/**
 * Force authentication: if the user is not yet authenticated the CAS
 * client is asked to redirect the browser to the CAS server.
 *
 * Side effects: records the call site and outcome in the global
 * $PHPCAS_AUTH_CHECK_CALL (file/line come from phpCAS::backtrace()).
 * Requires phpCAS::client() or phpCAS::proxy() to have been called first.
 */
function forceAuthentication()
{
    global $PHPCAS_CLIENT, $PHPCAS_AUTH_CHECK_CALL;

    phpCAS::traceBegin();

    // phpCAS::error() is expected to halt here; if it ever returned, the
    // next line would call a method on a non-object.
    if (!is_object($PHPCAS_CLIENT)) {
        phpCAS::error(sprintf(
            'this method should not be called before %s::client() or %s::proxy()',
            __CLASS__,
            __CLASS__
        ));
    }

    $authenticated = $PHPCAS_CLIENT->forceAuthentication();

    // Remember where the auth check happened and what it returned.
    $frame = phpCAS::backtrace();
    $PHPCAS_AUTH_CHECK_CALL = array(
        'done'   => TRUE,
        'file'   => $frame[0]['file'],
        'line'   => $frame[0]['line'],
        'method' => sprintf('%s::%s', __CLASS__, __FUNCTION__),
        'result' => $authenticated,
    );

    if ($authenticated) {
        phpCAS::trace('no need to authenticate (user `' . phpCAS::getUser() . '\' is already authenticated)');
    } else {
        // Second call to the client; whether this path is reachable depends
        // on the client's forceAuthentication() (not shown) — it likely
        // redirects and halts on the first call. Left as in the original.
        phpCAS::trace('user is not authenticated, redirecting to the CAS server');
        $PHPCAS_CLIENT->forceAuthentication();
    }

    phpCAS::traceEnd();
}
/**
 * Check whether the user is authenticated, either from an earlier check
 * in this session or via a ticket carried in the URL (delegated to the
 * global CAS client).
 *
 * Side effects: records the call site and outcome in the global
 * $PHPCAS_AUTH_CHECK_CALL. Requires phpCAS::client() or phpCAS::proxy()
 * to have been called first.
 *
 * @return TRUE when the user is authenticated.
 */
function isAuthenticated()
{
    global $PHPCAS_CLIENT, $PHPCAS_AUTH_CHECK_CALL;

    phpCAS::traceBegin();

    // phpCAS::error() is expected to halt; otherwise the client call below
    // would be made on a non-object.
    if (!is_object($PHPCAS_CLIENT)) {
        phpCAS::error(sprintf(
            'this method should not be called before %s::client() or %s::proxy()',
            __CLASS__,
            __CLASS__
        ));
    }

    // The real work is done by the client object.
    $isAuth = $PHPCAS_CLIENT->isAuthenticated();

    // Remember where the auth check happened and what it returned.
    $frame = phpCAS::backtrace();
    $PHPCAS_AUTH_CHECK_CALL = array(
        'done'   => TRUE,
        'file'   => $frame[0]['file'],
        'line'   => $frame[0]['line'],
        'method' => sprintf('%s::%s', __CLASS__, __FUNCTION__),
        'result' => $isAuth,
    );

    phpCAS::traceEnd($isAuth);
    return $isAuth;
}
/**
 * This method is called to check if the user is authenticated (previously or by
 * tickets given in the URL).
 *
 * Side effects visible in this method:
 *  - on a successful ticket validation, writes $_SESSION['phpCAS']['user'],
 *    optionally ['pgt'] (proxy mode) and ['attributes'];
 *  - sets the global $PHPCAS_AUTH_CHECK_CALL so later code can rely on
 *    phpCAS::getUser();
 *  - invokes the registered post-authenticate callback with the validated
 *    ticket prepended to its arguments;
 *  - may send a Location header to the ticket-less URL and exit().
 *
 * NOTE(review): no session-id regeneration is visible here after a ticket is
 * validated; confirm that validateST()/validatePT()/validateSA() (not shown)
 * rotate the session id, otherwise the session established by the ticket
 * inherits whatever id the browser arrived with.
 *
 * @return TRUE when the user is authenticated. Also may redirect to the same URL without the ticket.
 */
public function isAuthenticated()
{
    phpCAS::traceBegin();
    $res = FALSE;
    $validate_url = '';

    if ($this->wasPreviouslyAuthenticated()) {
        if ($this->hasST() || $this->hasPT() || $this->hasSA()) {
            // User has a additional ticket but was already authenticated.
            // The ticket is not validated; the browser is sent back to the
            // same URL without it and this request ends here.
            phpCAS::trace('ticket was present and will be discarded, use renewAuthenticate()');
            header('Location: ' . $this->getURL());
            phpCAS::trace("Prepare redirect to remove ticket: " . $this->getURL());
            phpCAS::traceExit();
            exit;
        } else {
            // the user has already (previously during the session) been
            // authenticated, nothing to be done.
            phpCAS::trace('user was already authenticated, no need to look for tickets');
            $res = TRUE;
        }
    } else {
        // $text_response / $tree_response are undefined here and are passed by
        // reference — presumably out-params filled by the validators; verify
        // against their signatures (not shown).
        if ($this->hasST()) {
            // if a Service Ticket was given, validate it
            phpCAS::trace('ST `' . $this->getST() . '\' is present');
            $this->validateST($validate_url, $text_response, $tree_response); // if it fails, it halts
            phpCAS::trace('ST `' . $this->getST() . '\' was validated');
            if ($this->isProxy()) {
                $this->validatePGT($validate_url, $text_response, $tree_response); // idem
                phpCAS::trace('PGT `' . $this->getPGT() . '\' was validated');
                $_SESSION['phpCAS']['pgt'] = $this->getPGT();
            }
            $_SESSION['phpCAS']['user'] = $this->getUser();
            // attributes are only stored when present (the SA branch below
            // stores them unconditionally)
            if ($this->hasAttributes()) {
                $_SESSION['phpCAS']['attributes'] = $this->getAttributes();
            }
            $res = TRUE;
            $logoutTicket = $this->getST();
        } elseif ($this->hasPT()) {
            // if a Proxy Ticket was given, validate it
            phpCAS::trace('PT `' . $this->getPT() . '\' is present');
            $this->validatePT($validate_url, $text_response, $tree_response); // note: if it fails, it halts
            phpCAS::trace('PT `' . $this->getPT() . '\' was validated');
            if ($this->isProxy()) {
                $this->validatePGT($validate_url, $text_response, $tree_response); // idem
                phpCAS::trace('PGT `' . $this->getPGT() . '\' was validated');
                $_SESSION['phpCAS']['pgt'] = $this->getPGT();
            }
            $_SESSION['phpCAS']['user'] = $this->getUser();
            if ($this->hasAttributes()) {
                $_SESSION['phpCAS']['attributes'] = $this->getAttributes();
            }
            $res = TRUE;
            $logoutTicket = $this->getPT();
        } elseif ($this->hasSA()) {
            // if we have a SAML ticket, validate it.
            phpCAS::trace('SA `' . $this->getSA() . '\' is present');
            $this->validateSA($validate_url, $text_response, $tree_response); // if it fails, it halts
            phpCAS::trace('SA `' . $this->getSA() . '\' was validated');
            $_SESSION['phpCAS']['user'] = $this->getUser();
            $_SESSION['phpCAS']['attributes'] = $this->getAttributes();
            $res = TRUE;
            $logoutTicket = $this->getSA();
        } else {
            // no ticket given, not authenticated
            phpCAS::trace('no ticket found');
        }

        // $res is TRUE only when one of the branches above validated a ticket,
        // so $logoutTicket is always defined inside this block.
        if ($res) {
            // Mark the auth-check as complete to allow post-authentication
            // callbacks to make use of phpCAS::getUser() and similar methods
            $dbg = phpCAS::backtrace();
            global $PHPCAS_AUTH_CHECK_CALL;
            $PHPCAS_AUTH_CHECK_CALL = array('done' => TRUE, 'file' => $dbg[0]['file'], 'line' => $dbg[0]['line'], 'method' => __CLASS__ . '::' . __FUNCTION__, 'result' => $res);

            // call the post-authenticate callback if registered.
            // The callback receives the freshly validated ticket as its first
            // argument, followed by the configured extra arguments.
            if ($this->_postAuthenticateCallbackFunction) {
                $args = $this->_postAuthenticateCallbackArgs;
                array_unshift($args, $logoutTicket);
                call_user_func_array($this->_postAuthenticateCallbackFunction, $args);
            }

            // if called with a ticket parameter, we need to redirect to the app without the ticket so that CAS-ification is transparent to the browser (for later POSTS)
            // most of the checks and errors should have been made now, so we're safe for redirect without masking error messages.
            // remove the ticket as a security precaution to prevent a ticket in the HTTP_REFERRER
            // Note: when this option is off, the ticket stays in the browser's
            // URL and may leak via Referer or history.
            if ($this->_clearTicketsFromUrl) {
                header('Location: ' . $this->getURL());
                phpCAS::trace("Prepare redirect to : " . $this->getURL());
                phpCAS::traceExit();
                exit;
            }
        }
    }

    phpCAS::traceEnd($res);
    return $res;
}