SEC-852

provided mechanism to do get a proxy ticket

cas/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java

@@ -15,6 +15,11 @@
 
 package org.springframework.security.ui.cas;
 
+import java.io.IOException;
+
+import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
+import org.jasig.cas.client.util.CommonUtils;
+import org.jasig.cas.client.validation.TicketValidator;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
 
@@ -24,6 +29,7 @@ import org.springframework.security.ui.AbstractProcessingFilter;
 import org.springframework.security.ui.FilterChainOrder;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 
 /**
@@ -38,6 +44,10 @@ import javax.servlet.http.HttpServletRequest;
  *  <p>The configured <code>AuthenticationManager</code> is expected to provide a provider that can recognise
  * <code>UsernamePasswordAuthenticationToken</code>s containing this special <code>principal</code> name, and process
  * them accordingly by validation with the CAS server.</p>
+ * <p>By configuring a shared {@link ProxyGrantingTicketStorage} between the {@link TicketValidator} and the CasProcessingFilter
+ * one can have the CasProcessingFilter handle the proxying requirements for CAS.  In addition, the URI endpoint for the proxying
+ * would also need to be configured (i.e. the part after protocol, hostname, and port).
+ * 
  * <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
  * org.springframework.security.util.FilterToBeanProxy}.</p>
  *
@@ -57,8 +67,17 @@ public class CasProcessingFilter extends AbstractProcessingFilter {
      */
     public static final String CAS_STATELESS_IDENTIFIER = "_cas_stateless_";
 
-    //~ Methods ========================================================================================================
+    /**
+     * The last portion of the receptor url, i.e. /proxy/receptor
+     */
+    private String proxyReceptorUrl;
     
+    /**
+     * The backing storage to store ProxyGrantingTicket requests.
+     */
+    private ProxyGrantingTicketStorage proxyGrantingTicketStorage;
+
+    //~ Methods ========================================================================================================  
     public Authentication attemptAuthentication(final HttpServletRequest request)
         throws AuthenticationException {
         final String username = CAS_STATEFUL_IDENTIFIER;
@@ -87,4 +106,35 @@ public class CasProcessingFilter extends AbstractProcessingFilter {
     public int getOrder() {
         return FilterChainOrder.CAS_PROCESSING_FILTER;
     }
+    
+
+    /**
+     * Overridden to provide proxying capabilities.
+     */
+	protected boolean requiresAuthentication(final HttpServletRequest request,
+			final HttpServletResponse response) {
+		final String requestUri = request.getRequestURI();
+
+        if (CommonUtils.isEmpty(this.proxyReceptorUrl) || !requestUri.endsWith(this.proxyReceptorUrl) || this.proxyGrantingTicketStorage == null) {
+        	return super.requiresAuthentication(request, response);
+        }
+
+        try {
+        	CommonUtils.readAndRespondToProxyReceptorRequest(request, response, this.proxyGrantingTicketStorage);
+        	return false;
+        } catch (final IOException e) {
+        	return super.requiresAuthentication(request, response);
+        }
+	}
+
+	public final void setProxyReceptorUrl(final String proxyReceptorUrl) {
+		this.proxyReceptorUrl = proxyReceptorUrl;
+	}
+
+	public final void setProxyGrantingTicketStorage(
+			final ProxyGrantingTicketStorage proxyGrantingTicketStorage) {
+		this.proxyGrantingTicketStorage = proxyGrantingTicketStorage;
+	}
+	
+	
 }

samples/cas/Readme.txt

@@ -10,11 +10,11 @@ client - this contains the actual sample web application which uses the cas serv
 Running the CAS Server
 -----------------------
 
-You first need to download the CAS server 3.2 distribution from
+You first need to download the CAS server 3.2.1 distribution from
 
 http://www.ja-sig.org/products/cas/downloads/index.html
 
-You only need the modules/cas-server-webapp-3.2.war web application file from the distribution. Copy this to the
+You only need the modules/cas-server-webapp-3.2.1.war web application file from the distribution. Copy this to the
 "server" directory inside the one that contains this readme file (i.e. copy it to samples/cas/server).
 
 You can then run the CAS server (from the same) by executing the maven command
@@ -34,7 +34,7 @@ Running the Client Application
 Leave the server running and start up a separate command window to run the sample application. Change to the directory
 samples/cas/client and execute the command
 
-mvn:jetty-run
+mvn jetty:run
 
 
 This should start the sample application on

samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml

@@ -11,7 +11,6 @@
         <sec:logout />
     </sec:http>
 
-
     <sec:authentication-manager alias="authenticationManager"/>
 
     <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
@@ -19,6 +18,8 @@
         <property name="authenticationManager" ref="authenticationManager"/>
         <property name="authenticationFailureUrl" value="/casfailed.jsp"/>
         <property name="defaultTargetUrl" value="/"/>
+        <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
+        <property name="proxyReceptorUrl" value="/secure/receptor" />
     </bean>
 
     <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
@@ -33,11 +34,15 @@
         <property name="ticketValidator">
         	<bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
         		<constructor-arg index="0" value="https://localhost:9443/cas" />
+        		<property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage" />
+        		<property name="proxyCallbackUrl" value="https://localhost:8443/cas-sample/secure/receptor" />
             </bean>
         </property>
         <property name="key" value="an_id_for_this_auth_provider_only"/>
     </bean>
     
+    <bean id="proxyGrantingTicketStorage" class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
+
     <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
         <property name="service" value="https://localhost:8443/cas-sample/j_spring_cas_security_check"/>
         <property name="sendRenew" value="false"/>
@@ -48,5 +53,4 @@
         <sec:user name="dianne" password="dianne" authorities="ROLE_USER" />
         <sec:user name="scott" password="scott" authorities="ROLE_USER" />
     </sec:user-service>
-
 </beans>

samples/cas/server/pom.xml

@@ -17,7 +17,7 @@
                 <version>6.1.7</version>
                 <configuration>
                     <contextPath>/cas</contextPath>
-                    <webApp>${basedir}/cas-server-webapp-3.2.war</webApp>
+                    <webApp>${basedir}/cas-server-webapp-3.2.1.war</webApp>
                     <connectors>
                         <connector implementation="org.mortbay.jetty.security.SslSocketConnector">
                             <port>9443</port>
@@ -30,6 +30,16 @@
                             <needClientAuth>false</needClientAuth>
                         </connector>
                     </connectors>
+			         <systemProperties>
+			            <systemProperty>
+			              <name>javax.net.ssl.trustStore</name>
+			               <value>../../certificates/server.jks</value>
+			            </systemProperty>
+			            <systemProperty>
+			            	<name>javax.net.ssl.trustStorePassword</name>
+			            	<value>password</value>
+			            </systemProperty>
+					</systemProperties>
                 </configuration>
             </plugin>
         </plugins>