The following is from a Spring HandlerInterceptorAdapter. The developer claims
this is sufficient to CASify his application without the need for web.xml
filter configuration. I believe this design is woefully inadequate and does
not truly CASify the application. Unfortunately this design has gained traction
amongst some developers and I need strong reasons why developers should use CAS
as designed using the CAS client and its filters. If I am wrong and this is a
sufficient design I would like to know.

If you would like to respond to me directly, please don't hesitate.

Here is the code:
// Posted interceptor fragment, re-indented: the body of preHandle() in a Spring
// HandlerInterceptorAdapter. CasSessionManager, UnauthorizedUserException,
// ldapFactory and loginManager are the poster's own application classes, whose
// definitions are not part of the post.
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.TicketValidationException;
import org.jasig.cas.client.validation.TicketValidator;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class CasInterceptor extends HandlerInterceptorAdapter {

    private TicketValidator ticketValidator; // CAS client ticket validator
    private String localServiceUrl;          // fixed service URL sent to CAS
    private String casLoginUrl;              // CAS server login URL
    // ldapFactory and loginManager are optional application collaborators;
    // their types are not given in the post.

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // See if they already have a session. If so, return true.
        // (This simply checks for a session attribute that we put on the session
        // after CAS login; it is the principal (unid).)
        if (CasSessionManager.isAuthenticated(request)) {
            Logger.getLogger(CasInterceptor.class.getName()).log(Level.FINE,
                    "Found session, allowing request.");
            return true;
        }
        // Check to see if they are attempting to validate a ticket. This would be
        // evident by a param named ticket.
        else if (request.getParameter("ticket") != null) {
            Logger.getLogger(CasInterceptor.class.getName()).log(Level.FINE,
                    "Found ticket, validating...");
            // Validate the ticket
            String myTicket = request.getParameter("ticket");
            try {
                Assertion casAssertion =
                        this.ticketValidator.validate(myTicket, localServiceUrl);
                String unid = casAssertion.getPrincipal().getName();
                // Create a session
                CasSessionManager.setUnid(request, unid);
                // If the LDAP factory is present, attempt to retrieve attributes
                // from it, and set them as a user on the session as well.
                if (this.ldapFactory != null) {
                    CasSessionManager.setUserPrivate(request,
                            this.ldapFactory.getPrivateUserByUnid(unid));
                }
                // This is where the many implementing web-apps have an opportunity
                // to do extra stuff after the login procedure succeeds.
                if (this.loginManager != null) {
                    this.loginManager.completeLoginProcedure(unid, request);
                }
                Logger.getLogger(CasInterceptor.class.getName()).log(Level.FINE,
                        "..Validation passed. Creating session.");
            } catch (TicketValidationException e) {
                Logger.getLogger(CasInterceptor.class.getName()).log(Level.FINE,
                        "..Validation failed, directing to login page.");
                // If they are not able to validate the ticket, send them away.
                response.sendRedirect(this.casLoginUrl + "?service=" + localServiceUrl);
                return false;
            } catch (UnauthorizedUserException e) {
                Logger.getLogger(CasInterceptor.class.getName()).log(Level.FINE,
                        "User was un-authorized. directing to login page.");
                // If they are not able to validate the ticket, send them away.
                response.sendRedirect(this.casLoginUrl + "?service=" + localServiceUrl);
                return false;
            }
            return true;
        }
        // Looks like they do not have a session, and they are not trying to
        // validate a ticket; send them to the login screen.
        else {
            Logger.getLogger(CasInterceptor.class.getName()).log(Level.FINE,
                    "No ticket, No Session. redirect to login");
            // First save any params for later use. This may create a session,
            // but it is not a validated session.
            CasSessionManager.setRequestParams(request);
            // Send them to the login screen.
            response.sendRedirect(this.casLoginUrl + "?service=" + localServiceUrl);
            return false;
        }
    }
}
Bryan Wooten
[email protected]
Work: 801.585.9323
Cell: 801.414.3593