From 3378c5741d11fb13431ff2a34356cc313c439f15 Mon Sep 17 00:00:00 2001 From: "Marvin S. Addison" Date: Fri, 12 Feb 2016 16:20:56 -0500 Subject: [PATCH] Issue #152 Prevent dupe ticket validations. The ticket parameter can linger in the URL after authentication. Don't attempt ticket validation if we are already authenticated. Fixes ticket validation failures on refresh and similar cases. --- .../cas/client/jetty/CasAuthenticator.java | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java index 0cb10a0..513ff55 100644 --- a/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java +++ b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java @@ -155,15 +155,12 @@ public class CasAuthenticator extends AbstractLifeCycle implements Authenticator final HttpServletResponse response = (HttpServletResponse) servletResponse; CasAuthentication authentication = fetchCachedAuthentication(request); - if (!mandatory) { - if (authentication != null) { - return authentication; - } - return Authentication.UNAUTHENTICATED; + if (authentication != null) { + return authentication; } final String ticket = extractTicket(request); - if (ticket != null) { + if (ticket != null && mandatory) { try { logger.debug("Attempting to validate {}", ticket); final Assertion assertion = ticketValidator.validate(ticket, serviceUrl(request, response)); @@ -176,9 +173,11 @@ public class CasAuthenticator extends AbstractLifeCycle implements Authenticator } if (authentication != null) { return authentication; + } else if (mandatory) { + redirectToCas(request, response); + return Authentication.SEND_CONTINUE; } - redirectToCas(request, response); - return Authentication.SEND_CONTINUE; + return Authentication.UNAUTHENTICATED; } @Override @@ -208,7 +207,7 @@ public class CasAuthenticator extends AbstractLifeCycle implements Authenticator } private void cacheAuthentication(final HttpServletRequest request, final CasAuthentication authentication) { - final HttpSession session = request.getSession(false); + final HttpSession session = request.getSession(true); if (session != null) { session.setAttribute(CACHED_AUTHN_ATTRIBUTE, authentication); sessionMap.put(authentication.getTicket(), new WeakReference(session));