cas-server-4.0.0服务端

/* * Licensed to Jasig under one or more contributor license * agreements. See the NOTICE file distributed with this work * for additional information regarding copyright ownership. * Jasig licenses this file to you under the Apache License, * Version 2.0 (the "License"); you may not use this file * except in compliance with the License. You may obtain a * copy of the License at the following location: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.jasig.cas; import java.util.Collections; import java.util.List; import java.util.Map; import javax.validation.constraints.NotNull; import com.github.inspektr.audit.annotation.Audit; import org.apache.commons.lang.StringUtils; import org.jasig.cas.authentication.AcceptAnyAuthenticationPolicyFactory; import org.jasig.cas.authentication.Authentication; import org.jasig.cas.authentication.AuthenticationBuilder; import org.jasig.cas.authentication.AuthenticationException; import org.jasig.cas.authentication.AuthenticationManager; import org.jasig.cas.authentication.ContextualAuthenticationPolicy; import org.jasig.cas.authentication.ContextualAuthenticationPolicyFactory; import org.jasig.cas.authentication.MixedPrincipalException; import org.jasig.cas.authentication.Credential; import org.jasig.cas.authentication.principal.PersistentIdGenerator; import org.jasig.cas.authentication.principal.Principal; import org.jasig.cas.authentication.principal.Service; import org.jasig.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator; import org.jasig.cas.authentication.principal.SimplePrincipal; import org.jasig.cas.logout.LogoutManager; import org.jasig.cas.logout.LogoutRequest; import org.jasig.cas.services.RegisteredService; import org.jasig.cas.services.RegisteredServiceAttributeFilter; import org.jasig.cas.services.ServiceContext; import org.jasig.cas.services.ServicesManager; import org.jasig.cas.services.UnauthorizedProxyingException; import org.jasig.cas.services.UnauthorizedServiceException; import org.jasig.cas.services.UnauthorizedSsoServiceException; import org.jasig.cas.services.support.RegisteredServiceDefaultAttributeFilter; import org.jasig.cas.ticket.ExpirationPolicy; import org.jasig.cas.ticket.InvalidTicketException; import org.jasig.cas.ticket.ServiceTicket; import org.jasig.cas.ticket.TicketException; import org.jasig.cas.ticket.TicketGrantingTicket; import org.jasig.cas.ticket.TicketGrantingTicketImpl; import org.jasig.cas.ticket.TicketValidationException; import org.jasig.cas.ticket.UnsatisfiedAuthenticationPolicyException; import org.jasig.cas.ticket.registry.TicketRegistry; import org.jasig.cas.util.UniqueTicketIdGenerator; import org.jasig.cas.validation.Assertion; import org.jasig.cas.validation.ImmutableAssertion; import org.perf4j.aop.Profiled; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.transaction.annotation.Transactional; import org.springframework.util.Assert; /** * Concrete implementation of a CentralAuthenticationService, and also the * central, organizing component of CAS's internal implementation. * <p> * This class is threadsafe. * <p> * This class has the following properties that must be set: * <ul> * <li> <code>ticketRegistry</code> - The Ticket Registry to maintain the list * of available tickets.</li> * <li> <code>serviceTicketRegistry</code> - Provides an alternative to configure separate registries for * TGTs and ST in order to store them in different locations (i.e. long term memory or short-term)</li> * <li> <code>authenticationManager</code> - The service that will handle * authentication.</li> * <li> <code>ticketGrantingTicketUniqueTicketIdGenerator</code> - Plug in to * generate unique secure ids for TicketGrantingTickets.</li> * <li> <code>serviceTicketUniqueTicketIdGenerator</code> - Plug in to * generate unique secure ids for ServiceTickets.</li> * <li> <code>ticketGrantingTicketExpirationPolicy</code> - The expiration * policy for TicketGrantingTickets.</li> * <li> <code>serviceTicketExpirationPolicy</code> - The expiration policy for * ServiceTickets.</li> * </ul> * * @author William G. Thompson, Jr. * @author Scott Battaglia * @author Dmitry Kopylenko * @since 3.0 */ public final class CentralAuthenticationServiceImpl implements CentralAuthenticationService { /** Log instance for logging events, info, warnings, errors, etc. */ private final Logger logger = LoggerFactory.getLogger(this.getClass()); /** TicketRegistry for storing and retrieving tickets as needed. */ @NotNull private final TicketRegistry ticketRegistry; /** New Ticket Registry for storing and retrieving services tickets. Can point to the same one as the ticketRegistry variable. */ @NotNull private final TicketRegistry serviceTicketRegistry; /** * AuthenticationManager for authenticating credentials for purposes of * obtaining tickets. */ @NotNull private final AuthenticationManager authenticationManager; /** * UniqueTicketIdGenerator to generate ids for TicketGrantingTickets * created. */ @NotNull private final UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator; /** Map to contain the mappings of service->UniqueTicketIdGenerators. */ @NotNull private final Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService; /** Implementation of Service Manager. */ @NotNull private final ServicesManager servicesManager; /** The logout manager. **/ @NotNull private final LogoutManager logoutManager; /** Expiration policy for ticket granting tickets. */ @NotNull private ExpirationPolicy ticketGrantingTicketExpirationPolicy; /** ExpirationPolicy for Service Tickets. */ @NotNull private ExpirationPolicy serviceTicketExpirationPolicy; /** Encoder to generate PseudoIds. */ @NotNull private PersistentIdGenerator persistentIdGenerator = new ShibbolethCompatiblePersistentIdGenerator(); /** The default attribute filter to match principal attributes against that of a registered service. **/ private RegisteredServiceAttributeFilter defaultAttributeFilter = new RegisteredServiceDefaultAttributeFilter(); /** * Authentication policy that uses a service context to produce stateful security policies to apply when * authenticating credentials. */ @NotNull private ContextualAuthenticationPolicyFactory<ServiceContext> serviceContextAuthenticationPolicyFactory = new AcceptAnyAuthenticationPolicyFactory(); /** * Build the central authentication service implementation. * * @param ticketRegistry the tickets registry. * @param serviceTicketRegistry the service tickets registry. * @param authenticationManager the authentication manager. * @param ticketGrantingTicketUniqueTicketIdGenerator the TGT id generator. * @param uniqueTicketIdGeneratorsForService the map with service and ticket id generators. * @param ticketGrantingTicketExpirationPolicy the TGT expiration policy. * @param serviceTicketExpirationPolicy the service ticket expiration policy. * @param servicesManager the services manager. * @param logoutManager the logout manager. */ public CentralAuthenticationServiceImpl(final TicketRegistry ticketRegistry, final TicketRegistry serviceTicketRegistry, final AuthenticationManager authenticationManager, final UniqueTicketIdGenerator ticketGrantingTicketUni