Merge pull request #1 from TouchInstinct/feature/skip-internal-ip

support internal requests skip
2019-12-27 18:49:12 +03:00 · 2019-12-27 17:53:03 +03:00 · 2019-12-24 05:46:06 +00:00 · 2019-12-23 05:41:20 +00:00 · 2019-12-17 09:33:26 +00:00 · 2019-12-16 21:42:40 +00:00
278 changed files with 8525 additions and 2649 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1,20 @@
+#
+# Licensed to Apereo under one or more contributor license
+# agreements. See the NOTICE file distributed with this work
+# for additional information regarding copyright ownership.
+# Apereo licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file
+# except in compliance with the License.  You may obtain a
+# copy of the License at the following location:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+custom: ['https://www.apereo.org/content/apereo-membership']
--- a/.github/renovate.json
+++ b/.github/renovate.json
@ -0,0 +1,11 @@
+{
+  "extends": [
+    "config:base",
+    ":preserveSemverRanges",
+    ":rebaseStalePrs",
+    ":disableRateLimiting",
+    ":semanticCommits",
+    ":semanticCommitTypeAll(renovatebot)"
+  ],
+  "labels": ["dependencies", "bot"]
+}
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -0,0 +1,73 @@
+#
+# Licensed to Apereo under one or more contributor license
+# agreements. See the NOTICE file distributed with this work
+# for additional information regarding copyright ownership.
+# Apereo licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file
+# except in compliance with the License.  You may obtain a
+# copy of the License at the following location:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 7
+
+# Number of days of inactivity before a stale Issue or Pull Request is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 7
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+  
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Label to use when marking as stale
+staleLabel: Pending
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This patch has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+  
+# Comment to post when removing the stale label.
+# unmarkComment: >
+#   Your comment here.
+
+# Comment to post when closing a stale Issue or Pull Request.
+closeComment: >
+  This patch has been automatically closed because it has not had
+  recent activity. If you wish to resume work, please re-open the pull request
+  and continue as usual. Thank you for your contributions.
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 30
+
+# Limit to only `issues` or `pulls`
+# only: pulls
+
+# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
+# pulls:
+#   daysUntilStale: 30
+#   markComment: >
+#     This pull request has been automatically marked as stale because it has not had
+#     recent activity. It will be closed if no further activity occurs. Thank you
+#     for your contributions.
+
+# issues:
+#   exemptLabels:
+#     - confirmed
--- a/.mergify.yml
+++ b/.mergify.yml
@ -0,0 +1,44 @@
+#
+# Licensed to Apereo under one or more contributor license
+# agreements. See the NOTICE file distributed with this work
+# for additional information regarding copyright ownership.
+# Apereo licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file
+# except in compliance with the License.  You may obtain a
+# copy of the License at the following location:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+pull_request_rules:
+- name: automatic merge by dependabot
+  conditions:
+    - status-success=continuous-integration/travis-ci/pr
+    - status-success=WIP
+    - "#changes-requested-reviews-by=0"
+    - base=master
+    - label=dependencies
+  actions:
+    merge:
+      method: squash
+      strict: false
+    delete_head_branch:
+- name: automatic merge by renovate
+  conditions:
+    - status-success=continuous-integration/travis-ci/pr
+    - status-success=WIP
+    - "#changes-requested-reviews-by=0"
+    - base=master
+    - label=dependencies
+  actions:
+    merge:
+      method: squash
+      strict: false
+    delete_head_branch:
--- a/.travis.yml
+++ b/.travis.yml
@ -17,17 +17,17 @@
 # under the License.
 #

-before_install:
- mvn -v
- java -version
-
 language: java
-
+sudo: required
+branches:
+  only:
+  - master
+cache:
+  directories:
+  - "$HOME/.m2/repository"
 script: "mvn install --settings travis/settings.xml"
-
 jdk:
-  - oraclejdk7
-
+  - openjdk8
 env:
  global:
  - secure: "JM/FMiec3GYShrMlJQSW2QG208+V0GCAj2bsP5eF8q4yzgp6o4rT+r57KDIDD6MapRN+G1Pnl3WPcS0aQYnwOhPg4tA2De1bFUPaJltP47eHFfblpjZeHMxcauCQ6BwFFr8yuC0ORsYCW3TOK00Mxq4CRlTlg5iclzHyS/pnkLI="
--- a/88
+++ b/88
@ -16,46 +16,86 @@ specific language governing permissions and limitations
 under the License.

 This project includes:
-  AOP alliance under Public Domain
+  Apache Commons Codec under Apache License, Version 2.0
  Apache Log4j under The Apache Software License, Version 2.0
+  Apache Log4j API under Apache License, Version 2.0
+  Apache Log4j to SLF4J Adapter under Apache License, Version 2.0
  Apache XML Security under The Apache Software License, Version 2.0
-  Atlassian Event under Atlassian End User License
-  Atlassian JIRA - Code - Core under Atlassian End User License
-  Atlassian Seraph under Atlassian End User License
-  atlassian-osuser under Atlassian End User License
+  Apereo CAS Client for Java under Apache License Version 2.0
+  asm under BSD
+  asm-analysis under BSD
+  asm-commons under BSD
+  asm-tree under BSD
+  Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs under Bouncy Castle Licence
+  Bouncy Castle Provider under Bouncy Castle Licence
  catalina under Apache License, Version 2.0
-  Commons Codec under The Apache Software License, Version 2.0
-  Confluence Core under Atlassian End User License
+  coyote under Apache License, Version 2.0
+  Eclipse Compiler for Java(TM) under Eclipse Public License - v 2.0
  Ehcache Core under The Apache Software License, Version 2.0
-  Google Collections Library under The Apache Software License, Version 2.0
-  Jasig CAS Client for Java under Apache License Version 2.0
-  Jasig CAS Client for Java - Atlassian Integration under Apache License Version 2.0
+  Hamcrest Core under New BSD License
+  Jackson-annotations under The Apache Software License, Version 2.0
+  Jackson-core under The Apache Software License, Version 2.0
+  jackson-databind under The Apache Software License, Version 2.0
  Jasig CAS Client for Java - Common Tomcat Integration Support under Apache License Version 2.0
  Jasig CAS Client for Java - Core under Apache License Version 2.0
-  Jasig CAS Client for Java - Distributed Proxy Storage Support:
-        Memcached under Apache License Version 2.0
  Jasig CAS Client for Java - Distributed Proxy Storage Support: EhCache under Apache License Version 2.0
+  Jasig CAS Client for Java - Distributed Proxy Storage Support: Memcached under Apache License Version 2.0
  Jasig CAS Client for Java - JBoss Integration under Apache License Version 2.0
+  Jasig CAS Client for Java - Jetty Container Integration under Apache License Version 2.0
  Jasig CAS Client for Java - SAML Protocol Support under Apache License Version 2.0
+  Jasig CAS Client for Java - Spring Boot Support under Apache License Version 2.0
  Jasig CAS Client for Java - Tomcat 6.x Integration under Apache License Version 2.0
  Jasig CAS Client for Java - Tomcat 7.x Integration under Apache License Version 2.0
+  Jasig CAS Client for Java - Tomcat 8.5.x Integration under Apache License Version 2.0
  Jasig CAS Client for Java - Tomcat 8.x Integration under Apache License Version 2.0
+  Jasig CAS Client for Java - Tomcat 9.0.x Integration under Apache License Version 2.0
  Java Servlet API under CDDL + GPLv2 with classpath exception
-  JavaBeans Activation Framework (JAF) under Common Development and Distribution License (CDDL) v1.0
-  JavaMail API under Common Development and Distribution License (CDDL) v1.0
+  javax.annotation API under CDDL + GPLv2 with classpath exception
  JBoss Application Server Tomcat under lgpl
-  JCL 1.1.1 implemented over SLF4J under MIT License
-  Joda-Time under Apache 2
-  JUnit under Common Public License Version 1.0
+  JCL 1.2 implemented over SLF4J under MIT License
+  Jetty :: Apache JSP Implementation under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Http Utility under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: IO Utility under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: JNDI Naming under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Plus under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Schemas under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Security under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Server Core under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Servlet Annotations under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Servlet Handling under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Utilities under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: Webapp Application Support under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Jetty :: XML utilities under Apache Software License - Version 2.0 or Eclipse Public License - Version 1.0
+  Joda-Time under Apache License, Version 2.0
+  JUL to SLF4J bridge under MIT License
+  JUnit under Eclipse Public License 1.0
+  Logback Classic Module under Eclipse Public License - v 1.0 or GNU Lesser General Public License
+  Logback Core Module under Eclipse Public License - v 1.0 or GNU Lesser General Public License
+  MortBay :: Apache EL :: API and Implementation under Apache License Version 2.0
+  MortBay :: Apache Jasper :: JSP Implementation under Apache License Version 2.0
  SLF4J API Module under MIT License
  SLF4J Simple Binding under MIT License
-  spring-aop under The Apache Software License, Version 2.0
-  spring-asm under The Apache Software License, Version 2.0
-  spring-beans under The Apache Software License, Version 2.0
-  spring-context under The Apache Software License, Version 2.0
-  spring-core under The Apache Software License, Version 2.0
-  spring-expression under The Apache Software License, Version 2.0
-  spring-test under The Apache Software License, Version 2.0
+  SnakeYAML under Apache License, Version 2.0
+  Spring AOP under Apache License, Version 2.0
+  Spring Beans under Apache License, Version 2.0
+  Spring Boot under Apache License, Version 2.0
+  Spring Boot AutoConfigure under Apache License, Version 2.0
+  Spring Boot Logging Starter under Apache License, Version 2.0
+  Spring Boot Starter under Apache License, Version 2.0
+  Spring Commons Logging Bridge under Apache License, Version 2.0
+  Spring Context under Apache License, Version 2.0
+  Spring Core under Apache License, Version 2.0
+  Spring Expression Language (SpEL) under Apache License, Version 2.0
+  Spring TestContext Framework under Apache License, Version 2.0
+  Spring Web under Apache License, Version 2.0
  Spymemcached under The Apache Software License, Version 2.0
+  tomcat-annotations-api under Apache License, Version 2.0
  tomcat-catalina under Apache License, Version 2.0
+  tomcat-coyote under Apache License, Version 2.0
+  tomcat-el-api under Apache License, Version 2.0
+  tomcat-embed-core under Apache License, Version 2.0
+  tomcat-jaspic-api under Apache License, Version 2.0
+  tomcat-jni under Apache License, Version 2.0
+  tomcat-jsp-api under Apache License, Version 2.0
+  tomcat-util-scan under Apache License, Version 2.0

--- a/README.md
+++ b/README.md
@ -7,7 +7,7 @@ This is the official home of the Java Apereo CAS client. The client consists of
 All client artifacts are published to Maven central. Depending on functionality, applications will need include one or more of the listed dependencies in their configuration.

 <a name="build"></a>
-## Build [![Build Status](https://travis-ci.org/Jasig/java-cas-client.png?branch=master)](https://travis-ci.org/Jasig/java-cas-client)
+## Build [![Build Status](https://travis-ci.org/apereo/java-cas-client.png?branch=master)](https://travis-ci.org/apereo/java-cas-client)

 ```bash
 git clone git@github.com:apereo/java-cas-client.git
@ -26,9 +26,9 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis

 ```xml
 <dependency>
-	<groupId>org.jasig.cas.client</groupId>
-	<artifactId>cas-client-core</artifactId>
-	<version>${java.cas.client.version}</version>
+    <groupId>org.jasig.cas.client</groupId>
+    <artifactId>cas-client-core</artifactId>
+    <version>${java.cas.client.version}</version>
 </dependency>
 ```

@ -62,7 +62,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis
 </dependency>
 ```

- Atlassian integration is provided by this dependency:
+- Atlassian integration (Deprecated) is provided by this dependency:

 ```xml
 <dependency>
@ -102,7 +102,7 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis
 </dependency>
 ```

- Tomcat 8 is provided by this dependency:
+- Tomcat 8.0.x is provided by this dependency:

 ```xml
 <dependency>
@ -111,7 +111,38 @@ files in the modules (`cas-client-integration-jboss` and `cas-client-support-dis
   <version>${java.cas.client.version}</version>
 </dependency>
 ```
-<a name="configurtion"></a>
+
+- Tomcat 8.5.x is provided by this dependency:
+
+```xml
+<dependency>
+   <groupId>org.jasig.cas.client</groupId>
+   <artifactId>cas-client-integration-tomcat-v85</artifactId>
+   <version>${java.cas.client.version}</version>
+</dependency>
+```
+
+- Tomcat 9.0.x is provided by this dependency:
+
+```xml
+<dependency>
+   <groupId>org.jasig.cas.client</groupId>
+   <artifactId>cas-client-integration-tomcat-v90</artifactId>
+   <version>${java.cas.client.version}</version>
+</dependency>
+```
+
+- Spring Boot AutoConfiguration is provided by this dependency:
+
+```xml
+<dependency>
+   <groupId>org.jasig.cas.client</groupId>
+   <artifactId>cas-client-support-springboot</artifactId>
+   <version>${java.cas.client.version}</version>
+</dependency>
+```
+
+<a name="configuration"></a>
 ## Configuration

 ### Strategies
@ -165,8 +196,8 @@ The `AuthenticationFilter` is what detects whether a user needs to be authentica
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
-    <param-name>casServerLoginUrl</param-name>
-    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas/login</param-value>
+    <param-name>casServerUrlPrefix</param-name>
+    <param-value>https://battags.ad.ess.rutgers.edu:8443/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
@ -181,7 +212,8 @@ The `AuthenticationFilter` is what detects whether a user needs to be authentica

 | Property | Description | Required
 |----------|-------|-----------
-| `casServerLoginUrl` | Defines the location of the CAS server login URL, i.e. `https://localhost:8443/cas/login` | Yes
+| `casServerUrlPrefix` | The start of the CAS server URL, i.e. `https://localhost:8443/cas` | Yes (unless `casServerLoginUrl` is set)
+| `casServerLoginUrl` | Defines the location of the CAS server login URL, i.e. `https://localhost:8443/cas/login`. This overrides `casServerUrlPrefix`, if set. | Yes (unless `casServerUrlPrefix` is set)
 | `serverName` | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). | Yes
 | `service` | The service URL to send to the CAS server, i.e. `https://localhost:8443/yourwebapp/index.html` | No
 | `renew` | specifies whether `renew=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all). Note that `renew` cannot be specified as local `init-param` setting. | No
@ -190,9 +222,22 @@ The `AuthenticationFilter` is what detects whether a user needs to be authentica
 | `serviceParameterName ` | specifies the name of the request parameter on where to find the service (i.e. `service`) | No
 | `encodeServiceUrl ` | Whether the client should auto encode the service url. Defaults to `true` | No
 | `ignorePattern` | Defines the url pattern to ignore, when intercepting authentication requests. | No
-| `ignoreUrlPatternType` | Defines the type of the pattern specified. Defaults to `REGEX`. Other types are `CONTAINS`, `EXACT`. | No
+| `ignoreUrlPatternType` | Defines the type of the pattern specified. Defaults to `REGEX`. Other types are `CONTAINS`, `EXACT`, `FULL_REGEX`. Can also accept a fully-qualified class name that implements `UrlPatternMatcherStrategy`. | No
 | `gatewayStorageClass` | The storage class used to record gateway requests | No
 | `authenticationRedirectStrategyClass` | The class name of the component to decide how to handle authn redirects to CAS | No
+| `method` | The method used by the CAS server to send the user back to the application. Defaults to `null` | No
+
+##### Ignore Patterns
+
+The following types are supported:
+
+| Type | Description 
+|----------|-------
+| `REGEX` | Matches the URL the `ignorePattern` using `Matcher#find()`. It matches the next occurrence within the substring that matches the regex.
+| `CONTAINS` | Uses the `String#contains()` operation to determine if the url contains the specified pattern. Behavior is case-sensitive.
+| `EXACT` | Uses the `String#equals()` operation to determine if the url exactly equals the specified pattern. Behavior is case-sensitive.
+| `FULL_REGEX` | Matches the URL the `ignorePattern` using `Matcher#matches()`. It matches the expression against the entire string as it implicitly add a `^` at the start and `$` at the end of the pattern, so it will not match substring or part of the string. `^` and `$` are meta characters that represents start of the string and end of the string respectively.
+

 <a name="orgjasigcasclientauthenticationsaml11authenticationfilter"></a>
 #### org.jasig.cas.client.authentication.Saml11AuthenticationFilter
@ -219,7 +264,8 @@ The SAML 1.1 `AuthenticationFilter` is what detects whether a user needs to be a

 | Property | Description | Required
 |----------|-------|-----------
-| `casServerLoginUrl` | Defines the location of the CAS server login URL, i.e. `https://localhost:8443/cas/login` | Yes
+| `casServerUrlPrefix` | The start of the CAS server URL, i.e. `https://localhost:8443/cas` | Yes (unless `casServerLoginUrl` is set)
+| `casServerLoginUrl` | Defines the location of the CAS server login URL, i.e. `https://localhost:8443/cas/login`. This overrides `casServerUrlPrefix`, if set. | Yes (unless `casServerUrlPrefix` is set)
 | `serverName` | The name of the server this application is hosted on. Service URL will be dynamically constructed using this, i.e. https://localhost:8443 (you must include the protocol, but port is optional if it's a standard port). | Yes
 | `service` | The service URL to send to the CAS server, i.e. `https://localhost:8443/yourwebapp/index.html` | No
 | `renew` | specifies whether `renew=true` should be sent to the CAS server. Valid values are either `true/false` (or no value at all). Note that `renew` cannot be specified as local `init-param` setting. | No
@ -227,9 +273,10 @@ The SAML 1.1 `AuthenticationFilter` is what detects whether a user needs to be a
 | `artifactParameterName ` | specifies the name of the request parameter on where to find the artifact (i.e. `SAMLart`). | No
 | `serviceParameterName ` | specifies the name of the request parameter on where to find the service (i.e. `TARGET`) | No
 | `encodeServiceUrl ` | Whether the client should auto encode the service url. Defaults to `true` | No
+| `method` | The method used by the CAS server to send the user back to the application. Defaults to `null` | No

 <a name="rgjasigcasclientvalidationcas10ticketvalidationfilter"></a>
-####org.jasig.cas.client.validation.Cas10TicketValidationFilter
+#### org.jasig.cas.client.validation.Cas10TicketValidationFilter
 Validates tickets using the CAS 1.0 Protocol.

 ```xml
@ -240,6 +287,10 @@ Validates tickets using the CAS 1.0 Protocol.
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://somewhere.cas.edu:8443/cas</param-value>
  </init-param>
+  <init-param>
+    <param-name>serverName</param-name>
+    <param-value>http://www.the-client.com</param-value>
+  </init-param>    
 </filter>
 <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
@ -340,9 +391,19 @@ Validates the tickets using the CAS 2.0 protocol. If you provide either the `acc
 | `millisBetweenCleanUps` | Startup delay for the cleanup task to remove expired tickets from the storage. Defaults to `60000 msec` | No
 | `ticketValidatorClass` | Ticket validator class to use/create | No
 | `hostnameVerifier` | Hostname verifier class name, used when making back-channel calls | No
+| `privateKeyPath` | The path to a private key to decrypt PGTs directly sent encrypted as an attribute | No
+| `privateKeyAlgorithm` | The algorithm of the private key. Defaults to `RSA` | No

 #### org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter
-Validates the tickets using the CAS 3.0 protocol. If you provide either the `acceptAnyProxy` or the `allowedProxyChains` parameters, a `Cas30ProxyTicketValidator` will be constructed. Otherwise a general `Cas30ServiceTicketValidator` will be constructed that does not accept proxy tickets. Supports all configurations that are available for `Cas20ProxyReceivingTicketValidationFilter`.
+Validates the tickets using the CAS 3.0 protocol. If you provide either the `acceptAnyProxy` or the `allowedProxyChains` parameters, 
+a `Cas30ProxyTicketValidator` will be constructed. Otherwise a general `Cas30ServiceTicketValidator` will be constructed that does not 
+accept proxy tickets. Supports all configurations that are available for `Cas20ProxyReceivingTicketValidationFilter`.
+
+#### org.jasig.cas.client.validation.json.Cas30JsonProxyReceivingTicketValidationFilter
+Indentical to `Cas30ProxyReceivingTicketValidationFilter`, yet the filter is able to accept validation responses from CAS
+that are formatted as JSON per guidelines laid out by the CAS protocol. 
+See the [protocol documentation](https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol-Specification.html)
+for more info.

 ##### Proxy Authentication vs. Distributed Caching
 The client has support for clustering and distributing the TGT state among application nodes that are behind a load balancer. In order to do so, the parameter needs to be defined as such for the filter.
@ -436,7 +497,7 @@ Filters that redirects to the supplied url based on an exception.  Exceptions an

 | Property | Description | Required
 |----------|-------|-----------
-| `defaultErrorRedirectPage` | Default url to redirect to, in case no erorr matches are found. | Yes
+| `defaultErrorRedirectPage` | Default url to redirect to, in case no error matches are found. | Yes
 | `java.lang.Exception` | Fully qualified exception name. Its value must be redirection url | No


@ -598,6 +659,107 @@ Configuration to accept Proxy Ticket from a chain (and Proxy Granting Tickets):

 The specific filters can be configured in the following ways. Please see the JavaDocs included in the distribution for specific required and optional properties:

+<a name="springboot-autoconfiguration"></a>
+## Spring Boot AutoConfiguration
+
+### Usage 
+
+* Define a dependency:
+
+> Maven:
+
+```xml
+<dependency>
+   <groupId>org.jasig.cas.client</groupId>
+   <artifactId>cas-client-support-springboot</artifactId>
+   <version>${java.cas.client.version}</version>
+</dependency>
+```
+
+> Gradle:
+
+```groovy
+dependencies {
+    ...
+    compile 'org.jasig.cas.client:cas-client-support-springboot:${java.cas.client.version}'
+    ...
+}
+```
+
+* Add the following required properties in Spring Boot's `application.properties` or `application.yml`:
+
+```properties
+cas.server-url-prefix=https://cashost.com/cas
+cas.server-login-url=https://cashost.com/cas/login
+cas.client-host-url=https://casclient.com
+```
+
+* Annotate Spring Boot application (or any @Configuration class) with `@EnableCasClient` annotation
+
+```java
+@SpringBootApplication
+@Controller
+@EnableCasClient
+public class MyApplication { .. }
+```
+
+> For CAS3 protocol (authentication and validation filters) - which is default if nothing is specified
+
+```properties
+cas.validation-type=CAS3
+```
+
+> For CAS2 protocol (authentication and validation filters)
+
+```properties
+cas.validation-type=CAS
+```
+
+> For SAML protocol (authentication and validation filters)
+
+```properties
+cas.validation-type=SAML
+```
+
+### Available optional properties
+
+* `cas.single-logout.enabled`
+* `cas.authentication-url-patterns`
+* `cas.validation-url-patterns`
+* `cas.request-wrapper-url-patterns`
+* `cas.assertion-thread-local-url-patterns`
+* `cas.gateway`
+* `cas.use-session`
+* `cas.redirect-after-validation`
+* `cas.allowed-proxy-chains`
+* `cas.proxy-callback-url`
+* `cas.proxy-receptor-url`
+* `cas.accept-any-proxy`
+* `server.context-parameters.renew`
+
+### Advanced configuration
+
+This module does not expose ALL the CAS client configuration options via standard Spring property sources, but only most commonly used ones.
+If there is a need however, to set any number of not exposed, 'exotic' properties, you can implement the `CasClientConfigurer`
+class in your `@EnableCasClient` annotated class and override appropriate configuration method(s) for CAS client filter(s) in question.
+For example:
+
+```java
+@SpringBootApplication
+@EnableCasClient
+class CasProtectedApplication implements CasClientConfigurer {    
+    @Override
+    void configureValidationFilter(FilterRegistrationBean validationFilter) {           
+        validationFilter.getInitParameters().put("millisBetweenCleanUps", "120000");
+    }        
+    @Override
+    void configureAuthenticationFilter(FilterRegistrationBean authenticationFilter) {
+        authenticationFilter.getInitParameters().put("artifactParameterName", "casTicket");
+        authenticationFilter.getInitParameters().put("serviceParameterName", "targetService");
+    }                                
+}
+``` 
+

 <a name="client-configuration-using-jndi"></a>
 ### Client Configuration Using JNDI
@ -632,7 +794,7 @@ type="java.lang.String" value="https://www.apereo.org/cas"/>
 ### Configuring Single Sign Out
 The Single Sign Out support in CAS consists of configuring one `SingleSignOutFilter` and one `ContextListener`. Please note that if you have configured the CAS Client for Java as Web filters, this filter must come before the other filters as described.

-The `SingleSignOutFilter` can affect character encoding. This becomes most obvious when used in conjunction with applications such as Atlassian Confluence. Its recommended you explicitly configure either the [VT Character Encoding Filter](http://code.google.com/p/vt-middleware/wiki/vtservletfilters#CharacterEncodingFilter) or the [Spring Character Encoding Filter](http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/filter/CharacterEncodingFilter.html) with explicit encodings.
+The `SingleSignOutFilter` can affect character encoding. This becomes most obvious when used in conjunction with applications such as Atlassian Confluence. It's recommended you explicitly configure either the [VT Character Encoding Filter](http://code.google.com/p/vt-middleware/wiki/vtservletfilters#CharacterEncodingFilter) or the [Spring Character Encoding Filter](http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/filter/CharacterEncodingFilter.html) with explicit encodings.

 #### Configuration

@ -640,11 +802,10 @@ The `SingleSignOutFilter` can affect character encoding. This becomes most obvio
 |----------|-------|-----------
 | `artifactParameterName` | The ticket artifact parameter name. Defaults to `ticket`| No
 | `logoutParameterName` | Defaults to `logoutRequest` | No
-| `frontLogoutParameterName` | Defaults to `SAMLRequest` | No
 | `relayStateParameterName` | Defaults to `RelayState` | No
 | `eagerlyCreateSessions` | Defaults to `true` | No
 | `artifactParameterOverPost` | Defaults to  `false` | No
-| `casServerUrlPrefix` | URL to root of CAS Web application context. | Yes
+| `logoutCallbackPath` | The path which is expected to receive logout callback requests from the CAS server. This is necessary if your app needs access to the raw input stream when handling form posts. If not configured, the default behavior will check every form post for a logout parameter. | No

 <a name="cas-protocol"></a>
 #### CAS Protocol
@ -653,10 +814,6 @@ The `SingleSignOutFilter` can affect character encoding. This becomes most obvio
 <filter>
   <filter-name>CAS Single Sign Out Filter</filter-name>
   <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
-   <init-param>
-      <param-name>casServerUrlPrefix</param-name>
-      <param-value>https://cas.example.com/cas</param-value>
-   </init-param>
 </filter>
 ...
 <filter-mapping>
@ -680,10 +837,6 @@ The `SingleSignOutFilter` can affect character encoding. This becomes most obvio
      <param-name>artifactParameterName</param-name>
      <param-value>SAMLart</param-value>
   </init-param>
-   <init-param>
-      <param-name>casServerUrlPrefix</param-name>
-      <param-value>https://cas.example.com/cas</param-value>
-   </init-param>
 </filter>
 ...
 <filter-mapping>
@ -709,7 +862,7 @@ To log out of all applications, click here. (provide link to CAS server's logout

 <a name="jaas"></a>
 ## JAAS
-The client supports the Java Authentication and Authorization Service (JAAS) framework, which provides authnz facilities to CAS-enabled JEE applications.
+The client supports the Java Authentication and Authorization Service (JAAS) framework, which provides authn facilities to CAS-enabled JEE applications.

 A general JAAS authentication module, `CasLoginModule`, is available with the specific purpose of providing authentication and authorization services to CAS-enabled JEE applications. The design of the module is simple: given a service URL and a service ticket in a `NameCallback` and `PasswordCallback`, respectively, the module contacts the CAS server and attempts to validate the ticket. In keeping with CAS integration for Java applications, a JEE container-specific servlet filter is needed to protect JEE Web applications. The JAAS support should be extensible to any JEE container.

@ -778,17 +931,17 @@ The `WebAuthenticationFilter` performs these operations for the JBoss AS contain
 ```xml
 ...
 <filter>
-	<filter-name>CASWebAuthenticationFilter</filter-name>
-	<filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
+    <filter-name>CASWebAuthenticationFilter</filter-name>
+    <filter-class>org.jasig.cas.client.jboss.authentication.WebAuthenticationFilter</filter-class>
 </filter>

 <filter>
-	<filter-name>CASAuthenticationFilter</filter-name>
-	<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
-	<init-param>
-	  <param-name>casServerLoginUrl</param-name>
-	  <param-value>https://cas.example.com/cas/login</param-value>
-	</init-param>
+    <filter-name>CASAuthenticationFilter</filter-name>
+    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
+    <init-param>
+      <param-name>casServerLoginUrl</param-name>
+      <param-value>https://cas.example.com/cas/login</param-value>
+    </init-param>
 </filter>
 ...
 <!-- one filter-mapping for each filter as seen in the examples above -->
@ -828,10 +981,10 @@ If you have any trouble, you can enable the log of cas in `jboss-logging.xml` by
 <logger category="org.jasig">
   <level name="DEBUG" />
 </logger>
-``` 
+```       

 <a name="tomcat-678-integration"></a>
-## Tomcat 6/7/8 Integration
+## Tomcat 6/7/8/9 Integration
 The client supports container-based CAS authentication and authorization support for the Tomcat servlet container. 

 Suppose a single Tomcat container hosts multiple Web applications with similar authentication and authorization needs. Prior to Tomcat container support, each application would require a similar configuration of CAS servlet filters and authorization configuration in the `web.xml` servlet descriptor. Using the new container-based authentication/authorization feature, a single CAS configuration can be applied to the container and leveraged by all Web applications hosted by the container.
@ -840,7 +993,12 @@ CAS authentication support for Tomcat is based on the Tomcat-specific Realm comp

 <a name="component-overview"></a>
 ### Component Overview
-In the following discussion of components, only the Tomcat 8.x components are mentioned. The Tomcat 7.0.x and 6.0.x components have exactly the same name, but **are in the tomcat.v7 and tomcat.v6 packages**, e.g. `org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator` or `org.jasig.cas.client.tomcat.v6.Cas20CasAuthenticator`.
+In the following discussion of components, only the Tomcat 8.x components are mentioned. Tomcat 8.0.x components are housed inside
+`org.jasig.cas.client.tomcat.v8` while Tomcat 8.5.x components are inside `org.jasig.cas.client.tomcat.v85`. Tomcat 9 packages are
+available at `org.jasig.cas.client.tomcat.v90`. You should be able to use the same exact configuration between the two modules provided package names are adjusted for each release. 
+
+The Tomcat 7.0.x and 6.0.x components have exactly the same name, but **are in the tomcat.v7 and tomcat.v6 packages**, e.g. 
+`org.jasig.cas.client.tomcat.v7.Cas20CasAuthenticator` or `org.jasig.cas.client.tomcat.v6.Cas20CasAuthenticator`.

 <a name="authenticators"></a>
 #### Authenticators
--- a/assembly.xml
+++ b/assembly.xml
@ -1,9 +1,9 @@
 <!--

-    Licensed to Jasig under one or more contributor license
+    Licensed to Apereo under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
-    Jasig licenses this file to you under the Apache License,
+    Apereo licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:
--- a/cas-client-core/LICENSE.txt
+++ b/cas-client-core/LICENSE.txt
@ -1,18 +1,18 @@
 ====
-    Licensed to Jasig under one or more contributor license
+    Licensed to Apereo under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
-    Jasig licenses this file to you under the Apache License,
+    Apereo licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
-    except in compliance with the License. You may obtain a
-    copy of the License at:
+    except in compliance with the License.  You may obtain a
+    copy of the License at the following location:

-    http://www.apache.org/licenses/LICENSE-2.0
+      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
-    software distributed under the License is distributed on
-    an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-    KIND, either express or implied. See the License for the
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.
 ====
--- a/cas-client-core/NOTICE
+++ b/cas-client-core/NOTICE
@ -16,23 +16,27 @@ specific language governing permissions and limitations
 under the License.

 This project includes:
-  AOP alliance under Public Domain
+  Apache Commons Codec under Apache License, Version 2.0
  Apache Log4j under The Apache Software License, Version 2.0
  Apache XML Security under The Apache Software License, Version 2.0
-  Commons Codec under The Apache Software License, Version 2.0
+  Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs under Bouncy Castle Licence
+  Bouncy Castle Provider under Bouncy Castle Licence
+  Hamcrest Core under New BSD License
+  Jackson-annotations under The Apache Software License, Version 2.0
+  Jackson-core under The Apache Software License, Version 2.0
+  jackson-databind under The Apache Software License, Version 2.0
  Jasig CAS Client for Java - Core under Apache License Version 2.0
  Java Servlet API under CDDL + GPLv2 with classpath exception
-  JavaBeans Activation Framework (JAF) under Common Development and Distribution License (CDDL) v1.0
-  JavaMail API under Common Development and Distribution License (CDDL) v1.0
-  JCL 1.1.1 implemented over SLF4J under MIT License
-  JUnit under Common Public License Version 1.0
+  JCL 1.2 implemented over SLF4J under MIT License
+  JUnit under Eclipse Public License 1.0
  SLF4J API Module under MIT License
  SLF4J Simple Binding under MIT License
-  spring-aop under The Apache Software License, Version 2.0
-  spring-asm under The Apache Software License, Version 2.0
-  spring-beans under The Apache Software License, Version 2.0
-  spring-context under The Apache Software License, Version 2.0
-  spring-core under The Apache Software License, Version 2.0
-  spring-expression under The Apache Software License, Version 2.0
-  spring-test under The Apache Software License, Version 2.0
+  Spring AOP under Apache License, Version 2.0
+  Spring Beans under Apache License, Version 2.0
+  Spring Commons Logging Bridge under Apache License, Version 2.0
+  Spring Context under Apache License, Version 2.0
+  Spring Core under Apache License, Version 2.0
+  Spring Expression Language (SpEL) under Apache License, Version 2.0
+  Spring TestContext Framework under Apache License, Version 2.0
+  Spring Web under Apache License, Version 2.0

--- a/cas-client-core/pom.xml
+++ b/cas-client-core/pom.xml
@ -1,7 +1,27 @@
+<!--
+
+    Licensed to Apereo under one or more contributor license
+    agreements. See the NOTICE file distributed with this work
+    for additional information regarding copyright ownership.
+    Apereo licenses this file to you under the Apache License,
+    Version 2.0 (the "License"); you may not use this file
+    except in compliance with the License.  You may obtain a
+    copy of the License at the following location:
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+-->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <parent>
        <groupId>org.jasig.cas.client</groupId>
-        <version>3.4.2-SNAPSHOT</version>
+        <version>3.6.2-SNAPSHOT</version>
        <artifactId>cas-client</artifactId>
    </parent>
    <modelVersion>4.0.0</modelVersion>
@ -14,7 +34,7 @@
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
-                <version>2.6</version>
+                <version>3.1.1</version>
                <executions>
                    <execution>
                        <goals>
@ -35,6 +55,11 @@
            <optional>true</optional>
        </dependency>

+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
+        
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-beans</artifactId>
@ -42,6 +67,12 @@
            <scope>provided</scope>
        </dependency>

+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <scope>provided</scope>
+        </dependency>
+        
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-test</artifactId>
@ -64,7 +95,7 @@
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <scope>test</scope>
-            <version>1.2.15</version>
+            <version>1.2.17</version>
            <exclusions>
                <exclusion>
                    <artifactId>jmxri</artifactId>
--- a/cas-client-core/src/main/java/org/jasig/cas/client/Protocol.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/Protocol.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AttributePrincipal.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AttributePrincipal.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AttributePrincipalImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AttributePrincipalImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -96,11 +96,13 @@ public class AttributePrincipalImpl extends SimplePrincipal implements Attribute
        CommonUtils.assertNotNull(this.attributes, "attributes cannot be null.");
    }

+    @Override
    public Map<String, Object> getAttributes() {
        return this.attributes;
    }

-    public String getProxyTicketFor(String service) {
+    @Override
+    public String getProxyTicketFor(final String service) {
        if (proxyGrantingTicket != null) {
            return this.proxyRetriever.getProxyTicketIdFor(this.proxyGrantingTicket, service);
        }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -18,15 +18,6 @@
 */
 package org.jasig.cas.client.authentication;

-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
 import org.jasig.cas.client.Protocol;
 import org.jasig.cas.client.configuration.ConfigurationKeys;
 import org.jasig.cas.client.util.AbstractCasFilter;
@ -34,6 +25,18 @@ import org.jasig.cas.client.util.CommonUtils;
 import org.jasig.cas.client.util.ReflectUtils;
 import org.jasig.cas.client.validation.Assertion;

+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
 /**
 * Filter implementation to intercept all requests and attempt to authenticate
 * the user by redirecting them to CAS (unless the user has a ticket).
@ -43,6 +46,7 @@ import org.jasig.cas.client.validation.Assertion;
 * <li><code>casServerLoginUrl</code> - the url to log into CAS, i.e. https://cas.rutgers.edu/login</li>
 * <li><code>renew</code> - true/false on whether to use renew or not.</li>
 * <li><code>gateway</code> - true/false on whether to use gateway or not.</li>
+ * <li><code>method</code> - the method used by the CAS server to send the user back to the application (redirect or post).</li>
 * </ul>
 *
 * <p>Please see AbstractCasFilter for additional properties.</p>
@ -67,18 +71,28 @@ public class AuthenticationFilter extends AbstractCasFilter {
     */
    private boolean gateway = false;

+    /**
+     * The method used by the CAS server to send the user back to the application.
+     */
+    private String method;
+
    private GatewayResolver gatewayStorage = new DefaultGatewayResolverImpl();

    private AuthenticationRedirectStrategy authenticationRedirectStrategy = new DefaultAuthenticationRedirectStrategy();
-    
+
    private UrlPatternMatcherStrategy ignoreUrlPatternMatcherStrategyClass = null;
-    
+
+    private String internalIp = null;
+
+    private static final String X_REAL_IP = "x-real-ip";
+
    private static final Map<String, Class<? extends UrlPatternMatcherStrategy>> PATTERN_MATCHER_TYPES =
-            new HashMap<String, Class<? extends UrlPatternMatcherStrategy>>();
-    
+        new HashMap<String, Class<? extends UrlPatternMatcherStrategy>>();
+
    static {
        PATTERN_MATCHER_TYPES.put("CONTAINS", ContainsPatternUrlPatternMatcherStrategy.class);
        PATTERN_MATCHER_TYPES.put("REGEX", RegexUrlPatternMatcherStrategy.class);
+        PATTERN_MATCHER_TYPES.put("FULL_REGEX", EntireRegionRegexUrlPatternMatcherStrategy.class);
        PATTERN_MATCHER_TYPES.put("EXACT", ExactUrlPatternMatcherStrategy.class);
    }

@ -89,17 +103,27 @@ public class AuthenticationFilter extends AbstractCasFilter {
    protected AuthenticationFilter(final Protocol protocol) {
        super(protocol);
    }
-    
+
+    @Override
    protected void initInternal(final FilterConfig filterConfig) throws ServletException {
        if (!isIgnoreInitConfiguration()) {
            super.initInternal(filterConfig);
-            setCasServerLoginUrl(getString(ConfigurationKeys.CAS_SERVER_LOGIN_URL));
+
+            final String loginUrl = getString(ConfigurationKeys.CAS_SERVER_LOGIN_URL);
+            if (loginUrl != null) {
+                setCasServerLoginUrl(loginUrl);
+            } else {
+                setCasServerUrlPrefix(getString(ConfigurationKeys.CAS_SERVER_URL_PREFIX));
+            }
+
            setRenew(getBoolean(ConfigurationKeys.RENEW));
            setGateway(getBoolean(ConfigurationKeys.GATEWAY));
-                       
+            setMethod(getString(ConfigurationKeys.METHOD));
+            setInternalIp(getString(ConfigurationKeys.INTERNAL_IP));
+
            final String ignorePattern = getString(ConfigurationKeys.IGNORE_PATTERN);
            final String ignoreUrlPatternType = getString(ConfigurationKeys.IGNORE_URL_PATTERN_TYPE);
-            
+
            if (ignorePattern != null) {
                final Class<? extends UrlPatternMatcherStrategy> ignoreUrlMatcherClass = PATTERN_MATCHER_TYPES.get(ignoreUrlPatternType);
                if (ignoreUrlMatcherClass != null) {
@ -116,13 +140,13 @@ public class AuthenticationFilter extends AbstractCasFilter {
                    this.ignoreUrlPatternMatcherStrategyClass.setPattern(ignorePattern);
                }
            }
-            
+
            final Class<? extends GatewayResolver> gatewayStorageClass = getClass(ConfigurationKeys.GATEWAY_STORAGE_CLASS);

            if (gatewayStorageClass != null) {
                setGatewayStorage(ReflectUtils.newInstance(gatewayStorageClass));
            }
-            
+
            final Class<? extends AuthenticationRedirectStrategy> authenticationRedirectStrategyClass = getClass(ConfigurationKeys.AUTHENTICATION_REDIRECT_STRATEGY_CLASS);

            if (authenticationRedirectStrategyClass != null) {
@ -131,23 +155,37 @@ public class AuthenticationFilter extends AbstractCasFilter {
        }
    }

+    @Override
    public void init() {
        super.init();
-        CommonUtils.assertNotNull(this.casServerLoginUrl, "casServerLoginUrl cannot be null.");
+
+        final String message = String.format(
+            "one of %s and %s must not be null.",
+            ConfigurationKeys.CAS_SERVER_LOGIN_URL.getName(),
+            ConfigurationKeys.CAS_SERVER_URL_PREFIX.getName());
+
+        CommonUtils.assertNotNull(this.casServerLoginUrl, message);
    }

+    @Override
    public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
-            final FilterChain filterChain) throws IOException, ServletException {
-        
+                               final FilterChain filterChain) throws IOException, ServletException {
+
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
-        
+
+        if (isInternalRequest(request)) {
+            logger.debug("Request is ignored [internal].");
+            filterChain.doFilter(request, response);
+            return;
+        }
+
        if (isRequestUrlExcluded(request)) {
            logger.debug("Request is ignored.");
            filterChain.doFilter(request, response);
            return;
        }
-        
+
        final HttpSession session = request.getSession(false);
        final Assertion assertion = session != null ? (Assertion) session.getAttribute(CONST_CAS_ASSERTION) : null;

@ -178,7 +216,7 @@ public class AuthenticationFilter extends AbstractCasFilter {
        logger.debug("Constructed service url: {}", modifiedServiceUrl);

        final String urlToRedirectTo = CommonUtils.constructRedirectUrl(this.casServerLoginUrl,
-                getProtocol().getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway);
+            getProtocol().getServiceParameterName(), modifiedServiceUrl, this.renew, this.gateway, this.method);

        logger.debug("redirecting to \"{}\"", urlToRedirectTo);
        this.authenticationRedirectStrategy.redirect(request, response, urlToRedirectTo);
@ -192,19 +230,41 @@ public class AuthenticationFilter extends AbstractCasFilter {
        this.gateway = gateway;
    }

+    public void setMethod(final String method) {
+        this.method = method;
+    }
+
+    public final void setCasServerUrlPrefix(final String casServerUrlPrefix) {
+        setCasServerLoginUrl(CommonUtils.addTrailingSlash(casServerUrlPrefix) + "login");
+    }
+
    public final void setCasServerLoginUrl(final String casServerLoginUrl) {
        this.casServerLoginUrl = casServerLoginUrl;
    }

+    public void setInternalIp(String internalIp) {
+        this.internalIp = internalIp;
+    }
+
    public final void setGatewayStorage(final GatewayResolver gatewayStorage) {
        this.gatewayStorage = gatewayStorage;
    }
-        
+
+    private boolean isInternalRequest(final HttpServletRequest request) {
+        if (this.internalIp == null) {
+            return false;
+        }
+
+        String realIp = request.getHeader(X_REAL_IP);
+
+        return this.internalIp.equals(realIp);
+    }
+
    private boolean isRequestUrlExcluded(final HttpServletRequest request) {
        if (this.ignoreUrlPatternMatcherStrategyClass == null) {
            return false;
        }
-        
+
        final StringBuffer urlBuffer = request.getRequestURL();
        if (request.getQueryString() != null) {
            urlBuffer.append("?").append(request.getQueryString());
@ -212,4 +272,10 @@ public class AuthenticationFilter extends AbstractCasFilter {
        final String requestUri = urlBuffer.toString();
        return this.ignoreUrlPatternMatcherStrategyClass.matches(requestUri);
    }
+
+    public final void setIgnoreUrlPatternMatcherStrategyClass(
+        final UrlPatternMatcherStrategy ignoreUrlPatternMatcherStrategyClass) {
+        this.ignoreUrlPatternMatcherStrategyClass = ignoreUrlPatternMatcherStrategyClass;
+    }
+
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationRedirectStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/AuthenticationRedirectStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/ContainsPatternUrlPatternMatcherStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/ContainsPatternUrlPatternMatcherStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -28,10 +28,12 @@ public final class ContainsPatternUrlPatternMatcherStrategy implements UrlPatter

    private String pattern;
    
+    @Override
    public boolean matches(final String url) {
        return url.contains(this.pattern);
    }

+    @Override
    public void setPattern(final String pattern) {
        this.pattern = pattern;
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/DefaultAuthenticationRedirectStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/DefaultAuthenticationRedirectStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -30,8 +30,9 @@ import javax.servlet.http.HttpServletResponse;
 */
 public final class DefaultAuthenticationRedirectStrategy implements AuthenticationRedirectStrategy {

+    @Override
    public void redirect(final HttpServletRequest request, final HttpServletResponse response,
-            final String potentialRedirectUrl) throws IOException {
+                         final String potentialRedirectUrl) throws IOException {
        response.sendRedirect(potentialRedirectUrl);
    }
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/DefaultGatewayResolverImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/DefaultGatewayResolverImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -25,6 +25,7 @@ public final class DefaultGatewayResolverImpl implements GatewayResolver {

    public static final String CONST_CAS_GATEWAY = "_const_cas_gateway_";

+    @Override
    public boolean hasGatewayedAlready(final HttpServletRequest request, final String serviceUrl) {
        final HttpSession session = request.getSession(false);

@ -33,10 +34,10 @@ public final class DefaultGatewayResolverImpl implements GatewayResolver {
        }

        final boolean result = session.getAttribute(CONST_CAS_GATEWAY) != null;
-        session.removeAttribute(CONST_CAS_GATEWAY);
        return result;
    }

+    @Override
    public String storeGatewayInformation(final HttpServletRequest request, final String serviceUrl) {
        request.getSession(true).setAttribute(CONST_CAS_GATEWAY, "yes");
        return serviceUrl;
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/EntireRegionRegexUrlPatternMatcherStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/EntireRegionRegexUrlPatternMatcherStrategy.java
@ -0,0 +1,53 @@
+/**
+ * Licensed to Apereo under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Apereo licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.authentication;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * A pattern matcher that looks inside the url to find the pattern, that
+ * is assumed to have been specified via regular expressions syntax.
+ * The match behavior is based on {@link Matcher#matches()}:
+ * Attempts to match the entire region against the pattern.
+ *
+ * @author Misagh Moayyed
+ * @since 3.5
+ */
+public final class EntireRegionRegexUrlPatternMatcherStrategy implements UrlPatternMatcherStrategy {
+
+    private Pattern pattern;
+
+    public EntireRegionRegexUrlPatternMatcherStrategy() {
+    }
+
+    public EntireRegionRegexUrlPatternMatcherStrategy(final String pattern) {
+        this.setPattern(pattern);
+    }
+
+    @Override
+    public boolean matches(final String url) {
+        return this.pattern.matcher(url).matches();
+    }
+
+    @Override
+    public void setPattern(final String pattern) {
+        this.pattern = Pattern.compile(pattern);
+    }
+}
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/ExactUrlPatternMatcherStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/ExactUrlPatternMatcherStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -35,10 +35,12 @@ public final class ExactUrlPatternMatcherStrategy implements UrlPatternMatcherSt
        this.setPattern(pattern);
    }

+    @Override
    public boolean matches(final String url) {
        return url.equals(this.pattern);
    }

+    @Override
    public void setPattern(final String pattern) {
        this.pattern = pattern;
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/FacesCompatibleAuthenticationRedirectStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/FacesCompatibleAuthenticationRedirectStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -34,8 +34,9 @@ public final class FacesCompatibleAuthenticationRedirectStrategy implements Auth

    private static final String FACES_PARTIAL_AJAX_PARAMETER = "javax.faces.partial.ajax";

+    @Override
    public void redirect(final HttpServletRequest request, final HttpServletResponse response,
-            final String potentialRedirectUrl) throws IOException {
+                         final String potentialRedirectUrl) throws IOException {

        if (CommonUtils.isNotBlank(request.getParameter(FACES_PARTIAL_AJAX_PARAMETER))) {
            // this is an ajax request - redirect ajaxly
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/GatewayResolver.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/GatewayResolver.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/RegexUrlPatternMatcherStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/RegexUrlPatternMatcherStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -18,12 +18,19 @@
 */
 package org.jasig.cas.client.authentication;

+import java.util.regex.Matcher;
 import java.util.regex.Pattern;

 /**
- * A pattern matcher that looks inside the url to find the pattern,. that
+ * A pattern matcher that looks inside the url to find the pattern, that
 * is assumed to have been specified via regular expressions syntax.
- * 
+ * The match behavior is based on {@link Matcher#find()}:
+ * Attempts to find the next subsequence of the input sequence that matches
+ * the pattern. This method starts at the beginning of this matcher's region, or, if
+ * a previous invocation of the method was successful and the matcher has
+ * not since been reset, at the first character not matched by the previous
+ * match.
+ *
 * @author Misagh Moayyed
 * @since 3.3.1
 */
@ -31,16 +38,19 @@ public final class RegexUrlPatternMatcherStrategy implements UrlPatternMatcherSt

    private Pattern pattern;

-    public RegexUrlPatternMatcherStrategy() {}
+    public RegexUrlPatternMatcherStrategy() {
+    }

    public RegexUrlPatternMatcherStrategy(final String pattern) {
        this.setPattern(pattern);
    }
-    
+
+    @Override
    public boolean matches(final String url) {
        return this.pattern.matcher(url).find();
    }

+    @Override
    public void setPattern(final String pattern) {
        this.pattern = Pattern.compile(pattern);
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/SimpleGroup.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/SimpleGroup.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -49,18 +49,22 @@ public final class SimpleGroup extends SimplePrincipal implements Group {
        super(name);
    }

+    @Override
    public boolean addMember(final Principal user) {
        return this.members.add(user);
    }

+    @Override
    public boolean isMember(final Principal member) {
        return this.members.contains(member);
    }

+    @Override
    public Enumeration<? extends Principal> members() {
        return Collections.enumeration(this.members);
    }

+    @Override
    public boolean removeMember(final Principal user) {
        return this.members.remove(user);
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/SimplePrincipal.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/SimplePrincipal.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -47,6 +47,7 @@ public class SimplePrincipal implements Principal, Serializable {
        CommonUtils.assertNotNull(this.name, "name cannot be null.");
    }

+    @Override
    public final String getName() {
        return this.name;
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/authentication/UrlPatternMatcherStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/authentication/UrlPatternMatcherStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/BaseConfigurationStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/BaseConfigurationStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -33,40 +33,50 @@ public abstract class BaseConfigurationStrategy implements ConfigurationStrategy

    protected final Logger logger = LoggerFactory.getLogger(getClass());

+    @Override
    public final boolean getBoolean(final ConfigurationKey<Boolean> configurationKey) {
        return getValue(configurationKey, new Parser<Boolean>() {
+            @Override
            public Boolean parse(final String value) {
                return CommonUtils.toBoolean(value);
            }
        });
    }

+    @Override
    public final long getLong(final ConfigurationKey<Long> configurationKey) {
        return getValue(configurationKey, new Parser<Long>() {
+            @Override
            public Long parse(final String value) {
                return CommonUtils.toLong(value, configurationKey.getDefaultValue());
            }
        });
    }

+    @Override
    public final int getInt(final ConfigurationKey<Integer> configurationKey) {
        return getValue(configurationKey, new Parser<Integer>() {
+            @Override
            public Integer parse(final String value) {
                return CommonUtils.toInt(value, configurationKey.getDefaultValue());
            }
        });
    }

+    @Override
    public final String getString(final ConfigurationKey<String> configurationKey) {
        return getValue(configurationKey, new Parser<String>() {
+            @Override
            public String parse(final String value) {
                return value;
            }
        });
    }

+    @Override
    public <T> Class<? extends T> getClass(final ConfigurationKey<Class<? extends T>> configurationKey) {
        return getValue(configurationKey, new Parser<Class<? extends T>>() {
+            @Override
            public Class<? extends T> parse(final String value) {
                try {
                    return ReflectUtils.loadClass(value);
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKey.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKey.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -60,4 +60,9 @@ public final class ConfigurationKey<E> {
    public E getDefaultValue() {
        return this.defaultValue;
    }
+    
+    @Override
+    public String toString() {
+        return getName();
+    }
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationKeys.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -49,11 +49,14 @@ public interface ConfigurationKeys {
    ConfigurationKey<Boolean> IGNORE_CASE = new ConfigurationKey<Boolean>("ignoreCase", Boolean.FALSE);
    ConfigurationKey<String> CAS_SERVER_LOGIN_URL = new ConfigurationKey<String>("casServerLoginUrl", null);
    ConfigurationKey<Boolean> GATEWAY = new ConfigurationKey<Boolean>("gateway", Boolean.FALSE);
+    ConfigurationKey<String> METHOD = new ConfigurationKey<String>("method", null);
    ConfigurationKey<Class<? extends AuthenticationRedirectStrategy>> AUTHENTICATION_REDIRECT_STRATEGY_CLASS = new ConfigurationKey<Class<? extends AuthenticationRedirectStrategy>>("authenticationRedirectStrategyClass", null);
    ConfigurationKey<Class<? extends GatewayResolver>> GATEWAY_STORAGE_CLASS = new ConfigurationKey<Class<? extends GatewayResolver>>("gatewayStorageClass", DefaultGatewayResolverImpl.class);
    ConfigurationKey<String> CAS_SERVER_URL_PREFIX = new ConfigurationKey<String>("casServerUrlPrefix", null);
    ConfigurationKey<String> ENCODING = new ConfigurationKey<String>("encoding", null);
    ConfigurationKey<Long> TOLERANCE = new ConfigurationKey<Long>("tolerance", 1000L);
+    ConfigurationKey<String> PRIVATE_KEY_PATH = new ConfigurationKey<String>("privateKeyPath", null);
+    ConfigurationKey<String> PRIVATE_KEY_ALGORITHM = new ConfigurationKey<String>("privateKeyAlgorithm", "RSA");

    /**
     * @deprecated As of 3.4. This constant is not used by the client and will
@ -61,6 +64,7 @@ public interface ConfigurationKeys {
     */
    @Deprecated
    ConfigurationKey<Boolean> DISABLE_XML_SCHEMA_VALIDATION = new ConfigurationKey<Boolean>("disableXmlSchemaValidation", Boolean.FALSE);
+    ConfigurationKey<String> INTERNAL_IP = new ConfigurationKey<String>("internalIp", null);
    ConfigurationKey<String> IGNORE_PATTERN = new ConfigurationKey<String>("ignorePattern", null);
    ConfigurationKey<String> IGNORE_URL_PATTERN_TYPE = new ConfigurationKey<String>("ignoreUrlPatternType", "REGEX");
    ConfigurationKey<Class<? extends HostnameVerifier>> HOSTNAME_VERIFIER = new ConfigurationKey<Class<? extends HostnameVerifier>>("hostnameVerifier", null);
@ -77,6 +81,6 @@ public interface ConfigurationKeys {
    ConfigurationKey<String> ALLOWED_PROXY_CHAINS = new ConfigurationKey<String>("allowedProxyChains", null);
    ConfigurationKey<Class<? extends Cas20ServiceTicketValidator>> TICKET_VALIDATOR_CLASS = new ConfigurationKey<Class<? extends Cas20ServiceTicketValidator>>("ticketValidatorClass", null);
    ConfigurationKey<String> PROXY_CALLBACK_URL = new ConfigurationKey<String>("proxyCallbackUrl", null);
-    ConfigurationKey<String> FRONT_LOGOUT_PARAMETER_NAME = new ConfigurationKey<String>("frontLogoutParameterName", "SAMLRequest");
    ConfigurationKey<String> RELAY_STATE_PARAMETER_NAME = new ConfigurationKey<String>("relayStateParameterName", "RelayState");
+    ConfigurationKey<String> LOGOUT_CALLBACK_PATH = new ConfigurationKey<String>("logoutCallbackPath", null);
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategy.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategy.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategyName.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/ConfigurationStrategyName.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/JndiConfigurationStrategyImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/JndiConfigurationStrategyImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -82,6 +82,7 @@ public class JndiConfigurationStrategyImpl extends BaseConfigurationStrategy {
    }


+    @Override
    public final void init(final FilterConfig filterConfig, final Class<? extends Filter> clazz) {
        this.simpleFilterName = clazz.getSimpleName();
        try {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/LegacyConfigurationStrategyImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/LegacyConfigurationStrategyImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -36,11 +36,13 @@ public final class LegacyConfigurationStrategyImpl extends BaseConfigurationStra

    private final JndiConfigurationStrategyImpl jndiConfigurationStrategy = new JndiConfigurationStrategyImpl();

-    public void init(FilterConfig filterConfig, Class<? extends Filter> filterClazz) {
+    @Override
+    public void init(final FilterConfig filterConfig, final Class<? extends Filter> filterClazz) {
        this.webXmlConfigurationStrategy.init(filterConfig, filterClazz);
        this.jndiConfigurationStrategy.init(filterConfig, filterClazz);
    }

+    @Override
    protected String get(final ConfigurationKey key) {
        final String value1 = this.webXmlConfigurationStrategy.get(key);

--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/PropertiesConfigurationStrategyImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/PropertiesConfigurationStrategyImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -24,7 +24,6 @@ import org.slf4j.LoggerFactory;

 import javax.servlet.Filter;
 import javax.servlet.FilterConfig;
-import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.util.Properties;
@ -50,7 +49,7 @@ public final class PropertiesConfigurationStrategyImpl extends BaseConfiguration

    private String simpleFilterName;

-    private Properties properties = new Properties();
+    private final Properties properties = new Properties();

    @Override
    protected String get(final ConfigurationKey configurationKey) {
@ -66,6 +65,7 @@ public final class PropertiesConfigurationStrategyImpl extends BaseConfiguration
        return this.properties.getProperty(property);
    }

+    @Override
    public void init(final FilterConfig filterConfig, final Class<? extends Filter> filterClazz) {
        this.simpleFilterName = filterClazz.getSimpleName();
        final String fileLocationFromFilterConfig = filterConfig.getInitParameter(CONFIGURATION_FILE_LOCATION);
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/SystemPropertiesConfigurationStrategyImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/SystemPropertiesConfigurationStrategyImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -29,11 +29,12 @@ import javax.servlet.FilterConfig;
 */
 public class SystemPropertiesConfigurationStrategyImpl extends BaseConfigurationStrategy {

-    public void init(FilterConfig filterConfig, Class<? extends Filter> filterClazz) {
+    @Override
+    public void init(final FilterConfig filterConfig, final Class<? extends Filter> filterClazz) {
    }

    @Override
-    protected String get(ConfigurationKey configurationKey) {
+    protected String get(final ConfigurationKey configurationKey) {
        return System.getProperty(configurationKey.getName());
    }
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/configuration/WebXmlConfigurationStrategyImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/configuration/WebXmlConfigurationStrategyImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -34,6 +34,7 @@ public final class WebXmlConfigurationStrategyImpl extends BaseConfigurationStra

    private FilterConfig filterConfig;

+    @Override
    protected String get(final ConfigurationKey configurationKey) {
        final String value = this.filterConfig.getInitParameter(configurationKey.getName());

@ -54,6 +55,7 @@ public final class WebXmlConfigurationStrategyImpl extends BaseConfigurationStra
        return null;
    }

+    @Override
    public void init(final FilterConfig filterConfig, final Class<? extends Filter> clazz) {
        this.filterConfig = filterConfig;
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/jaas/AssertionPrincipal.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/jaas/AssertionPrincipal.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -36,7 +36,7 @@ public class AssertionPrincipal extends SimplePrincipal implements Serializable
    private static final long serialVersionUID = 2288520214366461693L;

    /** CAS assertion describing authenticated state */
-    private Assertion assertion;
+    private final Assertion assertion;

    /**
     * Creates a new principal containing the CAS assertion.
--- a/cas-client-core/src/main/java/org/jasig/cas/client/jaas/CasLoginModule.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/jaas/CasLoginModule.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -162,7 +162,7 @@ public class CasLoginModule implements LoginModule {
    protected String[] defaultRoles;

    /** Names of attributes in the CAS assertion that should be used for role data */
-    protected Set<String> roleAttributeNames = new HashSet<String>();
+    protected final Set<String> roleAttributeNames = new HashSet<String>();

    /** Name of JAAS Group containing caller principal */
    protected String principalGroupName = DEFAULT_PRINCIPAL_GROUP_NAME;
@ -203,8 +203,9 @@ public class CasLoginModule implements LoginModule {
     *      names, e.g. DAYS, HOURS, MINUTES, SECONDS, MILLISECONDS. Default unit is MINUTES.</li>
     * </ul>
     */
+    @Override
    public final void initialize(final Subject subject, final CallbackHandler handler, final Map<String, ?> state,
-            final Map<String, ?> options) {
+                                 final Map<String, ?> options) {

        this.assertion = null;
        this.callbackHandler = handler;
@ -277,6 +278,7 @@ public class CasLoginModule implements LoginModule {
        // template method
    }

+    @Override
    public final boolean login() throws LoginException {
        logger.debug("Performing login.");

@ -292,10 +294,10 @@ public class CasLoginModule implements LoginModule {
            try {
                this.callbackHandler.handle(new Callback[] { ticketCallback, serviceCallback });
            } catch (final IOException e) {
-                logger.info("Login failed due to IO exception in callback handler: {}", e);
+                logger.info("Login failed due to IO exception in callback handler", e);
                throw (LoginException) new LoginException("IO exception in callback handler: " + e).initCause(e);
            } catch (final UnsupportedCallbackException e) {
-                logger.info("Login failed due to unsupported callback: {}", e);
+                logger.info("Login failed due to unsupported callback", e);
                throw (LoginException) new LoginException(
                        "Callback handler does not support PasswordCallback and TextInputCallback.").initCause(e);
            }
@ -325,7 +327,7 @@ public class CasLoginModule implements LoginModule {
                        this.assertion = this.ticketValidator.validate(this.ticket.getName(), service);

                    } catch (final Exception e) {
-                        logger.info("Login failed due to CAS ticket validation failure: {}", e);
+                        logger.info("Login failed due to CAS ticket validation failure", e);
                        throw (LoginException) new LoginException("CAS ticket validation failed: " + e).initCause(e);
                    }
                }
@ -341,6 +343,7 @@ public class CasLoginModule implements LoginModule {
        return result;
    }

+    @Override
    public final boolean abort() throws LoginException {
        if (this.ticket != null) {
            this.ticket = null;
@ -369,6 +372,7 @@ public class CasLoginModule implements LoginModule {
        // template method
    }

+    @Override
    public final boolean commit() throws LoginException {

        if (!preCommit()) {
@ -439,6 +443,7 @@ public class CasLoginModule implements LoginModule {
        return result;
    }

+    @Override
    public final boolean logout() throws LoginException {
        logger.debug("Performing logout.");

--- a/cas-client-core/src/main/java/org/jasig/cas/client/jaas/ServiceAndTicketCallbackHandler.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/jaas/ServiceAndTicketCallbackHandler.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -50,6 +50,7 @@ public class ServiceAndTicketCallbackHandler implements CallbackHandler {
        this.ticket = ticket;
    }

+    @Override
    public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (final Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/jaas/Servlet3AuthenticationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/jaas/Servlet3AuthenticationFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -55,8 +55,9 @@ public final class Servlet3AuthenticationFilter extends AbstractCasFilter {
        super(Protocol.CAS2);
    }

+    @Override
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
-            final FilterChain chain) throws IOException, ServletException {
+                         final FilterChain chain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final HttpSession session = request.getSession();
--- a/cas-client-core/src/main/java/org/jasig/cas/client/jaas/TicketCredential.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/jaas/TicketCredential.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -34,7 +34,7 @@ public final class TicketCredential implements Principal {
    private static final int HASHCODE_SEED = 17;

    /** Ticket ID string */
-    private String ticket;
+    private final String ticket;

    /**
     * Creates a new instance that wraps the given ticket.
@ -44,6 +44,7 @@ public final class TicketCredential implements Principal {
        this.ticket = ticket;
    }

+    @Override
    public String getName() {
        return this.ticket;
    }
@ -52,7 +53,7 @@ public final class TicketCredential implements Principal {
        return this.ticket;
    }

-    public boolean equals(Object o) {
+    public boolean equals(final Object o) {
        if (this == o)
            return true;
        if (o == null || getClass() != o.getClass())
--- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/AbstractEncryptedProxyGrantingTicketStorageImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/AbstractEncryptedProxyGrantingTicketStorageImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -60,10 +60,12 @@ public abstract class AbstractEncryptedProxyGrantingTicketStorageImpl implements
        this.cipherAlgorithm = cipherAlgorithm;
    }

+    @Override
    public final void save(final String proxyGrantingTicketIou, final String proxyGrantingTicket) {
        saveInternal(proxyGrantingTicketIou, encrypt(proxyGrantingTicket));
    }

+    @Override
    public final String retrieve(final String proxyGrantingTicketIou) {
        return decrypt(retrieveInternal(proxyGrantingTicketIou));
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/Cas20ProxyRetriever.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -75,6 +75,7 @@ public final class Cas20ProxyRetriever implements ProxyRetriever {
        this.urlConnectionFactory = urlFactory;
    }

+    @Override
    public String getProxyTicketIdFor(final String proxyGrantingTicketId, final String targetService) {
        CommonUtils.assertNotNull(proxyGrantingTicketId, "proxyGrantingTicketId cannot be null.");
        CommonUtils.assertNotNull(targetService, "targetService cannot be null.");
@ -94,7 +95,9 @@ public final class Cas20ProxyRetriever implements ProxyRetriever {
            return null;
        }

-        return XmlUtils.getTextForElement(response, "proxyTicket");
+        final String ticket = XmlUtils.getTextForElement(response, "proxyTicket");
+        logger.debug("Got proxy ticket {}", ticket);
+        return ticket;
    }

    private URL constructUrl(final String proxyGrantingTicketId, final String targetService) {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/CleanUpTimerTask.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/CleanUpTimerTask.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -39,6 +39,7 @@ public final class CleanUpTimerTask extends TimerTask {
        this.proxyGrantingTicketStorage = proxyGrantingTicketStorage;
    }

+    @Override
    public void run() {
        this.proxyGrantingTicketStorage.cleanUp();
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/ProxyGrantingTicketStorage.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/ProxyGrantingTicketStorage.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -23,7 +23,6 @@ package org.jasig.cas.client.proxy;
 * them to a specific ProxyGrantingTicketIou.
 *
 * @author Scott Battaglia
- * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public interface ProxyGrantingTicketStorage {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/ProxyGrantingTicketStorageImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/ProxyGrantingTicketStorageImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -34,7 +34,6 @@ import org.slf4j.LoggerFactory;
 *
 * @author Scott Battaglia
 * @author Brad Cupit (brad [at] lsu {dot} edu)
- * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public final class ProxyGrantingTicketStorageImpl implements ProxyGrantingTicketStorage {
@ -57,7 +56,7 @@ public final class ProxyGrantingTicketStorageImpl implements ProxyGrantingTicket
     * 
     * @see ProxyGrantingTicketStorageImpl#DEFAULT_TIMEOUT
     */
-    private long timeout;
+    private final long timeout;

    /**
     * Constructor set the timeout to the default value.
@ -80,6 +79,7 @@ public final class ProxyGrantingTicketStorageImpl implements ProxyGrantingTicket
     * NOTE: you can only retrieve a ProxyGrantingTicket once with this method.
     * Its removed after retrieval.
     */
+    @Override
    public String retrieve(final String proxyGrantingTicketIou) {
        if (CommonUtils.isBlank(proxyGrantingTicketIou)) {
            return null;
@ -98,6 +98,7 @@ public final class ProxyGrantingTicketStorageImpl implements ProxyGrantingTicket
        return holder.getProxyGrantingTicket();
    }

+    @Override
    public void save(final String proxyGrantingTicketIou, final String proxyGrantingTicket) {
        final ProxyGrantingTicketHolder holder = new ProxyGrantingTicketHolder(proxyGrantingTicket);

@ -110,6 +111,7 @@ public final class ProxyGrantingTicketStorageImpl implements ProxyGrantingTicket
     * Cleans up old, expired proxy tickets. This method must be
     * called regularly via an external thread or timer.
     */
+    @Override
    public void cleanUp() {
        for (final Map.Entry<String, ProxyGrantingTicketHolder> holder : this.cache.entrySet()) {
            if (holder.getValue().isExpired(this.timeout)) {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/ProxyRetriever.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/ProxyRetriever.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -25,7 +25,6 @@ import java.io.Serializable;
 * implementation a black box to the client.
 *
 * @author Scott Battaglia
- * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public interface ProxyRetriever extends Serializable {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/proxy/package.html
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/proxy/package.html
@ -1,9 +1,9 @@
 <!--

-    Licensed to Jasig under one or more contributor license
+    Licensed to Apereo under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
-    Jasig licenses this file to you under the Apache License,
+    Apereo licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/HashMapBackedSessionMappingStorage.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/HashMapBackedSessionMappingStorage.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -46,12 +46,14 @@ public final class HashMapBackedSessionMappingStorage implements SessionMappingS

    private final Logger logger = LoggerFactory.getLogger(getClass());

-    public synchronized void addSessionById(String mappingId, HttpSession session) {
+    @Override
+    public synchronized void addSessionById(final String mappingId, final HttpSession session) {
        ID_TO_SESSION_KEY_MAPPING.put(session.getId(), mappingId);
        MANAGED_SESSIONS.put(mappingId, session);

    }

+    @Override
    public synchronized void removeBySessionById(final String sessionId) {
        logger.debug("Attempting to remove Session=[{}]", sessionId);

@ -68,7 +70,8 @@ public final class HashMapBackedSessionMappingStorage implements SessionMappingS
        ID_TO_SESSION_KEY_MAPPING.remove(sessionId);
    }

-    public synchronized HttpSession removeSessionByMappingId(String mappingId) {
+    @Override
+    public synchronized HttpSession removeSessionByMappingId(final String mappingId) {
        final HttpSession session = MANAGED_SESSIONS.get(mappingId);

        if (session != null) {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SessionMappingStorage.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SessionMappingStorage.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -39,16 +39,16 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter {

    private static final SingleSignOutHandler HANDLER = new SingleSignOutHandler();

-    private AtomicBoolean handlerInitialized = new AtomicBoolean(false);
+    private final AtomicBoolean handlerInitialized = new AtomicBoolean(false);

+    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        if (!isIgnoreInitConfiguration()) {
            setArtifactParameterName(getString(ConfigurationKeys.ARTIFACT_PARAMETER_NAME));
            setLogoutParameterName(getString(ConfigurationKeys.LOGOUT_PARAMETER_NAME));
-            setFrontLogoutParameterName(getString(ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME));
            setRelayStateParameterName(getString(ConfigurationKeys.RELAY_STATE_PARAMETER_NAME));
-            setCasServerUrlPrefix(getString(ConfigurationKeys.CAS_SERVER_URL_PREFIX));
+            setLogoutCallbackPath(getString(ConfigurationKeys.LOGOUT_CALLBACK_PATH));
            HANDLER.setArtifactParameterOverPost(getBoolean(ConfigurationKeys.ARTIFACT_PARAMETER_OVER_POST));
            HANDLER.setEagerlyCreateSessions(getBoolean(ConfigurationKeys.EAGERLY_CREATE_SESSIONS));
        }
@ -63,25 +63,22 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter {
    public void setLogoutParameterName(final String name) {
        HANDLER.setLogoutParameterName(name);
    }
-
-    public void setFrontLogoutParameterName(final String name) {
-        HANDLER.setFrontLogoutParameterName(name);
-    }
-
+    
    public void setRelayStateParameterName(final String name) {
        HANDLER.setRelayStateParameterName(name);
    }

-    public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
-        HANDLER.setCasServerUrlPrefix(casServerUrlPrefix);
+    public void setLogoutCallbackPath(final String logoutCallbackPath) {
+        HANDLER.setLogoutCallbackPath(logoutCallbackPath);
    }

    public void setSessionMappingStorage(final SessionMappingStorage storage) {
        HANDLER.setSessionMappingStorage(storage);
    }

+    @Override
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
-            final FilterChain filterChain) throws IOException, ServletException {
+                         final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;

@ -98,6 +95,7 @@ public final class SingleSignOutFilter extends AbstractConfigurationFilter {
        }
    }

+    @Override
    public void destroy() {
        // nothing to do
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHandler.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -57,17 +57,14 @@ public final class SingleSignOutHandler {
    /** The name of the artifact parameter.  This is used to capture the session identifier. */
    private String artifactParameterName = Protocol.CAS2.getArtifactParameterName();

-    /** Parameter name that stores logout request for back channel SLO */
+    /** Parameter name that stores logout request for SLO */
    private String logoutParameterName = ConfigurationKeys.LOGOUT_PARAMETER_NAME.getDefaultValue();
-
-    /** Parameter name that stores logout request for front channel SLO */
-    private String frontLogoutParameterName = ConfigurationKeys.FRONT_LOGOUT_PARAMETER_NAME.getDefaultValue();
-
+    
    /** Parameter name that stores the state of the CAS server webflow for the callback */
    private String relayStateParameterName = ConfigurationKeys.RELAY_STATE_PARAMETER_NAME.getDefaultValue();
-    
-    /** The prefix url of the CAS server */
-    private String casServerUrlPrefix = "";
+
+    /** The logout callback path configured at the CAS server, if there is one */
+    private String logoutCallbackPath;

    private boolean artifactParameterOverPost = false;

@ -75,7 +72,7 @@ public final class SingleSignOutHandler {

    private List<String> safeParameters;

-    private LogoutStrategy logoutStrategy = isServlet30() ? new Servlet30LogoutStrategy() : new Servlet25LogoutStrategy();
+    private final LogoutStrategy logoutStrategy = isServlet30() ? new Servlet30LogoutStrategy() : new Servlet25LogoutStrategy();

    public void setSessionMappingStorage(final SessionMappingStorage storage) {
        this.sessionMappingStorage = storage;
@ -97,24 +94,17 @@ public final class SingleSignOutHandler {
    }

    /**
-     * @param name Name of parameter containing CAS logout request message for back channel SLO.
+     * @param name Name of parameter containing CAS logout request message for SLO.
     */
    public void setLogoutParameterName(final String name) {
        this.logoutParameterName = name;
    }

    /**
-     * @param casServerUrlPrefix The prefix url of the CAS server.
+     * @param logoutCallbackPath The logout callback path configured at the CAS server.
     */
-    public void setCasServerUrlPrefix(final String casServerUrlPrefix) {
-        this.casServerUrlPrefix = casServerUrlPrefix;
-    }
-
-    /**
-     * @param name Name of parameter containing CAS logout request message for front channel SLO.
-     */
-    public void setFrontLogoutParameterName(final String name) {
-        this.frontLogoutParameterName = name;
+    public void setLogoutCallbackPath(final String logoutCallbackPath) {
+        this.logoutCallbackPath = logoutCallbackPath;
    }

    /**
@ -135,14 +125,8 @@ public final class SingleSignOutHandler {
        if (this.safeParameters == null) {
            CommonUtils.assertNotNull(this.artifactParameterName, "artifactParameterName cannot be null.");
            CommonUtils.assertNotNull(this.logoutParameterName, "logoutParameterName cannot be null.");
-            CommonUtils.assertNotNull(this.frontLogoutParameterName, "frontLogoutParameterName cannot be null.");
            CommonUtils.assertNotNull(this.sessionMappingStorage, "sessionMappingStorage cannot be null.");
            CommonUtils.assertNotNull(this.relayStateParameterName, "relayStateParameterName cannot be null.");
-            CommonUtils.assertNotNull(this.casServerUrlPrefix, "casServerUrlPrefix cannot be null.");
-
-            if (CommonUtils.isBlank(this.casServerUrlPrefix)) {
-                logger.warn("Front Channel single sign out redirects are disabled when the 'casServerUrlPrefix' value is not set.");
-            }

            if (this.artifactParameterOverPost) {
                this.safeParameters = Arrays.asList(this.logoutParameterName, this.artifactParameterName);
@ -165,30 +149,32 @@ public final class SingleSignOutHandler {
    }

    /**
-     * Determines whether the given request is a CAS back channel logout request.
+     * Determines whether the given request is a CAS  logout request.
     *
     * @param request HTTP request.
     *
     * @return True if request is logout request, false otherwise.
     */
-    private boolean isBackChannelLogoutRequest(final HttpServletRequest request) {
-        return "POST".equals(request.getMethod())
-                && !isMultipartRequest(request)
-                && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName,
-                        this.safeParameters));
+    private boolean isLogoutRequest(final HttpServletRequest request) {
+        if ("POST".equalsIgnoreCase(request.getMethod())) {
+            return !isMultipartRequest(request)
+                    && pathEligibleForLogout(request)
+                    && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName,
+                    this.safeParameters));
+        }
+        
+        if ("GET".equalsIgnoreCase(request.getMethod())) {
+            return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters));
+        }
+        return false;
    }

-    /**
-     * Determines whether the given request is a CAS front channel logout request.  Front Channel log out requests are only supported
-     * when the 'casServerUrlPrefix' value is set.
-     *
-     * @param request HTTP request.
-     *
-     * @return True if request is logout request, false otherwise.
-     */
-    private boolean isFrontChannelLogoutRequest(final HttpServletRequest request) {
-        return "GET".equals(request.getMethod()) && CommonUtils.isNotBlank(this.casServerUrlPrefix)
-                && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(request, this.frontLogoutParameterName));
+    private boolean pathEligibleForLogout(final HttpServletRequest request) {
+        return logoutCallbackPath == null || logoutCallbackPath.equals(getPath(request));
+    }
+
+    private String getPath(final HttpServletRequest request) {
+        return request.getServletPath() + CommonUtils.nullToEmpty(request.getPathInfo());
    }

    /**
@ -203,26 +189,15 @@ public final class SingleSignOutHandler {
            logger.trace("Received a token request");
            recordSession(request);
            return true;
-
-        } else if (isBackChannelLogoutRequest(request)) {
-            logger.trace("Received a back channel logout request");
+        } 
+        
+        if (isLogoutRequest(request)) {
+            logger.trace("Received a logout request");
            destroySession(request);
            return false;
-
-        } else if (isFrontChannelLogoutRequest(request)) {
-            logger.trace("Received a front channel logout request");
-            destroySession(request);
-            // redirection url to the CAS server
-            final String redirectionUrl = computeRedirectionToServer(request);
-            if (redirectionUrl != null) {
-                CommonUtils.sendRedirect(response, redirectionUrl);
-            }
-            return false;
-
-        } else {
-            logger.trace("Ignoring URI for logout: {}", request.getRequestURI());
-            return true;
-        }
+        } 
+        logger.trace("Ignoring URI for logout: {}", request.getRequestURI());
+        return true;
    }

    /**
@ -245,7 +220,7 @@ public final class SingleSignOutHandler {
        try {
            this.sessionMappingStorage.removeBySessionById(session.getId());
        } catch (final Exception e) {
-            // ignore if the session is already marked as invalid.  Nothing we can do!
+            // ignore if the session is already marked as invalid. Nothing we can do!
        }
        sessionMappingStorage.addSessionById(token, session);
    }
@ -286,16 +261,17 @@ public final class SingleSignOutHandler {
     * @param request HTTP request containing a CAS logout message.
     */
    private void destroySession(final HttpServletRequest request) {
-        final String logoutMessage;
-        // front channel logout -> the message needs to be base64 decoded + decompressed
-        if (isFrontChannelLogoutRequest(request)) {
-            logoutMessage = uncompressLogoutMessage(CommonUtils.safeGetParameter(request,
-                    this.frontLogoutParameterName));
-        } else {
-            logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters);
+        String logoutMessage = CommonUtils.safeGetParameter(request, this.logoutParameterName, this.safeParameters);
+        if (CommonUtils.isBlank(logoutMessage)) {
+            logger.error("Could not locate logout message of the request from {}", this.logoutParameterName);
+            return;
        }
+        
+        if (!logoutMessage.contains("SessionIndex")) {
+            logoutMessage = uncompressLogoutMessage(logoutMessage);
+        }
+        
        logger.trace("Logout request:\n{}", logoutMessage);
-
        final String token = XmlUtils.getTextForElement(logoutMessage, "SessionIndex");
        if (CommonUtils.isNotBlank(token)) {
            final HttpSession session = this.sessionMappingStorage.removeSessionByMappingId(token);
@ -314,33 +290,6 @@ public final class SingleSignOutHandler {
        }
    }

-    /**
-     * Compute the redirection url to the CAS server when it's a front channel SLO
-     * (depending on the relay state parameter).
-     *
-     * @param request The HTTP request.
-     * @return the redirection url to the CAS server.
-     */
-    private String computeRedirectionToServer(final HttpServletRequest request) {
-        final String relayStateValue = CommonUtils.safeGetParameter(request, this.relayStateParameterName);
-        // if we have a state value -> redirect to the CAS server to continue the logout process
-        if (CommonUtils.isNotBlank(relayStateValue)) {
-            final StringBuilder buffer = new StringBuilder();
-            buffer.append(casServerUrlPrefix);
-            if (!this.casServerUrlPrefix.endsWith("/")) {
-                buffer.append("/");
-            }
-            buffer.append("logout?_eventId=next&");
-            buffer.append(this.relayStateParameterName);
-            buffer.append("=");
-            buffer.append(CommonUtils.urlEncode(relayStateValue));
-            final String redirectUrl = buffer.toString();
-            logger.debug("Redirection url to the CAS server: {}", redirectUrl);
-            return redirectUrl;
-        }
-        return null;
-    }
-
    private boolean isMultipartRequest(final HttpServletRequest request) {
        return request.getContentType() != null && request.getContentType().toLowerCase().startsWith("multipart");
    }
@ -364,6 +313,7 @@ public final class SingleSignOutHandler {

    private class Servlet25LogoutStrategy implements LogoutStrategy {

+        @Override
        public void logout(final HttpServletRequest request) {
            // nothing additional to do here
        }
@ -371,6 +321,7 @@ public final class SingleSignOutHandler {

    private class Servlet30LogoutStrategy implements LogoutStrategy {

+        @Override
        public void logout(final HttpServletRequest request) {
            try {
                request.logout();
--- a/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHttpSessionListener.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/session/SingleSignOutHttpSessionListener.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -36,10 +36,12 @@ public final class SingleSignOutHttpSessionListener implements HttpSessionListen

    private SessionMappingStorage sessionMappingStorage;

+    @Override
    public void sessionCreated(final HttpSessionEvent event) {
        // nothing to do at the moment
    }

+    @Override
    public void sessionDestroyed(final HttpSessionEvent event) {
        if (sessionMappingStorage == null) {
            sessionMappingStorage = getSessionMappingStorage();
--- a/cas-client-core/src/main/java/org/jasig/cas/client/ssl/AnyHostnameVerifier.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/ssl/AnyHostnameVerifier.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -32,6 +32,7 @@ import javax.net.ssl.SSLSession;
 public final class AnyHostnameVerifier implements HostnameVerifier {

    /** {@inheritDoc} */
+    @Override
    public boolean verify(final String hostname, final SSLSession session) {
        return true;
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/ssl/HttpURLConnectionFactory.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/ssl/HttpURLConnectionFactory.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/ssl/HttpsURLConnectionFactory.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/ssl/HttpsURLConnectionFactory.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -78,6 +78,7 @@ public final class HttpsURLConnectionFactory implements HttpURLConnectionFactory
        this.hostnameVerifier = verifier;
    }

+    @Override
    public HttpURLConnection buildHttpURLConnection(final URLConnection url) {
        return this.configureHttpsConnectionIfNeeded(url);
    }
@ -148,7 +149,7 @@ public final class HttpsURLConnectionFactory implements HttpURLConnectionFactory
    }

    @Override
-    public boolean equals(Object o) {
+    public boolean equals(final Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;

--- a/cas-client-core/src/main/java/org/jasig/cas/client/ssl/RegexHostnameVerifier.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/ssl/RegexHostnameVerifier.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -16,7 +16,6 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-
 package org.jasig.cas.client.ssl;

 import java.io.Serializable;
@ -38,7 +37,7 @@ public final class RegexHostnameVerifier implements HostnameVerifier, Serializab
    private static final long serialVersionUID = 1L;

    /** Allowed hostname pattern */
-    private Pattern pattern;
+    private final Pattern pattern;

    /**
     * Creates a new instance using the given regular expression.
@ -50,6 +49,7 @@ public final class RegexHostnameVerifier implements HostnameVerifier, Serializab
    }

    /** {@inheritDoc} */
+    @Override
    public boolean verify(final String hostname, final SSLSession session) {
        return pattern.matcher(hostname).matches();
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/ssl/WhitelistHostnameVerifier.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/ssl/WhitelistHostnameVerifier.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -35,7 +35,7 @@ public final class WhitelistHostnameVerifier implements HostnameVerifier, Serial
    private static final long serialVersionUID = 1L;

    /** Allowed hosts */
-    private String[] allowedHosts;
+    private final String[] allowedHosts;

    /**
     * Creates a new instance using the given array of allowed hosts.
@ -56,6 +56,7 @@ public final class WhitelistHostnameVerifier implements HostnameVerifier, Serial
    }

    /** {@inheritDoc} */
+    @Override
    public boolean verify(final String hostname, final SSLSession session) {

        for (final String allowedHost : this.allowedHosts) {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractCasFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractCasFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -25,6 +25,7 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Arrays;

 /**
 *  Abstract filter that contains code that is common to all CAS filters.
@ -45,7 +46,7 @@ public abstract class AbstractCasFilter extends AbstractConfigurationFilter {
    /** Represents the constant for where the assertion will be located in memory. */
    public static final String CONST_CAS_ASSERTION = "_const_cas_assertion_";

-    private Protocol protocol;
+    private final Protocol protocol;

    /** Sets where response.encodeUrl should be called on service urls when constructed. */
    private boolean encodeServiceUrl = true;
@ -62,6 +63,7 @@ public abstract class AbstractCasFilter extends AbstractConfigurationFilter {
        this.protocol = protocol;
    }

+    @Override
    public final void init(final FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        if (!isIgnoreInitConfiguration()) {
@ -96,6 +98,7 @@ public abstract class AbstractCasFilter extends AbstractConfigurationFilter {
    }

    // empty implementation as most filters won't need this.
+    @Override
    public void destroy() {
        // nothing to do
    }
@ -140,6 +143,7 @@ public abstract class AbstractCasFilter extends AbstractConfigurationFilter {
     * @return the ticket if its found, null otherwise.
     */
    protected String retrieveTicketFromRequest(final HttpServletRequest request) {
-        return CommonUtils.safeGetParameter(request, this.protocol.getArtifactParameterName());
+        return CommonUtils.safeGetParameter(request, this.protocol.getArtifactParameterName(),
+                Arrays.asList(this.protocol.getArtifactParameterName()));
    }
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractConfigurationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/AbstractConfigurationFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -45,7 +45,8 @@ public abstract class AbstractConfigurationFilter implements Filter {

    private ConfigurationStrategy configurationStrategy;

-    public void init(FilterConfig filterConfig) throws ServletException {
+    @Override
+    public void init(final FilterConfig filterConfig) throws ServletException {
        final String configurationStrategyName = filterConfig.getServletContext().getInitParameter(CONFIGURATION_STRATEGY_KEY);
        this.configurationStrategy = ReflectUtils.newInstance(ConfigurationStrategyName.resolveToConfigurationStrategy(configurationStrategyName));
        this.configurationStrategy.init(filterConfig, getClass());
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/AssertionHolder.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/AssertionHolder.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -24,7 +24,6 @@ import org.jasig.cas.client.validation.Assertion;
 * Static holder that places Assertion in a ThreadLocal.
 *
 * @author Scott Battaglia
- * @version $Revision: 11728 $ $Date: 2007-09-26 14:20:43 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public class AssertionHolder {
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/AssertionThreadLocalFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/AssertionThreadLocalFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -28,17 +28,18 @@ import org.jasig.cas.client.validation.Assertion;
 * Places the assertion in a ThreadLocal such that other resources can access it that do not have access to the web tier session.
 *
 * @author Scott Battaglia
- * @version $Revision: 11728 $ $Date: 2007-09-26 14:20:43 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public final class AssertionThreadLocalFilter implements Filter {

+    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        // nothing to do here
    }

+    @Override
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
-            final FilterChain filterChain) throws IOException, ServletException {
+                         final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpSession session = request.getSession(false);
        final Assertion assertion = (Assertion) (session == null ? request
@ -53,6 +54,7 @@ public final class AssertionThreadLocalFilter implements Filter {
        }
    }

+    @Override
    public void destroy() {
        // nothing to do
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/CommonUtils.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -18,15 +18,6 @@
 */
 package org.jasig.cas.client.util;

-import java.io.*;
-import java.net.HttpURLConnection;
-import java.net.URI;
-import java.net.URL;
-import java.net.URLEncoder;
-import java.util.*;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 import org.jasig.cas.client.Protocol;
 import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
 import org.jasig.cas.client.ssl.HttpURLConnectionFactory;
@ -36,11 +27,27 @@ import org.jasig.cas.client.validation.ProxyListEditor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import javax.net.ssl.SSLException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.UnsupportedEncodingException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
 /**
 * Common utilities so that we don't need to include Commons Lang.
 *
 * @author Scott Battaglia
- * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public final class CommonUtils {
@ -61,19 +68,20 @@ public final class CommonUtils {

    private static final String SERVICE_PARAMETER_NAMES;

-    private CommonUtils() {
-        // nothing to do
-    }
-
    static {
        final Set<String> serviceParameterSet = new HashSet<String>(4);
        for (final Protocol protocol : Protocol.values()) {
            serviceParameterSet.add(protocol.getServiceParameterName());
        }
        SERVICE_PARAMETER_NAMES = serviceParameterSet.toString()
-                .replaceAll("\\[|\\]", "")
-                .replaceAll("\\s", "");
+            .replaceAll("\\[|\\]", "")
+            .replaceAll("\\s", "");
    }
+
+    private CommonUtils() {
+        // nothing to do
+    }
+
    /**
     * Check whether the object is null or not. If it is, throw an exception and
     * display the message.
@ -135,7 +143,7 @@ public final class CommonUtils {
     * @return true if its null or length of 0, false otherwise.
     */
    public static boolean isEmpty(final String string) {
-        return string == null || string.length() == 0;
+        return string == null || string.isEmpty();
    }

    /**
@ -157,7 +165,7 @@ public final class CommonUtils {
     * @return true if its blank, false otherwise.
     */
    public static boolean isBlank(final String string) {
-        return isEmpty(string) || string.trim().length() == 0;
+        return isEmpty(string) || string.trim().isEmpty();
    }

    /**
@ -179,21 +187,38 @@ public final class CommonUtils {
     * @param serviceUrl the actual service's url.
     * @param renew whether we should send renew or not.
     * @param gateway where we should send gateway or not.
+     * @param method the method used by the CAS server to send the user back to the application.
     * @return the fully constructed redirect url.
     */
    public static String constructRedirectUrl(final String casServerLoginUrl, final String serviceParameterName,
-            final String serviceUrl, final boolean renew, final boolean gateway) {
+                                              final String serviceUrl, final boolean renew, final boolean gateway, final String method) {
        return casServerLoginUrl + (casServerLoginUrl.contains("?") ? "&" : "?") + serviceParameterName + "="
-                + urlEncode(serviceUrl) + (renew ? "&renew=true" : "") + (gateway ? "&gateway=true" : "");
+            + urlEncode(serviceUrl) + (renew ? "&renew=true" : "") + (gateway ? "&gateway=true" : "")
+            + (method != null ? "&method=" + method : "");
+    }
+
+    /**
+     * Construct redirect url to a CAS server.
+     *
+     * @param casServerLoginUrl    the cas server login url
+     * @param serviceParameterName the service parameter name
+     * @param serviceUrl           the service url
+     * @param renew                the renew
+     * @param gateway              the gateway
+     * @return the string
+     */
+    public static String constructRedirectUrl(final String casServerLoginUrl, final String serviceParameterName,
+                                              final String serviceUrl, final boolean renew, final boolean gateway) {
+        return constructRedirectUrl(casServerLoginUrl, serviceParameterName, serviceUrl, renew, gateway, null);
    }

    /**
     * Url encode a value using UTF-8 encoding.
-     * 
+     *
     * @param value the value to encode.
     * @return the encoded value.
     */
-    public static String urlEncode(String value) {
+    public static String urlEncode(final String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (final UnsupportedEncodingException e) {
@ -202,8 +227,8 @@ public final class CommonUtils {
    }

    public static void readAndRespondToProxyReceptorRequest(final HttpServletRequest request,
-            final HttpServletResponse response, final ProxyGrantingTicketStorage proxyGrantingTicketStorage)
-            throws IOException {
+                                                            final HttpServletResponse response, final ProxyGrantingTicketStorage proxyGrantingTicketStorage)
+        throws IOException {
        final String proxyGrantingTicketIou = request.getParameter(PARAM_PROXY_GRANTING_TICKET_IOU);

        final String proxyGrantingTicket = request.getParameter(PARAM_PROXY_GRANTING_TICKET);
@ -214,12 +239,12 @@ public final class CommonUtils {
        }

        LOGGER.debug("Received proxyGrantingTicketId [{}] for proxyGrantingTicketIou [{}]", proxyGrantingTicket,
-                proxyGrantingTicketIou);
+            proxyGrantingTicketIou);

        proxyGrantingTicketStorage.save(proxyGrantingTicketIou, proxyGrantingTicket);

        LOGGER.debug("Successfully saved proxyGrantingTicketId [{}] for proxyGrantingTicketIou [{}]",
-                proxyGrantingTicket, proxyGrantingTicketIou);
+            proxyGrantingTicket, proxyGrantingTicketIou);

        response.getWriter().write("<?xml version=\"1.0\"?>");
        response.getWriter().write("<casClient:proxySuccess xmlns:casClient=\"http://www.yale.edu/tp/casClient\" />");
@ -228,7 +253,7 @@ public final class CommonUtils {
    protected static String findMatchingServerName(final HttpServletRequest request, final String serverName) {
        final String[] serverNames = serverName.split(" ");

-        if (serverNames == null || serverNames.length == 0 || serverNames.length == 1) {
+        if (serverNames.length == 0 || serverNames.length == 1) {
            return serverName;
        }

@ -236,11 +261,7 @@ public final class CommonUtils {
        final String xHost = request.getHeader("X-Forwarded-Host");

        final String comparisonHost;
-        if (xHost != null && host == "localhost") {
-            comparisonHost = xHost;
-        } else {
-            comparisonHost = host;
-        }
+        comparisonHost = (xHost != null) ? xHost : host;

        if (comparisonHost == null) {
            return serverName;
@ -257,16 +278,6 @@ public final class CommonUtils {
        return serverNames[0];
    }

-    private static boolean serverNameContainsPort(final boolean containsScheme, final String serverName) {
-        if (!containsScheme && serverName.contains(":")) {
-            return true;
-        }
-
-        final int schemeIndex = serverName.indexOf(":");
-        final int portIndex = serverName.lastIndexOf(":");
-        return schemeIndex != portIndex;
-    }
-
    private static boolean requestIsOnStandardPort(final HttpServletRequest request) {
        final int serverPort = request.getServerPort();
        return serverPort == 80 || serverPort == 443;
@ -293,7 +304,7 @@ public final class CommonUtils {
                                             final String service, final String serverNames,
                                             final String artifactParameterName, final boolean encode) {
        return constructServiceUrl(request, response, service, serverNames, SERVICE_PARAMETER_NAMES
-                , artifactParameterName, encode);
+            , artifactParameterName, encode);
    }

    /**
@ -313,8 +324,8 @@ public final class CommonUtils {
     * @return the service url to use.
     */
    public static String constructServiceUrl(final HttpServletRequest request, final HttpServletResponse response,
-            final String service, final String serverNames, final String serviceParameterName,
-            final String artifactParameterName, final boolean encode) {
+                                             final String service, final String serverNames, final String serviceParameterName,
+                                             final String artifactParameterName, final boolean encode) {
        if (CommonUtils.isNotBlank(service)) {
            return encode ? response.encodeURL(service) : service;
        }
@ -323,30 +334,37 @@ public final class CommonUtils {
        final URIBuilder originalRequestUrl = new URIBuilder(request.getRequestURL().toString(), encode);
        originalRequestUrl.setParameters(request.getQueryString());

-        URIBuilder builder = null;
-
-        boolean containsScheme = true;
+        final URIBuilder builder;
        if (!serverName.startsWith("https://") && !serverName.startsWith("http://")) {
-            builder = new URIBuilder(encode);
-            builder.setScheme(request.isSecure() ? "https" : "http");
-            builder.setHost(serverName);
-            containsScheme = false;
-        }  else {
+            final String scheme = request.isSecure() ? "https://" : "http://";
+            builder = new URIBuilder(scheme + serverName, encode);
+        } else {
            builder = new URIBuilder(serverName, encode);
        }

-
-        if (!serverNameContainsPort(containsScheme, serverName) && !requestIsOnStandardPort(request)) {
+        if (builder.getPort() == -1 && !requestIsOnStandardPort(request)) {
            builder.setPort(request.getServerPort());
        }

-        builder.setEncodedPath(request.getRequestURI());
+        builder.setEncodedPath(builder.getEncodedPath() + request.getRequestURI());

        final List<String> serviceParameterNames = Arrays.asList(serviceParameterName.split(","));
        if (!serviceParameterNames.isEmpty() && !originalRequestUrl.getQueryParams().isEmpty()) {
            for (final URIBuilder.BasicNameValuePair pair : originalRequestUrl.getQueryParams()) {
-                if (!pair.getName().equals(artifactParameterName) && !serviceParameterNames.contains(pair.getName())) {
-                    builder.addParameter(pair.getName(), pair.getValue());
+                final String name = pair.getName();
+                if (!name.equals(artifactParameterName) && !serviceParameterNames.contains(name)) {
+                    if (name.contains("&") || name.contains("=")) {
+                        final URIBuilder encodedParamBuilder = new URIBuilder();
+                        encodedParamBuilder.setParameters(name);
+                        for (final URIBuilder.BasicNameValuePair pair2 : encodedParamBuilder.getQueryParams()) {
+                            final String name2 = pair2.getName();
+                            if (!name2.equals(artifactParameterName) && !serviceParameterNames.contains(name2)) {
+                                builder.addParameter(name2, pair2.getValue());
+                            }
+                        }
+                    } else {
+                        builder.addParameter(name, pair.getValue());
+                    }
                }
            }
        }
@ -374,13 +392,13 @@ public final class CommonUtils {
     * @return the value of the parameter.
     */
    public static String safeGetParameter(final HttpServletRequest request, final String parameter,
-            final List<String> parameters) {
+                                          final List<String> parameters) {
        if ("POST".equals(request.getMethod()) && parameters.contains(parameter)) {
            LOGGER.debug("safeGetParameter called on a POST HttpServletRequest for Restricted Parameters.  Cannot complete check safely.  Reverting to standard behavior for this Parameter");
            return request.getParameter(parameter);
        }
        return request.getQueryString() == null || !request.getQueryString().contains(parameter) ? null : request
-                .getParameter(parameter);
+            .getParameter(parameter);
    }

    public static String safeGetParameter(final HttpServletRequest request, final String parameter) {
@ -399,8 +417,8 @@ public final class CommonUtils {
    public static String getResponseFromServer(final String constructedUrl, final String encoding) {
        try {
            return getResponseFromServer(new URL(constructedUrl), DEFAULT_URL_CONNECTION_FACTORY, encoding);
-        } catch (final Exception e) {
-            throw new RuntimeException(e);
+        } catch (final IOException e) {
+            throw new RuntimeException(e.getMessage(), e);
        }
    }

@ -418,7 +436,7 @@ public final class CommonUtils {
     * @return the response.
     */
    public static String getResponseFromServer(final URL constructedUrl, final HttpURLConnectionFactory factory,
-            final String encoding) {
+                                               final String encoding) {

        HttpURLConnection conn = null;
        InputStreamReader in = null;
@ -438,8 +456,14 @@ public final class CommonUtils {
            }

            return builder.toString();
-        } catch (final Exception e) {
-            LOGGER.error(e.getMessage(), e);
+        } catch (final RuntimeException e) {
+            throw e;
+        } catch (final SSLException e) {
+            LOGGER.error("SSL error getting response from host: {} : Error Message: {}", constructedUrl.getHost(), e.getMessage(), e);
+            throw new RuntimeException(e);
+        } catch (final IOException e) {
+            LOGGER.error("Error getting response from host: [{}] with path: [{}] and protocol: [{}] Error Message: {}",
+                constructedUrl.getHost(), constructedUrl.getPath(), constructedUrl.getProtocol(), e.getMessage(), e);
            throw new RuntimeException(e);
        } finally {
            closeQuietly(in);
@ -468,7 +492,7 @@ public final class CommonUtils {
    public static void sendRedirect(final HttpServletResponse response, final String url) {
        try {
            response.sendRedirect(url);
-        } catch (final Exception e) {
+        } catch (final IOException e) {
            LOGGER.warn(e.getMessage(), e);
        }

@ -573,11 +597,11 @@ public final class CommonUtils {
            case 1: {
                final char ch0 = str.charAt(0);
                if (ch0 == 'y' || ch0 == 'Y' ||
-                        ch0 == 't' || ch0 == 'T') {
+                    ch0 == 't' || ch0 == 'T') {
                    return Boolean.TRUE;
                }
                if (ch0 == 'n' || ch0 == 'N' ||
-                        ch0 == 'f' || ch0 == 'F') {
+                    ch0 == 'f' || ch0 == 'F') {
                    return Boolean.FALSE;
                }
                break;
@ -586,11 +610,11 @@ public final class CommonUtils {
                final char ch0 = str.charAt(0);
                final char ch1 = str.charAt(1);
                if ((ch0 == 'o' || ch0 == 'O') &&
-                        (ch1 == 'n' || ch1 == 'N') ) {
+                    (ch1 == 'n' || ch1 == 'N')) {
                    return Boolean.TRUE;
                }
                if ((ch0 == 'n' || ch0 == 'N') &&
-                        (ch1 == 'o' || ch1 == 'O') ) {
+                    (ch1 == 'o' || ch1 == 'O')) {
                    return Boolean.FALSE;
                }
                break;
@ -600,13 +624,13 @@ public final class CommonUtils {
                final char ch1 = str.charAt(1);
                final char ch2 = str.charAt(2);
                if ((ch0 == 'y' || ch0 == 'Y') &&
-                        (ch1 == 'e' || ch1 == 'E') &&
-                        (ch2 == 's' || ch2 == 'S') ) {
+                    (ch1 == 'e' || ch1 == 'E') &&
+                    (ch2 == 's' || ch2 == 'S')) {
                    return Boolean.TRUE;
                }
                if ((ch0 == 'o' || ch0 == 'O') &&
-                        (ch1 == 'f' || ch1 == 'F') &&
-                        (ch2 == 'f' || ch2 == 'F') ) {
+                    (ch1 == 'f' || ch1 == 'F') &&
+                    (ch2 == 'f' || ch2 == 'F')) {
                    return Boolean.FALSE;
                }
                break;
@ -617,9 +641,9 @@ public final class CommonUtils {
                final char ch2 = str.charAt(2);
                final char ch3 = str.charAt(3);
                if ((ch0 == 't' || ch0 == 'T') &&
-                        (ch1 == 'r' || ch1 == 'R') &&
-                        (ch2 == 'u' || ch2 == 'U') &&
-                        (ch3 == 'e' || ch3 == 'E') ) {
+                    (ch1 == 'r' || ch1 == 'R') &&
+                    (ch2 == 'u' || ch2 == 'U') &&
+                    (ch3 == 'e' || ch3 == 'E')) {
                    return Boolean.TRUE;
                }
                break;
@ -631,10 +655,10 @@ public final class CommonUtils {
                final char ch3 = str.charAt(3);
                final char ch4 = str.charAt(4);
                if ((ch0 == 'f' || ch0 == 'F') &&
-                        (ch1 == 'a' || ch1 == 'A') &&
-                        (ch2 == 'l' || ch2 == 'L') &&
-                        (ch3 == 's' || ch3 == 'S') &&
-                        (ch4 == 'e' || ch4 == 'E') ) {
+                    (ch1 == 'a' || ch1 == 'A') &&
+                    (ch2 == 'l' || ch2 == 'L') &&
+                    (ch3 == 's' || ch3 == 'S') &&
+                    (ch4 == 'e' || ch4 == 'E')) {
                    return Boolean.FALSE;
                }
                break;
@ -690,7 +714,7 @@ public final class CommonUtils {
     * @return the int represented by the string, or the default if conversion fails
     */
    public static int toInt(final String str, final int defaultValue) {
-        if(str == null) {
+        if (str == null) {
            return defaultValue;
        }
        try {
@ -699,4 +723,25 @@ public final class CommonUtils {
            return defaultValue;
        }
    }
+
+    /**
+     * Returns the string as-is, unless it's <code>null</code>;
+     * in this case an empty string is returned.
+     *
+     * @param string a possibly <code>null</code> string
+     * @return a non-<code>null</code> string
+     */
+    public static String nullToEmpty(final String string) {
+        return string == null ? "" : string;
+    }
+
+    /**
+     * Adds a trailing slash to the given uri, if it doesn't already have one.
+     *
+     * @param uri a string that may or may not end with a slash
+     * @return the same string, except with a slash suffix (if necessary).
+     */
+    public static String addTrailingSlash(final String uri) {
+        return uri.endsWith("/") ? uri : uri + "/";
+    }
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/DelegatingFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/DelegatingFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -31,7 +31,6 @@ import org.slf4j.LoggerFactory;
 * the associated filter is executed. Otherwise, the normal chain is executed.
 *
 * @author Scott Battaglia
- * @version $Revision: 11729 $ $Date: 2006-09-26 14:22:30 -0400 (Tue, 26 Sep 2006) $
 * @since 3.0
 */
 public final class DelegatingFilter implements Filter {
@ -78,10 +77,12 @@ public final class DelegatingFilter implements Filter {
        this.exactMatch = exactMatch;
    }

+    @Override
    public void destroy() {
        // nothing to do here
    }

+    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain filterChain)
            throws IOException, ServletException {

@ -108,6 +109,7 @@ public final class DelegatingFilter implements Filter {
        }
    }

+    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        // nothing to do here.
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/ErrorRedirectFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/ErrorRedirectFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -49,10 +49,12 @@ public final class ErrorRedirectFilter implements Filter {

    private String defaultErrorRedirectPage;

+    @Override
    public void destroy() {
        // nothing to do here
    }

+    @Override
    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain filterChain)
            throws IOException, ServletException {
        final HttpServletResponse httpResponse = (HttpServletResponse) response;
@ -94,6 +96,7 @@ public final class ErrorRedirectFilter implements Filter {
        return throwable;
    }

+    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        this.defaultErrorRedirectPage = filterConfig.getInitParameter("defaultErrorRedirectPage");

--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/HttpServletRequestWrapperFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/HttpServletRequestWrapperFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -44,7 +44,6 @@ import org.jasig.cas.client.validation.Assertion;
 *
 * @author Scott Battaglia
 * @author Marvin S. Addison
- * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public final class HttpServletRequestWrapperFilter extends AbstractConfigurationFilter {
@ -55,6 +54,7 @@ public final class HttpServletRequestWrapperFilter extends AbstractConfiguration
    /** Whether or not to ignore case in role membership queries */
    private boolean ignoreCase;

+    @Override
    public void destroy() {
        // nothing to do
    }
@ -64,8 +64,9 @@ public final class HttpServletRequestWrapperFilter extends AbstractConfiguration
     * <code>request.getRemoteUser</code> to the underlying Assertion object
     * stored in the user session.
     */
+    @Override
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
-            final FilterChain filterChain) throws IOException, ServletException {
+                         final FilterChain filterChain) throws IOException, ServletException {
        final AttributePrincipal principal = retrievePrincipalFromSessionOrRequest(servletRequest);

        filterChain.doFilter(new CasHttpServletRequestWrapper((HttpServletRequest) servletRequest, principal),
@ -82,6 +83,7 @@ public final class HttpServletRequestWrapperFilter extends AbstractConfiguration
        return assertion == null ? null : assertion.getPrincipal();
    }

+    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        this.roleAttribute = getString(ConfigurationKeys.ROLE_ATTRIBUTE);
@ -97,14 +99,17 @@ public final class HttpServletRequestWrapperFilter extends AbstractConfiguration
            this.principal = principal;
        }

+        @Override
        public Principal getUserPrincipal() {
            return this.principal;
        }

+        @Override
        public String getRemoteUser() {
            return principal != null ? this.principal.getName() : null;
        }

+        @Override
        public boolean isUserInRole(final String role) {
            if (CommonUtils.isBlank(role)) {
                logger.debug("No valid role provided.  Returning false.");
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/IOUtils.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/IOUtils.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/MapNamespaceContext.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/MapNamespaceContext.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -61,10 +61,12 @@ public class MapNamespaceContext implements NamespaceContext {
        this.namespaceMap = namespaceMap;
    }

+    @Override
    public String getNamespaceURI(final String prefix) {
        return namespaceMap.get(prefix);
    }

+    @Override
    public String getPrefix(final String namespaceURI) {
        for (final Map.Entry<String, String> entry : namespaceMap.entrySet()) {
            if (entry.getValue().equalsIgnoreCase(namespaceURI)) {
@ -74,6 +76,7 @@ public class MapNamespaceContext implements NamespaceContext {
        return null;
    }

+    @Override
    public Iterator getPrefixes(final String namespaceURI) {
        return Collections.singleton(getPrefix(namespaceURI)).iterator();
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/PrivateKeyUtils.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/PrivateKeyUtils.java
@ -0,0 +1,108 @@
+/**
+ * Licensed to Apereo under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Apereo licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.util;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.*;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.PrivateKey;
+import java.security.Security;
+import java.security.spec.PKCS8EncodedKeySpec;
+
+/**
+ * Utility class to parse private keys.
+ *
+ * @author Jerome LELEU
+ * @since 3.6.0
+ */
+public class PrivateKeyUtils {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(PrivateKeyUtils.class);
+
+    static {
+        Security.addProvider(new BouncyCastleProvider());
+    }
+
+    public static PrivateKey createKey(final String path, final String algorithm) {
+        final PrivateKey key = readPemPrivateKey(path);
+        if (key == null) {
+            return readDERPrivateKey(path, algorithm);
+        } else {
+            return key;
+        }
+    }
+
+    private static PrivateKey readPemPrivateKey(final String path) {
+        LOGGER.debug("Attempting to read as PEM [{}]", path);
+        final File file = new File(path);
+        InputStreamReader isr = null;
+        BufferedReader br = null;
+        try {
+            isr = new FileReader(file);
+            br = new BufferedReader(isr);
+            final PEMParser pp = new PEMParser(br);
+            final PEMKeyPair pemKeyPair = (PEMKeyPair) pp.readObject();
+            final KeyPair kp = new JcaPEMKeyConverter().getKeyPair(pemKeyPair);
+            return kp.getPrivate();
+        } catch (final Exception e) {
+            LOGGER.error("Unable to read key", e);
+            return null;
+        } finally {
+            try {
+                if (br != null) {
+                    br.close();
+                }
+                if (isr != null) {
+                    isr.close();
+                }
+            } catch (final IOException e) {}
+        }
+    }
+
+    private static PrivateKey readDERPrivateKey(final String path, final String algorithm) {
+        LOGGER.debug("Attempting to read key as DER [{}]", path);
+        final File file = new File(path);
+        FileInputStream fis = null;
+        try {
+            fis = new FileInputStream(file);
+            final long byteLength = file.length();
+            final byte[] bytes = new byte[(int) byteLength];
+            fis.read(bytes, 0, (int) byteLength);
+            final PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(bytes);
+            final KeyFactory factory = KeyFactory.getInstance(algorithm);
+            return factory.generatePrivate(privSpec);
+        } catch (final Exception e) {
+            LOGGER.error("Unable to read key", e);
+            return null;
+        } finally {
+            try {
+                if (fis != null) {
+                    fis.close();
+                }
+            } catch (final IOException e) {}
+        }
+    }
+}
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/ReflectUtils.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/ReflectUtils.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -164,7 +164,7 @@ public final class ReflectUtils {
        do {
            try {
                field = clazz.getDeclaredField(fieldName);
-            } catch (NoSuchFieldException e) {
+            } catch (final NoSuchFieldException e) {
                clazz = clazz.getSuperclass();
            }
        } while (field == null && clazz != null);
@ -176,7 +176,7 @@ public final class ReflectUtils {
                field.setAccessible(true);
            }
            return field.get(target);
-        } catch (Exception e) {
+        } catch (final Exception e) {
            throw new IllegalArgumentException("Error getting field " + fieldName, e);
        }
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/ThreadLocalXPathExpression.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/ThreadLocalXPathExpression.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -50,18 +50,22 @@ public class ThreadLocalXPathExpression extends ThreadLocal<XPathExpression> imp
        this.context = context;
    }

+    @Override
    public Object evaluate(final Object o, final QName qName) throws XPathExpressionException {
        return get().evaluate(o, qName);
    }

+    @Override
    public String evaluate(final Object o) throws XPathExpressionException {
        return get().evaluate(o);
    }

+    @Override
    public Object evaluate(final InputSource inputSource, final QName qName) throws XPathExpressionException {
        return get().evaluate(inputSource, qName);
    }

+    @Override
    public String evaluate(final InputSource inputSource) throws XPathExpressionException {
        return get().evaluate(inputSource);
    }
@ -98,7 +102,7 @@ public class ThreadLocalXPathExpression extends ThreadLocal<XPathExpression> imp
            final XPath xPath = XPathFactory.newInstance().newXPath();
            xPath.setNamespaceContext(context);
            return xPath.compile(expression);
-        } catch (XPathExpressionException e) {
+        } catch (final XPathExpressionException e) {
            throw new IllegalArgumentException("Invalid XPath expression");
        }
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/URIBuilder.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/URIBuilder.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -28,13 +28,13 @@ import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Pattern;

 /**
 * A utility class borrowed from apache http-client to build uris.
+ *
 * @author Misagh Moayyed
 * @since 3.4
 */
@ -86,7 +86,7 @@ public final class URIBuilder {
        }
    }

-    public URIBuilder(final String string, boolean encode) {
+    public URIBuilder(final String string, final boolean encode) {
        super();
        try {
            setEncode(encode);
@ -99,26 +99,40 @@ public final class URIBuilder {

    /**
     * Construct an instance from the provided URI.
-     * @param uri  the uri to digest
+     *
+     * @param uri the uri to digest
     */
    public URIBuilder(final URI uri) {
        super();
        digestURI(uri);
    }

-    private List <BasicNameValuePair> parseQuery(final String query) {
+    private List<BasicNameValuePair> parseQuery(final String query) {

        try {
            final Charset utf8 = Charset.forName("UTF-8");
            if (query != null && !query.isEmpty()) {
                final List<BasicNameValuePair> list = new ArrayList<BasicNameValuePair>();
-                final String queryValue = URLDecoder.decode(query, utf8.name());
-                final String[] parametersArray = queryValue.split("&");
+                final String[] parametersArray = query.split("&");

                for (final String parameter : parametersArray) {
-                    final String[] parameterCombo = parameter.split("=");
-                    if (parameterCombo.length == 2) {
-                        list.add(new BasicNameValuePair(parameterCombo[0], parameterCombo[1]));
+                    final int firstIndex = parameter.indexOf("=");
+                    if (firstIndex != -1) {
+                        final String paramName = parameter.substring(0, firstIndex);
+                        final String decodedParamName = URLDecoder.decode(paramName, utf8.name());
+
+                        final String paramVal = parameter.substring(firstIndex + 1);
+                        final String decodedParamVal = URLDecoder.decode(paramVal, utf8.name());
+
+                        list.add(new BasicNameValuePair(decodedParamName, decodedParamVal));
+                    } else {
+                        // Either we do not have a query parameter, or it might be encoded; take it verbaitm
+                        final String[] parameterCombo = parameter.split("=");
+                        if (parameterCombo.length >= 1) {
+                            final String key = URLDecoder.decode(parameterCombo[0], utf8.name());
+                            final String val = parameterCombo.length == 2 ? URLDecoder.decode(parameterCombo[1], utf8.name()) : "";
+                            list.add(new BasicNameValuePair(key, val));
+                        }
                    }
                }
                return list;
@ -238,7 +252,7 @@ public final class URIBuilder {
        return this.encode ? CommonUtils.urlEncode(fragment) : fragment;
    }

-    public URIBuilder setEncode(boolean encode) {
+    public URIBuilder setEncode(final boolean encode) {
        this.encode = encode;
        return this;
    }
@ -326,7 +340,7 @@ public final class URIBuilder {
     * will remove custom query if present.
     * </p>
     */
-    public URIBuilder setParameters(final List <BasicNameValuePair> nvps) {
+    public URIBuilder setParameters(final List<BasicNameValuePair> nvps) {
        this.queryParams = new ArrayList<BasicNameValuePair>();
        this.queryParams.addAll(nvps);
        this.encodedQuery = null;
@ -345,7 +359,6 @@ public final class URIBuilder {
    }


-
    /**
     * Adds URI query parameters. The parameter name / values are expected to be unescaped
     * and may contain non ASCII characters.
@ -354,7 +367,7 @@ public final class URIBuilder {
     * will remove custom query if present.
     * </p>
     */
-    public URIBuilder addParameters(final List <BasicNameValuePair> nvps) {
+    public URIBuilder addParameters(final List<BasicNameValuePair> nvps) {
        if (this.queryParams == null || this.queryParams.isEmpty()) {
            this.queryParams = new ArrayList<BasicNameValuePair>();
        }
@ -379,7 +392,7 @@ public final class URIBuilder {
        } else {
            this.queryParams.clear();
        }
-        for (final BasicNameValuePair nvp: nvps) {
+        for (final BasicNameValuePair nvp : nvps) {
            this.queryParams.add(nvp);
        }
        this.encodedQuery = null;
@ -510,6 +523,10 @@ public final class URIBuilder {
        return this.path;
    }

+    public String getEncodedPath() {
+        return this.encodedPath;
+    }
+
    public List<BasicNameValuePair> getQueryParams() {
        if (this.queryParams != null) {
            return new ArrayList<BasicNameValuePair>(this.queryParams);
@ -601,7 +618,7 @@ public final class URIBuilder {
        /**
         * Default Constructor taking a name and a value. The value may be null.
         *
-         * @param name The name.
+         * @param name  The name.
         * @param value The value.
         */
        public BasicNameValuePair(final String name, final String value) {
@ -646,7 +663,7 @@ public final class URIBuilder {
            if (object instanceof BasicNameValuePair) {
                final BasicNameValuePair that = (BasicNameValuePair) object;
                return this.name.equals(that.name)
-                        && this.value.equals(that.value);
+                    && this.value.equals(that.value);
            }
            return false;
        }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/XmlUtils.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -39,7 +39,6 @@ import javax.xml.parsers.SAXParserFactory;
 * Common utilities for easily parsing XML without duplicating logic.
 *
 * @author Scott Battaglia
- * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
 public final class XmlUtils {
@ -62,17 +61,19 @@ public final class XmlUtils {
        final Map<String, Boolean> features = new HashMap<String, Boolean>();
        features.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        features.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        features.put("http://apache.org/xml/features/disallow-doctype-decl", true);
        for (final Map.Entry<String, Boolean> entry : features.entrySet()) {
            try {
                factory.setFeature(entry.getKey(), entry.getValue());
-            } catch (ParserConfigurationException e) {
+            } catch (final ParserConfigurationException e) {
                LOGGER.warn("Failed setting XML feature {}: {}", entry.getKey(), e);
            }
        }
+        factory.setExpandEntityReferences(false);
        factory.setNamespaceAware(true);
        try {
            return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
-        } catch (Exception e) {
+        } catch (final Exception e) {
            throw new RuntimeException("XML parsing error: " + e);
        }
    }
@ -84,11 +85,14 @@ public final class XmlUtils {
     */
    public static XMLReader getXmlReader() {
        try {
-            final XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
-            reader.setFeature("http://xml.org/sax/features/namespaces", true);
-            reader.setFeature("http://xml.org/sax/features/namespace-prefixes", false);
-            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-            return reader;
+            final SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setNamespaceAware(true);
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            return factory.newSAXParser().getXMLReader();
        } catch (final Exception e) {
            throw new RuntimeException("Unable to create XMLReader", e);
        }
@ -114,13 +118,15 @@ public final class XmlUtils {

            private StringBuilder buffer = new StringBuilder();

+            @Override
            public void startElement(final String uri, final String localName, final String qName,
-                    final Attributes attributes) throws SAXException {
+                                     final Attributes attributes) throws SAXException {
                if (localName.equals(element)) {
                    this.foundElement = true;
                }
            }

+            @Override
            public void endElement(final String uri, final String localName, final String qName) throws SAXException {
                if (localName.equals(element)) {
                    this.foundElement = false;
@ -129,7 +135,8 @@ public final class XmlUtils {
                }
            }

-            public void characters(char[] ch, int start, int length) throws SAXException {
+            @Override
+            public void characters(final char[] ch, final int start, final int length) throws SAXException {
                if (this.foundElement) {
                    this.buffer.append(ch, start, length);
                }
@ -165,20 +172,23 @@ public final class XmlUtils {

            private boolean foundElement = false;

+            @Override
            public void startElement(final String uri, final String localName, final String qName,
-                    final Attributes attributes) throws SAXException {
+                                     final Attributes attributes) throws SAXException {
                if (localName.equals(element)) {
                    this.foundElement = true;
                }
            }

+            @Override
            public void endElement(final String uri, final String localName, final String qName) throws SAXException {
                if (localName.equals(element)) {
                    this.foundElement = false;
                }
            }

-            public void characters(char[] ch, int start, int length) throws SAXException {
+            @Override
+            public void characters(final char[] ch, final int start, final int length) throws SAXException {
                if (this.foundElement) {
                    builder.append(ch, start, length);
                }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/util/package.html
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/util/package.html
@ -1,9 +1,9 @@
 <!--

-    Licensed to Jasig under one or more contributor license
+    Licensed to Apereo under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
-    Jasig licenses this file to you under the Apache License,
+    Apereo licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractCasProtocolUrlBasedTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractCasProtocolUrlBasedTicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -37,6 +37,7 @@ public abstract class AbstractCasProtocolUrlBasedTicketValidator extends Abstrac
    /**
     * Retrieves the response from the server by opening a connection and merely reading the response.
     */
+    @Override
    protected final String retrieveResponseFromServer(final URL validationUrl, final String ticket) {
        return CommonUtils.getResponseFromServer(validationUrl, getURLConnectionFactory(), getEncoding());
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractTicketValidationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractTicketValidationFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -127,6 +127,7 @@ public abstract class AbstractTicketValidationFilter extends AbstractCasFilter {
        return null;
    }

+    @Override
    protected void initInternal(final FilterConfig filterConfig) throws ServletException {
        setExceptionOnValidationFailure(getBoolean(ConfigurationKeys.EXCEPTION_ON_VALIDATION_FAILURE));
        setRedirectAfterValidation(getBoolean(ConfigurationKeys.REDIRECT_AFTER_VALIDATION));
@ -141,6 +142,7 @@ public abstract class AbstractTicketValidationFilter extends AbstractCasFilter {
        super.initInternal(filterConfig);
    }

+    @Override
    public void init() {
        super.init();
        CommonUtils.assertNotNull(this.ticketValidator, "ticketValidator cannot be null.");
@ -186,8 +188,9 @@ public abstract class AbstractTicketValidationFilter extends AbstractCasFilter {
        // nothing to do here.
    }

+    @Override
    public final void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
-            final FilterChain filterChain) throws IOException, ServletException {
+                               final FilterChain filterChain) throws IOException, ServletException {

        if (!preFilter(servletRequest, servletResponse, filterChain)) {
            return;
@ -252,4 +255,4 @@ public abstract class AbstractTicketValidationFilter extends AbstractCasFilter {
    public final void setUseSession(final boolean useSession) {
        this.useSession = useSession;
    }
-}
+}
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractUrlBasedTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/AbstractUrlBasedTicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -71,8 +71,8 @@ public abstract class AbstractUrlBasedTicketValidator implements TicketValidator
     * @param casServerUrlPrefix the location of the CAS server.
     */
    protected AbstractUrlBasedTicketValidator(final String casServerUrlPrefix) {
-        this.casServerUrlPrefix = casServerUrlPrefix;
-        CommonUtils.assertNotNull(this.casServerUrlPrefix, "casServerUrlPrefix cannot be null.");
+        CommonUtils.assertNotNull(casServerUrlPrefix, "casServerUrlPrefix cannot be null.");
+        this.casServerUrlPrefix = CommonUtils.addTrailingSlash(casServerUrlPrefix);
    }

    /**
@ -124,12 +124,9 @@ public abstract class AbstractUrlBasedTicketValidator implements TicketValidator
        int i = 0;

        buffer.append(this.casServerUrlPrefix);
-        if (!this.casServerUrlPrefix.endsWith("/")) {
-            buffer.append("/");
-        }
        buffer.append(suffix);

-        for (Map.Entry<String, String> entry : urlParameters.entrySet()) {
+        for (final Map.Entry<String, String> entry : urlParameters.entrySet()) {
            final String key = entry.getKey();
            final String value = entry.getValue();

@ -184,6 +181,7 @@ public abstract class AbstractUrlBasedTicketValidator implements TicketValidator

    protected abstract String retrieveResponseFromServer(URL validationUrl, String ticket);

+    @Override
    public final Assertion validate(final String ticket, final String service) throws TicketValidationException {
        final String validationUrl = constructValidationUrl(ticket, service);
        logger.debug("Constructing validation url: {}", validationUrl);
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Assertion.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Assertion.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/AssertionImpl.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/AssertionImpl.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -101,32 +101,39 @@ public final class AssertionImpl implements Assertion {
        CommonUtils.assertNotNull(this.attributes, "attributes cannot be null.");
    }

+    @Override
    public Date getAuthenticationDate() {
        return this.authenticationDate;
    }

+    @Override
    public Date getValidFromDate() {
        return this.validFromDate;
    }

+    @Override
    public Date getValidUntilDate() {
        return this.validUntilDate;
    }

+    @Override
    public Map<String, Object> getAttributes() {
        return this.attributes;
    }

+    @Override
    public AttributePrincipal getPrincipal() {
        return this.principal;
    }

+    @Override
    public boolean isValid() {
        if (this.validFromDate == null) {
            return true;
        }

        final Date now = new Date();
-        return this.validFromDate.before(now) && (this.validUntilDate == null || this.validUntilDate.after(now));
+        return (this.validFromDate.before(now) || this.validFromDate.equals(now)) 
+                && (this.validUntilDate == null || this.validUntilDate.after(now) || this.validUntilDate.equals(now));
    }
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas10TicketValidationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas10TicketValidationFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -40,6 +40,7 @@ public class Cas10TicketValidationFilter extends AbstractTicketValidationFilter
        super(Protocol.CAS1);
    }

+    @Override
    protected final TicketValidator getTicketValidator(final FilterConfig filterConfig) {
        final String casServerUrlPrefix = getString(ConfigurationKeys.CAS_SERVER_URL_PREFIX);
        final Cas10TicketValidator validator = new Cas10TicketValidator(casServerUrlPrefix);
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas10TicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas10TicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -35,10 +35,12 @@ public final class Cas10TicketValidator extends AbstractCasProtocolUrlBasedTicke
        super(casServerUrlPrefix);
    }

+    @Override
    protected String getUrlSuffix() {
        return "validate";
    }

+    @Override
    protected Assertion parseResponseFromServer(final String response) throws TicketValidationException {
        if (!response.startsWith("yes")) {
            throw new TicketValidationException("CAS Server could not validate ticket.");
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyReceivingTicketValidationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyReceivingTicketValidationFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -19,6 +19,7 @@
 package org.jasig.cas.client.validation;

 import java.io.IOException;
+import java.security.PrivateKey;
 import java.util.*;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
@ -30,6 +31,7 @@ import org.jasig.cas.client.proxy.*;
 import org.jasig.cas.client.ssl.HttpURLConnectionFactory;
 import org.jasig.cas.client.ssl.HttpsURLConnectionFactory;
 import org.jasig.cas.client.util.CommonUtils;
+import org.jasig.cas.client.util.PrivateKeyUtils;
 import org.jasig.cas.client.util.ReflectUtils;

 import static org.jasig.cas.client.configuration.ConfigurationKeys.*;
@ -54,7 +56,7 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal
            TOLERANCE.getName(), IGNORE_PATTERN.getName(), IGNORE_URL_PATTERN_TYPE.getName(), HOSTNAME_VERIFIER.getName(), HOSTNAME_VERIFIER_CONFIG.getName(),
            EXCEPTION_ON_VALIDATION_FAILURE.getName(), REDIRECT_AFTER_VALIDATION.getName(), USE_SESSION.getName(), SECRET_KEY.getName(), CIPHER_ALGORITHM.getName(), PROXY_RECEPTOR_URL.getName(),
            PROXY_GRANTING_TICKET_STORAGE_CLASS.getName(), MILLIS_BETWEEN_CLEAN_UPS.getName(), ACCEPT_ANY_PROXY.getName(), ALLOWED_PROXY_CHAINS.getName(), TICKET_VALIDATOR_CLASS.getName(),
-            PROXY_CALLBACK_URL.getName(), FRONT_LOGOUT_PARAMETER_NAME.getName(), RELAY_STATE_PARAMETER_NAME.getName()
+            PROXY_CALLBACK_URL.getName(), RELAY_STATE_PARAMETER_NAME.getName(), METHOD.getName(), PRIVATE_KEY_PATH.getName(), PRIVATE_KEY_ALGORITHM.getName()
    };

    /**
@ -72,6 +74,8 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal

    protected Class<? extends Cas20ProxyTicketValidator> defaultProxyTicketValidatorClass;

+    private PrivateKey privateKey;
+
    /**
     * Storage location of ProxyGrantingTickets and Proxy Ticket IOUs.
     */
@ -87,6 +91,7 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal
        super(protocol);
    }

+    @Override
    protected void initInternal(final FilterConfig filterConfig) throws ServletException {
        setProxyReceptorUrl(getString(ConfigurationKeys.PROXY_RECEPTOR_URL));

@ -113,9 +118,12 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal
        }

        this.millisBetweenCleanUps = getInt(ConfigurationKeys.MILLIS_BETWEEN_CLEAN_UPS);
+
+        this.privateKey = buildPrivateKey(getString(PRIVATE_KEY_PATH), getString(PRIVATE_KEY_ALGORITHM));
        super.initInternal(filterConfig);
    }

+    @Override
    public void init() {
        super.init();
        CommonUtils.assertNotNull(this.proxyGrantingTicketStorage, "proxyGrantingTicketStorage cannot be null.");
@ -139,12 +147,20 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal
        return (T) ReflectUtils.newInstance(ticketValidatorClass, casServerUrlPrefix);
    }

+    public static PrivateKey buildPrivateKey(final String keyPath, final String keyAlgorithm) {
+        if (keyPath != null) {
+            return PrivateKeyUtils.createKey(keyPath, keyAlgorithm);
+        }
+        return null;
+    }
+
    /**
     * Constructs a Cas20ServiceTicketValidator or a Cas20ProxyTicketValidator based on supplied parameters.
     *
     * @param filterConfig the Filter Configuration object.
     * @return a fully constructed TicketValidator.
     */
+    @Override
    protected final TicketValidator getTicketValidator(final FilterConfig filterConfig) {
        final boolean allowAnyProxy = getBoolean(ConfigurationKeys.ACCEPT_ANY_PROXY);
        final String allowedProxyChains = getString(ConfigurationKeys.ALLOWED_PROXY_CHAINS);
@ -184,10 +200,13 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal
            }
        }

+        validator.setPrivateKey(this.privateKey);
+
        validator.setCustomParameters(additionalParameters);
        return validator;
    }

+    @Override
    public void destroy() {
        super.destroy();
        this.timer.cancel();
@ -196,6 +215,7 @@ public class Cas20ProxyReceivingTicketValidationFilter extends AbstractTicketVal
    /**
     * This processes the ProxyReceptor request before the ticket validation code executes.
     */
+    @Override
    protected final boolean preFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
                                      final FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ProxyTicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -46,13 +46,15 @@ public class Cas20ProxyTicketValidator extends Cas20ServiceTicketValidator {
        return this.allowedProxyChains;
    }

+    @Override
    protected String getUrlSuffix() {
        return "proxyValidate";
    }

+    @Override
    protected void customParseResponse(final String response, final Assertion assertion)
            throws TicketValidationException {
-        final List<String> proxies = XmlUtils.getTextForElements(response, "proxy");
+        final List<String> proxies = parseProxiesFromResponse(response);

        if (proxies == null) {
            throw new InvalidProxyChainTicketValidationException(
@ -61,7 +63,7 @@ public class Cas20ProxyTicketValidator extends Cas20ServiceTicketValidator {
            );
        }
        // this means there was nothing in the proxy chain, which is okay
-        if ((this.allowEmptyProxyChain && proxies.isEmpty())) {
+        if (this.allowEmptyProxyChain && proxies.isEmpty()) {
            logger.debug("Found an empty proxy chain, permitted by client configuration");
            return;
        }
@ -85,6 +87,10 @@ public class Cas20ProxyTicketValidator extends Cas20ServiceTicketValidator {
        throw new InvalidProxyChainTicketValidationException("Invalid proxy chain: " + proxies.toString());
    }

+    protected List<String> parseProxiesFromResponse(final String response) {
+        return XmlUtils.getTextForElements(response, "proxy");
+    }
+
    public final void setAcceptAnyProxy(final boolean acceptAnyProxy) {
        this.acceptAnyProxy = acceptAnyProxy;
    }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ServiceTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas20ServiceTicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -19,9 +19,13 @@
 package org.jasig.cas.client.validation;

 import java.io.StringReader;
+import java.security.PrivateKey;
 import java.util.*;
+import javax.crypto.Cipher;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
+
+import org.apache.commons.codec.binary.Base64;
 import org.jasig.cas.client.authentication.AttributePrincipal;
 import org.jasig.cas.client.authentication.AttributePrincipalImpl;
 import org.jasig.cas.client.proxy.Cas20ProxyRetriever;
@ -43,6 +47,9 @@ import org.xml.sax.helpers.DefaultHandler;
 */
 public class Cas20ServiceTicketValidator extends AbstractCasProtocolUrlBasedTicketValidator {

+    public static final String PGT_ATTRIBUTE = "proxyGrantingTicket";
+    private static final String PGTIOU_PREFIX = "PGTIOU-";
+
    /** The CAS 2.0 protocol proxy callback url. */
    private String proxyCallbackUrl;

@ -52,12 +59,14 @@ public class Cas20ServiceTicketValidator extends AbstractCasProtocolUrlBasedTick
    /** Implementation of the proxy retriever. */
    private ProxyRetriever proxyRetriever;

+    /** Private key for decryption */
+    private PrivateKey privateKey;
+
    /**
     * Constructs an instance of the CAS 2.0 Service Ticket Validator with the supplied
     * CAS server url prefix.
     *
     * @param casServerUrlPrefix the CAS Server URL prefix.
-     * @param urlFactory URL connection factory to use when communicating with the server
     */
    public Cas20ServiceTicketValidator(final String casServerUrlPrefix) {
        super(casServerUrlPrefix);
@ -69,30 +78,26 @@ public class Cas20ServiceTicketValidator extends AbstractCasProtocolUrlBasedTick
     *
     * @param urlParameters the Map containing the existing parameters to send to the server.
     */
+    @Override
    protected final void populateUrlAttributeMap(final Map<String, String> urlParameters) {
        urlParameters.put("pgtUrl", this.proxyCallbackUrl);
    }

+    @Override
    protected String getUrlSuffix() {
        return "serviceValidate";
    }

-    protected final Assertion parseResponseFromServer(final String response) throws TicketValidationException {
-        final String error = XmlUtils.getTextForElement(response, "authenticationFailure");
+    @Override
+    protected Assertion parseResponseFromServer(final String response) throws TicketValidationException {
+        final String error = parseAuthenticationFailureFromResponse(response);

        if (CommonUtils.isNotBlank(error)) {
            throw new TicketValidationException(error);
        }

-        final String principal = XmlUtils.getTextForElement(response, "user");
-        final String proxyGrantingTicketIou = XmlUtils.getTextForElement(response, "proxyGrantingTicket");
-
-        final String proxyGrantingTicket;
-        if (CommonUtils.isBlank(proxyGrantingTicketIou) || this.proxyGrantingTicketStorage == null) {
-            proxyGrantingTicket = null;
-        } else {
-            proxyGrantingTicket = this.proxyGrantingTicketStorage.retrieve(proxyGrantingTicketIou);
-        }
+        final String principal = parsePrincipalFromResponse(response);
+        final String proxyGrantingTicket = retrieveProxyGrantingTicket(response);

        if (CommonUtils.isEmpty(principal)) {
            throw new TicketValidationException("No principal was found in the response from the CAS server.");
@ -101,6 +106,7 @@ public class Cas20ServiceTicketValidator extends AbstractCasProtocolUrlBasedTick
        final Assertion assertion;
        final Map<String, Object> attributes = extractCustomAttributes(response);
        if (CommonUtils.isNotBlank(proxyGrantingTicket)) {
+            attributes.remove(PGT_ATTRIBUTE);
            final AttributePrincipal attributePrincipal = new AttributePrincipalImpl(principal, attributes,
                    proxyGrantingTicket, this.proxyRetriever);
            assertion = new AssertionImpl(attributePrincipal);
@ -113,6 +119,52 @@ public class Cas20ServiceTicketValidator extends AbstractCasProtocolUrlBasedTick
        return assertion;
    }

+    protected String retrieveProxyGrantingTicket(final String response) {
+        final List<String> values = XmlUtils.getTextForElements(response, PGT_ATTRIBUTE);
+        for (final String value : values) {
+            if (value != null) {
+                if (value.startsWith(PGTIOU_PREFIX)) {
+                    return retrieveProxyGrantingTicketFromStorage(value);
+                } else {
+                    return retrieveProxyGrantingTicketViaEncryption(value);
+                }
+            }
+        }
+        return null;
+    }
+
+    protected String retrieveProxyGrantingTicketFromStorage(final String pgtIou) {
+        if (this.proxyGrantingTicketStorage != null) {
+            return this.proxyGrantingTicketStorage.retrieve(pgtIou);
+        }
+        return null;
+    }
+
+    protected String retrieveProxyGrantingTicketViaEncryption(final String encryptedPgt) {
+        if (this.privateKey != null) {
+            try {
+                final Cipher cipher = Cipher.getInstance(privateKey.getAlgorithm());
+                final byte[] cred64 = new Base64().decode(encryptedPgt);
+                cipher.init(Cipher.DECRYPT_MODE, privateKey);
+                final byte[] cipherData = cipher.doFinal(cred64);
+                final String pgt = new String(cipherData);
+                logger.debug("Decrypted PGT: {}", pgt);
+                return pgt;
+            } catch (final Exception e) {
+                logger.error("Unable to decrypt PGT", e);
+            }
+        }
+        return null;
+    }
+
+    protected String parsePrincipalFromResponse(final String response) {
+        return XmlUtils.getTextForElement(response, "user");
+    }
+
+    protected String parseAuthenticationFailureFromResponse(final String response) {
+        return XmlUtils.getTextForElement(response, "authenticationFailure");
+    }
+
    /**
     * Default attribute parsing of attributes that look like the following:
     * &lt;cas:attributes&gt;
@ -246,4 +298,12 @@ public class Cas20ServiceTicketValidator extends AbstractCasProtocolUrlBasedTick
            return this.attributes;
        }
    }
+
+    public PrivateKey getPrivateKey() {
+        return privateKey;
+    }
+
+    public void setPrivateKey(final PrivateKey privateKey) {
+        this.privateKey = privateKey;
+    }
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyReceivingTicketValidationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyReceivingTicketValidationFilter.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ProxyTicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ServiceTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/Cas30ServiceTicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -18,6 +18,17 @@
 */
 package org.jasig.cas.client.validation;

+import org.jasig.cas.client.util.XmlUtils;
+import org.w3c.dom.Document;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
 /**
 * Service tickets validation service for the CAS protocol v3.
 *
@ -26,7 +37,7 @@ package org.jasig.cas.client.validation;
 */
 public class Cas30ServiceTicketValidator extends Cas20ServiceTicketValidator {

-    public Cas30ServiceTicketValidator(String casServerUrlPrefix) {
+    public Cas30ServiceTicketValidator(final String casServerUrlPrefix) {
        super(casServerUrlPrefix);
    }

@ -34,4 +45,46 @@ public class Cas30ServiceTicketValidator extends Cas20ServiceTicketValidator {
    protected String getUrlSuffix() {
        return "p3/serviceValidate";
    }
+
+    /**
+     * Custom attribute extractor that will account for inlined CAS attributes.  Useful when CAS is acting as
+     * as SAML 2 IdP and returns SAML attributes with names that contains namespaces.
+     *
+     * @param xml the XML to parse.
+     * @return - Map of attributes
+     */
+    @Override
+    protected Map<String, Object> extractCustomAttributes(final String xml) {
+        final Document document = XmlUtils.newDocument(xml);
+
+        // Check if attributes are inlined.  If not return default super method results
+        final NodeList attributeList = document.getElementsByTagName("cas:attribute");
+        if (attributeList.getLength() == 0) {
+            return super.extractCustomAttributes(xml);
+        }
+
+        final HashMap<String, Object> attributes = new HashMap<String, Object>();
+
+        for (int i = 0; i < attributeList.getLength(); i++) {
+            final Node casAttributeNode = attributeList.item(i);
+            final NamedNodeMap nodeAttributes = casAttributeNode.getAttributes();
+            final String name = nodeAttributes.getNamedItem("name").getNodeValue();
+            final String value = nodeAttributes.getNamedItem("value").getTextContent();
+            final Object mapValue = attributes.get(name);
+            if (mapValue != null) {
+                if (mapValue instanceof List) {
+                    ((List) mapValue).add(value);
+                } else {
+                    final LinkedList<Object> list = new LinkedList<Object>();
+                    list.add(mapValue);
+                    list.add(value);
+                    attributes.put(name, list);
+                }
+            } else {
+                attributes.put(name, value);
+            }
+        }
+        return attributes;
+    }
+
 }
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/InvalidProxyChainTicketValidationException.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/InvalidProxyChainTicketValidationException.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyList.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyList.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyListEditor.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/ProxyListEditor.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -36,6 +36,7 @@ import org.jasig.cas.client.util.CommonUtils;
 */
 public final class ProxyListEditor extends PropertyEditorSupport {

+    @Override
    public void setAsText(final String text) throws IllegalArgumentException {
        final BufferedReader reader = new BufferedReader(new StringReader(text));
        final List<String[]> proxyChains = new ArrayList<String[]>();
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/TicketValidationException.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/TicketValidationException.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/TicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/TicketValidator.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/Cas30JsonProxyReceivingTicketValidationFilter.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/Cas30JsonProxyReceivingTicketValidationFilter.java
@ -0,0 +1,35 @@
+/**
+ * Licensed to Apereo under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Apereo licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.validation.json;
+
+import org.jasig.cas.client.validation.Cas30ProxyReceivingTicketValidationFilter;
+
+/**
+ * Creates either a Cas30JsonServiceTicketValidator to validate tickets.
+ *
+ * @author Misagh Moayyed
+ */
+public class Cas30JsonProxyReceivingTicketValidationFilter extends Cas30ProxyReceivingTicketValidationFilter {
+
+    public Cas30JsonProxyReceivingTicketValidationFilter() {
+        super();
+        this.defaultServiceTicketValidatorClass = Cas30JsonServiceTicketValidator.class;
+        this.defaultProxyTicketValidatorClass = Cas30JsonProxyTicketValidator.class;
+    }
+}
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/Cas30JsonProxyTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/Cas30JsonProxyTicketValidator.java
@ -0,0 +1,61 @@
+/**
+ * Licensed to Apereo under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Apereo licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.validation.json;
+
+import org.jasig.cas.client.validation.Assertion;
+import org.jasig.cas.client.validation.Cas30ProxyTicketValidator;
+import org.jasig.cas.client.validation.TicketValidationException;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * This is {@link Cas30JsonProxyTicketValidator} that attempts to parse the CAS validation response
+ * as JSON. Very similar to {@link Cas30JsonServiceTicketValidator}, it also honors proxies as the name suggests.
+ *
+ * @author Misagh Moayyed
+ */
+public class Cas30JsonProxyTicketValidator extends Cas30ProxyTicketValidator {
+    public Cas30JsonProxyTicketValidator(final String casServerUrlPrefix) {
+        super(casServerUrlPrefix);
+        setCustomParameters(Collections.singletonMap("format", "JSON"));
+    }
+
+    @Override
+    protected Assertion parseResponseFromServer(final String response) throws TicketValidationException {
+        try {
+            final TicketValidationJsonResponse json = new JsonValidationResponseParser().parse(response);
+            return json.getAssertion(getProxyGrantingTicketStorage(), getProxyRetriever());
+        } catch (final Exception e) {
+            logger.warn("Unable parse the JSON response");
+            return super.parseResponseFromServer(response);
+        }
+    }
+
+    @Override
+    protected List<String> parseProxiesFromResponse(final String response) {
+        try {
+            final TicketValidationJsonResponse json = new JsonValidationResponseParser().parse(response);
+            return json.getServiceResponse().getAuthenticationSuccess().getProxies();
+        } catch (final Exception e) {
+            logger.warn("Unable to locate proxies from the JSON response", e);
+            return super.parseProxiesFromResponse(response);
+        }
+    }
+}
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/Cas30JsonServiceTicketValidator.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/Cas30JsonServiceTicketValidator.java
@ -0,0 +1,62 @@
+/**
+ * Licensed to Apereo under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Apereo licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.validation.json;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.jasig.cas.client.validation.Assertion;
+import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
+import org.jasig.cas.client.validation.TicketValidationException;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Map;
+
+/**
+ * This is {@link Cas30JsonServiceTicketValidator} that attempts to parse the CAS validation response
+ * as JSON. If the response is not formatted as JSON, it shall fallback to the XML default syntax.
+ * The JSON response provides advantages in terms of naming and parsing CAS attributes that have special
+ * names that otherwise may not be encoded as XML, such as the invalid {@code <cas:special:attribute>value</cas:special:attribute>}
+ *
+ * @author Misagh Moayyed
+ */
+public class Cas30JsonServiceTicketValidator extends Cas30ServiceTicketValidator {
+
+    public Cas30JsonServiceTicketValidator(final String casServerUrlPrefix) {
+        super(casServerUrlPrefix);
+        setCustomParameters(Collections.singletonMap("format", "JSON"));
+    }
+
+    @Override
+    protected Assertion parseResponseFromServer(final String response) throws TicketValidationException {
+        try {
+            final TicketValidationJsonResponse json = new JsonValidationResponseParser().parse(response);
+            return json.getAssertion(getProxyGrantingTicketStorage(), getProxyRetriever());
+        } catch (final JsonProcessingException e) {
+            logger.warn("Unable parse the JSON response. Falling back to XML", e);
+            return super.parseResponseFromServer(response);
+        } catch (final IOException e) {
+            throw new TicketValidationException(e.getMessage(), e);
+        }
+    }
+
+    @Override
+    protected Map<String, Object> extractCustomAttributes(final String xml) {
+        return Collections.emptyMap();
+    }
+}
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/JsonValidationResponseParser.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/JsonValidationResponseParser.java
@ -0,0 +1,66 @@
+/**
+ * Licensed to Apereo under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Apereo licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.validation.json;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.jasig.cas.client.util.CommonUtils;
+import org.jasig.cas.client.validation.TicketValidationException;
+
+import java.io.IOException;
+
+/**
+ * This is {@link JsonValidationResponseParser}.
+ *
+ * @author Misagh Moayyed
+ */
+final class JsonValidationResponseParser {
+    private final ObjectMapper objectMapper;
+
+    public JsonValidationResponseParser() {
+        this.objectMapper = new ObjectMapper();
+        this.objectMapper.findAndRegisterModules();
+    }
+
+    public TicketValidationJsonResponse parse(final String response) throws TicketValidationException, IOException {
+        if (CommonUtils.isBlank(response)) {
+            throw new TicketValidationException("Invalid JSON response; The response is empty");
+        }
+
+        final TicketValidationJsonResponse json = this.objectMapper.readValue(response, TicketValidationJsonResponse.class);
+
+        final TicketValidationJsonResponse.CasServiceResponseAuthentication serviceResponse = json.getServiceResponse();
+        if (serviceResponse.getAuthenticationFailure() != null
+                && serviceResponse.getAuthenticationSuccess() != null) {
+            throw new TicketValidationException("Invalid JSON response; It indicates both a success "
+                    + "and a failure event, which is indicative of a server error. The actual response is " + response);
+        }
+
+        if (serviceResponse.getAuthenticationFailure() != null) {
+            final String error = json.getServiceResponse().getAuthenticationFailure().getCode()
+                    + " - " + serviceResponse.getAuthenticationFailure().getDescription();
+            throw new TicketValidationException(error);
+        }
+
+        final String principal = json.getServiceResponse().getAuthenticationSuccess().getUser();
+        if (CommonUtils.isEmpty(principal)) {
+            throw new TicketValidationException("No principal was found in the response from the CAS server.");
+        }
+        return json;
+    }
+}
--- a/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/TicketValidationJsonResponse.java
+++ b/cas-client-core/src/main/java/org/jasig/cas/client/validation/json/TicketValidationJsonResponse.java
@ -0,0 +1,158 @@
+/**
+ * Licensed to Apereo under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work
+ * for additional information regarding copyright ownership.
+ * Apereo licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License.  You may obtain a
+ * copy of the License at the following location:
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.jasig.cas.client.validation.json;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.jasig.cas.client.authentication.AttributePrincipal;
+import org.jasig.cas.client.authentication.AttributePrincipalImpl;
+import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
+import org.jasig.cas.client.proxy.ProxyRetriever;
+import org.jasig.cas.client.util.CommonUtils;
+import org.jasig.cas.client.validation.Assertion;
+import org.jasig.cas.client.validation.AssertionImpl;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * This is {@link TicketValidationJsonResponse}.
+ *
+ * @author Misagh Moayyed
+ */
+final class TicketValidationJsonResponse {
+    private final CasServiceResponseAuthentication serviceResponse;
+
+    @JsonCreator
+    public TicketValidationJsonResponse(@JsonProperty("serviceResponse")
+                                        final CasServiceResponseAuthentication serviceResponse) {
+        this.serviceResponse = serviceResponse;
+    }
+
+    public CasServiceResponseAuthentication getServiceResponse() {
+        return serviceResponse;
+    }
+
+    Assertion getAssertion(final ProxyGrantingTicketStorage proxyGrantingTicketStorage,
+                           final ProxyRetriever proxyRetriever) {
+        final String proxyGrantingTicketIou = getServiceResponse().getAuthenticationSuccess().getProxyGrantingTicket();
+        final String proxyGrantingTicket;
+        if (CommonUtils.isBlank(proxyGrantingTicketIou) || proxyGrantingTicketStorage == null) {
+            proxyGrantingTicket = null;
+        } else {
+            proxyGrantingTicket = proxyGrantingTicketStorage.retrieve(proxyGrantingTicketIou);
+        }
+
+        final Assertion assertion;
+        final Map<String, Object> attributes = getServiceResponse().getAuthenticationSuccess().getAttributes();
+        final String principal = getServiceResponse().getAuthenticationSuccess().getUser();
+        if (CommonUtils.isNotBlank(proxyGrantingTicket)) {
+            final AttributePrincipal attributePrincipal = new AttributePrincipalImpl(principal, attributes,
+                    proxyGrantingTicket, proxyRetriever);
+            assertion = new AssertionImpl(attributePrincipal);
+        } else {
+            assertion = new AssertionImpl(new AttributePrincipalImpl(principal, attributes));
+        }
+        return assertion;
+    }
+
+    static class CasServiceResponseAuthentication {
+        private final CasServiceResponseAuthenticationFailure authenticationFailure;
+        private final CasServiceResponseAuthenticationSuccess authenticationSuccess;
+
+        @JsonCreator
+        public CasServiceResponseAuthentication(@JsonProperty("authenticationFailure")
+                                                final CasServiceResponseAuthenticationFailure authenticationFailure,
+                                                @JsonProperty("authenticationSuccess")
+                                                final CasServiceResponseAuthenticationSuccess authenticationSuccess) {
+            this.authenticationFailure = authenticationFailure;
+            this.authenticationSuccess = authenticationSuccess;
+        }
+
+        public CasServiceResponseAuthenticationFailure getAuthenticationFailure() {
+            return this.authenticationFailure;
+        }
+
+        public CasServiceResponseAuthenticationSuccess getAuthenticationSuccess() {
+            return this.authenticationSuccess;
+        }
+    }
+
+    static class CasServiceResponseAuthenticationSuccess {
+        private String user;
+        private String proxyGrantingTicket;
+        private List proxies;
+        private Map attributes;
+
+        public String getUser() {
+            return this.user;
+        }
+
+        public void setUser(final String user) {
+            this.user = user;
+        }
+
+        public String getProxyGrantingTicket() {
+            return this.proxyGrantingTicket;
+        }
+
+        public void setProxyGrantingTicket(final String proxyGrantingTicket) {
+            this.proxyGrantingTicket = proxyGrantingTicket;
+        }
+
+        public List getProxies() {
+            return this.proxies;
+        }
+
+        public void setProxies(final List proxies) {
+            this.proxies = proxies;
+        }
+
+        public Map getAttributes() {
+            return this.attributes;
+        }
+
+        public void setAttributes(final Map attributes) {
+            this.attributes = attributes;
+        }
+    }
+
+    static class CasServiceResponseAuthenticationFailure {
+        private String code;
+        private String description;
+
+        public String getCode() {
+            return this.code;
+        }
+
+        public void setCode(final String code) {
+            this.code = code;
+        }
+
+        public String getDescription() {
+            return this.description;
+        }
+
+        public void setDescription(final String description) {
+            this.description = description;
+        }
+    }
+}
+
+
--- a/cas-client-core/src/main/resources/META-INF/cas/samlRequestTemplate.xml
+++ b/cas-client-core/src/main/resources/META-INF/cas/samlRequestTemplate.xml
@ -1,9 +1,9 @@
 <!--

-    Licensed to Jasig under one or more contributor license
+    Licensed to Apereo under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
-    Jasig licenses this file to you under the Apache License,
+    Apereo licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:
--- a/cas-client-core/src/test/java/org/jasig/cas/client/PublicTestHttpServer.java
+++ b/cas-client-core/src/test/java/org/jasig/cas/client/PublicTestHttpServer.java
@ -1,8 +1,8 @@
-/*
- * Licensed to Jasig under one or more contributor license
+/**
+ * Licensed to Apereo under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
- * Jasig licenses this file to you under the Apache License,
+ * Apereo licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License.  You may obtain a
 * copy of the License at the following location:
@ -23,10 +23,11 @@ import java.net.ServerSocket;
 import java.net.Socket;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;

 /**
 * @author Scott Battaglia
- * @version $Revision: 11721 $ $Date: 2007-08-09 15:17:44 -0400 (Wed, 09 Aug 2007) $
 * @since 3.0
 */
 public final class PublicTestHttpServer extends Thread {
@ -43,38 +44,51 @@ public final class PublicTestHttpServer extends Thread {

    private ServerSocket server;

-    private static Map<Integer, PublicTestHttpServer> serverMap = new HashMap<Integer, PublicTestHttpServer>();
+    private final CountDownLatch ready = new CountDownLatch(1);

-    private PublicTestHttpServer(String data, String encoding, String MIMEType, int port)
+    private static final Map<Integer, PublicTestHttpServer> serverMap = new HashMap<Integer, PublicTestHttpServer>();
+
+    private PublicTestHttpServer(final String data, final String encoding, final String MIMEType, final int port)
            throws UnsupportedEncodingException {
        this(data.getBytes(encoding), encoding, MIMEType, port);
    }

-    private PublicTestHttpServer(byte[] data, String encoding, String MIMEType, int port)
+    private PublicTestHttpServer(final byte[] data, final String encoding, final String MIMEType, final int port)
            throws UnsupportedEncodingException {
        this.content = data;
        this.port = port;
        this.encoding = encoding;
-        String header = "HTTP/1.0 200 OK\r\n" + "Server: OneFile 1.0\r\n" + "Content-type: " + MIMEType + "\r\n\r\n";
+        final String header = "HTTP/1.0 200 OK\r\n" + "Server: OneFile 1.0\r\n" + "Content-type: " + MIMEType + "\r\n\r\n";
        this.header = header.getBytes("ASCII");
    }

    public static synchronized PublicTestHttpServer instance(final int port) {
        if (serverMap.containsKey(port)) {
-            return serverMap.get(port);
+            final PublicTestHttpServer server = serverMap.get(port);
+            server.waitUntilReady();
+            return server;
        }

        try {
            final PublicTestHttpServer server = new PublicTestHttpServer("test", "ASCII", "text/plain", port);
            server.start();
            serverMap.put(port, server);
-            Thread.yield();
+            server.waitUntilReady();
            return server;
-        } catch (Exception e) {
+        } catch (final Exception e) {
            throw new RuntimeException(e);
        }
    }

+    private void waitUntilReady() {
+        try {
+            ready.await(10, TimeUnit.SECONDS);
+        } catch (final InterruptedException e) {
+            Thread.currentThread().interrupt();
+            throw new RuntimeException("interrupted", e);
+        }
+    }
+
    public void shutdown() {
        System.out.println("Shutting down connection on port " + server.getLocalPort());
        try {
@ -86,11 +100,13 @@ public final class PublicTestHttpServer extends Thread {
        httpServer = null;
    }

+    @Override
    public void run() {

        try {
            this.server = new ServerSocket(this.port);
            System.out.println("Accepting connections on port " + server.getLocalPort());
+            notifyReady();
            while (true) {

                Socket connection = null;
@ -101,7 +117,7 @@ public final class PublicTestHttpServer extends Thread {
                    // read the first line only; that's all we need
                    final StringBuffer request = new StringBuffer(80);
                    while (true) {
-                        int c = in.read();
+                        final int c = in.read();
                        if (c == '\r' || c == '\n' || c == -1)
                            break;
                        request.append((char) c);
@ -131,4 +147,8 @@ public final class PublicTestHttpServer extends Thread {
        }

    } // end run
+
+    private void notifyReady() {
+        ready.countDown();
+    }
 }
--- a/Show More
+++ b/Show More