gunark-rubycas-client 2.0.99

data/lib/casclient/frameworks/merb/strategy.rb

@@ -0,0 +1,110 @@
+# The 'cas' strategy attempts to login users based on the CAS protocol 
+# http://www.ja-sig.org/products/cas/overview/background/index.html
+# 
+# install the rubycas-client gem
+# http://rubyforge.org/projects/rubycas-client/
+#
+require 'casclient'
+class Merb::Authentication
+  module Strategies
+    class CAS < Merb::Authentication::Strategy
+
+      include CASClient
+
+      def run!
+        @client ||= Client.new(config)
+
+        service_ticket = read_ticket
+
+        cas_login_url = @client.add_service_to_login_url(service_url)
+
+        last_service_ticket = session[:cas_last_valid_ticket]
+        if (service_ticket && last_service_ticket && 
+            last_service_ticket.ticket == service_ticket.ticket && 
+            last_service_ticket.service == service_ticket.service)
+
+          # warn() rather than info() because we really shouldn't be re-validating the same ticket. 
+          # The only time when this is acceptable is if the user manually does a refresh and the ticket
+          # happens to be in the URL.
+          log.warn("Reusing previously validated ticket since the new ticket and service are the same.")
+          service_ticket = last_service_ticket
+        elsif last_service_ticket &&
+          !config[:authenticate_on_every_request] && 
+          session[@client.username_session_key]
+          # Re-use the previous ticket if the user already has a local CAS session (i.e. if they were already
+          # previously authenticated for this service). This is to prevent redirection to the CAS server on every
+          # request.
+          # This behaviour can be disabled (so that every request is routed through the CAS server) by setting
+          # the :authenticate_on_every_request config option to false. 
+          log.debug "Existing local CAS session detected for #{session[@client.username_session_key].inspect}. "+
+                  "Previous ticket #{last_service_ticket.ticket.inspect} will be re-used."
+                  service_ticket = last_service_ticket
+        end
+
+        if service_ticket
+          @client.validate_service_ticket(service_ticket) unless service_ticket.has_been_validated?
+          validation_response = service_ticket.response
+
+          if service_ticket.is_valid?
+            log.info("Ticket #{service_ticket.inspect} for service #{service_ticket.service.inspect} " + 
+                    "belonging to user #{validation_response.user.inspect} is VALID.")
+
+            session[@client.username_session_key] = validation_response.user
+            session[@client.extra_attributes_session_key] = validation_response.extra_attributes
+
+            # Store the ticket in the session to avoid re-validating the same service
+            # ticket with the CAS server.
+            session[:cas_last_valid_ticket] = service_ticket
+            return true
+          else  
+            log.warn("Ticket #{service_ticket.ticket.inspect} failed validation -- " + 
+                    "#{validation_response.failure_code}: #{validation_response.failure_message}")
+            redirect!(cas_login_url)
+            return false
+          end
+        else
+          log.warn("No ticket -- redirecting to #{cas_login_url}")
+          redirect!(cas_login_url)
+          return false
+        end
+      end
+
+      def read_ticket
+        ticket = request.params[:ticket]
+
+        return nil unless ticket
+
+        log.debug("Request contains ticket #{ticket.inspect}.")
+
+        if ticket =~ /^PT-/
+          ProxyTicket.new(ticket, service_url, request.params[:renew])
+        else
+          ServiceTicket.new(ticket, service_url, request.params[:renew])
+        end
+      end
+
+      def service_url
+        if config[:service_url]
+          log.debug("Using explicitly set service url: #{config[:service_url]}")
+          return config[:service_url]
+        end
+
+        params = request.params.dup
+        params.delete(:ticket)
+        service_url = "#{request.protocol}://#{request.host}" + request.path
+        log.debug("Guessed service url: #{service_url.inspect}")
+        return service_url
+      end
+
+      def config
+        ::Merb::Plugins.config[:"rubycas-client"]
+      end
+
+      def log
+        ::Merb.logger
+      end
+
+    end # CAS
+  end # Strategies
+end
+

data/lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb

@@ -0,0 +1,76 @@
+require 'pstore'
+
+# Rails controller that responds to proxy generating ticket callbacks from the CAS server and allows
+# for retrieval of those PGTs.
+class CasProxyCallbackController < ActionController::Base
+
+  # Receives a proxy granting ticket from the CAS server and stores it in the database.
+  # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole.
+  # In fact, the JA-SIG implementation of the CAS server will refuse to send PGTs to non-https URLs.
+  def receive_pgt
+	#FIXME: these checks don't work because REMOTE_HOST doesn't work consistently under all web servers (for example it doesn't work at all under mongrel)
+	#				... need to find a reliable way to check if the request came through from a reverse HTTPS proxy -- until then I'm disabling this check
+    #render_error "PGTs can be received only via HTTPS or local connections." and return unless
+    #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+
+    pgtIou = params['pgtIou']
+    
+    # CAS Protocol spec says that the argument should be called 'pgt', but the JA-SIG CAS server seems to use pgtId.
+    # To accomodate this, we check for both parameters, although 'pgt' takes precedence over 'pgtId'.
+    pgtId = params['pgt'] || params['pgtId']
+    
+    # We need to render a response with HTTP status code 200 when no pgtIou/pgtId is specified because CAS seems first
+    # call the action without any parameters (maybe to check if the server responds correctly)
+    render :text => "Okay, the server is up, but please specify a pgtIou and pgtId." and return unless pgtIou and pgtId
+    
+    # TODO: pstore contents should probably be encrypted...
+    pstore = open_pstore
+    
+    pstore.transaction do
+      pstore[pgtIou] = pgtId
+    end
+    
+    render :text => "PGT received. Thank you!" and return
+  end
+  
+  # Retreives a proxy granting ticket, sends it to output, and deletes the pgt from session storage.
+  # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole --
+  # in fact, the action will not work if the request is not made via SSL or is not local (we allow for local
+  # non-SSL requests since this allows for the use of reverse HTTPS proxies like Pound).
+  def retrieve_pgt
+    #render_error "You can only retrieve PGTs via HTTPS or local connections." and return unless
+    #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+    
+    pgtIou = params['pgtIou']
+    
+    render_error "No pgtIou specified. Cannot retreive the pgtId." and return unless pgtIou
+  
+    pstore = open_pstore
+  
+    pgt = nil
+    pstore.transaction do
+      pgt = pstore[pgtIou]
+    end
+    
+    if not pgt
+      render_error "Invalid pgtIou specified. Perhaps this pgt has already been retrieved?" and return
+    end
+    
+    render :text => pgt
+    
+    # TODO: need to periodically clean the storage, otherwise it will just keep growing
+    pstore.transaction do
+      pstore.delete pgtIou
+    end
+  end
+  
+  private
+    def render_error(msg)
+      # Note that the error messages are mostly just for debugging, since the CAS server never reads them.
+      render :text => msg, :status => 500
+    end
+    
+    def open_pstore
+      PStore.new("#{RAILS_ROOT}/tmp/cas_pgt.pstore")
+    end
+end

data/lib/casclient/frameworks/rails/filter.rb

@@ -0,0 +1,313 @@
+module CASClient
+  module Frameworks
+    module Rails
+      class Filter
+        cattr_reader :config, :log, :client
+        
+        # These are initialized when you call configure.
+        @@config = nil
+        @@client = nil
+        @@log = nil
+        
+        class << self
+          def filter(controller)
+            raise "Cannot use the CASClient filter because it has not yet been configured." if config.nil?
+            
+            last_st = controller.session[:cas_last_valid_ticket]
+            
+            if single_sign_out(controller)
+              controller.send(:render, :text => "CAS Single-Sign-Out request intercepted.")
+              return false 
+            end
+
+            st = read_ticket(controller)
+            
+            is_new_session = true
+            
+            if st && last_st && 
+                last_st.ticket == st.ticket && 
+                last_st.service == st.service
+              # warn() rather than info() because we really shouldn't be re-validating the same ticket. 
+              # The only situation where this is acceptable is if the user manually does a refresh and 
+              # the same ticket happens to be in the URL.
+              log.warn("Re-using previously validated ticket since the ticket id and service are the same.")
+              st = last_st
+              is_new_session = false
+            elsif last_st &&
+                !config[:authenticate_on_every_request] && 
+                controller.session[client.username_session_key]
+              # Re-use the previous ticket if the user already has a local CAS session (i.e. if they were already
+              # previously authenticated for this service). This is to prevent redirection to the CAS server on every
+              # request.
+              # This behaviour can be disabled (so that every request is routed through the CAS server) by setting
+              # the :authenticate_on_every_request config option to false.
+              log.debug "Existing local CAS session detected for #{controller.session[client.username_session_key].inspect}. "+
+                "Previous ticket #{last_st.ticket.inspect} will be re-used."
+              st = last_st
+              is_new_session = false
+            end
+            
+            if st
+              client.validate_service_ticket(st) unless st.has_been_validated?
+              vr = st.response
+              
+              if st.is_valid?
+                if is_new_session
+                  log.info("Ticket #{st.ticket.inspect} for service #{st.service.inspect} belonging to user #{vr.user.inspect} is VALID.")
+                  controller.session[client.username_session_key] = vr.user.dup
+                  controller.session[client.extra_attributes_session_key] = HashWithIndifferentAccess.new(vr.extra_attributes.dup)
+                  
+                  if vr.extra_attributes
+                    log.debug("Extra user attributes provided along with ticket #{st.ticket.inspect}: #{vr.extra_attributes.inspect}.")
+                  end
+                  
+                  # RubyCAS-Client 1.x used :casfilteruser as it's username session key,
+                  # so we need to set this here to ensure compatibility with configurations
+                  # built around the old client.
+                  controller.session[:casfilteruser] = vr.user
+                  
+                  f = store_service_session_lookup(st, controller.session.session_id)
+                  log.debug("Wrote service session lookup file to #{f.inspect} with session id #{controller.session.session_id.inspect}.")
+                end
+              
+                # Store the ticket in the session to avoid re-validating the same service
+                # ticket with the CAS server.
+                controller.session[:cas_last_valid_ticket] = st
+                
+                if vr.pgt_iou
+                  unless controller.session[:cas_pgt] && controller.session[:cas_pgt].ticket && controller.session[:cas_pgt].iou == vr.pgt_iou
+                    log.info("Receipt has a proxy-granting ticket IOU. Attempting to retrieve the proxy-granting ticket...")
+                    pgt = client.retrieve_proxy_granting_ticket(vr.pgt_iou)
+
+                    if pgt
+                      log.debug("Got PGT #{pgt.ticket.inspect} for PGT IOU #{pgt.iou.inspect}. This will be stored in the session.")
+                      controller.session[:cas_pgt] = pgt
+                      # For backwards compatibility with RubyCAS-Client 1.x configurations...
+                      controller.session[:casfilterpgt] = pgt
+                    else
+                      log.error("Failed to retrieve a PGT for PGT IOU #{vr.pgt_iou}!")
+                    end
+                  else
+                    log.info("PGT is present in session and PGT IOU #{vr.pgt_iou} matches the saved PGT IOU.  Not retrieving new PGT.")
+                  end
+
+                end
+                
+                return true
+              else
+                log.warn("Ticket #{st.ticket.inspect} failed validation -- #{vr.failure_code}: #{vr.failure_message}")
+                redirect_to_cas_for_authentication(controller)
+                return false
+              end
+            else
+              if returning_from_gateway?(controller)
+                log.info "Returning from CAS gateway without authentication."
+                
+                if use_gatewaying?
+                  log.info "This CAS client is configured to use gatewaying, so we will permit the user to continue without authentication."
+                  return true
+                else
+                  log.warn "The CAS client is NOT configured to allow gatewaying, yet this request was gatewayed. Something is not right!"
+                end
+              end
+              
+              redirect_to_cas_for_authentication(controller)
+              return false
+            end
+          end
+          
+          def configure(config)
+            @@config = config
+            @@config[:logger] = RAILS_DEFAULT_LOGGER unless @@config[:logger]
+            @@client = CASClient::Client.new(config)
+            @@log = client.log
+          end
+          
+          def use_gatewaying?
+            @@config[:use_gatewaying]
+          end
+          
+          # Clears the given controller's local Rails session, does some local 
+          # CAS cleanup, and redirects to the CAS logout page. Additionally, the
+          # <tt>request.referer</tt> value from the <tt>controller</tt> instance 
+          # is passed to the CAS server as a 'destination' parameter. This 
+          # allows RubyCAS server to provide a follow-up login page allowing
+          # the user to log back in to the service they just logged out from 
+          # using a different username and password. Other CAS server 
+          # implemenations may use this 'destination' parameter in different 
+          # ways. 
+          # If given, the optional <tt>service</tt> URL overrides 
+          # <tt>request.referer</tt>.
+          def logout(controller, service = nil)
+            referer = service || controller.request.referer
+            st = controller.session[:cas_last_valid_ticket]
+            delete_service_session_lookup(st) if st
+            controller.send(:reset_session)
+            controller.send(:redirect_to, client.logout_url(referer))
+          end
+          
+          def redirect_to_cas_for_authentication(controller)
+            service_url = read_service_url(controller)
+            redirect_url = client.add_service_to_login_url(service_url)
+            
+            if use_gatewaying?
+              controller.session[:cas_sent_to_gateway] = true
+              redirect_url << "&gateway=true"
+            else
+              controller.session[:cas_sent_to_gateway] = false
+            end
+            
+            if controller.session[:previous_redirect_to_cas] &&
+                controller.session[:previous_redirect_to_cas] > (Time.now - 1.second)
+              log.warn("Previous redirect to the CAS server was less than a second ago. The client at #{controller.request.remote_ip.inspect} may be stuck in a redirection loop!")
+              controller.session[:cas_validation_retry_count] ||= 0
+              
+              if controller.session[:cas_validation_retry_count] > 3
+                log.error("Redirection loop intercepted. Client at #{controller.request.remote_ip.inspect} will be redirected back to login page and forced to renew authentication.")
+                redirect_url += "&renew=1&redirection_loop_intercepted=1"
+              end
+              
+              controller.session[:cas_validation_retry_count] += 1
+            else
+              controller.session[:cas_validation_retry_count] = 0
+            end
+            controller.session[:previous_redirect_to_cas] = Time.now
+            
+            log.debug("Redirecting to #{redirect_url.inspect}")
+            controller.send(:redirect_to, redirect_url)
+          end
+          
+          private
+          def single_sign_out(controller)
+            
+            # Avoid calling raw_post (which may consume the post body) if
+            # this seems to be a file upload
+            if content_type = controller.request.headers["CONTENT_TYPE"] &&
+                content_type =~ %r{^multipart/}
+              return false
+            end
+            
+            if controller.request.post? &&
+                controller.params['logoutRequest'] &&
+                controller.params['logoutRequest'] =~
+                  %r{^<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)</samlp:SessionIndex>}m
+              # TODO: Maybe check that the request came from the registered CAS server? Although this might be
+              #       pointless since it's easily spoofable...
+              si = $~[1]
+              log.debug "Intercepted single-sign-out request for CAS session #{si.inspect}."
+              
+              required_sess_store = CGI::Session::ActiveRecordStore
+              current_sess_store  = ActionController::Base.session_options[:database_manager]
+              
+              if current_sess_store == required_sess_store
+                session_id = read_service_session_lookup(si)
+                
+                if session_id
+                  session = CGI::Session::ActiveRecordStore::Session.find_by_session_id(session_id)
+                  if session
+                    session.destroy
+                    log.debug("Destroyed #{session.inspect} for session #{session_id.inspect} corresponding to service ticket #{si.inspect}.")
+                  else
+                    log.debug("Data for session #{session_id.inspect} was not found. It may have already been cleared by a local CAS logout request.")
+                  end
+                  
+                  log.info("Single-sign-out for session #{session_id.inspect} completed successfuly.")
+                else
+                  log.warn("Couldn't destroy session with SessionIndex #{si} because no corresponding session id could be looked up.")
+                end
+              else
+                log.error "Cannot process logout request because this Rails application's session store is "+
+                  " #{current_sess_store.name.inspect}. Single Sign-Out only works with the "+
+                  " #{required_sess_store.name.inspect} session store."
+              end
+              
+              # Return true to indicate that a single-sign-out request was detected
+              # and that further processing of the request is unnecessary.
+              return true
+            end
+            
+            # This is not a single-sign-out request.
+            return false
+          end
+          
+          def read_ticket(controller)
+            ticket = controller.params[:ticket]
+            
+            return nil unless ticket
+            
+            log.debug("Request contains ticket #{ticket.inspect}.")
+            
+            if ticket =~ /^PT-/
+              ProxyTicket.new(ticket, read_service_url(controller), controller.params[:renew])
+            else
+              ServiceTicket.new(ticket, read_service_url(controller), controller.params[:renew])
+            end
+          end
+          
+          def returning_from_gateway?(controller)
+            controller.session[:cas_sent_to_gateway]
+          end
+          
+          def read_service_url(controller)
+            if config[:service_url]
+              log.debug("Using explicitly set service url: #{config[:service_url]}")
+              return config[:service_url]
+            end
+            
+            params = controller.params.dup
+            params.delete(:ticket)
+            service_url = controller.url_for(params)
+            log.debug("Guessed service url: #{service_url.inspect}")
+            return service_url
+          end
+          
+          # Creates a file in tmp/sessions linking a SessionTicket
+          # with the local Rails session id. The file is named
+          # cas_sess.<session ticket> and its text contents is the corresponding 
+          # Rails session id.
+          # Returns the filename of the lookup file created.
+          def store_service_session_lookup(st, sid)
+            st = st.ticket if st.kind_of? ServiceTicket
+            f = File.new(filename_of_service_session_lookup(st), 'w')
+            f.write(sid)
+            f.close
+            return filename_of_service_session_lookup(st)
+          end
+          
+          # Returns the local Rails session ID corresponding to the given
+          # ServiceTicket. This is done by reading the contents of the
+          # cas_sess.<session ticket> file created in a prior call to 
+          # #store_service_session_lookup.
+          def read_service_session_lookup(st)
+            st = st.ticket if st.kind_of? ServiceTicket
+            ssl_filename = filename_of_service_session_lookup(st)
+            return File.exists?(ssl_filename) && IO.read(ssl_filename)
+          end
+          
+          # Removes a stored relationship between a ServiceTicket and a local
+          # Rails session id. This should be called when the session is being
+          # closed.
+          #
+          # See #store_service_session_lookup.
+          def delete_service_session_lookup(st)
+            st = st.ticket if st.kind_of? ServiceTicket
+            ssl_filename = filename_of_service_session_lookup(st)
+            File.delete(ssl_filename) if File.exists?(ssl_filename)
+          end
+          
+          # Returns the path and filename of the service session lookup file.
+          def filename_of_service_session_lookup(st)
+            st = st.ticket if st.kind_of? ServiceTicket
+            return "#{RAILS_ROOT}/tmp/sessions/cas_sess.#{st}"
+          end
+        end
+      end
+    
+      class GatewayFilter < Filter
+        def self.use_gatewaying?
+          return true unless @@config[:use_gatewaying] == false
+        end
+      end
+    end
+  end
+end

data/lib/casclient/responses.rb

@@ -0,0 +1,185 @@
+module CASClient
+  module XmlResponse
+    attr_reader :xml, :parse_datetime
+    attr_reader :failure_code, :failure_message
+    
+    def check_and_parse_xml(raw_xml)
+      begin
+        doc = REXML::Document.new(raw_xml)
+      rescue REXML::ParseException => e
+        raise BadResponseException, 
+          "MALFORMED CAS RESPONSE:\n#{raw_xml.inspect}\n\nEXCEPTION:\n#{e}"
+      end
+      
+      unless doc.elements && doc.elements["cas:serviceResponse"]
+        raise BadResponseException, 
+          "This does not appear to be a valid CAS response (missing cas:serviceResponse root element)!\nXML DOC:\n#{doc.to_s}"
+      end
+      
+      return doc.elements["cas:serviceResponse"].elements[1]
+    end
+    
+    def to_s
+      xml.to_s
+    end
+  end
+  
+  # Represents a response from the CAS server to a 'validate' request
+  # (i.e. after validating a service/proxy ticket).
+  class ValidationResponse
+    include XmlResponse
+    
+    attr_reader :protocol, :user, :pgt_iou, :proxies, :extra_attributes
+    
+    def initialize(raw_text)
+      parse(raw_text)
+    end
+    
+    def parse(raw_text)
+      raise BadResponseException, 
+        "CAS response is empty/blank." if raw_text.blank?
+      @parse_datetime = Time.now
+      
+      if raw_text =~ /^(yes|no)\n(.*?)\n$/m
+        @protocol = 1.0
+        @valid = $~[1] == 'yes'
+        @user = $~[2]
+        return
+      end
+      
+      @xml = check_and_parse_xml(raw_text)
+      
+      # if we got this far then we've got a valid XML response, so we're doing CAS 2.0
+      @protocol = 2.0
+      
+      if is_success?
+        @user = @xml.elements["cas:user"].text.strip if @xml.elements["cas:user"]
+        @pgt_iou =  @xml.elements["cas:proxyGrantingTicket"].text.strip if @xml.elements["cas:proxyGrantingTicket"]
+        
+        proxy_els = @xml.elements.to_a('//cas:authenticationSuccess/cas:proxies/cas:proxy')
+        if proxy_els.size > 0
+          @proxies = []
+          proxy_els.each do |el|
+            @proxies << el.text
+          end
+        end
+        
+        @extra_attributes = {}
+        @xml.elements.to_a('//cas:authenticationSuccess/*').each do |el|
+          @extra_attributes.merge!(Hash.from_xml(el.to_s)) unless el.prefix == 'cas'
+        end
+        
+        # unserialize extra attributes
+        @extra_attributes.each do |k, v|
+          @extra_attributes[k] = YAML.load(v)
+        end
+      elsif is_failure?
+        @failure_code = @xml.elements['//cas:authenticationFailure'].attributes['code']
+        @failure_message = @xml.elements['//cas:authenticationFailure'].text.strip
+      else
+        # this should never happen, since the response should already have been recognized as invalid
+        raise BadResponseException, "BAD CAS RESPONSE:\n#{raw_text.inspect}\n\nXML DOC:\n#{doc.inspect}"
+      end
+      
+    end
+    
+    def is_success?
+      @valid == true || (protocol > 1.0 && xml.name == "authenticationSuccess")
+    end
+    
+    def is_failure?
+      @valid == false || (protocol > 1.0 && xml.name == "authenticationFailure" )
+    end
+  end
+  
+  # Represents a response from the CAS server to a proxy ticket request 
+  # (i.e. after requesting a proxy ticket).
+  class ProxyResponse
+    include XmlResponse
+    
+    attr_reader :proxy_ticket
+    
+    def initialize(raw_text)
+      parse(raw_text)
+    end
+    
+    def parse(raw_text)
+      raise BadResponseException, 
+        "CAS response is empty/blank." if raw_text.blank?
+      @parse_datetime = Time.now
+      
+      @xml = check_and_parse_xml(raw_text)
+      
+      if is_success?
+        @proxy_ticket = @xml.elements["cas:proxyTicket"].text.strip if @xml.elements["cas:proxyTicket"]
+      elsif is_failure?
+        @failure_code = @xml.elements['//cas:proxyFailure'].attributes['code']
+        @failure_message = @xml.elements['//cas:proxyFailure'].text.strip
+      else
+        # this should never happen, since the response should already have been recognized as invalid
+        raise BadResponseException, "BAD CAS RESPONSE:\n#{raw_text.inspect}\n\nXML DOC:\n#{doc.inspect}"
+      end
+      
+    end
+    
+    def is_success?
+      xml.name == "proxySuccess"
+    end
+    
+    def is_failure?
+      xml.name == "proxyFailure"
+    end
+  end
+  
+  # Represents a response from the CAS server to a login request 
+  # (i.e. after submitting a username/password).
+  class LoginResponse
+    attr_reader :tgt, :ticket, :service_redirect_url
+    attr_reader :failure_message
+    
+    def initialize(http_response = nil)
+      parse_http_response(http_response) if http_response
+    end
+    
+    def parse_http_response(http_response)
+      header = http_response.to_hash
+      
+      # FIXME: this regexp might be incorrect...
+      if header['set-cookie'] && 
+          header['set-cookie'].first && 
+          header['set-cookie'].first =~ /tgt=([^&]+);/
+        @tgt = $~[1]
+      end
+    
+      location = header['location'].first if header['location'] && header['location'].first
+      if location =~ /ticket=([^&]+)/
+        @ticket = $~[1]
+      end
+      
+      if !http_response.kind_of?(Net::HTTPSuccess) || ticket.blank?
+        @failure = true
+        # Try to extract the error message -- this only works with RubyCAS-Server.
+        # For other servers we just return the entire response body (i.e. the whole error page).
+        body = http_response.body
+        if body =~ /<div class="messagebox mistake">(.*?)<\/div>/m
+          @failure_message = $~[1].strip
+        else
+          @failure_message = body
+        end
+      end
+      
+      @service_redirect_url = location
+    end
+    
+    def is_success?
+      !@failure && !ticket.blank?
+    end
+    
+    def is_failure?
+      @failure == true
+    end
+  end
+  
+  class BadResponseException < CASException
+  end
+end