COUNTER", monotonic=true)
@Override
public TicketGrantingTicket delegateTicketGrantingTicket(final String serviceTicketId, final Credential... credentials)
        throws AuthenticationException, TicketException {

    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null || serviceTicket.isExpired()) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager
            .findServiceBy(serviceTicket.getService());

    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());
    
    if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = this.authenticationManager.authenticate(credentials);

    final String pgtId = this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(
            TicketGrantingTicket.PROXY_GRANTING_TICKET_PREFIX);
    final TicketGrantingTicket proxyGrantingTicket = serviceTicket.grantTicketGrantingTicket(pgtId,
                                authentication, this.ticketGrantingTicketExpirationPolicy);

    logger.debug("Generated proxy granting ticket [{}] based off of [{}]", proxyGrantingTicket, serviceTicketId);
    this.ticketRegistry.addTicket(proxyGrantingTicket);

    return proxyGrantingTicket;
}
 

@Test(expected=InvalidTicketException.class)
public void getTicketGrantingTicketIfTicketIdIsMissing() throws InvalidTicketException {
    this.cas.getTicket("TGT-9000", TicketGrantingTicket.class);
}
 

@Audit(
        action = "SERVICE_TICKET_VALIDATE",
        actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER",
        resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
@Metered(name = "VALIDATE_SERVICE_TICKET_METER")
@Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws AbstractTicketException {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    verifyRegisteredServiceProperties(registeredService, service);

    final ServiceTicket serviceTicket = this.ticketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("Service ticket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    try {
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
            }
        }

        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        final RegisteredServiceAttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
        logger.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);

        @SuppressWarnings("unchecked")
        final Map<String, Object> attributesToRelease = attributePolicy != null
                ? attributePolicy.getAttributes(principal) : Collections.EMPTY_MAP;

        final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, service);
        final Principal modifiedPrincipal = this.principalFactory.createPrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = DefaultAuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        final Assertion assertion = new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());

        doPublishEvent(new CasServiceTicketValidatedEvent(this, serviceTicket, assertion));

        return assertion;

    } finally {
        if (serviceTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(serviceTicketId);
        }
    }
}
 

@Test(expected=InvalidTicketException.class)
public void testNonExistentServiceWhenDelegatingTicketGrantingTicket() throws Exception {
    this.cas.delegateTicketGrantingTicket("bad-st", TestUtils.getCredentialsWithSameUsernameAndPassword());
}
 

/**
 * @throws IllegalArgumentException if the ServiceTicketId or the Service
 * are null.
 */
@Audit(
    action="SERVICE_TICKET_VALIDATE",
    actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER",
    resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="VALIDATE_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException {
    Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
    Assert.notNull(service, "service cannot be null");
 
    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("ServiceTicket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());
    
    try {
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("ServiceTicket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new TicketValidationException(serviceTicket.getService());
            }
        }

        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        Map<String, Object> attributesToRelease = this.defaultAttributeFilter.filter(principal.getId(),
                principal.getAttributes(), registeredService);
        if (registeredService.getAttributeFilter() != null) {
            attributesToRelease = registeredService.getAttributeFilter().filter(principal.getId(),
                    attributesToRelease, registeredService);
        }

        final String principalId = determinePrincipalIdForRegisteredService(principal, registeredService, serviceTicket);
        final Principal modifiedPrincipal = new SimplePrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = AuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        return new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());
    } finally {
        if (serviceTicket.isExpired()) {
            this.serviceTicketRegistry.deleteTicket(serviceTicketId);
        }
    }
}
 

/**
 * @throws IllegalArgumentException if the ServiceTicketId or the
 * Credential are null.
 */
@Audit(
    action="PROXY_GRANTING_TICKET",
    actionResolverName="GRANT_PROXY_GRANTING_TICKET_RESOLVER",
    resourceResolverName="GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_PROXY_GRANTING_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String delegateTicketGrantingTicket(final String serviceTicketId, final Credential... credentials)
        throws AuthenticationException, TicketException {

    Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
    Assert.notNull(credentials, "credentials cannot be null");

    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null || serviceTicket.isExpired()) {
        logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    final RegisteredService registeredService = this.servicesManager
            .findServiceBy(serviceTicket.getService());

    verifyRegisteredServiceProperties(registeredService, serviceTicket.getService());
    
    if (!registeredService.isAllowedToProxy()) {
        logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    final Authentication authentication = this.authenticationManager.authenticate(credentials);

    final TicketGrantingTicket ticketGrantingTicket = serviceTicket
            .grantTicketGrantingTicket(
                    this.ticketGrantingTicketUniqueTicketIdGenerator
                            .getNewTicketId(TicketGrantingTicket.PREFIX),
                    authentication, this.ticketGrantingTicketExpirationPolicy);

    this.ticketRegistry.addTicket(ticketGrantingTicket);

    return ticketGrantingTicket.getId();
}
 

/**
 * @throws IllegalArgumentException if ticketGrantingTicketId or service are null.
 */
@Audit(
    action="SERVICE_TICKET",
    actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
    resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String grantServiceTicket(
        final String ticketGrantingTicketId, final Service service, final Credential... credentials)
        throws AuthenticationException, TicketException {
    Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
    Assert.notNull(service, "service cannot be null");

    final TicketGrantingTicket ticketGrantingTicket = this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

    if (ticketGrantingTicket == null) {
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
        throw new InvalidTicketException(ticketGrantingTicketId);
    }

    synchronized (ticketGrantingTicket) {
        if (ticketGrantingTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
            logger.debug("TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.", ticketGrantingTicketId);
            throw new InvalidTicketException(ticketGrantingTicketId);
        }
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, service);
    
    if (!registeredService.isSsoEnabled() && credentials == null
        && ticketGrantingTicket.getCountOfUses() > 0) {
        logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
        throw new UnauthorizedSsoServiceException();
    }

    //CAS-1019
    final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
    if(authns.size() > 1) {
        if (!registeredService.isAllowedToProxy()) {
            final String message = String.
                    format("ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
                    service.getId(), registeredService.toString());
            logger.warn(message);
            throw new UnauthorizedProxyingException(message);
        }
    }

    if (credentials != null) {
        final Authentication current = this.authenticationManager.authenticate(credentials);
        final Authentication original = ticketGrantingTicket.getAuthentication();
        if (!current.getPrincipal().equals(original.getPrincipal())) {
            throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal());
        }
        ticketGrantingTicket.getSupplementalAuthentications().add(current);
    }

    // Perform security policy check by getting the authentication that satisfies the configured policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(ticketGrantingTicket.getRoot(), new ServiceContext(service, registeredService));

    final String uniqueTicketIdGenKey = service.getClass().getName();
    if (!this.uniqueTicketIdGeneratorsForService.containsKey(uniqueTicketIdGenKey)) {
        logger.warn("Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator",
                uniqueTicketIdGenKey, service.getId());
        throw new UnauthorizedSsoServiceException();
    }
    
    final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
            this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);

    final String generatedServiceTicketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX);
    logger.debug("Generated service ticket id [{}] for ticket granting ticket [{}]",
            generatedServiceTicketId, ticketGrantingTicket.getId());
    
    final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket(generatedServiceTicketId, service,
            this.serviceTicketExpirationPolicy, credentials != null);

    this.serviceTicketRegistry.addTicket(serviceTicket);

    if (logger.isInfoEnabled()) {
        final List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications();
        final String formatString = "Granted %s ticket [%s] for service [%s] for user [%s]";
        final String type;
        final String principalId = authentications.get(authentications.size() - 1).getPrincipal().getId();

        if (authentications.size() == 1) {
            type = "service";
        } else {
            type = "proxy";
        }

        logger.info(String.format(formatString, type, serviceTicket.getId(), service.getId(), principalId));
    }

    return serviceTicket.getId();
}
 

/**
 * {@inheritDoc}
 */
@Override
public <T extends Ticket> T getTicket(final String ticketId, final Class<? extends Ticket> clazz)
        throws InvalidTicketException {
    return this.centralAuthenticationService.getTicket(ticketId, clazz);
}
 

@Audit(
    action="SERVICE_TICKET_VALIDATE",
    actionResolverName="VALIDATE_SERVICE_TICKET_RESOLVER",
    resourceResolverName="VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name="VALIDATE_SERVICE_TICKET_TIMER")
@Metered(name="VALIDATE_SERVICE_TICKET_METER")
@Counted(name="VALIDATE_SERVICE_TICKET_COUNTER", monotonic=true)
@Override
public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException {
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    verifyRegisteredServiceProperties(registeredService, service);

    final ServiceTicket serviceTicket =  this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);

    if (serviceTicket == null) {
        logger.info("Service ticket [{}] does not exist.", serviceTicketId);
        throw new InvalidTicketException(serviceTicketId);
    }

    try {
        synchronized (serviceTicket) {
            if (serviceTicket.isExpired()) {
                logger.info("ServiceTicket [{}] has expired.", serviceTicketId);
                throw new InvalidTicketException(serviceTicketId);
            }

            if (!serviceTicket.isValidFor(service)) {
                logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]",
                        serviceTicketId, serviceTicket.getService().getId(), service);
                throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
            }
        }

        final TicketGrantingTicket root = serviceTicket.getGrantingTicket().getRoot();
        final Authentication authentication = getAuthenticationSatisfiedByPolicy(
                root, new ServiceContext(serviceTicket.getService(), registeredService));
        final Principal principal = authentication.getPrincipal();

        final AttributeReleasePolicy attributePolicy = registeredService.getAttributeReleasePolicy();
        logger.debug("Attribute policy [{}] is associated with service [{}]", attributePolicy, registeredService);
        
        @SuppressWarnings("unchecked")
        final Map<String, Object> attributesToRelease = attributePolicy != null
                ? attributePolicy.getAttributes(principal) : Collections.EMPTY_MAP;
        
        final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(principal, service);
        final Principal modifiedPrincipal = this.principalFactory.createPrincipal(principalId, attributesToRelease);
        final AuthenticationBuilder builder = DefaultAuthenticationBuilder.newInstance(authentication);
        builder.setPrincipal(modifiedPrincipal);

        return new ImmutableAssertion(
                builder.build(),
                serviceTicket.getGrantingTicket().getChainedAuthentications(),
                serviceTicket.getService(),
                serviceTicket.isFromNewLogin());
    } finally {
        if (serviceTicket.isExpired()) {
            this.serviceTicketRegistry.deleteTicket(serviceTicketId);
        }
    }
}
 

@Test
public void verifyLogging5() {
    logger.trace(getMarker("trace"), getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}
 

@Test
public void verifyLogging9() {
    logger.trace(getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}
 

@Test(expected=IllegalArgumentException.class)
public void getTicketGrantingTicketIfTicketIdIsNull() throws InvalidTicketException {
    this.cas.getTicket(null, TicketGrantingTicket.class);
}
 

@Test(expected=InvalidTicketException.class)
public void verifyNonExistentServiceWhenDelegatingTicketGrantingTicket() throws Exception {
    this.cas.delegateTicketGrantingTicket("bad-st", TestUtils.getCredentialsWithSameUsernameAndPassword());
}
 

@Test
public void verifyLogging91110() {
    logger.error(getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}
 

@Test
public void verifyLogging51110() {
    logger.error(getMarker("error"), getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}
 

@Test
public void verifyLogging9111() {
    logger.warn(getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}
 

@Test
public void verifyLogging5111() {
    logger.warn(getMarker("warn"), getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}
 

@Test
public void verifyLogging911() {
    logger.info(getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}
 

@Test
public void verifyLogging511() {
    logger.info(getMarker("info"), getMessageToLog(), new RuntimeException(ID1, new InvalidTicketException(ID2)));
    validateLogData();
}