desginate specific PT expiration policy

mr-serjey · Feb 15, 2016 · d82d1f0 · d82d1f0
1 parent 2efc714
commit d82d1f0
Show file tree

Hide file tree

Showing 33 changed files with 156 additions and 75 deletions.
diff --git a/cas-management-webapp-support/src/test/resources/spring-configuration/applicationContext.xml b/cas-management-webapp-support/src/test/resources/spring-configuration/applicationContext.xml
@@ -28,7 +28,7 @@
     <alias name="defaultTicketRegistry" alias="ticketRegistry" />
     <util:map id="uniqueIdGeneratorsMap"/>
     <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
-    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
+
     <util:list id="serviceFactoryList" />
     <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />
     <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"/>

diff --git a/cas-management-webapp/src/main/webapp/WEB-INF/spring-configuration/applicationContext.xml b/cas-management-webapp/src/main/webapp/WEB-INF/spring-configuration/applicationContext.xml
@@ -41,7 +41,7 @@
     <alias name="defaultTicketRegistry" alias="ticketRegistry" />
     <util:map id="uniqueIdGeneratorsMap"/>
     <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
-    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
+
     <util:list id="serviceFactoryList" />
     <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />
     <alias name="defaultPrincipalFactory" alias="principalFactory" />

diff --git a/...-core-api-authentication/src/main/java/org/jasig/cas/authentication/RootCasException.java b/...-core-api-authentication/src/main/java/org/jasig/cas/authentication/RootCasException.java
@@ -12,7 +12,7 @@
  * see org.jasig.cas.authentication.handler.AuthenticationException
  * @since 4.0.0
  */
-public abstract class RootCasException extends Exception {
+public abstract class RootCasException extends RuntimeException {
 
   private static final long serialVersionUID = -2384466176716541689L;
 

diff --git a/cas-server-core-api-ticket/src/main/java/org/jasig/cas/ticket/Ticket.java b/cas-server-core-api-ticket/src/main/java/org/jasig/cas/ticket/Ticket.java
@@ -7,7 +7,6 @@
  * Interface for the generic concept of a ticket.
  *
  * @author Scott Battaglia
-
  * @since 3.0.0
  */
 public interface Ticket extends Serializable {

diff --git a/cas-server-core-api-ticket/src/main/java/org/jasig/cas/ticket/TicketState.java b/cas-server-core-api-ticket/src/main/java/org/jasig/cas/ticket/TicketState.java
@@ -6,7 +6,6 @@
 
 /**
  * @author Scott Battaglia
-
  * @since 3.0.0
  */
 public interface TicketState {
@@ -46,4 +45,17 @@ public interface TicketState {
      * @return the authentication information.
      */
     Authentication getAuthentication();
+
+    /**
+     * Records the <i>previous</i> last time this ticket was used as well as
+     * the last usage time. The ticket usage count is also incremented.
+     * <p>
+     * <p>Tickets themselves are solely responsible to maintain their state. The
+     * determination of  ticket usage is left up to the implementation and
+     * the specific ticket type.
+     *
+     * @see ExpirationPolicy
+     * @since 4.3.0
+     */
+    void update();
 }
diff --git a/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/AbstractTicket.java b/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/AbstractTicket.java
@@ -32,7 +32,7 @@ public abstract class AbstractTicket implements Ticket, TicketState {
     private static final long serialVersionUID = -8506442397878267555L;
 
     /**
-     * The {@link ExpirationPolicy} this is associated with.
+     * The {@link ExpirationPolicy} this ticket is associated with.
      **/
     @Lob
     @Column(name="EXPIRATION_POLICY", length = Integer.MAX_VALUE, nullable=false)
@@ -71,11 +71,10 @@ protected AbstractTicket() {
      * be null) and a specified Expiration Policy.
      *
      * @param id the unique identifier for the ticket
-     * @param ticket the parent TicketGrantingTicket
      * @param expirationPolicy the expiration policy for the ticket.
      * @throws IllegalArgumentException if the id or expiration policy is null.
      */
-    public AbstractTicket(final String id, final TicketGrantingTicket ticket,
+    public AbstractTicket(final String id,
         final ExpirationPolicy expirationPolicy) {
         Assert.notNull(expirationPolicy, "expirationPolicy cannot be null");
         Assert.notNull(id, "id cannot be null");
@@ -91,20 +90,16 @@ public final String getId() {
         return this.id;
     }
 
-    /**
-     * Records the <i>previous</i> last time this ticket was used as well as
-     * the last usage time. The ticket usage count is also incremented.
-     *
-     * <p>Tickets themselves are solely responsible to maintain their state. The
-     * determination of  ticket usage is left up to the implementation and
-     * the specific ticket type.
-     *
-     * @see ExpirationPolicy
-     */
-    protected final void updateState() {
+    @Override
+    public final void update() {
         this.previousLastTimeUsed = this.lastTimeUsed;
         this.lastTimeUsed = ZonedDateTime.now(ZoneOffset.UTC);
         this.countOfUses++;
+
+        if (getGrantingTicket() != null && !getGrantingTicket().isExpired()) {
+            final TicketState state = TicketState.class.cast(getGrantingTicket());
+            state.update();
+        }
     }
 
     @Override

diff --git a/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/DefaultProxyTicketFactory.java b/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/DefaultProxyTicketFactory.java
@@ -27,40 +27,39 @@ public class DefaultProxyTicketFactory implements ProxyTicketFactory {
 
     /** Default instance for the ticket id generator. */
     @NotNull
-    protected final UniqueTicketIdGenerator defaultServiceTicketIdGenerator = new DefaultUniqueTicketIdGenerator();
+    protected final UniqueTicketIdGenerator defaultTicketIdGenerator = new DefaultUniqueTicketIdGenerator();
 
     /** Map to contain the mappings of service to {@link UniqueTicketIdGenerator}s. */
     @NotNull
     @Resource(name="uniqueIdGeneratorsMap")
     protected Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService;
 
     /** Whether we should track the most recent session by keeping the latest service ticket. */
-    @Value("${tgt.onlyTrackMostRecentSession:true}")
+    @Value("${tgt.track.recent.session:true}")
     protected boolean onlyTrackMostRecentSession = true;
 
     /** ExpirationPolicy for Service Tickets. */
     @NotNull
-    @Resource(name="serviceTicketExpirationPolicy")
-    protected ExpirationPolicy serviceTicketExpirationPolicy;
+    @Resource(name="proxyTicketExpirationPolicy")
+    protected ExpirationPolicy proxyTicketExpirationPolicy;
 
     @Override
     public <T extends Ticket> T create(final ProxyGrantingTicket proxyGrantingTicket,
                                        final Service service) {
         final String uniqueTicketIdGenKey = service.getClass().getName();
-        logger.debug("Looking up service ticket id generator for [{}]", uniqueTicketIdGenKey);
-        UniqueTicketIdGenerator serviceTicketUniqueTicketIdGenerator =
-                this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);
-        if (serviceTicketUniqueTicketIdGenerator == null) {
-            serviceTicketUniqueTicketIdGenerator = this.defaultServiceTicketIdGenerator;
-            logger.debug("Service ticket id generator not found for [{}]. Using the default generator...",
+        logger.debug("Looking up ticket id generator for [{}]", uniqueTicketIdGenKey);
+        UniqueTicketIdGenerator generator = this.uniqueTicketIdGeneratorsForService.get(uniqueTicketIdGenKey);
+        if (generator == null) {
+            generator = this.defaultTicketIdGenerator;
+            logger.debug("Ticket id generator not found for [{}]. Using the default generator...",
                     uniqueTicketIdGenKey);
         }
 
-        final String ticketId = serviceTicketUniqueTicketIdGenerator.getNewTicketId(ProxyTicket.PROXY_TICKET_PREFIX);
+        final String ticketId = generator.getNewTicketId(ProxyTicket.PROXY_TICKET_PREFIX);
         final ProxyTicket serviceTicket = proxyGrantingTicket.grantProxyTicket(
                 ticketId,
                 service,
-                this.serviceTicketExpirationPolicy,
+                this.proxyTicketExpirationPolicy,
                 this.onlyTrackMostRecentSession);
         return (T) serviceTicket;
     }
@@ -82,7 +81,7 @@ public void setUniqueTicketIdGeneratorsForService(final Map<String, UniqueTicket
         this.uniqueTicketIdGeneratorsForService = uniqueTicketIdGeneratorsForService;
     }
 
-    public void setServiceTicketExpirationPolicy(final ExpirationPolicy serviceTicketExpirationPolicy) {
-        this.serviceTicketExpirationPolicy = serviceTicketExpirationPolicy;
+    public void setProxyTicketExpirationPolicy(final ExpirationPolicy proxyTicketExpirationPolicy) {
+        this.proxyTicketExpirationPolicy = proxyTicketExpirationPolicy;
     }
 }
diff --git a/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/DefaultServiceTicketFactory.java b/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/DefaultServiceTicketFactory.java
@@ -33,7 +33,7 @@ public class DefaultServiceTicketFactory implements ServiceTicketFactory {
     protected Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService;
 
     /** Whether we should track the most recent session by keeping the latest service ticket. */
-    @Value("${tgt.onlyTrackMostRecentSession:true}")
+    @Value("${tgt.track.recent.session:true}")
     protected boolean onlyTrackMostRecentSession = true;
 
     /** ExpirationPolicy for Service Tickets. */

diff --git a/...ickets/src/main/java/org/jasig/cas/ticket/InvalidProxyGrantingTicketForServiceTicket.java b/...ickets/src/main/java/org/jasig/cas/ticket/InvalidProxyGrantingTicketForServiceTicket.java
@@ -0,0 +1,34 @@
+package org.jasig.cas.ticket;
+
+import org.jasig.cas.authentication.principal.Service;
+
+/**
+ * Exception thrown when a ST has already granted a PGT and is asked to do so again.
+ *
+ * @author Misagh Moayyed
+ * @since 4.3.0
+ */
+public class InvalidProxyGrantingTicketForServiceTicket extends AbstractTicketValidationException {
+    private static final long serialVersionUID = 2120177571513373134L;
+
+    private static final String CODE = "INVALID_PROXY_GRANTING_TICKET";
+
+    /**
+     * Instantiates a new Invalid proxy granting ticket for service ticket.
+     *
+     * @param service the service
+     */
+    public InvalidProxyGrantingTicketForServiceTicket(final Service service) {
+        this(CODE, service);
+    }
+
+    /**
+     * Instantiates a new Invalid proxy granting ticket for service ticket.
+     *
+     * @param code    the code
+     * @param service the service
+     */
+    public InvalidProxyGrantingTicketForServiceTicket(final String code, final Service service) {
+        super(code, service);
+    }
+}
diff --git a/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/ProxyGrantingTicketImpl.java b/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/ProxyGrantingTicketImpl.java
@@ -65,7 +65,8 @@ public ProxyTicket grantProxyTicket(final String id, final Service service, fina
                 service, this.getCountOfUses() == 0,
                 expirationPolicy);
 
-        updateServiceAndTrackSession(serviceTicket.getId(), service, onlyTrackMostRecentSession);
+        updateStateAndTrackServiceSession(serviceTicket.getId(), service, onlyTrackMostRecentSession);
+
         return serviceTicket;
     }
 

diff --git a/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java b/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/ServiceTicketImpl.java
@@ -75,7 +75,7 @@ public ServiceTicketImpl() {
     public ServiceTicketImpl(final String id,
         @NotNull final TicketGrantingTicketImpl ticket, @NotNull final Service service,
         final boolean fromNewLogin, final ExpirationPolicy policy) {
-        super(id, ticket, policy);
+        super(id, policy);
 
         Assert.notNull(service, "service cannot be null");
         Assert.notNull(ticket, "ticket cannot be null");
@@ -104,7 +104,7 @@ public Service getService() {
      */
     @Override
     public boolean isValidFor(final Service serviceToValidate) {
-        updateState();
+        update();
         return serviceToValidate.matches(this.service);
     }
 
@@ -136,8 +136,7 @@ public ProxyGrantingTicket grantProxyGrantingTicket(
         final ExpirationPolicy expirationPolicy) {
         synchronized (this.lock) {
             if(this.grantedTicketAlready) {
-                throw new IllegalStateException(
-                    "PGT already generated for this ST. Cannot grant more than one TGT for ST");
+                throw new InvalidProxyGrantingTicketForServiceTicket(service);
             }
             this.grantedTicketAlready = Boolean.TRUE;
         }

diff --git a/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/TicketGrantingTicketImpl.java b/cas-server-core-tickets/src/main/java/org/jasig/cas/ticket/TicketGrantingTicketImpl.java
@@ -105,7 +105,7 @@ public TicketGrantingTicketImpl(final String id,
         final TicketGrantingTicket parentTicketGrantingTicket,
         @NotNull final Authentication authentication, final ExpirationPolicy policy) {
 
-        super(id, parentTicketGrantingTicket, policy);
+        super(id, policy);
 
         if (parentTicketGrantingTicket != null && proxiedBy == null) {
             throw new IllegalArgumentException("Must specify proxiedBy when providing parent TGT");
@@ -155,7 +155,7 @@ public final synchronized ServiceTicket grantServiceTicket(final String id,
                 service, this.getCountOfUses() == 0 || credentialsProvided,
                 expirationPolicy);
 
-        updateServiceAndTrackSession(serviceTicket.getId(), service, onlyTrackMostRecentSession);
+        updateStateAndTrackServiceSession(serviceTicket.getId(), service, onlyTrackMostRecentSession);
         return serviceTicket;
     }
 
@@ -166,8 +166,8 @@ public final synchronized ServiceTicket grantServiceTicket(final String id,
      * @param service                    the service
      * @param onlyTrackMostRecentSession the only track most recent session
      */
-    protected void updateServiceAndTrackSession(final String id, final Service service, final boolean onlyTrackMostRecentSession) {
-        updateState();
+    protected void updateStateAndTrackServiceSession(final String id, final Service service, final boolean onlyTrackMostRecentSession) {
+        update();
 
         final List<Authentication> authentications = getChainedAuthentications();
         service.setPrincipal(authentications.get(authentications.size()-1).getPrincipal());

diff --git a/...ets/src/main/java/org/jasig/cas/ticket/support/MultiTimeUseOrTimeoutExpirationPolicy.java b/...ets/src/main/java/org/jasig/cas/ticket/support/MultiTimeUseOrTimeoutExpirationPolicy.java
@@ -4,6 +4,7 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import org.springframework.util.Assert;
@@ -21,7 +22,7 @@
  * @since 3.0.0
  */
 @Component("multiTimeUseOrTimeoutExpirationPolicy")
-public final class MultiTimeUseOrTimeoutExpirationPolicy extends AbstractCasExpirationPolicy {
+public class MultiTimeUseOrTimeoutExpirationPolicy extends AbstractCasExpirationPolicy {
 
     /** Serialization support. */
     private static final long serialVersionUID = -5704993954986738308L;
@@ -32,15 +33,8 @@ public final class MultiTimeUseOrTimeoutExpirationPolicy extends AbstractCasExpi
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(MultiTimeUseOrTimeoutExpirationPolicy.class);
 
-    /** The time to kill in milliseconds. */
-    @Value("#{${st.timeToKillInSeconds:10}*1000}")
-    private final long timeToKillInMilliSeconds;
-
-    /** The maximum number of uses before expiration. */
-
-    @Value("${st.numberOfUses:1}")
-    private final int numberOfUses;
-
+    private long timeToKillInMilliSeconds;
+    private int numberOfUses;
 
     /** No-arg constructor for serialization support. */
     private MultiTimeUseOrTimeoutExpirationPolicy() {
@@ -100,4 +94,50 @@ public boolean isExpired(final TicketState ticketState) {
         }
         return false;
     }
+
+    /**
+     * The Proxy ticket expiration policy.
+     */
+    @Component("proxyTicketExpirationPolicy")
+    public static class ProxyTicketExpirationPolicy extends MultiTimeUseOrTimeoutExpirationPolicy {
+
+        private static final long serialVersionUID = -5814201080268311070L;
+
+        /**
+         * Instantiates a new proxy ticket expiration policy.
+         *
+         * @param numberOfUses             the number of uses
+         * @param timeToKillInMilliSeconds the time to kill in milli seconds
+         */
+        @Autowired
+        public ProxyTicketExpirationPolicy(@Value("${pt.numberOfUses:1}")
+                                             final int numberOfUses,
+                                             @Value("#{${pt.timeToKillInSeconds:10}*1000}")
+                                             final long timeToKillInMilliSeconds) {
+            super(numberOfUses, timeToKillInMilliSeconds);
+        }
+    }
+
+    /**
+     * The Service ticket expiration policy.
+     */
+    @Component("serviceTicketExpirationPolicy")
+    public static class ServiceTicketExpirationPolicy extends MultiTimeUseOrTimeoutExpirationPolicy {
+
+        private static final long serialVersionUID = -5814201080268311070L;
+
+        /**
+         * Instantiates a new Service ticket expiration policy.
+         *
+         * @param numberOfUses             the number of uses
+         * @param timeToKillInMilliSeconds the time to kill in milli seconds
+         */
+        @Autowired
+        public ServiceTicketExpirationPolicy(@Value("${st.numberOfUses:1}")
+                                             final int numberOfUses,
+                                             @Value("#{${st.timeToKillInSeconds:10}*1000}")
+                                             final long timeToKillInMilliSeconds) {
+            super(numberOfUses, timeToKillInMilliSeconds);
+        }
+    }
 }
diff --git a/cas-server-documentation/installation/Configuring-Service-Proxy-Policy.md b/cas-server-documentation/installation/Configuring-Service-Proxy-Policy.md
@@ -11,7 +11,7 @@ Note that by default, the proxy authentication is disallowed for all application
 
 ## Components
 
-### `RefuseRegisteredServiceProxyPolicy`
+### Refuse
 Disallows proxy authentication for a service. This is default policy and need not be configured explicitly.
 
 ```json
@@ -26,7 +26,7 @@ Disallows proxy authentication for a service. This is default policy and need no
 }
 ```
 
-### `RegexMatchingRegisteredServiceProxyPolicy`
+### Regex
 A proxy policy that only allows proxying to PGT urls that match the specified regex pattern.
 
 ```json

diff --git a/cas-server-integration-ehcache/src/test/resources/ticketRegistry.xml b/cas-server-integration-ehcache/src/test/resources/ticketRegistry.xml
@@ -130,7 +130,7 @@
     <util:list id="monitorsList" />
     <util:map id="uniqueIdGeneratorsMap"/>
     <alias name="ticketGrantingTicketExpirationPolicy" alias="grantingTicketExpirationPolicy" />
-    <alias name="multiTimeUseOrTimeoutExpirationPolicy" alias="serviceTicketExpirationPolicy" />
+
     <util:list id="serviceFactoryList" />
     <alias name="acceptAnyAuthenticationPolicyFactory" alias="authenticationPolicyFactory" />
     <bean id="attributeRepository" class="org.jasig.services.persondir.support.NamedStubPersonAttributeDao"/>