ILIAS  Release_4_1_x_branch Revision 61804
 All Data Structures Namespaces Files Functions Variables Groups Pages
Modules | Functions | Variables
CAS Basic client features (CAS 1.0, Service Tickets)
Implementation
+ Collaboration diagram for CAS Basic client features (CAS 1.0, Service Tickets):

Modules

 CAS Proxy features (CAS 2.0, Proxy Granting Tickets)
 Callback from the CAS server
 PGT storage
 CAS proxied client features (CAS 2.0, Proxy Tickets)
 Miscellaneous

Functions

 CASClient::getST ()
 This method returns the Service Ticket provided in the URL of the request.
 CASClient::setST ($st)
 This method stores the Service Ticket.
 CASClient::hasST ()
 This method tells if a Service Ticket was stored.
 CASClient::setCasServerCert ($cert)
 Set the certificate of the CAS server.
 CASClient::setCasServerCACert ($cert)
 Set the CA certificate of the CAS server.
 CASClient::setNoCasServerValidation ()
 Set no SSL validation for the CAS server.
 CASClient::validateST ($validate_url, &$text_response, &$tree_response)
 This method is used to validate a ST; halt on failure, and sets $validate_url, $text_reponse and $tree_response on success.
 CASClient::validateSA ($validate_url, &$text_response, &$tree_response)
 This method is used to validate a SAML TICKET; halt on failure, and sets $validate_url, $text_reponse and $tree_response on success.
 CASClient::setSessionAttributes ($text_response)
 This method will parse the DOM and pull out the attributes from the SAML payload and put them into an array, then put the array into the session.

Variables

 CASClient::$_st
 the Service Ticket provided in the URL of the request if present (empty otherwise).
 CASClient::$_cas_server_cert
 the certificate of the CAS server.
 CASClient::$_cas_server_ca_cert
 the certificate of the CAS server CA.
 CASClient::$_no_cas_server_validation
 Set to true not to validate the CAS server.

Detailed Description

Function Documentation

CASClient::getST ( )
private

This method returns the Service Ticket provided in the URL of the request.

Returns
The service ticket.

Definition at line 1298 of file client.php.

References CASClient\$_st.

Referenced by CASClient\isAuthenticated(), and CASClient\validateST().

{ return $this->_st; }

+ Here is the caller graph for this function:

CASClient::hasST ( )
private

This method tells if a Service Ticket was stored.

Returns
TRUE if a Service Ticket has been stored.

Definition at line 1314 of file client.php.

Referenced by CASClient\isAuthenticated().

{ return !empty($this->_st); }

+ Here is the caller graph for this function:

CASClient::setCasServerCACert (   $cert)

Set the CA certificate of the CAS server.

Parameters
$certthe PEM certificate of the CA that emited the cert of the server

Definition at line 1366 of file client.php.

{
$this->_cas_server_ca_cert = $cert;
}
CASClient::setCasServerCert (   $cert)

Set the certificate of the CAS server.

Parameters
$certthe PEM certificate

Definition at line 1356 of file client.php.

{
$this->_cas_server_cert = $cert;
}
CASClient::setNoCasServerValidation ( )

Set no SSL validation for the CAS server.

Definition at line 1374 of file client.php.

{
$this->_no_cas_server_validation = true;
}
CASClient::setSessionAttributes (   $text_response)
private

This method will parse the DOM and pull out the attributes from the SAML payload and put them into an array, then put the array into the session.

Parameters
$text_responsethe SAML payload.
Returns
bool TRUE when successfull and FALSE if no attributes a found

Definition at line 1600 of file client.php.

References $_SESSION, $result, domxml_open_mem(), SAML_ATTRIBUTES, phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().

{
phpCAS::traceBegin();
$result = FALSE;
if (isset($_SESSION[SAML_ATTRIBUTES])) {
phpCAS::trace("session attrs already set."); //testbml - do we care?
}
$attr_array = array();
if (($dom = domxml_open_mem($text_response))) {
$xPath = $dom->xpath_new_context();
$xPath->xpath_register_ns('samlp', 'urn:oasis:names:tc:SAML:1.0:protocol');
$xPath->xpath_register_ns('saml', 'urn:oasis:names:tc:SAML:1.0:assertion');
$nodelist = $xPath->xpath_eval("//saml:Attribute");
if($nodelist){
$attrs = $nodelist->nodeset;
foreach($attrs as $attr){
$xres = $xPath->xpath_eval("saml:AttributeValue", $attr);
$name = $attr->get_attribute("AttributeName");
$value_array = array();
foreach($xres->nodeset as $node){
$value_array[] = $node->get_content();
}
$attr_array[$name] = $value_array;
}
$_SESSION[SAML_ATTRIBUTES] = $attr_array;
// UGent addition...
foreach($attr_array as $attr_key => $attr_value) {
if(count($attr_value) > 1) {
$this->_attributes[$attr_key] = $attr_value;
phpCAS::trace("* " . $attr_key . "=" . $attr_value);
}
else {
$this->_attributes[$attr_key] = $attr_value[0];
phpCAS::trace("* " . $attr_key . "=" . $attr_value[0]);
}
}
$result = TRUE;
}else{
phpCAS::trace("SAML Attributes are empty");
$result = FALSE;
}
}
phpCAS::traceEnd($result);
return $result;
}

+ Here is the call graph for this function:

CASClient::setST (   $st)
private

This method stores the Service Ticket.

Parameters
$stThe Service Ticket.

Definition at line 1306 of file client.php.

Referenced by CASClient\wasPreviouslyAuthenticated().

{ $this->_st = $st; }

+ Here is the caller graph for this function:

CASClient::validateSA (   $validate_url,
$text_response,
$tree_response 
)
private

This method is used to validate a SAML TICKET; halt on failure, and sets $validate_url, $text_reponse and $tree_response on success.

These parameters are used later by CASClient::validatePGT() for CAS proxies.

Parameters
$validate_urlthe URL of the request to the CAS server.
$text_responsethe response of the CAS server, as is (XML text).
$tree_responsethe response of the CAS server, as a DOM XML tree.
Returns
bool TRUE when successfull, halt otherwise by calling CASClient::authError().

Definition at line 1522 of file client.php.

References $user, domxml_open_mem(), phpCAS\trace(), and phpCAS\traceBegin().

{
phpCAS::traceBegin();
// build the URL to validate the ticket
$validate_url = $this->getServerSamlValidateURL();
// open and read the URL
if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {
phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');
$this->authError('SA not validated', $validate_url, TRUE/*$no_response*/);
}
phpCAS::trace('server version: '.$this->getServerVersion());
// analyze the result depending on the version
switch ($this->getServerVersion()) {
case SAML_VERSION_1_1:
// read the response of the CAS server into a DOM object
if ( !($dom = domxml_open_mem($text_response))) {
phpCAS::trace('domxml_open_mem() failed');
$this->authError('SA not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
// read the root node of the XML tree
if ( !($tree_response = $dom->document_element()) ) {
phpCAS::trace('document_element() failed');
$this->authError('SA not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
// insure that tag name is 'Envelope'
if ( $tree_response->node_name() != 'Envelope' ) {
phpCAS::trace('bad XML root node (should be `Envelope\' instead of `'.$tree_response->node_name().'\'');
$this->authError('SA not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
// check for the NameIdentifier tag in the SAML response
if ( sizeof($success_elements = $tree_response->get_elements_by_tagname("NameIdentifier")) != 0) {
phpCAS::trace('NameIdentifier found');
$user = trim($success_elements[0]->get_content());
phpCAS::trace('user = `'.$user.'`');
$this->setUser($user);
$this->setSessionAttributes($text_response);
} else {
phpCAS::trace('no <NameIdentifier> tag found in SAML payload');
$this->authError('SA not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
break;
}
$this->renameSession($this->getSA());
// at this step, ST has been validated and $this->_user has been set,
phpCAS::traceEnd(TRUE);
return TRUE;
}

+ Here is the call graph for this function:

CASClient::validateST (   $validate_url,
$text_response,
$tree_response 
)
private

This method is used to validate a ST; halt on failure, and sets $validate_url, $text_reponse and $tree_response on success.

These parameters are used later by CASClient::validatePGT() for CAS proxies. Used for all CAS 1.0 validations

Parameters
$validate_urlthe URL of the request to the CAS server.
$text_responsethe response of the CAS server, as is (XML text).
$tree_responsethe response of the CAS server, as a DOM XML tree.
Returns
bool TRUE when successfull, halt otherwise by calling CASClient::authError().

Definition at line 1392 of file client.php.

References $user, CASClient\authError(), domxml_open_mem(), CASClient\getCallbackURL(), CASClient\getServerServiceValidateURL(), CASClient\getST(), CASClient\isProxy(), n, CASClient\readURL(), CASClient\setUser(), phpCAS\trace(), and phpCAS\traceBegin().

{
phpCAS::traceBegin();
// build the URL to validate the ticket
$validate_url = $this->getServerServiceValidateURL().'&ticket='.$this->getST();
if ( $this->isProxy() ) {
// pass the callback url for CAS proxies
$validate_url .= '&pgtUrl='.urlencode($this->getCallbackURL());
}
// open and read the URL
if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {
phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');
$this->authError('ST not validated',
$validate_url,
TRUE/*$no_response*/);
}
// analyze the result depending on the version
switch ($this->getServerVersion()) {
case CAS_VERSION_1_0:
if (preg_match('/^no\n/',$text_response)) {
phpCAS::trace('ST has not been validated');
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
FALSE/*$bad_response*/,
$text_response);
}
if (!preg_match('/^yes\n/',$text_response)) {
phpCAS::trace('ill-formed response');
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
// ST has been validated, extract the user name
$arr = preg_split('/\n/',$text_response);
$this->setUser(trim($arr[1]));
break;
case CAS_VERSION_2_0:
// read the response of the CAS server into a DOM object
if ( !($dom = domxml_open_mem($text_response))) {
phpCAS::trace('domxml_open_mem() failed');
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
// read the root node of the XML tree
if ( !($tree_response = $dom->document_element()) ) {
phpCAS::trace('document_element() failed');
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
// insure that tag name is 'serviceResponse'
if ( $tree_response->node_name() != 'serviceResponse' ) {
phpCAS::trace('bad XML root node (should be `serviceResponse\' instead of `'.$tree_response->node_name().'\'');
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
if ( sizeof($success_elements = $tree_response->get_elements_by_tagname("authenticationSuccess")) != 0) {
// authentication succeded, extract the user name
if ( sizeof($user_elements = $success_elements[0]->get_elements_by_tagname("user")) == 0) {
phpCAS::trace('<authenticationSuccess> found, but no <user>');
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
$user = trim($user_elements[0]->get_content());
phpCAS::trace('user = `'.$user);
$this->setUser($user);
} else if ( sizeof($failure_elements = $tree_response->get_elements_by_tagname("authenticationFailure")) != 0) {
phpCAS::trace('<authenticationFailure> found');
// authentication failed, extract the error code and message
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
FALSE/*$bad_response*/,
$text_response,
$failure_elements[0]->get_attribute('code')/*$err_code*/,
trim($failure_elements[0]->get_content())/*$err_msg*/);
} else {
phpCAS::trace('neither <authenticationSuccess> nor <authenticationFailure> found');
$this->authError('ST not validated',
$validate_url,
FALSE/*$no_response*/,
TRUE/*$bad_response*/,
$text_response);
}
break;
}
$this->renameSession($this->getST());
// at this step, ST has been validated and $this->_user has been set,
phpCAS::traceEnd(TRUE);
return TRUE;
}

+ Here is the call graph for this function:

Variable Documentation

CASClient::$_cas_server_ca_cert
private

the certificate of the CAS server CA.

Definition at line 1341 of file client.php.

CASClient::$_cas_server_cert
private

the certificate of the CAS server.

Definition at line 1333 of file client.php.

CASClient::$_no_cas_server_validation
private

Set to true not to validate the CAS server.

Definition at line 1349 of file client.php.

CASClient::$_st
private

the Service Ticket provided in the URL of the request if present (empty otherwise).

Written by CASClient::CASClient(), read by CASClient::getST() and CASClient::hasPGT().

Definition at line 1291 of file client.php.

Referenced by CASClient\getST().