From 5b089aea1670fc1cd5d719aa00f2a97b68b79faa Mon Sep 17 00:00:00 2001
From: Scott Battaglia
Date: Wed, 18 Jun 2008 17:34:14 +0000
Subject: [PATCH] SEC-852 provided mechanism to do get a proxy ticket
---
 .../security/ui/cas/CasProcessingFilter.java | 54 ++++++++++++++++++-
 samples/cas/Readme.txt | 6 +--
 .../WEB-INF/applicationContext-security.xml | 16 +++---
 samples/cas/server/pom.xml | 14 ++++-
 4 files changed, 77 insertions(+), 13 deletions(-)
diff --git a/cas/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java b/cas/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java
index 579bd9f919..1860f18e76 100644
--- a/cas/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java
+++ b/cas/src/main/java/org/springframework/security/ui/cas/CasProcessingFilter.java
@@ -15,6 +15,11 @@
 package org.springframework.security.ui.cas;
+import java.io.IOException;
+
+import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
+import org.jasig.cas.client.util.CommonUtils;
+import org.jasig.cas.client.validation.TicketValidator;
 import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationException;
@@ -24,6 +29,7 @@ import org.springframework.security.ui.AbstractProcessingFilter;
 import org.springframework.security.ui.FilterChainOrder;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 /**
@@ -38,7 +44,11 @@ import javax.servlet.http.HttpServletRequest;
 *

The configured AuthenticationManager is expected to provide a provider that can recognise * UsernamePasswordAuthenticationTokens containing this special principal name, and process * them accordingly by validation with the CAS server.

- *

Do not use this class directly. Instead configure web.xml to use the {@link + *

By configuring a shared {@link ProxyGrantingTicketStorage} between the {@link TicketValidator} and the CasProcessingFilter + * one can have the CasProcessingFilter handle the proxying requirements for CAS. In addition, the URI endpoint for the proxying + * would also need to be configured (i.e. the part after protocol, hostname, and port). + * + *

Do not use this class directly. Instead configure web.xml to use the {@link * org.springframework.security.util.FilterToBeanProxy}.

* * @author Ben Alex
@@ -57,8 +67,17 @@ public class CasProcessingFilter extends AbstractProcessingFilter {
 */
 public static final String CAS_STATELESS_IDENTIFIER = "_cas_stateless_";
- //~ Methods ========================================================================================================
+ /**
+ * The last portion of the receptor url, i.e. /proxy/receptor
+ */
+ private String proxyReceptorUrl;
+
+ /**
+ * The backing storage to store ProxyGrantingTicket requests.
+ */
+ private ProxyGrantingTicketStorage proxyGrantingTicketStorage;
+ //~ Methods ========================================================================================================
 public Authentication attemptAuthentication(final HttpServletRequest request) throws AuthenticationException {
 final String username = CAS_STATEFUL_IDENTIFIER;
@@ -87,4 +106,35 @@ public class CasProcessingFilter extends AbstractProcessingFilter {
 public int getOrder() {
 return FilterChainOrder.CAS_PROCESSING_FILTER;
 }
+
+
+ /**
+ * Overridden to provide proxying capabilities.
+ */
+ protected boolean requiresAuthentication(final HttpServletRequest request,
+ final HttpServletResponse response) {
+ final String requestUri = request.getRequestURI();
+
+ if (CommonUtils.isEmpty(this.proxyReceptorUrl) || !requestUri.endsWith(this.proxyReceptorUrl) || this.proxyGrantingTicketStorage == null) {
+ return super.requiresAuthentication(request, response);
+ }
+
+ try {
+ CommonUtils.readAndRespondToProxyReceptorRequest(request, response, this.proxyGrantingTicketStorage);
+ return false;
+ } catch (final IOException e) {
+ return super.requiresAuthentication(request, response);
+ }
+ }
+
+ public final void setProxyReceptorUrl(final String proxyReceptorUrl) {
+ this.proxyReceptorUrl = proxyReceptorUrl;
+ }
+
+ public final void setProxyGrantingTicketStorage(
+ final ProxyGrantingTicketStorage proxyGrantingTicketStorage) {
+ this.proxyGrantingTicketStorage = proxyGrantingTicketStorage;
+ }
+
+
 }
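Review bot: The receptor check in requiresAuthentication uses `requestUri.endsWith(this.proxyReceptorUrl)`, so any request whose URI merely ends with the configured suffix, not only the receptor endpoint itself, is handed to `readAndRespondToProxyReceptorRequest` together with the shared ProxyGrantingTicketStorage without any authentication check; comparing the whole path, e.g. `!requestUri.equals(request.getContextPath() + this.proxyReceptorUrl)`, pins the match to one endpoint (the class Javadoc and the field comment disagree on whether proxyReceptorUrl includes the context path, so the setter Javadoc should state it). The `catch (final IOException e)` branch silently falls back to `super.requiresAuthentication` after the receptor may already have started writing the response, which hides a broken receptor from operators; at minimum log the exception there. The two new setters are public API and should each carry a one-line Javadoc stating what they configure.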
diff --git a/samples/cas/Readme.txt b/samples/cas/Readme.txt
index 4ab9cbdce7..b6345285fb 100644
--- a/samples/cas/Readme.txt
+++ b/samples/cas/Readme.txt
@@ -10,11 +10,11 @@ client - this contains the actual sample web application which uses the cas serv
 Running the CAS Server
 -----------------------
-You first need to download the CAS server 3.2 distribution from
+You first need to download the CAS server 3.2.1 distribution from
 http://www.ja-sig.org/products/cas/downloads/index.html
-You only need the modules/cas-server-webapp-3.2.war web application file from the distribution. Copy this to the
+You only need the modules/cas-server-webapp-3.2.1.war web application file from the distribution. Copy this to the
 "server" directory inside the one that contains this readme file (i.e. copy it to samples/cas/server).
 You can then run the CAS server (from the same) by executing the maven command
@@ -34,7 +34,7 @@ Running the Client Application
 Leave the server running and start up a separate command window to run the sample application.
 Change to the directory samples/cas/client and execute the command
-mvn:jetty-run
+mvn jetty:run
 This should start the sample application on
diff --git a/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml b/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml
index ebf15f93c6..4ad046f289 100644
--- a/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml
+++ b/samples/cas/client/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -11,14 +11,15 @@ - - + + +
@@ -32,11 +33,15 @@ - + + + - - + + + +
@@ -48,5 +53,4 @@ - \ No newline at end of file
diff --git a/samples/cas/server/pom.xml b/samples/cas/server/pom.xml
index 66b99da74d..4efbad9b3d 100644
--- a/samples/cas/server/pom.xml
+++ b/samples/cas/server/pom.xml
@@ -17,7 +17,7 @@ 6.1.7 /cas - ${basedir}/cas-server-webapp-3.2.war + ${basedir}/cas-server-webapp-3.2.1.war 9443 
@@ -29,7 +29,17 @@ true false - + + + + javax.net.ssl.trustStore + ../../certificates/server.jks + + + javax.net.ssl.trustStorePassword + password + +