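/*
 * Copyright 2011-2016 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.samples.cas.web;

import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.regex.Matcher;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jasig.cas.client.util.CommonUtils;
import org.springframework.security.cas.authentication.CasAuthenticationToken;

/**
 * <p>
 * {@link ProxyTicketSampleServlet} demonstrates how to obtain a proxy ticket and then use
 * it to make a remote call. To learn how proxy tickets work, see the <a
 * href="https://wiki.jasig.org/display/CAS/Proxy+CAS+Walkthrough">Proxy CAS
 * Walkthrough</a>
 * </p>
 * <p>
 * The ticket is sent to the target in the {@code ticket} query parameter and is echoed
 * into the rendered page so that the demonstration is visible. Echoing a ticket is a
 * property of this sample only; an application has no reason to display or log one.
 * </p>
 *
 * @author Rob Winch
 */
public final class ProxyTicketSampleServlet extends HttpServlet {

	private static final long serialVersionUID = -7720161771819727775L;

	/**
	 * The URL that is called with the proxy ticket; the service behind it authenticates
	 * the ticket. Built once in {@link #init()} from deployment configuration, never from
	 * request data.
	 */
	private String targetUrl;

	/**
	 * Obtains a proxy ticket for {@link #targetUrl}, fetches that URL with the ticket and
	 * writes the fetched page back with a short notice inserted.
	 *
	 * @param request the current request; its user principal must be a
	 * {@link CasAuthenticationToken}
	 * @param response receives the modified page, or a 401 error when the caller has no
	 * CAS authentication
	 * @throws ServletException if no proxy ticket could be obtained for the target URL
	 * @throws IOException if writing the response fails
	 */
	@Override
	protected void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		// NOTE: The CasAuthenticationToken can also be obtained using
		// SecurityContextHolder.getContext().getAuthentication()
		final Principal principal = request.getUserPrincipal();
		if (!(principal instanceof CasAuthenticationToken)) {
			// Covers both an anonymous request (null principal) and a principal from
			// another authentication mechanism; fail with a clear status instead of a
			// NullPointerException or ClassCastException.
			response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
					"CAS authentication is required");
			return;
		}
		final CasAuthenticationToken token = (CasAuthenticationToken) principal;

		// proxyTicket could be reused to make calls to the CAS service even if the
		// target url differs
		final String proxyTicket = token.getAssertion().getPrincipal()
				.getProxyTicketFor(targetUrl);
		if (proxyTicket == null) {
			// The CAS client can come back without a ticket (for example when the
			// assertion carries no proxy granting ticket); URLEncoder.encode(null, ..)
			// would otherwise fail with an unexplained NullPointerException.
			throw new ServletException("Could not obtain a proxy ticket for " + targetUrl);
		}

		// Make a remote call to ourself. This is a bit silly, but it works well to
		// demonstrate how to use proxy tickets.
		final String serviceUrl = targetUrl + "?ticket="
				+ URLEncoder.encode(proxyTicket, "UTF-8");
		String proxyResponse = CommonUtils.getResponseFromServer(serviceUrl, "UTF-8");

		// modify the response and write it out to inform the user that it was obtained
		// using a proxy ticket.
		proxyResponse = proxyResponse.replaceFirst("Secure Page",
				"Secure Page using a Proxy Ticket");
		final String notice = "<p>This page is rendered by " + getClass().getSimpleName()
				+ " by making a remote call to the Secure Page using a proxy ticket ("
				+ escapeHtml(proxyTicket) + ") and inserts this message. ";
		// replaceFirst treats '$' and '\' in the replacement as group references, so the
		// dynamic text is quoted to be inserted literally.
		proxyResponse = proxyResponse.replaceFirst("<p>", Matcher.quoteReplacement(notice));

		// The body was decoded as UTF-8 above; declare the same charset before asking for
		// the writer so it is not re-encoded with the container default.
		response.setContentType("text/html;charset=UTF-8");
		final PrintWriter writer = response.getWriter();
		writer.write(proxyResponse);
	}

	/**
	 * Initialize the target URL. It allows for the host to change based upon the
	 * "cas.service.host" system property. If the property is not set, the default is
	 * "localhost:8443".
	 *
	 * @throws ServletException if the superclass initialization fails
	 */
	@Override
	public void init() throws ServletException {
		super.init();
		String casServiceHost = System.getProperty("cas.service.host", "localhost:8443");
		targetUrl = "https://" + casServiceHost + "/cas-sample/secure/";
	}

	/**
	 * Escapes the characters that are significant in HTML text and attribute values so
	 * that a value can be placed into markup as plain text.
	 *
	 * @param value the text to escape; must not be {@code null}
	 * @return the escaped text
	 */
	private static String escapeHtml(String value) {
		final StringBuilder escaped = new StringBuilder(value.length() + 16);
		for (int i = 0; i < value.length(); i++) {
			final char c = value.charAt(i);
			switch (c) {
			case '&':
				escaped.append("&amp;");
				break;
			case '<':
				escaped.append("&lt;");
				break;
			case '>':
				escaped.append("&gt;");
				break;
			case '"':
				escaped.append("&quot;");
				break;
			case '\'':
				escaped.append("&#39;");
				break;
			default:
				escaped.append(c);
				break;
			}
		}
		return escaped.toString();
	}
}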