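/**
 * Parses the editor's text form into a {@link ProxyList}: one proxy chain per line, the
 * proxies of a chain separated by whitespace, and publishes it via {@code setValue}.
 *
 * <p>Blank lines are skipped and {@code \n}, {@code \r} and {@code \r\n} are all accepted
 * as line terminators (the same set {@code BufferedReader.readLine()} honoured before).
 * Proxies are now split on runs of whitespace rather than on a single space, so a doubled
 * space or a tab between two proxies no longer produces an empty-string proxy entry in the
 * chain. A {@code null} text yields an empty list instead of a {@code NullPointerException}.
 *
 * @param text the textual proxy chains, possibly {@code null} or empty
 */
public void setAsText(final String text) throws IllegalArgumentException {
    final List<String[]> proxyChains = new ArrayList<String[]>();
    if (text != null) {
        // Splitting the string directly replaces the StringReader/BufferedReader pair and
        // the IOException handling that a purely in-memory reader could never trigger.
        for (final String rawLine : text.split("\\r\\n|\\r|\\n")) {
            final String line = rawLine.trim();
            if (!line.isEmpty()) {
                // "\\s+" rather than " ": consecutive separators must not yield "" tokens.
                proxyChains.add(line.split("\\s+"));
            }
        }
    }
    setValue(new ProxyList(proxyChains));
}
}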
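/**
 * Validates the proxy chain reported in a CAS 2.0 validation response.
 *
 * <p>The text of the {@code <cas:proxy>} elements is read from the response. An absent or
 * empty chain is accepted (a non-proxied ticket), as is any chain when
 * {@code acceptAnyProxy} is set; otherwise the chain must be contained in
 * {@code allowedProxyChains}.
 *
 * <p>The {@code null} guard now runs before the list is converted to an array; previously
 * the conversion came first, so a {@code null} list threw {@link NullPointerException}
 * before the guard could ever accept it.
 *
 * @param response the raw XML validation response
 * @param assertion the assertion built so far (not used by this implementation)
 * @throws InvalidProxyChainTicketValidationException if the chain is present and not allowed
 */
protected void customParseResponse(final String response, final Assertion assertion) throws TicketValidationException {
    final List<String> proxies = XmlUtils.getTextForElements(response, "proxy");
    // Nothing in the proxy chain means a plain service ticket, which is okay.
    if (proxies == null || proxies.isEmpty() || this.acceptAnyProxy) {
        return;
    }
    final String[] proxiedList = proxies.toArray(new String[0]);
    if (allowedProxyChains.contains(proxiedList)) {
        return;
    }
    throw new InvalidProxyChainTicketValidationException("Invalid proxy chain: " + proxies.toString());
}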
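/**
 * Parses the editor's text form into a {@link ProxyList} and publishes it via
 * {@code setValue}. Each non-blank line is one proxy chain; the proxies of a chain are
 * separated by whitespace.
 *
 * <p>Changes from the earlier version: the raw {@code List} is typed, the in-memory reader
 * and its unreachable {@code IOException} handling are gone, proxies are split on runs of
 * whitespace (so "proxy1  proxy2" no longer yields an empty-string proxy between them),
 * and {@code null} text is treated as an empty list. Accepted line terminators are
 * {@code \n}, {@code \r} and {@code \r\n}, as with {@code BufferedReader.readLine()}.
 *
 * @param text the textual proxy chains, possibly {@code null} or empty
 */
public void setAsText(final String text) throws IllegalArgumentException {
    final List<String[]> proxyChains = new ArrayList<String[]>();
    if (text != null) {
        for (final String rawLine : text.split("\\r\\n|\\r|\\n")) {
            final String chainLine = rawLine.trim();
            if (chainLine.isEmpty()) {
                continue;
            }
            // Whitespace runs collapse to one separator: no "" tokens in the chain.
            proxyChains.add(chainLine.split("\\s+"));
        }
    }
    setValue(new ProxyList(proxyChains));
}
}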
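/**
 * Validates the proxy chain in a CAS 2.0 validation response and, for proxied tickets,
 * records the chain on the assertion under {@code GeoServerCasConstants.CAS_PROXYLIST_KEY}.
 *
 * <p>Two orderings are fixed relative to the earlier version: the {@code null} guard now
 * precedes the list-to-array conversion (which previously threw
 * {@link NullPointerException} on a {@code null} list before the guard was reached), and
 * the chain is checked against {@code allowedProxyChains} before the assertion is mutated
 * and "Proxy ticket validated" is logged. A rejected chain therefore neither leaves the
 * proxy list on the assertion nor logs a success line before the exception is thrown.
 * Successful outcomes are unchanged.
 *
 * @param response the raw XML validation response
 * @param assertion the assertion to enrich with the proxy list for proxied tickets
 * @throws InvalidProxyChainTicketValidationException if the chain is present, not allowed,
 *     and {@code acceptAnyProxy} is not set
 */
protected void customParseResponse(final String response, final Assertion assertion) throws TicketValidationException {
    final List<String> proxies = XmlUtils.getTextForElements(response, "proxy");
    // Nothing in the proxy chain means a plain service ticket, which is okay.
    if (proxies == null || proxies.isEmpty()) {
        LOGGER.info("Service ticket validated");
        return;
    }
    final String[] proxiedList = proxies.toArray(new String[0]);
    // Validate before touching the assertion so a rejected chain leaves no trace on it.
    if (!this.acceptAnyProxy && !allowedProxyChains.contains(proxiedList)) {
        throw new InvalidProxyChainTicketValidationException("Invalid proxy chain: " + proxies.toString());
    }
    assertion.getAttributes().put(GeoServerCasConstants.CAS_PROXYLIST_KEY, proxiedList);
    LOGGER.info("Proxy ticket validated");
}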
/**
 * Builds a {@link ProxyList} from its textual form by delegating to
 * {@link ProxyListEditor#setAsText(String)}. Input that {@code CommonUtils.isBlank}
 * reports as blank yields an empty list.
 *
 * @param proxies the textual proxy chains
 * @return the parsed proxy list, never {@code null}
 */
public static ProxyList createProxyList(final String proxies) {
    if (!CommonUtils.isBlank(proxies)) {
        final ProxyListEditor parser = new ProxyListEditor();
        parser.setAsText(proxies);
        return (ProxyList) parser.getValue();
    }
    return new ProxyList();
}
/**
 * Validates the proxy chain carried by a CAS validation response.
 *
 * <p>Outcomes, in order of evaluation:
 * <ul>
 *   <li>no proxies could be parsed at all ({@code null}) - rejected, since that points to a
 *       validation problem rather than a non-proxied ticket;</li>
 *   <li>an empty chain - accepted only when {@code allowEmptyProxyChain} is set;</li>
 *   <li>any chain - accepted when {@code acceptAnyProxy} is set (logged at debug level,
 *       since it disables the check entirely);</li>
 *   <li>otherwise the chain must be contained in {@code allowedProxyChains}; a mismatch
 *       is logged at warn level with both the received and the configured chains.</li>
 * </ul>
 *
 * @param response the raw validation response
 * @param assertion the assertion built so far (not used by this implementation)
 * @throws InvalidProxyChainTicketValidationException if the chain is rejected
 */
@Override
protected void customParseResponse(final String response, final Assertion assertion) throws TicketValidationException {
    final List<String> proxies = parseProxiesFromResponse(response);
    if (proxies == null) {
        throw new InvalidProxyChainTicketValidationException(
            "Invalid proxy chain: No proxy could be retrieved from response. "
            + "This indicates a problem with CAS validation. Review logs/configuration to find the root cause.");
    }
    final boolean emptyChainPermitted = this.allowEmptyProxyChain && proxies.isEmpty();
    if (emptyChainPermitted) {
        logger.debug("Found an empty proxy chain, permitted by client configuration");
        return;
    }
    if (this.acceptAnyProxy) {
        logger.debug("Client configuration accepts any proxy. "
            + "It is generally dangerous to use a non-proxied CAS filter "
            + "specially for protecting resources that require proxy access.");
        return;
    }
    final String[] receivedChain = proxies.toArray(new String[0]);
    if (!this.allowedProxyChains.contains(receivedChain)) {
        logger.warn("Proxies received from the CAS validation response are {}. "
            + "However, none are allowed by allowed proxy chain of the client which is {}",
            Arrays.toString(receivedChain), this.allowedProxyChains);
        throw new InvalidProxyChainTicketValidationException("Invalid proxy chain: " + proxies.toString());
    }
}
/**
 * Parses the textual proxy-chain configuration into a {@link ProxyList}.
 *
 * @param proxies the textual proxy chains; blank input (per {@code CommonUtils.isBlank})
 *     gives an empty list
 * @return the parsed list, never {@code null}
 */
public static ProxyList createProxyList(final String proxies) {
    if (CommonUtils.isBlank(proxies)) {
        return new ProxyList();
    }
    return parseWithEditor(proxies);
}

/** Runs the text through a fresh {@link ProxyListEditor} and returns its value. */
private static ProxyList parseWithEditor(final String text) {
    final ProxyListEditor editor = new ProxyListEditor();
    editor.setAsText(text);
    return (ProxyList) editor.getValue();
}
/**
 * An allowed chain whose last hop is the pattern {@code ^proxy3/[a-z]*/} must reject a
 * response whose third proxy is {@code proxy3/ABC/} (expected not to match the pattern).
 */
@Test
public void testRegexProxyChainWithInvalidProxy() throws TicketValidationException, UnsupportedEncodingException {
    final List<String[]> allowedChains = new ArrayList<String[]>();
    allowedChains.add(new String[] { "proxy1", "proxy2", "^proxy3/[a-z]*/" });
    this.ticketValidator.setAllowedProxyChains(new ProxyList(allowedChains));
    final String response = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess><cas:user>username</cas:user><cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket><cas:proxies><cas:proxy>proxy1</cas:proxy><cas:proxy>proxy2</cas:proxy><cas:proxy>proxy3/ABC/</cas:proxy></cas:proxies></cas:authenticationSuccess></cas:serviceResponse>";
    server.content = response.getBytes(server.encoding);
    try {
        this.ticketValidator.validate("test", "test");
        fail("Invalid proxy chain");
    } catch (final InvalidProxyChainTicketValidationException expected) {
        // the third hop must not satisfy the configured pattern
    }
}
/**
 * An allowed chain whose last hop is the pattern {@code ^proxy3/[a-z]*/} must accept a
 * response whose third proxy is {@code proxy3/abc/}, yielding the asserted principal.
 */
@Test
public void testRegexProxyChainWithValidProxy() throws TicketValidationException, UnsupportedEncodingException {
    final String expectedUser = "username";
    final List<String[]> allowedChains = new ArrayList<String[]>();
    allowedChains.add(new String[] { "proxy1", "proxy2", "^proxy3/[a-z]*/" });
    this.ticketValidator.setAllowedProxyChains(new ProxyList(allowedChains));
    final String response = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'><cas:authenticationSuccess><cas:user>username</cas:user><cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket><cas:proxies><cas:proxy>proxy1</cas:proxy><cas:proxy>proxy2</cas:proxy><cas:proxy>proxy3/abc/</cas:proxy></cas:proxies></cas:authenticationSuccess></cas:serviceResponse>";
    server.content = response.getBytes(server.encoding);
    final Assertion result = this.ticketValidator.validate("test", "test");
    assertEquals(expectedUser, result.getPrincipal().getName());
}
/**
 * Applies the CAS security properties to the ticket validator builder: protocol version,
 * proxy callback URL (only when both a base URL and a callback path are configured),
 * proxy-chain validation (disabled, or configured from the property chains) and the
 * proxy granting ticket storage.
 *
 * @param ticketValidator the builder to configure
 */
@Override
public void configure(CasTicketValidatorBuilder ticketValidator) {
    // The callback base URL wins over the plain base URL when it is set.
    final URI callbackBaseUrl = casSecurityProperties.getService().getCallbackBaseUrl();
    final URI baseUrl = callbackBaseUrl != null ? callbackBaseUrl : casSecurityProperties.getService().getBaseUrl();
    ticketValidator.protocolVersion(casSecurityProperties.getServer().getProtocolVersion());
    final String proxyCallbackPath = casSecurityProperties.getService().getPaths().getProxyCallback();
    if (baseUrl != null && proxyCallbackPath != null) {
        ticketValidator.proxyCallbackUrl(buildUrl(baseUrl, proxyCallbackPath));
    }
    if (casSecurityProperties.getProxyValidation().isEnabled()) {
        final List<String[]> chains = casSecurityProperties
            .getProxyValidation()
            .getChains()
            .stream()
            .map(chain -> chain.toArray(new String[0]))
            .collect(Collectors.toList());
        ticketValidator.proxyChains(new ProxyList(chains));
    } else {
        ticketValidator.proxyChainsValidation(false);
    }
    ticketValidator.proxyGrantingTicketStorage(proxyGrantingTicketStorage);
}
}
/**
 * Creates the validator under test against the local CAS server on port 8089, with renew
 * enabled, a dummy proxy callback URL, the test PGT storage and proxy retriever, and a
 * single allowed chain proxy1 -> proxy2 -> proxy3.
 */
@Before
public void setUp() throws Exception {
    this.ticketValidator = new Cas20ProxyTicketValidator(CONST_CAS_SERVER_URL_PREFIX + "8089");
    this.ticketValidator.setRenew(true);
    this.ticketValidator.setProxyCallbackUrl("test");
    this.ticketValidator.setProxyGrantingTicketStorage(getProxyGrantingTicketStorage());
    this.ticketValidator.setProxyRetriever(getProxyRetriever());
    final List<String[]> allowedChains = new ArrayList<String[]>();
    allowedChains.add(new String[] { "proxy1", "proxy2", "proxy3" });
    this.ticketValidator.setAllowedProxyChains(new ProxyList(allowedChains));
}