1 | |
|
2 | |
|
3 | |
|
4 | |
|
5 | |
|
6 | |
|
7 | |
|
8 | |
|
9 | |
|
10 | |
|
11 | |
|
12 | |
|
13 | |
|
14 | |
|
15 | |
|
16 | |
|
17 | |
|
18 | |
|
19 | |
package org.apache.shiro.cas; |
20 | |
|
21 | |
import org.apache.shiro.authc.AuthenticationException; |
22 | |
import org.apache.shiro.authc.AuthenticationInfo; |
23 | |
import org.apache.shiro.authc.AuthenticationToken; |
24 | |
import org.apache.shiro.authc.SimpleAuthenticationInfo; |
25 | |
import org.apache.shiro.authz.AuthorizationInfo; |
26 | |
import org.apache.shiro.authz.SimpleAuthorizationInfo; |
27 | |
import org.apache.shiro.realm.AuthorizingRealm; |
28 | |
import org.apache.shiro.subject.PrincipalCollection; |
29 | |
import org.apache.shiro.subject.SimplePrincipalCollection; |
30 | |
import org.apache.shiro.util.CollectionUtils; |
31 | |
import org.apache.shiro.util.StringUtils; |
32 | |
import org.jasig.cas.client.authentication.AttributePrincipal; |
33 | |
import org.jasig.cas.client.validation.*; |
34 | |
import org.slf4j.Logger; |
35 | |
import org.slf4j.LoggerFactory; |
36 | |
|
37 | |
import java.util.ArrayList; |
38 | |
import java.util.List; |
39 | |
import java.util.Map; |
40 | |
|
41 | |
|
42 | |
|
43 | |
|
44 | |
|
45 | |
|
46 | |
|
47 | |
|
48 | |
|
49 | |
|
50 | |
|
51 | |
|
52 | |
|
53 | |
|
54 | |
|
55 | |
|
56 | |
|
57 | |
|
58 | |
public class CasRealm extends AuthorizingRealm { |
59 | |
|
60 | |
|
61 | |
public static final String DEFAULT_REMEMBER_ME_ATTRIBUTE_NAME = "longTermAuthenticationRequestTokenUsed"; |
62 | |
public static final String DEFAULT_VALIDATION_PROTOCOL = "CAS"; |
63 | |
|
64 | 1 | private static Logger log = LoggerFactory.getLogger(CasRealm.class); |
65 | |
|
66 | |
|
67 | |
private String casServerUrlPrefix; |
68 | |
|
69 | |
|
70 | |
private String casService; |
71 | |
|
72 | |
|
73 | |
|
74 | |
|
75 | |
|
76 | 8 | private String validationProtocol = DEFAULT_VALIDATION_PROTOCOL; |
77 | |
|
78 | |
|
79 | 8 | private String rememberMeAttributeName = DEFAULT_REMEMBER_ME_ATTRIBUTE_NAME; |
80 | |
|
81 | |
|
82 | |
private TicketValidator ticketValidator; |
83 | |
|
84 | |
|
85 | |
private String defaultRoles; |
86 | |
|
87 | |
|
88 | |
private String defaultPermissions; |
89 | |
|
90 | |
|
91 | |
private String roleAttributeNames; |
92 | |
|
93 | |
|
94 | |
private String permissionAttributeNames; |
95 | |
|
96 | 8 | public CasRealm() { |
97 | 8 | setAuthenticationTokenClass(CasToken.class); |
98 | 8 | } |
99 | |
|
100 | |
@Override |
101 | |
protected void onInit() { |
102 | 0 | super.onInit(); |
103 | 0 | ensureTicketValidator(); |
104 | 0 | } |
105 | |
|
106 | |
protected TicketValidator ensureTicketValidator() { |
107 | 8 | if (this.ticketValidator == null) { |
108 | 0 | this.ticketValidator = createTicketValidator(); |
109 | |
} |
110 | 8 | return this.ticketValidator; |
111 | |
} |
112 | |
|
113 | |
protected TicketValidator createTicketValidator() { |
114 | 0 | String urlPrefix = getCasServerUrlPrefix(); |
115 | 0 | if ("saml".equalsIgnoreCase(getValidationProtocol())) { |
116 | 0 | return new Saml11TicketValidator(urlPrefix); |
117 | |
} |
118 | 0 | return new Cas20ServiceTicketValidator(urlPrefix); |
119 | |
} |
120 | |
|
121 | |
|
122 | |
|
123 | |
|
124 | |
|
125 | |
|
126 | |
|
127 | |
@Override |
128 | |
@SuppressWarnings("unchecked") |
129 | |
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { |
130 | 8 | CasToken casToken = (CasToken) token; |
131 | 8 | if (token == null) { |
132 | 0 | return null; |
133 | |
} |
134 | |
|
135 | 8 | String ticket = (String)casToken.getCredentials(); |
136 | 8 | if (!StringUtils.hasText(ticket)) { |
137 | 0 | return null; |
138 | |
} |
139 | |
|
140 | 8 | TicketValidator ticketValidator = ensureTicketValidator(); |
141 | |
|
142 | |
try { |
143 | |
|
144 | 8 | Assertion casAssertion = ticketValidator.validate(ticket, getCasService()); |
145 | |
|
146 | 8 | AttributePrincipal casPrincipal = casAssertion.getPrincipal(); |
147 | 8 | String userId = casPrincipal.getName(); |
148 | 8 | log.debug("Validate ticket : {} in CAS server : {} to retrieve user : {}", new Object[]{ |
149 | |
ticket, getCasServerUrlPrefix(), userId |
150 | |
}); |
151 | |
|
152 | 8 | Map<String, Object> attributes = casPrincipal.getAttributes(); |
153 | |
|
154 | 8 | casToken.setUserId(userId); |
155 | 8 | String rememberMeAttributeName = getRememberMeAttributeName(); |
156 | 8 | String rememberMeStringValue = (String)attributes.get(rememberMeAttributeName); |
157 | 8 | boolean isRemembered = rememberMeStringValue != null && Boolean.parseBoolean(rememberMeStringValue); |
158 | 8 | if (isRemembered) { |
159 | 2 | casToken.setRememberMe(true); |
160 | |
} |
161 | |
|
162 | 8 | List<Object> principals = CollectionUtils.asList(userId, attributes); |
163 | 8 | PrincipalCollection principalCollection = new SimplePrincipalCollection(principals, getName()); |
164 | 8 | return new SimpleAuthenticationInfo(principalCollection, ticket); |
165 | 0 | } catch (TicketValidationException e) { |
166 | 0 | throw new CasAuthenticationException("Unable to validate ticket [" + ticket + "]", e); |
167 | |
} |
168 | |
} |
169 | |
|
170 | |
|
171 | |
|
172 | |
|
173 | |
|
174 | |
|
175 | |
|
176 | |
@Override |
177 | |
@SuppressWarnings("unchecked") |
178 | |
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { |
179 | |
|
180 | 8 | SimplePrincipalCollection principalCollection = (SimplePrincipalCollection) principals; |
181 | 8 | List<Object> listPrincipals = principalCollection.asList(); |
182 | 8 | Map<String, String> attributes = (Map<String, String>) listPrincipals.get(1); |
183 | |
|
184 | 8 | SimpleAuthorizationInfo simpleAuthorizationInfo = new SimpleAuthorizationInfo(); |
185 | |
|
186 | 8 | addRoles(simpleAuthorizationInfo, split(defaultRoles)); |
187 | |
|
188 | 8 | addPermissions(simpleAuthorizationInfo, split(defaultPermissions)); |
189 | |
|
190 | 8 | List<String> attributeNames = split(roleAttributeNames); |
191 | 8 | for (String attributeName : attributeNames) { |
192 | 3 | String value = attributes.get(attributeName); |
193 | 3 | addRoles(simpleAuthorizationInfo, split(value)); |
194 | 3 | } |
195 | |
|
196 | 8 | attributeNames = split(permissionAttributeNames); |
197 | 8 | for (String attributeName : attributeNames) { |
198 | 3 | String value = attributes.get(attributeName); |
199 | 3 | addPermissions(simpleAuthorizationInfo, split(value)); |
200 | 3 | } |
201 | 8 | return simpleAuthorizationInfo; |
202 | |
} |
203 | |
|
204 | |
|
205 | |
|
206 | |
|
207 | |
|
208 | |
|
209 | |
|
210 | |
private List<String> split(String s) { |
211 | 38 | List<String> list = new ArrayList<String>(); |
212 | 38 | String[] elements = StringUtils.split(s, ','); |
213 | 38 | if (elements != null && elements.length > 0) { |
214 | 36 | for (String element : elements) { |
215 | 22 | if (StringUtils.hasText(element)) { |
216 | 22 | list.add(element.trim()); |
217 | |
} |
218 | |
} |
219 | |
} |
220 | 38 | return list; |
221 | |
} |
222 | |
|
223 | |
|
224 | |
|
225 | |
|
226 | |
|
227 | |
|
228 | |
|
229 | |
private void addRoles(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> roles) { |
230 | 11 | for (String role : roles) { |
231 | 8 | simpleAuthorizationInfo.addRole(role); |
232 | 8 | } |
233 | 11 | } |
234 | |
|
235 | |
|
236 | |
|
237 | |
|
238 | |
|
239 | |
|
240 | |
|
241 | |
private void addPermissions(SimpleAuthorizationInfo simpleAuthorizationInfo, List<String> permissions) { |
242 | 11 | for (String permission : permissions) { |
243 | 8 | simpleAuthorizationInfo.addStringPermission(permission); |
244 | 8 | } |
245 | 11 | } |
246 | |
|
247 | |
public String getCasServerUrlPrefix() { |
248 | 8 | return casServerUrlPrefix; |
249 | |
} |
250 | |
|
251 | |
public void setCasServerUrlPrefix(String casServerUrlPrefix) { |
252 | 0 | this.casServerUrlPrefix = casServerUrlPrefix; |
253 | 0 | } |
254 | |
|
255 | |
public String getCasService() { |
256 | 8 | return casService; |
257 | |
} |
258 | |
|
259 | |
public void setCasService(String casService) { |
260 | 0 | this.casService = casService; |
261 | 0 | } |
262 | |
|
263 | |
public String getValidationProtocol() { |
264 | 0 | return validationProtocol; |
265 | |
} |
266 | |
|
267 | |
public void setValidationProtocol(String validationProtocol) { |
268 | 0 | this.validationProtocol = validationProtocol; |
269 | 0 | } |
270 | |
|
271 | |
public String getRememberMeAttributeName() { |
272 | 9 | return rememberMeAttributeName; |
273 | |
} |
274 | |
|
275 | |
public void setRememberMeAttributeName(String rememberMeAttributeName) { |
276 | 1 | this.rememberMeAttributeName = rememberMeAttributeName; |
277 | 1 | } |
278 | |
|
279 | |
public String getDefaultRoles() { |
280 | 0 | return defaultRoles; |
281 | |
} |
282 | |
|
283 | |
public void setDefaultRoles(String defaultRoles) { |
284 | 2 | this.defaultRoles = defaultRoles; |
285 | 2 | } |
286 | |
|
287 | |
public String getDefaultPermissions() { |
288 | 0 | return defaultPermissions; |
289 | |
} |
290 | |
|
291 | |
public void setDefaultPermissions(String defaultPermissions) { |
292 | 2 | this.defaultPermissions = defaultPermissions; |
293 | 2 | } |
294 | |
|
295 | |
public String getRoleAttributeNames() { |
296 | 0 | return roleAttributeNames; |
297 | |
} |
298 | |
|
299 | |
public void setRoleAttributeNames(String roleAttributeNames) { |
300 | 2 | this.roleAttributeNames = roleAttributeNames; |
301 | 2 | } |
302 | |
|
303 | |
public String getPermissionAttributeNames() { |
304 | 0 | return permissionAttributeNames; |
305 | |
} |
306 | |
|
307 | |
public void setPermissionAttributeNames(String permissionAttributeNames) { |
308 | 2 | this.permissionAttributeNames = permissionAttributeNames; |
309 | 2 | } |
310 | |
} |