Package org.springframework.security.cas.web

Class CasAuthenticationFilter

java.lang.Object
org.springframework.web.filter.GenericFilterBean
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
org.springframework.security.cas.web.CasAuthenticationFilter
All Implemented Interfaces:
jakarta.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.ApplicationEventPublisherAware, org.springframework.context.EnvironmentAware, org.springframework.context.MessageSourceAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware
public class CasAuthenticationFilter extends org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
Processes a CAS service ticket, obtains proxy granting tickets, and processes proxy tickets.

Service Tickets

A service ticket consists of an opaque ticket string. It arrives at this filter by the user's browser successfully authenticating using CAS, and then receiving an HTTP redirect to a service. The opaque ticket string is presented in the ticket request parameter.

This filter monitors the service URL so that it can receive the service ticket and process it. By default, this filter processes the URL /login/cas. When processing this URL, the value of ServiceProperties.getService() is used as the service when validating the ticket. This means that it is important that ServiceProperties.getService() specifies the same value as the filterProcessesUrl.

Processing the service ticket involves creating a CasServiceTicketAuthenticationToken which uses CasServiceTicketAuthenticationToken.CAS_STATEFUL_IDENTIFIER for the principal and the opaque ticket string as the credentials.

Obtaining Proxy Granting Tickets

If specified, the filter can also monitor the proxyReceptorUrl. The filter will respond to the requests matching this url so that the CAS Server can provide a PGT to the filter. Note that in addition to the proxyReceptorUrl a non-null proxyGrantingTicketStorage must be provided in order for the filter to respond to proxy receptor requests. By configuring a shared ProxyGrantingTicketStorage between the TicketValidator and the CasAuthenticationFilter, one can have the CasAuthenticationFilter handling the proxying requirements for CAS.

Proxy Tickets

The filter can process tickets present on any url. This is useful when one wants to process proxy tickets. In order for proxy tickets to get processed, ServiceProperties.isAuthenticateAllArtifacts() must return true. Additionally, if the request is already authenticated, authentication will not occur. Last, AuthenticationDetailsSource.buildDetails(Object) must return a ServiceAuthenticationDetails. This can be accomplished using the ServiceAuthenticationDetailsSource. In this case, ServiceAuthenticationDetails.getServiceUrl() will be used for the service url.

Processing the proxy ticket involves creating a CasServiceTicketAuthenticationToken which uses CasServiceTicketAuthenticationToken.CAS_STATELESS_IDENTIFIER for the principal and the opaque ticket string as the credentials. When a proxy ticket is successfully authenticated, the FilterChain continues and the authenticationSuccessHandler is not used.

Notes about the AuthenticationManager

The configured AuthenticationManager is expected to provide a provider that can recognise CasServiceTicketAuthenticationTokens containing this special principal name, and process them accordingly by validation with the CAS server. Additionally, it should be capable of using the result of ServiceAuthenticationDetails.getServiceUrl() as the service when validating the ticket.

Example Configuration

An example configuration that supports service tickets, obtaining proxy granting tickets, and proxy tickets is illustrated below: 

 <b:bean id="serviceProperties"
     class="org.springframework.security.cas.ServiceProperties"
     p:service="https://service.example.com/cas-sample/login/cas"
     p:authenticateAllArtifacts="true"/>
 <b:bean id="casEntryPoint"
     class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"
     p:serviceProperties-ref="serviceProperties" p:loginUrl="https://login.example.org/cas/login" />
 <b:bean id="casFilter"
     class="org.springframework.security.cas.web.CasAuthenticationFilter"
     p:authenticationManager-ref="authManager"
     p:serviceProperties-ref="serviceProperties"
     p:proxyGrantingTicketStorage-ref="pgtStorage"
     p:proxyReceptorUrl="/login/cas/proxyreceptor">
     <b:property name="authenticationDetailsSource">
         <b:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/>
     </b:property>
     <b:property name="authenticationFailureHandler">
         <b:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
             p:defaultFailureUrl="/casfailed.jsp"/>
     </b:property>
 </b:bean>
 <!--
     NOTE: In a real application you should not use an in memory implementation. You will also want
           to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup()
  -->
 <b:bean id="pgtStorage" class="org.apereo.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
 <b:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"
     p:serviceProperties-ref="serviceProperties"
     p:key="casAuthProviderKey">
     <b:property name="authenticationUserDetailsService">
         <b:bean
             class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
             <b:constructor-arg ref="userService" />
         </b:bean>
     </b:property>
     <b:property name="ticketValidator">
         <b:bean
             class="org.apereo.cas.client.validation.Cas20ProxyTicketValidator"
             p:acceptAnyProxy="true"
             p:proxyCallbackUrl="https://service.example.com/cas-sample/login/cas/proxyreceptor"
             p:proxyGrantingTicketStorage-ref="pgtStorage">
             <b:constructor-arg value="https://login.example.org/cas" />
         </b:bean>
     </b:property>
     <b:property name="statelessTicketCache">
         <b:bean class="org.springframework.security.cas.authentication.EhCacheBasedTicketCache">
             <b:property name="cache">
                 <b:bean class="net.sf.ehcache.Cache"
                   init-method="initialise"
                   destroy-method="dispose">
                     <b:constructor-arg value="casTickets"/>
                     <b:constructor-arg value="50"/>
                     <b:constructor-arg value="true"/>
                     <b:constructor-arg value="false"/>
                     <b:constructor-arg value="3600"/>
                     <b:constructor-arg value="900"/>
                 </b:bean>
             </b:property>
         </b:bean>
     </b:property>
 </b:bean>

  • Field Summary

    Fields inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    authenticationDetailsSource, eventPublisher, messages

    Fields inherited from class org.springframework.web.filter.GenericFilterBean

    logger

  • Constructor Summary

    Constructors
    Constructor
    Description
    CasAuthenticationFilter()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    org.springframework.security.core.Authentication
    attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
     
    protected String
    obtainArtifact(jakarta.servlet.http.HttpServletRequest request)
    If present, gets the artifact (CAS ticket) from the HttpServletRequest.
    protected boolean
    requiresAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Overridden to provide proxying capabilities.
    final void
    setAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
    Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.
    final void
    setProxyAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)
    Sets the AuthenticationFailureHandler for proxy requests.
    final void
    setProxyGrantingTicketStorage(org.apereo.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)
     
    final void
    setProxyReceptorMatcher(org.springframework.security.web.util.matcher.RequestMatcher proxyReceptorMatcher)
    Use this RequestMatcher to match proxy receptor requests.
    final void
    setProxyReceptorUrl(String proxyReceptorUrl)
     
    final void
    setRedirectStrategy(org.springframework.security.web.RedirectStrategy redirectStrategy)
    Set the RedirectStrategy used to redirect to the saved request if there is one saved.
    final void
    setRequestCache(org.springframework.security.web.savedrequest.RequestCache requestCache)
    The RequestCache used to retrieve the saved request in failed gateway authentication scenarios.
    void
    setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
     
    void
    setSecurityContextRepository(org.springframework.security.web.context.SecurityContextRepository securityContextRepository)
     
    final void
    setServiceProperties(ServiceProperties serviceProperties)
     
    protected final void
    successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult)
     

    Methods inherited from class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    afterPropertiesSet, doFilter, getAllowSessionCreation, getAuthenticationManager, getFailureHandler, getRememberMeServices, getSuccessHandler, setAllowSessionCreation, setApplicationEventPublisher, setAuthenticationConverter, setAuthenticationDetailsSource, setAuthenticationManager, setAuthenticationSuccessHandler, setContinueChainBeforeSuccessfulAuthentication, setFilterProcessesUrl, setMessageSource, setRememberMeServices, setRequiresAuthenticationRequestMatcher, setSessionAuthenticationStrategy, unsuccessfulAuthentication

    Methods inherited from class org.springframework.web.filter.GenericFilterBean

    addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • CasAuthenticationFilter

      public CasAuthenticationFilter()

  • Method Details

    • successfulAuthentication

      protected final void successfulAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.FilterChain chain, org.springframework.security.core.Authentication authResult) throws IOException, jakarta.servlet.ServletException
      Overrides:
      successfulAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Throws:
      IOException
      jakarta.servlet.ServletException

    • attemptAuthentication

      public org.springframework.security.core.Authentication attemptAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws org.springframework.security.core.AuthenticationException, IOException
      Overrides:
      attemptAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
      Throws:
      org.springframework.security.core.AuthenticationException
      IOException

    • obtainArtifact

      protected String obtainArtifact(jakarta.servlet.http.HttpServletRequest request)
      If present, gets the artifact (CAS ticket) from the HttpServletRequest.
      Parameters:
      request -
      Returns:
      if present the artifact from the HttpServletRequest, else null

    • requiresAuthentication

      protected boolean requiresAuthentication(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Overridden to provide proxying capabilities.
      Overrides:
      requiresAuthentication in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    • setProxyAuthenticationFailureHandler

      public final void setProxyAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler proxyFailureHandler)
      Sets the AuthenticationFailureHandler for proxy requests.
      Parameters:
      proxyFailureHandler -

    • setAuthenticationFailureHandler

      public final void setAuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler failureHandler)
      Wraps the AuthenticationFailureHandler to distinguish between handling proxy ticket authentication failures and service ticket failures.
      Overrides:
      setAuthenticationFailureHandler in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    • setProxyReceptorMatcher

      public final void setProxyReceptorMatcher(org.springframework.security.web.util.matcher.RequestMatcher proxyReceptorMatcher)
      Use this RequestMatcher to match proxy receptor requests. Without setting this matcher, CasAuthenticationFilter will not capture any proxy receptor requets.
      Parameters:
      proxyReceptorMatcher - the RequestMatcher to use
      Since:
      6.5

    • setProxyReceptorUrl

      public final void setProxyReceptorUrl(String proxyReceptorUrl)

    • setProxyGrantingTicketStorage

      public final void setProxyGrantingTicketStorage(org.apereo.cas.client.proxy.ProxyGrantingTicketStorage proxyGrantingTicketStorage)

    • setServiceProperties

      public final void setServiceProperties(ServiceProperties serviceProperties)

    • setSecurityContextRepository

      public void setSecurityContextRepository(org.springframework.security.web.context.SecurityContextRepository securityContextRepository)
      Overrides:
      setSecurityContextRepository in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    • setSecurityContextHolderStrategy

      public void setSecurityContextHolderStrategy(org.springframework.security.core.context.SecurityContextHolderStrategy securityContextHolderStrategy)
      Overrides:
      setSecurityContextHolderStrategy in class org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter

    • setRedirectStrategy

      public final void setRedirectStrategy(org.springframework.security.web.RedirectStrategy redirectStrategy)
      Set the RedirectStrategy used to redirect to the saved request if there is one saved. Defaults to DefaultRedirectStrategy.
      Parameters:
      redirectStrategy - the redirect strategy to use
      Since:
      6.3

    • setRequestCache

      public final void setRequestCache(org.springframework.security.web.savedrequest.RequestCache requestCache)
      The RequestCache used to retrieve the saved request in failed gateway authentication scenarios.
      Parameters:
      requestCache - the request cache to use
      Since:
      6.3