spring-projects · miremond · Aug 8, 2013 · rwinch · Aug 24, 2013 · obozek
diff --git a/...main/java/org/springframework/security/cas/authentication/TriggerCasGatewayException.java b/...main/java/org/springframework/security/cas/authentication/TriggerCasGatewayException.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2013-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.authentication;
+
+import org.springframework.security.cas.web.CasAuthenticationEntryPoint;
+import org.springframework.security.core.AuthenticationException;
+
+/**
+ * Exception used to indicate the {@link CasAuthenticationEntryPoint} to make a CAS gateway authentication request.
+ *
+ * @author Michael Remond
+ *
+ */
+public class TriggerCasGatewayException extends
+        AuthenticationException {
+
+    //~ Constructors ===================================================================================================
+
+    /**
+     * Constructs an {@code InitiateCasGatewayAuthenticationException} with the specified message and no root cause.
+     *
+     * @param msg the detail message
+     */
+    public TriggerCasGatewayException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Constructs an {@code InitiateCasGatewayAuthenticationException} with the specified message and root cause.
+     *
+     * @param msg the detail message
+     * @param t the root cause
+     */
+    public TriggerCasGatewayException(String msg, Throwable t) {
+        super(msg, t);
+    }
+
+}
diff --git a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationEntryPoint.java
@@ -1,4 +1,4 @@
-/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006, 2013 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,10 +22,11 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.jasig.cas.client.util.CommonUtils;
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.cas.ServiceProperties;
+import org.springframework.security.cas.authentication.TriggerCasGatewayException;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
-import org.springframework.beans.factory.InitializingBean;
 import org.springframework.util.Assert;
 
 
@@ -38,6 +39,9 @@
  * redirect to the page indicated by the <code>service</code> property. The <code>service</code> is a HTTP URL
  * belonging to the current application. The <code>service</code> URL is monitored by the {@link CasAuthenticationFilter},
  * which will validate the CAS login was successful.
+ * <p>
+ * If the raised exception is {@link TriggerCasGatewayException}, the parameter <code>gateway</code> is set
+ * to true on the redirect url.
  *
  * @author Ben Alex
  * @author Scott Battaglia
@@ -72,7 +76,7 @@ public final void commence(final HttpServletRequest servletRequest, final HttpSe
             final AuthenticationException authenticationException) throws IOException, ServletException {
 
         final String urlEncodedService = createServiceUrl(servletRequest, response);
-        final String redirectUrl = createRedirectUrl(urlEncodedService);
+        final String redirectUrl = createRedirectUrl(servletRequest, response, authenticationException, urlEncodedService);
 
         preCommence(servletRequest, response);
 
@@ -95,8 +99,24 @@ protected String createServiceUrl(final HttpServletRequest request, final HttpSe
      * @param serviceUrl the service url that should be included.
      * @return the redirect url.  CANNOT be NULL.
      */
+    @Deprecated
     protected String createRedirectUrl(final String serviceUrl) {
-        return CommonUtils.constructRedirectUrl(this.loginUrl, this.serviceProperties.getServiceParameter(), serviceUrl, this.serviceProperties.isSendRenew(), false);
+        return createRedirectUrl(null, null, null, serviceUrl);
+    }
+
+    /**
+     * Constructs the Url for Redirection to the CAS server.  Default implementation relies on the CAS client to do the bulk of the work.
+     * Parameter gateway is infered from authenticationException class.
+     *
+     * @param request the HttpServletRequest
+     * @param response the HttpServletResponse
+     * @param authenticationException the authentication Exception that triggers CasAuthenticationEntryPoint
+     * @param serviceUrl the service url that should be included.
+     * @return the redirect url. CANNOT be NULL.
+     */
+    protected String createRedirectUrl(HttpServletRequest request, HttpServletResponse response, final AuthenticationException authenticationException, final String serviceUrl) {
+        boolean gateway = authenticationException instanceof TriggerCasGatewayException;
+        return CommonUtils.constructRedirectUrl(this.loginUrl, this.serviceProperties.getServiceParameter(), serviceUrl, this.serviceProperties.isSendRenew(), gateway);
     }
 
     /**

diff --git a/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java b/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java
@@ -1,4 +1,4 @@
-/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+/* Copyright 2004, 2005, 2006, 2013 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,10 +35,16 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.DefaultRedirectStrategy;
+import org.springframework.security.web.RedirectStrategy;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.savedrequest.RequestCache;
+import org.springframework.security.web.savedrequest.SavedRequest;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.
@@ -183,6 +189,10 @@ public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFil
 
     private AuthenticationFailureHandler proxyFailureHandler = new SimpleUrlAuthenticationFailureHandler();
 
+    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+
+    private RequestCache requestCache = new HttpSessionRequestCache();
+
     //~ Constructors ===================================================================================================
 
     public CasAuthenticationFilter() {
@@ -216,6 +226,25 @@ protected final void successfulAuthentication(HttpServletRequest request,
         chain.doFilter(request, response);
     }
 
+    /**
+     * We override this method because we don't want to clear the rememberMe in case of an unsuccessfull CAS gateway request.
+     */
+    @Override
+    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
+            AuthenticationException failed) throws IOException, ServletException {
+
+        // if the request had a non empty artifact, we really encounter an unsuccessful authentication
+        // else it is probably an CAS gateway request with no SSO session, we redirect to the saved url
+        if (StringUtils.hasText(obtainArtifact(request))) {
+            super.unsuccessfulAuthentication(request, response, failed);
+        } else {
+            SavedRequest savedRequest = requestCache.getRequest(request, response);
+            if (savedRequest != null) {
+                redirectStrategy.sendRedirect(request, response, savedRequest.getRedirectUrl());
+            }
+        }
+    }
+
     @Override
     public Authentication attemptAuthentication(final HttpServletRequest request, final HttpServletResponse response)
             throws AuthenticationException, IOException {
@@ -299,6 +328,16 @@ public final void setServiceProperties(final ServiceProperties serviceProperties
         this.authenticateAllArtifacts = serviceProperties.isAuthenticateAllArtifacts();
     }
 
+    public final void setRedirectStrategy(RedirectStrategy redirectStrategy) {
+        Assert.notNull(redirectStrategy,"redirectStrategy cannot be null");
+        this.redirectStrategy = redirectStrategy;
+    }
+
+    public final void setRequestCache(RequestCache requestCache) {
+        Assert.notNull(requestCache,"requestCache cannot be null");
+        this.requestCache = requestCache;
+    }
+
     /**
      * Indicates if the request is elgible to process a service ticket. This method exists for readability.
      * @param request

diff --git a/cas/src/main/java/org/springframework/security/cas/web/DefaultCasGatewayRequestMatcher.java b/cas/src/main/java/org/springframework/security/cas/web/DefaultCasGatewayRequestMatcher.java
@@ -0,0 +1,103 @@
+package org.springframework.security.cas.web;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.jasig.cas.client.authentication.DefaultGatewayResolverImpl;
+import org.jasig.cas.client.authentication.GatewayResolver;
+import org.springframework.security.cas.ServiceProperties;
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.util.Assert;
+
+/**
+ * Default RequestMatcher implementation for the {@link TriggerCasGatewayFilter}.
+ * 
+ * This RequestMatcher returns <code>true</code> iff :
+ * <ul>
+ * <li>
+ * User is not already authenticated (see {@link #isAuthenticated})</li>
+ * <li>
+ * The request was not previously gatewayed</li>
+ * <li>
+ * The request matches additional criteria (see {@link #performGatewayAuthentication})</li>
+ * </ul>
+ * 
+ * Implementors can override this class to customize the authentication check and the gateway criteria.
+ * <p>
+ * The request is marked as "gatewayed" using the configured {@link GatewayResolver} to avoid infinite loop.
+ * 
+ * @author Michael Remond
+ * 
+ */
+public class DefaultCasGatewayRequestMatcher implements RequestMatcher {
+
+    // ~ Instance fields
+    // ================================================================================================
+
+    private ServiceProperties serviceProperties;
+
+    private GatewayResolver gatewayStorage = new DefaultGatewayResolverImpl();
+
+    // ~ Constructors
+    // ===================================================================================================
+
+    public DefaultCasGatewayRequestMatcher(ServiceProperties serviceProperties) {
+        Assert.notNull(serviceProperties, "serviceProperties cannot be null");
+        this.serviceProperties = serviceProperties;
+    }
+
+    public final boolean matches(HttpServletRequest request) {
+
+        // Test if we are already authenticated
+        if (isAuthenticated(request)) {
+            return false;
+        }
+
+        // Test if the request was already gatewayed to avoid infinite loop
+        final boolean wasGatewayed = this.gatewayStorage.hasGatewayedAlready(request, serviceProperties.getService());
+
+        if (wasGatewayed) {
+            return false;
+        }
+
+        // If request matches gateway criteria, we mark the request as gatewayed and return true to trigger a CAS
+        // gateway authentication
+        if (performGatewayAuthentication(request)) {
+            gatewayStorage.storeGatewayInformation(request, serviceProperties.getService());
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+    /**
+     * Test if the user is authenticated in Spring Security. Default implementation test if the user is CAS
+     * authenticated.
+     * 
+     * @param request
+     * @return true if the user is authenticated
+     */
+    protected boolean isAuthenticated(HttpServletRequest request) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        return authentication instanceof CasAuthenticationToken;
+    }
+
+    /**
+     * Method that determines if the current request triggers a CAS gateway authentication. Default implementation
+     * always returns <code>true</code>.
+     * 
+     * @param request
+     * @return true if the request must trigger a CAS gateway authentication
+     */
+    protected boolean performGatewayAuthentication(HttpServletRequest request) {
+        return true;
+    }
+
+    public void setGatewayStorage(GatewayResolver gatewayStorage) {
+        Assert.notNull(gatewayStorage, "gatewayStorage cannot be null");
+        this.gatewayStorage = gatewayStorage;
+    }
+
+}
diff --git a/cas/src/main/java/org/springframework/security/cas/web/TriggerCasGatewayFilter.java b/cas/src/main/java/org/springframework/security/cas/web/TriggerCasGatewayFilter.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2013-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.web;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.cas.authentication.TriggerCasGatewayException;
+import org.springframework.security.web.util.RequestMatcher;
+import org.springframework.util.Assert;
+import org.springframework.web.filter.GenericFilterBean;
+
+/**
+ * Triggers a CAS gateway authentication attempt.
+ * <p>
+ * This filter must be placed after the <code>ExceptionTranslationFilter</code> in the filter chain in order to start
+ * the authentication process. Throws a {@link TriggerCasGatewayException} when the current request matches against the
+ * configured {@link RequestMatcher}.
+ * <p>
+ * The default implementation you can use is {@link DefaultCasGatewayRequestMatcher}.
+ * 
+ * @author Michael Remond
+ */
+public class TriggerCasGatewayFilter extends GenericFilterBean {
+
+    // ~ Instance fields
+    // ================================================================================================
+
+    private RequestMatcher requestMatcher;
+
+    // ~ Constructors
+    // ===================================================================================================
+
+    public TriggerCasGatewayFilter(RequestMatcher requestMatcher) {
+        Assert.notNull(requestMatcher, "requestMatcher cannot be null");
+        this.requestMatcher = requestMatcher;
+    }
+
+    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
+            ServletException {
+
+        HttpServletRequest request = (HttpServletRequest) req;
+        HttpServletResponse response = (HttpServletResponse) res;
+
+        if (requestMatcher.matches(request)) {
+            throw new TriggerCasGatewayException("Try a CAS gateway authentication");
+        } else {
+            // Continue in the chain
+            chain.doFilter(request, response);
+        }
+
+    }
+
+    public void setRequestMatcher(RequestMatcher requestMatcher) {
+        this.requestMatcher = requestMatcher;
+    }
+
+}