org.jasig.cas

Class CentralAuthenticationServiceImpl

java.lang.Object

org.jasig.cas.CentralAuthenticationServiceImpl

All Implemented Interfaces:

CentralAuthenticationService

public final class CentralAuthenticationServiceImpl
extends Object
implements CentralAuthenticationService

Concrete implementation of a CentralAuthenticationService, and also the central, organizing component of CAS's internal implementation.

This class is threadsafe.

This class has the following properties that must be set:

• ticketRegistry - The Ticket Registry to maintain the list of available tickets.
• serviceTicketRegistry - Provides an alternative to configure separate registries for TGTs and ST in order to store them in different locations (i.e. long term memory or short-term)
• authenticationManager - The service that will handle authentication.
• ticketGrantingTicketUniqueTicketIdGenerator - Plug in to generate unique secure ids for TicketGrantingTickets.
• serviceTicketUniqueTicketIdGenerator - Plug in to generate unique secure ids for ServiceTickets.
• ticketGrantingTicketExpirationPolicy - The expiration policy for TicketGrantingTickets.
• serviceTicketExpirationPolicy - The expiration policy for ServiceTickets.

Since:

3.0

Author:

William G. Thompson, Jr., Scott Battaglia, Dmitry Kopylenko

Constructor Summary

Constructors

Constructor and Description

CentralAuthenticationServiceImpl(TicketRegistry ticketRegistry, TicketRegistry serviceTicketRegistry, AuthenticationManager authenticationManager, UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator, Map<String,UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService, ExpirationPolicy ticketGrantingTicketExpirationPolicy, ExpirationPolicy serviceTicketExpirationPolicy, ServicesManager servicesManager, LogoutManager logoutManager) Build the central authentication service implementation.

Method Summary

Methods

Modifier and Type	Method and Description
String	createTicketGrantingTicket(Credential... credentials) Create a TicketGrantingTicket by authenticating credentials.
String	delegateTicketGrantingTicket(String serviceTicketId, Credential... credentials) Delegate a TicketGrantingTicket to a Service for proxying authentication to other Services.
List<LogoutRequest>	destroyTicketGrantingTicket(String ticketGrantingTicketId) Destroy a TicketGrantingTicket and perform back channel logout.
String	grantServiceTicket(String ticketGrantingTicketId, Service service) Grants a ServiceTicket that may be used to access the given service.
String	grantServiceTicket(String ticketGrantingTicketId, Service service, Credential... credentials) Grant a ServiceTicket that may be used to access the given service by authenticating the given credentials.
void	setPersistentIdGenerator(PersistentIdGenerator persistentIdGenerator)
void	setServiceContextAuthenticationPolicyFactory(ContextualAuthenticationPolicyFactory<ServiceContext> policy)
void	setServiceTicketExpirationPolicy(ExpirationPolicy serviceTicketExpirationPolicy)
void	setTicketGrantingTicketExpirationPolicy(ExpirationPolicy ticketGrantingTicketExpirationPolicy)
Assertion	validateServiceTicket(String serviceTicketId, Service service) Validate a ServiceTicket for a particular Service.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CentralAuthenticationServiceImpl

public CentralAuthenticationServiceImpl(TicketRegistry ticketRegistry,
                                TicketRegistry serviceTicketRegistry,
                                AuthenticationManager authenticationManager,
                                UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator,
                                Map<String,UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService,
                                ExpirationPolicy ticketGrantingTicketExpirationPolicy,
                                ExpirationPolicy serviceTicketExpirationPolicy,
                                ServicesManager servicesManager,
                                LogoutManager logoutManager)

Build the central authentication service implementation.

Parameters:

ticketRegistry - the tickets registry.

serviceTicketRegistry - the service tickets registry.

authenticationManager - the authentication manager.

ticketGrantingTicketUniqueTicketIdGenerator - the TGT id generator.

uniqueTicketIdGeneratorsForService - the map with service and ticket id generators.

ticketGrantingTicketExpirationPolicy - the TGT expiration policy.

serviceTicketExpirationPolicy - the service ticket expiration policy.

servicesManager - the services manager.

logoutManager - the logout manager.

Method Detail

destroyTicketGrantingTicket

@Transactional(readOnly=false)
public List<LogoutRequest> destroyTicketGrantingTicket(String ticketGrantingTicketId)

Destroy a TicketGrantingTicket and perform back channel logout. This has the effect of invalidating any Ticket that was derived from the TicketGrantingTicket being destroyed. May throw an IllegalArgumentException if the TicketGrantingTicket ID is null. Destroy a TicketGrantingTicket and perform back channel logout. This has the effect of invalidating any Ticket that was derived from the TicketGrantingTicket being destroyed. May throw an IllegalArgumentException if the TicketGrantingTicket ID is null.

Specified by:

destroyTicketGrantingTicket in interface CentralAuthenticationService

Parameters:

ticketGrantingTicketId - the id of the ticket we want to destroy

Returns:

the logout requests.

grantServiceTicket

@Transactional(readOnly=false)
public String grantServiceTicket(String ticketGrantingTicketId,
                                      Service service,
                                      Credential... credentials)
                          throws AuthenticationException,
                                 TicketException

Description copied from interface: CentralAuthenticationService

Grant a ServiceTicket that may be used to access the given service by authenticating the given credentials. The details of the security policy around credential authentication and the definition of authentication success are dependent on the implementation, but it SHOULD be safe to assume that at least one credential MUST be authenticated for ticket creation to succeed.

The principal that is resolved from the authenticated credentials MUST be the same as that to which the given ticket-granting ticket was issued.

Specified by:

grantServiceTicket in interface CentralAuthenticationService

Parameters:

ticketGrantingTicketId - Proof of prior authentication.

service - The target service of the ServiceTicket.

credentials - One or more credentials to authenticate prior to granting the service ticket.

Returns:

Non-null service ticket identifier.

Throws:

IllegalArgumentException - if ticketGrantingTicketId or service are null.

AuthenticationException - on errors authenticating the credentials

TicketException - if the ticket could not be created.

grantServiceTicket

@Transactional(readOnly=false)
public String grantServiceTicket(String ticketGrantingTicketId,
                                      Service service)
                          throws TicketException

Description copied from interface: CentralAuthenticationService

Grants a ServiceTicket that may be used to access the given service.

Specified by:

grantServiceTicket in interface CentralAuthenticationService

Parameters:

ticketGrantingTicketId - Proof of prior authentication.

service - The target service of the ServiceTicket.

Returns:

Non-null service ticket identifier.

Throws:

TicketException - if the ticket could not be created.

delegateTicketGrantingTicket

@Transactional(readOnly=false)
public String delegateTicketGrantingTicket(String serviceTicketId,
                                                Credential... credentials)
                                    throws AuthenticationException,
                                           TicketException

Description copied from interface: CentralAuthenticationService

Delegate a TicketGrantingTicket to a Service for proxying authentication to other Services.

Specified by:

delegateTicketGrantingTicket in interface CentralAuthenticationService

Parameters:

serviceTicketId - The service ticket identifier that will delegate to a TicketGrantingTicket.

credentials - One or more credentials to authenticate prior to delegating the ticket.

Returns:

Non-null ticket-granting ticket identifier that can grant ServiceTicket that proxy authentication.

Throws:

IllegalArgumentException - if the ServiceTicketId or the Credential are null.

AuthenticationException - on errors authenticating the credentials

TicketException - if there was an error creating the ticket

validateServiceTicket

@Transactional(readOnly=false)
public Assertion validateServiceTicket(String serviceTicketId,
                                            Service service)
                                throws TicketException

Description copied from interface: CentralAuthenticationService

Validate a ServiceTicket for a particular Service.

Specified by:

validateServiceTicket in interface CentralAuthenticationService

Parameters:

serviceTicketId - Proof of prior authentication.

service - Service wishing to validate a prior authentication.

Returns:

Non-null ticket validation assertion.

Throws:

IllegalArgumentException - if the ServiceTicketId or the Service are null.

TicketException - if there was an error validating the ticket.

createTicketGrantingTicket

@Transactional(readOnly=false)
public String createTicketGrantingTicket(Credential... credentials)
                                  throws AuthenticationException,
                                         TicketException

Description copied from interface: CentralAuthenticationService

Create a TicketGrantingTicket by authenticating credentials. The details of the security policy around credential authentication and the definition of authentication success are dependent on the implementation, but it SHOULD be safe to assume that at least one credential MUST be authenticated for ticket creation to succeed.

Specified by:

createTicketGrantingTicket in interface CentralAuthenticationService

Parameters:

credentials - One or more credentials that may be authenticated in order to create the ticket.

Returns:

Non-null ticket-granting ticket identifier.

Throws:

IllegalArgumentException - if the credentials are null.

AuthenticationException - on errors authenticating the credentials

TicketException - if ticket cannot be created

setPersistentIdGenerator

public void setPersistentIdGenerator(PersistentIdGenerator persistentIdGenerator)

setServiceContextAuthenticationPolicyFactory

public void setServiceContextAuthenticationPolicyFactory(ContextualAuthenticationPolicyFactory<ServiceContext> policy)

setTicketGrantingTicketExpirationPolicy

public void setTicketGrantingTicketExpirationPolicy(ExpirationPolicy ticketGrantingTicketExpirationPolicy)

Parameters:

ticketGrantingTicketExpirationPolicy - a TGT expiration policy.

setServiceTicketExpirationPolicy

public void setServiceTicketExpirationPolicy(ExpirationPolicy serviceTicketExpirationPolicy)

Parameters:

serviceTicketExpirationPolicy - a ST expiration policy.