UrlUtil Methods

Owned by scottt732
Last updated: Aug 25, 2010Version comment

Service Url Methods

The Service Urls methods are used by other methods in this class. They are intended to be UrlEncoded and embedded as parameters in links to the CAS server. Under certain circumstances, the CAS Server will decode these Urls and redirect back. This application should never redirect directly to one of these Urls.

Login Url Methods

These methods generate Urls for logging in to CAS. The gateway and renew parameters are mutually exclusive and cannot both be set to true. When both are false, the Url is to the CAS login screen. The gateway parameter will cause the application to attempt to login transparently without rendering a UI. It will fail gracefully if the user does not already have a SingleSignOn session (i.e., the request will remain unauthenticated). The renew parameter will ignore any outstanding SingleSignOun sessions and force the user to supply credentials again.

  • UrlUtil.ConstructLoginRedirectUrl(gateway := false, renew := false)
    • HttpUtility.UrlEncode(UrlUtil.ConstructServiceUrl(gateway := false))

      https://casserver/cas/login
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx

  • UrlUtil.ConstructLoginRedirectUrl(gateway := true, renew := false)
    • HttpUtility.UrlEncode(UrlUtil.ConstructServiceUrl(gateway := true))

      https://casserver/cas/login
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fgatewayResponse%3dtrue
         &gateway=true

  • UrlUtil.ConstructLoginRedirectUrl(gateway := false, renew := true )
    • HttpUtility.UrlEncode(UrlUtil.ConstructServiceUrl(gateway := false))

      https://casserver/cas/login
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &renew=true

  • UrlUtil.ConstructLoginRedirectUrl(gateway := true, renew := true )

    InvalidArgumentException: Gateway and Renew parameters are mutually exclusive

Validate Url Methods

These methods are called by the ITicketValidator implementation or the AbstractUrlTicketValidator's default implementation to generate a Url suitable for validating a service ticket against the CAS server.

  • UrlUtil.ConstructValidateUrl(serviceTicket := "SAMPLETICKET", gateway:= false, renew := false, customParameters := @customParameters)
    • HttpUtility.UrlEncode(UrlUtil.ConstructServiceUrl(gateway := false))
      CAS 1.0: (@customParameters = null)

      https://casserver/cas/validate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET

      CAS 2.0 w/o ProxyTicketManager: (@customParameters = null)

      https://casserver/cas/serviceValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET

      CAS 2.0 w/ProxyTicketManager: (@customParameters = { { "pgtUrl", HttpUtility.UrlEncode(UrlUtil.ConstructProxyCallbackUrl()) } })

      https://casserver/cas/proxyValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET
         &pgtUrl=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fproxyResponse%3dtrue

      SAML 1.1: (@customParameters = null)

      https://casserver/cas/samlValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET

  • UrlUtil.ConstructValidateUrl(serviceTicket := "SAMPLETICKET", gateway := false, renew := true, customParameters := @customParameters)
    • HttpUtility.UrlEncode(UrlUtil.ConstructServiceUrl(gateway := false))
      CAS 1.0: (@customParameters = null)

      https://casserver/cas/validate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET
         &renew=true

      CAS 2.0 w/o ProxyTicketManager: (@customParameters = null)

      https://casserver/cas/serviceValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET
         &renew=true

      CAS 2.0 w/ProxyTicketManager: (@customParameters = { { "pgtUrl", HttpUtility.UrlEncode(UrlUtil.ConstructProxyCallbackUrl()) } })

      https://casserver/cas/proxyValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET
         &renew=true
         &pgtUrl=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fproxyResponse%3dtrue

      SAML 1.1: (@customParameters = null)

      https://casserver/cas/samlValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx
         &ticket=SAMPLETICKET
         &renew=true

  • UrlUtil.ConstructValidateRedirectUrl(serviceTicket := "SAMPLETICKET", gateway := true, renew := false, customParameters := @customParameters)
    • HttpUtility.UrlEncode(UrlUtil.ConstructServiceUrl(gateway := true))
      CAS 1.0: (@customParameters = null)

      https://casserver/cas/validate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fgatewayResponse%3dtrue
         &ticket=SAMPLETICKET

      CAS 2.0 w/o ProxyTicketManager: (@customParameters = null)

      https://casserver/cas/serviceValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fgatewayResponse%3dtrue
         &ticket=SAMPLETICKET

      CAS 2.0 w/ProxyTicketManager: (@customParameters = { { "pgtUrl", HttpUtility.UrlEncode(UrlUtil.ConstructProxyCallbackUrl()) } })

      https://casserver/cas/proxyValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fgatewayResponse%3dtrue
         &ticket=SAMPLETICKET
         &pgtUrl=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fproxyResponse%3dtrue

      SAML 1.1: (@customParameters = null)

      https://casserver/cas/samlValidate
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx%3fgatewayResponse%3dtrue
         &ticket=SAMPLETICKET

  • UrlUtil.ConstructValidateRedirectUrl(serviceTicket := "SAMPLETICKET", gateway := true, renew := true, customParameters := @customParameters)

    InvalidArgumentException: Gateway and Renew parameters are mutually exclusive

SingleSignOut Url Method

The FormsAuthentication.SignOut() simply destroys the FormsAuthenticationCookie/FormsAuthenticationTicket and redirects the user back to the current page. This causes all subsequent requests (including the redirected request) to the application to be unauthenticated.

The SingleSignOut Url is used by CasAuthentication.SingleSignOut() to perform the same functionality as FormsAuthentication.SignOut() with the additional step of notifying the CAS server that the CAS TicketGrantingTicket (TGT) should be invalid for subsequent authentication requests against the CAS server from the same browser session.

If your CAS server and other web application clients are configured to support it, the CAS server will attempt to issue requests to all other services informing them to destroy the ServiceTicket (ST) generated using that TicketGrantingTicket (TGT). This part of the process is fairly brittle and requires careful configuration on the CAS server and at each application to succeed. Errors and warnings will not be reported back to the web application requesting SingleSignOut.

The CAS Server will silently redirect back to the current page after completing (or attempting to complete) the SingleSignOut request.

  • UrlUtil.ConstructSingleSignOutRedirectUrl()
    • HttpUtility.UrlEncode(UrlUtil.ConstructServiceUrl(gateway := false))

      https://casserver/cas/logout
         ?service=https%3a%2f%2fappserver%2fexample%2fdefault.aspx

Proxy Url Methods

This method generates a Url to the CAS server requesting a proxy ticket for the targetService supplied. If the proxyGrantingTicketId validates, the CAS server will return a proxy ticket which can be appended to the targetService url in a subsequent request.

  • UrlUtil.ConstructProxyTicketRequestUrl(proxyGrantingTicketId := "SAMPLETICKET", targetService := "http://foreignservice/")

    https://casserver/cas/proxy
       ?pgt=SAMPLETICKET
       &targetService=http%3a%2f%2fforeignservice%2f

To actually perform a proxy redirect, use one of the CasAuthentication.ProxyRedirect(...) methods. The call hierarchy of a ProxyRedirect is as follows:

  • CasAuthentication.ProxyRedirect(url := "http://foreignservice/", proxyTicketUrlParameter := @proxyTicketUrlParameter(default = "ticket"), endResponse := @endResponse)
    • HttpContext.Current.Response.Redirect(url := UrlUtil.GetProxyRedirectUrl(targetService := url, proxyTicketUrlParameter := proxyTicketUrlParameter), endResponse := endResponse)
      • CasAuthentication.GetProxyTicketIdFor(targetServiceUrl := UrlUtil.ResolveUrl(url := targetService))
        • HttpUtil.PerformHttpGet(url := UrlUtil.ConstructProxyTicketRequestUrl(proxyGrantingTicketId := casTicket.ProxyGrantingTicket, targetService := targetServiceUrl), requireHttp200 := true)

Notes

  • gatewayResponse and proxyResponse are DotNetCasClient-specific parameters. These are not meaningful to the CAS server and should not be used by your application. These parameters are added to outbound CAS requests as encoded Url parameters. In certain circumstances, the CAS server will redirect back to the decoded Urls. When the CasAuthenticationModule detects these inbound redirected requests from the CAS server, it knows to apply certain logic relating to gateway authentication support and proxy ticket support.