thredds.servlet.restrict

Class CASAuthorizer

java.lang.Object

thredds.servlet.restrict.CASAuthorizer

All Implemented Interfaces:

Authorizer

public class CASAuthorizer
extends Object
implements Authorizer

Protects web-accessible resources with CAS.

The following filter initialization parameters are declared in web.xml:

• edu.yale.its.tp.cas.client.filter.loginUrl: URL to login page on CAS server. (Required)
• edu.yale.its.tp.cas.client.filter.validateUrl: URL to validation URL on CAS server. (Required)
• edu.yale.its.tp.cas.client.filter.serviceUrl: URL of this service. (Required if serverName is not specified)
• edu.yale.its.tp.cas.client.filter.serverName: full hostname with port number (e.g. www.foo.com:8080). Port number isn't required if it is standard (80 for HTTP, 443 for HTTPS). (Required if serviceUrl is not specified)
• edu.yale.its.tp.cas.client.filter.authorizedProxy: whitespace-delimited list of valid proxies through which authentication may have proceeded. One one proxy must match. (Optional. If nothing is specified, the filter will only accept service tickets – not proxy tickets.)
• edu.yale.its.tp.cas.client.filter.proxyCallbackUrl: URL of local proxy callback listener used to acquire PGT/PGTIOU. (Optional.)
• edu.yale.its.tp.cas.client.filter.renew: value of CAS "renew" parameter. Bypasses single sign-on and requires user to provide CAS with his/her credentials again. (Optional. If nothing is specified, this defaults to false.)
• edu.yale.its.tp.cas.client.filter.gateway: value of CAS "gateway" parameter. Redirects initial call through CAS and if the user has logged in, validates the ticket on return. If the user has not logged in, returns to the web application without setting the CAS_FILTER_USER variable. Note that once a redirect through CAS has occurred, the filter will not automatically try again to log the user in. You can then either provide an explicit CAS login link (https://cas-server/cas/login?service=http://your-app) or set up two instances of the filter mapped to different paths. One instance would have gateway=true, the other wouldn't. When you need the user to be logged in, direct him/her to the path of the other filter.
• edu.yale.its.tp.cas.client.filter.wrapRequest: wrap the HttpServletRequest object, overriding the getRemoteUser() method. When set to "true", request.getRemoteUser() will return the username of the currently logged-in CAS user. (Optional. If nothing is specified, this defaults to false.)

The logged-in username is set in the session attribute defined by the value of CAS_FILTER_USER and may be accessed from within your application either by setting wrapRequest and calling request.getRemoteUser(), or by calling session.getAttribute(CASFilter.CAS_FILTER_USER).

If proxyCallbackUrl is set, the URL will be passed to CAS upon validation. If the callback URL is valid, it will receive a CAS PGT and a PGTIOU. The PGTIOU will be returned to this filter and will be accessible through the session attribute, CASFilter.CAS_FILTER_PGTIOU. You may then acquire proxy tickets to other services by calling edu.yale.its.tp.cas.proxy.ProxyTicketReceptor.getProxyTicket(pgtIou, targetService).

Author:

Shawn Bayern, Drew Mazurek, andrew.petro@yale.edu

modified for TDS jcaron 1/23/07

Field Summary

Fields

Modifier and Type	Field and Description
static String	AUTHORIZED_PROXY_INIT_PARAM The name of the filter initialization parameter the value of which must be a whitespace delimited list of services (ProxyTicketReceptors) authorized to proxy authentication to the service filtered by this Filter.
static String	CAS_FILTER_RECEIPT Session attribute in which the CASReceipt is stored.
static String	CAS_FILTER_USER Session attribute in which the username is stored.
static String	GATEWAY_INIT_PARAM The name of the filter initialization parameter the value of which is the value the Filter should send for the gateway parameter on the CAS login request.
static String	LOGIN_INIT_PARAM The name of the filter initialization parameter the value of which should be the https: address of the CAS Login servlet.
static String	PROXY_CALLBACK_INIT_PARAM The name of the filter initialization parameter the value of which must be the https: URL to which CAS should send Proxy Granting Tickets when this filter validates tickets.
static String	RENEW_INIT_PARAM The name of the filter initialization parameter the value of which must be the String that should be sent as the "renew" parameter on the request for login and validation.
static String	SERVERNAME_INIT_PARAM The name of the filter initialization parameter the vlaue of which must be the server name, e.g.
static String	SERVICE_INIT_PARAM The name of the filter initialization parameter the value of which must be the address of the service this filter is filtering.
static String	VALIDATE_INIT_PARAM The name of the filter initialization parameter the value of which must be the https: address of the CAS Validate servlet.
static String	WRAP_REQUESTS_INIT_PARAM The name of the filter initialization parameter the value of which indicates whether this filter should wrap requests to expose the authenticated username.

Constructor Summary

Constructors

Constructor and Description
CASAuthorizer()

Method Summary

Methods

Modifier and Type	Method and Description
boolean	authorize(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, String role) Decide is this request is authorized in the named role.
void	destroy()
void	doGet(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse res) Process this request.
void	init(javax.servlet.http.HttpServlet config) Initialize with servlet parameters.
void	setRoleSource(RoleSource db) Set the role source, if there is one.
String	toString()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

LOGIN_INIT_PARAM

public static final String LOGIN_INIT_PARAM

The name of the filter initialization parameter the value of which should be the https: address of the CAS Login servlet. Optional parameter, but required for successful redirection of unauthenticated requests to authentication.

See Also:

Constant Field Values

VALIDATE_INIT_PARAM

public static final String VALIDATE_INIT_PARAM

The name of the filter initialization parameter the value of which must be the https: address of the CAS Validate servlet. Must be a CAS 2.0 validate servlet (CAS 1.0 non-XML won't suffice). Required parameter.

See Also:

Constant Field Values

SERVICE_INIT_PARAM

public static final String SERVICE_INIT_PARAM

The name of the filter initialization parameter the value of which must be the address of the service this filter is filtering. The filter will use this as the service parameter for CAS login and validation. Either this parameter or SERVERNAME_INIT_PARAM must be set.

See Also:

Constant Field Values

SERVERNAME_INIT_PARAM

public static final String SERVERNAME_INIT_PARAM

The name of the filter initialization parameter the vlaue of which must be the server name, e.g. www.yale.edu , of the service this filter is filtering. The filter will construct from this name and the request the full service parameter for CAS login and validation.

See Also:

Constant Field Values

RENEW_INIT_PARAM

public static final String RENEW_INIT_PARAM

The name of the filter initialization parameter the value of which must be the String that should be sent as the "renew" parameter on the request for login and validation. This should either be "true" or not be set. It is mutually exclusive with GATEWAY.

See Also:

Constant Field Values

AUTHORIZED_PROXY_INIT_PARAM

public static final String AUTHORIZED_PROXY_INIT_PARAM

The name of the filter initialization parameter the value of which must be a whitespace delimited list of services (ProxyTicketReceptors) authorized to proxy authentication to the service filtered by this Filter. These must be https: URLs. This parameter is optional - not setting it results in no proxy tickets being acceptable.

See Also:

Constant Field Values

PROXY_CALLBACK_INIT_PARAM

public static final String PROXY_CALLBACK_INIT_PARAM

The name of the filter initialization parameter the value of which must be the https: URL to which CAS should send Proxy Granting Tickets when this filter validates tickets.

See Also:

Constant Field Values

WRAP_REQUESTS_INIT_PARAM

public static final String WRAP_REQUESTS_INIT_PARAM

The name of the filter initialization parameter the value of which indicates whether this filter should wrap requests to expose the authenticated username.

See Also:

Constant Field Values

GATEWAY_INIT_PARAM

public static final String GATEWAY_INIT_PARAM

The name of the filter initialization parameter the value of which is the value the Filter should send for the gateway parameter on the CAS login request.

See Also:

Constant Field Values

CAS_FILTER_USER

public static final String CAS_FILTER_USER

Session attribute in which the username is stored.

See Also:

Constant Field Values

CAS_FILTER_RECEIPT

public static final String CAS_FILTER_RECEIPT

Session attribute in which the CASReceipt is stored.

See Also:

Constant Field Values

Constructor Detail

CASAuthorizer

public CASAuthorizer()

Method Detail

init

public void init(javax.servlet.http.HttpServlet config)
          throws javax.servlet.ServletException

Description copied from interface: Authorizer

Initialize with servlet parameters.

Specified by:

init in interface Authorizer

Parameters:

config - get init parameters from here.

Throws:

javax.servlet.ServletException - if error

setRoleSource

public void setRoleSource(RoleSource db)

Description copied from interface: Authorizer

Set the role source, if there is one. If not, assume no role authentication is needed. use RoleSource.hasRole() to test for role.

Specified by:

setRoleSource in interface Authorizer

Parameters:

db - tells whether a user has the named role.

authorize

public boolean authorize(javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response,
                String role)
                  throws javax.servlet.ServletException,
                         IOException

Description copied from interface: Authorizer

Decide is this request is authorized in the named role. This method must be thread-safe.

Specified by:

authorize in interface Authorizer

Parameters:

request - the request

response - the response

role - need this role

Returns:

true if user is authenticated. if false, must set res.setStatus().

Throws:

javax.servlet.ServletException - other errors

IOException - I/O error, eg network

doGet

public void doGet(javax.servlet.http.HttpServletRequest req,
         javax.servlet.http.HttpServletResponse res)
           throws javax.servlet.ServletException,
                  IOException

Description copied from interface: Authorizer

Process this request. May be a no-op.

Specified by:

doGet in interface Authorizer

Parameters:

req - the request

res - the response

Throws:

javax.servlet.ServletException - other errors

IOException - I/O error, eg network

toString

public String toString()

Overrides:

toString in class Object

destroy

public void destroy()