or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

adaptive-authentication.mdauthentication-handlers.mdauthentication-policies.mdcredential-handling.mdindex.mdpassword-policies.mdprincipal-resolution.md
tile.json

tessl/maven-org-apereo-cas--cas-server-core-authentication-api

Core authentication API module for Apereo CAS providing fundamental authentication interfaces, implementations, and components for the CAS server infrastructure

Workspace
tessl
Visibility
Public
Created
Last updated
Describes
mavenpkg:maven/org.apereo.cas/cas-server-core-authentication-api@7.2.x

To install, run

npx @tessl/cli install tessl/maven-org-apereo-cas--cas-server-core-authentication-api@7.2.0

index.mddocs/

CAS Server Core Authentication API

The CAS Server Core Authentication API module provides the foundational components for authentication processing within the CAS (Central Authentication Service) server. This module defines the core interfaces, abstract classes, and implementations for handling authentication requests, managing credentials, applying authentication policies, and resolving principals.

Package Information

Maven Coordinates:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-core-authentication-api</artifactId>
    <version>${cas.version}</version>
</dependency>

Java Version: Java 11+
Framework: Spring Framework
Base Package: org.apereo.cas.authentication

Core Imports

// Core authentication management
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationManager;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationTransaction;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.Principal;

// Authentication builders and factories
import org.apereo.cas.authentication.DefaultAuthentication;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.DefaultAuthenticationManager;
import org.apereo.cas.authentication.DefaultAuthenticationTransaction;

// Core utilities
import org.apereo.cas.authentication.CoreAuthenticationUtils;
import org.apereo.cas.authentication.AuthenticationHolder;

// Principal management
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalElectionStrategy;
import org.apereo.cas.authentication.principal.SimplePrincipal;

// Common credentials
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.credential.RememberMeUsernamePasswordCredential;
import org.apereo.cas.authentication.credential.OneTimePasswordCredential;
import org.apereo.cas.authentication.credential.BasicIdentifiableCredential;

Basic Usage

Creating and Managing Authentication

// Create authentication manager
AuthenticationManager authenticationManager = new DefaultAuthenticationManager(
    authenticationEventExecutionPlan,
    authenticationHandlerResolvers,
    authenticationTransactionFactory
);

// Create authentication transaction
AuthenticationTransaction transaction = DefaultAuthenticationTransaction.of(credential);

// Perform authentication
AuthenticationResult result = authenticationManager.authenticate(transaction);
Authentication authentication = result.getAuthentication();

Working with Credentials

// Username/password authentication
UsernamePasswordCredential credential = new UsernamePasswordCredential("username", "password");

// Remember-me authentication
RememberMeUsernamePasswordCredential rememberMeCredential = 
    new RememberMeUsernamePasswordCredential("username", "password", true);

// One-time password
OneTimePasswordCredential otpCredential = new OneTimePasswordCredential("user", "123456");

// Validate credentials
ValidationContext context = new ValidationContext();
boolean isValid = credential.validate(context);

Principal Management

// Create principal factory
PrincipalFactory principalFactory = new DefaultPrincipalFactory();

// Create principal with attributes
Map<String, Object> attributes = Map.of(
    "email", "user@example.com",
    "role", "admin"
);
Principal principal = principalFactory.createPrincipal("username", attributes);

// Principal election strategy
PrincipalElectionStrategy electionStrategy = new DefaultPrincipalElectionStrategy();
Principal elected = electionStrategy.electPrincipal(authentications);

Authentication Context Management

// Store authentication in thread-local context
AuthenticationHolder.setCurrentAuthentication(authentication);

// Retrieve current authentication
Authentication current = AuthenticationHolder.getCurrentAuthentication();

// Clear authentication context
AuthenticationHolder.clear();

Architecture

The CAS authentication API is organized around several core concepts:

Authentication Flow

  1. Credential Submission - Users provide credentials through various means
  2. Authentication Handler Processing - Handlers validate credentials against data sources
  3. Principal Resolution - User principals are resolved and populated with attributes
  4. Policy Enforcement - Authentication policies are applied to determine success
  5. Result Creation - Authentication results are constructed and returned

Key Components

Authentication Manager

Central component that orchestrates the authentication process, managing handlers, policies, and transaction flow.

Authentication Handlers

Components responsible for validating specific credential types against authentication sources (LDAP, database, etc.).

Principal Resolvers

Components that resolve user principals and populate them with attributes from various sources.

Authentication Policies

Components that determine whether authentication requirements are satisfied based on configured rules.

Credential Types

Various credential implementations supporting different authentication methods and protocols.

Capabilities

Authentication Handlers

Comprehensive support for various authentication methods and data sources.

// Abstract base handler
public abstract class AbstractAuthenticationHandler implements AuthenticationHandler {
    protected AbstractAuthenticationHandler(String name, ServicesManager servicesManager, 
                                          PrincipalFactory principalFactory, Integer order) { }
    
    public abstract boolean supports(Credential credential);
    public abstract AuthenticationHandlerExecutionResult authenticate(Credential credential) 
        throws GeneralSecurityException, PreventedException;
}

// Username/password handler
public class AcceptUsersAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    public AcceptUsersAuthenticationHandler(Map<String, String> users) { }
}

Authentication Handlers →

Principal Resolution

Flexible principal resolution and attribute management system.

// Principal factory
public interface PrincipalFactory {
    Principal createPrincipal(String id);
    Principal createPrincipal(String id, Map<String, Object> attributes);
}

// Principal election strategy
public interface PrincipalElectionStrategy {
    Principal electPrincipal(Collection<Authentication> authentications);
}

// Attribute merging
public interface AttributeMerger {
    Map<String, List<Object>> mergeAttributes(Map<String, List<Object>> toModify, 
                                            Map<String, List<Object>> toMerge);
}

Principal Resolution →

Authentication Policies

Configurable policies for authentication requirements and validation.

// Base authentication policy
public abstract class BaseAuthenticationPolicy implements AuthenticationPolicy {
    public abstract AuthenticationPolicyExecutionResult execute(AuthenticationTransaction transaction) 
        throws Exception;
}

// Policy implementations
public class AllAuthenticationHandlersSucceededAuthenticationPolicy extends BaseAuthenticationPolicy { }
public class AtLeastOneCredentialValidatedAuthenticationPolicy extends BaseAuthenticationPolicy { }
public class RequiredAuthenticationHandlerAuthenticationPolicy extends BaseAuthenticationPolicy { }

Authentication Policies →

Credential Handling

Support for various credential types and validation mechanisms.

// Base credential class
public abstract class AbstractCredential implements Credential {
    public abstract String getId();
    public boolean isValid() { return true; }
    public void validate(ValidationContext context) throws Exception { }
}

// Credential implementations
public class UsernamePasswordCredential extends AbstractCredential { }
public class OneTimePasswordCredential extends AbstractCredential { }
public class OneTimeTokenCredential extends AbstractCredential { }
public class HttpBasedServiceCredential extends AbstractCredential { }

Credential Handling →

Password Policies

Comprehensive password policy support and enforcement.

// Password policy handling strategy
public interface AuthenticationPasswordPolicyHandlingStrategy {
    List<MessageDescriptor> handle(Principal principal, PasswordPolicyContext passwordPolicyConfiguration) 
        throws Exception;
}

// Password policy context
public class PasswordPolicyContext {
    public PasswordPolicyContext(PasswordPolicy passwordPolicy) { }
    public PasswordPolicy getPasswordPolicy() { }
}

Password Policies →

Adaptive Authentication

Risk-based authentication and adaptive security measures.

// Adaptive authentication policy
public interface AdaptiveAuthenticationPolicy {
    boolean isAuthenticationRequestAllowed(RequestContext requestContext, 
                                         String userAgent, 
                                         GeoLocationRequest location);
}

// IP address intelligence
public interface IPAddressIntelligenceService {
    IPAddressIntelligenceResponse examine(RequestContext requestContext, String clientIpAddress);
}

Adaptive Authentication →

Core Utilities

// Authentication utilities
public class CoreAuthenticationUtils {
    public static Map<String, Object> convertAttributeValuesToObjects(Map<String, ?> attributes);
    public static AttributeMerger getAttributeMerger(PrincipalAttributesCoreProperties.MergingStrategyTypes mergingPolicy);
    public static boolean isRememberMeAuthentication(Authentication authentication);
    public static Predicate<Credential> newCredentialSelectionPredicate(String selectionCriteria);
    public static List<AuthenticationPolicy> newAuthenticationPolicy(AuthenticationPolicyProperties policyProps);
}

// SSL context management
public interface CasSSLContext {
    SSLContext getSslContext();
    TrustManager[] getTrustManagers();
    KeyManager[] getKeyManagers();
    HostnameVerifier getHostnameVerifier();
    
    static CasSSLContext system() { }
    static CasSSLContext disabled() { }
}

Exception Handling

The API provides comprehensive exception handling for authentication failures:

// Account-related exceptions
public class AccountDisabledException extends AccountException { }
public class AccountPasswordMustChangeException extends AccountException { }
public class InvalidLoginLocationException extends AccountException { }
public class InvalidLoginTimeException extends AccountException { }

// Principal-related exceptions
public class MixedPrincipalException extends Exception { }
public class UniquePrincipalRequiredException extends Exception { }
public class UnresolvedPrincipalException extends Exception { }

// Policy exceptions
public class UnsatisfiedAuthenticationPolicyException extends AbstractTicketException { }

This API provides a complete foundation for implementing authentication workflows in CAS server deployments, with extensive configuration options and extensibility points for custom requirements.