From 853450a8a6ef47bd4163d450002e540003d4bfab Mon Sep 17 00:00:00 2001
From: Misagh Moayyed
Date: Sun, 7 Jun 2015 17:05:47 -0700
Subject: [PATCH] added additional logs to proxy validation
---
 .../validation/Cas20ProxyTicketValidator.java | 21 ++++++++++++++++++-
 .../validation/Cas30ProxyTicketValidator.java | 2 +-
 .../cas/client/validation/ProxyList.java | 2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyTicketValidator.java b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyTicketValidator.java
index 592c330..c97cf21 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyTicketValidator.java
@@ -18,6 +18,7 @@
 */
 package org.jasig.cas.client.validation;
+import java.util.Arrays;
 import java.util.List;
 import org.jasig.cas.client.util.XmlUtils;
@@ -53,8 +54,22 @@ public class Cas20ProxyTicketValidator extends Cas20ServiceTicketValidator {
 throws TicketValidationException {
 final List proxies = XmlUtils.getTextForElements(response, "proxy");
+ if (proxies == null) {
+ throw new InvalidProxyChainTicketValidationException(
+ "Invalid proxy chain: No proxy could be retrieved from response. " + + "This indicates a problem with CAS validation. Review logs/configuration to find the root cause."
+ );
+ }
 // this means there was nothing in the proxy chain, which is okay
- if ((this.allowEmptyProxyChain && proxies.isEmpty()) || this.acceptAnyProxy) {
+ if ((this.allowEmptyProxyChain && proxies.isEmpty())) {
+ logger.debug("Found an empty proxy chain, permitted by client configuration");
+ return;
+ }
+
+ if (this.acceptAnyProxy) {
+ logger.debug("Client configuration accepts any proxy. " + + "It is generally dangerous to use a non-proxied CAS filter " + + "specially for protecting resources that require proxy access.");
 return;
 }
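Review bot: The `acceptAnyProxy` branch reports a setting that switches off proxy-chain checking only at debug level, so a deployment logging at info or above never sees it, and the message ("non-proxied CAS filter", "specially") does not say what is actually skipped. A clearer line such as `logger.warn("acceptAnyProxy is enabled: the proxy chain is not checked against allowedProxyChains");` would be better emitted once where the flag is set, which is outside this hunk, than on every validation. The new `proxies == null` guard also runs before the `acceptAnyProxy` check, so a commit titled as adding logs changes behaviour: a response for which `getTextForElements` yields null is now rejected even when any proxy is accepted. That fails closed, but the description or the method's Javadoc should say so. The method's signature starts before the hunk.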
@@ -63,6 +78,10 @@ public class Cas20ProxyTicketValidator extends Cas20ServiceTicketValidator {
 return;
 }
+ logger.warn("Proxies received from the CAS validation response are {}. " + + "However, none are allowed by allowed proxy chain of the client which is {}",
+ Arrays.toString(proxiedList), this.allowedProxyChains);
+ throw new InvalidProxyChainTicketValidationException("Invalid proxy chain: " + proxies.toString());
 }
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyTicketValidator.java b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyTicketValidator.java
index 2cdb641..6dfffc8 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyTicketValidator.java
@@ -26,7 +26,7 @@ package org.jasig.cas.client.validation;
 */
 public class Cas30ProxyTicketValidator extends Cas20ProxyTicketValidator {
- public Cas30ProxyTicketValidator(String casServerUrlPrefix) {
+ public Cas30ProxyTicketValidator(final String casServerUrlPrefix) {
 super(casServerUrlPrefix);
 }
diff --git a/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyList.java b/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyList.java
index 3585d5b..35642d3 100644
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyList.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyList.java
@@ -43,7 +43,7 @@ public final class ProxyList {
 this(new ArrayList());
 }
- public boolean contains(String[] proxiedList) {
+ public boolean contains(final String[] proxiedList) {
 for (final String[] list : this.proxyChains) {
 if (Arrays.equals(proxiedList, list)) {
 return true;
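Review bot: The `logger.warn` added to `Cas20ProxyTicketValidator` writes the proxy values from the validation response into the log unmodified, and nothing in the hunk neutralises line breaks or control characters in them. Whether those values can carry such characters is not visible here, but they originate outside this client, so the log line should not trust them; for example pass `Arrays.toString(proxiedList).replaceAll("[\\r\\n]", "_")` as the first argument, or confirm the logging layout encodes them. The message wording could also be tightened, e.g. "none match the client's allowed proxy chains, which are {}". `proxiedList` is declared between the hunks, so the full method body is not visible here.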