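@Test
public void testNormalOperation() throws Exception {
    // A request on the filter's processing URL that carries a CAS service ticket
    // ("ST-...") is the ordinary, stateful login case.
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setServletPath("/login/cas");
    request.addParameter("ticket", "ST-0-ER94xMJmn6pha35CQRoZ");

    CasAuthenticationFilter filter = new CasAuthenticationFilter();
    // Pass-through manager: it hands the token back unchanged, so only the filter's
    // own request handling is exercised here, not ticket validation.
    filter.setAuthenticationManager(new AuthenticationManager() {
        public Authentication authenticate(Authentication a) {
            return a;
        }
    });

    assertThat(filter.requiresAuthentication(request, new MockHttpServletResponse())).isTrue();

    Authentication result = filter.attemptAuthentication(request, new MockHttpServletResponse());
    // Assert on the object itself rather than on a boolean so a failure reports what
    // was actually returned instead of "expected true but was false".
    assertThat(result).isNotNull();
}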
/**
 * Creates a filter that processes CAS tickets arriving at {@code /login/cas}.
 * Authentication failures are delegated to a {@link SimpleUrlAuthenticationFailureHandler}
 * until a different failure handler is configured.
 */
public CasAuthenticationFilter() {
    super("/login/cas");
    this.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
}
/**
 * Turns the incoming request into an authentication attempt.
 * <p>
 * Proxy receptor callbacks are answered directly by the CAS client library and
 * produce no {@link Authentication} (the method returns {@code null}). Every other
 * request is converted into a {@link UsernamePasswordAuthenticationToken} whose
 * principal marks the request as stateful or stateless and whose credential is the
 * CAS artifact (ticket) obtained from the request.
 *
 * @param request the current request
 * @param response the current response, written to only for proxy receptor requests
 * @return the authenticated token, or {@code null} for a proxy receptor request
 * @throws AuthenticationException if the authentication manager rejects the token
 * @throws IOException if responding to a proxy receptor request fails
 */
@Override
public Authentication attemptAuthentication(final HttpServletRequest request,
        final HttpServletResponse response) throws AuthenticationException, IOException {
    if (proxyReceptorRequest(request)) {
        // Handled in place; null tells the caller that no authentication was produced.
        logger.debug("Responding to proxy receptor request");
        CommonUtils.readAndRespondToProxyReceptorRequest(request, response,
                this.proxyGrantingTicketStorage);
        return null;
    }

    // The principal name signals to the provider whether a service ticket (stateful)
    // or any other artifact (stateless) is being presented.
    final boolean isServiceTicketRequest = serviceTicketRequest(request, response);
    final String principal = isServiceTicketRequest
            ? CAS_STATEFUL_IDENTIFIER
            : CAS_STATELESS_IDENTIFIER;

    // The artifact travels as the token's credential. A missing ticket becomes an
    // empty string so the provider, not this filter, decides how to reject it.
    final String artifact = obtainArtifact(request);
    if (artifact == null) {
        logger.debug("Failed to obtain an artifact (cas ticket)");
    }
    final String credential = (artifact == null) ? "" : artifact;

    final UsernamePasswordAuthenticationToken authRequest =
            new UsernamePasswordAuthenticationToken(principal, credential);
    authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    return this.getAuthenticationManager().authenticate(authRequest);
}
/**
 * Overridden to provide proxying capabilities.
 * <p>
 * Besides the usual check against the filter's processing URL (a service ticket
 * request), a request is also handled when it is a proxy receptor callback or when it
 * carries an artifact that has to be authenticated as a proxy ticket.
 *
 * @param request the current request
 * @param response the current response
 * @return {@code true} if this filter should attempt authentication for the request
 */
protected boolean requiresAuthentication(final HttpServletRequest request,
        final HttpServletResponse response) {
    final boolean isServiceTicket = serviceTicketRequest(request, response);

    // Evaluated lazily in the same order as the original short-circuit expression,
    // so the proxy checks (and their debug logging) only run when needed.
    boolean required = isServiceTicket;
    if (!required) {
        required = proxyReceptorRequest(request);
    }
    if (!required) {
        required = proxyTicketRequest(isServiceTicket, request);
    }

    if (logger.isDebugEnabled()) {
        logger.debug("requiresAuthentication = " + required);
    }
    return required;
}
/**
 * Indicates if the request is eligible to be processed as a proxy ticket request.
 * <p>
 * A service ticket request is never treated as a proxy ticket request. Otherwise the
 * request qualifies only when all artifacts are to be authenticated, an artifact is
 * present, and the current user is not already authenticated.
 *
 * @param serviceTicketRequest whether the request was already classified as a service
 * ticket request
 * @param request the current request
 * @return {@code true} if the request should be authenticated as a proxy ticket
 */
private boolean proxyTicketRequest(final boolean serviceTicketRequest,
        final HttpServletRequest request) {
    if (serviceTicketRequest) {
        return false;
    }

    boolean eligible = false;
    if (authenticateAllArtifacts && obtainArtifact(request) != null) {
        // Only re-authenticate when nobody is authenticated yet.
        eligible = !authenticated();
    }

    if (logger.isDebugEnabled()) {
        logger.debug("proxyTicketRequest = " + eligible);
    }
    return eligible;
}
// Fragment of a test body: request, response, manager, successHandler,
// serviceProperties and authentication are set up outside this excerpt.
FilterChain chain = mock(FilterChain.class);
CasAuthenticationFilter filter = new CasAuthenticationFilter();
filter.setServiceProperties(serviceProperties);
filter.setAuthenticationSuccessHandler(successHandler);
filter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
filter.setAuthenticationManager(manager);
filter.afterPropertiesSet();
// First pass: the request is authenticated and the result lands in the security context.
filter.doFilter(request, response, chain);
// NOTE(review): withFailMessage(...) placed after isNotNull() has no effect on that
// assertion; it needs to precede the assertion call to customise its message.
assertThat(SecurityContextHolder
        .getContext().getAuthentication()).isNotNull().withFailMessage("Authentication should not be null");
// Second pass: process the request's own servlet path starting from an empty context.
filter.setFilterProcessesUrl(request.getServletPath());
SecurityContextHolder.clearContext();
filter.doFilter(request, response, chain);
// The filter must hand off to the success handler rather than continue the chain.
verifyNoMoreInteractions(chain);
verify(successHandler).onAuthenticationSuccess(request, response, authentication);
/**
 * Builds the CAS processing filter used by this configuration.
 * <p>
 * Both authentication outcomes are reported through the AJAX handlers created by this
 * class rather than through redirects.
 *
 * @return a fully wired {@link CasAuthenticationFilter}
 */
@Override
protected AbstractAuthenticationProcessingFilter getAuthenticationFilter() {
    final CasAuthenticationFilter filter = new CasAuthenticationFilter();
    filter.setAuthenticationManager(createAuthenticationManager());
    filter.setAuthenticationFailureHandler(createAjaxFailureHandler());
    filter.setAuthenticationSuccessHandler(createAjaxSuccessHandler());
    return filter;
}
/**
 * Applies every explicitly configured property to the given filter.
 * <p>
 * Properties left {@code null} are skipped so the filter keeps its own defaults for them.
 *
 * @param filter the filter to configure
 */
void configure(CasAuthenticationFilter filter) {
    if (this.requiresAuthenticationRequestMatcher != null) {
        filter.setRequiresAuthenticationRequestMatcher(this.requiresAuthenticationRequestMatcher);
    }
    if (this.authenticationFailureHandler != null) {
        filter.setAuthenticationFailureHandler(this.authenticationFailureHandler);
    }
    if (this.proxyAuthenticationFailureHandler != null) {
        filter.setProxyAuthenticationFailureHandler(this.proxyAuthenticationFailureHandler);
    }
    if (this.authenticationSuccessHandler != null) {
        filter.setAuthenticationSuccessHandler(this.authenticationSuccessHandler);
    }
    if (this.proxyReceptorUrl != null) {
        filter.setProxyReceptorUrl(this.proxyReceptorUrl);
    }
    if (this.proxyGrantingTicketStorage != null) {
        filter.setProxyGrantingTicketStorage(this.proxyGrantingTicketStorage);
    }
    if (this.serviceAuthenticationDetailsSource != null) {
        filter.setAuthenticationDetailsSource(this.serviceAuthenticationDetailsSource);
    }
}
}
@Test
public void testGettersSetters() {
    // Smoke test: wiring the proxy-related properties must not throw.
    CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    casFilter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
    casFilter.setProxyReceptorUrl("/someurl");
    casFilter.setServiceProperties(new ServiceProperties());
}
@Test
public void testChainNotInvokedForProxyReceptor() throws Exception {
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    FilterChain chain = mock(FilterChain.class);
    request.setServletPath("/pgtCallback");

    // Point the filter's proxy receptor at the request's path so the request is
    // handled as a receptor callback.
    CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    casFilter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
    casFilter.setProxyReceptorUrl(request.getServletPath());

    casFilter.doFilter(request, response, chain);

    // A receptor callback is answered by the filter itself; the chain never runs.
    verifyZeroInteractions(chain);
}
}
@Test(expected = AuthenticationException.class)
public void testNullServiceTicketHandledGracefully() throws Exception {
    // A manager that rejects every token stands in for a real provider.
    AuthenticationManager rejectingManager = new AuthenticationManager() {
        public Authentication authenticate(Authentication a) {
            throw new BadCredentialsException("Rejected");
        }
    };
    CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    casFilter.setAuthenticationManager(rejectingManager);

    // A request carrying no ticket must surface as an AuthenticationException
    // (from the manager), not as an unexpected runtime error inside the filter.
    casFilter.attemptAuthentication(new MockHttpServletRequest(), new MockHttpServletResponse());
}
@Test
public void testRequiresAuthenticationProxyRequest() {
    CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    request.setServletPath("/pgtCallback");

    // No receptor URL configured: not a proxy receptor request.
    assertThat(casFilter.requiresAuthentication(request, response)).isFalse();

    // Receptor URL alone is not enough; storage for the granting ticket is required too.
    casFilter.setProxyReceptorUrl(request.getServletPath());
    assertThat(casFilter.requiresAuthentication(request, response)).isFalse();

    // URL and storage both present: the receptor is configured and the path matches.
    casFilter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
    assertThat(casFilter.requiresAuthentication(request, response)).isTrue();

    // A different path no longer matches the receptor URL.
    request.setServletPath("/other");
    assertThat(casFilter.requiresAuthentication(request, response)).isFalse();
}
/**
 * Registers the CAS authentication filter, the single-sign-out filter and the related
 * transport, CSRF, header and exception-handling settings on the given
 * {@link HttpSecurity}.
 *
 * @param http the security builder to configure
 * @throws Exception if any of the delegated configuration steps fails
 */
@Override
public void init(HttpSecurity http) throws Exception {
    final CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    casFilter.setAuthenticationManager(authenticationManager());
    casFilter.setRequiresAuthenticationRequestMatcher(getAuthenticationRequestMatcher());
    casFilter.setServiceProperties(serviceProperties);
    filterConfigurer.configure(casFilter);

    final SingleSignOutFilter logoutFilter = new SingleSignOutFilter();
    singleSignOutFilterConfigurer.configure(logoutFilter);

    // Transport security and CSRF protection follow the security properties; CSRF
    // protection is only switched off when the properties explicitly disable it.
    if (securityProperties.isRequireSsl()) {
        http.requiresChannel().anyRequest().requiresSecure();
    }
    if (!securityProperties.isEnableCsrf()) {
        http.csrf().disable();
    }
    SpringBootWebSecurityConfiguration.configureHeaders(http.headers(),
            securityProperties.getHeaders());

    // The single-sign-out filter runs ahead of CSRF so logout callbacks are not
    // rejected as CSRF violations; the CAS filter takes its default position.
    http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .addFilterBefore(logoutFilter, CsrfFilter.class)
            .addFilter(casFilter);

    if (securityProperties.getBasic().isEnabled()) {
        final AuthenticationManager sharedManager = http.getSharedObject(ApplicationContext.class)
                .getBean(AuthenticationManager.class);
        http.addFilterBefore(new BasicAuthenticationFilter(sharedManager),
                CasAuthenticationFilter.class);
    }
}
@Test
public void testAuthenticateProxyUrl() throws Exception {
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    request.setServletPath("/pgtCallback");

    CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    casFilter.setProxyGrantingTicketStorage(mock(ProxyGrantingTicketStorage.class));
    casFilter.setProxyReceptorUrl(request.getServletPath());

    // A proxy receptor callback is answered in place and yields no Authentication.
    assertThat(casFilter.attemptAuthentication(request, response)).isNull();
}
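@Test
public void testRequiresAuthenticationAuthAll() {
    ServiceProperties properties = new ServiceProperties();
    properties.setAuthenticateAllArtifacts(true);
    String url = "/login/cas";
    CasAuthenticationFilter filter = new CasAuthenticationFilter();
    filter.setFilterProcessesUrl(url);
    filter.setServiceProperties(properties);
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();

    try {
        // The processing URL is handled regardless of any artifact.
        request.setServletPath(url);
        assertThat(filter.requiresAuthentication(request, response)).isTrue();

        // Another URL without an artifact is not handled...
        request.setServletPath("/other");
        assertThat(filter.requiresAuthentication(request, response)).isFalse();

        // ...but with authenticateAllArtifacts any URL carrying an artifact is.
        request.setParameter(properties.getArtifactParameter(), "value");
        assertThat(filter.requiresAuthentication(request, response)).isTrue();

        // An anonymous user does not count as authenticated, so the artifact is still processed.
        SecurityContextHolder.getContext().setAuthentication(
                new AnonymousAuthenticationToken("key", "principal", AuthorityUtils
                        .createAuthorityList("ROLE_ANONYMOUS")));
        assertThat(filter.requiresAuthentication(request, response)).isTrue();

        // A token that is not marked authenticated is treated the same way.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("un", "principal"));
        assertThat(filter.requiresAuthentication(request, response)).isTrue();

        // A fully authenticated user does not get re-authenticated.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("un", "principal", "ROLE_ANONYMOUS"));
        assertThat(filter.requiresAuthentication(request, response)).isFalse();
    }
    finally {
        // This test writes to the thread-local SecurityContext; clear it so the
        // last token cannot leak into other tests that run on the same thread.
        SecurityContextHolder.clearContext();
    }
}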
/**
 * Exposes the CAS authentication filter as a bean, wired with this configuration's
 * authentication manager and session authentication strategy.
 *
 * @return the configured {@link CasAuthenticationFilter}
 * @throws Exception if the authentication manager cannot be obtained
 */
@Bean
public CasAuthenticationFilter casAuthenticationFilter() throws Exception {
    final CasAuthenticationFilter filter = new CasAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManager());
    filter.setSessionAuthenticationStrategy(sessionStrategy());
    return filter;
}
@Test
public void testRequiresAuthenticationFilterProcessUrl() {
    String processUrl = "/login/cas";
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpServletResponse response = new MockHttpServletResponse();
    request.setServletPath(processUrl);

    // A request on the configured processing URL is always handled by the filter.
    CasAuthenticationFilter casFilter = new CasAuthenticationFilter();
    casFilter.setFilterProcessesUrl(processUrl);
    assertThat(casFilter.requiresAuthentication(request, response)).isTrue();
}
@Test
public void configureWhenAddFilterCasAuthenticationFilterThenFilterAdded() throws Exception {
    // Spy on the filter the configuration registers so its invocation can be verified.
    CasAuthenticationFilter spiedFilter = spy(new CasAuthenticationFilter());
    CasAuthenticationFilterConfig.CAS_AUTHENTICATION_FILTER = spiedFilter;
    this.spring.register(CasAuthenticationFilterConfig.class).autowire();

    this.mockMvc.perform(get("/"));

    // Any request passing through the chain must reach the registered filter.
    verify(spiedFilter).doFilter(any(ServletRequest.class), any(ServletResponse.class),
            any(FilterChain.class));
}
/**
 * Indicates if the request is eligible to be processed as the proxy receptor.
 * <p>
 * Requires the proxy receptor to be configured and the request to match the
 * receptor's request matcher.
 *
 * @param request the current request
 * @return {@code true} if the request is a proxy receptor callback
 */
private boolean proxyReceptorRequest(final HttpServletRequest request) {
    boolean isReceptorRequest = false;
    if (proxyReceptorConfigured()) {
        // The matcher is only consulted once the receptor is known to be configured.
        isReceptorRequest = proxyReceptorMatcher.matches(request);
    }
    if (logger.isDebugEnabled()) {
        logger.debug("proxyReceptorRequest = " + isReceptorRequest);
    }
    return isReceptorRequest;
}
/**
 * Obtains the CAS artifact (ticket) from the request.
 * <p>
 * The superclass lookup (request parameter) is tried first; when it yields nothing,
 * the header named by {@code ServiceSecurityConstants.TICKET_PARAMETER} is used as a
 * fallback. Either source is attacker-controlled input and is only as trustworthy as
 * the ticket validation performed later by the authentication provider.
 *
 * @param request the current request
 * @return the artifact from the parameter or header, or {@code null} if neither is set
 */
@Override
protected String obtainArtifact(HttpServletRequest request) {
    final String fromParameter = super.obtainArtifact(request);
    if (!StringUtils.isEmpty(fromParameter)) {
        return fromParameter;
    }
    return request.getHeader(ServiceSecurityConstants.TICKET_PARAMETER);
}