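<!--
    CAS login webflow definition, written against the Spring Web Flow 2.0 schema.
    The namespace and schema URIs below carry their full host names; a URI with
    an empty host ("http://www./...") does not identify the Web Flow vocabulary.
    xsi:schemaLocation is only a hint to the validator: resolve the XSD from a
    local copy rather than letting the parser fetch it over the network.
-->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">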
<!--
    Flow variable holding the submitted login data. It is the model of the
    "viewLoginForm" view-state and is passed to authenticationViaFormAction as
    flowScope.credentials.
    NOTE(review): the object carries the submitted password for as long as it
    stays in flow scope; confirm how flow executions are stored in this
    deployment.
-->
<var name="credentials"
     class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials"/>
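<!--
    Runs once when the flow starts. The attribute name "expression" is required
    on <evaluate>; without it the element is not well-formed XML.
    Later states read flowScope.ticketGrantingTicketId, flowScope.service and
    flowScope.warnCookieValue; presumably this action populates them (confirm
    in the initialFlowSetupAction bean).
-->
<on-start>
    <evaluate expression="initialFlowSetupAction"/>
</on-start>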
<!--
    First decision of the flow: a request that already has a ticket-granting
    ticket id in flow scope continues to "hasServiceCheck"; a request without
    one continues to "gatewayRequestCheck".
-->
<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId != null"
        then="hasServiceCheck"
        else="gatewayRequestCheck"/>
</decision-state>
<!--
    Reached only when no ticket-granting ticket id is present. A non-empty
    "gateway" request parameter together with a non-null service sends the
    request to "gatewayServicesManagementCheck"; everything else goes to
    "serviceAuthorizationCheck" and from there to the login form.
    "gateway" is supplied by the caller, so the decision to skip the login
    form is request-controlled; the service itself is still examined by
    gatewayServicesManagementCheck before the redirect.
-->
<decision-state id="gatewayRequestCheck">
    <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null"
        then="gatewayServicesManagementCheck"
        else="serviceAuthorizationCheck"/>
</decision-state>
<!--
    Existing SSO session: with a target service continue to "renewRequestCheck",
    without one show the generic "already logged in" view.
-->
<decision-state id="hasServiceCheck">
    <if test="flowScope.service != null"
        then="renewRequestCheck"
        else="viewGenericLoginSuccess"/>
</decision-state>
<!--
    Honours the "renew" request parameter. Any non-empty value (the test only
    checks for presence, not for "true") sends the user through
    "serviceAuthorizationCheck" to the login form even though a ticket-granting
    ticket exists; otherwise a service ticket is issued from the existing
    session via "generateServiceTicket".
-->
<decision-state id="renewRequestCheck">
    <if test="requestParameters.renew != '' and requestParameters.renew != null"
        then="serviceAuthorizationCheck"
        else="generateServiceTicket"/>
</decision-state>
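<!--
    Do a service authorization check early, before the user is asked to log in.
    The attribute name "expression" is required on <evaluate>.
    The only transition is unconditional, so whatever event the action returns
    leads to "generateLoginTicket". A rejected service presumably surfaces as
    one of the exceptions mapped in <global-transitions> (confirm in the
    serviceAuthorizationCheck bean).
-->
<action-state id="serviceAuthorizationCheck">
    <evaluate expression="serviceAuthorizationCheck"/>
    <transition to="generateLoginTicket"/>
</action-state>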
<!--
    The "warn" decision determines whether to redirect straight to the
    requested service or to display the confirmation page first. It is driven
    by flowScope.warnCookieValue: a true value selects "showWarningView",
    anything else selects "redirect".
-->
<decision-state id="warn">
    <if test="flowScope.warnCookieValue"
        then="showWarningView"
        else="redirect"/>
</decision-state>
<!--
<action-state id="startAuthenticate">
<action bean="x509Check" />
<transition on="success" to="sendTicketGrantingTicket" />
<transition on="warn" to="warn" />
<transition on="error" to="generateLoginTicket" />
</action-state>
-->
<!--
LPPE transitions begin here: You will also need to
move over the 'lppe-configuration.xml' file from the
'unused-spring-configuration' folder to the 'spring-configuration' folder
so CAS can pick up the definition for the bean 'passwordPolicyAction'.
-->
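<!--
    LPPE entry point: evaluates the passwordPolicyAction bean and branches on
    the event it returns. The attribute name "expression" is required on
    <evaluate>.
    NOTE(review): other error paths in this flow go to "generateLoginTicket"
    before the form is shown, whereas the "error" transition here goes to
    "viewLoginForm" directly; confirm the form still gets a fresh login ticket
    on this path.
-->
<action-state id="passwordPolicyCheck">
    <evaluate expression="passwordPolicyAction"/>
    <transition on="showWarning" to="passwordServiceCheck"/>
    <transition on="success" to="sendTicketGrantingTicket"/>
    <transition on="error" to="viewLoginForm"/>
</action-state>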
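<!--
    Password-warning path: runs sendTicketGrantingTicketAction (the same bean
    used by the "sendTicketGrantingTicket" state) and then always continues to
    "passwordPostCheck". The attribute name "expression" is required on
    <evaluate>.
-->
<action-state id="passwordServiceCheck">
    <evaluate expression="sendTicketGrantingTicketAction"/>
    <transition to="passwordPostCheck"/>
</action-state>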
<!--
    After the password warning has been raised: with a target service issue a
    service ticket first ("warnPassRedirect"), without one go straight to the
    warning view.
-->
<decision-state id="passwordPostCheck">
    <if test="flowScope.service != null"
        then="warnPassRedirect"
        else="pwdWarningPostView"/>
</decision-state>
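<!--
    Issues a service ticket on the password-warning path, then shows the
    warning view. Mirrors "generateServiceTicket" except that "success" leads
    to "pwdWarningPostView" instead of "warn". The attribute name "expression"
    is required on <evaluate>.
-->
<action-state id="warnPassRedirect">
    <evaluate expression="generateServiceTicketAction"/>
    <transition on="success" to="pwdWarningPostView"/>
    <transition on="error" to="generateLoginTicket"/>
    <transition on="gateway" to="gatewayServicesManagementCheck"/>
</action-state>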
<!--
    Shared parent for the password-policy end states that name it in their
    "parent" attribute. On entry it copies the URL returned by
    passwordPolicyAction.getPasswordPolicyUrl() into flowScope.passwordPolicyUrl.
    NOTE(review): the value presumably ends up as a link in the rendered view;
    confirm it comes from server-side configuration and is escaped on output.
-->
<end-state id="pwdWarningAbstractView">
    <on-entry>
        <set name="flowScope.passwordPolicyUrl"
             value="passwordPolicyAction.getPasswordPolicyUrl()"/>
    </on-entry>
</end-state>
<!--
    Password-policy end states that reference "pwdWarningAbstractView" as their
    parent: password about to expire, password expired, password must be
    changed.
-->
<end-state id="pwdWarningPostView"
           view="casWarnPassView"
           parent="#pwdWarningAbstractView"/>
<end-state id="casExpiredPassView"
           view="casExpiredPassView"
           parent="#pwdWarningAbstractView"/>
<end-state id="casMustChangePassView"
           view="casMustChangePassView"
           parent="#pwdWarningAbstractView"/>
<!--
    Terminal views for the account-state events raised by "realSubmit":
    disabled, locked, outside permitted hours, wrong workstation. These do not
    reference the password-policy parent state.
-->
<end-state id="casAccountDisabledView" view="casAccountDisabledView"/>
<end-state id="casAccountLockedView" view="casAccountLockedView"/>
<end-state id="casBadHoursView" view="casBadHoursView"/>
<end-state id="casBadWorkstationView" view="casBadWorkstationView"/>
<!-- LPPE transitions end here... -->
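<!--
    Calls generateLoginTicketAction.generate(...) and, on the "generated"
    event, shows the login form. The attribute name "expression" is required
    on <evaluate>.
    Most failure paths in this flow route back through this state rather than
    to "viewLoginForm" directly, so each re-rendered form follows a new call to
    generate(). Presumably the ticket ties a form submission to a rendered
    form; confirm in the action.
-->
<action-state id="generateLoginTicket">
    <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)"/>
    <transition on="generated" to="viewLoginForm"/>
</action-state>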
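<!--
    Login form, backed by the "credentials" flow variable.
    The attribute name "expression" is required on <evaluate>.
    The explicit <binder> limits request-to-model binding to "username" and
    "password"; keep the list this narrow so no other property of the
    credentials object can be set from request parameters.
-->
<view-state id="viewLoginForm" view="casLoginView" model="credentials">
    <binder>
        <binding property="username"/>
        <binding property="password"/>
    </binder>
    <on-entry>
        <!-- The value is a quoted literal: the string 'credentials', not the object. -->
        <set name="viewScope.commandName" value="'credentials'"/>
    </on-entry>
    <!-- Bind and validate the model, run doBind(...), then continue to "realSubmit". -->
    <transition on="submit" bind="true" validate="true" to="realSubmit">
        <evaluate expression="authenticationViaFormAction.doBind(flowRequestContext, flowScope.credentials)"/>
    </transition>
</view-state>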
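<!--
    Performs the actual authentication attempt and branches on the event
    returned by authenticationViaFormAction.submit(...). The attribute name
    "expression" is required on <evaluate>.
    Every event the action can return needs a transition here; the account
    state events end in dedicated views, "error" goes back through
    "generateLoginTicket" to the form.
-->
<action-state id="realSubmit">
    <evaluate expression="authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext)"/>
    <!--
        To enable LPPE on 'warn', replace the transition below with:
        <transition on="warn" to="passwordPolicyCheck" />
        CAS will attempt to transition to 'warn' when there is a 'renew'
        parameter and both a ticketGrantingId and a service exist for the
        incoming request.
    -->
    <transition on="warn" to="warn"/>
    <!--
        To enable LPPE on 'success', replace the transition below with:
        <transition on="success" to="passwordPolicyCheck" />
    -->
    <transition on="success" to="sendTicketGrantingTicket"/>
    <transition on="error" to="generateLoginTicket"/>
    <transition on="accountDisabled" to="casAccountDisabledView"/>
    <transition on="mustChangePassword" to="casMustChangePassView"/>
    <transition on="accountLocked" to="casAccountLockedView"/>
    <transition on="badHours" to="casBadHoursView"/>
    <transition on="badWorkstation" to="casBadWorkstationView"/>
    <transition on="passwordExpired" to="casExpiredPassView"/>
</action-state>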
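<!--
    Runs sendTicketGrantingTicketAction after a successful login and then
    always continues to "serviceCheck". The attribute name "expression" is
    required on <evaluate>.
    NOTE(review): presumably this is where the ticket-granting ticket is handed
    to the browser; the cookie attributes are not set in this file and should
    be checked in the bean's configuration.
-->
<action-state id="sendTicketGrantingTicket">
    <evaluate expression="sendTicketGrantingTicketAction"/>
    <transition to="serviceCheck"/>
</action-state>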
<!--
    After login: with a target service issue a service ticket, without one show
    the generic success view.
-->
<decision-state id="serviceCheck">
    <if test="flowScope.service != null"
        then="generateServiceTicket"
        else="viewGenericLoginSuccess"/>
</decision-state>
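<!--
    Issues a service ticket for flowScope.service. The attribute name
    "expression" is required on <evaluate>.
    NOTE(review): the SSO path (ticketGrantingTicketExistsCheck, hasServiceCheck,
    renewRequestCheck, then this state) does not pass through
    "serviceAuthorizationCheck" in this flow, so on that path the decision
    whether the service may receive a ticket has to be made inside
    generateServiceTicketAction; confirm that it is.
-->
<action-state id="generateServiceTicket">
    <evaluate expression="generateServiceTicketAction"/>
    <transition on="success" to="warn"/>
    <transition on="error" to="generateLoginTicket"/>
    <transition on="gateway" to="gatewayServicesManagementCheck"/>
</action-state>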
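<!--
    Gateway path: evaluates the gatewayServicesManagementCheck bean before the
    user is sent back to the service. The attribute name "expression" is
    required on <evaluate>.
    Only "success" has a transition; any other outcome has to be raised as an
    exception to be handled (see the exception mappings in
    <global-transitions>).
-->
<action-state id="gatewayServicesManagementCheck">
    <evaluate expression="gatewayServicesManagementCheck"/>
    <transition on="success" to="redirect"/>
</action-state>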
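<!--
    Asks the service object to build its response for the service ticket held
    in requestScope.serviceTicketId and stores the result, typed as
    org.jasig.cas.authentication.principal.Response, in requestScope.response.
    The attribute name "expression" is required on <evaluate>.
    The response built here decides where the browser, and with it the ticket,
    is sent in "postView" / "redirectView".
-->
<action-state id="redirect">
    <evaluate expression="flowScope.service.getResponse(requestScope.serviceTicketId)"
              result-type="org.jasig.cas.authentication.principal.Response"
              result="requestScope.response"/>
    <transition to="postRedirectDecision"/>
</action-state>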
<!--
    Chooses how the response is delivered to the service: a response whose type
    name is 'POST' is rendered by "postView", every other type is sent as an
    HTTP redirect by "redirectView".
-->
<decision-state id="postRedirectDecision">
    <if test="requestScope.response.responseType.name() == 'POST'"
        then="postView"
        else="redirectView"/>
</decision-state>
<!--
    "viewGenericLoginSuccess" is the end state for a user who logs in without
    coming from a service. Only the single sign-on session has been
    initialized; no service ticket is issued.
-->
<end-state id="viewGenericLoginSuccess" view="casLoginGenericSuccessView"/>
<!--
    "showWarningView" is the end state used when the user has asked to be
    warned before being sent to a service (the privacy setting). It delegates
    to a view defined in default_views.properties that displays the
    "Please click here to go to the service." message.
-->
<end-state id="showWarningView" view="casLoginConfirmView"/>
<!--
    POST delivery of the response. On entry the response attributes are exposed
    as requestScope.parameters and the service id as requestScope.originalUrl
    for the "postResponseView" view.
    NOTE(review): both values originate from the requested service; the view
    should escape them when writing them into the page (verify in the view
    template).
-->
<end-state id="postView" view="postResponseView">
    <on-entry>
        <set name="requestScope.parameters" value="requestScope.response.attributes"/>
        <set name="requestScope.originalUrl" value="flowScope.service.id"/>
    </on-entry>
</end-state>
<!--
    The "redirectView" end state lets CAS end the workflow properly while still
    redirecting the user back to the required service.
    The redirect target is requestScope.response.url, which is built from the
    requested service in the "redirect" state. Nothing in this state limits
    where that URL points; the limit has to come from the service checks
    performed earlier in the flow.
-->
<end-state id="redirectView" view="externalRedirect:${requestScope.response.url}"/>
<!--
    Error end states. "viewServiceErrorView" is the target of two exception
    mappings in <global-transitions>; "viewServiceSsoErrorView" is not
    referenced by any transition in this flow definition.
-->
<end-state id="viewServiceErrorView" view="viewServiceErrorView"/>
<end-state id="viewServiceSsoErrorView" view="viewServiceSsoErrorView"/>
<!--
    Exception handling shared by every state of the flow, followed by the end
    of the flow definition.
-->
<global-transitions>
    <!--
        CAS-1023: when the 'ssoEnabled' flag of a service is unchecked, go to
        the login page (same as renew) instead of showing an intermediate
        unauthorized view with a link to the login page.
        NOTE(review): this goes to "viewLoginForm" directly, not through
        "generateLoginTicket"; confirm the form has a usable login ticket here.
    -->
    <transition to="viewLoginForm"
                on-exception="org.jasig.cas.services.UnauthorizedSsoServiceException"/>
    <!-- An unknown or expired flow execution ends in the service error view. -->
    <transition to="viewServiceErrorView"
                on-exception="org.springframework.webflow.execution.repository.NoSuchFlowExecutionException"/>
    <!-- A service that is not authorized ends in the service error view; no redirect is issued. -->
    <transition to="viewServiceErrorView"
                on-exception="org.jasig.cas.services.UnauthorizedServiceException"/>
</global-transitions>
</flow>