...
ServiceTickets add to Ticket an additional property: the Target to which the ServiceTicket is intended to authenticate.
| Code Block | ||
|---|---|---|
| ||
public interface ServiceTicket extends Ticket {
/**
* Get the Target to which this ServiceTicket is intended to authenticate the
* chain of Principals represented by the grantor of this ticket.
*/
String getTarget();
}
|
Why is the return value for getTarget() a String? Because it is an arbitrary identifer. By convention it is a URL – and its being a URL has special meaning in the case of applications redirecting to CAS to obtain a ServiceTicket – but there is no requirement that the target be a URL. The Target represents an opportunity for the Principal owning the GrantingTicket requesting this ServiceTicket to ensure that the ServiceTicket that it obtains can only be used to authenticate to the Target it intends.
What is authenticated by a ServiceTicket? When a ServiceTicket is validated, the validation response is a representation of the chain of Principals from associated with the GrantingTicket that granted the ServiceTicket, and the GrantingTicket (if any) that granted that GrantingTicket, and the GrantingTicket (if any) that granted that GrantingTicket, and so forth up the chain until we reach a GrantingTicket that was the first in the chain.
...