ILIAS  release_6 Revision v6.24-5-g0c8bfefb3b8
Authentication

Functions

 CAS_Client::_setUser ($user)
 This method sets the CAS user's login name.

 CAS_Client::getUser ()
 This method returns the CAS user's login name.

 CAS_Client::_getUser ()
 This method returns the CAS user's login name.

 CAS_Client::setAttributes ($attributes)
 Set an array of attributes.

 CAS_Client::getAttributes ()
 Get a key-value array of attributes.

 CAS_Client::hasAttributes ()
 Check whether attributes are available.

 CAS_Client::hasAttribute ($key)
 Check whether a specific attribute with a name is available.

 CAS_Client::_hasAttribute ($key)
 Check whether a specific attribute with a name is available.

 CAS_Client::getAttribute ($key)
 Get a specific attribute by name.

 CAS_Client::renewAuthentication ()
 This method is called to renew the authentication of the user. If the user is authenticated, renew the connection; if not, redirect to CAS.

 CAS_Client::forceAuthentication ()
 This method is called to be sure that the user is authenticated.

 CAS_Client::setCacheTimesForAuthRecheck ($n)
 Set the number of times authentication will be cached before rechecked.

 CAS_Client::checkAuthentication ()
 This method is called to check whether the user is authenticated or not.

 CAS_Client::isAuthenticated ($renew=false)
 This method is called to check if the user is authenticated (previously or by tickets given in the URL).

 CAS_Client::isSessionAuthenticated ()
 This method tells if the current session is authenticated.

 CAS_Client::_wasPreviouslyAuthenticated ()
 This method tells if the user has already been (previously) authenticated by looking into the session variables.

 CAS_Client::redirectToCas ($gateway=false, $renew=false)
 This method is used to redirect the client to the CAS server.

 CAS_Client::logout ($params)
 This method is used to logout from CAS.

 CAS_Client::_isLogoutRequest ()
 Check if the current request is a logout request.

 CAS_Client::handleLogoutRequests ($check_client=true, $allowed_clients=false)
 This method handles logout requests.

Variables

 CAS_Client::$_user
 The authenticated user.

 CAS_Client::$_attributes
 The authenticated user's attributes.

 CAS_Client::$_cache_times_for_auth_recheck
 An integer that gives the number of times authentication will be cached before rechecked.
 

Detailed Description

Function Documentation

◆ _getUser()

CAS_Client::_getUser ( )
private

This method returns the CAS user's login name.

Returns
string the login name of the authenticated user
Warning
should be called only after CAS_Client::forceAuthentication() or CAS_Client::isAuthenticated(), otherwise halt with an error.

Definition at line 1150 of file Client.php.

1151 {
1152 // This is likely a duplicate check that could be removed....
1153 if (empty($this->_user)) {
1154 phpCAS::error(
1155 'this method should be used only after ' . __CLASS__
1156 . '::forceAuthentication() or ' . __CLASS__ . '::isAuthenticated()'
1157 );
1158 }
1159 return $this->_user;
1160 }

References CAS_Client\$_user, and phpCAS\error().

Referenced by CAS_Client\getProxiedService(), CAS_Client\getUser(), and CAS_Client\isAuthenticated().


◆ _hasAttribute()

CAS_Client::_hasAttribute (   $key)
private

Check whether a specific attribute with a name is available.

Parameters
string $key name of attribute
Returns
bool is attribute available

Definition at line 1237 of file Client.php.

1238 {
1239 return (is_array($this->_attributes)
1240 && array_key_exists($key, $this->_attributes));
1241 }

Referenced by CAS_Client\getAttribute(), and CAS_Client\hasAttribute().


◆ _isLogoutRequest()

CAS_Client::_isLogoutRequest ( )
private

Check if the current request is a logout request.

Returns
bool is logout request.

Definition at line 1749 of file Client.php.

1750 {
1751 return !empty($_POST['logoutRequest']);
1752 }

References $_POST.

Referenced by CAS_Client\__construct(), and CAS_Client\handleLogoutRequests().


◆ _setUser()

CAS_Client::_setUser (   $user)
private

This method sets the CAS user's login name.

Parameters
string $user the login name of the authenticated user.
Returns
void

Definition at line 1121 of file Client.php.

1122 {
1123 $this->_user = $user;
1124 }

Referenced by CAS_Client\_wasPreviouslyAuthenticated().


◆ _wasPreviouslyAuthenticated()

CAS_Client::_wasPreviouslyAuthenticated ( )
private

This method tells if the user has already been (previously) authenticated by looking into the session variables.

Note
This function switches to callback mode when needed.
Returns
true when the user has already been authenticated; false otherwise.

Definition at line 1578 of file Client.php.

1579 {
1580 phpCAS::traceBegin();
1581
1582 if ($this->_isCallbackMode()) {
1583 // Rebroadcast the pgtIou and pgtId to all nodes
1584 if ($this->_rebroadcast && !isset($_POST['rebroadcast'])) {
1585 $this->_rebroadcast(self::PGTIOU);
1586 }
1587 $this->_callback();
1588 }
1589
1590 $auth = false;
1591
1592 if ($this->isProxy()) {
1593 // CAS proxy: username and PGT must be present
1594 if ($this->isSessionAuthenticated()
1595 && !empty($_SESSION['phpCAS']['pgt'])
1596 ) {
1597 // authentication already done
1598 $this->_setUser($_SESSION['phpCAS']['user']);
1599 if (isset($_SESSION['phpCAS']['attributes'])) {
1600 $this->setAttributes($_SESSION['phpCAS']['attributes']);
1601 }
1602 $this->_setPGT($_SESSION['phpCAS']['pgt']);
1603 phpCAS::trace(
1604 'user = `' . $_SESSION['phpCAS']['user'] . '\', PGT = `'
1605 . $_SESSION['phpCAS']['pgt'] . '\''
1606 );
1607
1608 // Include the list of proxies
1609 if (isset($_SESSION['phpCAS']['proxies'])) {
1610 $this->_setProxies($_SESSION['phpCAS']['proxies']);
1611 phpCAS::trace(
1612 'proxies = "'
1613 . implode('", "', $_SESSION['phpCAS']['proxies']) . '"'
1614 );
1615 }
1616
1617 $auth = true;
1618 } elseif ($this->isSessionAuthenticated()
1619 && empty($_SESSION['phpCAS']['pgt'])
1620 ) {
1621 // these two variables should be empty or not empty at the same time
1622 phpCAS::trace(
1623 'username found (`' . $_SESSION['phpCAS']['user']
1624 . '\') but PGT is empty'
1625 );
1626 // unset all tickets to enforce authentication
1627 unset($_SESSION['phpCAS']);
1628 $this->setTicket('');
1629 } elseif (!$this->isSessionAuthenticated()
1630 && !empty($_SESSION['phpCAS']['pgt'])
1631 ) {
1632 // these two variables should be empty or not empty at the same time
1633 phpCAS::trace(
1634 'PGT found (`' . $_SESSION['phpCAS']['pgt']
1635 . '\') but username is empty'
1636 );
1637 // unset all tickets to enforce authentication
1638 unset($_SESSION['phpCAS']);
1639 $this->setTicket('');
1640 } else {
1641 phpCAS::trace('neither user nor PGT found');
1642 }
1643 } else {
1644 // `simple' CAS client (not a proxy): username must be present
1645 if ($this->isSessionAuthenticated()) {
1646 // authentication already done
1647 $this->_setUser($_SESSION['phpCAS']['user']);
1648 if (isset($_SESSION['phpCAS']['attributes'])) {
1649 $this->setAttributes($_SESSION['phpCAS']['attributes']);
1650 }
1651 phpCAS::trace('user = `' . $_SESSION['phpCAS']['user'] . '\'');
1652
1653 // Include the list of proxies
1654 if (isset($_SESSION['phpCAS']['proxies'])) {
1655 $this->_setProxies($_SESSION['phpCAS']['proxies']);
1656 phpCAS::trace(
1657 'proxies = "'
1658 . implode('", "', $_SESSION['phpCAS']['proxies']) . '"'
1659 );
1660 }
1661
1662 $auth = true;
1663 } else {
1664 phpCAS::trace('no user found');
1665 }
1666 }
1667
1668 phpCAS::traceEnd($auth);
1669 return $auth;
1670 }

References $_POST, $_SESSION, $auth, CAS_Client\_callback(), CAS_Client\_isCallbackMode(), CAS_Client\_rebroadcast(), CAS_Client\_setPGT(), CAS_Client\_setProxies(), CAS_Client\_setUser(), CAS_Client\isProxy(), CAS_Client\isSessionAuthenticated(), CAS_Client\setAttributes(), CAS_Client\setTicket(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().

Referenced by CAS_Client\isAuthenticated().


◆ checkAuthentication()

CAS_Client::checkAuthentication ( )

This method is called to check whether the user is authenticated or not.

Returns
true when the user is authenticated; false when a previous gateway login failed. The function does not return if the user is redirected to the CAS server for a gateway login attempt.

Definition at line 1344 of file Client.php.

1345 {
1346 phpCAS::traceBegin();
1347 $res = false;
1348 if ($this->isAuthenticated()) {
1349 phpCAS::trace('user is authenticated');
1350 /* The 'auth_checked' variable is removed just in case it's set. */
1351 unset($_SESSION['phpCAS']['auth_checked']);
1352 $res = true;
1353 } elseif (isset($_SESSION['phpCAS']['auth_checked'])) {
1354 // the previous request has redirected the client to the CAS server
1355 // with gateway=true
1356 unset($_SESSION['phpCAS']['auth_checked']);
1357 $res = false;
1358 } else {
1359 // avoid a check against CAS on every request
1360 if (!isset($_SESSION['phpCAS']['unauth_count'])) {
1361 $_SESSION['phpCAS']['unauth_count'] = -2; // uninitialized
1362 }
1363
1364 if (($_SESSION['phpCAS']['unauth_count'] != -2
1365 && $this->_cache_times_for_auth_recheck == -1)
1366 || ($_SESSION['phpCAS']['unauth_count'] >= 0
1367 && $_SESSION['phpCAS']['unauth_count'] < $this->_cache_times_for_auth_recheck)
1368 ) {
1369 $res = false;
1370
1371 if ($this->_cache_times_for_auth_recheck != -1) {
1372 $_SESSION['phpCAS']['unauth_count']++;
1373 phpCAS::trace(
1374 'user is not authenticated (cached for '
1375 . $_SESSION['phpCAS']['unauth_count'] . ' times of '
1376 . $this->_cache_times_for_auth_recheck . ')'
1377 );
1378 } else {
1379 phpCAS::trace(
1380 'user is not authenticated (cached for until login pressed)'
1381 );
1382 }
1383 } else {
1384 $_SESSION['phpCAS']['unauth_count'] = 0;
1385 $_SESSION['phpCAS']['auth_checked'] = true;
1386 phpCAS::trace('user is not authenticated (cache reset)');
1387 $this->redirectToCas(true/* gateway */);
1388 // never reached
1389 $res = false;
1390 }
1391 }
1392 phpCAS::traceEnd($res);
1393 return $res;
1394 }

References $_SESSION, $res, CAS_Client\isAuthenticated(), CAS_Client\redirectToCas(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().
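The recheck bookkeeping in the listing above, replayed as an added example (not phpCAS or ILIAS code) for a visitor who never logs in. `simulateGatewayChecks()` and its outcome labels are hypothetical names, and the model assumes every gateway redirect comes back from the CAS server without a ticket.

```php
<?php
// Added illustration: models only the session bookkeeping of
// CAS_Client::checkAuthentication(); nothing here talks to a CAS server.

/**
 * @param int $cacheTimes value given to setCacheTimesForAuthRecheck()
 * @param int $requests   number of consecutive unauthenticated requests
 * @return string[]       per request: 'redirect', 'gateway-return' or 'cached'
 */
function simulateGatewayChecks(int $cacheTimes, int $requests): array
{
    $session = [];   // stands in for $_SESSION['phpCAS']
    $outcomes = [];

    for ($i = 0; $i < $requests; $i++) {
        if (isset($session['auth_checked'])) {
            // The previous request was redirected with gateway=true and the
            // browser came back without a ticket: answer "not authenticated".
            unset($session['auth_checked']);
            $outcomes[] = 'gateway-return';
            continue;
        }

        if (!isset($session['unauth_count'])) {
            $session['unauth_count'] = -2; // uninitialized
        }
        $count = $session['unauth_count'];

        // Same condition as lines 1364-1367 of the listing.
        $useCache = ($count != -2 && $cacheTimes == -1)
            || ($count >= 0 && $count < $cacheTimes);

        if ($useCache) {
            // Negative answer served from the session, no round trip.
            if ($cacheTimes != -1) {
                $session['unauth_count']++;
            }
            $outcomes[] = 'cached';
        } else {
            // Cache never filled or used up: reset and ask the CAS server.
            $session['unauth_count'] = 0;
            $session['auth_checked'] = true;
            $outcomes[] = 'redirect';
        }
    }

    return $outcomes;
}

// 0 rechecks on every page view, 2 caches two answers between rechecks,
// -1 asks once per session and then caches until the user logs in.
foreach ([0, 2, -1] as $n) {
    printf("%2d: %s\n", $n, implode(' ', simulateGatewayChecks($n, 8)));
}
```

The number of `redirect` entries per run is the load a single anonymous session puts on the CAS server, which is the figure to look at when choosing a value for `setCacheTimesForAuthRecheck()`.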


◆ forceAuthentication()

CAS_Client::forceAuthentication ( )

This method is called to be sure that the user is authenticated.

When not authenticated, halt by redirecting to the CAS server; otherwise return true.

Returns
true when the user is authenticated; otherwise halt.

Definition at line 1292 of file Client.php.

1293 {
1294 phpCAS::traceBegin();
1295
1296 if ($this->isAuthenticated()) {
1297 // the user is authenticated, nothing to be done.
1298 phpCAS::trace('no need to authenticate');
1299 $res = true;
1300 } else {
1301 // the user is not authenticated, redirect to the CAS server
1302 if (isset($_SESSION['phpCAS']['auth_checked'])) {
1303 unset($_SESSION['phpCAS']['auth_checked']);
1304 }
1305 $this->redirectToCas(false/* no gateway */);
1306 // never reached
1307 $res = false;
1308 }
1309 phpCAS::traceEnd($res);
1310 return $res;
1311 }

References $_SESSION, $res, CAS_Client\isAuthenticated(), CAS_Client\redirectToCas(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().


◆ getAttribute()

CAS_Client::getAttribute (   $key)

Get a specific attribute by name.

Parameters
string $key name of attribute
Returns
string attribute values

Definition at line 1250 of file Client.php.

1251 {
1252 // Sequence validation
1253 $this->ensureAuthenticationCallSuccessful();
1254
1255 if ($this->_hasAttribute($key)) {
1256 return $this->_attributes[$key];
1257 }
1258 }

References CAS_Client\_hasAttribute(), and CAS_Client\ensureAuthenticationCallSuccessful().


◆ getAttributes()

CAS_Client::getAttributes ( )

Get a key-value array of attributes.

Returns
array of attributes

Definition at line 1188 of file Client.php.

1189 {
1190 // Sequence validation
1191 $this->ensureAuthenticationCallSuccessful();
1192 // This is likely a duplicate check that could be removed....
1193 if (empty($this->_user)) {
1194 // if no user is set, there shouldn't be any attributes also...
1195 phpCAS::error(
1196 'this method should be used only after ' . __CLASS__
1197 . '::forceAuthentication() or ' . __CLASS__ . '::isAuthenticated()'
1198 );
1199 }
1200 return $this->_attributes;
1201 }

References CAS_Client\$_attributes, CAS_Client\ensureAuthenticationCallSuccessful(), and phpCAS\error().


◆ getUser()

CAS_Client::getUser ( )

This method returns the CAS user's login name.

Returns
string the login name of the authenticated user
Warning
should be called only after CAS_Client::forceAuthentication() or CAS_Client::isAuthenticated(), otherwise halt with an error.

Definition at line 1134 of file Client.php.

1135 {
1136 // Sequence validation
1137 $this->ensureAuthenticationCallSuccessful();
1138
1139 return $this->_getUser();
1140 }

References CAS_Client\_getUser(), and CAS_Client\ensureAuthenticationCallSuccessful().


◆ handleLogoutRequests()

CAS_Client::handleLogoutRequests (   $check_client = true,
  $allowed_clients = false 
)

This method handles logout requests.

Parameters
bool $check_client true to check the client before handling the request, false not to perform any access control. True by default.
bool $allowed_clients an array of host names allowed to send logout requests.
Returns
void

Definition at line 1764 of file Client.php.

1765 {
1766 phpCAS::traceBegin();
1767 if (!$this->_isLogoutRequest()) {
1768 phpCAS::trace("Not a logout request");
1769 phpCAS::traceEnd();
1770 return;
1771 }
1772 if (!$this->getChangeSessionID()
1773 && is_null($this->_signoutCallbackFunction)
1774 ) {
1775 phpCAS::error(
1776 "phpCAS can't handle logout requests if it is not allowed to change session_id."
1777 );
1778 }
1779 phpCAS::trace("Logout requested");
1780 $decoded_logout_rq = urldecode($_POST['logoutRequest']);
1781 phpCAS::trace("SAML REQUEST: " . $decoded_logout_rq);
1782 $allowed = false;
1783 if ($check_client) {
1784 if (!$allowed_clients) {
1785 $allowed_clients = array( $this->_getServerHostname() );
1786 }
1787 $client_ip = $_SERVER['REMOTE_ADDR'];
1788 $client = gethostbyaddr($client_ip);
1789 phpCAS::trace("Client: " . $client . "/" . $client_ip);
1790 foreach ($allowed_clients as $allowed_client) {
1791 if (($client == $allowed_client)
1792 || ($client_ip == $allowed_client)
1793 ) {
1794 phpCAS::trace(
1795 "Allowed client '" . $allowed_client
1796 . "' matches, logout request is allowed"
1797 );
1798 $allowed = true;
1799 break;
1800 } else {
1801 phpCAS::trace(
1802 "Allowed client '" . $allowed_client . "' does not match"
1803 );
1804 }
1805 }
1806 } else {
1807 phpCAS::trace("No access control set");
1808 $allowed = true;
1809 }
1810 // If Logout command is permitted proceed with the logout
1811 if ($allowed) {
1812 phpCAS::trace("Logout command allowed");
1813 // Rebroadcast the logout request
1814 if ($this->_rebroadcast && !isset($_POST['rebroadcast'])) {
1815 $this->_rebroadcast(self::LOGOUT);
1816 }
1817 // Extract the ticket from the SAML Request
1818 preg_match(
1819 "|<samlp:SessionIndex>(.*)</samlp:SessionIndex>|",
1820 $decoded_logout_rq,
1821 $tick,
1822 PREG_OFFSET_CAPTURE,
1823 3
1824 );
1825 $wrappedSamlSessionIndex = preg_replace(
1826 '|<samlp:SessionIndex>|',
1827 '',
1828 $tick[0][0]
1829 );
1830 $ticket2logout = preg_replace(
1831 '|</samlp:SessionIndex>|',
1832 '',
1833 $wrappedSamlSessionIndex
1834 );
1835 phpCAS::trace("Ticket to logout: " . $ticket2logout);
1836
1837 // call the post-authenticate callback if registered.
1838 if ($this->_signoutCallbackFunction) {
1839 $args = $this->_signoutCallbackArgs;
1840 array_unshift($args, $ticket2logout);
1841 call_user_func_array($this->_signoutCallbackFunction, $args);
1842 }
1843
1844 // If phpCAS is managing the session_id, destroy session thanks to
1845 // session_id.
1846 if ($this->getChangeSessionID()) {
1847 $session_id = preg_replace('/[^a-zA-Z0-9\-]/', '', $ticket2logout);
1848 phpCAS::trace("Session id: " . $session_id);
1849
1850 // destroy a possible application session created before phpcas
1851 if (session_id() !== "") {
1852 session_unset();
1853 session_destroy();
1854 }
1855 // fix session ID
1856 session_id($session_id);
1857 $_COOKIE[session_name()] = $session_id;
1858 $_GET[session_name()] = $session_id;
1859
1860 // Overwrite session
1861 session_start();
1862 session_unset();
1863 session_destroy();
1864 phpCAS::trace("Session " . $session_id . " destroyed");
1865 }
1866 } else {
1867 phpCAS::error("Unauthorized logout request from client '" . $client . "'");
1868 phpCAS::trace("Unauthorized logout request from client '" . $client . "'");
1869 }
1870 flush();
1871 phpCAS::traceExit();
1872 throw new CAS_GracefullTerminationException();
1873 }

References $_COOKIE, $_GET, $_POST, $_SERVER, CAS_Client\$_signoutCallbackArgs, $client, CAS_Client\_getServerHostname(), CAS_Client\_isLogoutRequest(), CAS_Client\_rebroadcast(), phpCAS\error(), CAS_Client\getChangeSessionID(), phpCAS\trace(), phpCAS\traceBegin(), phpCAS\traceEnd(), and phpCAS\traceExit().
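An added example, not phpCAS or ILIAS code, of the two decisions this method makes: whether the sender may request a logout, and which session id the posted SessionIndex maps to. It swaps the listing's regular expressions for a namespace-aware DOM parse and compares the sender by IP address only; `sessionIdForLogout()`, the addresses and the request body are constructed for the illustration.

```php
<?php
// Added illustration. The input is the already-decoded value of
// $_POST['logoutRequest']; all sample values below are constructed.

const SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol';

/**
 * @return string|null session id to destroy, or null when the request
 *                     must be ignored
 */
function sessionIdForLogout(string $logoutRequest, string $remoteIp, array $allowedIps): ?string
{
    // Access control first: an unlisted sender never reaches the parser.
    // Strict comparison against literal IPs avoids relying on reverse DNS.
    if (!in_array($remoteIp, $allowedIps, true)) {
        return null;
    }
    if ($logoutRequest === '') {
        return null;
    }

    $doc = new DOMDocument();
    // LIBXML_NONET: the parser must not fetch anything over the network.
    if (!@$doc->loadXML($logoutRequest, LIBXML_NONET)) {
        return null; // not well-formed XML
    }
    // A logout request has no reason to carry a DTD; refuse it outright.
    if ($doc->doctype !== null) {
        return null;
    }

    // Exactly one SessionIndex element in the samlp namespace is expected.
    $nodes = $doc->getElementsByTagNameNS(SAMLP_NS, 'SessionIndex');
    if ($nodes->length !== 1) {
        return null;
    }
    $ticket = trim($nodes->item(0)->textContent);

    // Same character filter as line 1847 of the listing: the service ticket
    // becomes the session id after dropping everything but [a-zA-Z0-9-].
    $sessionId = preg_replace('/[^a-zA-Z0-9\-]/', '', $ticket);

    return $sessionId === '' ? null : $sessionId;
}

// Constructed back-channel logout request.
$request = <<<XML
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="constructed-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>
  <samlp:SessionIndex>ST-1-constructedTicketValue-cas.example.org</samlp:SessionIndex>
</samlp:LogoutRequest>
XML;

$allowed = ['192.0.2.10']; // constructed address of the CAS server

var_dump(sessionIdForLogout($request, '192.0.2.10', $allowed));   // listed sender
var_dump(sessionIdForLogout($request, '198.51.100.7', $allowed)); // unlisted sender
var_dump(sessionIdForLogout('<samlp:LogoutRequest', '192.0.2.10', $allowed)); // malformed
```

With `$check_client` set to false the listing skips the sender check entirely, so any host that can reach the endpoint and knows a ticket value can end that session; keeping the check on with an explicit `$allowed_clients` list corresponds to the first branch of this function.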


◆ hasAttribute()

CAS_Client::hasAttribute (   $key)

Check whether a specific attribute with a name is available.

Parameters
string $key name of attribute
Returns
bool is attribute available

Definition at line 1222 of file Client.php.

1223 {
1224 // Sequence validation
1225 $this->ensureAuthenticationCallSuccessful();
1226
1227 return $this->_hasAttribute($key);
1228 }

References CAS_Client\_hasAttribute(), and CAS_Client\ensureAuthenticationCallSuccessful().


◆ hasAttributes()

CAS_Client::hasAttributes ( )

Check whether attributes are available.

Returns
bool attributes available

Definition at line 1208 of file Client.php.

1209 {
1210 // Sequence validation
1211 $this->ensureAuthenticationCallSuccessful();
1212
1213 return !empty($this->_attributes);
1214 }

References CAS_Client\ensureAuthenticationCallSuccessful().


◆ isAuthenticated()

CAS_Client::isAuthenticated (   $renew = false)

This method is called to check if the user is authenticated (previously or by tickets given in the URL).

Parameters
bool $renew true to force the authentication with the CAS server
Returns
true when the user is authenticated. Also may redirect to the same URL without the ticket.

Definition at line 1405 of file Client.php.

1406 {
1407 phpCAS::traceBegin();
1408 $res = false;
1409 $validate_url = '';
1410 if ($this->_wasPreviouslyAuthenticated()) {
1411 if ($this->hasTicket()) {
1412 // User has a additional ticket but was already authenticated
1413 phpCAS::trace(
1414 'ticket was present and will be discarded, use renewAuthenticate()'
1415 );
1416 if ($this->_clearTicketsFromUrl) {
1417 phpCAS::trace("Prepare redirect to : " . $this->getURL());
1418 session_write_close();
1419 header('Location: ' . $this->getURL());
1420 flush();
1421 phpCAS::traceExit();
1422 throw new CAS_GracefullTerminationException();
1423 } else {
1424 phpCAS::trace(
1425 'Already authenticated, but skipping ticket clearing since setNoClearTicketsFromUrl() was used.'
1426 );
1427 $res = true;
1428 }
1429 } else {
1430 // the user has already (previously during the session) been
1431 // authenticated, nothing to be done.
1432 phpCAS::trace(
1433 'user was already authenticated, no need to look for tickets'
1434 );
1435 $res = true;
1436 }
1437
1438 // Mark the auth-check as complete to allow post-authentication
1439 // callbacks to make use of phpCAS::getUser() and similar methods
1440 $this->markAuthenticationCall($res);
1441 } else {
1442 if ($this->hasTicket()) {
1443 switch ($this->getServerVersion()) {
1444 case CAS_VERSION_1_0:
1445 // if a Service Ticket was given, validate it
1446 phpCAS::trace(
1447 'CAS 1.0 ticket `' . $this->getTicket() . '\' is present'
1448 );
1449 $this->validateCAS10(
1450 $validate_url,
1451 $text_response,
1452 $tree_response,
1453 $renew
1454 ); // if it fails, it halts
1455 phpCAS::trace(
1456 'CAS 1.0 ticket `' . $this->getTicket() . '\' was validated'
1457 );
1458 $_SESSION['phpCAS']['user'] = $this->_getUser();
1459 $res = true;
1460 $logoutTicket = $this->getTicket();
1461 break;
1462 case CAS_VERSION_2_0:
1463 case CAS_VERSION_3_0:
1464 // if a Proxy Ticket was given, validate it
1465 phpCAS::trace(
1466 'CAS ' . $this->getServerVersion() . ' ticket `' . $this->getTicket() . '\' is present'
1467 );
1468 $this->validateCAS20(
1469 $validate_url,
1470 $text_response,
1471 $tree_response,
1472 $renew
1473 ); // note: if it fails, it halts
1474 phpCAS::trace(
1475 'CAS ' . $this->getServerVersion() . ' ticket `' . $this->getTicket() . '\' was validated'
1476 );
1477 if ($this->isProxy()) {
1478 $this->_validatePGT(
1479 $validate_url,
1480 $text_response,
1481 $tree_response
1482 ); // idem
1483 phpCAS::trace('PGT `' . $this->_getPGT() . '\' was validated');
1484 $_SESSION['phpCAS']['pgt'] = $this->_getPGT();
1485 }
1486 $_SESSION['phpCAS']['user'] = $this->_getUser();
1487 if (!empty($this->_attributes)) {
1488 $_SESSION['phpCAS']['attributes'] = $this->_attributes;
1489 }
1490 $proxies = $this->getProxies();
1491 if (!empty($proxies)) {
1492 $_SESSION['phpCAS']['proxies'] = $this->getProxies();
1493 }
1494 $res = true;
1495 $logoutTicket = $this->getTicket();
1496 break;
1497 case SAML_VERSION_1_1:
1498 // if we have a SAML ticket, validate it.
1499 phpCAS::trace(
1500 'SAML 1.1 ticket `' . $this->getTicket() . '\' is present'
1501 );
1502 $this->validateSA(
1503 $validate_url,
1504 $text_response,
1505 $tree_response,
1506 $renew
1507 ); // if it fails, it halts
1508 phpCAS::trace(
1509 'SAML 1.1 ticket `' . $this->getTicket() . '\' was validated'
1510 );
1511 $_SESSION['phpCAS']['user'] = $this->_getUser();
1512 $_SESSION['phpCAS']['attributes'] = $this->_attributes;
1513 $res = true;
1514 $logoutTicket = $this->getTicket();
1515 break;
1516 default:
1517 phpCAS::trace('Protocoll error');
1518 break;
1519 }
1520 } else {
1521 // no ticket given, not authenticated
1522 phpCAS::trace('no ticket found');
1523 }
1524
1525 // Mark the auth-check as complete to allow post-authentication
1526 // callbacks to make use of phpCAS::getUser() and similar methods
1527 $this->markAuthenticationCall($res);
1528
1529 if ($res) {
1530 // call the post-authenticate callback if registered.
1531 if ($this->_postAuthenticateCallbackFunction) {
1532 $args = $this->_postAuthenticateCallbackArgs;
1533 array_unshift($args, $logoutTicket);
1534 call_user_func_array(
1535 $this->_postAuthenticateCallbackFunction,
1536 $args
1537 );
1538 }
1539
1540 // if called with a ticket parameter, we need to redirect to the
1541 // app without the ticket so that CAS-ification is transparent
1542 // to the browser (for later POSTS) most of the checks and
1543 // errors should have been made now, so we're safe for redirect
1544 // without masking error messages. remove the ticket as a
1545 // security precaution to prevent a ticket in the HTTP_REFERRER
1546 if ($this->_clearTicketsFromUrl) {
1547 phpCAS::trace("Prepare redirect to : " . $this->getURL());
1548 session_write_close();
1549 header('Location: ' . $this->getURL());
1550 flush();
1551 phpCAS::traceExit();
1552 throw new CAS_GracefullTerminationException();
1553 }
1554 }
1555 }
1556 phpCAS::traceEnd($res);
1557 return $res;
1558 }

References $_SESSION, $res, CAS_Client\_getPGT(), CAS_Client\_getUser(), CAS_Client\_validatePGT(), CAS_Client\_wasPreviouslyAuthenticated(), CAS_VERSION_1_0, CAS_VERSION_2_0, CAS_VERSION_3_0, error(), CAS_Client\getServerVersion(), CAS_Client\getTicket(), CAS_Client\getURL(), CAS_Client\hasTicket(), CAS_Client\isProxy(), CAS_Client\markAuthenticationCall(), phpCAS\trace(), phpCAS\traceBegin(), phpCAS\traceEnd(), phpCAS\traceExit(), user(), and CAS_Client\validateSA().

Referenced by CAS_Client\checkAuthentication(), CAS_Client\forceAuthentication(), and CAS_Client\renewAuthentication().


◆ isSessionAuthenticated()

CAS_Client::isSessionAuthenticated ( )

This method tells if the current session is authenticated.

Returns
true if authenticated based solely on $_SESSION variable

Definition at line 1565 of file Client.php.

1566 {
1567 return !empty($_SESSION['phpCAS']['user']);
1568 }

References $_SESSION.

Referenced by CAS_Client\__construct(), and CAS_Client\_wasPreviouslyAuthenticated().


◆ logout()

CAS_Client::logout (   $params)

This method is used to logout from CAS.

Parameters
array $params an array that contains the optional url and service parameters that will be passed to the CAS server
Returns
void

Definition at line 1710 of file Client.php.

1711 {
1712 phpCAS::traceBegin();
1713 $cas_url = $this->getServerLogoutURL();
1714 $paramSeparator = '?';
1715 if (isset($params['url'])) {
1716 $cas_url = $cas_url . $paramSeparator . "url="
1717 . urlencode($params['url']);
1718 $paramSeparator = '&';
1719 }
1720 if (isset($params['service'])) {
1721 $cas_url = $cas_url . $paramSeparator . "service="
1722 . urlencode($params['service']);
1723 }
1724 header('Location: ' . $cas_url);
1725 phpCAS::trace("Prepare redirect to : " . $cas_url);
1726
1727 phpCAS::trace("Destroying session : " . session_id());
1728 session_unset();
1729 session_destroy();
1730 if (session_status() === PHP_SESSION_NONE) {
1731 phpCAS::trace("Session terminated");
1732 } else {
1733 phpCAS::error("Session was not terminated");
1734 phpCAS::trace("Session was not terminated");
1735 }
1736 $lang = $this->getLangObj();
1737 $this->printHTMLHeader($lang->getLogout());
1738 printf('<p>' . $lang->getShouldHaveBeenRedirected() . '</p>', $cas_url);
1739 $this->printHTMLFooter();
1740 phpCAS::traceExit();
1741 throw new CAS_GracefullTerminationException();
1742 }

References $lang, phpCAS\error(), CAS_Client\getLangObj(), CAS_Client\getServerLogoutURL(), CAS_Client\printHTMLFooter(), CAS_Client\printHTMLHeader(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceExit().


◆ redirectToCas()

CAS_Client::redirectToCas (   $gateway = false,
  $renew = false 
)

This method is used to redirect the client to the CAS server.

It is used by CAS_Client::forceAuthentication() and CAS_Client::checkAuthentication().

Parameters
bool $gateway true to check authentication, false to force it
bool $renew true to force the authentication with the CAS server
Returns
void

Definition at line 1682 of file Client.php.

1683 {
1684 phpCAS::traceBegin();
1685 $cas_url = $this->getServerLoginURL($gateway, $renew);
1686 session_write_close();
1687 if (php_sapi_name() === 'cli') {
1688 @header('Location: ' . $cas_url);
1689 } else {
1690 header('Location: ' . $cas_url);
1691 }
1692 phpCAS::trace("Redirect to : " . $cas_url);
1693 $lang = $this->getLangObj();
1694 $this->printHTMLHeader($lang->getAuthenticationWanted());
1695 printf('<p>' . $lang->getShouldHaveBeenRedirected() . '</p>', $cas_url);
1696 $this->printHTMLFooter();
1697 phpCAS::traceExit();
1698 throw new CAS_GracefullTerminationException();
1699 }

References $lang, CAS_Client\getLangObj(), CAS_Client\getServerLoginURL(), CAS_Client\printHTMLFooter(), CAS_Client\printHTMLHeader(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceExit().

Referenced by CAS_Client\checkAuthentication(), CAS_Client\forceAuthentication(), and CAS_Client\renewAuthentication().


◆ renewAuthentication()

CAS_Client::renewAuthentication ( )

This method is called to renew the authentication of the user. If the user is authenticated, renew the connection; if not, redirect to CAS.

Returns
true when the user is authenticated; otherwise halt.

Definition at line 1267 of file Client.php.

1268 {
1269 phpCAS::traceBegin();
1270 // Either way, the user is authenticated by CAS
1271 if (isset($_SESSION['phpCAS']['auth_checked'])) {
1272 unset($_SESSION['phpCAS']['auth_checked']);
1273 }
1274 if ($this->isAuthenticated(true)) {
1275 phpCAS::trace('user already authenticated');
1276 $res = true;
1277 } else {
1278 $this->redirectToCas(false, true);
1279 // never reached
1280 $res = false;
1281 }
1282 phpCAS::traceEnd();
1283 return $res;
1284 }

References $_SESSION, $res, CAS_Client\isAuthenticated(), CAS_Client\redirectToCas(), phpCAS\trace(), phpCAS\traceBegin(), and phpCAS\traceEnd().


◆ setAttributes()

CAS_Client::setAttributes (   $attributes)

Set an array of attributes.

Parameters
array $attributes a key value array of attributes
Returns
void

Definition at line 1178 of file Client.php.

1179 {
1180 $this->_attributes = $attributes;
1181 }

References $attributes.

Referenced by CAS_Client\_wasPreviouslyAuthenticated().


◆ setCacheTimesForAuthRecheck()

CAS_Client::setCacheTimesForAuthRecheck (   $n)

Set the number of times authentication will be cached before rechecked.

Parameters
int $n number of times to wait for a recheck
Returns
void

Definition at line 1328 of file Client.php.

1329 {
1330 if (gettype($n) != 'integer') {
1331 throw new CAS_TypeMismatchException($n, '$n', 'string');
1332 }
1333
1334 $this->_cache_times_for_auth_recheck = $n;
1335 }

References $n.

Variable Documentation

◆ $_attributes

CAS_Client::$_attributes
private

The authenticated user's attributes.

Written by CAS_Client::setAttributes(), read by CAS_Client::getAttributes().

Attention
client applications should use phpCAS::getAttributes().

Definition at line 1169 of file Client.php.

Referenced by CAS_Client\getAttributes().

◆ $_cache_times_for_auth_recheck

CAS_Client::$_cache_times_for_auth_recheck
private

An integer that gives the number of times authentication will be cached before rechecked.

Definition at line 1319 of file Client.php.

◆ $_user

CAS_Client::$_user
private

The Authenticated user.

Written by CAS_Client::_setUser(), read by CAS_Client::getUser().

Definition at line 1112 of file Client.php.

Referenced by CAS_Client\_getUser().