1
|
|
|
package org.apereo.cas.config; |
2
|
|
|
|
3
|
|
|
import org.apache.commons.lang3.StringUtils; |
4
|
|
|
import org.apereo.cas.CipherExecutor; |
5
|
|
|
import org.apereo.cas.configuration.CasConfigurationProperties; |
6
|
|
|
import org.apereo.cas.configuration.model.core.util.EncryptionOptionalSigningJwtCryptographyProperties; |
7
|
|
|
import org.apereo.cas.ticket.ExpirationPolicy; |
8
|
|
|
import org.apereo.cas.token.JWTTokenTicketBuilder; |
9
|
|
|
import org.apereo.cas.token.TokenTicketBuilder; |
10
|
|
|
import org.apereo.cas.token.cipher.TokenTicketCipherExecutor; |
11
|
|
|
import org.apereo.cas.util.cipher.NoOpCipherExecutor; |
12
|
|
|
import org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator; |
13
|
|
|
import org.slf4j.Logger; |
14
|
|
|
import org.slf4j.LoggerFactory; |
15
|
|
|
import org.springframework.beans.factory.annotation.Autowired; |
16
|
|
|
import org.springframework.beans.factory.annotation.Qualifier; |
17
|
|
|
import org.springframework.boot.autoconfigure.AutoConfigureOrder; |
18
|
|
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; |
19
|
|
|
import org.springframework.boot.context.properties.EnableConfigurationProperties; |
20
|
|
|
import org.springframework.cloud.context.config.annotation.RefreshScope; |
21
|
|
|
import org.springframework.context.annotation.Bean; |
22
|
|
|
import org.springframework.context.annotation.Configuration; |
23
|
|
|
import org.springframework.core.Ordered; |
24
|
|
|
|
25
|
|
|
/** |
26
|
|
|
* This is {@link TokenCoreConfiguration}. |
27
|
|
|
* |
28
|
|
|
* @author Misagh Moayyed |
29
|
|
|
* @since 5.0.0 |
30
|
|
|
*/ |
31
|
|
|
@Configuration("tokenCoreConfiguration") |
32
|
|
|
@EnableConfigurationProperties(CasConfigurationProperties.class) |
33
|
|
|
@AutoConfigureOrder(Ordered.HIGHEST_PRECEDENCE) |
34
|
|
|
public class TokenCoreConfiguration { |
35
|
|
|
private static final Logger LOGGER = LoggerFactory.getLogger(TokenCoreConfiguration.class); |
36
|
|
|
|
37
|
|
|
@Autowired |
38
|
|
|
private CasConfigurationProperties casProperties; |
39
|
|
|
|
40
|
|
|
@Autowired |
41
|
|
|
@Qualifier("casClientTicketValidator") |
42
|
|
|
private AbstractUrlBasedTicketValidator casClientTicketValidator; |
43
|
|
|
|
44
|
|
|
@Autowired |
45
|
|
|
@Qualifier("grantingTicketExpirationPolicy") |
46
|
|
|
private ExpirationPolicy grantingTicketExpirationPolicy; |
47
|
|
|
|
48
|
|
|
@Bean |
49
|
|
|
@RefreshScope |
50
|
|
|
@ConditionalOnMissingBean(name = "tokenCipherExecutor") |
51
|
|
|
public CipherExecutor tokenCipherExecutor() { |
52
|
|
|
final EncryptionOptionalSigningJwtCryptographyProperties crypto = casProperties.getAuthn().getToken().getCrypto(); |
53
|
|
|
boolean enabled = crypto.isEnabled(); |
54
|
|
|
if (!enabled && (StringUtils.isNotBlank(crypto.getEncryption().getKey())) && StringUtils.isNotBlank(crypto.getSigning().getKey())) { |
55
|
|
|
LOGGER.warn("Token encryption/signing is not enabled explicitly in the configuration, yet signing/encryption keys " |
56
|
|
|
+ "are defined for operations. CAS will proceed to enable the token encryption/signing functionality."); |
57
|
|
|
enabled = true; |
58
|
|
|
} |
59
|
|
|
|
60
|
|
|
if (enabled) { |
61
|
|
|
return new TokenTicketCipherExecutor(crypto.getEncryption().getKey(), |
62
|
|
|
crypto.getSigning().getKey(), |
63
|
|
|
crypto.getAlg(), crypto.isEncryptionEnabled()); |
64
|
|
|
} |
65
|
|
|
LOGGER.info("Token cookie encryption/signing is turned off. This " |
66
|
|
|
+ "MAY NOT be safe in a production environment. Consider using other choices to handle encryption, " |
67
|
|
|
+ "signing and verification of generated tokens."); |
68
|
|
|
return NoOpCipherExecutor.getInstance(); |
69
|
|
|
} |
70
|
|
|
|
71
|
|
|
@RefreshScope |
72
|
|
|
@Bean |
73
|
|
|
@ConditionalOnMissingBean(name = "tokenTicketBuilder") |
74
|
|
|
public TokenTicketBuilder tokenTicketBuilder() { |
75
|
|
|
return new JWTTokenTicketBuilder(casClientTicketValidator, |
76
|
|
|
casProperties.getServer().getPrefix(), |
77
|
|
|
tokenCipherExecutor(), |
78
|
|
|
grantingTicketExpirationPolicy); |
79
|
|
|
} |
80
|
|
|
} |
81
|
|
|
|