ILIAS  release_5-1 Revision 5.0.0-5477-g43f3e3fab5f
CAS Basic client features (CAS 1.0, Service Tickets)

Modules

 CAS Proxy features (CAS 2.0, Proxy Granting Tickets)
 
 CAS proxied client features (CAS 2.0, Proxy Tickets)
 
 Miscellaneous
 

Functions

 CASClient::getST ()
 This method returns the Service Ticket provided in the URL of the request.

 CASClient::setST ($st)
 This method stores the Service Ticket.

 CASClient::hasST ()
 This method tells if a Service Ticket was stored.

 CASClient::setCasServerCert ($cert)
 Set the certificate of the CAS server.

 CASClient::setCasServerCACert ($cert)
 Set the CA certificate of the CAS server.

 CASClient::setNoCasServerValidation ()
 Disable SSL validation of the CAS server.

 CASClient::validateST ($validate_url, &$text_response, &$tree_response)
 This method validates a ST; it halts on failure, and on success sets $validate_url, $text_response and $tree_response.

 CASClient::validateSA ($validate_url, &$text_response, &$tree_response)
 This method validates a SAML ticket; it halts on failure, and on success sets $validate_url, $text_response and $tree_response.

 CASClient::setSessionAttributes ($text_response)
 This method parses the DOM, pulls the attributes out of the SAML payload into an array, and stores that array in the session.


Variables

 CASClient::$_st
 the Service Ticket provided in the URL of the request if present (empty otherwise).

 CASClient::$_cas_server_cert
 the certificate of the CAS server.

 CASClient::$_cas_server_ca_cert
 the certificate of the CAS server CA.

 CASClient::$_no_cas_server_validation
 Set to true to skip validating the CAS server certificate.
 

Function Documentation

◆ getST()

CASClient::getST ( )
private

This method returns the Service Ticket provided in the URL of the request.

Returns
The service ticket.

Definition at line 1298 of file client.php.

{ return $this->_st; }

References CASClient\$_st.

Referenced by CASClient\isAuthenticated(), and CASClient\validateST().

◆ hasST()

CASClient::hasST ( )
private

This method tells if a Service Ticket was stored.

Returns
TRUE if a Service Ticket has been stored.

Definition at line 1314 of file client.php.

{ return !empty($this->_st); }

Referenced by CASClient\isAuthenticated().

◆ setCasServerCACert()

CASClient::setCasServerCACert (   $cert)

Set the CA certificate of the CAS server.

Parameters
$cert  the PEM certificate of the CA that emitted the certificate of the server

Definition at line 1366 of file client.php.

{
    $this->_cas_server_ca_cert = $cert;
}

◆ setCasServerCert()

CASClient::setCasServerCert (   $cert)

Set the certificate of the CAS server.

Parameters
$cert  the PEM certificate

Definition at line 1356 of file client.php.

{
    $this->_cas_server_cert = $cert;
}

◆ setNoCasServerValidation()

CASClient::setNoCasServerValidation ( )

Disable SSL validation of the CAS server.

Definition at line 1374 of file client.php.

{
    $this->_no_cas_server_validation = true;
}
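The three settings above decide whether the connection to the CAS server is authenticated at all. As an added example (not phpCAS or ILIAS code; the function name, file path and URL are constructed), here are the curl options that the weak setting and the corrected setting correspond to:

```php
<?php
// Added example, not phpCAS/ILIAS code: what setCasServerCACert() and
// setNoCasServerValidation() amount to at the transport layer, as the curl options used
// to fetch the validate URL. The function name, file path and URL are constructed.

// $caCertPath: PEM file of the CA that issued the CAS server certificate, or null for the
// system trust store. $noServerValidation: true mirrors setNoCasServerValidation().
function casValidateCurlOptions(string $validateUrl, ?string $caCertPath, bool $noServerValidation): array {
    if (strpos($validateUrl, 'https://') !== 0) {
        // over plain http the ticket and the server's yes/no answer travel in the clear
        throw new InvalidArgumentException('CAS validation must use https');
    }
    $opts = [
        CURLOPT_URL            => $validateUrl,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect must not carry the ticket to another host
        CURLOPT_SSL_VERIFYPEER => true,  // the certificate must chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,     // and its name must match the host in the URL
    ];
    if ($noServerValidation) {
        // weak setting: any certificate from any host is accepted, so an on-path attacker
        // could impersonate the CAS server and forge the validation answer
        $opts[CURLOPT_SSL_VERIFYPEER] = false;
        $opts[CURLOPT_SSL_VERIFYHOST] = 0;
    } elseif ($caCertPath !== null) {
        // corrected setting: trust only chains ending at the CA given to setCasServerCACert()
        $opts[CURLOPT_CAINFO] = $caCertPath;
    }
    return $opts;
}

// constructed call; pass the result to curl_setopt_array() before curl_exec()
var_dump(casValidateCurlOptions(
    'https://cas.example.org/cas/serviceValidate?service=https%3A%2F%2Fapp.example.org%2F&ticket=ST-sample',
    '/etc/ssl/certs/cas-ca.pem',
    false
));
```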

◆ setSessionAttributes()

CASClient::setSessionAttributes (   $text_response)
private

This method parses the DOM, pulls the attributes out of the SAML payload into an array, and stores that array in the session.

Parameters
$text_response  the SAML payload.
Returns
bool TRUE when successful and FALSE if no attributes are found

Definition at line 1600 of file client.php.

{
    phpCAS::traceBegin();

    $result = FALSE;

    if (isset($_SESSION[SAML_ATTRIBUTES])) {
        phpCAS::trace("session attrs already set."); //testbml - do we care?
    }

    $attr_array = array();

    if (($dom = domxml_open_mem($text_response))) {
        // query the payload with the SAML 1.0 namespaces registered
        $xPath = $dom->xpath_new_context();
        $xPath->xpath_register_ns('samlp', 'urn:oasis:names:tc:SAML:1.0:protocol');
        $xPath->xpath_register_ns('saml', 'urn:oasis:names:tc:SAML:1.0:assertion');
        $nodelist = $xPath->xpath_eval("//saml:Attribute");
        if($nodelist){
            $attrs = $nodelist->nodeset;
            foreach($attrs as $attr){
                // every <saml:AttributeValue> below this <saml:Attribute> becomes one entry
                $xres = $xPath->xpath_eval("saml:AttributeValue", $attr);
                $name = $attr->get_attribute("AttributeName");
                $value_array = array();
                foreach($xres->nodeset as $node){
                    $value_array[] = $node->get_content();
                }
                $attr_array[$name] = $value_array;
            }
            $_SESSION[SAML_ATTRIBUTES] = $attr_array;
            // UGent addition: multi-valued attributes are kept as arrays, single values are unwrapped
            foreach($attr_array as $attr_key => $attr_value) {
                if(count($attr_value) > 1) {
                    $this->_attributes[$attr_key] = $attr_value;
                    phpCAS::trace("* " . $attr_key . "=" . implode(',', $attr_value));
                }
                else {
                    $this->_attributes[$attr_key] = isset($attr_value[0]) ? $attr_value[0] : '';
                    phpCAS::trace("* " . $attr_key . "=" . $this->_attributes[$attr_key]);
                }
            }
            $result = TRUE;
        }else{
            phpCAS::trace("SAML Attributes are empty");
            $result = FALSE;
        }
    }
    phpCAS::traceEnd($result);
    return $result;
}

References $_SESSION, $result, domxml_open_mem(), SAML_ATTRIBUTES, phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().

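The same extraction on the DOMDocument/DOMXPath API that replaced the PHP 4 domxml extension, as an added example that is not part of phpCAS or ILIAS; the function name and the sample payload are constructed:

```php
<?php
// Added example, not part of phpCAS or ILIAS: the attribute extraction done by
// setSessionAttributes(), rewritten on the DOMDocument/DOMXPath API that replaced the
// PHP 4 domxml extension. Function name and sample payload are constructed.
function extractSamlAttributes(string $samlResponse): array {
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: nothing is fetched over the network; entities are not substituted (no LIBXML_NOENT)
    $ok = $dom->loadXML($samlResponse, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return [];
    }
    $xpath = new DOMXPath($dom);
    $xpath->registerNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion');
    $attrs = [];
    foreach ($xpath->query('//saml:Attribute') as $attr) {
        $name = $attr->getAttribute('AttributeName');
        $values = [];
        foreach ($xpath->query('saml:AttributeValue', $attr) as $valueNode) {
            $values[] = trim($valueNode->textContent);
        }
        if ($name !== '' && $values !== []) {
            $attrs[$name] = $values;   // always an array, so callers never have to guess the shape
        }
    }
    return $attrs;
}

// constructed sample: the part of a /samlValidate response that carries the attributes
$sample = <<<'XML'
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol">
   <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
    <AttributeStatement>
     <Attribute AttributeName="mail" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <AttributeValue>jdoe@example.org</AttributeValue>
     </Attribute>
     <Attribute AttributeName="memberOf" AttributeNamespace="http://www.ja-sig.org/products/cas/">
      <AttributeValue>staff</AttributeValue>
      <AttributeValue>admins</AttributeValue>
     </Attribute>
    </AttributeStatement>
   </Assertion>
  </Response>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
XML;
var_dump(extractSamlAttributes($sample));
```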

◆ setST()

CASClient::setST (   $st)
private

This method stores the Service Ticket.

Parameters
$st  The Service Ticket.

Definition at line 1306 of file client.php.

{ $this->_st = $st; }

Referenced by CASClient\wasPreviouslyAuthenticated().


◆ validateSA()

CASClient::validateSA ( $validate_url, &$text_response, &$tree_response )
private

This method validates a SAML ticket; it halts on failure, and on success sets $validate_url, $text_response and $tree_response.

These parameters are used later by CASClient::validatePGT() for CAS proxies.

Parameters
$validate_url   the URL of the request to the CAS server.
$text_response  the response of the CAS server, as is (XML text).
$tree_response  the response of the CAS server, as a DOM XML tree.
Returns
bool TRUE when successful; halts otherwise by calling CASClient::authError().

Definition at line 1522 of file client.php.

{
    phpCAS::traceBegin();

    // build the URL to validate the ticket
    $validate_url = $this->getServerSamlValidateURL();

    // open and read the URL
    if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {
        phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');
        $this->authError('SA not validated', $validate_url, TRUE/*$no_response*/);
    }

    phpCAS::trace('server version: '.$this->getServerVersion());

    // analyze the result depending on the version
    switch ($this->getServerVersion()) {
    case SAML_VERSION_1_1:

        // read the response of the CAS server into a DOM object
        if ( !($dom = domxml_open_mem($text_response))) {
            phpCAS::trace('domxml_open_mem() failed');
            $this->authError('SA not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        // read the root node of the XML tree
        if ( !($tree_response = $dom->document_element()) ) {
            phpCAS::trace('document_element() failed');
            $this->authError('SA not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        // ensure that the root tag name is 'Envelope' (the SOAP envelope around the SAML response)
        if ( $tree_response->node_name() != 'Envelope' ) {
            phpCAS::trace('bad XML root node (should be `Envelope\' instead of `'.$tree_response->node_name().'\')');
            $this->authError('SA not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        // check for the NameIdentifier tag in the SAML response
        if ( sizeof($success_elements = $tree_response->get_elements_by_tagname("NameIdentifier")) != 0) {
            phpCAS::trace('NameIdentifier found');
            $user = trim($success_elements[0]->get_content());
            phpCAS::trace('user = `'.$user.'`');
            $this->setUser($user);
            $this->setSessionAttributes($text_response);
        } else {
            phpCAS::trace('no <NameIdentifier> tag found in SAML payload');
            $this->authError('SA not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        break;
    }
    $this->renameSession($this->getSA());
    // at this step, the SAML ticket has been validated and $this->_user has been set
    phpCAS::traceEnd(TRUE);
    return TRUE;
}

References domxml_open_mem(), phpCAS\trace(), and phpCAS\traceBegin().


◆ validateST()

CASClient::validateST ( $validate_url, &$text_response, &$tree_response )
private

This method validates a ST; it halts on failure, and on success sets $validate_url, $text_response and $tree_response.

These parameters are used later by CASClient::validatePGT() for CAS proxies. Used for all CAS 1.0 validations.

Parameters
$validate_url   the URL of the request to the CAS server.
$text_response  the response of the CAS server, as is (XML text).
$tree_response  the response of the CAS server, as a DOM XML tree.
Returns
bool TRUE when successful; halts otherwise by calling CASClient::authError().

Definition at line 1392 of file client.php.

{
    phpCAS::traceBegin();
    // build the URL to validate the ticket (the ticket is URL-encoded like the pgtUrl below)
    $validate_url = $this->getServerServiceValidateURL().'&ticket='.urlencode($this->getST());
    if ( $this->isProxy() ) {
        // pass the callback url for CAS proxies
        $validate_url .= '&pgtUrl='.urlencode($this->getCallbackURL());
    }

    // open and read the URL
    if ( !$this->readURL($validate_url,''/*cookies*/,$headers,$text_response,$err_msg) ) {
        phpCAS::trace('could not open URL \''.$validate_url.'\' to validate ('.$err_msg.')');
        $this->authError('ST not validated',
                         $validate_url,
                         TRUE/*$no_response*/);
    }

    // analyze the result depending on the version
    switch ($this->getServerVersion()) {
    case CAS_VERSION_1_0:
        // CAS 1.0 answers in plain text: "no\n" on failure, "yes\n<user>\n" on success
        if (preg_match('/^no\n/',$text_response)) {
            phpCAS::trace('ST has not been validated');
            $this->authError('ST not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             FALSE/*$bad_response*/,
                             $text_response);
        }
        if (!preg_match('/^yes\n/',$text_response)) {
            phpCAS::trace('ill-formed response');
            $this->authError('ST not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        // ST has been validated, extract the user name from the second line
        $arr = preg_split('/\n/',$text_response);
        $this->setUser(trim($arr[1]));
        break;
    case CAS_VERSION_2_0:
        // read the response of the CAS server into a DOM object
        if ( !($dom = domxml_open_mem($text_response))) {
            phpCAS::trace('domxml_open_mem() failed');
            $this->authError('ST not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        // read the root node of the XML tree
        if ( !($tree_response = $dom->document_element()) ) {
            phpCAS::trace('document_element() failed');
            $this->authError('ST not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        // ensure that the root tag name is 'serviceResponse'
        if ( $tree_response->node_name() != 'serviceResponse' ) {
            phpCAS::trace('bad XML root node (should be `serviceResponse\' instead of `'.$tree_response->node_name().'\')');
            $this->authError('ST not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        if ( sizeof($success_elements = $tree_response->get_elements_by_tagname("authenticationSuccess")) != 0) {
            // authentication succeeded, extract the user name
            if ( sizeof($user_elements = $success_elements[0]->get_elements_by_tagname("user")) == 0) {
                phpCAS::trace('<authenticationSuccess> found, but no <user>');
                $this->authError('ST not validated',
                                 $validate_url,
                                 FALSE/*$no_response*/,
                                 TRUE/*$bad_response*/,
                                 $text_response);
            }
            $user = trim($user_elements[0]->get_content());
            phpCAS::trace('user = `'.$user.'`');
            $this->setUser($user);

        } else if ( sizeof($failure_elements = $tree_response->get_elements_by_tagname("authenticationFailure")) != 0) {
            phpCAS::trace('<authenticationFailure> found');
            // authentication failed, extract the error code and message
            $this->authError('ST not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             FALSE/*$bad_response*/,
                             $text_response,
                             $failure_elements[0]->get_attribute('code')/*$err_code*/,
                             trim($failure_elements[0]->get_content())/*$err_msg*/);
        } else {
            phpCAS::trace('neither <authenticationSuccess> nor <authenticationFailure> found');
            $this->authError('ST not validated',
                             $validate_url,
                             FALSE/*$no_response*/,
                             TRUE/*$bad_response*/,
                             $text_response);
        }
        break;
    }
    $this->renameSession($this->getST());
    // at this step, ST has been validated and $this->_user has been set
    phpCAS::traceEnd(TRUE);
    return TRUE;
}

References domxml_open_mem(), CASClient\getCallbackURL(), CASClient\getServerServiceValidateURL(), CASClient\getST(), CASClient\isProxy(), CASClient\readURL(), CASClient\setUser(), phpCAS\trace(), and phpCAS\traceBegin().

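The two response formats handled by the switch above, parsed by added example code that is not phpCAS or ILIAS code and returns a verdict instead of halting; function names and sample bodies are constructed. It goes slightly beyond the original's CAS 2.0 branch by also checking the element namespace, which the tag-name lookup above does not:

```php
<?php
// Added example, not phpCAS/ILIAS code: the response analysis that validateST()
// performs inline, written as functions that return a verdict instead of calling
// authError(). Function names and the sample bodies are constructed for this example.
const CAS_NS = 'http://www.yale.edu/tp/cas';

// CAS 1.0 text protocol: "yes\n<user>\n" on success, "no\n\n" on failure.
function parseCas10(string $body): array {
    if (preg_match('/^no\n/', $body)) {
        return ['ok' => false, 'code' => 'INVALID_TICKET', 'msg' => 'ticket rejected'];
    }
    // the user name is the whole second line; an empty second line is a malformed response
    if (!preg_match('/^yes\n([^\n]+)\n/', $body, $m)) {
        return ['ok' => false, 'code' => 'INVALID_RESPONSE', 'msg' => 'ill-formed response'];
    }
    return ['ok' => true, 'user' => trim($m[1])];
}

// CAS 2.0 XML protocol: <cas:serviceResponse> holding <cas:authenticationSuccess><cas:user>
// or <cas:authenticationFailure code="...">message</cas:authenticationFailure>.
function parseCas20(string $body): array {
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $dom->loadXML($body, LIBXML_NONET);   // never fetch anything while parsing
    libxml_use_internal_errors($prev);
    $root = $ok ? $dom->documentElement : null;
    // check the namespace as well as the local name before trusting the document
    if ($root === null || $root->localName !== 'serviceResponse' || $root->namespaceURI !== CAS_NS) {
        return ['ok' => false, 'code' => 'INVALID_RESPONSE', 'msg' => 'bad or missing <cas:serviceResponse>'];
    }
    $xp = new DOMXPath($dom);
    $xp->registerNamespace('cas', CAS_NS);
    $users = $xp->query('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if ($users->length === 1 && trim($users->item(0)->textContent) !== '') {
        return ['ok' => true, 'user' => trim($users->item(0)->textContent)];
    }
    $fails = $xp->query('/cas:serviceResponse/cas:authenticationFailure');
    if ($fails->length === 1) {
        $f = $fails->item(0);
        return ['ok' => false, 'code' => $f->getAttribute('code'), 'msg' => trim($f->textContent)];
    }
    return ['ok' => false, 'code' => 'INVALID_RESPONSE', 'msg' => 'neither success nor failure element'];
}

// constructed sample bodies, one per protocol version
var_dump(parseCas10("yes\njdoe\n"));
var_dump(parseCas20('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    . '<cas:authenticationFailure code="INVALID_TICKET">ticket not recognized</cas:authenticationFailure>'
    . '</cas:serviceResponse>'));
```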

Variable Documentation

◆ $_cas_server_ca_cert

CASClient::$_cas_server_ca_cert
private

the certificate of the CAS server CA.

Definition at line 1341 of file client.php.

◆ $_cas_server_cert

CASClient::$_cas_server_cert
private

the certificate of the CAS server.

Definition at line 1333 of file client.php.

◆ $_no_cas_server_validation

CASClient::$_no_cas_server_validation
private

Set to true not to validate the CAS server.

Definition at line 1349 of file client.php.

◆ $_st

CASClient::$_st
private

the Service Ticket provided in the URL of the request if present (empty otherwise).

Written by CASClient::CASClient(), read by CASClient::getST() and CASClient::hasPGT().

Definition at line 1291 of file client.php.

Referenced by CASClient\getST().