Package net.shibboleth.idp.cas.ticket.impl

Class EncodingTicketService

java.lang.Object
net.shibboleth.idp.cas.ticket.impl.AbstractTicketService
net.shibboleth.idp.cas.ticket.impl.EncodingTicketService
All Implemented Interfaces:
TicketService
public class EncodingTicketService extends AbstractTicketService
Ticket service that uses two different strategies for ticket persistence:
  1. Service tickets, proxy tickets, and root proxy-granting tickets are persisted by serializing ticket data and encrypting it into the opaque part of the ticket ID using a DataSealer.
  2. Chained proxy-granting tickets are persisted using a StorageService.

NOTE: The service tickets, proxy tickets, and root proxy-granting tickets produced by this component do not support one-time use. More precisely, removeServiceTicket(String) and removeProxyTicket(String) simply return a decoded ticket and do not invalidate the ticket in any way. Since there is no backing store for those types of tickets, they can be reused until one of the following conditions is met:

  1. The value of Ticket.getExpirationInstant() is exceeded.
  2. The DataSealer key used to encrypt data is revoked.
Since:
3.3.0

  • Field Details

    • SERVICE_TICKET_PREFIX

      @Nonnull public static final String SERVICE_TICKET_PREFIX
      Default service ticket prefix.
      See Also:

    • PROXY_TICKET_PREFIX

      @Nonnull public static final String PROXY_TICKET_PREFIX
      Default proxy ticket prefix.
      See Also:

    • PROXY_GRANTING_TICKET_PREFIX

      @Nonnull public static final String PROXY_GRANTING_TICKET_PREFIX
      Default proxy granting ticket prefix.
      See Also:

    • NOT_USED

      @Nonnull private static final String NOT_USED
      Non-null marker value for unused ServiceTicket#id field and storage context name.
      See Also:

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • dataSealer

      @Nonnull private final DataSealer dataSealer
      Data sealer that handles encryption of serialized service ticket data.

    • serviceTicketPrefix

      @Nonnull @NotEmpty private String serviceTicketPrefix
      Service ticket prefix.

    • proxyTicketPrefix

      @Nonnull @NotEmpty private String proxyTicketPrefix
      Proxy ticket prefix.

    • proxyGrantingTicketPrefix

      @Nonnull @NotEmpty private String proxyGrantingTicketPrefix
      Proxy granting ticket prefix.

  • Constructor Details

  • Method Details

    • setServiceTicketPrefix

      public void setServiceTicketPrefix(@Nonnull @NotEmpty String prefix)
      Sets the service ticket prefix. Default is ST.
      Parameters:
      prefix - Service ticket prefix.

    • setProxyTicketPrefix

      public void setProxyTicketPrefix(@Nonnull @NotEmpty String prefix)
      Sets the proxy ticket prefix. Default is PT.
      Parameters:
      prefix - Proxy ticket prefix.

    • setProxyGrantingTicketPrefix

      public void setProxyGrantingTicketPrefix(@Nonnull @NotEmpty String prefix)
      Sets the proxy granting ticket prefix. Default is PGT-E. Note that this MUST be distinct from the proxy granting ticket prefix used for regular proxy-granting ticket identifiers.
      Parameters:
      prefix - Proxy granting ticket prefix.

    • createServiceTicket

      @Nonnull public ServiceTicket createServiceTicket(@Nonnull String id, @Nonnull Instant expiry, @Nonnull String service, @Nullable TicketState state, boolean renew)
      Creates and stores a ticket for the given service.
      Parameters:
      id - ID of ticket to create.
      expiry - Expiration date of service ticket.
      service - Service for which ticket is granted.
      state - Additional state to be stored with the ticket.
      renew - True to indicate the ticket was generated in response to a forced authentication, false otherwise.
      Returns:
      Created service ticket.

    • removeServiceTicket

      @Nullable public ServiceTicket removeServiceTicket(@Nonnull String id)
      Removes the service ticket with the given identifier.
      Parameters:
      id - Identifier of ticket to remove.
      Returns:
      Removed ticket or null if not found.

    • createProxyTicket

      @Nonnull public ProxyTicket createProxyTicket(@Nonnull String id, @Nonnull Instant expiry, @Nonnull ProxyGrantingTicket pgt, @Nonnull String service)
      Creates and stores a proxy ticket for the given service.
      Parameters:
      id - ID of proxy-granting ticket to create.
      expiry - Expiration date of proxy ticket.
      pgt - Proxy-granting ticket used to create proxy ticket.
      service - Service for which ticket is granted.
      Returns:
      Created proxy ticket.

    • removeProxyTicket

      @Nullable public ProxyTicket removeProxyTicket(@Nonnull String id)
      Removes the proxy ticket with the given identifier.
      Parameters:
      id - Identifier of ticket to remove.
      Returns:
      Removed ticket or null if not found.

    • createProxyGrantingTicket

      @Nonnull public ProxyGrantingTicket createProxyGrantingTicket(@Nonnull String id, @Nonnull Instant expiry, @Nonnull ServiceTicket serviceTicket, @Nonnull String pgtUrl)
      Creates a top-level proxy-granting ticket from a service ticket.
      Specified by:
      createProxyGrantingTicket in interface TicketService
      Overrides:
      createProxyGrantingTicket in class AbstractTicketService
      Parameters:
      id - ID of proxy-granting ticket to create.
      expiry - Expiration date of proxy-granting ticket.
      serviceTicket - Successfully-validated service ticket.
      pgtUrl - Proxy callback URL used to authenticate and identify the proxying service.
      Returns:
      Created proxy-granting ticket.

    • fetchProxyGrantingTicket

      @Nullable public ProxyGrantingTicket fetchProxyGrantingTicket(@Nonnull String id)
      Retrieves a proxy-granting ticket by its ID.
      Specified by:
      fetchProxyGrantingTicket in interface TicketService
      Overrides:
      fetchProxyGrantingTicket in class AbstractTicketService
      Parameters:
      id - Proxy-granting ticket ID.
      Returns:
      Proxy-granting ticket or null if not found.

    • removeProxyGrantingTicket

      @Nullable public ProxyGrantingTicket removeProxyGrantingTicket(@Nonnull String id)
      Removes the proxy-granting ticket with the given identifier.
      Specified by:
      removeProxyGrantingTicket in interface TicketService
      Overrides:
      removeProxyGrantingTicket in class AbstractTicketService
      Parameters:
      id - Identifier of ticket to remove.
      Returns:
      Removed ticket or null if not found.

    • encode

      @Nonnull <T extends Ticket> T encode(@Nonnull Class<T> ticketClass, @Nonnull T ticket, @Nonnull String prefix)
      Encode a ticket.
      Type Parameters:
      T - type of ticket
      Parameters:
      ticketClass - class of ticket
      ticket - ticket
      prefix - ticket ID prefix
      Returns:
      ticket encoded ticket

    • decode

      @Nullable private <T extends Ticket> T decode(@Nonnull Class<T> ticketClass, @Nonnull String id, @Nonnull String prefix)
      Decode a ticket.
      Type Parameters:
      T - type of ticket
      Parameters:
      ticketClass - class of ticket
      id - ticket ID
      prefix - ticket ID prefix
      Returns:
      decoded ticket