/**
 * Initializes the shared single sign-out handler on first use, then lets the request
 * continue down the filter chain only when the handler does not consume it. The handler
 * reports {@code false} once it has processed a logout message from the CAS server, so
 * such requests never reach the application.
 *
 * @param servletRequest  incoming request; cast to {@link HttpServletRequest}
 * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
 * @param filterChain     the remaining filter chain
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
    final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
    final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

    // Lazy initialization: Spring Security may register this filter without ever calling
    // init(FilterConfig), so the handler is initialized on the first request instead.
    // Ideally deployers would inject a fully-initialized SingleSignOutHandler.
    // NOTE(review): getAndSet only guarantees that init() is invoked once; a concurrent
    // caller that loses the race proceeds to process() before init() has finished.
    final boolean alreadyInitialized = this.handlerInitialized.getAndSet(true);
    if (!alreadyInitialized) {
        HANDLER.init();
    }

    // false means the handler dealt with the request itself (single sign-out).
    final boolean continueChain = HANDLER.process(httpRequest, httpResponse);
    if (continueChain) {
        filterChain.doFilter(servletRequest, servletResponse);
    }
}
/**
 * Resolves the CAS pre-authenticated principal and, when one exists and a session is
 * already present, moves the CAS assertion from the request into that session and
 * registers the session with the single sign-out handler so a later logout can find it.
 *
 * <p>The request-scoped assertion attribute is removed whenever the principal is
 * {@code null} or the hand-over to the session happened; an authenticated request
 * without an existing session keeps the attribute, as in the original flow.</p>
 *
 * @param request the current request (a session is never created here)
 * @return the principal name, or {@code null} when none was established
 */
protected String getPreAuthenticatedPrincipal(HttpServletRequest request) {
    final String principal = super.getPreAuthenticatedPrincipal(request);
    final HttpSession existingSession = request.getSession(false);

    if (principal == null) {
        // Nothing authenticated: do not leave a stale assertion on the request.
        request.removeAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY);
        return null;
    }

    if (existingSession != null) {
        final Object assertion = request.getAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY);
        existingSession.setAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY, assertion);
        request.removeAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY);
        // Passes a null response: presumably this path only records the ticket-to-session
        // mapping and writes nothing to the client — confirm against the handler.
        getHandler().process(request, null);
    }

    return principal;
}
/**
 * Hands the request to the single sign-out handler and only continues down the valve
 * pipeline when the handler did not consume it.
 *
 * @param request  the Catalina request
 * @param response the Catalina response
 * @throws IOException      propagated from downstream valves
 * @throws ServletException propagated from downstream valves
 */
public void invoke(final Request request, final Response response) throws IOException, ServletException {
    final boolean proceed = this.handler.process(request, response);
    if (!proceed) {
        return; // handled here (single sign-out); the pipeline is not continued
    }
    getNext().invoke(request, response);
}
/**
 * Hands the request to the single sign-out handler and only continues down the valve
 * pipeline when the handler did not consume it.
 *
 * @param request  the Catalina request
 * @param response the Catalina response
 * @throws IOException      propagated from downstream valves
 * @throws ServletException propagated from downstream valves
 */
public void invoke(final Request request, final Response response) throws IOException, ServletException {
    final boolean proceed = this.handler.process(request, response);
    if (!proceed) {
        return; // handled here (single sign-out); the pipeline is not continued
    }
    getNext().invoke(request, response);
}
/**
 * Hands the request to the single sign-out handler and only continues down the valve
 * pipeline when the handler did not consume it.
 *
 * @param request  the Catalina request
 * @param response the Catalina response
 * @throws IOException      propagated from downstream valves
 * @throws ServletException propagated from downstream valves
 */
public void invoke(final Request request, final Response response) throws IOException, ServletException {
    final boolean proceed = this.handler.process(request, response);
    if (!proceed) {
        return; // handled here (single sign-out); the pipeline is not continued
    }
    getNext().invoke(request, response);
}
/**
 * Hands the request to the single sign-out handler and only continues down the valve
 * pipeline when the handler did not consume it.
 *
 * @param request  the Catalina request
 * @param response the Catalina response
 * @throws IOException      propagated from downstream valves
 * @throws ServletException propagated from downstream valves
 */
public void invoke(final Request request, final Response response) throws IOException, ServletException {
    final boolean proceed = this.handler.process(request, response);
    if (!proceed) {
        return; // handled here (single sign-out); the pipeline is not continued
    }
    getNext().invoke(request, response);
}
/**
 * Hands the request to the single sign-out handler and only continues down the valve
 * pipeline when the handler did not consume it.
 *
 * @param request  the Catalina request
 * @param response the Catalina response
 * @throws IOException      propagated from downstream valves
 * @throws ServletException propagated from downstream valves
 */
public void invoke(final Request request, final Response response) throws IOException, ServletException {
    final boolean proceed = this.handler.process(request, response);
    if (!proceed) {
        return; // handled here (single sign-out); the pipeline is not continued
    }
    getNext().invoke(request, response);
}
.getRequestChainByName("webLogout"); logOutChain.doLogout(getSecurityManager(), httpReq, httpRes, getName()); handler.process(httpReq, httpRes); } else LOGGER.info("Single Sign Out received from CAS server --> ignoring"); return; && session.getAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY) != null && singleSignOut) { handler.process(httpReq, httpRes);
/** A well-formed back-channel logout invalidates the mapped session and stops the chain. */
@Test
public void backChannelLogoutOK() {
    final MockHttpSession loggedOutSession = doBackChannelLogout();
    final boolean continueChain = handler.process(request, response);
    assertFalse(continueChain);
    assertTrue(loggedOutSession.isInvalid());
}
/** With a logout callback path configured, a logout message on another path is passed through untouched. */
@Test
public void backChannelLogoutDoesNotRunIfPathIsNotEligibleForLogout() {
    handler.setLogoutCallbackPath("/logout");
    request.setServletPath("/not-a-logout");
    final MockHttpSession untouchedSession = doBackChannelLogout();
    assertTrue(handler.process(request, response)); // chain continues
    assertFalse(untouchedSession.isInvalid());
}
/** With a logout callback path configured, a logout message on exactly that path is processed. */
@Test
public void backChannelLogoutRunsIfPathEqualsLogoutPath() {
    handler.setLogoutCallbackPath("/logout");
    request.setServletPath("/logout");
    final MockHttpSession loggedOutSession = doBackChannelLogout();
    assertFalse(handler.process(request, response)); // consumed here, chain stops
    assertTrue(loggedOutSession.isInvalid());
}
/** A ticket sent under an unexpected parameter name is not recorded as a session mapping. */
@Test
public void tokenRequestFailsIfBadParameter() {
    final MockHttpSession current = new MockHttpSession();
    request.setSession(current);
    request.setQueryString(ANOTHER_PARAMETER + "=" + TICKET);
    request.setParameter(ANOTHER_PARAMETER, TICKET);
    assertTrue(handler.process(request, response)); // chain continues
    final SessionMappingStorage mappings = handler.getSessionMappingStorage();
    assertNull(mappings.removeSessionByMappingId(TICKET));
}
/** A ticket under the artifact parameter maps the ticket to the current session; the chain still continues. */
@Test
public void tokenRequestOK() {
    final MockHttpSession current = new MockHttpSession();
    request.setSession(current);
    request.setQueryString(ARTIFACT_PARAMETER_NAME + "=" + TICKET);
    request.setParameter(ARTIFACT_PARAMETER_NAME, TICKET);
    assertTrue(handler.process(request, response));
    final SessionMappingStorage mappings = handler.getSessionMappingStorage();
    assertEquals(current, mappings.removeSessionByMappingId(TICKET));
}
/** Without an existing session, and with eager session creation disabled, no mapping is stored for the ticket. */
@Test
public void tokenRequestFailsIfNoSession() {
    handler.setEagerlyCreateSessions(false);
    request.setSession(null);
    request.setQueryString(ARTIFACT_PARAMETER_NAME + "=" + TICKET);
    request.setParameter(ARTIFACT_PARAMETER_NAME, TICKET);
    assertTrue(handler.process(request, response)); // chain continues
    final SessionMappingStorage mappings = handler.getSessionMappingStorage();
    assertNull(mappings.removeSessionByMappingId(TICKET));
}
/** A back-channel logout message with an empty session index stops the chain but invalidates nothing. */
@Test
public void backChannelLogoutFailsIfNoSessionIndex() {
    final MockHttpSession mapped = new MockHttpSession();
    handler.getSessionMappingStorage().addSessionById(TICKET, mapped);
    request.setMethod("POST");
    request.setParameter(LOGOUT_PARAMETER_NAME, LogoutMessageGenerator.generateBackChannelLogoutMessage(""));
    assertFalse(handler.process(request, response));
    assertFalse(mapped.isInvalid());
}
/** A front-channel logout message under an unexpected parameter name is ignored. */
@Test
public void frontChannelLogoutFailsIfBadParameter() {
    final String message = LogoutMessageGenerator.generateFrontChannelLogoutMessage(TICKET);
    final MockHttpSession mapped = new MockHttpSession();
    handler.getSessionMappingStorage().addSessionById(TICKET, mapped);
    request.setMethod("GET");
    request.setQueryString(ANOTHER_PARAMETER + "=" + message);
    request.setParameter(ANOTHER_PARAMETER, message);
    assertTrue(handler.process(request, response)); // passes through, chain continues
    assertFalse(mapped.isInvalid());
}
/** A multipart POST carrying a logout message is not treated as a back-channel logout. */
@Test
public void backChannelLogoutFailsIfMultipart() {
    final MockHttpSession mapped = new MockHttpSession();
    handler.getSessionMappingStorage().addSessionById(TICKET, mapped);
    request.setMethod("POST");
    request.setContentType("multipart/form-data");
    request.setParameter(LOGOUT_PARAMETER_NAME, LogoutMessageGenerator.generateBackChannelLogoutMessage(TICKET));
    assertTrue(handler.process(request, response)); // chain continues, session survives
    assertFalse(mapped.isInvalid());
}
/** A front-channel logout message with an empty session index stops the chain but invalidates nothing. */
@Test
public void frontChannelLogoutFailsIfNoSessionIndex() {
    final String message = LogoutMessageGenerator.generateFrontChannelLogoutMessage("");
    final MockHttpSession mapped = new MockHttpSession();
    handler.getSessionMappingStorage().addSessionById(TICKET, mapped);
    request.setMethod("GET");
    request.setQueryString(LOGOUT_PARAMETER_NAME + "=" + message);
    request.setParameter(LOGOUT_PARAMETER_NAME, message);
    assertFalse(handler.process(request, response));
    assertFalse(mapped.isInvalid());
}
/** A valid front-channel logout invalidates the mapped session, stops the chain and, without RelayState, issues no redirect. */
@Test
public void frontChannelLogoutOK() {
    final String message = LogoutMessageGenerator.generateFrontChannelLogoutMessage(TICKET);
    final MockHttpSession mapped = new MockHttpSession();
    handler.getSessionMappingStorage().addSessionById(TICKET, mapped);
    request.setMethod("GET");
    request.setQueryString(LOGOUT_PARAMETER_NAME + "=" + message);
    request.setParameter(LOGOUT_PARAMETER_NAME, message);
    assertFalse(handler.process(request, response));
    assertTrue(mapped.isInvalid());
    assertNull(response.getRedirectedUrl()); // no RelayState was sent, so nothing to redirect to
}
/** A valid front-channel logout accompanied by a RelayState parameter still invalidates the mapped session. */
@Test
public void frontChannelLogoutRelayStateOK() {
    final String message = LogoutMessageGenerator.generateFrontChannelLogoutMessage(TICKET);
    final MockHttpSession mapped = new MockHttpSession();
    handler.getSessionMappingStorage().addSessionById(TICKET, mapped);
    request.setMethod("GET");
    request.setQueryString(LOGOUT_PARAMETER_NAME + "=" + message + "&" + RELAY_STATE_PARAMETER_NAME + "=" + TICKET);
    request.setParameter(LOGOUT_PARAMETER_NAME, message);
    request.setParameter(RELAY_STATE_PARAMETER_NAME, TICKET);
    assertFalse(handler.process(request, response));
    assertTrue(mapped.isInvalid());
    // NOTE(review): unlike frontChannelLogoutOK, the response redirect (if any) is not asserted
    // here; pinning the expected target when RelayState is present would make this case stricter.
}
}