/**
 * Answers whether the service may take part in SSO by delegating to the
 * lazily constructed Groovy access strategy.
 *
 * <p>The Groovy instance is built on first use; the decision itself is
 * entirely whatever the script reports, so the script source is the trust
 * boundary here (presumably operator-controlled — confirm).
 *
 * @return the Groovy strategy's {@code isServiceAccessAllowedForSso()} result
 */
@Override
@JsonIgnore
public boolean isServiceAccessAllowedForSso() {
    // Make sure the delegate exists before dereferencing it.
    buildGroovyAccessStrategyInstanceIfNeeded();
    return groovyStrategyInstance.isServiceAccessAllowedForSso();
}
/**
 * Tries to determine if authentication was created as part of a "renew" event.
 * Renewed authentications can occur if the service is not allowed to participate
 * in SSO or if a "renew" request parameter is specified.
 *
 * <p>Resolution order: an explicit {@code renew} parameter wins; otherwise the
 * registered service's access strategy decides. A request without a service, or
 * for a service that is not in the registry, is reported as not renewed.
 *
 * @param ctx the request context
 * @return true if renewed
 */
private boolean isAuthenticationRenewed(final RequestContext ctx) {
    final boolean renewRequested = ctx.getRequestParameters().contains(CasProtocolConstants.PARAMETER_RENEW);
    if (renewRequested) {
        LOGGER.debug("[{}] is specified for the request. The authentication session will be considered renewed.", CasProtocolConstants.PARAMETER_RENEW);
        return true;
    }

    final Service service = WebUtils.getService(ctx);
    if (service == null) {
        return false;
    }

    final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
    if (registeredService == null) {
        // Unregistered service: nothing to consult, so not treated as renewed here.
        return false;
    }

    // A service that may not participate in SSO forces a renewed authentication.
    final boolean ssoAllowed = registeredService.getAccessStrategy().isServiceAccessAllowedForSso();
    LOGGER.debug("Located [{}] in registry. Service access to participate in SSO is set to [{}]", registeredService.getServiceId(), ssoAllowed);
    return !ssoAllowed;
}
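/**
 * Ensure service sso access is allowed.
 *
 * <p>For a service whose access strategy forbids SSO participation, an existing
 * ticket-granting ticket may only be reused when it is not proxied, has never
 * been used, or the request supplied fresh credentials. Any other case is
 * rejected.
 *
 * @param registeredService the registered service
 * @param service the service
 * @param ticketGrantingTicket the ticket granting ticket
 * @param credentialsProvided the credentials provided
 * @throws UnauthorizedSsoServiceException if the service is SSO-disabled and the
 *         ticket is proxied, or has already been used without fresh credentials
 */
public static void ensureServiceSsoAccessIsAllowed(final RegisteredService registeredService, final Service service, final TicketGrantingTicket ticketGrantingTicket, final boolean credentialsProvided) {
    if (!registeredService.getAccessStrategy().isServiceAccessAllowedForSso()) {
        LOGGER.debug("Service [{}] is configured to not use SSO", service.getId());

        if (ticketGrantingTicket.getProxiedBy() != null) {
            LOGGER.warn("Service [{}] is not allowed to use SSO for proxying.", service.getId());
            throw new UnauthorizedSsoServiceException();
        }

        // Reaching here means the ticket is not proxied. A ticket that has already
        // issued at least one service ticket represents an existing SSO session,
        // which this service may only reuse when the request carried credentials.
        if (ticketGrantingTicket.getCountOfUses() > 0 && !credentialsProvided) {
            // Argument order matches the placeholders: service id first, then ticket id.
            // NOTE(review): the TGT identifier is written to the log here and below;
            // confirm that matches the deployment's logging policy for session identifiers.
            LOGGER.warn("Service [{}] is not allowed to use SSO. The ticket-granting ticket [{}] is not proxied and it's been used at least once. "
                + "The authentication request must provide credentials before access can be granted", service.getId(), ticketGrantingTicket.getId());
            throw new UnauthorizedSsoServiceException();
        }
    }
    // NOTE(review): this is also logged when the service is SSO-disabled but passed
    // the checks above (unused ticket, or credentials provided).
    LOGGER.debug("Current authentication via ticket [{}] allows service [{}] to participate in the existing SSO session", ticketGrantingTicket.getId(), service.getId());
}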
/**
 * Decides whether the current request participates in an SSO session.
 *
 * <p>An explicit {@code renew} request (when renew handling is enabled) yields the
 * configured cookie-on-renew setting. Otherwise the registered service's access
 * strategy decides, evaluated with the request's authentication bound to the
 * thread so that authentication-aware strategies can see it. Requests without a
 * service, or for a service not found in the registry, participate; presumably
 * such services are rejected elsewhere in the flow — verify against callers.
 *
 * @param ctx the request context
 * @return true if the request participates in SSO
 */
@Override
public boolean isParticipating(final RequestContext ctx) {
    if (renewEnabled && ctx.getRequestParameters().contains(CasProtocolConstants.PARAMETER_RENEW)) {
        LOGGER.debug("[{}] is specified for the request. The authentication session will be considered renewed.", CasProtocolConstants.PARAMETER_RENEW);
        return this.createSsoSessionCookieOnRenewAuthentications;
    }

    val authentication = WebUtils.getAuthentication(ctx);
    val service = WebUtils.getService(ctx);
    if (service == null) {
        return true;
    }

    val registeredService = this.servicesManager.findServiceBy(service);
    if (registeredService == null) {
        return true;
    }

    // Remember whatever was bound before so it can be put back once the strategy
    // has run; the binding must not outlive this evaluation.
    val previouslyBound = AuthenticationCredentialsThreadLocalBinder.getCurrentAuthentication();
    try {
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);
        val ssoAllowed = registeredService.getAccessStrategy().isServiceAccessAllowedForSso();
        LOGGER.debug("Located [{}] in registry. Service access to participate in SSO is set to [{}]", registeredService.getServiceId(), ssoAllowed);
        return ssoAllowed;
    } finally {
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(previouslyBound);
    }
}
}