Coverage Report

Coverage Report - org.apache.shiro.cas.CasRealm

Classes in this File

Line Coverage

Branch Coverage

Complexity

CasRealm

75%

70/93

76%

23/30

1.8

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.shiro.cas;
 
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
 import org.apache.shiro.authc.AuthenticationToken;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 import org.apache.shiro.subject.SimplePrincipalCollection;
 import org.apache.shiro.util.CollectionUtils;
 import org.apache.shiro.util.StringUtils;
 import org.jasig.cas.client.authentication.AttributePrincipal;
 import org.jasig.cas.client.validation.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
 /**
  * This realm implementation acts as a CAS client to a CAS server for authentication and basic authorization.
  * <p/>
  * This realm functions by inspecting a submitted {@link org.apache.shiro.cas.CasToken CasToken} (which essentially 
  * wraps a CAS service ticket) and validates it against the CAS server using a configured CAS
  * {@link org.jasig.cas.client.validation.TicketValidator TicketValidator}.
  * <p/>
  * The {@link #getValidationProtocol() validationProtocol} is {@code CAS} by default, which indicates that a
  * a {@link org.jasig.cas.client.validation.Cas20ServiceTicketValidator Cas20ServiceTicketValidator}
  * will be used for ticket validation.  You can alternatively set
  * or {@link org.jasig.cas.client.validation.Saml11TicketValidator Saml11TicketValidator} of CAS client. It is based on
  * {@link AuthorizingRealm AuthorizingRealm} for both authentication and authorization. User id and attributes are retrieved from the CAS
  * service ticket validation response during authentication phase. Roles and permissions are computed during authorization phase (according
  * to the attributes previously retrieved).
  *
  * @since 1.2
  */
 public class CasRealm extends AuthorizingRealm {
 
     // default name of the CAS attribute for remember me authentication (CAS 3.4.10+)
     public static final String DEFAULT_REMEMBER_ME_ATTRIBUTE_NAME = "longTermAuthenticationRequestTokenUsed";
     public static final String DEFAULT_VALIDATION_PROTOCOL = "CAS";
     
     private static Logger log = LoggerFactory.getLogger(CasRealm.class);
     
     // this is the url of the CAS server (example : http://host:port/cas)
     private String casServerUrlPrefix;
     
     // this is the CAS service url of the application (example : http://host:port/mycontextpath/shiro-cas)
     private String casService;
     
     /* CAS protocol to use for ticket validation : CAS (default) or SAML :
        - CAS protocol can be used with CAS server version < 3.1 : in this case, no user attributes can be retrieved from the CAS ticket validation response (except if there are some customizations on CAS server side)
        - SAML protocol can be used with CAS server version >= 3.1 : in this case, user attributes can be extracted from the CAS ticket validation response
     */
     private String validationProtocol = DEFAULT_VALIDATION_PROTOCOL;
     
     // default name of the CAS attribute for remember me authentication (CAS 3.4.10+)
     private String rememberMeAttributeName = DEFAULT_REMEMBER_ME_ATTRIBUTE_NAME;
     
     // this class from the CAS client is used to validate a service ticket on CAS server
     private TicketValidator ticketValidator;
     
     // default roles to applied to authenticated user
     private String defaultRoles;
     
     // default permissions to applied to authenticated user
     private String defaultPermissions;
     
     // names of attributes containing roles
     private String roleAttributeNames;
     
     // names of attributes containing permissions
     private String permissionAttributeNames;
     
     public CasRealm() {
         setAuthenticationTokenClass(CasToken.class);
     }
 
     @Override
     protected void onInit() {
         super.onInit();
         ensureTicketValidator();
     }
 
     protected TicketValidator ensureTicketValidator() {
         if (this.ticketValidator == null) {
             this.ticketValidator = createTicketValidator();
         }
         return this.ticketValidator;
     }
     
     protected TicketValidator createTicketValidator() {
         String urlPrefix = getCasServerUrlPrefix();
         if ("saml".equalsIgnoreCase(getValidationProtocol())) {
             return new Saml11TicketValidator(urlPrefix);
         }
         return new Cas20ServiceTicketValidator(urlPrefix);
     }
     
     /**
      * Authenticates a user and retrieves its information.
      * 
      * @param token the authentication token
      * @throws AuthenticationException if there is an error during authentication.
      */
     @Override
     @SuppressWarnings("unchecked")
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
         CasToken casToken = (CasToken) token;
         if (token == null) {
             return null;
         }
         
         String ticket = (String)casToken.getCredentials();
         if (!StringUtils.hasText(ticket)) {
             return null;
         }
         
         TicketValidator ticketValidator = ensureTicketValidator();
 
         try {
             // contact CAS server to validate service ticket
             Assertion casAssertion = ticketValidator.validate(ticket, getCasService());
             // get principal, user id and attributes
             AttributePrincipal casPrincipal = casAssertion.getPrincipal();
             String userId = casPrincipal.getName();
             log.debug("Validate ticket : {} in CAS server : {} to retrieve user : {}", new Object[]{
                     ticket, getCasServerUrlPrefix(), userId
             });
 
             Map<String, Object> attributes = casPrincipal.getAttributes();
             // refresh authentication token (user id + remember me)
             casToken.setUserId(userId);
             String rememberMeAttributeName = getRememberMeAttributeName();
             String rememberMeStringValue = (String)attributes.get(rememberMeAttributeName);
             boolean isRemembered = rememberMeStringValue != null && Boolean.parseBoolean(rememberMeStringValue);
             if (isRemembered) {
                 casToken.setRememberMe(true);
             }
             // create simple authentication info
             List<Object> principals = CollectionUtils.asList(userId, attributes);
             PrincipalCollection principalCollection = new SimplePrincipalCollection(principals, getName());
             return new SimpleAuthenticationInfo(principalCollection, ticket);
         } catch (TicketValidationException e) { 
             throw new CasAuthenticationException("Unable to validate ticket [" + ticket + "]", e);
         }
     }
     
     /**
      * Retrieves the AuthorizationInfo for the given principals (the CAS previously authenticated user : id + attributes).
      * 
      * @param principals the primary identifying principals of the AuthorizationInfo that should be retrieved.
      * @return the AuthorizationInfo associated with this principals.
      */
     @Override
     @SuppressWarnings("unchecked")
     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
         // retrieve user information
         SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals;
         List<Object> listPrincipals = principalCollection.asList();
         Map<String, String> attributes = (Map<String, String>) listPrincipals.get(1);
         // create simple authorization info
         SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
         // add default roles
         addRoles(simpleAuthorizationInfo, split(defaultRoles));
         // add default permissions
         addPermissions(simpleAuthorizationInfo, split(defaultPermissions));
         // get roles from attributes
         List<String> attributeNames = split(roleAttributeNames);
         for (String attributeName : attributeNames) {
             String value = attributes.get(attributeName);
             addRoles(simpleAuthorizationInfo, split(value));
         }
         // get permissions from attributes
         attributeNames = split(permissionAttributeNames);
         for (String attributeName : attributeNames) {
             String value = attributes.get(attributeName);
             addPermissions(simpleAuthorizationInfo, split(value));
         }
         return simpleAuthorizationInfo;
     }
     
     /**
      * Split a string into a list of not empty and trimmed strings, delimiter is a comma.
      * 
      * @param s the input string
      * @return the list of not empty and trimmed strings
      */
     private List<String> split(String s) {
         List<String> list = new ArrayList<String>();
         String[] elements = StringUtils.split(s, ',');
         if (elements != null && elements.length > 0) {
             for (String element : elements) {
                 if (StringUtils.hasText(element)) {
                     list.add(element.trim());
                 }
             }
         }
         return list;
     }
     
     /**
      * Add roles to the simple authorization info.
      * 
      * @param simpleAuthorizationInfo
      * @param roles the list of roles to add
      */
     private void addRoles(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> roles) {
         for (String role : roles) {
             simpleAuthorizationInfo.addRole(role);
         }
     }
     
     /**
      * Add permissions to the simple authorization info.
      * 
      * @param simpleAuthorizationInfo
      * @param permissions the list of permissions to add
      */
     private void addPermissions(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> permissions) {
         for (String permission : permissions) {
             simpleAuthorizationInfo.addStringPermission(permission);
         }
     }
 
     public String getCasServerUrlPrefix() {
         return casServerUrlPrefix;
     }
 
     public void setCasServerUrlPrefix(String casServerUrlPrefix) {
         this.casServerUrlPrefix = casServerUrlPrefix;
     }
 
     public String getCasService() {
         return casService;
     }
 
     public void setCasService(String casService) {
         this.casService = casService;
     }
 
     public String getValidationProtocol() {
         return validationProtocol;
     }
 
     public void setValidationProtocol(String validationProtocol) {
         this.validationProtocol = validationProtocol;
     }
 
     public String getRememberMeAttributeName() {
         return rememberMeAttributeName;
     }
 
     public void setRememberMeAttributeName(String rememberMeAttributeName) {
         this.rememberMeAttributeName = rememberMeAttributeName;
     }
 
     public String getDefaultRoles() {
         return defaultRoles;
     }
 
     public void setDefaultRoles(String defaultRoles) {
         this.defaultRoles = defaultRoles;
     }
 
     public String getDefaultPermissions() {
         return defaultPermissions;
     }
 
     public void setDefaultPermissions(String defaultPermissions) {
         this.defaultPermissions = defaultPermissions;
     }
 
     public String getRoleAttributeNames() {
         return roleAttributeNames;
     }
 
     public void setRoleAttributeNames(String roleAttributeNames) {
         this.roleAttributeNames = roleAttributeNames;
     }
 
     public String getPermissionAttributeNames() {
         return permissionAttributeNames;
     }
 
     public void setPermissionAttributeNames(String permissionAttributeNames) {
         this.permissionAttributeNames = permissionAttributeNames;
     }
 }

1		/*
2		* Licensed to the Apache Software Foundation (ASF) under one
3		* or more contributor license agreements. See the NOTICE file
4		* distributed with this work for additional information
5		* regarding copyright ownership. The ASF licenses this file
6		* to you under the Apache License, Version 2.0 (the
7		* "License"); you may not use this file except in compliance
8		* with the License. You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing,
13		* software distributed under the License is distributed on an
14		* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15		* KIND, either express or implied. See the License for the
16		* specific language governing permissions and limitations
17		* under the License.
18		*/
19		package org.apache.shiro.cas;
20
21		import org.apache.shiro.authc.AuthenticationException;
22		import org.apache.shiro.authc.AuthenticationInfo;
23		import org.apache.shiro.authc.AuthenticationToken;
24		import org.apache.shiro.authc.SimpleAuthenticationInfo;
25		import org.apache.shiro.authz.AuthorizationInfo;
26		import org.apache.shiro.authz.SimpleAuthorizationInfo;
27		import org.apache.shiro.realm.AuthorizingRealm;
28		import org.apache.shiro.subject.PrincipalCollection;
29		import org.apache.shiro.subject.SimplePrincipalCollection;
30		import org.apache.shiro.util.CollectionUtils;
31		import org.apache.shiro.util.StringUtils;
32		import org.jasig.cas.client.authentication.AttributePrincipal;
33		import org.jasig.cas.client.validation.*;
34		import org.slf4j.Logger;
35		import org.slf4j.LoggerFactory;
36
37		import java.util.ArrayList;
38		import java.util.List;
39		import java.util.Map;
40
41		/**
42		* This realm implementation acts as a CAS client to a CAS server for authentication and basic authorization.
43		* <p/>
44		* This realm functions by inspecting a submitted {@link org.apache.shiro.cas.CasToken CasToken} (which essentially
45		* wraps a CAS service ticket) and validates it against the CAS server using a configured CAS
46		* {@link org.jasig.cas.client.validation.TicketValidator TicketValidator}.
47		* <p/>
48		* The {@link #getValidationProtocol() validationProtocol} is {@code CAS} by default, which indicates that a
49		* a {@link org.jasig.cas.client.validation.Cas20ServiceTicketValidator Cas20ServiceTicketValidator}
50		* will be used for ticket validation. You can alternatively set
51		* or {@link org.jasig.cas.client.validation.Saml11TicketValidator Saml11TicketValidator} of CAS client. It is based on
52		* {@link AuthorizingRealm AuthorizingRealm} for both authentication and authorization. User id and attributes are retrieved from the CAS
53		* service ticket validation response during authentication phase. Roles and permissions are computed during authorization phase (according
54		* to the attributes previously retrieved).
55		*
56		* @since 1.2
57		*/
58		public class CasRealm extends AuthorizingRealm {
59
60		// default name of the CAS attribute for remember me authentication (CAS 3.4.10+)
61		public static final String DEFAULT_REMEMBER_ME_ATTRIBUTE_NAME = "longTermAuthenticationRequestTokenUsed";
62		public static final String DEFAULT_VALIDATION_PROTOCOL = "CAS";
63
64	1	private static Logger log = LoggerFactory.getLogger(CasRealm.class);
65
66		// this is the url of the CAS server (example : http://host:port/cas)
67		private String casServerUrlPrefix;
68
69		// this is the CAS service url of the application (example : http://host:port/mycontextpath/shiro-cas)
70		private String casService;
71
72		/* CAS protocol to use for ticket validation : CAS (default) or SAML :
73		- CAS protocol can be used with CAS server version < 3.1 : in this case, no user attributes can be retrieved from the CAS ticket validation response (except if there are some customizations on CAS server side)
74		- SAML protocol can be used with CAS server version >= 3.1 : in this case, user attributes can be extracted from the CAS ticket validation response
75		*/
76	8	private String validationProtocol = DEFAULT_VALIDATION_PROTOCOL;
77
78		// default name of the CAS attribute for remember me authentication (CAS 3.4.10+)
79	8	private String rememberMeAttributeName = DEFAULT_REMEMBER_ME_ATTRIBUTE_NAME;
80
81		// this class from the CAS client is used to validate a service ticket on CAS server
82		private TicketValidator ticketValidator;
83
84		// default roles to applied to authenticated user
85		private String defaultRoles;
86
87		// default permissions to applied to authenticated user
88		private String defaultPermissions;
89
90		// names of attributes containing roles
91		private String roleAttributeNames;
92
93		// names of attributes containing permissions
94		private String permissionAttributeNames;
95
96	8	public CasRealm() {
97	8	setAuthenticationTokenClass(CasToken.class);
98	8	}
99
100		@Override
101		protected void onInit() {
102	0	super.onInit();
103	0	ensureTicketValidator();
104	0	}
105
106		protected TicketValidator ensureTicketValidator() {
107	8	if (this.ticketValidator == null) {
108	0	this.ticketValidator = createTicketValidator();
109		}
110	8	return this.ticketValidator;
111		}
112
113		protected TicketValidator createTicketValidator() {
114	0	String urlPrefix = getCasServerUrlPrefix();
115	0	if ("saml".equalsIgnoreCase(getValidationProtocol())) {
116	0	return new Saml11TicketValidator(urlPrefix);
117		}
118	0	return new Cas20ServiceTicketValidator(urlPrefix);
119		}
120
121		/**
122		* Authenticates a user and retrieves its information.
123		*
124		* @param token the authentication token
125		* @throws AuthenticationException if there is an error during authentication.
126		*/
127		@Override
128		@SuppressWarnings("unchecked")
129		protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
130	8	CasToken casToken = (CasToken) token;
131	8	if (token == null) {
132	0	return null;
133		}
134
135	8	String ticket = (String)casToken.getCredentials();
136	8	if (!StringUtils.hasText(ticket)) {
137	0	return null;
138		}
139
140	8	TicketValidator ticketValidator = ensureTicketValidator();
141
142		try {
143		// contact CAS server to validate service ticket
144	8	Assertion casAssertion = ticketValidator.validate(ticket, getCasService());
145		// get principal, user id and attributes
146	8	AttributePrincipal casPrincipal = casAssertion.getPrincipal();
147	8	String userId = casPrincipal.getName();
148	8	log.debug("Validate ticket : {} in CAS server : {} to retrieve user : {}", new Object[]{
149		ticket, getCasServerUrlPrefix(), userId
150		});
151
152	8	Map<String, Object> attributes = casPrincipal.getAttributes();
153		// refresh authentication token (user id + remember me)
154	8	casToken.setUserId(userId);
155	8	String rememberMeAttributeName = getRememberMeAttributeName();
156	8	String rememberMeStringValue = (String)attributes.get(rememberMeAttributeName);
157	8	boolean isRemembered = rememberMeStringValue != null && Boolean.parseBoolean(rememberMeStringValue);
158	8	if (isRemembered) {
159	2	casToken.setRememberMe(true);
160		}
161		// create simple authentication info
162	8	List<Object> principals = CollectionUtils.asList(userId, attributes);
163	8	PrincipalCollection principalCollection = new SimplePrincipalCollection(principals, getName());
164	8	return new SimpleAuthenticationInfo(principalCollection, ticket);
165	0	} catch (TicketValidationException e) {
166	0	throw new CasAuthenticationException("Unable to validate ticket [" + ticket + "]", e);
167		}
168		}
169
170		/**
171		* Retrieves the AuthorizationInfo for the given principals (the CAS previously authenticated user : id + attributes).
172		*
173		* @param principals the primary identifying principals of the AuthorizationInfo that should be retrieved.
174		* @return the AuthorizationInfo associated with this principals.
175		*/
176		@Override
177		@SuppressWarnings("unchecked")
178		protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
179		// retrieve user information
180	8	SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals;
181	8	List<Object> listPrincipals = principalCollection.asList();
182	8	Map<String, String> attributes = (Map<String, String>) listPrincipals.get(1);
183		// create simple authorization info
184	8	SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo();
185		// add default roles
186	8	addRoles(simpleAuthorizationInfo, split(defaultRoles));
187		// add default permissions
188	8	addPermissions(simpleAuthorizationInfo, split(defaultPermissions));
189		// get roles from attributes
190	8	List<String> attributeNames = split(roleAttributeNames);
191	8	for (String attributeName : attributeNames) {
192	3	String value = attributes.get(attributeName);
193	3	addRoles(simpleAuthorizationInfo, split(value));
194	3	}
195		// get permissions from attributes
196	8	attributeNames = split(permissionAttributeNames);
197	8	for (String attributeName : attributeNames) {
198	3	String value = attributes.get(attributeName);
199	3	addPermissions(simpleAuthorizationInfo, split(value));
200	3	}
201	8	return simpleAuthorizationInfo;
202		}
203
204		/**
205		* Split a string into a list of not empty and trimmed strings, delimiter is a comma.
206		*
207		* @param s the input string
208		* @return the list of not empty and trimmed strings
209		*/
210		private List<String> split(String s) {
211	38	List<String> list = new ArrayList<String>();
212	38	String[] elements = StringUtils.split(s, ',');
213	38	if (elements != null && elements.length > 0) {
214	36	for (String element : elements) {
215	22	if (StringUtils.hasText(element)) {
216	22	list.add(element.trim());
217		}
218		}
219		}
220	38	return list;
221		}
222
223		/**
224		* Add roles to the simple authorization info.
225		*
226		* @param simpleAuthorizationInfo
227		* @param roles the list of roles to add
228		*/
229		private void addRoles(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> roles) {
230	11	for (String role : roles) {
231	8	simpleAuthorizationInfo.addRole(role);
232		}
233	11	}
234
235		/**
236		* Add permissions to the simple authorization info.
237		*
238		* @param simpleAuthorizationInfo
239		* @param permissions the list of permissions to add
240		*/
241		private void addPermissions(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> permissions) {
242	11	for (String permission : permissions) {
243	8	simpleAuthorizationInfo.addStringPermission(permission);
244		}
245	11	}
246
247		public String getCasServerUrlPrefix() {
248	8	return casServerUrlPrefix;
249		}
250
251		public void setCasServerUrlPrefix(String casServerUrlPrefix) {
252	0	this.casServerUrlPrefix = casServerUrlPrefix;
253	0	}
254
255		public String getCasService() {
256	8	return casService;
257		}
258
259		public void setCasService(String casService) {
260	0	this.casService = casService;
261	0	}
262
263		public String getValidationProtocol() {
264	0	return validationProtocol;
265		}
266
267		public void setValidationProtocol(String validationProtocol) {
268	0	this.validationProtocol = validationProtocol;
269	0	}
270
271		public String getRememberMeAttributeName() {
272	9	return rememberMeAttributeName;
273		}
274
275		public void setRememberMeAttributeName(String rememberMeAttributeName) {
276	1	this.rememberMeAttributeName = rememberMeAttributeName;
277	1	}
278
279		public String getDefaultRoles() {
280	0	return defaultRoles;
281		}
282
283		public void setDefaultRoles(String defaultRoles) {
284	2	this.defaultRoles = defaultRoles;
285	2	}
286
287		public String getDefaultPermissions() {
288	0	return defaultPermissions;
289		}
290
291		public void setDefaultPermissions(String defaultPermissions) {
292	2	this.defaultPermissions = defaultPermissions;
293	2	}
294
295		public String getRoleAttributeNames() {
296	0	return roleAttributeNames;
297		}
298
299		public void setRoleAttributeNames(String roleAttributeNames) {
300	2	this.roleAttributeNames = roleAttributeNames;
301	2	}
302
303		public String getPermissionAttributeNames() {
304	0	return permissionAttributeNames;
305		}
306
307		public void setPermissionAttributeNames(String permissionAttributeNames) {
308	2	this.permissionAttributeNames = permissionAttributeNames;
309	2	}
310		}