Tuesday, April 15, 2008

Standalone Java CAS Client

There's a variety of clients for CAS. The Java-based clients (JA-SIG, Yale, see JA-SIG website) typically handle the browser-based client interaction with CAS very well through ServletFilter implementations.

Now what about programmatic authentication, i.e. achieving authentication through non-browser based applications? There exists a CAS .NET client but I did not manage to find the appropriate Java implementation. So here goes - it is based on the Apache HttpClient.

In case I missed any existing implementation achieving the same purpose, let's look at the bright side: at least now I understand the CAS protocol :-)

My CAS client works within any application. It uses the HttpClient and behaves like a browser client as CAS requires cookie support.

Here's the code:


import org.apache.commons.httpclient.Header;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.log4j.Logger;

/**
* The CasClient allows users to programmatically login
* to CAS protected services based on the CAS 2 protocol.
* This client behaves like a browser-client in terms of
* cookie handling.<br>
*
* @author Mathias Richter
*/
public class CasClient
{

public static Logger LOG = Logger.getLogger( CasClient.class );

public static final String LOGIN_URL_PART = "login";
public static final String SERVICE_VALIDATE_URL_PART = "serviceValidate";
public static final String TICKET_BEGIN = "ticket=";
private static final String LT_BEGIN = "name=\"lt\" value=\"";
public static final String CAS_USER_BEGIN = "<cas:user>";
public static final String CAS_USER_END = "</cas:user>";

private HttpClient fClient;
private String fCasUrl;

/**
* Construct a new CasClient.
*
* @param casUrl The base URL of the CAS service to be used.
*/
public CasClient( String casBaseUrl )
{
this( new HttpClient(), casBaseUrl );
}

/**
* Construct a new CasClient which uses the specified HttpClient
* for its HTTP calls.
*
* @param client
* @param casBaseUrl
*/
public CasClient( HttpClient client, String casBaseUrl )
{
fClient = client;
fCasUrl = casBaseUrl;
}

/**
* Authenticate the specified username with the specified password.
* This will not yield any ticket, as no service is authenticated
* against. This wil just set the CAS cookie in this client upon
* successful authentication.
*
* @param username
* @param password
*/
public void authenticate( String username, String password )
{
authenticate( null, username, password );
}

/**
* Validate the specified service ticket against the specified service.
* If the ticket is valid, this will yield the clear text user name
* of the autenticated user.<br>
* Note that each service ticket issued by CAS can be used exactly once
* to validate.
*
* @param serviceUrl
* @param serviceTicket
*
* @return Clear text username of the authenticated user.
*/
public String validate( String serviceUrl, String serviceTicket )
{
String result = null;
PostMethod method = new PostMethod( fCasUrl + SERVICE_VALIDATE_URL_PART );
method.setParameter( "service", serviceUrl );
method.setParameter( "ticket", serviceTicket );
try
{
int statusCode = fClient.executeMethod(method);
if (statusCode != HttpStatus.SC_OK)
{
LOG.error( "Could not validate: " + method.getStatusLine() );
method.releaseConnection();
} else
{
result = extractUser( new String( method.getResponseBody() ) );
}
} catch ( Exception x )
{
LOG.error( "Could not validate: " + x.toString () );
x.printStackTrace();
}
method.releaseConnection();
return result;
}

/**
* Authenticate the specified user with the specified password against the
* specified service.
*
* @param serviceUrl May be null. If a url is specified, the authentication will happen against this service, yielding a service ticket which can be validated.
* @param username
* @param password
* @return A valid service ticket, if and only if the specified service URL is not null.
*/
public String authenticate( String serviceUrl, String username, String password )
{
String lt = getLt( serviceUrl );
if ( lt == null )
{
LOG.error( "Cannot retrieve LT from CAS. Aborting authentication for '" + username + "'" );
return null;
}
String result = null;
PostMethod method = new PostMethod( fCasUrl + LOGIN_URL_PART );
if ( serviceUrl != null ) // optional
method.setParameter( "service", serviceUrl );
method.setParameter( "_eventId", "submit" );
method.setParameter("username", username );
method.setParameter("password", password );
method.setParameter("lt", lt );
method.setParameter( "gateway", "true" );
try
{
fClient.executeMethod(method);
if ( serviceUrl == null )
{
if ( extractLt( new String( method.getResponseBody() ) ) != null ) // if CAS does not return a login page with an LT authentication was successful
{
LOG.error( "Authentication for '" + username + "' unsuccessful" );
if ( LOG.isDebugEnabled() )
LOG.debug( "Authentication for '" + username + "' unsuccessful." );
} else
{
if ( LOG.isDebugEnabled() )
LOG.debug( "Authentication for '" + username + "' unsuccessful." );
}
} else
{
Header h = method.getResponseHeader( "Location" );
if ( h != null )
result = extractServiceTicket( h.getValue() );
if ( result == null )
LOG.error( "Authentication for '" + username + "' unsuccessful." );
}
} catch ( Exception x )
{
LOG.error( "Could not authenticate'" + username + "':" + x.toString () );
}
method.releaseConnection();
return result;
}

/**
* Helper method to extract the user name from a "service validate" call to CAS.
*
* @param data Response data.
* @return The clear text username, if it could be extracted, null otherwise.
*/
protected String extractUser( String data )
{
String user = null;
int start = data.indexOf( CAS_USER_BEGIN );
if ( start >= 0 )
{
start += CAS_USER_BEGIN.length();
int end = data.indexOf( CAS_USER_END );
if ( end > start )
user = data.substring( start, end );
else
LOG.warn( "Could not extract username from CAS validation response. Raw data is: '" + data + "'" );
} else
{
LOG.warn( "Could not extract username from CAS validation response. Raw data is: '" + data + "'" );
}
return user;
}

/**
* Helper method to extract the service ticket from a login call to CAS.
*
* @param data Response data.
* @return The service ticket, if it could be extracted, null otherwise.
*/
protected String extractServiceTicket( String data )
{
String serviceTicket = null;
int start = data.indexOf( TICKET_BEGIN );
if ( start > 0 )
{
start += TICKET_BEGIN.length();
serviceTicket = data.substring( start );
}
return serviceTicket;
}

/**
* Helper method to extract the LT from a login form from CAS.
*
* @param data Response data.
* @return The LT, if it could be extracted, null otherwise.
*/
protected String extractLt( String data )
{
String token = null;
int start = data.indexOf( LT_BEGIN );
if ( start < 0 )
{
LOG.error( "Could not obtain LT token from CAS: LT Token not found in response." );
} else
{
start += LT_BEGIN.length();
int end = data.indexOf( "\"", start );
token = data.substring( start, end );
}
return token;
}

/**
* This method requests the original login form from CAS.
* This form contains an LT, an initial token that must be
* presented to CAS upon sending it an authentication request
* with credentials.<br>
* If a service URL is provided (which is optional), this method
* will post the URL such that CAS authenticates against the
* specified service when a subsequent authentication request is
* sent.
*
* @param serviceUrl
* @return The LT token if it could be extracted from the CAS response.
*/
protected String getLt( String serviceUrl )
{
String lt = null;
HttpMethod method = null;
if ( serviceUrl == null )
method = new GetMethod( fCasUrl + LOGIN_URL_PART );
else
{
method = new PostMethod( fCasUrl + LOGIN_URL_PART );
( ( PostMethod ) method ).setParameter( "service", serviceUrl );
}
try
{
int statusCode = fClient.executeMethod(method);
if (statusCode != HttpStatus.SC_OK)
{
LOG.error( "Could not obtain LT token from CAS: " + method.getStatusLine() );
method.releaseConnection();
} else
{
Object o = method.getResponseHeaders() ;
return extractLt( new String( method.getResponseBody() ) );
}
} catch ( Exception x )
{
LOG.error( "Could not obtain LT token from CAS: " + x.toString () );
}
method.releaseConnection();
return lt;
}

}



12 comments:

Anonymous said...

hey - just wanted to let you know i was solving this same problem and got stuck... i found your code via google and plunked it in, a few tweaks, and it worked! i switched back to mine and stepped through until i found the problem: I'd used method.setRequestBody( some "NameValuePair"s) instead of method.setParameter. Apparently I must've been stomping on the cookie or something... I'm not sure... but that change made the difference and having your working code was great! :)

Anonymous said...

Thank you for posting.

steve cook said...

Any chance you could post sample code using your client?
Thanks
Steve

shekhar said...

I am not receiving the ticketId, only serviceUrl is received from CAS server.
Can you help

shekhar said...

adding parameter
execution=e1s1
solves the problem.

But unaware of the reason.
If you find any better solution please reply.

Harkomal Singh said...

I found it very helpful.

I am able to get response for serviceValidate url, but it gives me user in encrypted format like



JJuH5FMVz6Lsq+4xwIpe39iCZx0=



I know my user/pass is admin/admin, how can we decrypt it to orginal username.

Thanks,

Anonymous said...

Hi,
what does this snippet have? I'd like to use it for some open source coding if possible.

Anonymous said...

Hi,
what license does this snippet have? I'd like to use it for some open source coding if possible.

Mathias said...

Feel free to use this code any way you want, if it works for you as is. Maybe a mention in your open source project's readme would be nice.

Paresh Maru said...

I downloaded your program from google code and configured for my standalone sample program.

My cas is hosted at http://localhost:8080/cas

My app is hosted at http://localhost:8080/myapp

for Constructor i am passing cas URL

for authenticate method I am passing myapp URL

however I am always getting HTTP status 500

rajdeo kumar said...

Hi,mathiasrichter

I am trying to use user code but not able to get the ticket from the CAS. I am geeting the 302 status code.

rajdeo kumar said...

Hi,mathiasrichter

I am trying to use user code but not able to get the ticket from the CAS. I am geeting the 302 status code. please suggest.

regards
Rajdeo.kumar