public class

CasAuthenticationFilter

extends AbstractAuthenticationProcessingFilter
java.lang.Object
   ↳ org.springframework.web.filter.GenericFilterBean
     ↳ org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
       ↳ org.springframework.security.cas.web.CasAuthenticationFilter

Class Overview

Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.

Service Tickets

A service ticket consists of an opaque ticket string. It arrives at this filter by the user's browser successfully authenticating using CAS, and then receiving a HTTP redirect to a service. The opaque ticket string is presented in the ticket request parameter.

This filter monitors the service URL so it can receive the service ticket and process it. By default this filter processes the URL /j_spring_cas_security_check. When processing this URL, the value of getService() is used as the service when validating the ticket. This means that it is important that getService() specifies the same value as the filterProcessesUrl.

Processing the service ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the credentials.

Obtaining Proxy Granting Tickets

If specified, the filter can also monitor the proxyReceptorUrl. The filter will respond to requests matching this url so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl a non-null proxyGrantingTicketStorage must be provided in order for the filter to respond to proxy receptor requests. By configuring a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter one can have the CasAuthenticationFilter handle the proxying requirements for CAS.

Proxy Tickets

The filter can process tickets present on any url. This is useful when wanting to process proxy tickets. In order for proxy tickets to get processed isAuthenticateAllArtifacts() must return true. Additionally, if the request is already authenticated, authentication will not occur. Last, buildDetails(Object) must return a ServiceAuthenticationDetails. This can be accomplished using the ServiceAuthenticationDetailsSource. In this case getServiceUrl() will be used for the service url.

Processing the proxy ticket involves creating a UsernamePasswordAuthenticationToken which uses CAS_STATELESS_IDENTIFIER for the principal and the opaque ticket string as the credentials. When a proxy ticket is successfully authenticated, the FilterChain continues and the authenticationSuccessHandler is not used.

Notes about the AuthenticationManager

The configured AuthenticationManager is expected to provide a provider that can recognise UsernamePasswordAuthenticationTokens containing this special principal name, and process them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of getServiceUrl() as the service when validating the ticket.

Example Configuration

An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below: 

 <b:bean id="serviceProperties"
     class="org.springframework.security.cas.ServiceProperties"
     p:service="https://service.example.com/cas-sample/j_spring_cas_security_check"
     p:authenticateAllArtifacts="true"/>
 <b:bean id="casEntryPoint"
     class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
     p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" />
 <b:bean id="casFilter"
     class="org.springframework.security.cas.web.CasAuthenticationFilter"
     p:authenticationManager-ref="authManager"
     p:serviceProperties-ref="serviceProperties"
     p:proxyGrantingTicketStorage-ref="pgtStorage"
     p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor">
     <b:property name="authenticationDetailsSource">
         <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
     </b:property>
     <b:property name="authenticationFailureHandler">
         <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
             p:defaultFailureUrl="/casfailed.jsp"/>
     </b:property>
 </b:bean>
 <!--
     NOTE: In a real application you should not use an in memory implementation. You will also want
           to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup()
  -->
 <b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
 <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
     p:serviceProperties-ref="serviceProperties"
     p:key="casAuthProviderKey">
     <b:property name="authenticationUserDetailsService">
         <b:bean
             class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
             <b:constructor-arg ref="userService" />
         </b:bean>
     </b:property>
     <b:property name="ticketValidator">
         <b:bean
             class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"
             p:acceptAnyProxy="true"
             p:proxyCallbackUrl="https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor"
             p:proxyGrantingTicketStorage-ref="pgtStorage">
             <b:constructor-arg value="https://login.example.org/cas" />
         </b:bean>
     </b:property>
     <b:property name="statelessTicketCache">
         <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
             <b:property name="cache">
                 <b:bean class="net.sf.ehcache.Cache"
                   init-method="initialise"
                   destroy-method="dispose">
                     <b:constructor-arg value="casTickets"/>
                     <b:constructor-arg value="50"/>
                     <b:constructor-arg value="true"/>
                     <b:constructor-arg value="false"/>
                     <b:constructor-arg value="3600"/>
                     <b:constructor-arg value="900"/>
                 </b:bean>
             </b:property>
         </b:bean>
     </b:property>
 </b:bean>

Summary

Constants
String CAS_STATEFUL_IDENTIFIER Used to identify a CAS request for a stateful user agent, such as a web browser.
String CAS_STATELESS_IDENTIFIER Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g.
[Expand]
Inherited Constants
From class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
[Expand]
Inherited Fields
From class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
From class org.springframework.web.filter.GenericFilterBean
Public Constructors
CasAuthenticationFilter()
Public Methods
Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
Performs actual authentication.
final void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler)
Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.
final void setProxyAuthenticationFailureHandler(AuthenticationFailureHandler proxyFailureHandler)
Sets the AuthenticationFailureHandler for proxy requests.
final void setProxyGrantingTicketStorage(ProxyGrantingTicketStorage proxyGrantingTicketStorage)
final void setProxyReceptorUrl(String proxyReceptorUrl)
final void setServiceProperties(ServiceProperties serviceProperties)
Protected Methods
String obtainArtifact(HttpServletRequest request)
If present, gets the artifact (CAS ticket) from the HttpServletRequest.
boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response)
Overridden to provide proxying capabilities.
final void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)
Default behaviour for successful authentication.
[Expand]
Inherited Methods
From class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
From class org.springframework.web.filter.GenericFilterBean
From class java.lang.Object
From interface javax.servlet.Filter
From interface org.springframework.beans.factory.BeanNameAware
From interface org.springframework.beans.factory.DisposableBean
From interface org.springframework.beans.factory.InitializingBean
From interface org.springframework.context.ApplicationEventPublisherAware
From interface org.springframework.context.MessageSourceAware
From interface org.springframework.web.context.ServletContextAware

Constants

public static final String CAS_STATEFUL_IDENTIFIER

Used to identify a CAS request for a stateful user agent, such as a web browser.

Constant Value: "_cas_stateful_"

public static final String CAS_STATELESS_IDENTIFIER

Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. Hessian, Burlap, SOAP etc). Results in a more aggressive caching strategy being used, as the absence of a HttpSession will result in a new authentication attempt on every request.

Constant Value: "_cas_stateless_"

Public Constructors

public CasAuthenticationFilter ()

Public Methods

public Authentication attemptAuthentication (HttpServletRequest request, HttpServletResponse response)

Performs actual authentication.

The implementation should do one of the following:

  1. Return a populated authentication token for the authenticated user, indicating successful authentication
  2. Return null, indicating that the authentication process is still in progress. Before returning, the implementation should perform any additional work required to complete the process.
  3. Throw an AuthenticationException if the authentication process fails

Parameters
request from which to extract parameters and perform the authentication
response the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID).
Returns
  • the authenticated user token, or null if authentication is incomplete.
Throws
AuthenticationException
IOException

public final void setAuthenticationFailureHandler (AuthenticationFailureHandler failureHandler)

Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.

public final void setProxyAuthenticationFailureHandler (AuthenticationFailureHandler proxyFailureHandler)

Sets the AuthenticationFailureHandler for proxy requests.

public final void setProxyGrantingTicketStorage (ProxyGrantingTicketStorage proxyGrantingTicketStorage)

public final void setProxyReceptorUrl (String proxyReceptorUrl)

public final void setServiceProperties (ServiceProperties serviceProperties)

Protected Methods

protected String obtainArtifact (HttpServletRequest request)

If present, gets the artifact (CAS ticket) from the HttpServletRequest.

Returns
  • if present the artifact from the HttpServletRequest, else null

protected boolean requiresAuthentication (HttpServletRequest request, HttpServletResponse response)

Overridden to provide proxying capabilities.

Returns
  • true if the filter should attempt authentication, false otherwise.

protected final void successfulAuthentication (HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)

Default behaviour for successful authentication.

  1. Sets the successful Authentication object on the SecurityContextHolder
  2. Invokes the configured SessionAuthenticationStrategy to handle any session-related behaviour (such as creating a new session to protect against session-fixation attacks).
  3. Informs the configured RememberMeServices of the successful login
  4. Fires an InteractiveAuthenticationSuccessEvent via the configured ApplicationEventPublisher
  5. Delegates additional behaviour to the AuthenticationSuccessHandler.
Subclasses can override this method to continue the FilterChain after successful authentication.

Parameters
authResult the object returned from the attemptAuthentication method.
Throws
IOException
ServletException