casclient-2.1.1 源码

/* Copyright (c) 2000-2004 Yale University. All rights reserved. * See full notice at end. */ package edu.yale.its.tp.cas.client.filter; import java.io.*; import java.net.*; import java.util.*; import javax.servlet.*; import javax.servlet.http.*; import edu.yale.its.tp.cas.client.*; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * <p>Protects web-accessible resources with CAS.</p> * * <p>The following filter initialization parameters are declared in * <code>web.xml</code>:</p> * * <ul> * <li><code>edu.yale.its.tp.cas.client.filter.loginUrl</code>: URL to * login page on CAS server. (Required)</li> * <li><code>edu.yale.its.tp.cas.client.filter.validateUrl</code>: URL * to validation URL on CAS server. (Required)</li> * <li><code>edu.yale.its.tp.cas.client.filter.serviceUrl</code>: URL * of this service. (Required if <code>serverName</code> is not * specified)</li> * <li><code>edu.yale.its.tp.cas.client.filter.serverName</code>: full * hostname with port number (e.g. <code>www.foo.com:8080</code>). * Port number isn't required if it is standard (80 for HTTP, 443 for * HTTPS). (Required if <code>serviceUrl</code> is not specified)</li> * <li><code>edu.yale.its.tp.cas.client.filter.authorizedProxy</code>: * whitespace-delimited list of valid proxies through which authentication * may have proceeded. One one proxy must match. (Optional. If nothing * is specified, the filter will only accept service tickets &#150; not * proxy tickets.)</li> * <li><code>edu.yale.its.tp.cas.client.filter.proxyCallbackUrl</code>: * URL of local proxy callback listener used to acquire PGT/PGTIOU. * (Optional.)</li> * <li><code>edu.yale.its.tp.cas.client.filter.renew</code>: value of * CAS "renew" parameter. Bypasses single sign-on and requires user * to provide CAS with his/her credentials again. (Optional. If nothing * is specified, this defaults to false.)</li> * <li><code>edu.yale.its.tp.cas.client.filter.gateway</code>: value of * CAS "gateway" parameter. Redirects initial call through CAS and if * the user has logged in, validates the ticket on return. If the user * has not logged in, returns to the web application without setting * the <code>CAS_FILTER_USER</code> variable. Note that once a redirect * through CAS has occurred, the filter will not automatically try again * to log the user in. You can then either provide an explicit CAS login * link (<code>https://cas-server/cas/login?service=http://your-app</code>) * or set up two instances of the filter mapped to different paths. One * instance would have gateway=true, the other wouldn't. When you need * the user to be logged in, direct him/her to the path of the other * filter.</li> * <li><code>edu.yale.its.tp.cas.client.filter.wrapRequest</code>: * wrap the <code>HttpServletRequest</code> object, overriding the * <code>getRemoteUser()</code> method. When set to "true", * <code>request.getRemoteUser()</code> will return the username of the * currently logged-in CAS user. (Optional. If nothing is specified, * this defaults to false.)</li> * </ul> * * <p>The logged-in username is set in the session attribute defined by * the value of <code>CAS_FILTER_USER</code> and may be accessed from within * your application either by setting <code>wrapRequest</code> and calling * <code>request.getRemoteUser()</code>, or by calling * <code>session.getAttribute(CASFilter.CAS_FILTER_USER)</code>.</p> * * <p>If <code>proxyCallbackUrl</code> is set, the URL will be passed to * CAS upon validation. If the callback URL is valid, it will receive a * CAS PGT and a PGTIOU. The PGTIOU will be returned to this filter and * will be accessible through the session attribute, * <code>CASFilter.CAS_FILTER_PGTIOU</code>. You may then acquire * proxy tickets to other services by calling * <code>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor.getProxyTicket(pgtIou, targetService)</code>. * * @author Shawn Bayern * @author Drew Mazurek * @author andrew.petro@yale.edu */ public class CASFilter implements Filter { private static Log log = LogFactory.getLog(CASFilter.class); // Filter initialization parameters /** The name of the filter initialization parameter the value of which should be the https: address * of the CAS Login servlet. Optional parameter, but required for successful redirection of unauthenticated * requests to authentication. */ public final static String LOGIN_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.loginUrl"; /** The name of the filter initialization parameter the value of which must be the https: address * of the CAS Validate servlet. Must be a CAS 2.0 validate servlet (CAS 1.0 non-XML won't suffice). * Required parameter. */ public final static String VALIDATE_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.validateUrl"; /** The name of the filter initialization parameter the value of which must be the address * of the service this filter is filtering. The filter will use this as * the service parameter for CAS login and validation. Either this parameter or SERVERNAME_INIT_PARAM must be set. */ public final static String SERVICE_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.serviceUrl"; /** The name of the filter initialization parameter the vlaue of which must be the server name, * e.g. www.yale.edu , of the service this filter is filtering. The filter will construct from this name * and the request the full service parameter for CAS login and validation. */ public final static String SERVERNAME_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.serverName"; /** The name of the filter initialization parameter the value of which must be the String * that should be sent as the "renew" parameter on the request for login and validation. * This should either be "true" or not be set. It is mutually exclusive with GATEWAY. */ public final static String RENEW_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.renew"; /** The name of the filter initialization parameter the value of which must be a whitespace * delimited list of services (ProxyTicketReceptors) authorized to proxy authentication to the * service filtered by this Filter. These must be https: URLs. This parameter is optional - * not setting it results in no proxy tickets being acceptable. */ public final static String AUTHORIZED_PROXY_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.authorizedProxy"; /** The name of the filter initialization parameter the value of which must be the https: URL * to which CAS should send Proxy Granting Tickets when this filter validates tickets. */ public final static String PROXY_CALLBACK_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.proxyCallbackUrl"; /** The name of the filter initialization parameter the value of which indicates * whether this filter should wrap requests to expose the authenticated username. */ public final static String WRAP_REQUESTS_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.wrapRequest"; /** The name of the filter initialization parameter the value of which is the value the Filter * should send for the gateway parameter on the CAS login request. */ public final static String GATEWAY_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.gateway"; // Session attributes used by this filter /** <p>Session attribute in which the username is stored.</p> */ public final static String CAS_FILTER_USER = "edu.yale.its.tp.cas.client.filter.user"; /** * Session attribute in which the CASReceipt is stored. */ public final static String CAS_FILTER_RECEIPT = "edu.yale.its.tp.cas.client.filter.