ILIAS  Release_4_1_x_branch Revision 61804
 All Data Structures Namespaces Files Functions Variables Groups Pages
Functions | Variables
Authentication
Implementation
+ Collaboration diagram for Authentication:

Functions

 CASClient::setUser ($user)
 This method sets the CAS user's login name.
 CASClient::getUser ()
 This method returns the CAS user's login name.
 CASClient::setAttributes ($attributes)
 CASClient::getAttributes ()
 CASClient::hasAttributes ()
 CASClient::hasAttribute ($key)
 CASClient::getAttribute ($key)
 CASClient::renewAuthentication ()
 This method is called to renew the authentication of the user If the user is authenticated, renew the connection If not, redirect to CAS.
 CASClient::forceAuthentication ()
 This method is called to be sure that the user is authenticated.
 CASClient::setCacheTimesForAuthRecheck ($n)
 Set the number of times authentication will be cached before rechecked.
 CASClient::checkAuthentication ()
 This method is called to check whether the user is authenticated or not.
 CASClient::isAuthenticated ()
 This method is called to check if the user is authenticated (previously or by tickets given in the URL).
 CASClient::isSessionAuthenticated ()
 This method tells if the current session is authenticated.
 CASClient::wasPreviouslyAuthenticated ()
 This method tells if the user has already been (previously) authenticated by looking into the session variables.
 CASClient::redirectToCas ($gateway=false, $renew=false)
 This method is used to redirect the client to the CAS server.
 CASClient::logout ($params)
 This method is used to logout from CAS.
 CASClient::isLogoutRequest ()
 CASClient::isLogoutRequestAllowed ()
 CASClient::handleLogoutRequests ($check_client=true, $allowed_clients=false)
 This method handles logout requests.
 CASClient::redirectToCas ($gateway)
 This method is used to redirect the client to the CAS server.

Variables

 CASClient::$_user
 The Authenticated user.
 CASClient::$_attributes
 The Authenticated users attributes.
 CASClient::$_cache_times_for_auth_recheck
 An integer that gives the number of times authentication will be cached before rechecked.

Detailed Description

Function Documentation

CASClient::checkAuthentication ( )

This method is called to check whether the user is authenticated or not.

Returns
TRUE when the user is authenticated, FALSE otherwise.

Definition at line 924 of file client.php.

References $_SESSION, $res, CASClient\isAuthenticated(), CASClient\redirectToCas(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().

{
phpCAS::traceBegin();
if ( $this->isAuthenticated() ) {
phpCAS::trace('user is authenticated');
$res = TRUE;
} else if (isset($_SESSION['phpCAS']['auth_checked'])) {
// the previous request has redirected the client to the CAS server with gateway=true
unset($_SESSION['phpCAS']['auth_checked']);
$res = FALSE;
} else {
// $_SESSION['phpCAS']['auth_checked'] = true;
// $this->redirectToCas(TRUE/* gateway */);
// // never reached
// $res = FALSE;
// avoid a check against CAS on every request
if (! isset($_SESSION['phpCAS']['unauth_count']) )
$_SESSION['phpCAS']['unauth_count'] = -2; // uninitialized
if (($_SESSION['phpCAS']['unauth_count'] != -2 && $this->_cache_times_for_auth_recheck == -1)
|| ($_SESSION['phpCAS']['unauth_count'] >= 0 && $_SESSION['phpCAS']['unauth_count'] < $this->_cache_times_for_auth_recheck))
{
$res = FALSE;
if ($this->_cache_times_for_auth_recheck != -1)
{
$_SESSION['phpCAS']['unauth_count']++;
phpCAS::trace('user is not authenticated (cached for '.$_SESSION['phpCAS']['unauth_count'].' times of '.$this->_cache_times_for_auth_recheck.')');
}
else
{
phpCAS::trace('user is not authenticated (cached for until login pressed)');
}
}
else
{
$_SESSION['phpCAS']['unauth_count'] = 0;
$_SESSION['phpCAS']['auth_checked'] = true;
phpCAS::trace('user is not authenticated (cache reset)');
$this->redirectToCas(TRUE/* gateway */);
// never reached
$res = FALSE;
}
}
phpCAS::traceEnd($res);
return $res;
}

+ Here is the call graph for this function:

CASClient::forceAuthentication ( )

This method is called to be sure that the user is authenticated.

When not authenticated, halt by redirecting to the CAS server; otherwise return TRUE.

Returns
TRUE when the user is authenticated; otherwise halt.

Definition at line 878 of file client.php.

References $_SESSION, $res, CASClient\isAuthenticated(), CASClient\redirectToCas(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().

{
phpCAS::traceBegin();
if ( $this->isAuthenticated() ) {
// the user is authenticated, nothing to be done.
phpCAS::trace('no need to authenticate');
$res = TRUE;
} else {
// the user is not authenticated, redirect to the CAS server
if (isset($_SESSION['phpCAS']['auth_checked'])) {
unset($_SESSION['phpCAS']['auth_checked']);
}
$this->redirectToCas(FALSE/* no gateway */);
// never reached
$res = FALSE;
}
phpCAS::traceEnd($res);
return $res;
}

+ Here is the call graph for this function:

CASClient::getAttribute (   $key)

Definition at line 846 of file client.php.

References CASClient\hasAttribute().

{
if($this->hasAttribute($key)) {
return $this->_attributes[$key];
}
}

+ Here is the call graph for this function:

CASClient::getAttributes ( )

Definition at line 833 of file client.php.

References CASClient\$_attributes, and phpCAS\error().

Referenced by CASClient\isAuthenticated().

{
if ( empty($this->_user) ) { // if no user is set, there shouldn't be any attributes also...
phpCAS::error('this method should be used only after '.__CLASS__.'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()');
}
return $this->_attributes;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

CASClient::getUser ( )

This method returns the CAS user's login name.

Warning
should be called only after CASClient::forceAuthentication() or CASClient::isAuthenticated(), otherwise halt with an error.
Returns
the login name of the authenticated user

Definition at line 805 of file client.php.

References CASClient\$_user, and phpCAS\error().

Referenced by CASClient\isAuthenticated().

{
if ( empty($this->_user) ) {
phpCAS::error('this method should be used only after '.__CLASS__.'::forceAuthentication() or '.__CLASS__.'::isAuthenticated()');
}
return $this->_user;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

CASClient::handleLogoutRequests (   $check_client = true,
  $allowed_clients = false 
)

This method handles logout requests.

Parameters
$check_clienttrue to check the client bofore handling the request, false not to perform any access control. True by default.
$allowed_clientsan array of host names allowed to send logout requests. By default, only the CAs server (declared in the constructor) will be allowed.

Definition at line 1202 of file client.php.

References $_COOKIE, $_GET, $_POST, $client, phpCAS\error(), exit, CASClient\getServerHostname(), CASClient\isLogoutRequest(), phpCAS\log(), phpCAS\traceBegin(), phpCAS\traceEnd(), and phpCAS\traceExit().

{
phpCAS::traceBegin();
if (!$this->isLogoutRequest()) {
phpCAS::log("Not a logout request");
phpCAS::traceEnd();
return;
}
if(!$this->_start_session){
phpCAS::log("phpCAS can't handle logout requests if it does not manage the session.");
}
phpCAS::log("Logout requested");
phpCAS::log("SAML REQUEST: ".$_POST['logoutRequest']);
if ($check_client) {
if (!$allowed_clients) {
$allowed_clients = array( $this->getServerHostname() );
}
$client_ip = $_SERVER['REMOTE_ADDR'];
$client = gethostbyaddr($client_ip);
phpCAS::log("Client: ".$client."/".$client_ip);
$allowed = false;
foreach ($allowed_clients as $allowed_client) {
if (($client == $allowed_client) or ($client_ip == $allowed_client)) {
phpCAS::log("Allowed client '".$allowed_client."' matches, logout request is allowed");
$allowed = true;
break;
} else {
phpCAS::log("Allowed client '".$allowed_client."' does not match");
}
}
if (!$allowed) {
phpCAS::error("Unauthorized logout request from client '".$client."'");
printf("Unauthorized!");
phpCAS::traceExit();
exit();
}
} else {
phpCAS::log("No access control set");
}
// Extract the ticket from the SAML Request
preg_match("|<samlp:SessionIndex>(.*)</samlp:SessionIndex>|", $_POST['logoutRequest'], $tick, PREG_OFFSET_CAPTURE, 3);
$wrappedSamlSessionIndex = preg_replace('|<samlp:SessionIndex>|','',$tick[0][0]);
$ticket2logout = preg_replace('|</samlp:SessionIndex>|','',$wrappedSamlSessionIndex);
phpCAS::log("Ticket to logout: ".$ticket2logout);
$session_id = preg_replace('/[^\w]/','',$ticket2logout);
phpCAS::log("Session id: ".$session_id);
// destroy a possible application session created before phpcas
if(session_id()){
session_unset();
session_destroy();
}
// fix session ID
session_id($session_id);
$_COOKIE[session_name()]=$session_id;
$_GET[session_name()]=$session_id;
// Overwrite session
session_start();
session_unset();
session_destroy();
printf("Disconnected!");
phpCAS::traceExit();
exit();
}

+ Here is the call graph for this function:

CASClient::hasAttribute (   $key)

Definition at line 843 of file client.php.

Referenced by CASClient\getAttribute().

{ return (is_array($this->_attributes) && array_key_exists($key, $this->_attributes)); }

+ Here is the caller graph for this function:

CASClient::hasAttributes ( )

Definition at line 840 of file client.php.

{ return !empty($this->_attributes); }
CASClient::isAuthenticated ( )

This method is called to check if the user is authenticated (previously or by tickets given in the URL).

Returns
TRUE when the user is authenticated. Also may redirect to the same URL without the ticket.

Definition at line 981 of file client.php.

References $_SESSION, $res, CASClient\getAttributes(), CASClient\getPGT(), CASClient\getPT(), CASClient\getSA(), CASClient\getST(), CASClient\getURL(), CASClient\getUser(), CASClient\hasPT(), CASClient\hasSA(), CASClient\hasST(), CASClient\isProxy(), phpCAS\log(), phpCAS\trace(), phpCAS\traceBegin(), phpCAS\traceEnd(), CASClient\validatePGT(), CASClient\validatePT(), and CASClient\wasPreviouslyAuthenticated().

Referenced by CASClient\checkAuthentication(), CASClient\forceAuthentication(), and CASClient\renewAuthentication().

{
phpCAS::traceBegin();
$res = FALSE;
$validate_url = '';
if ( $this->wasPreviouslyAuthenticated() ) {
if($this->hasST() || $this->hasPT() || $this->hasSA()){
// User has a additional ticket but was already authenticated
phpCAS::trace('ticket was present and will be discarded, use renewAuthenticate()');
header('Location: '.$this->getURL());
phpCAS::log( "Prepare redirect to remove ticket: ".$this->getURL() );
}else{
// the user has already (previously during the session) been
// authenticated, nothing to be done.
phpCAS::trace('user was already authenticated, no need to look for tickets');
}
$res = TRUE;
}
else {
if ( $this->hasST() ) {
// if a Service Ticket was given, validate it
phpCAS::trace('ST `'.$this->getST().'\' is present');
$this->validateST($validate_url,$text_response,$tree_response); // if it fails, it halts
phpCAS::trace('ST `'.$this->getST().'\' was validated');
if ( $this->isProxy() ) {
$this->validatePGT($validate_url,$text_response,$tree_response); // idem
phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');
$_SESSION['phpCAS']['pgt'] = $this->getPGT();
}
$_SESSION['phpCAS']['user'] = $this->getUser();
$res = TRUE;
}
elseif ( $this->hasPT() ) {
// if a Proxy Ticket was given, validate it
phpCAS::trace('PT `'.$this->getPT().'\' is present');
$this->validatePT($validate_url,$text_response,$tree_response); // note: if it fails, it halts
phpCAS::trace('PT `'.$this->getPT().'\' was validated');
if ( $this->isProxy() ) {
$this->validatePGT($validate_url,$text_response,$tree_response); // idem
phpCAS::trace('PGT `'.$this->getPGT().'\' was validated');
$_SESSION['phpCAS']['pgt'] = $this->getPGT();
}
$_SESSION['phpCAS']['user'] = $this->getUser();
$res = TRUE;
}
elseif ( $this->hasSA() ) {
// if we have a SAML ticket, validate it.
phpCAS::trace('SA `'.$this->getSA().'\' is present');
$this->validateSA($validate_url,$text_response,$tree_response); // if it fails, it halts
phpCAS::trace('SA `'.$this->getSA().'\' was validated');
$_SESSION['phpCAS']['user'] = $this->getUser();
$_SESSION['phpCAS']['attributes'] = $this->getAttributes();
$res = TRUE;
}
else {
// no ticket given, not authenticated
phpCAS::trace('no ticket found');
}
if ($res) {
// if called with a ticket parameter, we need to redirect to the app without the ticket so that CAS-ification is transparent to the browser (for later POSTS)
// most of the checks and errors should have been made now, so we're safe for redirect without masking error messages.
header('Location: '.$this->getURL());
phpCAS::log( "Prepare redirect to : ".$this->getURL() );
}
}
phpCAS::traceEnd($res);
return $res;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

CASClient::isLogoutRequest ( )
private
Returns
true if the current request is a logout request.

Definition at line 1183 of file client.php.

References $_POST.

Referenced by CASClient\CASClient(), and CASClient\handleLogoutRequests().

{
return !empty($_POST['logoutRequest']);
}

+ Here is the caller graph for this function:

CASClient::isLogoutRequestAllowed ( )
private
Returns
true if a logout request is allowed.

Definition at line 1191 of file client.php.

{
}
CASClient::isSessionAuthenticated ( )

This method tells if the current session is authenticated.

Returns
true if authenticated based soley on $_SESSION variable
Since
0.4.22 by Brendan Arnold

Definition at line 1057 of file client.php.

References $_SESSION.

Referenced by CASClient\wasPreviouslyAuthenticated().

{
return !empty($_SESSION['phpCAS']['user']);
}

+ Here is the caller graph for this function:

CASClient::logout (   $params)

This method is used to logout from CAS.

$params an array that contains the optional url and service parameters that will be passed to the CAS server

Definition at line 1154 of file client.php.

References CAS_STR_LOGOUT, CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED, exit, CASClient\getServerLogoutURL(), CASClient\getString(), phpCAS\log(), CASClient\printHTMLFooter(), CASClient\printHTMLHeader(), phpCAS\traceBegin(), and phpCAS\traceExit().

{
phpCAS::traceBegin();
$cas_url = $this->getServerLogoutURL();
$paramSeparator = '?';
if (isset($params['url'])) {
$cas_url = $cas_url . $paramSeparator . "url=" . urlencode($params['url']);
$paramSeparator = '&';
}
if (isset($params['service'])) {
$cas_url = $cas_url . $paramSeparator . "service=" . urlencode($params['service']);
}
header('Location: '.$cas_url);
phpCAS::log( "Prepare redirect to : ".$cas_url );
session_unset();
session_destroy();
$this->printHTMLHeader($this->getString(CAS_STR_LOGOUT));
printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);
$this->printHTMLFooter();
phpCAS::traceExit();
exit();
}

+ Here is the call graph for this function:

CASClient::redirectToCas (   $gateway)

This method is used to redirect the client to the CAS server.

It is used by CASClient::forceAuthentication() and CASClient::checkAuthentication().

Parameters
$gatewaytrue to check authentication, false to force it

Definition at line 743 of file client.php.

References CAS_STR_AUTHENTICATION_WANTED, CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED, exit, CASClient\getServerLoginURL(), CASClient\getString(), CASClient\printHTMLFooter(), CASClient\printHTMLHeader(), phpCAS\traceBegin(), and phpCAS\traceExit().

{
phpCAS::traceBegin();
$cas_url = $this->getServerLoginURL($gateway);
header('Location: '.$cas_url);
$this->printHTMLHeader($this->getString(CAS_STR_AUTHENTICATION_WANTED));
printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);
$this->printHTMLFooter();
phpCAS::traceExit();
exit();
}

+ Here is the call graph for this function:

CASClient::redirectToCas (   $gateway = false,
  $renew = false 
)

This method is used to redirect the client to the CAS server.

It is used by CASClient::forceAuthentication() and CASClient::checkAuthentication().

Parameters
$gatewaytrue to check authentication, false to force it
$renewtrue to force the authentication with the CAS server

Definition at line 1133 of file client.php.

References CAS_STR_AUTHENTICATION_WANTED, CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED, exit, CASClient\getServerLoginURL(), CASClient\getString(), phpCAS\log(), CASClient\printHTMLFooter(), CASClient\printHTMLHeader(), phpCAS\traceBegin(), and phpCAS\traceExit().

Referenced by CASClient\checkAuthentication(), CASClient\forceAuthentication(), and CASClient\renewAuthentication().

{
phpCAS::traceBegin();
$cas_url = $this->getServerLoginURL($gateway,$renew);
header('Location: '.$cas_url);
phpCAS::log( "Redirect to : ".$cas_url );
$this->printHTMLHeader($this->getString(CAS_STR_AUTHENTICATION_WANTED));
printf('<p>'.$this->getString(CAS_STR_SHOULD_HAVE_BEEN_REDIRECTED).'</p>',$cas_url);
$this->printHTMLFooter();
phpCAS::traceExit();
exit();
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

CASClient::renewAuthentication ( )

This method is called to renew the authentication of the user If the user is authenticated, renew the connection If not, redirect to CAS.

Definition at line 858 of file client.php.

References $_SESSION, CASClient\isAuthenticated(), CASClient\redirectToCas(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().

{
phpCAS::traceBegin();
// Either way, the user is authenticated by CAS
if( isset( $_SESSION['phpCAS']['auth_checked'] ) )
unset($_SESSION['phpCAS']['auth_checked']);
if ( $this->isAuthenticated() ) {
phpCAS::trace('user already authenticated; renew');
$this->redirectToCas(false,true);
} else {
$this->redirectToCas();
}
phpCAS::traceEnd();
}

+ Here is the call graph for this function:

CASClient::setAttributes (   $attributes)

Definition at line 830 of file client.php.

Referenced by CASClient\wasPreviouslyAuthenticated().

{ $this->_attributes = $attributes; }

+ Here is the caller graph for this function:

CASClient::setCacheTimesForAuthRecheck (   $n)

Set the number of times authentication will be cached before rechecked.

Parameters
$nan integer.

Definition at line 914 of file client.php.

References $n.

{
$this->_cache_times_for_auth_recheck = $n;
}
CASClient::setUser (   $user)
private

This method sets the CAS user's login name.

Parameters
$userthe login name of the authenticated user.

Definition at line 793 of file client.php.

References $user.

Referenced by CASClient\validateST(), and CASClient\wasPreviouslyAuthenticated().

{
$this->_user = $user;
}

+ Here is the caller graph for this function:

CASClient::wasPreviouslyAuthenticated ( )
private

This method tells if the user has already been (previously) authenticated by looking into the session variables.

Note
This function switches to callback mode when needed.
Returns
TRUE when the user has already been authenticated; FALSE otherwise.

Definition at line 1072 of file client.php.

References $_SESSION, $auth, CASClient\callback(), CASClient\isCallbackMode(), CASClient\isProxy(), CASClient\isSessionAuthenticated(), CASClient\setAttributes(), CASClient\setPGT(), CASClient\setPT(), CASClient\setST(), CASClient\setUser(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().

Referenced by CASClient\isAuthenticated().

{
phpCAS::traceBegin();
if ( $this->isCallbackMode() ) {
$this->callback();
}
$auth = FALSE;
if ( $this->isProxy() ) {
// CAS proxy: username and PGT must be present
if ( $this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {
// authentication already done
$this->setUser($_SESSION['phpCAS']['user']);
$this->setPGT($_SESSION['phpCAS']['pgt']);
phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\', PGT = `'.$_SESSION['phpCAS']['pgt'].'\'');
$auth = TRUE;
} elseif ( $this->isSessionAuthenticated() && empty($_SESSION['phpCAS']['pgt']) ) {
// these two variables should be empty or not empty at the same time
phpCAS::trace('username found (`'.$_SESSION['phpCAS']['user'].'\') but PGT is empty');
// unset all tickets to enforce authentication
unset($_SESSION['phpCAS']);
$this->setST('');
$this->setPT('');
} elseif ( !$this->isSessionAuthenticated() && !empty($_SESSION['phpCAS']['pgt']) ) {
// these two variables should be empty or not empty at the same time
phpCAS::trace('PGT found (`'.$_SESSION['phpCAS']['pgt'].'\') but username is empty');
// unset all tickets to enforce authentication
unset($_SESSION['phpCAS']);
$this->setST('');
$this->setPT('');
} else {
phpCAS::trace('neither user not PGT found');
}
} else {
// `simple' CAS client (not a proxy): username must be present
if ( $this->isSessionAuthenticated() ) {
// authentication already done
$this->setUser($_SESSION['phpCAS']['user']);
if(isset($_SESSION['phpCAS']['attributes'])){
$this->setAttributes($_SESSION['phpCAS']['attributes']);
}
phpCAS::trace('user = `'.$_SESSION['phpCAS']['user'].'\'');
$auth = TRUE;
} else {
phpCAS::trace('no user found');
}
}
phpCAS::traceEnd($auth);
return $auth;
}

+ Here is the call graph for this function:

+ Here is the caller graph for this function:

Variable Documentation

CASClient::$_attributes
private

The Authenticated users attributes.

Written by CASClient::setAttributes(), read by CASClient::getAttributes().

Attention
client applications should use phpCAS::getAttributes().

Definition at line 828 of file client.php.

Referenced by CASClient\getAttributes().

CASClient::$_cache_times_for_auth_recheck
private

An integer that gives the number of times authentication will be cached before rechecked.

Definition at line 905 of file client.php.

CASClient::$_user
private

The Authenticated user.

Written by CASClient::setUser(), read by CASClient::getUser().

Attention
client applications should use phpCAS::getUser().

Definition at line 784 of file client.php.

Referenced by CASClient\getUser().