From 5a0869a771f65f87fa2a4ed402fb1f3597b92198 Mon Sep 17 00:00:00 2001
From: Matthias Piepkorn <mpiepk@gmail.com>
Date: Sun, 05 Feb 2017 11:32:25 +0000
Subject: [PATCH] Handle service ticket validation on proxyValidate endpoint, return error on proxy endpoint

---
 src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
index 28fbd50..b2b0702 100644
--- a/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
+++ b/src/main/java/org/keycloak/protocol/cas/endpoints/ValidateEndpoint.java
@@ -20,7 +20,7 @@
 import javax.ws.rs.core.*;
 
 public class ValidateEndpoint {
-    protected static final Logger logger = Logger.getLogger(org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.class);
+    protected static final Logger logger = Logger.getLogger(ValidateEndpoint.class);
 
     private static final String RESPONSE_OK = "yes\n";
     private static final String RESPONSE_FAILED = "no\n";
@@ -56,7 +56,7 @@
         MultivaluedMap<String, String> params = uriInfo.getQueryParameters();
         String service = params.getFirst(CASLoginProtocol.SERVICE_PARAM);
         String ticket = params.getFirst(CASLoginProtocol.TICKET_PARAM);
-        boolean renew = "true".equalsIgnoreCase(params.getFirst(CASLoginProtocol.RENEW_PARAM));
+        boolean renew = params.containsKey(CASLoginProtocol.RENEW_PARAM);
 
         event.event(EventType.CODE_TO_TOKEN);
 
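Review bot: The new `renew` line tests only for the parameter's presence, so `renew=false` (or any other value) now forces the re-authentication requirement, where the removed line required the literal value `true`. The CAS protocol describes `renew` on the validation endpoints as a presence-only flag, so the change is defensible, but that intent is invisible at the call site and a later maintainer may "fix" it back; a comment such as `// CAS treats renew as a flag: presence alone, regardless of value, demands a non-SSO authentication` would make it explicit. The enclosing method starts before and continues after this hunk.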
@@ -152,8 +152,14 @@
             throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code is expired", Response.Status.BAD_REQUEST);
         }
 
+        clientSession.setNote(CASLoginProtocol.SESSION_SERVICE_TICKET, ticket);
         parseResult.getCode().setAction(null);
 
+        if (requireReauth && AuthenticationManager.isSSOAuthentication(clientSession)) {
+            event.error(Errors.SESSION_EXPIRED);
+            throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Interactive authentication was requested but not performed", Response.Status.BAD_REQUEST);
+        }
+
         UserSessionModel userSession = clientSession.getUserSession();
 
         if (userSession == null) {
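Review bot: `clientSession.setNote(CASLoginProtocol.SESSION_SERVICE_TICKET, ticket);` runs before the new renew check, so a validation that fails with `Interactive authentication was requested but not performed` still leaves the service ticket recorded on the client session. Unless that error path discards the session (not visible here), moving the `setNote` call to just below the `if (requireReauth && ...)` block keeps the note meaning "this ticket passed validation". Clearing the code action before the check is the right order, since it stops a failed renew validation from being retried with the same ticket. `requireReauth` and the enclosing method are declared outside the hunk.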

--
Gitblit v1.9.1