org.jasig.cas.util.UniqueTicketIdGenerator Java Examples

Example #1
Source File: CentralAuthenticationServiceImpl.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Creates the central authentication service and wires its collaborators.
 * <p>
 * If no dedicated registry is given for service tickets, the ticket-granting-ticket
 * registry is used for both ticket kinds. The two id generators (one for TGTs, one per
 * service class) are what produce ticket identifiers, so their unpredictability is the
 * property that keeps issued ids from being guessed.
 *
 * @param ticketRegistry registry holding ticket-granting tickets.
 * @param serviceTicketRegistry registry holding service tickets; {@code null} means "reuse {@code ticketRegistry}".
 * @param authenticationManager authenticates credentials presented on renewed logins.
 * @param ticketGrantingTicketUniqueTicketIdGenerator generator for TGT identifiers.
 * @param uniqueTicketIdGeneratorsForService service-class name to generator for service-ticket identifiers.
 * @param ticketGrantingTicketExpirationPolicy expiration policy applied to TGTs.
 * @param serviceTicketExpirationPolicy expiration policy applied to service tickets.
 * @param servicesManager lookup of registered services and their access rules.
 * @param logoutManager handles logout processing.
 */
public CentralAuthenticationServiceImpl(
        final TicketRegistry ticketRegistry,
        final TicketRegistry serviceTicketRegistry,
        final AuthenticationManager authenticationManager,
        final UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator,
        final Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService,
        final ExpirationPolicy ticketGrantingTicketExpirationPolicy,
        final ExpirationPolicy serviceTicketExpirationPolicy,
        final ServicesManager servicesManager,
        final LogoutManager logoutManager) {
    this.ticketRegistry = ticketRegistry;
    // A single registry may back both ticket kinds; only split them when asked to.
    if (serviceTicketRegistry != null) {
        this.serviceTicketRegistry = serviceTicketRegistry;
    } else {
        this.serviceTicketRegistry = ticketRegistry;
    }
    this.authenticationManager = authenticationManager;
    this.servicesManager = servicesManager;
    this.logoutManager = logoutManager;
    this.ticketGrantingTicketUniqueTicketIdGenerator = ticketGrantingTicketUniqueTicketIdGenerator;
    this.uniqueTicketIdGeneratorsForService = uniqueTicketIdGeneratorsForService;
    this.ticketGrantingTicketExpirationPolicy = ticketGrantingTicketExpirationPolicy;
    this.serviceTicketExpirationPolicy = serviceTicketExpirationPolicy;
}
 
Example #2
Source File: X509CertificateCredentialsNonInteractiveActionTests.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Wires a real CAS instance behind the X.509 non-interactive action.
 * Authentication is handled by an X.509 handler restricted to issuers matching
 * {@code CN=\w+,DC=jasig,DC=org}; the principal is resolved from the certificate serial number.
 */
@Before
public void setUp() throws Exception {
    final X509CredentialsAuthenticationHandler x509Handler = new X509CredentialsAuthenticationHandler();
    x509Handler.setTrustedIssuerDnPattern("CN=\\w+,DC=jasig,DC=org");

    final AuthenticationManager authnManager = new PolicyBasedAuthenticationManager(
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    x509Handler, new X509SerialNumberPrincipalResolver()));

    // Only the simple web application service class gets a service-ticket id generator.
    final Map<String, UniqueTicketIdGenerator> serviceIdGenerators =
            new HashMap<String, UniqueTicketIdGenerator>();
    serviceIdGenerators.put(SimpleWebApplicationServiceImpl.class.getName(),
            new DefaultUniqueTicketIdGenerator());

    final CentralAuthenticationServiceImpl cas = new CentralAuthenticationServiceImpl(
            new DefaultTicketRegistry(),
            null, // the CAS constructor falls back to the TGT registry for service tickets
            authnManager,
            new DefaultUniqueTicketIdGenerator(),
            serviceIdGenerators,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            mock(ServicesManager.class),
            mock(LogoutManager.class));

    this.action = new X509CertificateCredentialsNonInteractiveAction();
    this.action.setCentralAuthenticationService(cas);
    this.action.afterPropertiesSet();
}
 
Example #3
Source File: OpenIdSingleSignOnActionTests.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Builds the OpenID single sign-on action on top of a real CAS instance.
 * The OpenID handler validates against the same in-memory ticket registry the CAS
 * instance uses, and OpenID services get the default service-ticket id generator.
 */
@Before
public void setUp() throws Exception {
    this.ticketRegistry = new DefaultTicketRegistry();

    final OpenIdCredentialsAuthenticationHandler openIdHandler = new OpenIdCredentialsAuthenticationHandler();
    openIdHandler.setTicketRegistry(this.ticketRegistry);
    final Map<AuthenticationHandler, PrincipalResolver> handlerToResolver =
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    openIdHandler, new OpenIdPrincipalResolver());
    this.authenticationManager = new PolicyBasedAuthenticationManager(handlerToResolver);

    final Map<String, UniqueTicketIdGenerator> openIdGenerators = new HashMap<>();
    openIdGenerators.put(OpenIdService.class.getName(), new DefaultUniqueTicketIdGenerator());

    final DefaultServicesManagerImpl servicesManager =
            new DefaultServicesManagerImpl(new InMemoryServiceRegistryDaoImpl());
    this.impl = new CentralAuthenticationServiceImpl(
            this.ticketRegistry,
            null, // no separate service-ticket registry
            this.authenticationManager,
            new DefaultUniqueTicketIdGenerator(),
            openIdGenerators,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            servicesManager,
            mock(LogoutManager.class));

    final OpenIdSingleSignOnAction ssoAction = new OpenIdSingleSignOnAction();
    ssoAction.setCentralAuthenticationService(this.impl);
    ssoAction.setExtractor(new DefaultOpenIdUserNameExtractor());
    this.action = ssoAction;
    this.action.afterPropertiesSet();
}
 
Example #4
Source File: PrincipalFromRequestRemoteUserNonInteractiveCredentialsActionTests.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Prepares the remote-user action with a real CAS instance whose authentication
 * manager accepts principal-bearing credentials.
 */
@Before
public void setUp() throws Exception {
    final AuthenticationManager authnManager = new PolicyBasedAuthenticationManager(
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    new PrincipalBearingCredentialsAuthenticationHandler(),
                    new PrincipalBearingPrincipalResolver()));

    // Service-ticket ids are only configured for the simple web application service class.
    final Map<String, UniqueTicketIdGenerator> generatorsByServiceClass = new HashMap<>();
    generatorsByServiceClass.put(SimpleWebApplicationServiceImpl.class.getName(),
            new DefaultUniqueTicketIdGenerator());

    final CentralAuthenticationServiceImpl cas = new CentralAuthenticationServiceImpl(
            new DefaultTicketRegistry(),
            null, // service tickets share the TGT registry
            authnManager,
            new DefaultUniqueTicketIdGenerator(),
            generatorsByServiceClass,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            mock(ServicesManager.class),
            mock(LogoutManager.class));

    this.action = new PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction();
    this.action.setCentralAuthenticationService(cas);
}
 
Example #5
Source File: PrincipalFromRequestUserPrincipalNonInteractiveCredentialsActionTests.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Prepares the user-principal action with a real CAS instance whose authentication
 * manager accepts principal-bearing credentials.
 */
@Before
public void setUp() throws Exception {
    final AuthenticationManager authnManager = new PolicyBasedAuthenticationManager(
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    new PrincipalBearingCredentialsAuthenticationHandler(),
                    new PrincipalBearingPrincipalResolver()));

    // Service-ticket ids are only configured for the simple web application service class.
    final Map<String, UniqueTicketIdGenerator> generatorsByServiceClass = new HashMap<>();
    generatorsByServiceClass.put(SimpleWebApplicationServiceImpl.class.getName(),
            new DefaultUniqueTicketIdGenerator());

    final CentralAuthenticationServiceImpl cas = new CentralAuthenticationServiceImpl(
            new DefaultTicketRegistry(),
            null, // service tickets share the TGT registry
            authnManager,
            new DefaultUniqueTicketIdGenerator(),
            generatorsByServiceClass,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            mock(ServicesManager.class),
            mock(LogoutManager.class));

    this.action = new PrincipalFromRequestUserPrincipalNonInteractiveCredentialsAction();
    this.action.setCentralAuthenticationService(cas);
}
 
Example #6
Source File: PrincipalFromRequestUserPrincipalNonInteractiveCredentialsActionTests.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Prepares the user-principal action with a real CAS instance whose authentication
 * manager accepts principal-bearing credentials.
 */
@Before
public void setUp() throws Exception {
    final AuthenticationManager authnManager = new PolicyBasedAuthenticationManager(
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    new PrincipalBearingCredentialsAuthenticationHandler(),
                    new PrincipalBearingPrincipalResolver()));

    // Service-ticket ids are only configured for the simple web application service class.
    final Map<String, UniqueTicketIdGenerator> generatorsByServiceClass =
            new HashMap<String, UniqueTicketIdGenerator>();
    generatorsByServiceClass.put(SimpleWebApplicationServiceImpl.class.getName(),
            new DefaultUniqueTicketIdGenerator());

    final CentralAuthenticationServiceImpl cas = new CentralAuthenticationServiceImpl(
            new DefaultTicketRegistry(),
            null, // service tickets share the TGT registry
            authnManager,
            new DefaultUniqueTicketIdGenerator(),
            generatorsByServiceClass,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            mock(ServicesManager.class),
            mock(LogoutManager.class));

    this.action = new PrincipalFromRequestUserPrincipalNonInteractiveCredentialsAction();
    this.action.setCentralAuthenticationService(cas);
}
 
Example #7
Source File: X509CertificateCredentialsNonInteractiveActionTests.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Wires a real CAS instance behind the X.509 non-interactive action.
 * The X.509 handler only trusts issuers matching {@code CN=\w+,DC=jasig,DC=org};
 * the principal is resolved from the certificate serial number.
 */
@Before
public void setUp() throws Exception {
    final X509CredentialsAuthenticationHandler x509Handler = new X509CredentialsAuthenticationHandler();
    x509Handler.setTrustedIssuerDnPattern("CN=\\w+,DC=jasig,DC=org");
    final AuthenticationManager authnManager = new PolicyBasedAuthenticationManager(
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    x509Handler, new X509SerialNumberPrincipalResolver()));

    // Only the simple web application service class gets a service-ticket id generator.
    final Map<String, UniqueTicketIdGenerator> serviceIdGenerators = new HashMap<>();
    serviceIdGenerators.put(SimpleWebApplicationServiceImpl.class.getName(),
            new DefaultUniqueTicketIdGenerator());

    final CentralAuthenticationServiceImpl cas = new CentralAuthenticationServiceImpl(
            new DefaultTicketRegistry(),
            null, // service tickets share the TGT registry
            authnManager,
            new DefaultUniqueTicketIdGenerator(),
            serviceIdGenerators,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            mock(ServicesManager.class),
            mock(LogoutManager.class));

    this.action = new X509CertificateCredentialsNonInteractiveAction();
    this.action.setCentralAuthenticationService(cas);
    this.action.afterPropertiesSet();
}
 
Example #8
Source File: PrincipalFromRequestRemoteUserNonInteractiveCredentialsActionTests.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Prepares the remote-user action with a real CAS instance whose authentication
 * manager accepts principal-bearing credentials.
 */
@Before
public void setUp() throws Exception {
    final AuthenticationManager authnManager = new PolicyBasedAuthenticationManager(
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    new PrincipalBearingCredentialsAuthenticationHandler(),
                    new PrincipalBearingPrincipalResolver()));

    // Service-ticket ids are only configured for the simple web application service class.
    final Map<String, UniqueTicketIdGenerator> generatorsByServiceClass =
            new HashMap<String, UniqueTicketIdGenerator>();
    generatorsByServiceClass.put(SimpleWebApplicationServiceImpl.class.getName(),
            new DefaultUniqueTicketIdGenerator());

    final CentralAuthenticationServiceImpl cas = new CentralAuthenticationServiceImpl(
            new DefaultTicketRegistry(),
            null, // service tickets share the TGT registry
            authnManager,
            new DefaultUniqueTicketIdGenerator(),
            generatorsByServiceClass,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            mock(ServicesManager.class),
            mock(LogoutManager.class));

    this.action = new PrincipalFromRequestRemoteUserNonInteractiveCredentialsAction();
    this.action.setCentralAuthenticationService(cas);
}
 
Example #9
Source File: CentralAuthenticationServiceImpl.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Creates the central authentication service and wires its collaborators.
 * <p>
 * Passing {@code null} for {@code serviceTicketRegistry} makes the TGT registry hold
 * service tickets as well. Ticket identifiers are produced by the supplied generators,
 * so their unpredictability is what keeps issued ids from being guessed.
 *
 * @param ticketRegistry registry holding ticket-granting tickets.
 * @param serviceTicketRegistry registry holding service tickets, or {@code null} to reuse {@code ticketRegistry}.
 * @param authenticationManager authenticates credentials presented on renewed logins.
 * @param ticketGrantingTicketUniqueTicketIdGenerator generator for TGT identifiers.
 * @param uniqueTicketIdGeneratorsForService service-class name to generator for service-ticket identifiers.
 * @param ticketGrantingTicketExpirationPolicy expiration policy applied to TGTs.
 * @param serviceTicketExpirationPolicy expiration policy applied to service tickets.
 * @param servicesManager lookup of registered services and their access rules.
 * @param logoutManager handles logout processing.
 */
public CentralAuthenticationServiceImpl(
        final TicketRegistry ticketRegistry,
        final TicketRegistry serviceTicketRegistry,
        final AuthenticationManager authenticationManager,
        final UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator,
        final Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService,
        final ExpirationPolicy ticketGrantingTicketExpirationPolicy,
        final ExpirationPolicy serviceTicketExpirationPolicy,
        final ServicesManager servicesManager,
        final LogoutManager logoutManager) {
    // Fall back to the TGT registry when no dedicated service-ticket registry is supplied.
    this.ticketRegistry = ticketRegistry;
    this.serviceTicketRegistry = serviceTicketRegistry == null ? ticketRegistry : serviceTicketRegistry;

    this.authenticationManager = authenticationManager;
    this.servicesManager = servicesManager;
    this.logoutManager = logoutManager;

    this.ticketGrantingTicketUniqueTicketIdGenerator = ticketGrantingTicketUniqueTicketIdGenerator;
    this.uniqueTicketIdGeneratorsForService = uniqueTicketIdGeneratorsForService;
    this.ticketGrantingTicketExpirationPolicy = ticketGrantingTicketExpirationPolicy;
    this.serviceTicketExpirationPolicy = serviceTicketExpirationPolicy;
}
 
Example #10
Source File: OpenIdSingleSignOnActionTests.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Builds the OpenID single sign-on action on top of a real CAS instance.
 * The OpenID handler validates against the same in-memory ticket registry the CAS
 * instance uses, and OpenID services get the default service-ticket id generator.
 */
@Before
public void setUp() throws Exception {
    this.ticketRegistry = new DefaultTicketRegistry();

    final OpenIdCredentialsAuthenticationHandler openIdHandler = new OpenIdCredentialsAuthenticationHandler();
    openIdHandler.setTicketRegistry(this.ticketRegistry);
    final Map<AuthenticationHandler, PrincipalResolver> handlerToResolver =
            Collections.<AuthenticationHandler, PrincipalResolver>singletonMap(
                    openIdHandler, new OpenIdPrincipalResolver());
    this.authenticationManager = new PolicyBasedAuthenticationManager(handlerToResolver);

    final Map<String, UniqueTicketIdGenerator> openIdGenerators =
            new HashMap<String, UniqueTicketIdGenerator>();
    openIdGenerators.put(OpenIdService.class.getName(), new DefaultUniqueTicketIdGenerator());

    final DefaultServicesManagerImpl servicesManager =
            new DefaultServicesManagerImpl(new InMemoryServiceRegistryDaoImpl());
    this.impl = new CentralAuthenticationServiceImpl(
            this.ticketRegistry,
            null, // no separate service-ticket registry
            this.authenticationManager,
            new DefaultUniqueTicketIdGenerator(),
            openIdGenerators,
            new NeverExpiresExpirationPolicy(),
            new NeverExpiresExpirationPolicy(),
            servicesManager,
            mock(LogoutManager.class));

    final OpenIdSingleSignOnAction ssoAction = new OpenIdSingleSignOnAction();
    ssoAction.setCentralAuthenticationService(this.impl);
    ssoAction.setExtractor(new DefaultOpenIdUserNameExtractor());
    this.action = ssoAction;
    this.action.afterPropertiesSet();
}
 
Example #11
Source File: DefaultTicketRegistryCleanerTests.java — from springboot-shiro-cas-mybatis (MIT License)
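/**
 * Builds a fresh {@link DefaultTicketRegistryCleaner} around a newly created CAS instance.
 * <p>
 * The CAS instance is given the same registry for TGTs and service tickets and mocked
 * authentication, id-generation, services and logout collaborators; no per-service
 * ticket id generators are configured.
 *
 * @param ticketRegistry the registry supplied by the caller. NOTE(review): this argument
 *     is not used — both the CAS instance and the cleaner are built on
 *     {@code this.ticketRegistry}, preserving the fixture's original behaviour.
 * @return a cleaner bound to the new CAS instance and {@code this.ticketRegistry}.
 */
@Override
public RegistryCleaner getNewRegistryCleaner(final TicketRegistry ticketRegistry) {
    // Collections.emptyMap() is the typed form of the raw Collections.EMPTY_MAP and
    // returns the same immutable instance, so the unchecked-conversion warning goes away.
    this.centralAuthenticationService = new CentralAuthenticationServiceImpl(this.ticketRegistry, this.ticketRegistry,
            mock(AuthenticationManager.class), mock(UniqueTicketIdGenerator.class),
            Collections.<String, UniqueTicketIdGenerator>emptyMap(),
            new NeverExpiresExpirationPolicy(), new NeverExpiresExpirationPolicy(), mock(ServicesManager.class),
            mock(LogoutManager.class));

    return new DefaultTicketRegistryCleaner(this.centralAuthenticationService, this.ticketRegistry);
}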
 
Example #12
Source File: Cas20ProxyHandler.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Injects the ticket id generator this proxy handler uses.
 * <p>
 * The generator decides how unpredictable the identifiers handed out by this
 * handler are, so it should be backed by a secure random source in production.
 *
 * @param uniqueTicketIdGenerator the generator to use from now on.
 */
public void setUniqueTicketIdGenerator(final UniqueTicketIdGenerator uniqueTicketIdGenerator) {
    this.uniqueTicketIdGenerator = uniqueTicketIdGenerator;
}
 
Example #13
Source File: GenerateLoginTicketAction.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Injects the generator used to produce login ticket identifiers.
 *
 * @param generator the id generator to use; should be backed by a secure random
 *     source so login tickets cannot be guessed.
 */
public void setTicketIdGenerator(final UniqueTicketIdGenerator generator) {
    this.ticketIdGenerator = generator;
}
 
Example #14
Source File: CentralAuthenticationServiceImplWithMokitoTests.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Builds a CAS instance whose collaborators are all Mockito mocks.
 * <p>
 * The fixture contains two service tickets (ST_ID for TestUtils.getService(), ST2_ID for
 * SVC2_ID), each granted by its own TGT (TGT_ID, TGT2_ID); both TGTs share one root TGT and
 * report an authentication chain of size 2 so that proxy handling can be exercised.
 * Three registered services are mocked: SVC1_ID (enabled, proxying not allowed),
 * "test" (disabled) and SVC2_ID (enabled, proxying allowed). The per-service id generator
 * map is itself a mock that answers every key, so ticket generation never fails on a
 * missing generator.
 * <p>
 * Statement order matters here: later stubs read ids from earlier stubs (e.g.
 * {@code tgtMock.getId()}), so reordering the mock setup changes what gets registered.
 */
@Before
public void prepareNewCAS() {
    this.authentication = mock(Authentication.class);
    when(this.authentication.getAuthenticatedDate()).thenReturn(new Date());
    final CredentialMetaData metadata = new BasicCredentialMetaData(TestUtils.getCredentialsWithSameUsernameAndPassword("principal"));
    final Map<String, HandlerResult> successes = new HashMap<String, HandlerResult>();
    successes.put("handler1", new HandlerResult(mock(AuthenticationHandler.class), metadata));
    when(this.authentication.getCredentials()).thenReturn(Arrays.asList(metadata));
    when(this.authentication.getSuccesses()).thenReturn(successes);
    when(this.authentication.getPrincipal()).thenReturn(new SimplePrincipal(PRINCIPAL));
    
    // Service ticket for the default test service; isValidFor only answers true for that service.
    final ServiceTicket stMock = mock(ServiceTicket.class);
    when(stMock.getService()).thenReturn(TestUtils.getService());
    when(stMock.getId()).thenReturn(ST_ID);
    when(stMock.isValidFor(TestUtils.getService())).thenReturn(true);
    
    // Root TGT shared by both granting tickets; never expired, carries the mocked authentication.
    final TicketGrantingTicket tgtRootMock = mock(TicketGrantingTicket.class);
    when(tgtRootMock.isExpired()).thenReturn(false);
    when(tgtRootMock.getAuthentication()).thenReturn(this.authentication);
    
    // grantServiceTicket is only stubbed for the matching service id; any expiration policy and renew flag.
    final TicketGrantingTicket tgtMock = mock(TicketGrantingTicket.class);
    when(tgtMock.isExpired()).thenReturn(false);
    when(tgtMock.getId()).thenReturn(TGT_ID);
    when(tgtMock.grantServiceTicket(anyString(), argThat(new VerifyServiceByIdMatcher(TestUtils.getService().getId())),
            any(ExpirationPolicy.class), anyBoolean())).thenReturn(stMock);
    when(tgtMock.getRoot()).thenReturn(tgtRootMock);
            
    // Raw-typed List mock: only size() and get(int) are stubbed.
    final List<Authentication> authnListMock = mock(List.class);
    //Size is required to be 2, so that we can simulate proxying capabilities
    when(authnListMock.size()).thenReturn(2);
    when(authnListMock.get(anyInt())).thenReturn(this.authentication);
    when(tgtMock.getChainedAuthentications()).thenReturn(authnListMock);
    when(stMock.getGrantingTicket()).thenReturn(tgtMock);
    
    // Second service / service ticket / TGT, mirroring the first but keyed on SVC2_ID.
    final Service service2 = TestUtils.getService(SVC2_ID);
    final ServiceTicket stMock2 = mock(ServiceTicket.class);
    when(stMock2.getService()).thenReturn(service2);
    when(stMock2.getId()).thenReturn(ST2_ID);
    when(stMock2.isValidFor(service2)).thenReturn(true);
    
    final TicketGrantingTicket tgtMock2 = mock(TicketGrantingTicket.class);
    when(tgtMock2.isExpired()).thenReturn(false);
    when(tgtMock2.getId()).thenReturn(TGT2_ID);
    when(tgtMock2.grantServiceTicket(anyString(), argThat(new VerifyServiceByIdMatcher(service2.getId())),
            any(ExpirationPolicy.class), anyBoolean())).thenReturn(stMock2);
    when(tgtMock2.getRoot()).thenReturn(tgtRootMock);
    when(tgtMock2.getChainedAuthentications()).thenReturn(authnListMock);
    when(stMock2.getGrantingTicket()).thenReturn(tgtMock2);
    
    
    //Mock TicketRegistry
    // Lookups are keyed on the ids stubbed above, so the getId() stubs must precede this block.
    final TicketRegistry ticketRegMock = mock(TicketRegistry.class);
    when(ticketRegMock.getTicket(eq(tgtMock.getId()), eq(TicketGrantingTicket.class))).thenReturn(tgtMock);
    when(ticketRegMock.getTicket(eq(tgtMock2.getId()), eq(TicketGrantingTicket.class))).thenReturn(tgtMock2);
    when(ticketRegMock.getTicket(eq(stMock.getId()), eq(ServiceTicket.class))).thenReturn(stMock);
    when(ticketRegMock.getTicket(eq(stMock2.getId()), eq(ServiceTicket.class))).thenReturn(stMock2);
    
    //Mock ServicesManager
    // SVC1_ID: enabled, may not proxy.
    final RegisteredService mockRegSvc1 = mock(RegisteredService.class);
    when(mockRegSvc1.getServiceId()).thenReturn(SVC1_ID);
    when(mockRegSvc1.isEnabled()).thenReturn(true);
    when(mockRegSvc1.isAllowedToProxy()).thenReturn(false);
    when(mockRegSvc1.getName()).thenReturn(SVC1_ID);

    // "test": a disabled registered service.
    final RegisteredService mockRegSvc2 = mock(RegisteredService.class);
    when(mockRegSvc2.getServiceId()).thenReturn("test");
    when(mockRegSvc2.isEnabled()).thenReturn(false);
    when(mockRegSvc2.getName()).thenReturn("test");

    // SVC2_ID: enabled, may proxy; matches() is stubbed only for this id.
    final RegisteredService mockRegSvc3 = mock(RegisteredService.class);
    when(mockRegSvc3.getServiceId()).thenReturn(service2.getId());
    when(mockRegSvc3.isEnabled()).thenReturn(true);
    when(mockRegSvc3.isAllowedToProxy()).thenReturn(true);
    when(mockRegSvc3.getName()).thenReturn(service2.getId());
    when(mockRegSvc3.matches(argThat(new VerifyServiceByIdMatcher(service2.getId())))).thenReturn(true);
    
    final ServicesManager smMock = mock(ServicesManager.class);
    when(smMock.findServiceBy(argThat(new VerifyServiceByIdMatcher(SVC1_ID)))).thenReturn(mockRegSvc1);
    when(smMock.findServiceBy(argThat(new VerifyServiceByIdMatcher("test")))).thenReturn(mockRegSvc2);
    when(smMock.findServiceBy(argThat(new VerifyServiceByIdMatcher(SVC2_ID)))).thenReturn(mockRegSvc3);
    
    // Raw-typed Map mock: reports every key as present and hands out a real generator for it.
    final Map ticketIdGenForServiceMock = mock(Map.class);
    when(ticketIdGenForServiceMock.containsKey(any())).thenReturn(true);
    when(ticketIdGenForServiceMock.get(any())).thenReturn(new DefaultUniqueTicketIdGenerator());
    
    // null service-ticket registry: the CAS constructor reuses ticketRegMock for service tickets.
    this.cas = new CentralAuthenticationServiceImpl(ticketRegMock, null, mock(AuthenticationManager.class),
            mock(UniqueTicketIdGenerator.class), ticketIdGenForServiceMock, mock(ExpirationPolicy.class),
            mock(ExpirationPolicy.class), smMock, mock(LogoutManager.class));
}
 
Example #15
Source File: CentralAuthenticationServiceImpl.java — from cas4.0.x-server-wechat (Apache License 2.0)
/**
 * Grants a service ticket for {@code service} from the ticket-granting ticket identified by
 * {@code ticketGrantingTicketId}, after the registered-service policy checks pass.
 * <p>
 * The checks run in this order and each one fails closed by throwing:
 * <ol>
 *   <li>the TGT must exist in the registry and must not be expired (an expired TGT is deleted);</li>
 *   <li>the registered service is verified via {@code verifyRegisteredServiceProperties};</li>
 *   <li>a service with SSO disabled may not reuse an already-used TGT unless fresh credentials are supplied;</li>
 *   <li>a TGT whose authentication chain is longer than one (a proxy chain) is only honoured
 *       when the registered service is allowed to proxy;</li>
 *   <li>freshly supplied credentials are re-authenticated and must resolve to the TGT's principal;</li>
 *   <li>the configured authentication policy must be satisfied for the service;</li>
 *   <li>a ticket id generator must be configured for the service's class name.</li>
 * </ol>
 * The returned ticket id is what the client later presents for validation, and it is also
 * written to the debug/info log together with the TGT id, so those log lines are sensitive.
 *
 * @param ticketGrantingTicketId id of the TGT to issue from; must not be null.
 * @param service the service requesting the ticket; must not be null.
 * @param credentials credentials presented for a renewed login, or {@code null} when none were supplied.
 * @return the id of the newly registered service ticket.
 * @throws IllegalArgumentException if ticketGrantingTicketId or service are null.
 * @throws InvalidTicketException if the TGT is unknown or has expired.
 * @throws UnauthorizedSsoServiceException if the service may not use SSO, or no id generator is configured for it.
 * @throws UnauthorizedProxyingException if the TGT carries a proxy chain and the service may not proxy.
 * @throws MixedPrincipalException if the supplied credentials resolve to a different principal than the TGT.
 * @throws AuthenticationException declared by the authentication manager for failed credentials.
 * @throws TicketException propagated from ticket operations.
 */
@Audit(
    action="SERVICE_TICKET",
    actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
    resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Profiled(tag="GRANT_SERVICE_TICKET", logFailuresSeparately = false)
@Transactional(readOnly = false)
public String grantServiceTicket(
        final String ticketGrantingTicketId, final Service service, final Credential... credentials)
        throws AuthenticationException, TicketException {
    Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
    Assert.notNull(service, "service cannot be null");

    final TicketGrantingTicket ticketGrantingTicket = this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);

    if (ticketGrantingTicket == null) {
        logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", ticketGrantingTicketId);
        throw new InvalidTicketException(ticketGrantingTicketId);
    }

    // Expiry is checked while holding the TGT's monitor, presumably to serialise with other
    // callers doing the same check-and-delete. The TGT is used after the monitor is released,
    // so the reads below are not covered by this lock.
    synchronized (ticketGrantingTicket) {
        if (ticketGrantingTicket.isExpired()) {
            this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
            logger.debug("TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.", ticketGrantingTicketId);
            throw new InvalidTicketException(ticketGrantingTicketId);
        }
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    verifyRegisteredServiceProperties(registeredService, service);
    
    // Services with SSO disabled only get a ticket on a fresh login: either credentials were
    // supplied now, or the TGT has never been used before.
    if (!registeredService.isSsoEnabled() && credentials == null
        && ticketGrantingTicket.getCountOfUses() > 0) {
        logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
        throw new UnauthorizedSsoServiceException();
    }

    //CAS-1019
    // More than one authentication in the chain means this TGT was obtained through a proxy;
    // refuse unless the registered service is allowed to proxy.
    final List<Authentication> authns = ticketGrantingTicket.getChainedAuthentications();
    if(authns.size() > 1) {
        if (!registeredService.isAllowedToProxy()) {
            final String message = String.
                    format("ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.",
                    service.getId(), registeredService.toString());
            logger.warn(message);
            throw new UnauthorizedProxyingException(message);
        }
    }

    // Renewed login: the re-authenticated principal must be the TGT's principal, so a fresh
    // login cannot attach a different identity to an existing TGT.
    if (credentials != null) {
        final Authentication current = this.authenticationManager.authenticate(credentials);
        final Authentication original = ticketGrantingTicket.getAuthentication();
        if (!current.getPrincipal().equals(original.getPrincipal())) {
            throw new MixedPrincipalException(current, current.getPrincipal(), original.getPrincipal());
        }
        ticketGrantingTicket.getSupplementalAuthentications().add(current);
    }

    // Perform security policy check by getting the authentication that satisfies the configured policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(ticketGrantingTicket.getRoot(), new ServiceContext(service, registeredService));

    // Generators are keyed by the concrete service class; a service class with no configured
    // generator is refused rather than given a fallback generator.
    final String uniqueTicketIdGenKey = service.getClass().getName();
    if (!this.uniqueTicketIdGeneratorsForService.containsKey(uniqueTicketIdGenKey)) {
        logger.warn("Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator",
                uniqueTicketIdGenKey, service.getId());
        throw new UnauthorizedSsoServiceException();
    }
    
    final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
            this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);

    final String generatedServiceTicketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX);
    // Both ids below are credentials; this debug line makes the log sensitive.
    logger.debug("Generated service ticket id [{}] for ticket granting ticket [{}]",
            generatedServiceTicketId, ticketGrantingTicket.getId());
    
    // The last argument records whether fresh credentials were presented for this grant
    // (presumably the "renewed login" flag on the service ticket — confirm against TicketGrantingTicket).
    final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket(generatedServiceTicketId, service,
            this.serviceTicketExpirationPolicy, credentials != null);

    this.serviceTicketRegistry.addTicket(serviceTicket);

    if (logger.isInfoEnabled()) {
        // A chain of exactly one authentication is a plain service ticket; longer chains are proxy tickets.
        // The principal reported is the last one in the chain.
        final List<Authentication> authentications = serviceTicket.getGrantingTicket().getChainedAuthentications();
        final String formatString = "Granted %s ticket [%s] for service [%s] for user [%s]";
        final String type;
        final String principalId = authentications.get(authentications.size() - 1).getPrincipal().getId();

        if (authentications.size() == 1) {
            type = "service";
        } else {
            type = "proxy";
        }

        logger.info(String.format(formatString, type, serviceTicket.getId(), service.getId(), principalId));
    }

    return serviceTicket.getId();
}
 
Example #16
Source File: Cas20ProxyHandler.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Injects the ticket id generator this proxy handler uses.
 * <p>
 * The generator decides how unpredictable the identifiers handed out by this
 * handler are, so it should be backed by a secure random source in production.
 *
 * @param uniqueTicketIdGenerator the generator to use from now on.
 */
public void setUniqueTicketIdGenerator(final UniqueTicketIdGenerator uniqueTicketIdGenerator) {
    this.uniqueTicketIdGenerator = uniqueTicketIdGenerator;
}
 
Example #17
Source File: GenerateLoginTicketAction.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Injects the generator used to produce login ticket identifiers.
 *
 * @param generator the id generator to use; should be backed by a secure random
 *     source so login tickets cannot be guessed.
 */
public void setTicketIdGenerator(final UniqueTicketIdGenerator generator) {
    this.ticketIdGenerator = generator;
}
 
Example #18
Source File: CentralAuthenticationServiceImplWithMockitoTests.java — from springboot-shiro-cas-mybatis (MIT License)
/**
 * Builds a CAS instance whose collaborators are all Mockito mocks.
 * <p>
 * Two service tickets (ST_ID for SVC1_ID, ST2_ID for SVC2_ID) are created through the
 * {@code createMock*} helpers, each granted by its own TGT (TGT_ID, TGT2_ID) under one shared
 * root TGT. The first TGT is marked as proxied by a "proxiedBy" service and both report an
 * authentication chain of size 2 so that proxy handling can be exercised. Three registered
 * services are mocked: SVC1_ID (enabled, no proxying), "test" (disabled, proxying allowed)
 * and SVC2_ID (enabled, proxying allowed). The per-service id generator map is itself a
 * mock that answers every key, so ticket generation never fails on a missing generator.
 * <p>
 * Statement order matters: the registry stubs read ids from the mocks created above them.
 */
@Before
public void prepareNewCAS() {
    this.authentication = mock(Authentication.class);
    when(this.authentication.getAuthenticationDate()).thenReturn(new Date());
    final CredentialMetaData metadata = new BasicCredentialMetaData(TestUtils.getCredentialsWithSameUsernameAndPassword("principal"));
    final Map<String, HandlerResult> successes = new HashMap<>();
    successes.put("handler1", new DefaultHandlerResult(mock(AuthenticationHandler.class), metadata));
    when(this.authentication.getCredentials()).thenReturn(Arrays.asList(metadata));
    when(this.authentication.getSuccesses()).thenReturn(successes);
    when(this.authentication.getPrincipal()).thenReturn(new DefaultPrincipalFactory().createPrincipal(PRINCIPAL));
     
    final Service service1 = TestUtils.getService(SVC1_ID);
    final ServiceTicket stMock = createMockServiceTicket(ST_ID, service1); 
    
    final TicketGrantingTicket tgtRootMock = createRootTicketGrantingTicket();
    
    // First TGT starts with an empty chained-authentication list; it is replaced by the size-2 mock below.
    final TicketGrantingTicket tgtMock = createMockTicketGrantingTicket(TGT_ID, stMock, false,
            tgtRootMock, new ArrayList<Authentication>());
    when(tgtMock.getProxiedBy()).thenReturn(TestUtils.getService("proxiedBy"));

    // Raw-typed List mock: only size() and get(int) are stubbed.
    final List<Authentication> authnListMock = mock(List.class);
    //Size is required to be 2, so that we can simulate proxying capabilities
    when(authnListMock.size()).thenReturn(2);
    when(authnListMock.get(anyInt())).thenReturn(this.authentication);
    when(tgtMock.getChainedAuthentications()).thenReturn(authnListMock);
    when(stMock.getGrantingTicket()).thenReturn(tgtMock);
    
    final Service service2 = TestUtils.getService(SVC2_ID);
    final ServiceTicket stMock2 = createMockServiceTicket(ST2_ID, service2);
    
    // Second TGT is built directly with the size-2 authentication chain.
    final TicketGrantingTicket tgtMock2 = createMockTicketGrantingTicket(TGT2_ID, stMock2, false, tgtRootMock, authnListMock);        
    
    //Mock TicketRegistry
    // Lookups are keyed on the ids of the mocks above; getTickets() lists all four.
    this.ticketRegMock = mock(TicketRegistry.class);
    when(ticketRegMock.getTicket(eq(tgtMock.getId()), eq(TicketGrantingTicket.class))).thenReturn(tgtMock);
    when(ticketRegMock.getTicket(eq(tgtMock2.getId()), eq(TicketGrantingTicket.class))).thenReturn(tgtMock2);
    when(ticketRegMock.getTicket(eq(stMock.getId()), eq(ServiceTicket.class))).thenReturn(stMock);
    when(ticketRegMock.getTicket(eq(stMock2.getId()), eq(ServiceTicket.class))).thenReturn(stMock2);
    when(ticketRegMock.getTickets()).thenReturn(Arrays.asList(tgtMock, tgtMock2, stMock, stMock2));

    //Mock ServicesManager
    // Arguments: service id, enabled flag, proxy policy (helper defined elsewhere in this class).
    final RegisteredService mockRegSvc1 = createMockRegisteredService(service1.getId(), true, getServiceProxyPolicy(false));
    final RegisteredService mockRegSvc2 = createMockRegisteredService("test", false, getServiceProxyPolicy(true)); 
    final RegisteredService mockRegSvc3 = createMockRegisteredService(service2.getId(), true, getServiceProxyPolicy(true)); 
    
    final ServicesManager smMock = mock(ServicesManager.class);
    when(smMock.findServiceBy(argThat(new VerifyServiceByIdMatcher(service1.getId())))).thenReturn(mockRegSvc1);
    when(smMock.findServiceBy(argThat(new VerifyServiceByIdMatcher("test")))).thenReturn(mockRegSvc2);
    when(smMock.findServiceBy(argThat(new VerifyServiceByIdMatcher(service2.getId())))).thenReturn(mockRegSvc3);
    
    // Raw-typed Map mock: reports every key as present and hands out a real generator for it.
    final Map ticketIdGenForServiceMock = mock(Map.class);
    when(ticketIdGenForServiceMock.containsKey(any())).thenReturn(true);
    when(ticketIdGenForServiceMock.get(any())).thenReturn(new DefaultUniqueTicketIdGenerator());
    
    // null service-ticket registry: the CAS constructor reuses ticketRegMock for service tickets.
    this.cas = new CentralAuthenticationServiceImpl(ticketRegMock, null, mock(AuthenticationManager.class),
            mock(UniqueTicketIdGenerator.class), ticketIdGenForServiceMock, mock(ExpirationPolicy.class),
            mock(ExpirationPolicy.class), smMock, mock(LogoutManager.class));
}
 
Example #19
Source File: CentralAuthenticationServiceImpl.java — from springboot-shiro-cas-mybatis (MIT License)
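/**
 * Grants a service ticket (or proxy ticket) for {@code service} on the strength of an existing
 * ticket-granting ticket, after every access check has passed.
 *
 * <p>The checks run in this order, and each one aborts the grant by throwing:
 * <ol>
 *   <li>the TGT must resolve and the service must pass {@code verifyRegisteredServiceProperties};</li>
 *   <li>if credentials were supplied they are re-authenticated and must map to the same principal
 *       that owns the TGT; the new authentication is then attached to the TGT as supplemental;</li>
 *   <li>without supplied credentials, the registered service must allow SSO participation;</li>
 *   <li>if the TGT was obtained through a proxy, the proxying service must be registered and
 *       allowed to proxy;</li>
 *   <li>the TGT's authentication must satisfy the service's authentication policy;</li>
 *   <li>the principal's released attributes must be allowed by the service's access strategy.</li>
 * </ol>
 * Only then is a ticket id generated (per-service generator keyed on the {@link Service}
 * class name, falling back to the default generator), the ticket granted from the TGT and added
 * to the service ticket registry.
 *
 * @param ticketGrantingTicketId id of the TGT the ticket is granted from.
 * @param service the service the ticket is for.
 * @param credentials optional credentials to re-authenticate with; may be empty.
 * @return the granted service ticket, already added to the service ticket registry.
 * @throws AuthenticationException if re-authentication of the supplied credentials fails.
 * @throws TicketException if the TGT cannot be resolved.
 * @throws MixedPrincipalException if the re-authenticated principal differs from the TGT's principal.
 * @throws UnauthorizedSsoServiceException if no credentials were supplied and the service may not use SSO.
 * @throws UnauthorizedProxyingException if the TGT is proxied by an unknown or non-proxying service.
 * @throws UnauthorizedServiceForPrincipalException if the principal's attributes do not permit access.
 */
@Audit(
    action="SERVICE_TICKET",
    actionResolverName="GRANT_SERVICE_TICKET_RESOLVER",
    resourceResolverName="GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
@Timed(name="GRANT_SERVICE_TICKET_TIMER")
@Metered(name="GRANT_SERVICE_TICKET_METER")
@Counted(name="GRANT_SERVICE_TICKET_COUNTER", monotonic=true)
@Override
public ServiceTicket grantServiceTicket(
        final String ticketGrantingTicketId,
        final Service service, final Credential... credentials)
        throws AuthenticationException, TicketException {

    final TicketGrantingTicket ticketGrantingTicket = getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

    // NOTE(review): registeredService is dereferenced below without a null check; this relies on
    // verifyRegisteredServiceProperties rejecting an unregistered service — confirm.
    verifyRegisteredServiceProperties(registeredService, service);
    final Set<Credential> sanitizedCredentials = sanitizeCredentials(credentials);

    Authentication currentAuthentication = null;
    if (!sanitizedCredentials.isEmpty()) {
        currentAuthentication = this.authenticationManager.authenticate(
                sanitizedCredentials.toArray(new Credential[0]));
        final Authentication original = ticketGrantingTicket.getAuthentication();
        // A fresh authentication may only be attached to the TGT if it belongs to the same
        // principal; otherwise one user's credentials would be bound to another user's session.
        if (!currentAuthentication.getPrincipal().equals(original.getPrincipal())) {
            throw new MixedPrincipalException(
                    currentAuthentication, currentAuthentication.getPrincipal(), original.getPrincipal());
        }
        ticketGrantingTicket.getSupplementalAuthentications().add(currentAuthentication);
    }

    // No fresh credentials means the grant rests on the existing SSO session, which the
    // registered service may have opted out of.
    if (currentAuthentication == null && !registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) {
        logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
        throw new UnauthorizedSsoServiceException();
    }

    verifyProxyingIsAuthorized(ticketGrantingTicket, service, registeredService);

    // Perform security policy check by getting the authentication that satisfies the configured policy
    // This throws if no suitable policy is found
    getAuthenticationSatisfiedByPolicy(ticketGrantingTicket, new ServiceContext(service, registeredService));

    // The last authentication in the chain is the one the ticket is issued for.
    final List<Authentication> authentications = ticketGrantingTicket.getChainedAuthentications();
    final Principal principal = authentications.get(authentications.size() - 1).getPrincipal();

    // Attribute-based access check uses the attributes the service would actually be released.
    final Map<String, Object> principalAttrs = registeredService.getAttributeReleasePolicy().getAttributes(principal);
    if (!registeredService.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(principalAttrs)) {
        logger.warn("ServiceManagement: Cannot grant service ticket because Service [{}] is not authorized for use by [{}].",
                service.getId(), principal);
        throw new UnauthorizedServiceForPrincipalException();
    }

    final UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator = serviceTicketIdGeneratorFor(service);

    // A chain longer than one authentication means the TGT itself came from a proxy, so the
    // ticket issued from it is a proxy ticket.
    final String ticketPrefix = authentications.size() == 1 ? ServiceTicket.PREFIX : ServiceTicket.PROXY_TICKET_PREFIX;
    final String ticketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ticketPrefix);
    final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket(
            ticketId,
            service,
            this.serviceTicketExpirationPolicy,
            currentAuthentication != null); // presumably "credentials were provided" — see TGT API

    this.serviceTicketRegistry.addTicket(serviceTicket);

    logger.info("Granted ticket [{}] for service [{}] for user [{}]",
            serviceTicket.getId(), service.getId(), principal.getId());

    return serviceTicket;
}

/**
 * Rejects the grant when the TGT was obtained through a proxy that is either unknown to the
 * services registry or not allowed to proxy.
 *
 * @param ticketGrantingTicket the TGT whose proxy chain is being checked.
 * @param service the service requesting the ticket (for log output only).
 * @param registeredService the registered counterpart of {@code service} (for log/error output).
 * @throws UnauthorizedProxyingException if the proxying service is unregistered or may not proxy.
 */
private void verifyProxyingIsAuthorized(final TicketGrantingTicket ticketGrantingTicket,
                                        final Service service,
                                        final RegisteredService registeredService) {
    final Service proxiedBy = ticketGrantingTicket.getProxiedBy();
    if (proxiedBy == null) {
        logger.trace("TGT is not proxied by another service");
        return;
    }

    logger.debug("TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId());
    final RegisteredService proxyingService = servicesManager.findServiceBy(proxiedBy);

    if (proxyingService == null) {
        logger.warn("No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.",
                service.getId(), registeredService.getId());
        throw new UnauthorizedProxyingException("Proxying is not allowed for registered service "
                + registeredService.getId());
    }

    logger.debug("Located proxying service [{}] in the service registry", proxyingService);
    if (!proxyingService.getProxyPolicy().isAllowedToProxy()) {
        logger.warn("Found proxying service {}, but it is not authorized to fulfill the proxy attempt made by {}",
                proxyingService.getId(), service.getId());
        throw new UnauthorizedProxyingException("Proxying is not allowed for registered service "
                + registeredService.getId());
    }
}

/**
 * Resolves the service ticket id generator for {@code service}, keyed on the service's class
 * name, falling back to the default generator when none is configured.
 *
 * @param service the service the ticket is being generated for.
 * @return the configured generator for the service's class, else the default generator.
 */
private UniqueTicketIdGenerator serviceTicketIdGeneratorFor(final Service service) {
    final String uniqueTicketIdGenKey = service.getClass().getName();
    logger.debug("Looking up service ticket id generator for [{}]", uniqueTicketIdGenKey);
    final UniqueTicketIdGenerator configured = this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);
    if (configured != null) {
        return configured;
    }
    logger.debug("Service ticket id generator not found for [{}]. Using the default generator...",
            uniqueTicketIdGenKey);
    return this.defaultServiceTicketIdGenerator;
}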
 
Example #20
Source File: MultiFactorAwareCentralAuthenticationService.java    From cas-mfa with Apache License 2.0
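/**
 * Inject a TGT unique ID generator.
 *
 * <p>Rejects a {@code null} generator at injection time so a misconfiguration is reported
 * immediately rather than when a ticket is first granted.
 *
 * @param uniqueTicketIdGenerator the non-null TGT unique ID generator.
 * @throws NullPointerException if {@code uniqueTicketIdGenerator} is {@code null}.
 */
public void setTicketGrantingTicketUniqueTicketIdGenerator(final UniqueTicketIdGenerator uniqueTicketIdGenerator) {
    if (uniqueTicketIdGenerator == null) {
        throw new NullPointerException("uniqueTicketIdGenerator must not be null");
    }
    this.ticketGrantingTicketUniqueTicketIdGenerator = uniqueTicketIdGenerator;
}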