...
| Code Block | ||
|---|---|---|
| ||
public interface ServiceTicket extends Ticket {
/**
* Get the Target to which this ServiceTicket is intended to authenticate the
* chain of Principals represented by the grantor of this ticket.
*/
String getTarget();
/**
* True if this ServiceTicket was created in the same transaction that created the granting ticket.
* False otherwise.
* This is how we implement the CAS 'renew' behavior -- ServiceTickets created simultaneous with
* their GrantingTicket may succeed on validation with renew=true, but if this value is false
* then validation with renew=true must fail.
*/
boolean createdInTxnThatCreatedGrantor();
}
|
Why is the return value for getTarget() a String? Because it is an arbitrary identifer. By convention it is a URL – and its being a URL has special meaning in the case of applications redirecting to CAS to obtain a ServiceTicket – but there is no requirement that the target be a URL. The Target represents an opportunity for the Principal owning the GrantingTicket requesting this ServiceTicket to ensure that communicate with the ServiceTicket that it obtains can only be used to authenticate to the Target it intendsTarget that validates the ticket exactly what request is being authenticated.
What is authenticated by a ServiceTicket? When a ServiceTicket is validated, the validation response is a representation of the chain of Principals from associated with the GrantingTicket that granted the ServiceTicket, and the GrantingTicket (if any) that granted that GrantingTicket, and the GrantingTicket (if any) that granted that GrantingTicket, and so forth up the chain until we reach a GrantingTicket that was the first in the chain.
...