TouchInstinct
/
java-cas-client
307
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Issue #152 Prevent dupe ticket validations. 

The ticket parameter can linger in the URL after authentication.
Don't attempt ticket validation if we are already authenticated.
Fixes ticket validation failures on refresh and similar cases.
This commit is contained in:
Marvin S. Addison 2016-02-12 16:20:56 -05:00
parent f09ee1c0e7
commit 5a68c92268
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java
View File

@ -155,15 +155,12 @@ public class CasAuthenticator extends AbstractLifeCycle implements Authenticator
final HttpServletResponse response = (HttpServletResponse) servletResponse;
CasAuthentication authentication = fetchCachedAuthentication(request);
if (!mandatory) {
if (authentication != null) {
return authentication;
}
return Authentication.UNAUTHENTICATED;
if (authentication != null) {
return authentication;
}
final String ticket = extractTicket(request);
if (ticket != null) {
if (ticket != null && mandatory) {
try {
logger.debug("Attempting to validate {}", ticket);
final Assertion assertion = ticketValidator.validate(ticket, serviceUrl(request, response));
@ -176,9 +173,11 @@ public class CasAuthenticator extends AbstractLifeCycle implements Authenticator
}
if (authentication != null) {
return authentication;
} else if (mandatory) {
redirectToCas(request, response);
return Authentication.SEND_CONTINUE;
}
redirectToCas(request, response);
return Authentication.SEND_CONTINUE;
return Authentication.UNAUTHENTICATED;
}
@Override
@ -208,7 +207,7 @@ public class CasAuthenticator extends AbstractLifeCycle implements Authenticator
}
private void cacheAuthentication(final HttpServletRequest request, final CasAuthentication authentication) {
final HttpSession session = request.getSession(false);
final HttpSession session = request.getSession(true);
if (session != null) {
session.setAttribute(CACHED_AUTHN_ATTRIBUTE, authentication);
sessionMap.put(authentication.getTicket(), new WeakReference<HttpSession>(session));