
1   /* Copyright 2004 Acegi Technology Pty Limited
2    *
3    * Licensed under the Apache License, Version 2.0 (the "License");
4    * you may not use this file except in compliance with the License.
5    * You may obtain a copy of the License at
6    *
7    *     http://www.apache.org/licenses/LICENSE-2.0
8    *
9    * Unless required by applicable law or agreed to in writing, software
10   * distributed under the License is distributed on an "AS IS" BASIS,
11   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12   * See the License for the specific language governing permissions and
13   * limitations under the License.
14   */
15  
16  package org.acegisecurity.providers.cas;
17  
18  import java.util.List;
19  
20  
/**
 * Decides whether a proxy list presented via CAS is trusted or not.
 *
 * <p>
 * CAS 1.0 allowed services to receive a service ticket and then validate it.
 * CAS 2.0 additionally lets a service validate a service ticket together with
 * a proxy callback URL; the CAS server uses that callback to authenticate the
 * service, which then receives a proxy-granting ticket and a proxy-granting
 * ticket IOU. The IOU is only an internal record that a proxy-granting ticket
 * is due to arrive via the callback URL.
 * </p>
 *
 * <p>
 * Holding a proxy-granting ticket, a service can ask the CAS server for a
 * proxy ticket. A proxy ticket is just a service ticket for which the CAS
 * server internally tracks the list (chain) of services used to obtain it.
 * That proxy ticket is then presented to the target service.
 * </p>
 *
 * <p>
 * When this application is the target of a proxy ticket, the
 * <code>CasProxyDecider</code> resolves whether the proxy list is trusted.
 * An application should only trust the services it is willing to let
 * impersonate an end user, because every member of the list proxied the
 * user's authentication on the way to this application.
 * </p>
 *
 * <p>
 * An application that must never accept proxy-granting tickets should
 * reject any ticket whose proxy list has members. An empty list indicates
 * the CAS server authenticated the user directly, with no intermediate
 * service proxying the authentication.
 * </p>
 *
 * @author Ben Alex
 * @version $Id: CasProxyDecider.java,v 1.2 2005/11/17 00:55:47 benalex Exp $
 */
public interface CasProxyDecider {
    //~ Methods ================================================================

    /**
     * Confirms that the supplied proxy list is trusted.
     *
     * <p>
     * Returning normally signals trust. Implementations must throw a
     * <code>ProxyUntrustedException</code> for an untrusted list instead of
     * returning quietly, since callers treat a normal return as permission to
     * accept the proxied authentication.
     * </p>
     *
     * @param proxyList the chain of services through which the ticket was
     *        proxied; empty when the CAS server authenticated the user
     *        directly (the element type is not declared here - presumably
     *        service identifiers, verify against the ticket validator)
     * @throws ProxyUntrustedException if the proxy list is not trusted
     */
    void confirmProxyListTrusted(List proxyList)
        throws ProxyUntrustedException;
}