@Override public boolean supports(final Set<AuthenticationHandler> handlers, final AuthenticationTransaction transaction) { val service = transaction.getService(); if (service != null) { val registeredService = this.servicesManager.findServiceBy(service); LOGGER.trace("Located registered service definition [{}] for this authentication transaction", registeredService); if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) { LOGGER.warn("Service [{}] is not allowed to use SSO.", service); throw new UnauthorizedSsoServiceException(); } return !registeredService.getRequiredHandlers().isEmpty(); } return false; }
/** * Ensure service sso access is allowed. * * @param registeredService the registered service * @param service the service * @param ticketGrantingTicket the ticket granting ticket * @param credentialsProvided the credentials provided */ public static void ensureServiceSsoAccessIsAllowed(final RegisteredService registeredService, final Service service, final TicketGrantingTicket ticketGrantingTicket, final boolean credentialsProvided) { if (!registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) { LOGGER.debug("Service [{}] is configured to not use SSO", service.getId()); if (ticketGrantingTicket.getProxiedBy() != null) { LOGGER.warn("Service [{}] is not allowed to use SSO for proxying.", service.getId()); throw new UnauthorizedSsoServiceException(); } if (ticketGrantingTicket.getProxiedBy() == null && ticketGrantingTicket.getCountOfUses() > 0 && !credentialsProvided) { LOGGER.warn("Service [{}] is not allowed to use SSO. The ticket-granting ticket [{}] is not proxied and it's been used at least once. " + "The authentication request must provide credentials before access can be granted", ticketGrantingTicket.getId(), service.getId()); throw new UnauthorizedSsoServiceException(); } } LOGGER.debug("Current authentication via ticket [{}] allows service [{}] to participate in the existing SSO session", ticketGrantingTicket.getId(), service.getId()); }
@Audit( action = "PROXY_TICKET", actionResolverName = "GRANT_PROXY_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_TICKET_RESOURCE_RESOLVER") @Override public ProxyTicket grantProxyTicket(final String proxyGrantingTicket, final Service service) throws AbstractTicketException { val proxyGrantingTicketObject = getTicket(proxyGrantingTicket, ProxyGrantingTicket.class); val registeredService = this.servicesManager.findServiceBy(service); try { enforceRegisteredServiceAccess(service, proxyGrantingTicketObject, registeredService); RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(registeredService, service, proxyGrantingTicketObject); } catch (final PrincipalException e) { throw new UnauthorizedSsoServiceException(); } evaluateProxiedServiceIfNeeded(service, proxyGrantingTicketObject, registeredService); getAuthenticationSatisfiedByPolicy(proxyGrantingTicketObject.getRoot().getAuthentication(), new ServiceContext(service, registeredService)); val authentication = proxyGrantingTicketObject.getRoot().getAuthentication(); AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication); val principal = authentication.getPrincipal(); val factory = (ProxyTicketFactory) this.ticketFactory.get(ProxyTicket.class); val proxyTicket = factory.create(proxyGrantingTicketObject, service, ProxyTicket.class); this.ticketRegistry.updateTicket(proxyGrantingTicketObject); this.ticketRegistry.addTicket(proxyTicket); LOGGER.info("Granted ticket [{}] for service [{}] for user [{}]", proxyTicket.getId(), service.getId(), principal.getId()); doPublishEvent(new CasProxyTicketGrantedEvent(this, proxyGrantingTicketObject, proxyTicket)); return proxyTicket; }