/**
 * Refuses a proxy attempt unless the service that proxies the ticket-granting ticket
 * is known to the service registry and its proxy policy allows proxying.
 * <p>
 * A ticket-granting ticket that is not proxied by anyone is accepted as-is; nothing
 * is checked in that case.
 *
 * @param service               the service requesting the ticket (only used for log context)
 * @param ticketGrantingTicket  the ticket whose proxying service, if any, is evaluated
 * @param registeredService     the registered service whose id is reported in the exception message
 * @throws UnauthorizedProxyingException if the proxying service is unknown to the registry
 *                                       or its proxy policy does not allow proxying
 */
protected void evaluateProxiedServiceIfNeeded(final Service service, final TicketGrantingTicket ticketGrantingTicket, final RegisteredService registeredService) {
    val proxiedBy = ticketGrantingTicket.getProxiedBy();
    if (proxiedBy == null) {
        LOGGER.trace("Ticket-granting ticket is not proxied by another service");
        return;
    }

    LOGGER.debug("Ticket-granting ticket is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId());
    val proxyingService = this.servicesManager.findServiceBy(proxiedBy);

    // An unregistered proxying service is denied outright: there is no policy to consult.
    if (proxyingService == null) {
        LOGGER.warn("No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.", service.getId(), registeredService.getId());
        throw new UnauthorizedProxyingException(UnauthorizedProxyingException.MESSAGE + registeredService.getId());
    }

    LOGGER.debug("Located proxying service [{}] in the service registry", proxyingService);
    val allowedToProxy = proxyingService.getProxyPolicy().isAllowedToProxy();
    if (!allowedToProxy) {
        // The registered proxying service exists but its own policy forbids acting as a proxy.
        LOGGER.warn("Found proxying service [{}], but it is not authorized to fulfill the proxy attempt made by [{}]", proxyingService.getId(), service.getId());
        throw new UnauthorizedProxyingException(UnauthorizedProxyingException.MESSAGE + registeredService.getId());
    }
}
/**
 * Authenticates an HTTP-based service credential by first checking its callback URL
 * against the owning service's proxy policy and then asking the HTTP client whether
 * the callback URL is an acceptable endpoint.
 * <p>
 * The policy check runs before the endpoint check, so a callback URL the policy does
 * not authorize is rejected before {@code httpClient.isValidEndPoint} (which presumably
 * contacts the URL) is ever invoked.
 *
 * @param credential the credential; expected to be a {@link HttpBasedServiceCredential}
 *                   (the cast is unchecked and a mismatch surfaces as a {@link ClassCastException})
 * @return the execution result carrying a principal built from the credential id
 * @throws FailedLoginException if the proxy policy rejects the callback URL, or the
 *                              endpoint check fails for it
 * @throws GeneralSecurityException per the handler contract
 */
@Override
public AuthenticationHandlerExecutionResult authenticate(final Credential credential) throws GeneralSecurityException {
    val httpCredential = (HttpBasedServiceCredential) credential;
    val callbackUrl = httpCredential.getCallbackUrl();
    val owningService = httpCredential.getService();

    // Policy gate first: nothing else is done with the callback URL until it is authorized.
    val callbackAuthorized = owningService.getProxyPolicy().isAllowedProxyCallbackUrl(callbackUrl);
    if (!callbackAuthorized) {
        LOGGER.warn("Proxy policy for service [{}] cannot authorize the requested callback url [{}].", owningService.getServiceId(), callbackUrl);
        throw new FailedLoginException(callbackUrl + " cannot be authorized");
    }

    LOGGER.debug("Attempting to authenticate [{}]", httpCredential);

    // Endpoint gate second: the HTTP client decides whether the callback URL responds acceptably.
    val endpointAcceptable = this.httpClient.isValidEndPoint(callbackUrl);
    if (!endpointAcceptable) {
        throw new FailedLoginException(callbackUrl.toExternalForm() + " sent an unacceptable response status code");
    }

    val principal = this.principalFactory.createPrincipal(httpCredential.getId());
    return new DefaultAuthenticationHandlerExecutionResult(this, httpCredential, principal);
}
result.throwExceptionIfNeeded(); if (!registeredService.getProxyPolicy().isAllowedToProxy()) { LOGGER.warn("Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId()); throw new UnauthorizedProxyingException();
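/**
 * Serializes a {@link RegisteredService} field by field through Kryo.
 * <p>
 * Writes are sequential, so the order below is the wire layout and a matching
 * reader has to consume the fields in exactly this order. Optional scalar fields
 * are written as empty strings / placeholder objects rather than {@code null}.
 * Collection-valued fields are copied into plain JDK collections before writing;
 * a {@code null} collection is written as an empty one, consistent with how the
 * other optional fields are defaulted (the original wrapped them directly and
 * would have thrown a {@link NullPointerException} on {@code null}).
 *
 * @param kryo    the Kryo instance
 * @param output  the output to write into
 * @param service the service to serialize
 */
@Override
public void write(final Kryo kryo, final Output output, final RegisteredService service) {
    kryo.writeObject(output, service.getServiceId());
    kryo.writeObject(output, StringUtils.defaultIfEmpty(service.getName(), StringUtils.EMPTY));
    kryo.writeObject(output, StringUtils.defaultIfEmpty(service.getDescription(), StringUtils.EMPTY));
    kryo.writeObject(output, service.getId());
    kryo.writeObject(output, service.getEvaluationOrder());
    kryo.writeObject(output, ObjectUtils.defaultIfNull(service.getLogo(), getEmptyUrl()));
    kryo.writeObject(output, service.getLogoutType());
    kryo.writeObject(output, ObjectUtils.defaultIfNull(service.getLogoutUrl(), StringUtils.EMPTY));

    // Copy into a concrete HashSet so the serialized type does not depend on the
    // implementation's own collection class; null becomes an empty set.
    val requiredHandlers = service.getRequiredHandlers();
    kryo.writeObject(output, requiredHandlers == null ? new HashSet<>() : new HashSet<>(requiredHandlers));

    kryo.writeObject(output, StringUtils.defaultIfEmpty(service.getTheme(), StringUtils.EMPTY));
    kryo.writeObject(output, StringUtils.defaultIfEmpty(service.getResponseType(), StringUtils.EMPTY));

    // Policy/strategy objects are written by reflection; each null is replaced with the
    // project's default implementation of that policy so the reader always finds an object.
    writeObjectByReflection(kryo, output, ObjectUtils.defaultIfNull(service.getPublicKey(), new RegisteredServicePublicKeyImpl()));
    writeObjectByReflection(kryo, output, ObjectUtils.defaultIfNull(service.getProxyPolicy(), new RefuseRegisteredServiceProxyPolicy()));
    writeObjectByReflection(kryo, output, ObjectUtils.defaultIfNull(service.getAttributeReleasePolicy(), new ReturnAllowedAttributeReleasePolicy()));
    writeObjectByReflection(kryo, output, ObjectUtils.defaultIfNull(service.getUsernameAttributeProvider(), new DefaultRegisteredServiceUsernameProvider()));
    writeObjectByReflection(kryo, output, ObjectUtils.defaultIfNull(service.getAccessStrategy(), new DefaultRegisteredServiceAccessStrategy()));
    writeObjectByReflection(kryo, output, ObjectUtils.defaultIfNull(service.getMultifactorPolicy(), new DefaultRegisteredServiceMultifactorPolicy()));
    writeObjectByReflection(kryo, output, ObjectUtils.defaultIfNull(service.getContacts(), new ArrayList<>()));

    kryo.writeObject(output, StringUtils.defaultIfEmpty(service.getInformationUrl(), StringUtils.EMPTY));
    kryo.writeObject(output, StringUtils.defaultIfEmpty(service.getPrivacyUrl(), StringUtils.EMPTY));

    // Same treatment as required handlers: concrete HashMap, null becomes an empty map.
    val properties = service.getProperties();
    kryo.writeObject(output, properties == null ? new HashMap<>() : new HashMap<>(properties));
}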