org.apereo.cas

Interface CentralAuthenticationService

All Known Implementing Classes:

AbstractCentralAuthenticationService, DefaultCentralAuthenticationService

public interface CentralAuthenticationService

CAS viewed as a set of services to generate and validate Tickets.

This is the interface between a Web HTML, Web Services, RMI, or any other request processing layer and the CAS Service viewed as a mechanism to generate, store, validate, and retrieve Tickets containing Authentication information. The features of the request processing layer (the HttpXXX Servlet objects) are not visible here or in any modules behind this layer. In theory, a standalone application could call these methods directly as a private authentication service.

Since:

3.0.0

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	NAMESPACE CAS namespace.

Method Summary

Modifier and Type	Method and Description
ProxyGrantingTicket	createProxyGrantingTicket(java.lang.String serviceTicketId, AuthenticationResult authenticationResult) Delegate a TicketGrantingTicket to a Service for proxying authentication to other Services.
TicketGrantingTicket	createTicketGrantingTicket(AuthenticationResult authenticationResult) Create a TicketGrantingTicket by authenticating credentials.
default void	deleteTicket(java.lang.String ticketId) Attempts to delete a ticket from the underlying store and is allowed to run any number of processing on the ticket and removal op before invoking it.
java.util.List<LogoutRequest>	destroyTicketGrantingTicket(java.lang.String ticketGrantingTicketId) Destroy a TicketGrantingTicket and perform back channel logout.
Ticket	getTicket(java.lang.String ticketId) Obtains the given ticket by its id and returns the CAS-representative object.
<T extends Ticket> T	getTicket(java.lang.String ticketId, java.lang.Class<T> clazz) Obtains the given ticket by its id and type and returns the CAS-representative object.
java.util.Collection<Ticket>	getTickets(java.util.function.Predicate<Ticket> predicate) Retrieve a collection of tickets from the underlying ticket registry.
ProxyTicket	grantProxyTicket(java.lang.String proxyGrantingTicket, Service service) Grant a ProxyTicket that may be used to access the given service by authenticating the given credentials.
ServiceTicket	grantServiceTicket(java.lang.String ticketGrantingTicketId, Service service, AuthenticationResult authenticationResult) Grant a ServiceTicket that may be used to access the given service by authenticating the given credentials.
Ticket	updateTicket(Ticket ticket) Updates the ticket instance in the underlying storage mechanism.
Assertion	validateServiceTicket(java.lang.String serviceTicketId, Service service) Validate a ServiceTicket for a particular Service.

Field Detail

NAMESPACE

static final java.lang.String NAMESPACE

CAS namespace.

Method Detail

createTicketGrantingTicket

TicketGrantingTicket createTicketGrantingTicket(AuthenticationResult authenticationResult)
                                         throws AuthenticationException,
                                                AbstractTicketException

Create a TicketGrantingTicket by authenticating credentials. The details of the security policy around credential authentication and the definition of authentication success are dependent on the implementation, but it SHOULD be safe to assume that at least one credential MUST be authenticated for ticket creation to succeed.

Parameters:

authenticationResult - the current authentication result in order to create the ticket.

Returns:

Non -null ticket-granting ticket identifier.

Throws:

AuthenticationException - on errors authenticating the credentials

AbstractTicketException - if ticket cannot be created

updateTicket

Ticket updateTicket(Ticket ticket)

Updates the ticket instance in the underlying storage mechanism. The properties of a given ticket, such as its authentication attributes may have changed during various legs of the authentication flow.

Parameters:

ticket - the ticket

Returns:

the updated ticket

Since:

5.0.0

getTicket

Ticket getTicket(java.lang.String ticketId)
          throws InvalidTicketException

Obtains the given ticket by its id and returns the CAS-representative object. Implementations need to check for the validity of the ticket by making sure it exists and has not expired yet, etc. This method is specifically designed to remove the need to access the ticket registry.

Parameters:

ticketId - the ticket granting ticket id

Returns:

the ticket object

Throws:

InvalidTicketException - the invalid ticket exception

Since:

5.0.0

getTicket

<T extends Ticket> T getTicket(java.lang.String ticketId,
                               java.lang.Class<T> clazz)
                        throws InvalidTicketException

Obtains the given ticket by its id and type and returns the CAS-representative object. Implementations need to check for the validity of the ticket by making sure it exists and has not expired yet, etc. This method is specifically designed to remove the need to access the ticket registry.

Type Parameters:

T - the generic ticket type to return that extends Ticket

Parameters:

ticketId - the ticket granting ticket id

clazz - the ticket type that is requested to be found

Returns:

the ticket object

Throws:

InvalidTicketException - the invalid ticket exception

Since:

4.1.0

deleteTicket

default void deleteTicket(java.lang.String ticketId)

Attempts to delete a ticket from the underlying store and is allowed to run any number of processing on the ticket and removal op before invoking it. The ticket id can be associated with any ticket type that is valid and understood by CAS and the underlying ticket store; however some special cases require that you invoke the appropriate operation when destroying tickets, such destroyTicketGrantingTicket(String).

Parameters:

ticketId - the ticket id

getTickets

java.util.Collection<Ticket> getTickets(java.util.function.Predicate<Ticket> predicate)

Retrieve a collection of tickets from the underlying ticket registry. The retrieval operation must pass the predicate check that is solely used to filter the collection of tickets received. Implementations can use the predicate to request a collection of expired tickets, or tickets whose id matches a certain pattern, etc. The resulting collection will include tickets that have been evaluated by the predicate.

Parameters:

predicate - the predicate

Returns:

the tickets

Since:

4.1.0

grantServiceTicket

ServiceTicket grantServiceTicket(java.lang.String ticketGrantingTicketId,
                                 Service service,
                                 AuthenticationResult authenticationResult)
                          throws AuthenticationException,
                                 AbstractTicketException

Grant a ServiceTicket that may be used to access the given service by authenticating the given credentials. The details of the security policy around credential authentication and the definition of authentication success are dependent on the implementation, but it SHOULD be safe to assume that at least one credential MUST be authenticated for ticket creation to succeed.

The principal that is resolved from the authenticated credentials MUST be the same as that to which the given ticket-granting ticket was issued.

Parameters:

ticketGrantingTicketId - Proof of prior authentication.

service - The target service of the ServiceTicket.

authenticationResult - The authentication context established if credentials provided

Returns:

Non -null service ticket identifier.

Throws:

AuthenticationException - on errors authenticating the credentials

AbstractTicketException - if the ticket could not be created.

grantProxyTicket

ProxyTicket grantProxyTicket(java.lang.String proxyGrantingTicket,
                             Service service)
                      throws AbstractTicketException

Grant a ProxyTicket that may be used to access the given service by authenticating the given credentials. The details of the security policy around credential authentication and the definition of authentication success are dependent on the implementation, but it SHOULD be safe to assume that at least one credential MUST be authenticated for ticket creation to succeed.

The principal that is resolved from the authenticated credentials MUST be the same as that to which the given ticket-granting ticket was issued.

Parameters:

proxyGrantingTicket - Proof of prior authentication.

service - The target service of the ServiceTicket.

Returns:

Non -null service ticket identifier.

Throws:

AbstractTicketException - if the ticket could not be created.

validateServiceTicket

Assertion validateServiceTicket(java.lang.String serviceTicketId,
                                Service service)
                         throws AbstractTicketException

Validate a ServiceTicket for a particular Service.

Parameters:

serviceTicketId - Proof of prior authentication.

service - Service wishing to validate a prior authentication.

Returns:

Non -null ticket validation assertion.

Throws:

AbstractTicketException - if there was an error validating the ticket.

destroyTicketGrantingTicket

java.util.List<LogoutRequest> destroyTicketGrantingTicket(java.lang.String ticketGrantingTicketId)

Destroy a TicketGrantingTicket and perform back channel logout. This has the effect of invalidating any Ticket that was derived from the TicketGrantingTicket being destroyed. May throw an IllegalArgumentException if the TicketGrantingTicket ID is null.

Parameters:

ticketGrantingTicketId - the id of the ticket we want to destroy

Returns:

the logout requests.

createProxyGrantingTicket

ProxyGrantingTicket createProxyGrantingTicket(java.lang.String serviceTicketId,
                                              AuthenticationResult authenticationResult)
                                       throws AuthenticationException,
                                              AbstractTicketException

Delegate a TicketGrantingTicket to a Service for proxying authentication to other Services.

Parameters:

serviceTicketId - The service ticket identifier that will delegate to a TicketGrantingTicket.

authenticationResult - The current authentication context before this ticket can be granted.

Returns:

Non -null ticket-granting ticket identifier that can grant ServiceTicket that proxy authentication.

Throws:

AuthenticationException - on errors authenticating the credentials

AbstractTicketException - if there was an error creating the ticket