001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied.  See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.shiro.cas;
020
021import org.apache.shiro.authc.AuthenticationException;
022import org.apache.shiro.authc.AuthenticationToken;
023import org.apache.shiro.subject.Subject;
024import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
025import org.apache.shiro.web.util.WebUtils;
026import org.slf4j.Logger;
027import org.slf4j.LoggerFactory;
028
029import javax.servlet.ServletRequest;
030import javax.servlet.ServletResponse;
031import javax.servlet.http.HttpServletRequest;
032import java.io.IOException;
033
034/**
035 * This filter validates the CAS service ticket to authenticate the user.  It must be configured on the URL recognized
036 * by the CAS server.  For example, in {@code shiro.ini}:
037 * <pre>
038 * [main]
039 * casFilter = org.apache.shiro.cas.CasFilter
040 * ...
041 *
042 * [urls]
043 * /shiro-cas = casFilter
044 * ...
045 * </pre>
046 * (example : http://host:port/mycontextpath/shiro-cas)
047 *
048 * @since 1.2
049 * @see <a href="https://github.com/bujiio/buji-pac4j">buji-pac4j</a>
050 * @deprecated replaced with Shiro integration in <a href="https://github.com/bujiio/buji-pac4j">buji-pac4j</a>.
051 */
052@Deprecated
053public class CasFilter extends AuthenticatingFilter {
054    
055    private static Logger logger = LoggerFactory.getLogger(CasFilter.class);
056    
057    // the name of the parameter service ticket in url
058    private static final String TICKET_PARAMETER = "ticket";
059    
060    // the url where the application is redirected if the CAS service ticket validation failed (example : /mycontextpatch/cas_error.jsp)
061    private String failureUrl;
062    
063    /**
064     * The token created for this authentication is a CasToken containing the CAS service ticket received on the CAS service url (on which
065     * the filter must be configured).
066     * 
067     * @param request the incoming request
068     * @param response the outgoing response
069     * @throws Exception if there is an error processing the request.
070     */
071    @Override
072    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) throws Exception {
073        HttpServletRequest httpRequest = (HttpServletRequest) request;
074        String ticket = httpRequest.getParameter(TICKET_PARAMETER);
075        return new CasToken(ticket);
076    }
077    
078    /**
079     * Execute login by creating {@link #createToken(javax.servlet.ServletRequest, javax.servlet.ServletResponse) token} and logging subject
080     * with this token.
081     * 
082     * @param request the incoming request
083     * @param response the outgoing response
084     * @throws Exception if there is an error processing the request.
085     */
086    @Override
087    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
088        return executeLogin(request, response);
089    }
090    
091    /**
092     * Returns <code>false</code> to always force authentication (user is never considered authenticated by this filter).
093     * 
094     * @param request the incoming request
095     * @param response the outgoing response
096     * @param mappedValue the filter-specific config value mapped to this filter in the URL rules mappings.
097     * @return <code>false</code>
098     */
099    @Override
100    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
101        return false;
102    }
103    
104    /**
105     * If login has been successful, redirect user to the original protected url.
106     * 
107     * @param token the token representing the current authentication
108     * @param subject the current authenticated subjet
109     * @param request the incoming request
110     * @param response the outgoing response
111     * @throws Exception if there is an error processing the request.
112     */
113    @Override
114    protected boolean onLoginSuccess(AuthenticationToken token, Subject subject, ServletRequest request,
115                                     ServletResponse response) throws Exception {
116        issueSuccessRedirect(request, response);
117        return false;
118    }
119    
120    /**
121     * If login has failed, redirect user to the CAS error page (no ticket or ticket validation failed) except if the user is already
122     * authenticated, in which case redirect to the default success url.
123     * 
124     * @param token the token representing the current authentication
125     * @param ae the current authentication exception
126     * @param request the incoming request
127     * @param response the outgoing response
128     */
129    @Override
130    protected boolean onLoginFailure(AuthenticationToken token, AuthenticationException ae, ServletRequest request,
131                                     ServletResponse response) {
132        if (logger.isDebugEnabled()) {
133            logger.debug( "Authentication exception", ae );
134        }
135        // is user authenticated or in remember me mode ?
136        Subject subject = getSubject(request, response);
137        if (subject.isAuthenticated() || subject.isRemembered()) {
138            try {
139                issueSuccessRedirect(request, response);
140            } catch (Exception e) {
141                logger.error("Cannot redirect to the default success url", e);
142            }
143        } else {
144            try {
145                WebUtils.issueRedirect(request, response, failureUrl);
146            } catch (IOException e) {
147                logger.error("Cannot redirect to failure url : {}", failureUrl, e);
148            }
149        }
150        return false;
151    }
152    
153    public void setFailureUrl(String failureUrl) {
154        this.failureUrl = failureUrl;
155    }
156}