CAS-Client客户端研究--Cas20ProxyReceivingTicketValidationFilter

  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "ticket").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "service").
  • renew - specifies whether renew=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • gateway - specifies whether gateway=true should be sent to the CAS server. Valid values are either "true" or "false" (or no value at all).
  • artifactParameterName - specifies the name of the request parameter on where to find the artifact (i.e. "ticket").
  • serviceParameterName - specifies the name of the request parameter on where to find the service (i.e. "service").



    public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
    
            if (!preFilter(servletRequest, servletResponse, filterChain)) {
                return;
            }
    
            final HttpServletRequest request = (HttpServletRequest) servletRequest;
            final HttpServletResponse response = (HttpServletResponse) servletResponse;
            final String ticket = CommonUtils.safeGetParameter(request, getArtifactParameterName());
    
            if (CommonUtils.isNotBlank(ticket)) {
                if (log.isDebugEnabled()) {
                    log.debug("Attempting to validate ticket: " + ticket);
                }
    
                try {
                    final Assertion assertion = this.ticketValidator.validate(ticket, constructServiceUrl(request, response));
    
                    if (log.isDebugEnabled()) {
                        log.debug("Successfully authenticated user: " + assertion.getPrincipal().getName());
                    }
    
                    request.setAttribute(CONST_CAS_ASSERTION, assertion);
    
                    if (this.useSession) {
                        request.getSession().setAttribute(CONST_CAS_ASSERTION, assertion);
                    }
                    onSuccessfulValidation(request, response, assertion);
    
                    if (this.redirectAfterValidation) {
                        log. debug("Redirecting after successful ticket validation.");
                        response.sendRedirect(constructServiceUrl(request, response));
                        return;
                    }
                } catch (final TicketValidationException e) {
                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                    log.warn(e, e);
    
                    onFailedValidation(request, response);
    
                    if (this.exceptionOnValidationFailure) {
                        throw new ServletException(e);
                    }
    
                    return;
                }
            }
    
            filterChain.doFilter(request, response);
    
        }
    



    在验证前需要:如果请求参数中带有pgtid和pgtiou只需要缓存pgtio与pgtid映射关系

        protected final boolean preFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
            final HttpServletRequest request = (HttpServletRequest) servletRequest;
            final HttpServletResponse response = (HttpServletResponse) servletResponse;
            final String requestUri = request.getRequestURI();
    
            if (CommonUtils.isEmpty(this.proxyReceptorUrl) || !requestUri.endsWith(this.proxyReceptorUrl)) {
                return true;
            }
    
            try {
                CommonUtils.readAndRespondToProxyReceptorRequest(request, response, this.proxyGrantingTicketStorage);
            } catch (final RuntimeException e) {
                log.error(e.getMessage(), e);
                throw e;
            }
    
            return false;
        }

    public static void readAndRespondToProxyReceptorRequest(final HttpServletRequest request, final HttpServletResponse response, final ProxyGrantingTicketStorage proxyGrantingTicketStorage) throws IOException {
                    final String proxyGrantingTicketIou = request.getParameter(PARAM_PROXY_GRANTING_TICKET_IOU);
    
    		final String proxyGrantingTicket = request.getParameter(PARAM_PROXY_GRANTING_TICKET);
    
    		if (CommonUtils.isBlank(proxyGrantingTicket) || CommonUtils.isBlank(proxyGrantingTicketIou)) {
    		    response.getWriter().write("");
    		    return;
    		}
    
    		proxyGrantingTicketStorage.save(proxyGrantingTicketIou, proxyGrantingTicket);
    
            	
    		response.getWriter().write("<?xml version=\"1.0\"?>");
    		response.getWriter().write("<casClient:proxySuccess xmlns:casClient=\"http://www.yale.edu/tp/casClient\" />");
        }

    验证类:

        protected final TicketValidator getTicketValidator(final FilterConfig filterConfig) {
            final String allowAnyProxy = getPropertyFromInitParams(filterConfig, "acceptAnyProxy", null);
            final String allowedProxyChains = getPropertyFromInitParams(filterConfig, "allowedProxyChains", null);
            final String casServerUrlPrefix = getPropertyFromInitParams(filterConfig, "casServerUrlPrefix", null);
            final Cas20ServiceTicketValidator validator;
    
            if (CommonUtils.isNotBlank(allowAnyProxy) || CommonUtils.isNotBlank(allowedProxyChains)) {//被代理的
                final Cas20ProxyTicketValidator v = new Cas20ProxyTicketValidator(casServerUrlPrefix);
                v.setAcceptAnyProxy(parseBoolean(allowAnyProxy));
                v.setAllowedProxyChains(CommonUtils.createProxyList(allowedProxyChains));
                validator = v;
            } else {//代理的,即中间人
                validator = new Cas20ServiceTicketValidator(casServerUrlPrefix);
            }
            validator.setProxyCallbackUrl(getPropertyFromInitParams(filterConfig, "proxyCallbackUrl", null));
            validator.setProxyGrantingTicketStorage(this.proxyGrantingTicketStorage);
            validator.setProxyRetriever(new Cas20ProxyRetriever(casServerUrlPrefix, getPropertyFromInitParams(filterConfig, "encoding", null)));
            validator.setRenew(parseBoolean(getPropertyFromInitParams(filterConfig, "renew", "false")));
            validator.setEncoding(getPropertyFromInitParams(filterConfig, "encoding", null));
    
            final Map<String,String> additionalParameters = new HashMap<String,String>();
            final List<String> params = Arrays.asList(RESERVED_INIT_PARAMS);
    
            for (final Enumeration<?> e = filterConfig.getInitParameterNames(); e.hasMoreElements();) {
                final String s = (String) e.nextElement();
    
                if (!params.contains(s)) {
                    additionalParameters.put(s, filterConfig.getInitParameter(s));
                }
            }
    
            validator.setCustomParameters(additionalParameters);
            validator.setHostnameVerifier(getHostnameVerifier(filterConfig));
    
            return validator;
        }

    验证过程:

        public Assertion validate(final String ticket, final String service) throws TicketValidationException {
    
    
            final String validationUrl = constructValidationUrl(ticket, service);
           
            try {
            	  final String serverResponse = retrieveResponseFromServer(new URL(validationUrl), ticket);
    
                if (serverResponse == null) {
                    throw new TicketValidationException("The CAS server returned no response.");
                }
                
    
                return parseResponseFromServer(serverResponse);
            } catch (final MalformedURLException e) {
                throw new TicketValidationException(e);
            }
        }
        
        protected final String constructValidationUrl(final String ticket, final String serviceUrl) {
            final Map<String,String> urlParameters = new HashMap<String,String>();
    
            urlParameters.put("ticket", ticket);
            urlParameters.put("service", encodeUrl(serviceUrl));
    
            if (this.renew) {
                urlParameters.put("renew", "true");
            }
    
            populateUrlAttributeMap(urlParameters);
    
            if (this.customParameters != null) {
                urlParameters.putAll(this.customParameters);
            }
    
            urlParameters.put("pgtUrl", encodeUrl(this.proxyCallbackUrl));
            
            final String suffix = getUrlSuffix();
            final StringBuilder buffer = new StringBuilder(urlParameters.size()*10 + this.casServerUrlPrefix.length() + suffix.length() +1);
    
            int i = 0;
    
            buffer.append(this.casServerUrlPrefix);
            if (!this.casServerUrlPrefix.endsWith("/")) {
                buffer.append("/");
            }
            buffer.append(suffix);
    
            for (Map.Entry<String,String> entry : urlParameters.entrySet()) {
                final String key = entry.getKey();
                final String value = entry.getValue();
    
                if (value != null) {
                    buffer.append(i++ == 0 ? "?" : "&");
                    buffer.append(key);
                    buffer.append("=");
                    buffer.append(value);
                }
            }
    
            return buffer.toString();
    
        }
        
            protected final Assertion parseResponseFromServer(final String response) throws TicketValidationException {
            final String error = XmlUtils.getTextForElement(response,
                    "authenticationFailure");
    
            if (CommonUtils.isNotBlank(error)) {
                throw new TicketValidationException(error);
            }
    
            final String principal = XmlUtils.getTextForElement(response, "user");
            final String proxyGrantingTicketIou = XmlUtils.getTextForElement(response, "proxyGrantingTicket");
            final String proxyGrantingTicket = this.proxyGrantingTicketStorage != null ? this.proxyGrantingTicketStorage.retrieve(proxyGrantingTicketIou) : null;
    
            if (CommonUtils.isEmpty(principal)) {
                throw new TicketValidationException("No principal was found in the response from the CAS server.");
            }
    
            final Assertion assertion;
            final Map<String,Object> attributes = extractCustomAttributes(response);
            if (CommonUtils.isNotBlank(proxyGrantingTicket)) {
                final AttributePrincipal attributePrincipal = new AttributePrincipalImpl(principal, attributes, proxyGrantingTicket, this.proxyRetriever);
                assertion = new AssertionImpl(attributePrincipal);
            } else {
                assertion = new AssertionImpl(new AttributePrincipalImpl(principal, attributes));
            }
    
            customParseResponse(response, assertion);
    
            return assertion;
        }




  • 你可能感兴趣的:(CAS-Client客户端研究--Cas20ProxyReceivingTicketValidationFilter)