diff --git a/.travis.yml b/.travis.yml index 8357e8e..e5c3fda 100644 --- a/.travis.yml +++ b/.travis.yml @@ -23,8 +23,6 @@ before_install: language: java -sudo: false - script: "mvn install --settings travis/settings.xml" jdk: diff --git a/NOTICE b/NOTICE index 1011bab..cde5123 100644 --- a/NOTICE +++ b/NOTICE @@ -39,6 +39,7 @@ This project includes: Jasig CAS Client for Java - SAML Protocol Support under Apache License Version 2.0 Jasig CAS Client for Java - Tomcat 6.x Integration under Apache License Version 2.0 Jasig CAS Client for Java - Tomcat 7.x Integration under Apache License Version 2.0 + Jasig CAS Client for Java - Tomcat 8.x Integration under Apache License Version 2.0 Java Servlet API under CDDL + GPLv2 with classpath exception JavaBeans Activation Framework (JAF) under Common Development and Distribution License (CDDL) v1.0 JavaMail API under Common Development and Distribution License (CDDL) v1.0 diff --git a/README.md b/README.md index 91d9fbb..ebdfe9f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Java Apereo CAS Client [![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.jasig.cas.client/cas-client-core/badge.svg?style=flat)](https://maven-badges.herokuapp.com/maven-central/org.jasig.cas/cas-server) +# Java Apereo CAS Client [![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.jasig.cas.client/cas-client-core/badge.svg?style=flat)](https://maven-badges.herokuapp.com/maven-central/org.jasig.cas.client/cas-client) ## Intro @@ -10,7 +10,7 @@ All client artifacts are published to Maven central. Depending on functionality, ## Build [![Build Status](https://travis-ci.org/Jasig/java-cas-client.png?branch=master)](https://travis-ci.org/Jasig/java-cas-client) ```bash -git clone git@github.com:Jasig/java-cas-client.git +git clone git@github.com:apereo/java-cas-client.git cd java-cas-client mvn clean package ``` @@ -36,7 +36,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis ```xml - org.jasig.cas + org.jasig.cas.client cas-client-support-saml ${java.cas.client.version} @@ -46,7 +46,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis ```xml - org.jasig.cas + org.jasig.cas.client cas-client-support-distributed-ehcache ${java.cas.client.version} @@ -56,7 +56,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis ```xml - org.jasig.cas + org.jasig.cas.client cas-client-support-distributed-memcached ${java.cas.client.version} @@ -66,7 +66,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis ```xml - org.jasig.cas + org.jasig.cas.client cas-client-integration-atlassian ${java.cas.client.version} @@ -76,7 +76,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis ```xml - org.jasig.cas + org.jasig.cas.client cas-client-integration-jboss ${java.cas.client.version} @@ -86,7 +86,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis ```xml - org.jasig.cas + org.jasig.cas.client cas-client-integration-tomcat-v6 ${java.cas.client.version} @@ -96,12 +96,21 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis ```xml - org.jasig.cas + org.jasig.cas.client cas-client-integration-tomcat-v7 ${java.cas.client.version} ``` +- Tomcat 8 is provided by this dependency: + +```xml + + org.jasig.cas.client + cas-client-integration-tomcat-v8 + ${java.cas.client.version} + +``` ## Configuration @@ -220,7 +229,7 @@ The SAML 1.1 `AuthenticationFilter` is what detects whether a user needs to be a | `encodeServiceUrl ` | Whether the client should auto encode the service url. Defaults to `true` | No -####org.jasig.cas.client.validation.Cas10TicketValidationFilter +#### org.jasig.cas.client.validation.Cas10TicketValidationFilter Validates tickets using the CAS 1.0 Protocol. ```xml @@ -421,12 +430,42 @@ Places the `Assertion` in a `ThreadLocal` for portions of the application that n ``` + +#### org.jasig.cas.client.util.ErrorRedirectFilter +Filters that redirects to the supplied url based on an exception. Exceptions and the urls are configured via init filter name/param values. + +| Property | Description | Required +|----------|-------|----------- +| `defaultErrorRedirectPage` | Default url to redirect to, in case no erorr matches are found. | Yes +| `java.lang.Exception` | Fully qualified exception name. Its value must be redirection url | No + + +```xml + + CAS Error Redirect Filter + org.jasig.cas.client.util.ErrorRedirectFilter + + java.lang.Exception + /error.jsp + + + defaultErrorRedirectPage + /defaulterror.jsp + + + + CAS Error Redirect Filter + /* + +``` + + ### Client Configuration Using Spring Configuration via Spring IoC will depend heavily on `DelegatingFilterProxy` class. For each filter that will be configured for CAS via Spring, a corresponding `DelegatingFilterProxy` is needed in the web.xml. -As the `SingleSignOutFilter`, `HttpServletRequestWrapperFilter` and `AssertionThreadLocalFilter` have no configuration options, we recommend you just configure them in the `web.xml` +As the `HttpServletRequestWrapperFilter` and `AssertionThreadLocalFilter` have no configuration options, we recommend you just configure them in the `web.xml` ```xml @@ -614,6 +653,10 @@ The `SingleSignOutFilter` can affect character encoding. This becomes most obvio CAS Single Sign Out Filter org.jasig.cas.client.session.SingleSignOutFilter + + casServerUrlPrefix + https://cas.example.com/cas + ... @@ -637,6 +680,10 @@ The `SingleSignOutFilter` can affect character encoding. This becomes most obvio artifactParameterName SAMLart + + casServerUrlPrefix + https://cas.example.com/cas + ... @@ -783,27 +830,27 @@ If you have any trouble, you can enable the log of cas in `jboss-logging.xml` by ``` - -## Tomcat 6/7 Integration + +## Tomcat 6/7/8 Integration The client supports container-based CAS authentication and authorization support for the Tomcat servlet container. Suppose a single Tomcat container hosts multiple Web applications with similar authentication and authorization needs. Prior to Tomcat container support, each application would require a similar configuration of CAS servlet filters and authorization configuration in the `web.xml` servlet descriptor. Using the new container-based authentication/authorization feature, a single CAS configuration can be applied to the container and leveraged by all Web applications hosted by the container. -CAS authentication support for Tomcat is based on the Tomcat-specific Realm component. The Realm component has a fairly broad surface area and RealmBase is provided as a convenient superclass for custom implementations; the CAS realm implementations derive from `RealmBase`. Unfortunately RealmBase and related components have proven to change over both major and minor number releases, which requires version-specific CAS components for integration. We have provided two packages with similar components with the hope of supporting all 6.x and 7.x versions. **No support for 5.x is provided.** +CAS authentication support for Tomcat is based on the Tomcat-specific Realm component. The Realm component has a fairly broad surface area and RealmBase is provided as a convenient superclass for custom implementations; the CAS realm implementations derive from `RealmBase`. Unfortunately RealmBase and related components have proven to change over both major and minor number releases, which requires version-specific CAS components for integration. We have provided 3 packages with similar components with the hope of supporting all 6.x, 7.x and 8.x versions. **No support for 5.x is provided.** ### Component Overview -In the following discussion of components, only the Tomcat 6.x components are mentioned. The Tomcat 7.0.x components have exactly the same name, but **are in the tomcat.v7 package**, e.g. `org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator`. +In the following discussion of components, only the Tomcat 8.x components are mentioned. The Tomcat 7.0.x and 6.0.x components have exactly the same name, but **are in the tomcat.v7 and tomcat.v6 packages**, e.g. `org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator` or `org.jasig.cas.client.tomcat.v6.Cas20CasAuthenticator`. #### Authenticators Authenticators are responsible for performing CAS authentication using a particular protocol. All protocols supported by the Jasig Java CAS client are supported: CAS 1.0, CAS 2.0, and SAML 1.1. The following components provide protocol-specific support: ``` -org.jasig.cas.client.tomcat.v6.Cas10CasAuthenticator -org.jasig.cas.client.tomcat.v6.Cas20CasAuthenticator -org.jasig.cas.client.tomcat.v6.Cas20ProxyCasAuthenticator -org.jasig.cas.client.tomcat.v6.Saml11Authenticator +org.jasig.cas.client.tomcat.v8.Cas10CasAuthenticator +org.jasig.cas.client.tomcat.v8.Cas20CasAuthenticator +org.jasig.cas.client.tomcat.v8.Cas20ProxyCasAuthenticator +org.jasig.cas.client.tomcat.v8.Saml11Authenticator ``` @@ -811,8 +858,8 @@ org.jasig.cas.client.tomcat.v6.Saml11Authenticator In terms of CAS configuration, Tomcat realms serve as containers for users and role definitions. The roles defined in a Tomcat realm may be referenced in the web.xml servlet descriptor to define authorization constraints on Web applications hosted by the container. Two sources of user/role data are supported: ``` -org.jasig.cas.client.tomcat.v6.PropertiesCasRealm -org.jasig.cas.client.tomcat.v6.AssertionCasRealm +org.jasig.cas.client.tomcat.v8.PropertiesCasRealm +org.jasig.cas.client.tomcat.v8.AssertionCasRealm ``` `PropertiesCasRealm` uses a Java properties file as a source of static user/role information. This component is conceptually similar to the `MemoryRealm` component that ships with Tomcat and defines user/role data via XML configuration. The PropertiesCasRealm is different in that it explicitly lacks support for passwords, which have no use with CAS. @@ -827,15 +874,15 @@ A number of Tomcat valves are provided to handle functionality outside Realms an Logout valves provide a way of destroying the CAS authentication state bound to the container for a particular user/session; the destruction of authenticated state is synonymous with logout for the container and its hosted applications. (Note this does not destroy the CAS SSO session.) The implementations provide various strategies to map a URI onto the state-destroying logout function. ``` -org.jasig.cas.client.tomcat.v6.StaticUriLogoutValve -org.jasig.cas.client.tomcat.v6.RegexUriLogoutValve +org.jasig.cas.client.tomcat.v8.StaticUriLogoutValve +org.jasig.cas.client.tomcat.v8.RegexUriLogoutValve ``` ##### SingleSignOutValve -The `org.jasig.cas.client.tomcat.v6.SingleSignOutValve` allows the container to participate in CAS single sign-out. In particular this valve handles the SAML LogoutRequest message sent from the CAS server that is delivered when the CAS SSO session ends. +The `org.jasig.cas.client.tomcat.v8.SingleSignOutValve` allows the container to participate in CAS single sign-out. In particular this valve handles the SAML LogoutRequest message sent from the CAS server that is delivered when the CAS SSO session ends. ##### ProxyCallbackValve -The `org.jasig.cas.client.tomcat.v6.ProxyCallbackValve` provides a handler for watching request URIs for requests that contain a proxy callback request in support of the CAS 2.0 protocol proxy feature. +The `org.jasig.cas.client.tomcat.v8.ProxyCallbackValve` provides a handler for watching request URIs for requests that contain a proxy callback request in support of the CAS 2.0 protocol proxy feature. ### Container Setup @@ -865,11 +912,11 @@ Alternatively, CAS configuration can be applied to individual Web applications t This example also configures the container for CAS single sign-out. --> @@ -888,11 +935,11 @@ Alternatively, CAS configuration can be applied to individual Web applications t --> @@ -910,11 +957,11 @@ The following example shows how to configure a Context for dynamic role data pro The attribute used for role data is "memberOf". --> ``` + +## Jetty Integration +Since version 3.4.2, the Java CAS Client supports Jetty container integration via the following module: + +```xml + + org.jasig.cas.client + cas-client-integration-jetty + ${cas-client.version} + +``` + +Both programmatic (embedded) and context configuration are supported. + +### Jetty Embedded Configuration +``` +# CAS configuration parameters +String hostName = "app.example.com"; +String casServerBaseUrl = "cas.example.com/cas"; +String casRoleAttribute = "memberOf"; +boolean casRenew = false; +int casTolerance = 5000; + +# Jetty wiring +WebAppContext context = new WebAppContext("/path/to/context", "contextPath"); +context.setTempDirectory("/tmp/jetty/work")); +context.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false"); +SessionCookieConfig config = context.getSessionHandler().getSessionManager().getSessionCookieConfig(); +config.setHttpOnly(true); +config.setSecure(true); +Saml11TicketValidator validator = new Saml11TicketValidator(casServerBaseUrl); +validator.setRenew(casRenew); +validator.setTolerance(casTolerance); +CasAuthenticator authenticator = new CasAuthenticator(); +authenticator.setRoleAttribute(casRoleAttribute); +authenticator.setServerNames(hostName); +authenticator.setTicketValidator(validator); +context.getSecurityHandler().setAuthenticator(authenticator); +``` + +### Jetty Context Configuration +```xml + + + + + / + /webapps/yourapp + + + + app.example.com + + + https://cas.example.com/cas + + + + + + + +``` + ## Atlassian Integration The clien includes Atlassian Confluence and JIRA support. Support is enabled by a custom CAS authenticator that extends the default authenticators. @@ -1079,6 +1190,10 @@ This configuration tested against the sample application that is included with S CAS Single Sign Out Filter org.jasig.cas.client.session.SingleSignOutFilter + + casServerUrlPrefix + https://cas.example.com/cas + diff --git a/cas-client-core/pom.xml b/cas-client-core/pom.xml index 441269d..ed838b2 100644 --- a/cas-client-core/pom.xml +++ b/cas-client-core/pom.xml @@ -5,7 +5,6 @@ cas-client 4.0.0 - org.jasig.cas.client cas-client-core jar Jasig CAS Client for Java - Core @@ -36,14 +35,6 @@ true - - commons-codec - commons-codec - 1.4 - jar - true - - org.springframework spring-beans diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationFilter.java b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationFilter.java index d5e7fe4..f460c88 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationFilter.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationFilter.java @@ -212,4 +212,10 @@ public class AuthenticationFilter extends AbstractCasFilter { final String requestUri = urlBuffer.toString(); return this.ignoreUrlPatternMatcherStrategyClass.matches(requestUri); } + + public final void setIgnoreUrlPatternMatcherStrategyClass( + final UrlPatternMatcherStrategy ignoreUrlPatternMatcherStrategyClass) { + this.ignoreUrlPatternMatcherStrategyClass = ignoreUrlPatternMatcherStrategyClass; + } + } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKey.java b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKey.java index da6a3a1..3e22b2e 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKey.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKey.java @@ -60,4 +60,9 @@ public final class ConfigurationKey { public E getDefaultValue() { return this.defaultValue; } + + @Override + public String toString() { + return getName(); + } } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java index 14ec120..109aadd 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java @@ -77,6 +77,5 @@ public interface ConfigurationKeys { ConfigurationKey ALLOWED_PROXY_CHAINS = new ConfigurationKey("allowedProxyChains", null); ConfigurationKey> TICKET_VALIDATOR_CLASS = new ConfigurationKey>("ticketValidatorClass", null); ConfigurationKey PROXY_CALLBACK_URL = new ConfigurationKey("proxyCallbackUrl", null); - ConfigurationKey FRONT_LOGOUT_PARAMETER_NAME = new ConfigurationKey("frontLogoutParameterName", "SAMLRequest"); ConfigurationKey RELAY_STATE_PARAMETER_NAME = new ConfigurationKey("relayStateParameterName", "RelayState"); } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategyName.java b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategyName.java index 2d3146f..b298d99 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategyName.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategyName.java @@ -62,7 +62,7 @@ public enum ConfigurationStrategyName { try { final Class clazz = Class.forName(value); - if (clazz.isAssignableFrom(ConfigurationStrategy.class)) { + if (ConfigurationStrategy.class.isAssignableFrom(clazz)) { return (Class) clazz; } } catch (final ClassNotFoundException e) { diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java index e80304a..21c770b 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java @@ -94,7 +94,9 @@ public final class Cas20ProxyRetriever implements ProxyRetriever { return null; } - return XmlUtils.getTextForElement(response, "proxyTicket"); + final String ticket = XmlUtils.getTextForElement(response, "proxyTicket"); + logger.debug("Got proxy ticket {}", ticket); + return ticket; } private URL constructUrl(final String proxyGrantingTicketId, final String targetService) { diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java index 5720a69..25d645c 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java @@ -46,7 +46,6 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter { if (!isIgnoreInitConfiguration()) { setArtifactParameterName(getString(ConfigurationKeys.ARTIFACT_PARAMETER_NAME)); setLogoutParameterName(getString(ConfigurationKeys.LOGOUT_PARAMETER_NAME)); - setFrontLogoutParameterName(getString(ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME)); setRelayStateParameterName(getString(ConfigurationKeys.RELAY_STATE_PARAMETER_NAME)); setCasServerUrlPrefix(getString(ConfigurationKeys.CAS_SERVER_URL_PREFIX)); HANDLER.setArtifactParameterOverPost(getBoolean(ConfigurationKeys.ARTIFACT_PARAMETER_OVER_POST)); @@ -63,11 +62,7 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter { public void setLogoutParameterName(final String name) { HANDLER.setLogoutParameterName(name); } - - public void setFrontLogoutParameterName(final String name) { - HANDLER.setFrontLogoutParameterName(name); - } - + public void setRelayStateParameterName(final String name) { HANDLER.setRelayStateParameterName(name); } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java index 5d07095..26932db 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java @@ -19,6 +19,7 @@ package org.jasig.cas.client.session; import java.util.Arrays; +import java.util.Collections; import java.util.List; import java.util.zip.Inflater; @@ -26,8 +27,8 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; +import javax.xml.bind.DatatypeConverter; -import org.apache.commons.codec.binary.Base64; import org.jasig.cas.client.Protocol; import org.jasig.cas.client.configuration.ConfigurationKeys; import org.jasig.cas.client.util.CommonUtils; @@ -56,12 +57,9 @@ public final class SingleSignOutHandler { /** The name of the artifact parameter. This is used to capture the session identifier. */ private String artifactParameterName = Protocol.CAS2.getArtifactParameterName(); - /** Parameter name that stores logout request for back channel SLO */ + /** Parameter name that stores logout request for SLO */ private String logoutParameterName = ConfigurationKeys.LOGOUT_PARAMETER_NAME.getDefaultValue(); - - /** Parameter name that stores logout request for front channel SLO */ - private String frontLogoutParameterName = ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME.getDefaultValue(); - + /** Parameter name that stores the state of the CAS server webflow for the callback */ private String relayStateParameterName = ConfigurationKeys.RELAY_STATE_PARAMETER_NAME.getDefaultValue(); @@ -74,7 +72,7 @@ public final class SingleSignOutHandler { private List safeParameters; - private LogoutStrategy logoutStrategy = isServlet30() ? new Servlet30LogoutStrategy() : new Servlet25LogoutStrategy(); + private final LogoutStrategy logoutStrategy = isServlet30() ? new Servlet30LogoutStrategy() : new Servlet25LogoutStrategy(); public void setSessionMappingStorage(final SessionMappingStorage storage) { this.sessionMappingStorage = storage; @@ -96,7 +94,7 @@ public final class SingleSignOutHandler { } /** - * @param name Name of parameter containing CAS logout request message for back channel SLO. + * @param name Name of parameter containing CAS logout request message for SLO. */ public void setLogoutParameterName(final String name) { this.logoutParameterName = name; @@ -108,14 +106,7 @@ public final class SingleSignOutHandler { public void setCasServerUrlPrefix(final String casServerUrlPrefix) { this.casServerUrlPrefix = casServerUrlPrefix; } - - /** - * @param name Name of parameter containing CAS logout request message for front channel SLO. - */ - public void setFrontLogoutParameterName(final String name) { - this.frontLogoutParameterName = name; - } - + /** * @param name Name of parameter containing the state of the CAS server webflow. */ @@ -134,7 +125,6 @@ public final class SingleSignOutHandler { if (this.safeParameters == null) { CommonUtils.assertNotNull(this.artifactParameterName, "artifactParameterName cannot be null."); CommonUtils.assertNotNull(this.logoutParameterName, "logoutParameterName cannot be null."); - CommonUtils.assertNotNull(this.frontLogoutParameterName, "frontLogoutParameterName cannot be null."); CommonUtils.assertNotNull(this.sessionMappingStorage, "sessionMappingStorage cannot be null."); CommonUtils.assertNotNull(this.relayStateParameterName, "relayStateParameterName cannot be null."); CommonUtils.assertNotNull(this.casServerUrlPrefix, "casServerUrlPrefix cannot be null."); @@ -146,7 +136,7 @@ public final class SingleSignOutHandler { if (this.artifactParameterOverPost) { this.safeParameters = Arrays.asList(this.logoutParameterName, this.artifactParameterName); } else { - this.safeParameters = Arrays.asList(this.logoutParameterName); + this.safeParameters = Collections.singletonList(this.logoutParameterName); } } } @@ -164,32 +154,25 @@ public final class SingleSignOutHandler { } /** - * Determines whether the given request is a CAS back channel logout request. + * Determines whether the given request is a CAS logout request. * * @param request HTTP request. * * @return True if request is logout request, false otherwise. */ - private boolean isBackChannelLogoutRequest(final HttpServletRequest request) { - return "POST".equals(request.getMethod()) - && !isMultipartRequest(request) - && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName, - this.safeParameters)); + private boolean isLogoutRequest(final HttpServletRequest request) { + if ("POST".equalsIgnoreCase(request.getMethod())) { + return !isMultipartRequest(request) + && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName, + this.safeParameters)); + } + + if ("GET".equalsIgnoreCase(request.getMethod())) { + return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters)); + } + return false; } - - /** - * Determines whether the given request is a CAS front channel logout request. Front Channel log out requests are only supported - * when the 'casServerUrlPrefix' value is set. - * - * @param request HTTP request. - * - * @return True if request is logout request, false otherwise. - */ - private boolean isFrontChannelLogoutRequest(final HttpServletRequest request) { - return "GET".equals(request.getMethod()) && CommonUtils.isNotBlank(this.casServerUrlPrefix) - && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.frontLogoutParameterName)); - } - + /** * Process a request regarding the SLO process: record the session or destroy it. * @@ -202,26 +185,15 @@ public final class SingleSignOutHandler { logger.trace("Received a token request"); recordSession(request); return true; - - } else if (isBackChannelLogoutRequest(request)) { - logger.trace("Received a back channel logout request"); + } + + if (isLogoutRequest(request)) { + logger.trace("Received a logout request"); destroySession(request); return false; - - } else if (isFrontChannelLogoutRequest(request)) { - logger.trace("Received a front channel logout request"); - destroySession(request); - // redirection url to the CAS server - final String redirectionUrl = computeRedirectionToServer(request); - if (redirectionUrl != null) { - CommonUtils.sendRedirect(response, redirectionUrl); - } - return false; - - } else { - logger.trace("Ignoring URI for logout: {}", request.getRequestURI()); - return true; - } + } + logger.trace("Ignoring URI for logout: {}", request.getRequestURI()); + return true; } /** @@ -244,7 +216,7 @@ public final class SingleSignOutHandler { try { this.sessionMappingStorage.removeBySessionById(session.getId()); } catch (final Exception e) { - // ignore if the session is already marked as invalid. Nothing we can do! + // ignore if the session is already marked as invalid. Nothing we can do! } sessionMappingStorage.addSessionById(token, session); } @@ -256,7 +228,7 @@ public final class SingleSignOutHandler { * @return the uncompressed logout message. */ private String uncompressLogoutMessage(final String originalMessage) { - final byte[] binaryMessage = Base64.decodeBase64(originalMessage); + final byte[] binaryMessage = DatatypeConverter.parseBase64Binary(originalMessage); Inflater decompresser = null; try { @@ -285,16 +257,17 @@ public final class SingleSignOutHandler { * @param request HTTP request containing a CAS logout message. */ private void destroySession(final HttpServletRequest request) { - final String logoutMessage; - // front channel logout -> the message needs to be base64 decoded + decompressed - if (isFrontChannelLogoutRequest(request)) { - logoutMessage = uncompressLogoutMessage(CommonUtils.safeGetParameter(request, - this.frontLogoutParameterName)); - } else { - logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters); + String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters); + if (CommonUtils.isBlank(logoutMessage)) { + logger.error("Could not locate logout message of the request from {}", this.logoutParameterName); + return; } + + if (!logoutMessage.contains("SessionIndex")) { + logoutMessage = uncompressLogoutMessage(logoutMessage); + } + logger.trace("Logout request:\n{}", logoutMessage); - final String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex"); if (CommonUtils.isNotBlank(token)) { final HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token); @@ -313,33 +286,6 @@ public final class SingleSignOutHandler { } } - /** - * Compute the redirection url to the CAS server when it's a front channel SLO - * (depending on the relay state parameter). - * - * @param request The HTTP request. - * @return the redirection url to the CAS server. - */ - private String computeRedirectionToServer(final HttpServletRequest request) { - final String relayStateValue = CommonUtils.safeGetParameter(request, this.relayStateParameterName); - // if we have a state value -> redirect to the CAS server to continue the logout process - if (CommonUtils.isNotBlank(relayStateValue)) { - final StringBuilder buffer = new StringBuilder(); - buffer.append(casServerUrlPrefix); - if (!this.casServerUrlPrefix.endsWith("/")) { - buffer.append("/"); - } - buffer.append("logout?_eventId=next&"); - buffer.append(this.relayStateParameterName); - buffer.append("="); - buffer.append(CommonUtils.urlEncode(relayStateValue)); - final String redirectUrl = buffer.toString(); - logger.debug("Redirection url to the CAS server: {}", redirectUrl); - return redirectUrl; - } - return null; - } - private boolean isMultipartRequest(final HttpServletRequest request) { return request.getContentType() != null && request.getContentType().toLowerCase().startsWith("multipart"); } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java b/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java index a95fb9a..7a11e8e 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java @@ -26,6 +26,8 @@ import java.net.URLEncoder; import java.util.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; + +import org.jasig.cas.client.Protocol; import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage; import org.jasig.cas.client.ssl.HttpURLConnectionFactory; import org.jasig.cas.client.ssl.HttpsURLConnectionFactory; @@ -57,10 +59,21 @@ public final class CommonUtils { private static final HttpURLConnectionFactory DEFAULT_URL_CONNECTION_FACTORY = new HttpsURLConnectionFactory(); + private static final String SERVICE_PARAMETER_NAMES; + private CommonUtils() { // nothing to do } + static { + final Set serviceParameterSet = new HashSet(4); + for (final Protocol protocol : Protocol.values()) { + serviceParameterSet.add(protocol.getServiceParameterName()); + } + SERVICE_PARAMETER_NAMES = serviceParameterSet.toString() + .replaceAll("\\[|\\]", "") + .replaceAll("\\s", ""); + } /** * Check whether the object is null or not. If it is, throw an exception and * display the message. @@ -122,7 +135,7 @@ public final class CommonUtils { * @return true if its null or length of 0, false otherwise. */ public static boolean isEmpty(final String string) { - return string == null || string.length() == 0; + return string == null || string.isEmpty(); } /** @@ -144,7 +157,7 @@ public final class CommonUtils { * @return true if its blank, false otherwise. */ public static boolean isBlank(final String string) { - return isEmpty(string) || string.trim().length() == 0; + return isEmpty(string) || string.trim().isEmpty(); } /** @@ -180,7 +193,7 @@ public final class CommonUtils { * @param value the value to encode. * @return the encoded value. */ - public static String urlEncode(String value) { + public static String urlEncode(final String value) { try { return URLEncoder.encode(value, "UTF-8"); } catch (final UnsupportedEncodingException e) { @@ -215,7 +228,7 @@ public final class CommonUtils { protected static String findMatchingServerName(final HttpServletRequest request, final String serverName) { final String[] serverNames = serverName.split(" "); - if (serverNames == null || serverNames.length == 0 || serverNames.length == 1) { + if (serverNames.length == 0 || serverNames.length == 1) { return serverName; } @@ -259,6 +272,30 @@ public final class CommonUtils { return serverPort == 80 || serverPort == 443; } + /** + * Constructs a service url from the HttpServletRequest or from the given + * serviceUrl. Prefers the serviceUrl provided if both a serviceUrl and a + * serviceName. Compiles a list of all service parameters for supported protocols + * and removes them all from the query string. + * + * @param request the HttpServletRequest + * @param response the HttpServletResponse + * @param service the configured service url (this will be used if not null) + * @param serverNames the server name to use to construct the service url if the service param is empty. Note, prior to CAS Client 3.3, this was a single value. + * As of 3.3, it can be a space-separated value. We keep it as a single value, but will convert it to an array internally to get the matching value. This keeps backward compatability with anything using this public + * method. + * @param artifactParameterName the artifact parameter name to remove (i.e. ticket) + * @param encode whether to encode the url or not (i.e. Jsession). + * @return the service url to use. + */ + @Deprecated + public static String constructServiceUrl(final HttpServletRequest request, final HttpServletResponse response, + final String service, final String serverNames, + final String artifactParameterName, final boolean encode) { + return constructServiceUrl(request, response, service, serverNames, SERVICE_PARAMETER_NAMES + , artifactParameterName, encode); + } + /** * Constructs a service url from the HttpServletRequest or from the given * serviceUrl. Prefers the serviceUrl provided if both a serviceUrl and a @@ -267,7 +304,7 @@ public final class CommonUtils { * @param request the HttpServletRequest * @param response the HttpServletResponse * @param service the configured service url (this will be used if not null) - * @param serverNames the server name to use to constuct the service url if the service param is empty. Note, prior to CAS Client 3.3, this was a single value. + * @param serverNames the server name to use to construct the service url if the service param is empty. Note, prior to CAS Client 3.3, this was a single value. * As of 3.3, it can be a space-separated value. We keep it as a single value, but will convert it to an array internally to get the matching value. This keeps backward compatability with anything using this public * method. * @param serviceParameterName the service parameter name to remove (i.e. service) @@ -286,7 +323,7 @@ public final class CommonUtils { final URIBuilder originalRequestUrl = new URIBuilder(request.getRequestURL().toString(), encode); originalRequestUrl.setParameters(request.getQueryString()); - URIBuilder builder = null; + final URIBuilder builder; boolean containsScheme = true; if (!serverName.startsWith("https://") && !serverName.startsWith("http://")) { @@ -305,9 +342,12 @@ public final class CommonUtils { builder.setEncodedPath(request.getRequestURI()); - for (final URIBuilder.BasicNameValuePair pair : originalRequestUrl.getQueryParams()) { - if (!pair.getName().equals(artifactParameterName) && !pair.getName().equals(serviceParameterName)) { - builder.addParameter(pair.getName(), pair.getValue()); + final List serviceParameterNames = Arrays.asList(serviceParameterName.split(",")); + if (!serviceParameterNames.isEmpty() && !originalRequestUrl.getQueryParams().isEmpty()) { + for (final URIBuilder.BasicNameValuePair pair : originalRequestUrl.getQueryParams()) { + if (!pair.getName().equals(artifactParameterName) && !serviceParameterNames.contains(pair.getName())) { + builder.addParameter(pair.getName(), pair.getValue()); + } } } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/util/ReflectUtils.java b/cas-client-core/src/main/java/org/jasig/cas/client/util/ReflectUtils.java index 1ec2116..8759593 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/util/ReflectUtils.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/ReflectUtils.java @@ -22,6 +22,7 @@ import java.beans.BeanInfo; import java.beans.IntrospectionException; import java.beans.Introspector; import java.beans.PropertyDescriptor; +import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; /** @@ -148,4 +149,35 @@ public final class ReflectUtils { throw new RuntimeException("Error setting property " + propertyName, e); } } + + /** + * Gets the value of the given declared field on the target object or any of its superclasses. + * + * @param fieldName Name of field to get. + * @param target Target object that possesses field. + * + * @return Field value. + */ + public static Object getField(final String fieldName, final Object target) { + Class clazz = target.getClass(); + Field field = null; + do { + try { + field = clazz.getDeclaredField(fieldName); + } catch (NoSuchFieldException e) { + clazz = clazz.getSuperclass(); + } + } while (field == null && clazz != null); + if (field == null) { + throw new IllegalArgumentException(fieldName + " does not exist on " + target); + } + try { + if (!field.isAccessible()) { + field.setAccessible(true); + } + return field.get(target); + } catch (Exception e) { + throw new IllegalArgumentException("Error getting field " + fieldName, e); + } + } } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/util/URIBuilder.java b/cas-client-core/src/main/java/org/jasig/cas/client/util/URIBuilder.java index ef0db52..7a6874a 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/util/URIBuilder.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/URIBuilder.java @@ -126,7 +126,7 @@ public final class URIBuilder { } catch (final UnsupportedEncodingException e) { LOGGER.error(e.getMessage(), e); } - return Collections.emptyList(); + return new ArrayList(); } /** @@ -238,8 +238,9 @@ public final class URIBuilder { return this.encode ? CommonUtils.urlEncode(fragment) : fragment; } - public void setEncode(boolean encode) { + public URIBuilder setEncode(boolean encode) { this.encode = encode; + return this; } /** @@ -469,6 +470,18 @@ public final class URIBuilder { return this; } + public URIBuilder setEncodedFragment(final String fragment) { + this.fragment = null; + this.encodedFragment = fragment; + return this; + } + + public URIBuilder setEncodedQuery(final String query) { + this.query = null; + this.encodedFragment = query; + return this; + } + public boolean isAbsolute() { return this.scheme != null; } @@ -531,6 +544,54 @@ public final class URIBuilder { return s; } + @Override + public boolean equals(final Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + + final URIBuilder that = (URIBuilder) o; + + if (port != that.port) return false; + if (encode != that.encode) return false; + if (scheme != null ? !scheme.equals(that.scheme) : that.scheme != null) return false; + if (encodedSchemeSpecificPart != null ? !encodedSchemeSpecificPart.equals(that.encodedSchemeSpecificPart) : that.encodedSchemeSpecificPart != null) + return false; + if (encodedAuthority != null ? !encodedAuthority.equals(that.encodedAuthority) : that.encodedAuthority != null) + return false; + if (userInfo != null ? !userInfo.equals(that.userInfo) : that.userInfo != null) return false; + if (encodedUserInfo != null ? !encodedUserInfo.equals(that.encodedUserInfo) : that.encodedUserInfo != null) + return false; + if (host != null ? !host.equals(that.host) : that.host != null) return false; + if (path != null ? !path.equals(that.path) : that.path != null) return false; + if (encodedPath != null ? !encodedPath.equals(that.encodedPath) : that.encodedPath != null) return false; + if (encodedQuery != null ? !encodedQuery.equals(that.encodedQuery) : that.encodedQuery != null) return false; + if (queryParams != null ? !queryParams.equals(that.queryParams) : that.queryParams != null) return false; + if (query != null ? !query.equals(that.query) : that.query != null) return false; + if (fragment != null ? !fragment.equals(that.fragment) : that.fragment != null) return false; + return !(encodedFragment != null ? !encodedFragment.equals(that.encodedFragment) : that.encodedFragment != null); + + } + + @Override + public int hashCode() { + int result = scheme != null ? scheme.hashCode() : 0; + result = 31 * result + (encodedSchemeSpecificPart != null ? encodedSchemeSpecificPart.hashCode() : 0); + result = 31 * result + (encodedAuthority != null ? encodedAuthority.hashCode() : 0); + result = 31 * result + (userInfo != null ? userInfo.hashCode() : 0); + result = 31 * result + (encodedUserInfo != null ? encodedUserInfo.hashCode() : 0); + result = 31 * result + (host != null ? host.hashCode() : 0); + result = 31 * result + port; + result = 31 * result + (path != null ? path.hashCode() : 0); + result = 31 * result + (encodedPath != null ? encodedPath.hashCode() : 0); + result = 31 * result + (encodedQuery != null ? encodedQuery.hashCode() : 0); + result = 31 * result + (queryParams != null ? queryParams.hashCode() : 0); + result = 31 * result + (query != null ? query.hashCode() : 0); + result = 31 * result + (encode ? 1 : 0); + result = 31 * result + (fragment != null ? fragment.hashCode() : 0); + result = 31 * result + (encodedFragment != null ? encodedFragment.hashCode() : 0); + return result; + } + public static class BasicNameValuePair implements Cloneable, Serializable { private static final long serialVersionUID = -6437800749411518984L; diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/validation/AssertionImpl.java b/cas-client-core/src/main/java/org/jasig/cas/client/validation/AssertionImpl.java index 86e286f..da40aba 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/AssertionImpl.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/AssertionImpl.java @@ -101,32 +101,39 @@ public final class AssertionImpl implements Assertion { CommonUtils.assertNotNull(this.attributes, "attributes cannot be null."); } + @Override public Date getAuthenticationDate() { return this.authenticationDate; } + @Override public Date getValidFromDate() { return this.validFromDate; } + @Override public Date getValidUntilDate() { return this.validUntilDate; } + @Override public Map getAttributes() { return this.attributes; } + @Override public AttributePrincipal getPrincipal() { return this.principal; } + @Override public boolean isValid() { if (this.validFromDate == null) { return true; } final Date now = new Date(); - return this.validFromDate.before(now) && (this.validUntilDate == null || this.validUntilDate.after(now)); + return (this.validFromDate.before(now) || this.validFromDate.equals(now)) + && (this.validUntilDate == null || this.validUntilDate.after(now) || this.validUntilDate.equals(now)); } } diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyReceivingTicketValidationFilter.java b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyReceivingTicketValidationFilter.java index 5fe1337..22cb830 100644 --- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyReceivingTicketValidationFilter.java +++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyReceivingTicketValidationFilter.java @@ -54,7 +54,7 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal TOLERANCE.getName(), IGNORE_PATTERN.getName(), IGNORE_URL_PATTERN_TYPE.getName(), HOSTNAME_VERIFIER.getName(), HOSTNAME_VERIFIER_CONFIG.getName(), EXCEPTION_ON_VALIDATION_FAILURE.getName(), REDIRECT_AFTER_VALIDATION.getName(), USE_SESSION.getName(), SECRET_KEY.getName(), CIPHER_ALGORITHM.getName(), PROXY_RECEPTOR_URL.getName(), PROXY_GRANTING_TICKET_STORAGE_CLASS.getName(), MILLIS_BETWEEN_CLEAN_UPS.getName(), ACCEPT_ANY_PROXY.getName(), ALLOWED_PROXY_CHAINS.getName(), TICKET_VALIDATOR_CLASS.getName(), - PROXY_CALLBACK_URL.getName(), FRONT_LOGOUT_PARAMETER_NAME.getName(), RELAY_STATE_PARAMETER_NAME.getName() + PROXY_CALLBACK_URL.getName(), RELAY_STATE_PARAMETER_NAME.getName() }; /** diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/configuration/ConfigurationStrategyNameTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/configuration/ConfigurationStrategyNameTests.java index 5c2da1e..449ace5 100644 --- a/cas-client-core/src/test/java/org/jasig/cas/client/configuration/ConfigurationStrategyNameTests.java +++ b/cas-client-core/src/test/java/org/jasig/cas/client/configuration/ConfigurationStrategyNameTests.java @@ -20,6 +20,9 @@ package org.jasig.cas.client.configuration; import org.junit.Test; +import javax.servlet.Filter; +import javax.servlet.FilterConfig; + import static org.junit.Assert.*; public final class ConfigurationStrategyNameTests { @@ -33,4 +36,22 @@ public final class ConfigurationStrategyNameTests { assertEquals(LegacyConfigurationStrategyImpl.class, ConfigurationStrategyName.resolveToConfigurationStrategy(ConfigurationStrategyName.DEFAULT.name())); assertEquals(LegacyConfigurationStrategyImpl.class, ConfigurationStrategyName.resolveToConfigurationStrategy("bleh!")); } + + + @Test + public void resolveToClass() { + assertEquals(TestClass.class, ConfigurationStrategyName.resolveToConfigurationStrategy(TestClass.class.getName())); + } + + private class TestClass extends BaseConfigurationStrategy { + + @Override + protected String get(ConfigurationKey configurationKey) { + return null; + } + + public void init(FilterConfig filterConfig, Class filterClazz) { + + } + } } diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/session/LogoutMessageGenerator.java b/cas-client-core/src/test/java/org/jasig/cas/client/session/LogoutMessageGenerator.java index 861fffc..84b9a8d 100644 --- a/cas-client-core/src/test/java/org/jasig/cas/client/session/LogoutMessageGenerator.java +++ b/cas-client-core/src/test/java/org/jasig/cas/client/session/LogoutMessageGenerator.java @@ -18,12 +18,11 @@ */ package org.jasig.cas.client.session; +import javax.xml.bind.DatatypeConverter; import java.nio.charset.Charset; import java.util.Date; import java.util.zip.Deflater; -import org.apache.commons.codec.binary.Base64; - /** * Logout message generator to perform tests on Single Sign Out feature. * Greatly inspired by the source code in the CAS server itself. @@ -51,6 +50,6 @@ public final class LogoutMessageGenerator { final int resultSize = deflater.deflate(buffer); final byte[] output = new byte[resultSize]; System.arraycopy(buffer, 0, output, 0, resultSize); - return Base64.encodeBase64String(output); + return DatatypeConverter.printBase64Binary(output); } } diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutFilterTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutFilterTests.java index 93fd665..a5af91a 100644 --- a/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutFilterTests.java +++ b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutFilterTests.java @@ -87,8 +87,8 @@ public class SingleSignOutFilterTests { @Test public void frontChannelRequest() throws IOException, ServletException { final String logoutMessage = LogoutMessageGenerator.generateFrontChannelLogoutMessage(TICKET); - request.setParameter(ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME.getDefaultValue(), logoutMessage); - request.setQueryString(ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME.getDefaultValue() + "=" + logoutMessage); + request.setParameter(ConfigurationKeys.LOGOUT_PARAMETER_NAME.getDefaultValue(), logoutMessage); + request.setQueryString(ConfigurationKeys.LOGOUT_PARAMETER_NAME.getDefaultValue() + "=" + logoutMessage); request.setMethod("GET"); final MockHttpSession session = new MockHttpSession(); SingleSignOutFilter.getSingleSignOutHandler().getSessionMappingStorage().addSessionById(TICKET, session); @@ -100,16 +100,14 @@ public class SingleSignOutFilterTests { @Test public void frontChannelRequestRelayState() throws IOException, ServletException { final String logoutMessage = LogoutMessageGenerator.generateFrontChannelLogoutMessage(TICKET); - request.setParameter(ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME.getDefaultValue(), logoutMessage); + request.setParameter(ConfigurationKeys.LOGOUT_PARAMETER_NAME.getDefaultValue(), logoutMessage); request.setParameter(ConfigurationKeys.RELAY_STATE_PARAMETER_NAME.getDefaultValue(), RELAY_STATE); - request.setQueryString(ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME.getDefaultValue() + "=" + logoutMessage + "&" + + request.setQueryString(ConfigurationKeys.LOGOUT_PARAMETER_NAME.getDefaultValue() + "=" + logoutMessage + "&" + ConfigurationKeys.RELAY_STATE_PARAMETER_NAME.getDefaultValue() + "=" + RELAY_STATE); request.setMethod("GET"); final MockHttpSession session = new MockHttpSession(); SingleSignOutFilter.getSingleSignOutHandler().getSessionMappingStorage().addSessionById(TICKET, session); filter.doFilter(request, response, filterChain); assertNull(SingleSignOutFilter.getSingleSignOutHandler().getSessionMappingStorage().removeSessionByMappingId(TICKET)); - assertEquals(CAS_SERVER_URL_PREFIX + "/logout?_eventId=next&" + - ConfigurationKeys.RELAY_STATE_PARAMETER_NAME.getDefaultValue() + "=" + RELAY_STATE, response.getRedirectedUrl()); } } diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java index 365a25e..164a362 100644 --- a/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java +++ b/cas-client-core/src/test/java/org/jasig/cas/client/session/SingleSignOutHandlerTests.java @@ -31,7 +31,6 @@ import org.springframework.mock.web.MockHttpSession; /** * @author Matt Brown - * @version $Revision$ $Date$ * @since 3.2.1 */ public final class SingleSignOutHandlerTests { @@ -39,9 +38,8 @@ public final class SingleSignOutHandlerTests { private final static String ANOTHER_PARAMETER = "anotherParameter"; private final static String TICKET = "ST-xxxxxxxx"; private final static String URL = "http://mycasserver"; - private final static String LOGOUT_PARAMETER_NAME = "logoutRequest2"; - private final static String FRONT_LOGOUT_PARAMETER_NAME = "SAMLRequest2"; - private final static String RELAY_STATE_PARAMETER_NAME = "RelayState2"; + private final static String LOGOUT_PARAMETER_NAME = "logoutRequest"; + private final static String RELAY_STATE_PARAMETER_NAME = "RelayState"; private final static String ARTIFACT_PARAMETER_NAME = "ticket2"; private SingleSignOutHandler handler; @@ -52,7 +50,6 @@ public final class SingleSignOutHandlerTests { public void setUp() throws Exception { handler = new SingleSignOutHandler(); handler.setLogoutParameterName(LOGOUT_PARAMETER_NAME); - handler.setFrontLogoutParameterName(FRONT_LOGOUT_PARAMETER_NAME); handler.setRelayStateParameterName(RELAY_STATE_PARAMETER_NAME); handler.setArtifactParameterName(ARTIFACT_PARAMETER_NAME); handler.setCasServerUrlPrefix(URL); @@ -143,8 +140,8 @@ public final class SingleSignOutHandlerTests { @Test public void frontChannelLogoutFailsIfNoSessionIndex() { final String logoutMessage = LogoutMessageGenerator.generateFrontChannelLogoutMessage(""); - request.setParameter(FRONT_LOGOUT_PARAMETER_NAME, logoutMessage); - request.setQueryString(FRONT_LOGOUT_PARAMETER_NAME + "=" + logoutMessage); + request.setParameter(LOGOUT_PARAMETER_NAME, logoutMessage); + request.setQueryString(LOGOUT_PARAMETER_NAME + "=" + logoutMessage); request.setMethod("GET"); final MockHttpSession session = new MockHttpSession(); handler.getSessionMappingStorage().addSessionById(TICKET, session); @@ -155,8 +152,8 @@ public final class SingleSignOutHandlerTests { @Test public void frontChannelLogoutOK() { final String logoutMessage = LogoutMessageGenerator.generateFrontChannelLogoutMessage(TICKET); - request.setParameter(FRONT_LOGOUT_PARAMETER_NAME, logoutMessage); - request.setQueryString(FRONT_LOGOUT_PARAMETER_NAME + "=" + logoutMessage); + request.setParameter(LOGOUT_PARAMETER_NAME, logoutMessage); + request.setQueryString(LOGOUT_PARAMETER_NAME + "=" + logoutMessage); request.setMethod("GET"); final MockHttpSession session = new MockHttpSession(); handler.getSessionMappingStorage().addSessionById(TICKET, session); @@ -168,15 +165,13 @@ public final class SingleSignOutHandlerTests { @Test public void frontChannelLogoutRelayStateOK() { final String logoutMessage = LogoutMessageGenerator.generateFrontChannelLogoutMessage(TICKET); - request.setParameter(FRONT_LOGOUT_PARAMETER_NAME, logoutMessage); + request.setParameter(LOGOUT_PARAMETER_NAME, logoutMessage); request.setParameter(RELAY_STATE_PARAMETER_NAME, TICKET); - request.setQueryString(FRONT_LOGOUT_PARAMETER_NAME + "=" + logoutMessage + "&" + RELAY_STATE_PARAMETER_NAME + "=" + TICKET); + request.setQueryString(LOGOUT_PARAMETER_NAME + "=" + logoutMessage + "&" + RELAY_STATE_PARAMETER_NAME + "=" + TICKET); request.setMethod("GET"); final MockHttpSession session = new MockHttpSession(); handler.getSessionMappingStorage().addSessionById(TICKET, session); assertFalse(handler.process(request, response)); assertTrue(session.isInvalid()); - assertEquals(URL + "/logout?_eventId=next&" + RELAY_STATE_PARAMETER_NAME + "=" + TICKET, - response.getRedirectedUrl()); } } diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/util/CommonUtilsTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/util/CommonUtilsTests.java index aaac4e6..b2a9d13 100644 --- a/cas-client-core/src/test/java/org/jasig/cas/client/util/CommonUtilsTests.java +++ b/cas-client-core/src/test/java/org/jasig/cas/client/util/CommonUtilsTests.java @@ -152,6 +152,20 @@ public final class CommonUtilsTests extends TestCase { assertEquals("https://www.myserver.com/hello/hithere/?custom=custom", constructedUrl); } + public void testConstructServiceUrlWithParamsCasAndServerNameWithSchema() { + final String CONST_MY_URL = "https://www.myserver.com/hello/hithere/"; + final MockHttpServletRequest request = new MockHttpServletRequest("GET", "/hello/hithere/"); + request.setScheme("https"); + request.setSecure(true); + request.setQueryString("service=this&ticket=that&custom=custom"); + + final MockHttpServletResponse response = new MockHttpServletResponse(); + final String constructedUrl = CommonUtils.constructServiceUrl(request, response, null, "https://www.myserver.com", + Protocol.CAS3.getServiceParameterName(), Protocol.CAS3.getArtifactParameterName() , false); + + assertEquals("https://www.myserver.com/hello/hithere/?custom=custom", constructedUrl); + } + public void testConstructServiceUrlWithParamsSaml() { final String CONST_MY_URL = "https://www.myserver.com/hello/hithere/"; @@ -181,6 +195,20 @@ public final class CommonUtilsTests extends TestCase { assertEquals("https://www.myserver.com/hello/hithere/?custom=custom", constructedUrl); } + public void testConstructServiceUrlWithNoServiceParametersPassed() { + final String CONST_MY_URL = "https://www.myserver.com/hello/hithere/"; + final MockHttpServletRequest request = new MockHttpServletRequest("GET", "/hello/hithere/"); + request.setScheme("https"); + request.setSecure(true); + request.setQueryString("TARGET=Test1&service=Test2&custom=custom"); + + final MockHttpServletResponse response = new MockHttpServletResponse(); + final String constructedUrl = CommonUtils.constructServiceUrl(request, response, null, "www.myserver.com", + Protocol.SAML11.getArtifactParameterName() , true); + + assertEquals("https://www.myserver.com/hello/hithere/?custom=custom", constructedUrl); + } + public void testConstructServiceUrlWithEncodedParams2Saml() { final String CONST_MY_URL = "https://www.myserver.com/hello/hithere/"; final MockHttpServletRequest request = new MockHttpServletRequest("GET", "/hello/hithere/"); diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/util/ReflectUtilsTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/util/ReflectUtilsTests.java index d39e3bb..57d741c 100644 --- a/cas-client-core/src/test/java/org/jasig/cas/client/util/ReflectUtilsTests.java +++ b/cas-client-core/src/test/java/org/jasig/cas/client/util/ReflectUtilsTests.java @@ -54,6 +54,18 @@ public class ReflectUtilsTests extends TestCase { assertTrue(bean.isFlag()); } + public void testGetField() { + final TestBean bean = new TestBean(); + bean.setName("bob"); + assertEquals(bean.getName(), ReflectUtils.getField("name", bean)); + } + + public void testGetFieldSuperclass() { + final TestSubBean bean = new TestSubBean(); + bean.setName("bob"); + assertEquals(bean.getName(), ReflectUtils.getField("name", bean)); + } + static class TestBean { private int count; private boolean flag; @@ -102,4 +114,16 @@ public class ReflectUtilsTests extends TestCase { } } + + static class TestSubBean extends TestBean { + private String state; + + public String getState() { + return state; + } + + public void setState(String state) { + this.state = state; + } + } } diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/util/URIBuilderTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/util/URIBuilderTests.java new file mode 100644 index 0000000..e41ca27 --- /dev/null +++ b/cas-client-core/src/test/java/org/jasig/cas/client/util/URIBuilderTests.java @@ -0,0 +1,334 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +/* + + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + + */ + +package org.jasig.cas.client.util; + +import org.junit.Test; + +import java.net.URI; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import static org.junit.Assert.*; + +/** + * @author Misagh Moayyed + */ +public class URIBuilderTests { + + @Test + public void allPartsUsed() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .setCustomQuery("hello=world") + .setFragment("foo"); + assertEquals("http://apache.org/shindig?hello=world#foo", builder.toString()); + } + + @Test + public void noSchemeUsed() { + URIBuilder builder = new URIBuilder() + .setHost("apache.org") + .setPath("/shindig") + .setCustomQuery("hello=world") + .setFragment("foo"); + assertEquals("//apache.org/shindig?hello=world#foo", builder.toString()); + } + + @Test + public void noAuthorityUsed() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setPath("/shindig") + .setCustomQuery("hello=world") + .setFragment("foo"); + assertEquals("http:/shindig?hello=world#foo", builder.toString()); + } + + @Test + public void noPathUsed() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setCustomQuery("hello=world") + .setFragment("foo"); + assertEquals("http://apache.org?hello=world#foo", builder.toString()); + } + + @Test + public void noQueryUsed() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .setFragment("foo"); + assertEquals("http://apache.org/shindig#foo", builder.toString()); + } + + @Test + public void noFragmentUsed() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .setCustomQuery("hello=world"); + assertEquals("http://apache.org/shindig?hello=world", builder.toString()); + } + + @Test + public void hostRelativePaths() { + URIBuilder builder = new URIBuilder() + .setPath("/shindig") + .setCustomQuery("hello=world") + .setFragment("foo"); + assertEquals("/shindig?hello=world#foo", builder.toString()); + } + + @Test + public void relativePaths() { + URIBuilder builder = new URIBuilder() + .setPath("foo") + .setCustomQuery("hello=world") + .setFragment("foo"); + assertEquals("foo?hello=world#foo", builder.toString()); + } + + @Test + public void noPathNoHostNoAuthority() { + URIBuilder builder = new URIBuilder() + .setCustomQuery("hello=world") + .setFragment("foo"); + assertEquals("?hello=world#foo", builder.toString()); + } + + @Test + public void justSchemeAndAuthority() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org"); + assertEquals("http://apache.org", builder.toString()); + } + + @Test + public void justPath() { + URIBuilder builder = new URIBuilder() + .setPath("/shindig"); + assertEquals("/shindig", builder.toString()); + } + + @Test + public void justAuthorityAndPath() { + URIBuilder builder = new URIBuilder() + .setHost("apache.org") + .setPath("/shindig"); + assertEquals("//apache.org/shindig", builder.toString()); + } + + @Test + public void justQuery() { + URIBuilder builder = new URIBuilder() + .setCustomQuery("hello=world"); + assertEquals("?hello=world", builder.toString()); + } + + @Test + public void justFragment() { + URIBuilder builder = new URIBuilder() + .setFragment("foo"); + assertEquals("#foo", builder.toString()); + } + + @Test + public void addSingleQueryParameter() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .addParameter("hello", "world") + .setFragment("foo"); + assertEquals("http://apache.org/shindig?hello=world#foo", builder.toString()); + } + + @Test + public void addTwoQueryParameters() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .addParameter("hello", "world") + .addParameter("foo", "bar") + .setFragment("foo"); + assertEquals("http://apache.org/shindig?hello=world&foo=bar#foo", builder.toString()); + } + + @Test + public void iterableQueryParameters() { + List list = new ArrayList(); + list.add(new URIBuilder.BasicNameValuePair("hello", "world")); + list.add(new URIBuilder.BasicNameValuePair("hello", "monde")); + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .addParameters(list) + .setFragment("foo"); + assertEquals("http://apache.org/shindig?hello=world&hello=monde#foo", builder.toString()); + } + + @Test + public void removeQueryParameter() { + URIBuilder uri = new URIBuilder("http://www.example.com/foo?bar=baz&quux=baz"); + uri.removeQuery(); + assertEquals("http://www.example.com/foo", uri.toString()); + } + + @Test + public void addIdenticalParameters() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .addParameter("hello", "world") + .addParameter("hello", "goodbye") + .setFragment("foo"); + assertEquals("http://apache.org/shindig?hello=world&hello=goodbye#foo", builder.toString()); + } + + @Test + public void queryStringIsUnescaped() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .setCustomQuery("hello+world=world%26bar"); + assertEquals("world&bar", builder.build().getQuery().split("=")[1]); + } + + @Test + public void queryParamsAreEscaped() { + URIBuilder builder = new URIBuilder(true) + .setScheme("http") + .setHost("apache.org") + .setEncodedPath("/shindig") + .addParameter("hello world", "foo&bar") + .setFragment("foo"); + assertEquals("http://apache.org/shindig?hello+world=foo%26bar#foo", builder.toString()); + assertEquals("hello+world=foo&bar", builder.build().getQuery()); + } + + @Test + public void addSingleFragmentParameter() { + URIBuilder builder = new URIBuilder() + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .setFragment("hello=world") + .setCustomQuery("foo"); + assertEquals("http://apache.org/shindig?foo#hello=world", builder.toString()); + } + + @Test + public void fragmentStringIsUnescaped() { + URIBuilder builder = new URIBuilder(true) + .setScheme("http") + .setHost("apache.org") + .setPath("/shindig") + .setEncodedFragment("hello+world=world%26bar"); + + assertEquals("world&bar", builder.build().getFragment().split("=")[1]); + } + + @Test + public void parse() { + URIBuilder builder = new URIBuilder() + .digestURI(URI.create("http://apache.org/shindig?foo=bar%26baz&foo=three#blah")); + + assertEquals("http", builder.getScheme()); + assertEquals("apache.org", builder.getHost()); + assertEquals("/shindig", builder.getPath()); + + List list = builder.getQueryParams(); + for (URIBuilder.BasicNameValuePair pair : list) { + assertEquals(pair.getName(), "foo"); + assertTrue(pair.getValue().equals("three") || pair.getValue().equals("bar")); + } + assertEquals(list.size(), 2); + assertEquals("blah", builder.getFragment()); + } + + @Test + public void constructFromUriAndBack() { + URI uri = URI.create("http://apache.org/foo/bar?foo=bar&a=b&c=d&y=z&foo=zoo#foo"); + URIBuilder builder = new URIBuilder(uri); + + assertEquals(uri, builder.build()); + } + + @Test + public void constructFromUriAndModify() { + URI uri = URI.create("http://apache.org/foo/bar?foo=bar#foo"); + URIBuilder builder = new URIBuilder(uri); + + builder.setHost("example.org"); + builder.addParameter("bar", "foo"); + + assertEquals("http://example.org/foo/bar?foo=bar&bar=foo#foo", builder.toString()); + } + + @Test + public void equalsAndHashCodeOk() { + URIBuilder uri = new URIBuilder().digestURI(URI.create("http://example.org/foo/bar/baz?blah=blah#boo")); + URIBuilder uri2 = new URIBuilder(URI.create("http://example.org/foo/bar/baz?blah=blah#boo")); + + assertEquals(uri, uri2); + assertEquals(uri2, uri); + + assertEquals(uri, uri); + + assertNotNull(uri); + assertNotSame(uri, "http://example.org/foo/bar/baz?blah=blah#boo"); + assertNotSame(uri, URI.create("http://example.org/foo/bar/baz?blah=blah#boo")); + assertEquals(uri.hashCode(), uri2.hashCode()); + } + + +} diff --git a/cas-client-core/src/test/java/org/jasig/cas/client/validation/AssertionImplTests.java b/cas-client-core/src/test/java/org/jasig/cas/client/validation/AssertionImplTests.java index de6e856..335dbe6 100644 --- a/cas-client-core/src/test/java/org/jasig/cas/client/validation/AssertionImplTests.java +++ b/cas-client-core/src/test/java/org/jasig/cas/client/validation/AssertionImplTests.java @@ -18,6 +18,7 @@ */ package org.jasig.cas.client.validation; +import java.util.Date; import java.util.HashMap; import java.util.Map; import junit.framework.TestCase; @@ -49,6 +50,11 @@ public final class AssertionImplTests extends TestCase { assertNull(assertion.getPrincipal().getProxyTicketFor("test")); } + public void testAssertionValidity() throws Exception { + final Assertion assertion = new AssertionImpl(CONST_PRINCIPAL, new Date(), new Date(), new Date(), CONST_ATTRIBUTES); + assertTrue(assertion.isValid()); + } + public void testCompleteConstructor() { final Assertion assertion = new AssertionImpl(CONST_PRINCIPAL, CONST_ATTRIBUTES); diff --git a/cas-client-integration-atlassian/pom.xml b/cas-client-integration-atlassian/pom.xml index df787e6..9c1c7b0 100644 --- a/cas-client-integration-atlassian/pom.xml +++ b/cas-client-integration-atlassian/pom.xml @@ -5,7 +5,6 @@ cas-client 4.0.0 - org.jasig.cas.client cas-client-integration-atlassian jar Jasig CAS Client for Java - Atlassian Integration diff --git a/cas-client-integration-jboss/pom.xml b/cas-client-integration-jboss/pom.xml index 1e97cd9..2cf256d 100644 --- a/cas-client-integration-jboss/pom.xml +++ b/cas-client-integration-jboss/pom.xml @@ -5,7 +5,6 @@ cas-client 4.0.0 - org.jasig.cas.client cas-client-integration-jboss jar Jasig CAS Client for Java - JBoss Integration diff --git a/cas-client-integration-jetty/pom.xml b/cas-client-integration-jetty/pom.xml new file mode 100644 index 0000000..2faefd2 --- /dev/null +++ b/cas-client-integration-jetty/pom.xml @@ -0,0 +1,72 @@ + + + + cas-client + org.jasig.cas.client + 3.5.0-SNAPSHOT + + 4.0.0 + + cas-client-integration-jetty + jar + Jasig CAS Client for Java - Jetty Container Integration + + + + 9.2.14.v20151106 + + + + + org.jasig.cas.client + cas-client-core + ${project.version} + + + org.eclipse.jetty + jetty-security + ${jetty.version} + + + + + org.jasig.cas.client + cas-client-core + ${project.version} + test-jar + test + + + org.eclipse.jetty + jetty-webapp + ${jetty.version} + test + + + org.eclipse.jetty + jetty-plus + ${jetty.version} + test + + + org.eclipse.jetty + jetty-annotations + ${jetty.version} + test + + + org.eclipse.jetty + apache-jsp + ${jetty.version} + test + + + javax.servlet + javax.servlet-api + 3.1.0 + provided + + + + + diff --git a/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthentication.java b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthentication.java new file mode 100644 index 0000000..831ec75 --- /dev/null +++ b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthentication.java @@ -0,0 +1,46 @@ +package org.jasig.cas.client.jetty; + +import org.eclipse.jetty.security.UserAuthentication; +import org.jasig.cas.client.util.CommonUtils; +import org.jasig.cas.client.validation.Assertion; + +/** + * CAS-specific user authentication. + * + * @author Marvin S. Addison + */ +public class CasAuthentication extends UserAuthentication { + + /** CAS authenticator that produced this authentication. */ + private final CasAuthenticator authenticator; + + /** CAS ticket that was successfully validated to permit authentication. */ + private final String ticket; + + + /** + * Creates a new instance. + * + * @param authenticator The authenticator that produced this authentication. + * @param ticket The CAS ticket that was successfully validated to permit authentication. + * @param assertion The CAS assertion produced from successful ticket validation. + */ + public CasAuthentication(final CasAuthenticator authenticator, final String ticket, final Assertion assertion) { + super(authenticator.getAuthMethod(), new CasUserIdentity(assertion, authenticator.getRoleAttribute())); + CommonUtils.assertNotNull(ticket, "Ticket cannot be null"); + CommonUtils.assertNotNull(authenticator, "CasAuthenticator cannot be null"); + this.authenticator = authenticator; + this.ticket = ticket; + } + + /** @return The CAS ticket that was successfully validated to permit authentication. */ + public String getTicket() { + return ticket; + } + + @Override + public void logout() { + super.logout(); + this.authenticator.clearCachedAuthentication(ticket); + } +} diff --git a/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java new file mode 100644 index 0000000..21d4c51 --- /dev/null +++ b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasAuthenticator.java @@ -0,0 +1,248 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.jetty; + +import org.eclipse.jetty.security.Authenticator; +import org.eclipse.jetty.security.ServerAuthException; +import org.eclipse.jetty.server.Authentication; +import org.eclipse.jetty.util.component.AbstractLifeCycle; +import org.jasig.cas.client.Protocol; +import org.jasig.cas.client.util.CommonUtils; +import org.jasig.cas.client.util.ReflectUtils; +import org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator; +import org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator; +import org.jasig.cas.client.validation.Assertion; +import org.jasig.cas.client.validation.TicketValidator; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import java.io.IOException; +import java.lang.ref.WeakReference; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.ConcurrentMap; + +/** + * Jetty authenticator component for container-managed CAS authentication. + *

NOTE: This component does not support CAS gateway mode.

+ * + * @author Marvin S. Addison + * @since 3.4.2 + */ +public class CasAuthenticator extends AbstractLifeCycle implements Authenticator { + + /** Name of authentication method provided by this authenticator. */ + public static final String AUTH_METHOD = "CAS"; + + /** Session attribute used to cache CAS authentication data. */ + private static final String CACHED_AUTHN_ATTRIBUTE = "org.jasig.cas.client.jetty.Authentication"; + + /** Logger instance. */ + private final Logger logger = LoggerFactory.getLogger(CasAuthenticator.class); + + /** Map of tickets to sessions. */ + private final ConcurrentMap> sessionMap = + new ConcurrentHashMap>(); + + /** CAS ticket validator component. */ + private TicketValidator ticketValidator; + + /** Space-delimited list of server names. */ + private String serverNames; + + /** CAS principal attribute containing role data. */ + private String roleAttribute; + + /** URL to /login URI on CAS server. */ + private String casServerLoginUrl; + + /** Protocol used by ticket validator. */ + private Protocol protocol; + + /** CAS renew parameter. */ + private boolean renew; + + + /** + * Sets the CAS ticket validator component. + * + * @param ticketValidator Ticket validator, MUST NOT be null. + */ + public void setTicketValidator(final TicketValidator ticketValidator) { + CommonUtils.assertNotNull(ticketValidator, "TicketValidator cannot be null"); + if (ticketValidator instanceof AbstractUrlBasedTicketValidator) { + if (ticketValidator instanceof AbstractCasProtocolUrlBasedTicketValidator) { + protocol = Protocol.CAS2; + } else { + protocol = Protocol.SAML11; + } + casServerLoginUrl = ReflectUtils.getField("casServerUrlPrefix", ticketValidator) + "/login"; + renew = (Boolean) ReflectUtils.getField("renew", ticketValidator); + } else { + throw new IllegalArgumentException("Unsupported ticket validator " + ticketValidator); + } + this.ticketValidator = ticketValidator; + } + + /** + * Sets the names of the server host running Jetty. + * + * @param nameList Space-delimited list of one or more server names, e.g. "www1.example.com www2.example.com". + * MUST NOT be blank. + */ + public void setServerNames(final String nameList) { + CommonUtils.isNotBlank(nameList); + this.serverNames = nameList; + } + + /** @return The name of the CAS principal attribute that contains role data. */ + public String getRoleAttribute() { + return roleAttribute; + } + + /** + * Sets the name of the CAS principal attribute that contains role data. + * + * @param roleAttribute Role attribute name. MUST NOT be blank. + */ + public void setRoleAttribute(final String roleAttribute) { + CommonUtils.isNotBlank(roleAttribute); + this.roleAttribute = roleAttribute; + } + + @Override + public void setConfiguration(final AuthConfiguration configuration) { + // Nothing to do + // All configuration must be via CAS-specific setter methods + } + + @Override + public String getAuthMethod() { + return AUTH_METHOD; + } + + @Override + public void prepareRequest(final ServletRequest request) { + // Nothing to do + } + + @Override + public Authentication validateRequest( + final ServletRequest servletRequest, final ServletResponse servletResponse, final boolean mandatory) + throws ServerAuthException { + + final HttpServletRequest request = (HttpServletRequest) servletRequest; + final HttpServletResponse response = (HttpServletResponse) servletResponse; + + CasAuthentication authentication = fetchCachedAuthentication(request); + if (authentication != null) { + return authentication; + } + + final String ticket = request.getParameter(protocol.getArtifactParameterName()); + if (ticket != null && mandatory) { + try { + logger.debug("Attempting to validate {}", ticket); + final Assertion assertion = ticketValidator.validate(ticket, serviceUrl(request, response)); + logger.info("Successfully authenticated {}", assertion.getPrincipal()); + authentication = new CasAuthentication(this, ticket, assertion); + cacheAuthentication(request, authentication); + } catch (Exception e) { + throw new ServerAuthException("CAS ticket validation failed", e); + } + } + if (authentication != null) { + return authentication; + } else if (mandatory) { + redirectToCas(request, response); + return Authentication.SEND_CONTINUE; + } + return Authentication.UNAUTHENTICATED; + } + + @Override + public boolean secureResponse( + final ServletRequest request, + final ServletResponse response, + final boolean mandatory, + final Authentication.User user) throws ServerAuthException { + return true; + } + + @Override + protected void doStart() throws Exception { + if (ticketValidator == null) { + throw new RuntimeException("TicketValidator cannot be null"); + } + if (serverNames == null) { + throw new RuntimeException("ServerNames cannot be null"); + } + } + + protected void clearCachedAuthentication(final String ticket) { + final WeakReference sessionRef = sessionMap.remove(ticket); + if (sessionRef != null && sessionRef.get() != null) { + sessionRef.get().removeAttribute(CACHED_AUTHN_ATTRIBUTE); + } + } + + private void cacheAuthentication(final HttpServletRequest request, final CasAuthentication authentication) { + final HttpSession session = request.getSession(true); + if (session != null) { + session.setAttribute(CACHED_AUTHN_ATTRIBUTE, authentication); + sessionMap.put(authentication.getTicket(), new WeakReference(session)); + } + } + + private CasAuthentication fetchCachedAuthentication(final HttpServletRequest request) { + final HttpSession session = request.getSession(false); + if (session != null) { + return (CasAuthentication) session.getAttribute(CACHED_AUTHN_ATTRIBUTE); + } + return null; + } + + private String serviceUrl(final HttpServletRequest request, final HttpServletResponse response) { + return CommonUtils.constructServiceUrl( + request, + response, + null, + serverNames, + protocol.getServiceParameterName(), + protocol.getArtifactParameterName(), + true); + } + + private void redirectToCas( + final HttpServletRequest request, final HttpServletResponse response) throws ServerAuthException { + try { + final String redirectUrl = CommonUtils.constructRedirectUrl( + casServerLoginUrl, protocol.getServiceParameterName(), serviceUrl(request, response), renew, false); + logger.debug("Redirecting to {}", redirectUrl); + response.sendRedirect(redirectUrl); + } catch (IOException e) { + logger.debug("Redirect to CAS failed with error: {}", e); + throw new ServerAuthException("Redirect to CAS failed", e); + } + } +} diff --git a/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasUserIdentity.java b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasUserIdentity.java new file mode 100644 index 0000000..aee4212 --- /dev/null +++ b/cas-client-integration-jetty/src/main/java/org/jasig/cas/client/jetty/CasUserIdentity.java @@ -0,0 +1,67 @@ +package org.jasig.cas.client.jetty; + +import org.eclipse.jetty.server.UserIdentity; +import org.jasig.cas.client.authentication.AttributePrincipal; +import org.jasig.cas.client.util.CommonUtils; +import org.jasig.cas.client.validation.Assertion; + +import javax.security.auth.Subject; +import java.security.Principal; +import java.util.Collection; + +/** + * CAS user identity backed by assertion data. + * + * @author Marvin S. Addison + */ +public class CasUserIdentity implements UserIdentity { + + /** CAS principal. */ + private AttributePrincipal principal; + + /** Assertion attribute containing role data. */ + private String roleAttribute; + + + /** + * Creates a new instance from a CAS assertion containing principal information. + * + * @param assertion CAS assertion resulting from successful ticket validation. + * @param roleAttribute Principal attribute containing role data. + */ + public CasUserIdentity(final Assertion assertion, final String roleAttribute) { + CommonUtils.assertNotNull(assertion, "Assertion cannot be null"); + this.principal = assertion.getPrincipal(); + this.roleAttribute = roleAttribute; + } + + @Override + public Subject getSubject() { + final Subject subject = new Subject(); + subject.getPrincipals().add(principal); + return subject; + } + + @Override + public Principal getUserPrincipal() { + return principal; + } + + @Override + public boolean isUserInRole(final String role, final Scope scope) { + if (roleAttribute != null) { + final Object value = principal.getAttributes().get(roleAttribute); + if (value instanceof Collection) { + return ((Collection) value).contains(role); + } else if (value instanceof String) { + return value.equals(role); + } + } + return false; + } + + @Override + public String toString() { + return principal.getName(); + } +} diff --git a/cas-client-integration-jetty/src/test/java/org/jasig/cas/client/jetty/CasAuthenticatorTest.java b/cas-client-integration-jetty/src/test/java/org/jasig/cas/client/jetty/CasAuthenticatorTest.java new file mode 100644 index 0000000..462f353 --- /dev/null +++ b/cas-client-integration-jetty/src/test/java/org/jasig/cas/client/jetty/CasAuthenticatorTest.java @@ -0,0 +1,210 @@ +package org.jasig.cas.client.jetty; + +import org.apache.tomcat.InstanceManager; +import org.apache.tomcat.SimpleInstanceManager; +import org.eclipse.jetty.annotations.ServletContainerInitializersStarter; +import org.eclipse.jetty.apache.jsp.JettyJasperInitializer; +import org.eclipse.jetty.jsp.JettyJspServlet; +import org.eclipse.jetty.plus.annotation.ContainerInitializer; +import org.eclipse.jetty.security.ConstraintMapping; +import org.eclipse.jetty.security.ConstraintSecurityHandler; +import org.eclipse.jetty.server.Server; +import org.eclipse.jetty.servlet.ServletHolder; +import org.eclipse.jetty.util.security.Constraint; +import org.eclipse.jetty.webapp.WebAppContext; +import org.jasig.cas.client.PublicTestHttpServer; +import org.jasig.cas.client.validation.Cas20ServiceTicketValidator; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; + +import java.io.*; +import java.net.HttpURLConnection; +import java.net.URL; +import java.net.URLConnection; +import java.nio.CharBuffer; +import java.nio.charset.StandardCharsets; +import java.util.Collections; +import java.util.List; + +import static org.junit.Assert.*; + +/** + * Unit test for {@link CasAuthenticator}. + * + * @author Marvin S. Addison + */ +public class CasAuthenticatorTest { + + private static final Server server = new Server(8080); + private static final CasAuthenticator authenticator = new CasAuthenticator(); + + @BeforeClass + public static void beforeClass() throws Exception { + final WebAppContext context = new WebAppContext(); + context.setContextPath("/webapp"); + String workingDir = new File(".").getAbsolutePath(); + workingDir = workingDir.substring(0, workingDir.length() - 2); + final String webappDir; + if (workingDir.endsWith("/cas-client-integration-jetty")) { + webappDir = workingDir + "/src/test/webapp"; + } else { + webappDir = workingDir + "/cas-client-integration-jetty/src/test/webapp"; + } + context.setWar(webappDir); + + + // JSP config from https://github.com/jetty-project/embedded-jetty-jsp/ + System.setProperty("org.apache.jasper.compiler.disablejsr199", "false"); + context.setAttribute("javax.servlet.context.tempdir", getScratchDir()); + context.setAttribute("org.eclipse.jetty.server.webapp.ContainerIncludeJarPattern", + ".*/[^/]*servlet-api-[^/]*\\.jar$|.*/javax.servlet.jsp.jstl-.*\\.jar$|.*/.*taglibs.*\\.jar$"); + context.setAttribute("org.eclipse.jetty.containerInitializers", jspInitializers()); + context.setAttribute(InstanceManager.class.getName(), new SimpleInstanceManager()); + context.addBean(new ServletContainerInitializersStarter(context), true); + context.addServlet(jspServletHolder(), "*.jsp"); + + // Wire up CAS authentication + authenticator.setServerNames("localhost:8080"); + authenticator.setTicketValidator(new Cas20ServiceTicketValidator("http://localhost:8081/cas")); + + // Configure security handling for webapp context + final ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler(); + final Constraint constraint = new Constraint("CasRealm", Constraint.ANY_AUTH); + constraint.setAuthenticate(true); + final ConstraintMapping secureMapping = new ConstraintMapping(); + secureMapping.setPathSpec("/secure.jsp"); + secureMapping.setConstraint(constraint); + securityHandler.addConstraintMapping(secureMapping); + securityHandler.setAuthenticator(authenticator); + context.setSecurityHandler(securityHandler); + + // Add webapp context and start the server + server.setHandler(context); + server.start(); + } + + @Test + public void testValidateRequestPublicPageNoTicket() throws Exception { + final HttpURLConnection uc = openConnection("http://localhost:8080/webapp/"); + try { + assertEquals(200, uc.getResponseCode()); + assertTrue(readOutput(uc).contains("Welcome everyone")); + } finally { + uc.disconnect(); + } + } + + @Test + public void testValidateRequestPublicPageWithTicket() throws Exception { + final HttpURLConnection uc = openConnection("http://localhost:8080/webapp/?ticket=ST-12345"); + try { + assertEquals(200, uc.getResponseCode()); + assertTrue(readOutput(uc).contains("Welcome everyone")); + } finally { + uc.disconnect(); + } + } + + @Test + public void testValidateRequestSecurePageNoTicket() throws Exception { + final HttpURLConnection uc = openConnection("http://localhost:8080/webapp/secure.jsp"); + try { + assertEquals(302, uc.getResponseCode()); + assertEquals( + "http://localhost:8081/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fwebapp%2Fsecure.jsp", + uc.getHeaderField("Location")); + } finally { + uc.disconnect(); + } + } + + @Test + public void testValidateRequestSecurePageWithTicket() throws Exception { + final String successResponse = "" + + "" + + "bob" + + "" + + ""; + final PublicTestHttpServer server = PublicTestHttpServer.instance(8081); + server.content = successResponse.getBytes(StandardCharsets.UTF_8); + final HttpURLConnection uc = openConnection("http://localhost:8080/webapp/secure.jsp?ticket=ST-12345"); + try { + assertEquals(200, uc.getResponseCode()); + assertTrue(readOutput(uc).contains("Hello bob")); + } finally { + uc.disconnect(); + } + } + + @AfterClass + public static void afterClass() throws Exception { + server.stop(); + } + + private String readOutput(final URLConnection connection) throws IOException { + final InputStreamReader reader = new InputStreamReader(connection.getInputStream()); + final StringBuilder builder = new StringBuilder(); + final CharBuffer buffer = CharBuffer.allocate(1024); + try { + while (reader.read(buffer) > 0) { + builder.append(buffer.flip()); + buffer.clear(); + } + } finally { + reader.close(); + } + return builder.toString(); + } + + private static File getScratchDir() throws IOException + { + final File tempDir = new File(System.getProperty("java.io.tmpdir")); + final File scratchDir = new File(tempDir.toString(), "embedded-jetty-jsp"); + + if (!scratchDir.exists()) + { + if (!scratchDir.mkdirs()) + { + throw new IOException("Unable to create scratch directory: " + scratchDir); + } + } + return scratchDir; + } + + /** + * Ensure the jsp engine is initialized correctly + */ + private static List jspInitializers() + { + return Collections.singletonList(new ContainerInitializer(new JettyJasperInitializer(), null)); + } + + /** + * Create JSP Servlet (must be named "jsp") + */ + private static ServletHolder jspServletHolder() + { + final ServletHolder holderJsp = new ServletHolder("jsp", JettyJspServlet.class); + holderJsp.setInitOrder(0); + holderJsp.setInitParameter("logVerbosityLevel", "DEBUG"); + holderJsp.setInitParameter("fork", "false"); + holderJsp.setInitParameter("xpoweredBy", "false"); + holderJsp.setInitParameter("compilerTargetVM", "1.7"); + holderJsp.setInitParameter("compilerSourceVM", "1.7"); + holderJsp.setInitParameter("keepgenerated", "true"); + return holderJsp; + } + + private static HttpURLConnection openConnection(final String url) throws IOException { + final HttpURLConnection uc; + try { + uc = (HttpURLConnection) new URL(url).openConnection(); + } catch (IOException e) { + throw new RuntimeException("Invalid URL: " + url, e); + } + uc.setInstanceFollowRedirects(false); + uc.connect(); + return uc; + } +} \ No newline at end of file diff --git a/cas-client-integration-jetty/src/test/resources/jetty/context-cas2.xml b/cas-client-integration-jetty/src/test/resources/jetty/context-cas2.xml new file mode 100644 index 0000000..a786496 --- /dev/null +++ b/cas-client-integration-jetty/src/test/resources/jetty/context-cas2.xml @@ -0,0 +1,20 @@ + + + + + / + /webapps/yourapp + + + + app.example.com + + + https://cas.example.com/cas + + + + + + + diff --git a/cas-client-integration-jetty/src/test/resources/jetty/context-saml11.xml b/cas-client-integration-jetty/src/test/resources/jetty/context-saml11.xml new file mode 100644 index 0000000..5e1d5ad --- /dev/null +++ b/cas-client-integration-jetty/src/test/resources/jetty/context-saml11.xml @@ -0,0 +1,21 @@ + + + + + / + /webapps/yourapp + + + + app.example.com + memberOf + + + https://cas.example.com/cas + + + + + + + diff --git a/cas-client-integration-jetty/src/test/webapp/index.jsp b/cas-client-integration-jetty/src/test/webapp/index.jsp new file mode 100644 index 0000000..6d505bb --- /dev/null +++ b/cas-client-integration-jetty/src/test/webapp/index.jsp @@ -0,0 +1,9 @@ + + + + + Welcome Page + +

Welcome everyone

+ + \ No newline at end of file diff --git a/cas-client-integration-jetty/src/test/webapp/secure.jsp b/cas-client-integration-jetty/src/test/webapp/secure.jsp new file mode 100644 index 0000000..9add84e --- /dev/null +++ b/cas-client-integration-jetty/src/test/webapp/secure.jsp @@ -0,0 +1,9 @@ + + + + + Secure Page + +

Hello <%=request.getUserPrincipal()%>

+ + \ No newline at end of file diff --git a/cas-client-integration-tomcat-common/pom.xml b/cas-client-integration-tomcat-common/pom.xml index fb9fd2f..d2016f7 100644 --- a/cas-client-integration-tomcat-common/pom.xml +++ b/cas-client-integration-tomcat-common/pom.xml @@ -7,7 +7,6 @@ 4.0.0 - org.jasig.cas.client cas-client-integration-tomcat-common jar Jasig CAS Client for Java - Common Tomcat Integration Support diff --git a/cas-client-integration-tomcat-v6/pom.xml b/cas-client-integration-tomcat-v6/pom.xml index 83d9b4a..a9763b4 100644 --- a/cas-client-integration-tomcat-v6/pom.xml +++ b/cas-client-integration-tomcat-v6/pom.xml @@ -7,7 +7,6 @@ 4.0.0 - org.jasig.cas.client cas-client-integration-tomcat-v6 jar Jasig CAS Client for Java - Tomcat 6.x Integration diff --git a/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java b/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java index 9941651..00c63dc 100644 --- a/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java +++ b/cas-client-integration-tomcat-v6/src/main/java/org/jasig/cas/client/tomcat/v6/SingleSignOutValve.java @@ -51,11 +51,7 @@ public class SingleSignOutValve extends AbstractLifecycleValve implements Sessio public void setLogoutParameterName(final String name) { this.handler.setLogoutParameterName(name); } - - public void setFrontLogoutParameterName(final String name) { - this.handler.setFrontLogoutParameterName(name); - } - + public void setRelayStateParameterName(final String name) { this.handler.setRelayStateParameterName(name); } diff --git a/cas-client-integration-tomcat-v7/pom.xml b/cas-client-integration-tomcat-v7/pom.xml index a612ed4..e52d26e 100644 --- a/cas-client-integration-tomcat-v7/pom.xml +++ b/cas-client-integration-tomcat-v7/pom.xml @@ -7,7 +7,6 @@ 4.0.0 - org.jasig.cas.client cas-client-integration-tomcat-v7 jar Jasig CAS Client for Java - Tomcat 7.x Integration diff --git a/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java b/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java index 62ac214..e7cd85d 100644 --- a/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java +++ b/cas-client-integration-tomcat-v7/src/main/java/org/jasig/cas/client/tomcat/v7/SingleSignOutValve.java @@ -55,11 +55,7 @@ public class SingleSignOutValve extends ValveBase implements SessionListener { public void setLogoutParameterName(final String name) { this.handler.setLogoutParameterName(name); } - - public void setFrontLogoutParameterName(final String name) { - this.handler.setFrontLogoutParameterName(name); - } - + public void setRelayStateParameterName(final String name) { this.handler.setRelayStateParameterName(name); } diff --git a/cas-client-integration-tomcat-v8/NOTICE b/cas-client-integration-tomcat-v8/NOTICE new file mode 100644 index 0000000..4348c0c --- /dev/null +++ b/cas-client-integration-tomcat-v8/NOTICE @@ -0,0 +1,30 @@ +Licensed to Apereo under one or more contributor license +agreements. See the NOTICE file distributed with this work +for additional information regarding copyright ownership. +Apereo licenses this file to you under the Apache License, +Version 2.0 (the "License"); you may not use this file +except in compliance with the License. You may obtain a +copy of the License at the following location: + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. + +This project includes: + Jasig CAS Client for Java - Common Tomcat Integration Support under Apache License Version 2.0 + Jasig CAS Client for Java - Core under Apache License Version 2.0 + Jasig CAS Client for Java - SAML Protocol Support under Apache License Version 2.0 + Jasig CAS Client for Java - Tomcat 8.x Integration under Apache License Version 2.0 + Java Servlet API under CDDL + GPLv2 with classpath exception + JCL 1.1.1 implemented over SLF4J under MIT License + Joda-Time under Apache 2 + JUnit under Common Public License Version 1.0 + SLF4J API Module under MIT License + SLF4J Simple Binding under MIT License + tomcat-catalina under Apache License, Version 2.0 + diff --git a/cas-client-integration-tomcat-v8/pom.xml b/cas-client-integration-tomcat-v8/pom.xml new file mode 100644 index 0000000..aba323b --- /dev/null +++ b/cas-client-integration-tomcat-v8/pom.xml @@ -0,0 +1,69 @@ + + + + cas-client + org.jasig.cas.client + 3.5.0-SNAPSHOT + + 4.0.0 + + cas-client-integration-tomcat-v8 + jar + Jasig CAS Client for Java - Tomcat 8.x Integration + + + + org.jasig.cas.client + cas-client-integration-tomcat-common + ${project.version} + jar + compile + + + org.jasig.cas.client + cas-client-support-saml + ${project.version} + jar + compile + true + + + org.apache.tomcat + tomcat-catalina + 8.0.1 + jar + provided + + + org.apache.tomcat + tomcat-servlet-api + + + org.apache.tomcat + tomcat-juli + + + org.apache.tomcat + tomcat-annotations-api + + + org.apache.tomcat + tomcat-api + + + org.apache.tomcat + tomcat-util + + + + + + org.jasig.cas.client + cas-client-core + ${project.version} + jar + compile + + + + diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractAuthenticator.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractAuthenticator.java new file mode 100644 index 0000000..6ad0d4b --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractAuthenticator.java @@ -0,0 +1,198 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import java.io.IOException; +import java.security.Principal; + +import javax.servlet.http.HttpServletResponse; + +import org.apache.catalina.*; +import org.apache.catalina.authenticator.AuthenticatorBase; +import org.apache.catalina.connector.Request; +import org.jasig.cas.client.tomcat.AuthenticatorDelegate; +import org.jasig.cas.client.tomcat.CasRealm; +import org.jasig.cas.client.util.CommonUtils; +import org.jasig.cas.client.validation.TicketValidator; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Base authenticator for all authentication protocols supported by CAS. + * + * @author Scott Battaglia + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public abstract class AbstractAuthenticator extends AuthenticatorBase implements LifecycleListener { + + protected final Logger logger = LoggerFactory.getLogger(getClass()); + + private final AuthenticatorDelegate delegate = new AuthenticatorDelegate(); + + private String casServerUrlPrefix; + + private String encoding; + + private boolean encode; + + private boolean renew; + + protected abstract String getAuthenticationMethod(); + + /** + * Provided for Tomcat 7.0.8 support. + * + * @return the authentication method. + */ + protected String getAuthMethod() { + return getAuthenticationMethod(); + } + + /** + * Abstract method that subclasses should use to provide the name of the artifact parameter (i.e. ticket) + * + * @return the artifact parameter name. CANNOT be NULL. + */ + protected abstract String getArtifactParameterName(); + + /** + * Abstract method that subclasses should use to provide the name of the service parameter (i.e. service) + * + * @return the service parameter name. CANNOT be NULL. + */ + protected abstract String getServiceParameterName(); + + /** + * Returns the single instance of the ticket validator to use to validate tickets. Sub classes should include + * the one appropriate for the + * + * @return a fully configured ticket validator. CANNOT be NULL. + */ + protected abstract TicketValidator getTicketValidator(); + + protected void startInternal() throws LifecycleException { + super.startInternal(); + logger.debug("{} starting.", getName()); + final Realm realm = this.context.getRealm(); + try { + CommonUtils.assertTrue(realm instanceof CasRealm, "Expected CasRealm but got " + realm.getClass()); + CommonUtils.assertNotNull(this.casServerUrlPrefix, "casServerUrlPrefix cannot be null."); + CommonUtils.assertNotNull(this.delegate.getCasServerLoginUrl(), "casServerLoginUrl cannot be null."); + CommonUtils.assertTrue(this.delegate.getServerName() != null || this.delegate.getServiceUrl() != null, + "either serverName or serviceUrl must be set."); + this.delegate.setRealm((CasRealm) realm); + } catch (final Exception e) { + throw new LifecycleException(e); + } + // Complete delegate initialization after the component is started. + // See #lifecycleEvent() method. + addLifecycleListener(this); + } + + protected final String getCasServerUrlPrefix() { + return this.casServerUrlPrefix; + } + + public final void setCasServerUrlPrefix(final String casServerUrlPrefix) { + this.casServerUrlPrefix = casServerUrlPrefix; + } + + public final void setCasServerLoginUrl(final String casServerLoginUrl) { + this.delegate.setCasServerLoginUrl(casServerLoginUrl); + } + + public final boolean isEncode() { + return this.encode; + } + + public final void setEncode(final boolean encode) { + this.encode = encode; + } + + protected final boolean isRenew() { + return this.renew; + } + + public void setRenew(final boolean renew) { + this.renew = renew; + } + + public final void setServerName(final String serverName) { + this.delegate.setServerName(serverName); + } + + public final void setServiceUrl(final String serviceUrl) { + this.delegate.setServiceUrl(serviceUrl); + } + + protected final String getEncoding() { + return this.encoding; + } + + public final void setEncoding(final String encoding) { + this.encoding = encoding; + } + + /** {@inheritDoc} */ + public final boolean authenticate(final Request request, final HttpServletResponse response) throws IOException { + Principal principal = request.getUserPrincipal(); + boolean result = false; + if (principal == null) { + // Authentication sets the response headers for status and redirect if needed + principal = this.delegate.authenticate(request.getRequest(), response); + if (principal != null) { + register(request, response, principal, getAuthenticationMethod(), null, null); + result = true; + } + } else { + result = true; + } + return result; + } + + /** {@inheritDoc} */ + public void lifecycleEvent(final LifecycleEvent event) { + if (AFTER_START_EVENT.equals(event.getType())) { + logger.debug("{} processing lifecycle event {}", getName(), AFTER_START_EVENT); + this.delegate.setTicketValidator(getTicketValidator()); + this.delegate.setArtifactParameterName(getArtifactParameterName()); + this.delegate.setServiceParameterName(getServiceParameterName()); + } + } + + /** {@inheritDoc} */ + public String getInfo() { + return getName() + "/1.0"; + } + + /** {@inheritDoc} + * @throws LifecycleException */ + protected synchronized void setState(LifecycleState state, Object data) throws LifecycleException { + super.setState(state, data); + if (LifecycleState.STARTED.equals(state)) { + logger.info("{} started.", getName()); + } + } + + /** + * @return Authenticator descriptive name. + */ + protected abstract String getName(); +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractCasAuthenticator.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractCasAuthenticator.java new file mode 100644 index 0000000..3be3db8 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractCasAuthenticator.java @@ -0,0 +1,47 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +/** + * Base class for all CAS protocol authenticators. + * + * @author Scott Battaglia + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public abstract class AbstractCasAuthenticator extends AbstractAuthenticator { + + private String proxyCallbackUrl; + + protected final String getProxyCallbackUrl() { + return this.proxyCallbackUrl; + } + + public final void setProxyCallbackUrl(final String proxyCallbackUrl) { + this.proxyCallbackUrl = proxyCallbackUrl; + } + + protected final String getArtifactParameterName() { + return "ticket"; + } + + protected final String getServiceParameterName() { + return "service"; + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractCasRealm.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractCasRealm.java new file mode 100644 index 0000000..c3b2144 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractCasRealm.java @@ -0,0 +1,85 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import java.security.Principal; +import org.apache.catalina.Wrapper; +import org.apache.catalina.realm.RealmBase; +import org.jasig.cas.client.tomcat.CasRealm; + +/** + * Base Realm implementation for all CAS realms. + * + * @author Marvin S. Addison + * @version $Revision$ + * + */ +public abstract class AbstractCasRealm extends RealmBase implements CasRealm { + + /** {@inheritDoc} */ + public Principal authenticate(final Principal p) { + return getDelegate().authenticate(p); + } + + /** {@inheritDoc} */ + public String[] getRoles(final Principal p) { + return getDelegate().getRoles(p); + } + + public boolean hasRole(final Principal principal, final String role) { + return getDelegate().hasRole(principal, role); + } + + /** + * Tomcat 7.0.8 changed their APIs so {@link #hasRole(java.security.Principal, String)} is only valid for 7.0.7 and below. + */ + public boolean hasRole(final Wrapper wrapper, final Principal principal, final String role) { + return hasRole(principal, role); + } + + /** {@inheritDoc} */ + public String toString() { + return getName(); + } + + /** {@inheritDoc} */ + public String getInfo() { + return getClass().getName() + "/1.0"; + } + + /** {@inheritDoc} */ + protected String getName() { + return getClass().getSimpleName(); + } + + /** {@inheritDoc} */ + protected String getPassword(final String userName) { + throw new UnsupportedOperationException(); + } + + /** {@inheritDoc} */ + protected Principal getPrincipal(final String userName) { + throw new UnsupportedOperationException(); + } + + /** + * @return Delegate that all {@link CasRealm} operations are delegated to. + */ + protected abstract CasRealm getDelegate(); +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractLogoutValve.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractLogoutValve.java new file mode 100644 index 0000000..4264c0d --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AbstractLogoutValve.java @@ -0,0 +1,55 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import java.io.IOException; +import javax.servlet.ServletException; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.valves.ValveBase; +import org.jasig.cas.client.tomcat.LogoutHandler; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Abstract base class for Container-managed log out. Removes the attributes + * from the session. + * + * @author Scott Battaglia + * @author Marvin S. Addison + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public abstract class AbstractLogoutValve extends ValveBase { + + protected final Logger logger = LoggerFactory.getLogger(getClass()); + + public final void invoke(final Request request, final Response response) throws IOException, ServletException { + if (getLogoutHandler().isLogoutRequest(request)) { + getLogoutHandler().logout(request, response); + // Do not proceed up valve chain + return; + } + + logger.debug("URI is not a logout request: {}", request.getRequestURI()); + getNext().invoke(request, response); + } + + protected abstract LogoutHandler getLogoutHandler(); +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AssertionCasRealm.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AssertionCasRealm.java new file mode 100644 index 0000000..422f48a --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/AssertionCasRealm.java @@ -0,0 +1,49 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.jasig.cas.client.tomcat.AssertionCasRealmDelegate; +import org.jasig.cas.client.tomcat.CasRealm; + +/** + * Tomcat Realm that implements {@link CasRealm} for principal and + * role data backed by the CAS {@link org.jasig.cas.client.validation.Assertion}. + *

+ * Authentication always succeeds and simply returns the given principal. + * + * @author Marvin S. Addison + * @version $Revision$ + * + */ +public class AssertionCasRealm extends AbstractCasRealm { + + private final AssertionCasRealmDelegate delegate = new AssertionCasRealmDelegate(); + + /** + * @param name Name of the attribute in the principal that contains role data. + */ + public void setRoleAttributeName(final String name) { + delegate.setRoleAttributeName(name); + } + + /** {@inheritDoc} */ + protected CasRealm getDelegate() { + return delegate; + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas10CasAuthenticator.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas10CasAuthenticator.java new file mode 100644 index 0000000..a518343 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas10CasAuthenticator.java @@ -0,0 +1,56 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.apache.catalina.LifecycleException; +import org.jasig.cas.client.validation.Cas10TicketValidator; +import org.jasig.cas.client.validation.TicketValidator; + +/** + * Authenticator that handles CAS 1.0 protocol. + * + * @author Scott Battaglia + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public final class Cas10CasAuthenticator extends AbstractCasAuthenticator { + + public static final String AUTH_METHOD = "CAS10"; + + private static final String NAME = Cas10CasAuthenticator.class.getName(); + + private Cas10TicketValidator ticketValidator; + + protected TicketValidator getTicketValidator() { + return this.ticketValidator; + } + + protected String getAuthenticationMethod() { + return AUTH_METHOD; + } + + protected String getName() { + return NAME; + } + + protected void startInternal() throws LifecycleException { + super.startInternal(); + this.ticketValidator = new Cas10TicketValidator(getCasServerUrlPrefix()); + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas20CasAuthenticator.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas20CasAuthenticator.java new file mode 100644 index 0000000..86d40b4 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas20CasAuthenticator.java @@ -0,0 +1,62 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.apache.catalina.LifecycleException; +import org.jasig.cas.client.validation.Cas20ServiceTicketValidator; +import org.jasig.cas.client.validation.TicketValidator; + +/** + * Authenticator that handles the CAS 2.0 protocol. + * + * @author Scott Battaglia + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public final class Cas20CasAuthenticator extends AbstractCasAuthenticator { + + public static final String AUTH_METHOD = "CAS20"; + + private static final String NAME = Cas20CasAuthenticator.class.getName(); + + private Cas20ServiceTicketValidator ticketValidator; + + protected TicketValidator getTicketValidator() { + return this.ticketValidator; + } + + protected String getAuthenticationMethod() { + return AUTH_METHOD; + } + + protected String getName() { + return NAME; + } + + protected void startInternal() throws LifecycleException { + super.startInternal(); + this.ticketValidator = new Cas20ServiceTicketValidator(getCasServerUrlPrefix()); + if (getEncoding() != null) { + this.ticketValidator.setEncoding(getEncoding()); + } + this.ticketValidator.setProxyCallbackUrl(getProxyCallbackUrl()); + this.ticketValidator.setProxyGrantingTicketStorage(ProxyCallbackValve.getProxyGrantingTicketStorage()); + this.ticketValidator.setRenew(isRenew()); + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas20ProxyCasAuthenticator.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas20ProxyCasAuthenticator.java new file mode 100644 index 0000000..b5fa702 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Cas20ProxyCasAuthenticator.java @@ -0,0 +1,77 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.apache.catalina.LifecycleException; +import org.jasig.cas.client.util.CommonUtils; +import org.jasig.cas.client.validation.Cas20ProxyTicketValidator; +import org.jasig.cas.client.validation.TicketValidator; + +/** + * Authenticator that handles the CAS 2.0 protocol with proxying support. + * + * @author Scott Battaglia + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public final class Cas20ProxyCasAuthenticator extends AbstractCasAuthenticator { + + public static final String AUTH_METHOD = "CAS20-PROXY"; + + private static final String NAME = Cas20ProxyCasAuthenticator.class.getName(); + + private Cas20ProxyTicketValidator ticketValidator; + + private boolean acceptAnyProxy; + + private String allowedProxyChains; + + public void setAcceptAnyProxy(final boolean acceptAnyProxy) { + this.acceptAnyProxy = acceptAnyProxy; + } + + public void setAllowedProxyChains(final String allowedProxyChains) { + this.allowedProxyChains = allowedProxyChains; + } + + protected TicketValidator getTicketValidator() { + return this.ticketValidator; + } + + protected String getAuthenticationMethod() { + return AUTH_METHOD; + } + + protected String getName() { + return NAME; + } + + protected void startInternal() throws LifecycleException { + super.startInternal(); + this.ticketValidator = new Cas20ProxyTicketValidator(getCasServerUrlPrefix()); + this.ticketValidator.setRenew(isRenew()); + this.ticketValidator.setProxyCallbackUrl(getProxyCallbackUrl()); + this.ticketValidator.setProxyGrantingTicketStorage(ProxyCallbackValve.getProxyGrantingTicketStorage()); + this.ticketValidator.setAcceptAnyProxy(this.acceptAnyProxy); + this.ticketValidator.setAllowedProxyChains(CommonUtils.createProxyList(this.allowedProxyChains)); + if (getEncoding() != null) { + this.ticketValidator.setEncoding(getEncoding()); + } + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/PropertiesCasRealm.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/PropertiesCasRealm.java new file mode 100644 index 0000000..9cbe8ea --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/PropertiesCasRealm.java @@ -0,0 +1,63 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.apache.catalina.LifecycleException; +import org.jasig.cas.client.tomcat.CasRealm; +import org.jasig.cas.client.tomcat.PropertiesCasRealmDelegate; + +/** + * Tomcat Realm that implements {@link CasRealm} backed by properties file + * containing usernames/and roles of the following format: + * 

+ * username1=role1,role2,role3
+ * username2=role1
+ * username3=role2,role3
+ *
+ * User authentication succeeds if the name of the given principal exists as + * a username in the properties file. + * + * @author Marvin S. Addison + * @version $Revision$ + * @since 3.1.12 + * + */ +public class PropertiesCasRealm extends AbstractCasRealm { + + private final PropertiesCasRealmDelegate delegate = new PropertiesCasRealmDelegate(); + + /** + * @param path Path to properties file container username/role data. + */ + public void setPropertiesFilePath(final String path) { + this.delegate.setPropertiesFilePath(path); + } + + /** {@inheritDoc} */ + protected void startInternal() throws LifecycleException { + super.startInternal(); + this.delegate.readProperties(); + } + + /** {@inheritDoc} */ + protected CasRealm getDelegate() { + return this.delegate; + } + +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/ProxyCallbackValve.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/ProxyCallbackValve.java new file mode 100644 index 0000000..adc98cc --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/ProxyCallbackValve.java @@ -0,0 +1,90 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import java.io.IOException; +import javax.servlet.ServletException; +import org.apache.catalina.LifecycleException; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.valves.ValveBase; +import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage; +import org.jasig.cas.client.util.CommonUtils; +import org.jasig.cas.client.util.ReflectUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Handles watching a url for the proxy callback. + *

+ * Because its tough to share state between valves, we expose the storage mechanism via a static variable. + *

+ * This valve should be ordered before the authentication valves. + * + * @author Scott Battaglia + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public final class ProxyCallbackValve extends ValveBase { + + private static ProxyGrantingTicketStorage PROXY_GRANTING_TICKET_STORAGE; + + /** Logger instance */ + private final Logger logger = LoggerFactory.getLogger(getClass()); + + private String proxyGrantingTicketStorageClass; + + private String proxyCallbackUrl; + + public static ProxyGrantingTicketStorage getProxyGrantingTicketStorage() { + return PROXY_GRANTING_TICKET_STORAGE; + } + + public void setProxyGrantingTicketStorageClass(final String proxyGrantingTicketStorageClass) { + this.proxyGrantingTicketStorageClass = proxyGrantingTicketStorageClass; + } + + public void setProxyCallbackUrl(final String proxyCallbackUrl) { + this.proxyCallbackUrl = proxyCallbackUrl; + } + + protected void startInternal() throws LifecycleException { + super.startInternal(); + + try { + CommonUtils.assertNotNull(this.proxyCallbackUrl, "the proxy callback url cannot be null"); + CommonUtils.assertTrue(this.proxyCallbackUrl.startsWith("/"), "proxy callback url must start with \"/\""); + + PROXY_GRANTING_TICKET_STORAGE = ReflectUtils.newInstance(proxyGrantingTicketStorageClass); + } catch (final Exception e) { + throw new LifecycleException(e); + } + logger.info("Startup completed."); + } + + public void invoke(final Request request, final Response response) throws IOException, ServletException { + if (this.proxyCallbackUrl.equals(request.getRequestURI())) { + logger.debug("Processing proxy callback request."); + CommonUtils.readAndRespondToProxyReceptorRequest(request, response, PROXY_GRANTING_TICKET_STORAGE); + return; + } + + getNext().invoke(request, response); + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/RegexUriLogoutValve.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/RegexUriLogoutValve.java new file mode 100644 index 0000000..fc8999f --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/RegexUriLogoutValve.java @@ -0,0 +1,55 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.apache.catalina.LifecycleException; +import org.jasig.cas.client.tomcat.LogoutHandler; +import org.jasig.cas.client.tomcat.RegexUriLogoutHandler; + +/** + * Performs CAS logout when the request URI matches a regular expression. + * + * @author Scott Battaglia + * @author Marvin S. Addison + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public final class RegexUriLogoutValve extends AbstractLogoutValve { + + private RegexUriLogoutHandler logoutHandler = new RegexUriLogoutHandler(); + + public void setRedirectUrl(final String redirectUrl) { + this.logoutHandler.setRedirectUrl(redirectUrl); + } + + public void setLogoutUriRegex(final String regex) { + this.logoutHandler.setLogoutUriRegex(regex); + } + + protected void startInternal() throws LifecycleException { + super.startInternal(); + this.logoutHandler.init(); + logger.info("Startup completed."); + } + + /** {@inheritDoc} */ + protected LogoutHandler getLogoutHandler() { + return this.logoutHandler; + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Saml11Authenticator.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Saml11Authenticator.java new file mode 100644 index 0000000..fc44569 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/Saml11Authenticator.java @@ -0,0 +1,84 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.apache.catalina.LifecycleException; +import org.jasig.cas.client.validation.Saml11TicketValidator; +import org.jasig.cas.client.validation.TicketValidator; + +/** + * CAS authenticator that uses the SAML 1.1 protocol. + * + * @author Marvin S. Addison + * @version $Revision$ + * @since 3.1.12 + * + */ +public final class Saml11Authenticator extends AbstractAuthenticator { + + public static final String AUTH_METHOD = "SAML11"; + + private static final String NAME = Saml11Authenticator.class.getName(); + + private Saml11TicketValidator ticketValidator; + + /** SAML protocol clock drift tolerance in ms */ + private int tolerance = -1; + + /** + * @param ms SAML clock drift tolerance in milliseconds. + */ + public void setTolerance(final int ms) { + this.tolerance = ms; + } + + protected void startInternal() throws LifecycleException { + super.startInternal(); + this.ticketValidator = new Saml11TicketValidator(getCasServerUrlPrefix()); + if (this.tolerance > -1) { + this.ticketValidator.setTolerance(this.tolerance); + } + if (getEncoding() != null) { + this.ticketValidator.setEncoding(getEncoding()); + } + this.ticketValidator.setRenew(isRenew()); + } + + protected TicketValidator getTicketValidator() { + return this.ticketValidator; + } + + protected String getAuthenticationMethod() { + return AUTH_METHOD; + } + + /** {@inheritDoc} */ + protected String getArtifactParameterName() { + return "SAMLart"; + } + + /** {@inheritDoc} */ + protected String getServiceParameterName() { + return "TARGET"; + } + + protected String getName() { + return NAME; + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java new file mode 100644 index 0000000..de77527 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/SingleSignOutValve.java @@ -0,0 +1,93 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import java.io.IOException; +import javax.servlet.ServletException; +import org.apache.catalina.LifecycleException; +import org.apache.catalina.Session; +import org.apache.catalina.SessionEvent; +import org.apache.catalina.SessionListener; +import org.apache.catalina.connector.Request; +import org.apache.catalina.connector.Response; +import org.apache.catalina.valves.ValveBase; +import org.jasig.cas.client.session.SessionMappingStorage; +import org.jasig.cas.client.session.SingleSignOutHandler; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * Handles logout request messages sent from the CAS server by ending the current + * HTTP session. + * + * @author Marvin S. Addison + * @version $Revision$ $Date$ + * @since 3.1.12 + * + */ +public class SingleSignOutValve extends ValveBase implements SessionListener { + + /** Logger instance */ + private final Logger logger = LoggerFactory.getLogger(getClass()); + + private final SingleSignOutHandler handler = new SingleSignOutHandler(); + + public void setArtifactParameterName(final String name) { + this.handler.setArtifactParameterName(name); + } + + public void setLogoutParameterName(final String name) { + this.handler.setLogoutParameterName(name); + } + + public void setRelayStateParameterName(final String name) { + this.handler.setRelayStateParameterName(name); + } + + public void setCasServerUrlPrefix(final String casServerUrlPrefix) { + this.handler.setCasServerUrlPrefix(casServerUrlPrefix); + } + + public void setSessionMappingStorage(final SessionMappingStorage storage) { + this.handler.setSessionMappingStorage(storage); + } + + /** {@inheritDoc} */ + public void invoke(final Request request, final Response response) throws IOException, ServletException { + if (this.handler.process(request, response)) { + getNext().invoke(request, response); + } + } + + /** {@inheritDoc} */ + public void sessionEvent(final SessionEvent event) { + if (Session.SESSION_DESTROYED_EVENT.equals(event.getType())) { + logger.debug("Cleaning up SessionMappingStorage on destroySession event"); + this.handler.getSessionMappingStorage().removeBySessionById(event.getSession().getId()); + } + } + + /** {@inheritDoc} */ + protected void startInternal() throws LifecycleException { + super.startInternal(); + logger.info("Starting..."); + this.handler.init(); + logger.info("Startup completed."); + } +} diff --git a/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/StaticUriLogoutValve.java b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/StaticUriLogoutValve.java new file mode 100644 index 0000000..516f331 --- /dev/null +++ b/cas-client-integration-tomcat-v8/src/main/java/org/jasig/cas/client/tomcat/v8/StaticUriLogoutValve.java @@ -0,0 +1,55 @@ +/* + * Licensed to Jasig under one or more contributor license + * agreements. See the NOTICE file distributed with this work + * for additional information regarding copyright ownership. + * Jasig licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a + * copy of the License at the following location: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.jasig.cas.client.tomcat.v8; + +import org.apache.catalina.LifecycleException; +import org.jasig.cas.client.tomcat.LogoutHandler; +import org.jasig.cas.client.tomcat.StaticUriLogoutHandler; + +/** + * Monitors a specific request URI for logout requests. + * + * @author Scott Battaglia + * @author Marvin S. Addison + * @version $Revision$ $Date$ + * @since 3.1.12 + */ +public final class StaticUriLogoutValve extends AbstractLogoutValve { + + private StaticUriLogoutHandler logoutHandler = new StaticUriLogoutHandler(); + + public void setRedirectUrl(final String redirectUrl) { + this.logoutHandler.setRedirectUrl(redirectUrl); + } + + public void setLogoutUri(final String logoutUri) { + this.logoutHandler.setLogoutUri(logoutUri); + } + + protected void startInternal() throws LifecycleException { + super.startInternal(); + this.logoutHandler.init(); + logger.info("Startup completed."); + } + + /** {@inheritDoc} */ + protected LogoutHandler getLogoutHandler() { + return this.logoutHandler; + } +} diff --git a/cas-client-support-distributed-memcached/pom.xml b/cas-client-support-distributed-memcached/pom.xml index f1b8ae1..1f749b8 100644 --- a/cas-client-support-distributed-memcached/pom.xml +++ b/cas-client-support-distributed-memcached/pom.xml @@ -7,7 +7,6 @@ 4.0.0 - org.jasig.cas.client jar cas-client-support-distributed-memcached Jasig CAS Client for Java - Distributed Proxy Storage Support: diff --git a/cas-client-support-saml/pom.xml b/cas-client-support-saml/pom.xml index f18ca75..234e580 100644 --- a/cas-client-support-saml/pom.xml +++ b/cas-client-support-saml/pom.xml @@ -5,7 +5,6 @@ cas-client 4.0.0 - org.jasig.cas.client cas-client-support-saml jar Jasig CAS Client for Java - SAML Protocol Support diff --git a/cas-client-support-saml/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java b/cas-client-support-saml/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java index 4a59081..8e9561a 100644 --- a/cas-client-support-saml/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java +++ b/cas-client-support-saml/src/main/java/org/jasig/cas/client/validation/Saml11TicketValidator.java @@ -198,7 +198,6 @@ public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator conn = this.getURLConnectionFactory().buildHttpURLConnection(validationUrl.openConnection()); conn.setRequestMethod("POST"); conn.setRequestProperty("Content-Type", "text/xml"); - conn.setRequestProperty("Content-Length", Integer.toString(request.length())); conn.setRequestProperty("SOAPAction", "http://www.oasis-open.org/committees/security"); conn.setUseCaches(false); conn.setDoInput(true); @@ -208,8 +207,6 @@ public final class Saml11TicketValidator extends AbstractUrlBasedTicketValidator final Charset charset = CommonUtils.isNotBlank(getEncoding()) ? Charset.forName(getEncoding()) : IOUtils.UTF8; conn.getOutputStream().write(request.getBytes(charset)); - conn.getOutputStream().flush(); - return IOUtils.readString(conn.getInputStream(), charset); } catch (final IOException e) { throw new RuntimeException("IO error sending HTTP request to /samlValidate", e); diff --git a/pom.xml b/pom.xml index c161137..46ca4ae 100644 --- a/pom.xml +++ b/pom.xml @@ -252,6 +252,8 @@ cas-client-integration-tomcat-common cas-client-integration-tomcat-v6 cas-client-integration-tomcat-v7 + cas-client-integration-tomcat-v8 + cas-client-integration-jetty diff --git a/travis/deploy-to-sonatype.sh b/travis/deploy-to-sonatype.sh index 80f2154..63b409e 100644 --- a/travis/deploy-to-sonatype.sh +++ b/travis/deploy-to-sonatype.sh @@ -1,4 +1,23 @@ #!/bin/bash +# +# Licensed to Jasig under one or more contributor license +# agreements. See the NOTICE file distributed with this work +# for additional information regarding copyright ownership. +# Jasig licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a +# copy of the License at the following location: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + # Only invoke the deployment to Sonatype when it's not a PR and only for master if [ "$TRAVIS_PULL_REQUEST" == "false" ] && [ "$TRAVIS_BRANCH" == "master" ]; then diff --git a/travis/settings.xml b/travis/settings.xml index de99f77..32a6804 100644 --- a/travis/settings.xml +++ b/travis/settings.xml @@ -1,3 +1,23 @@ +