tessl/maven-org-apereo-cas--cas-server-support-surrogate-api
Apereo CAS Surrogate Authentication API providing core interfaces and classes for surrogate authentication functionality
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-apereo-cas--cas-server-support-surrogate-api@7.2.0index.mddocs/
CAS Surrogate Authentication API
A comprehensive API for implementing surrogate authentication functionality in the Apereo CAS (Central Authentication Service) ecosystem. This library provides the core interfaces, data classes, and service access strategies needed to enable authorized users to impersonate other users for administrative and support purposes.
Package Information
- Package Name: org.apereo.cas:cas-server-support-surrogate-api
- Language: Java
- Build System: Gradle
- Installation: Include as dependency in CAS module or application
Core Imports
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationRequest;
import org.apereo.cas.authentication.surrogate.SurrogateCredentialTrait;
import org.apereo.cas.authentication.surrogate.SurrogateCredentialParser;
import org.apereo.cas.services.SurrogateRegisteredServiceAccessStrategy;
import org.apereo.cas.services.BaseSurrogateRegisteredServiceAccessStrategy;
import org.apereo.cas.services.GroovySurrogateRegisteredServiceAccessStrategy;
import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.MutableCredential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;Basic Usage
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationRequest;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import java.util.Collection;
import java.util.Optional;
// Implement surrogate authentication service
public class CustomSurrogateAuthenticationService implements SurrogateAuthenticationService {
@Override
public Collection<String> getImpersonationAccounts(String username, Optional<? extends Service> service) throws Throwable {
// Return list of accounts this user can impersonate
return java.util.Arrays.asList("user1", "user2", "admin");
}
@Override
public boolean canImpersonate(String surrogate, Principal principal, Optional<? extends Service> service) throws Throwable {
// Check if principal can impersonate the surrogate user
Collection<String> accounts = getImpersonationAccounts(principal.getId(), service);
return accounts.contains(surrogate) || isWildcardedAccount(accounts, service);
}
}
// Create surrogate authentication request
SurrogateAuthenticationRequest request = SurrogateAuthenticationRequest.builder()
.credential(mutableCredential)
.username("admin")
.surrogateUsername("targetUser")
.selectable(true)
.build();
// Check if request has surrogate username
if (request.hasSurrogateUsername()) {
// Process surrogate authentication
}Architecture
The surrogate authentication API follows a layered architecture:
- Service Layer:
SurrogateAuthenticationServicedefines core impersonation logic - Request Layer:
SurrogateAuthenticationRequestand parsing components handle authentication flow - Access Control Layer: Service access strategies control surrogate authentication at service level
- Credential Layer: Traits and parsers integrate with CAS credential handling framework
This design enables flexible backend integration (LDAP, JDBC, REST APIs) and fine-grained access control through CAS's service management framework.
Capabilities
Core Authentication Service
Primary interface for surrogate authentication operations including permission checking, account enumeration, and wildcard support for super-administrators.
@FunctionalInterface
public interface SurrogateAuthenticationService {
/**
* Logger instance.
*/
Logger LOGGER = LoggerFactory.getLogger(SurrogateAuthenticationService.class);
/**
* An authorized account may be tagged as a wildcard, meaning
* that the account has special permissions to impersonate anyone.
*/
String WILDCARD_ACCOUNT = "*";
/**
* Default bean name.
*/
String BEAN_NAME = "surrogateAuthenticationService";
/**
* Surrogate username attribute in the authentication payload.
*/
String AUTHENTICATION_ATTR_SURROGATE_USER = "surrogateUser";
/**
* Original credential attribute in the authentication payload.
*/
String AUTHENTICATION_ATTR_SURROGATE_PRINCIPAL = "surrogatePrincipal";
/**
* Indicates that surrogate authn is enabled and activated.
*/
String AUTHENTICATION_ATTR_SURROGATE_ENABLED = "surrogateEnabled";
Collection<String> getImpersonationAccounts(String username, Optional<? extends Service> service) throws Throwable;
default boolean canImpersonate(String surrogate, Principal principal, Optional<? extends Service> service) throws Throwable;
default boolean isWildcardedAccount(String surrogate, Principal principal, Optional<? extends Service> service) throws Throwable;
default boolean isWildcardedAccount(Collection<String> accounts, Optional<? extends Service> service);
default void collectSurrogateAttributes(AuthenticationBuilder builder, String surrogateUser, String principal);
}Request and Credential Handling
Data classes and parsers for managing surrogate authentication requests, credential traits, and integration with CAS authentication flow.
@ToString
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@Getter
@NoArgsConstructor(force = true)
@EqualsAndHashCode
@RequiredArgsConstructor
@SuperBuilder
public class SurrogateAuthenticationRequest implements Serializable {
private final MutableCredential credential;
private final String username;
private final String surrogateUsername;
private final boolean selectable;
boolean hasSurrogateUsername();
}
@ToString
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@Getter
@NoArgsConstructor(force = true)
@EqualsAndHashCode
@RequiredArgsConstructor
public class SurrogateCredentialTrait implements CredentialTrait {
private final String surrogateUsername;
}
@FunctionalInterface
public interface SurrogateCredentialParser {
String BEAN_NAME = "surrogateCredentialParser";
Optional<SurrogateAuthenticationRequest> parse(MutableCredential credential);
}Request and Credential Handling
Service Access Control
Service-level access strategies for controlling surrogate authentication permissions at the individual service level, including attribute-based and script-based authorization.
public abstract class BaseSurrogateRegisteredServiceAccessStrategy extends BaseRegisteredServiceAccessStrategy {
protected boolean isSurrogateAuthenticationSession(RegisteredServiceAccessStrategyRequest request);
}
@Getter
@Setter
@EqualsAndHashCode(callSuper = true)
public class SurrogateRegisteredServiceAccessStrategy extends BaseSurrogateRegisteredServiceAccessStrategy {
protected boolean requireAllAttributes = true;
protected boolean caseInsensitive;
private Map<String, Set<String>> surrogateRequiredAttributes = new HashMap<>(0);
boolean authorizeRequest(RegisteredServiceAccessStrategyRequest request);
protected boolean doPrincipalAttributesAllowSurrogateServiceAccess(RegisteredServiceAccessStrategyRequest request);
}
@Slf4j
@Getter
@Setter
@EqualsAndHashCode(callSuper = true)
public class GroovySurrogateRegisteredServiceAccessStrategy extends BaseSurrogateRegisteredServiceAccessStrategy {
@ExpressionLanguageCapable
private String groovyScript;
boolean authorizeRequest(RegisteredServiceAccessStrategyRequest request) throws Throwable;
}