 /**
  * Force the user to be authenticated, redirecting to the CAS server when
  * no authenticated session exists.
  *
  * The work is delegated to the global client object; where this check was
  * made (file, line, method) and its outcome are recorded in
  * $PHPCAS_AUTH_CHECK_CALL so that later accessors can verify that an
  * authentication check happened before user data is read.
  */
 function forceAuthentication()
 {
     global $PHPCAS_CLIENT, $PHPCAS_AUTH_CHECK_CALL;
     phpCAS::traceBegin();
     // The client object must have been created by client() or proxy() first.
     if (!is_object($PHPCAS_CLIENT)) {
         phpCAS::error('this method should not be called before ' . __CLASS__ . '::client() or ' . __CLASS__ . '::proxy()');
     }
     $authenticated = $PHPCAS_CLIENT->forceAuthentication();
     // Record the calling frame and the result of the check.
     $frames = phpCAS::backtrace();
     $record = array(
         'done'   => TRUE,
         'file'   => $frames[0]['file'],
         'line'   => $frames[0]['line'],
         'method' => __CLASS__ . '::' . __FUNCTION__,
         'result' => $authenticated,
     );
     $PHPCAS_AUTH_CHECK_CALL = $record;
     if ($authenticated) {
         phpCAS::trace('no need to authenticate (user `' . phpCAS::getUser() . '\' is already authenticated)');
     } else {
         // NOTE(review): this is the second call to the client's
         // forceAuthentication() in this method; presumably the client
         // redirects and halts on an unauthenticated user -- confirm.
         phpCAS::trace('user is not authenticated, redirecting to the CAS server');
         $PHPCAS_CLIENT->forceAuthentication();
     }
     phpCAS::traceEnd();
 }
 /**
  * Report whether the current user is authenticated, either from an earlier
  * check in this session or from a ticket carried in the request URL.
  *
  * The check itself is delegated to the global client object; where the
  * check happened and what it returned are stored in $PHPCAS_AUTH_CHECK_CALL.
  *
  * @return TRUE when the user is authenticated.
  */
 function isAuthenticated()
 {
     global $PHPCAS_CLIENT, $PHPCAS_AUTH_CHECK_CALL;
     phpCAS::traceBegin();
     if (!is_object($PHPCAS_CLIENT)) {
         // client() or proxy() has not been called yet
         phpCAS::error('this method should not be called before ' . __CLASS__ . '::client() or ' . __CLASS__ . '::proxy()');
     }
     $authenticated = $PHPCAS_CLIENT->isAuthenticated();
     // Remember the calling frame so later accessors can tell that the
     // authentication check was made, and what it returned.
     $frames = phpCAS::backtrace();
     $PHPCAS_AUTH_CHECK_CALL = array(
         'done'   => TRUE,
         'file'   => $frames[0]['file'],
         'line'   => $frames[0]['line'],
         'method' => __CLASS__ . '::' . __FUNCTION__,
         'result' => $authenticated,
     );
     phpCAS::traceEnd($authenticated);
     return $authenticated;
 }
 /**
  * Check whether the user is authenticated, either from an earlier check in
  * this session or from a ticket (ST, PT or SAML) carried in the request URL.
  *
  * Flow:
  *  - previously authenticated and a ticket is still in the URL: redirect to
  *    the same URL without the ticket and exit (the ticket is discarded, not
  *    validated);
  *  - previously authenticated, no ticket: nothing to do, TRUE;
  *  - not yet authenticated: validate whichever ticket is present (the
  *    validate*() calls halt on failure), store user/attributes/PGT under
  *    $_SESSION['phpCAS'], record the check in $PHPCAS_AUTH_CHECK_CALL, run
  *    the post-authenticate callback, and optionally redirect to drop the
  *    ticket from the URL;
  *  - no ticket at all: FALSE.
  *
  * @return TRUE when the user is authenticated. Also may redirect to the same URL without the ticket.
  */
 public function isAuthenticated()
 {
     phpCAS::traceBegin();
     $res = FALSE;
     // $validate_url, $text_response and $tree_response are handed to the
     // validate*() methods, which presumably fill them by reference (they are
     // never assigned in this method) -- confirm against those methods.
     $validate_url = '';
     if ($this->wasPreviouslyAuthenticated()) {
         if ($this->hasST() || $this->hasPT() || $this->hasSA()) {
             // User has a additional ticket but was already authenticated:
             // the ticket is not validated; the browser is sent back to the
             // ticket-less URL and the request ends here.
             phpCAS::trace('ticket was present and will be discarded, use renewAuthenticate()');
             header('Location: ' . $this->getURL());
             phpCAS::trace("Prepare redirect to remove ticket: " . $this->getURL());
             phpCAS::traceExit();
             exit;
         } else {
             // the user has already (previously during the session) been
             // authenticated, nothing to be done.
             phpCAS::trace('user was already authenticated, no need to look for tickets');
             $res = TRUE;
         }
     } else {
         if ($this->hasST()) {
             // if a Service Ticket was given, validate it
             phpCAS::trace('ST `' . $this->getST() . '\' is present');
             $this->validateST($validate_url, $text_response, $tree_response);
             // if it fails, it halts
             phpCAS::trace('ST `' . $this->getST() . '\' was validated');
             if ($this->isProxy()) {
                 // in proxy mode the PGT obtained for this ST is validated and kept
                 $this->validatePGT($validate_url, $text_response, $tree_response);
                 // idem
                 phpCAS::trace('PGT `' . $this->getPGT() . '\' was validated');
                 $_SESSION['phpCAS']['pgt'] = $this->getPGT();
             }
             // The session now carries the authenticated identity.
             // NOTE(review): the session id is not regenerated at this
             // transition (no session_regenerate_id() in this method);
             // rotating it here would defend against session fixation --
             // confirm whether the surrounding code handles that elsewhere.
             $_SESSION['phpCAS']['user'] = $this->getUser();
             if ($this->hasAttributes()) {
                 $_SESSION['phpCAS']['attributes'] = $this->getAttributes();
             }
             $res = TRUE;
             // the ticket that authenticated this session, handed to the
             // post-authenticate callback below
             $logoutTicket = $this->getST();
         } elseif ($this->hasPT()) {
             // if a Proxy Ticket was given, validate it
             phpCAS::trace('PT `' . $this->getPT() . '\' is present');
             $this->validatePT($validate_url, $text_response, $tree_response);
             // note: if it fails, it halts
             phpCAS::trace('PT `' . $this->getPT() . '\' was validated');
             if ($this->isProxy()) {
                 $this->validatePGT($validate_url, $text_response, $tree_response);
                 // idem
                 phpCAS::trace('PGT `' . $this->getPGT() . '\' was validated');
                 $_SESSION['phpCAS']['pgt'] = $this->getPGT();
             }
             // same session bookkeeping as the ST branch (same session-id
             // rotation remark applies)
             $_SESSION['phpCAS']['user'] = $this->getUser();
             if ($this->hasAttributes()) {
                 $_SESSION['phpCAS']['attributes'] = $this->getAttributes();
             }
             $res = TRUE;
             $logoutTicket = $this->getPT();
         } elseif ($this->hasSA()) {
             // if we have a SAML ticket, validate it.
             phpCAS::trace('SA `' . $this->getSA() . '\' is present');
             $this->validateSA($validate_url, $text_response, $tree_response);
             // if it fails, it halts
             phpCAS::trace('SA `' . $this->getSA() . '\' was validated');
             // unlike the ST/PT branches, attributes are stored unconditionally
             // here (no hasAttributes() check); no PGT handling for SAML
             $_SESSION['phpCAS']['user'] = $this->getUser();
             $_SESSION['phpCAS']['attributes'] = $this->getAttributes();
             $res = TRUE;
             $logoutTicket = $this->getSA();
         } else {
             // no ticket given, not authenticated
             phpCAS::trace('no ticket found');
         }
         if ($res) {
             // Mark the auth-check as complete to allow post-authentication
             // callbacks to make use of phpCAS::getUser() and similar methods
             $dbg = phpCAS::backtrace();
             // 'global' binds the variable from this point to the end of the
             // method; it is only needed on this success path.
             global $PHPCAS_AUTH_CHECK_CALL;
             $PHPCAS_AUTH_CHECK_CALL = array('done' => TRUE, 'file' => $dbg[0]['file'], 'line' => $dbg[0]['line'], 'method' => __CLASS__ . '::' . __FUNCTION__, 'result' => $res);
             // call the post-authenticate callback if registered.
             // $logoutTicket is always set here: $res is only TRUE after one of
             // the three ticket branches above assigned it. The callback gets
             // the ticket as first argument, then the configured args.
             if ($this->_postAuthenticateCallbackFunction) {
                 $args = $this->_postAuthenticateCallbackArgs;
                 array_unshift($args, $logoutTicket);
                 call_user_func_array($this->_postAuthenticateCallbackFunction, $args);
             }
             // if called with a ticket parameter, we need to redirect to the app without the ticket so that CAS-ification is transparent to the browser (for later POSTS)
             // most of the checks and errors should have been made now, so we're safe for redirect without masking error messages.
             // remove the ticket as a security precaution to prevent a ticket in the HTTP_REFERRER
             if ($this->_clearTicketsFromUrl) {
                 header('Location: ' . $this->getURL());
                 phpCAS::trace("Prepare redirect to : " . $this->getURL());
                 phpCAS::traceExit();
                 exit;
             }
         }
     }
     phpCAS::traceEnd($res);
     return $res;
 }