Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 18 Next »

This page is a place to evolve a CAS 3 domain model for tickets.

Discussion

The question we're asking is, "What's the proper relationship, in a class hierarchy used by CAS server implementation, between service tickets and proxy tickets?"

Code snippets

Ticket

public Interface Ticket {

   /**
    * Get the Date at which this Ticket was created.
    */
    public Date getTimestamp();


   /**
    * Returns true if this ticket is valid, false otherwise.
    */
    public boolean isValid();

}
TicketGrantingTicket

public Interface TicketGrantingTicket 
    extends Ticket {

   /**
    * Get the Principal which owns this TicketGrantingTicket and may exercise it
    * to obtain a TargettedTicket for authentication to a particular URL. 
    * For instance, in the case of a SSOTicket this Principal is the end user who authenticated
    * to CAS by presentation of Primary Credentials.
    * In the case of a ProxyGrantingTicket, this is the URL to which the PGT was vended.
    */
    public Principal getPrincipal();


   /**
    * Derive from this TicketGrantingTicket a TargettedTicket for use in authenticating
    * to some particular target.
    */
    public TargettedTicket deriveTicket(URL target);

}
SSOTicket

Single Sign On tickets are tickets representing a particular user's single sign on session with CAS. They are TicketGrantingTickets but they are not DerivedTickets because their origin is not from another CAS ticket. They are not derived from another of the CAS 3 Ticket Domain Model tickets. Rather, they are derived from something external to the ticket domain model: the presentation and authentication of primary credentials.

SSOTicket code sketch
public Class SSOTicket implements TicketGrantingTicket {

    private final Date whenCreated = new Date();

    private final Principal authenticatedUser;

    private final ExpirationPolicy expPolicy;

    private final ExpirationPolicyFactory expPolicyFactory;


    public SSOTicket(Principal authenticatedUser, 
        ExpirationPolicy expPolicy, 
        ExpirationPolicyFactory expPolicyFactory) {
       this.authenticatedUser = authenticatedUser;
       this.expPolicy = expPolicy;
       this.expPolicyFactory = expPolicyFactory;
    }

    public Principal getUser() {
       return this.authenticatedUser;
    }

    public boolean isValid() {
         return this.expPolicy.isValid();
    }

    public void expire() {
        this.expPolicy.expire();
    }

    public TargettedTicket deriveTicket(URL target) {

        return new TargettedTicketImpl(target, this, this.expPolicyFactory.buildPolicyInstance());

    }

}
ProxyGrantingTicket
public Class ProxyGrantingTicket 
    implements TicketGrantingTicket, DerivedTicket {

    private final Date whenCreated = new Date();

    private final Principal authenticatedUser;

    private final ExpirationPolicy expPolicy;

    private final ExpirationPolicyFactory expPolicyFactory;

    private final TicketGrantingTicket parent;


    public ProxyGrantingTicket(Principal proxyingService, 
        ExpirationPolicy expPolicy, 
        ExpirationPolicyFactory expPolicyFactory, 
        TicketGrantingTicket parent) {

       this.authenticatedUser = authenticatedUser;
       this.expPolicy = expPolicy;
       this.expPolicyFactory = expPolicyFactory;
       this.parent = parent;
    }

    public Principal getUser() {
       return this.authenticatedUser;
    }

    public boolean isValid() {
         return this.expPolicy.isValid();
    }

    public void expire() {
        this.expPolicy.expire();
    }

    public TargettedTicket deriveTicket(URL target) {

        return new TargettedTicketImpl(target, this, this.expPolicyFactory.buildPolicyInstance());

    }

    public TicketGrantingTicket getParant() {
        return this.parent;
    }

}
DerivedTicket

public Interface DerivedTicket 
    extends Ticket {

   /**
    * Get the TicketGrantingTicket from which this ticket was derived.
    */
    public TicketGrantingTicket getParent();

}
TargettedTicket

public Interface TargettedTicket
    extends DerivedTicket {

   /**
    * Get the URL to which this ticket will authenticate.
    */
    public URL getTarget();

   /**
    * Get the chain of principals through which authentication has passed
    * in producing this targetted ticket, starting with the most recent principal
    * and leading back to the originally authenticating User.
    */
    public List getPrincipalChain();

}
TargettedTicketImpl
public Class TargettedTicketImpl implements TargettedTicket {

    private final Date whenCreated = new Date();

    private final ExpirationPolicy expPolicy;

    private final TicketGrantingTicket parent;

    private final URL target;


    public SSOTicket(URL target, TicketGrantingTicket parent, ExpirationPolicy expPolicy) {
       this.target = target;
       this.parent = parent;
       this.expPolicy = expPolicy;
    }

    public boolean isValid() {
         return this.expPolicy.isValid()
             && this.parent.isValid();
    }

    public URL getTarget() {
        return this.target;
    }

    public List getPrincipalChain() {
      
      List principalChain = new ArrayList();

      TicketGrantingTicket ancestor = this.parent;

      while (ancestor != null) {

         principalChain.add(ancestor.getPrincipal());

         if (parent instanceof DerivedTicket) {
              DerivedTicket ancestorIsAlsoAChild = (DerivedTicket) ancestor;
              ancestor = ancestor.getParent();
         } else {
              // perhaps an ugly way of breaking out of this while loop
              ancestor = null;
         }

     }
            
     return principalChain;
    }

    public TicketGrantingTicket getParent() {
        return this.parent;
    }

}
  • No labels