java.lang.Object | |||
↳ | org.springframework.web.filter.GenericFilterBean | ||
↳ | org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter | ||
↳ | org.springframework.security.cas.web.CasAuthenticationFilter |
Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.
A service ticket consists of an opaque ticket string. It arrives at this filter by the user's browser successfully
authenticating using CAS, and then receiving a HTTP redirect to a service
. The opaque ticket string is
presented in the ticket
request parameter.
This filter monitors the service
URL so it can
receive the service ticket and process it. By default this filter processes the URL /j_spring_cas_security_check.
When processing this URL, the value of getService()
is used as the service when validating
the ticket
. This means that it is important that getService()
specifies the same value
as the filterProcessesUrl.
Processing the service ticket involves creating a UsernamePasswordAuthenticationToken
which
uses CAS_STATEFUL_IDENTIFIER
for the principal
and the opaque ticket string as the
credentials
.
If specified, the filter can also monitor the proxyReceptorUrl
. The filter will respond to requests matching
this url so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl
a non-null
proxyGrantingTicketStorage
must be provided in order for the filter to respond to proxy receptor requests. By configuring
a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter one can have the
CasAuthenticationFilter handle the proxying requirements for CAS.
The filter can process tickets present on any url. This is useful when wanting to process proxy tickets. In order for proxy
tickets to get processed isAuthenticateAllArtifacts()
must return true
. Additionally,
if the request is already authenticated, authentication will not occur. Last, buildDetails(Object)
must return a ServiceAuthenticationDetails
. This can be accomplished using the ServiceAuthenticationDetailsSource
.
In this case getServiceUrl()
will be used for the service url.
Processing the proxy ticket involves creating a UsernamePasswordAuthenticationToken
which
uses CAS_STATELESS_IDENTIFIER
for the principal
and the opaque ticket string as the
credentials
. When a proxy ticket is successfully authenticated, the FilterChain continues and the
authenticationSuccessHandler
is not used.
AuthenticationManager
The configured AuthenticationManager
is expected to provide a provider that can recognise
UsernamePasswordAuthenticationToken
s containing this special principal
name, and process
them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of
getServiceUrl()
as the service when validating the ticket.
An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below:
<b:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties" p:service="https://service.example.com/cas-sample/j_spring_cas_security_check" p:authenticateAllArtifacts="true"/> <b:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint" p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" /> <b:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter" p:authenticationManager-ref="authManager" p:serviceProperties-ref="serviceProperties" p:proxyGrantingTicketStorage-ref="pgtStorage" p:proxyReceptorUrl="/j_spring_cas_security_proxyreceptor"> <b:property name="authenticationDetailsSource"> <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/> </b:property> <b:property name="authenticationFailureHandler"> <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" p:defaultFailureUrl="/casfailed.jsp"/> </b:property> </b:bean> <!-- NOTE: In a real application you should not use an in memory implementation. You will also want to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup() --> <b:bean id="pgtStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/> <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider" p:serviceProperties-ref="serviceProperties" p:key="casAuthProviderKey"> <b:property name="authenticationUserDetailsService"> <b:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <b:constructor-arg ref="userService" /> </b:bean> </b:property> <b:property name="ticketValidator"> <b:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator" p:acceptAnyProxy="true" p:proxyCallbackUrl="https://service.example.com/cas-sample/j_spring_cas_security_proxyreceptor" p:proxyGrantingTicketStorage-ref="pgtStorage"> <b:constructor-arg value="https://login.example.org/cas" /> </b:bean> </b:property> <b:property name="statelessTicketCache"> <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache"> <b:property name="cache"> <b:bean class="net.sf.ehcache.Cache" init-method="initialise" destroy-method="dispose"> <b:constructor-arg value="casTickets"/> <b:constructor-arg value="50"/> <b:constructor-arg value="true"/> <b:constructor-arg value="false"/> <b:constructor-arg value="3600"/> <b:constructor-arg value="900"/> </b:bean> </b:property> </b:bean> </b:property> </b:bean>
Constants | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
String | CAS_STATEFUL_IDENTIFIER | Used to identify a CAS request for a stateful user agent, such as a web browser. | |||||||||
String | CAS_STATELESS_IDENTIFIER | Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g. |
[Expand]
Inherited Constants | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
|
[Expand]
Inherited Fields | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
| |||||||||||
From class
org.springframework.web.filter.GenericFilterBean
|
Public Constructors | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Public Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Performs actual authentication.
| |||||||||||
Wraps the
AuthenticationFailureHandler to distinguish between
handling proxy ticket authentication failures and service ticket
failures. | |||||||||||
Sets the
AuthenticationFailureHandler for proxy requests. | |||||||||||
Protected Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
If present, gets the artifact (CAS ticket) from the HttpServletRequest.
| |||||||||||
Overridden to provide proxying capabilities.
| |||||||||||
Default behaviour for successful authentication.
|
[Expand]
Inherited Methods | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
From class
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
| |||||||||||
From class
org.springframework.web.filter.GenericFilterBean
| |||||||||||
From class
java.lang.Object
| |||||||||||
From interface
javax.servlet.Filter
| |||||||||||
From interface
org.springframework.beans.factory.BeanNameAware
| |||||||||||
From interface
org.springframework.beans.factory.DisposableBean
| |||||||||||
From interface
org.springframework.beans.factory.InitializingBean
| |||||||||||
From interface
org.springframework.context.ApplicationEventPublisherAware
| |||||||||||
From interface
org.springframework.context.MessageSourceAware
| |||||||||||
From interface
org.springframework.web.context.ServletContextAware
|
Used to identify a CAS request for a stateful user agent, such as a web browser.
Used to identify a CAS request for a stateless user agent, such as a remoting protocol client (e.g.
Hessian, Burlap, SOAP etc). Results in a more aggressive caching strategy being used, as the absence of a
HttpSession
will result in a new authentication attempt on every request.
Performs actual authentication.
The implementation should do one of the following:
request | from which to extract parameters and perform the authentication |
---|---|
response | the response, which may be needed if the implementation has to do a redirect as part of a multi-stage authentication process (such as OpenID). |
Wraps the AuthenticationFailureHandler
to distinguish between
handling proxy ticket authentication failures and service ticket
failures.
Sets the AuthenticationFailureHandler
for proxy requests.
If present, gets the artifact (CAS ticket) from the HttpServletRequest.
Overridden to provide proxying capabilities.
true
if the filter should attempt authentication, false
otherwise.
Default behaviour for successful authentication.
SecurityContextHolder
SessionAuthenticationStrategy
to handle any session-related behaviour
(such as creating a new session to protect against session-fixation attacks).InteractiveAuthenticationSuccessEvent
via the configured
ApplicationEventPublisherAuthenticationSuccessHandler
.authResult | the object returned from the attemptAuthentication method. |
---|
IOException | |
---|---|
ServletException |