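  /**
   * Marks this decision authorized when the grant behind {@code tokenGrantInfo} is current,
   * unexpired and scoped to the endpoint the request targets; otherwise {@code isAuthorized}
   * stays {@code false} and an OAuth problem is raised.
   *
   * <p>The access token is a bearer credential, so only the client identifier is written to the
   * log, never the token value itself.
   *
   * @param tokenGrantInfo grant details already looked up for the presented access token
   * @param request the request being authorized; used to resolve the target endpoint
   * @param response may be {@code null}; when present and the token has no refresh token but is
   *     within the expiry-extension threshold, the extended expiry is advertised to the client in
   *     the Authorization response header
   * @throws OAuthProblemException INVALID_TOKEN when the token is expired or superseded,
   *     INVALID_REQUEST when no endpoint matches the request, INSUFFICIENT_SCOPE when none of the
   *     grant's scopes covers the endpoint, SERVER_ERROR on configuration problems
   */
  private void setAuthorization(
      TokenGrantInfo tokenGrantInfo, HttpServletRequest request, HttpServletResponse response)
      throws OAuthProblemException {
    isAuthorized = false;
    checkTokenCurrentAndNotExpired(tokenGrantInfo);
    OAuth2RSEndpoint requestEndpoint = findEndpointForRequest(request);
    if (!grantScopeMatchesRequest(tokenGrantInfo, requestEndpoint)) {
      log.info("Could not find grant scope matching request");
      throw OAuthProblemException.error(OAuthError.ResourceResponse.INSUFFICIENT_SCOPE);
    }
    // Log the client, not the token: log files are rarely protected like credential stores.
    log.info("Verified access token for client " + tokenGrantInfo.getGrantClientIdentifier());
    isAuthorized = true;
    // A client without a refresh token cannot renew on its own, so push its expiry out when the
    // token is within the configured threshold of expiring. Only possible when we can answer.
    boolean extendExpiry =
        !tokenGrantInfo.getHasRefreshToken()
            && tokenCloseToExpiring(tokenGrantInfo)
            && response != null;
    if (!extendExpiry) {
      return;
    }
    log.info("Requesting token expiry time be extended");
    Optional<AccessTokenExpiryInfo> newExpiryInfo =
        authService.extendAccessTokenExpirySeconds(tokenGrantInfo.getAccessToken());
    if (!newExpiryInfo.isPresent()) {
      return;
    }
    String accessTimeRemaining = newExpiryInfo.get().getAccessTokenTimeRemaining();
    Map<String, Object> entries = Maps.newHashMap();
    entries.put(OAuth.OAUTH_EXPIRES_IN, accessTimeRemaining);
    log.info("Token will now expire in " + accessTimeRemaining + " seconds");
    response.setHeader(OAuth.HeaderType.AUTHORIZATION, OAuthUtils.encodeOAuthHeader(entries));
  }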
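  /**
   * Builds a decision for the access token presented with {@code request}: resolves the grant
   * behind the token, derives the client and principal from it, and then runs the authorization
   * checks.
   *
   * <p>The token is a bearer credential and is deliberately kept out of every log line; only the
   * client identifier of a matched grant is logged.
   *
   * @param realm the protection realm; not used by this constructor body (presumably consumed by
   *     the enclosing class — confirm)
   * @param token the raw access token from the request; trimmed before lookup
   * @param request the request being decided; also used to build the default principal when the
   *     token is unknown
   * @param response may be {@code null}; passed through to the authorization step
   * @throws OAuthProblemException INVALID_TOKEN when no grant matches the token, plus any problem
   *     raised by the authorization checks or the auth-service lookup
   */
  public OAuth2RSDecision(
      String realm, String token, HttpServletRequest request, HttpServletResponse response)
      throws OAuthProblemException {
    token = trimAccessToken(token);
    log.info("Processing decision on presented access token");
    authService = getAuthService();
    Optional<TokenGrantInfo> tokenGrantInfoFound =
        authService.getTokenGrantInfoByAccessToken(token);
    if (!tokenGrantInfoFound.isPresent()) {
      // Unknown token: fall back to the anonymous client/principal and reject.
      log.info("Presented access token matched no grant");
      this.isAuthorized = false;
      this.oAuthClient = getDefaultClient();
      this.principal = getDefaultPrincipal(request);
      throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
    }
    TokenGrantInfo tokenGrantInfo = tokenGrantInfoFound.get();
    log.info(
        "Found grant for presented access token; client "
            + tokenGrantInfo.getGrantClientIdentifier());
    this.oAuthClient = new OAuth2RSClient(tokenGrantInfo.getGrantClientIdentifier());
    // Prefer the user's primary identifier; fall back to the username when none was recorded.
    String primaryIdentifier = tokenGrantInfo.getGrantUserPrimaryIdentifier();
    this.principal =
        new OAuth2RSPrincipal(
            primaryIdentifier != null ? primaryIdentifier : tokenGrantInfo.getGrantUsername());
    setAuthorization(tokenGrantInfo, request, response);
  }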
  /**
   * Rejects any request whose HTTP method is neither GET nor POST.
   *
   * @param request the incoming request whose method is inspected
   * @throws OAuthProblemException INVALID_REQUEST for every other method
   */
  @Override
  public void validateMethod(HttpServletRequest request) throws OAuthProblemException {
    String httpMethod = request.getMethod();
    boolean allowed =
        OAuth.HttpMethod.GET.equals(httpMethod) || OAuth.HttpMethod.POST.equals(httpMethod);
    if (allowed) {
      return;
    }
    throw OAuthProblemException.error(OAuthError.CodeResponse.INVALID_REQUEST)
        .description("Method not correct.");
  }
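  /**
   * Rejects a token whose grant has been superseded or whose expiry time has already passed.
   *
   * <p>The token value is not written to the log because it is a bearer credential; the client
   * identifier is logged instead so the event can still be attributed.
   *
   * @param tokenGrantInfo grant details for the presented access token
   * @throws OAuthProblemException INVALID_TOKEN when the token is expired or the grant is no
   *     longer current; also whatever {@link #getTokenExpiryDate} raises
   */
  private void checkTokenCurrentAndNotExpired(TokenGrantInfo tokenGrantInfo)
      throws OAuthProblemException {
    Optional<DateTime> expiryDate = getTokenExpiryDate(tokenGrantInfo);
    boolean expired = expiryDate.isPresent() && expiryDate.get().isBeforeNow();
    if (expired || !tokenGrantInfo.getGrantCurrent()) {
      log.warning(
          "Attempt to use expired or superseded token for client "
              + tokenGrantInfo.getGrantClientIdentifier());
      throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
    }
  }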
  /**
   * Reports whether the token's expiry lies within the configured extension threshold.
   *
   * @param tokenGrantInfo grant details for the presented access token
   * @return {@code true} when the token has an expiry date and fewer than the threshold seconds
   *     remain; {@code false} for tokens that never expire
   * @throws OAuthProblemException SERVER_ERROR when no threshold is configured; also whatever
   *     {@link #getTokenExpiryDate} raises
   */
  private boolean tokenCloseToExpiring(TokenGrantInfo tokenGrantInfo) throws OAuthProblemException {
    Optional<DateTime> expiry = getTokenExpiryDate(tokenGrantInfo);
    Integer thresholdSeconds = Resources.getTokenExpiryExtensionThreshold();
    if (thresholdSeconds == null) {
      log.severe("Access token expiry threshold null");
      throw OAuthProblemException.error(SERVER_ERROR);
    }
    if (!expiry.isPresent()) {
      return false;
    }
    // The extension window opens `thresholdSeconds` before the actual expiry instant.
    DateTime windowStart = expiry.get().minusSeconds(thresholdSeconds);
    return windowStart.isBeforeNow();
  }
  /**
   * Computes the instant at which the token expires, if it expires at all.
   *
   * @param tokenGrantInfo grant details for the presented access token
   * @return the grant timestamp plus the stored expiry seconds, or absent for non-expiring tokens
   * @throws OAuthProblemException INVALID_TOKEN when a non-expiring token belongs to a client whose
   *     tokens must expire, or when the stored expiry value is not an integer
   */
  private Optional<DateTime> getTokenExpiryDate(TokenGrantInfo tokenGrantInfo)
      throws OAuthProblemException {
    boolean expires = tokenGrantInfo.getAccessTokenExpires();
    // A non-expiring token is only acceptable if the client is allowed to hold one.
    if (!expires && tokenGrantInfo.getGrantClientTokensMustExpire()) {
      throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
    }
    if (!expires) {
      return Optional.absent();
    }
    int expirySeconds;
    try {
      expirySeconds = Integer.parseInt(tokenGrantInfo.getAccessTokenExpiry());
    } catch (NumberFormatException e) {
      log.warning("NumberFormatException during token check: " + e);
      throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
    }
    DateTime grantedAt = new DateTime(tokenGrantInfo.getGrantTimeStamp());
    // Negative stored values are treated as their magnitude — presumably defensive; confirm.
    return Optional.of(grantedAt.plusSeconds(Math.abs(expirySeconds)));
  }
  /**
   * Resolves the protected endpoint definition that the request targets.
   *
   * @param request the request whose method and URL are matched against known endpoints
   * @return the matching endpoint
   * @throws OAuthProblemException INVALID_REQUEST when no endpoint matches
   */
  private OAuth2RSEndpoint findEndpointForRequest(HttpServletRequest request)
      throws OAuthProblemException {
    Optional<OAuth2RSEndpoint> endpoint = authService.getEndpointForRequest(request);
    if (endpoint.isPresent()) {
      return endpoint.get();
    }
    String requestDescription =
        request.getMethod() + " request for: " + request.getRequestURL().toString();
    log.severe("Could not find endpoint matching " + requestDescription);
    throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_REQUEST);
  }
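  /**
   * Looks up the {@link OAuth2RSAuthService} CDI bean by hand through JNDI.
   *
   * <p>Injection is unavailable because these classes cannot be managed CDI beans (they are
   * created by Apache Amber library code), hence the manual BeanManager lookup.
   *
   * @return a contextual reference to the auth service bean
   * @throws OAuthProblemException SERVER_ERROR when the BeanManager cannot be resolved or no bean
   *     of the required type is registered
   */
  private OAuth2RSAuthService getAuthService() throws OAuthProblemException {
    try {
      BeanManager beanManager = (BeanManager) new InitialContext().lookup("java:comp/BeanManager");
      Set<Bean<?>> beans = beanManager.getBeans(OAuth2RSAuthService.class);
      // Without this guard an empty set surfaces as an unhandled NoSuchElementException.
      if (beans.isEmpty()) {
        log.severe("No CDI bean registered for OAuth2RSAuthService");
        throw OAuthProblemException.error(SERVER_ERROR);
      }
      // getBeans() is typed Set<Bean<?>>; the lookup by class fixes the element type.
      @SuppressWarnings("unchecked")
      Bean<OAuth2RSAuthService> bean = (Bean<OAuth2RSAuthService>) beans.iterator().next();
      CreationalContext<OAuth2RSAuthService> context = beanManager.createCreationalContext(bean);
      return (OAuth2RSAuthService)
          beanManager.getReference(bean, OAuth2RSAuthService.class, context);
    } catch (NamingException e) {
      log.severe("JNDI error with OAuth2 Auth Service: " + e.getMessage());
      throw OAuthProblemException.error(SERVER_ERROR);
    }
  }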
  /**
   * Checks whether any scope granted to the token covers the requested endpoint.
   *
   * @param tokenGrantInfo grant details for the presented access token
   * @param requestEndpoint the endpoint the request resolved to
   * @return {@code true} as soon as one granted scope lists an endpoint equal to
   *     {@code requestEndpoint}; {@code false} when none does
   * @throws OAuthProblemException SERVER_ERROR when the grant has no scopes or a scope has no
   *     endpoint set
   */
  private boolean grantScopeMatchesRequest(
      TokenGrantInfo tokenGrantInfo, OAuth2RSEndpoint requestEndpoint)
      throws OAuthProblemException {
    Set<String> scopeNames = tokenGrantInfo.getGrantScopeNames();
    if (scopeNames.isEmpty()) {
      log.severe("No scopes associated with token grant");
      throw OAuthProblemException.error(SERVER_ERROR);
    }
    for (String scopeName : scopeNames) {
      Set<OAuth2RSEndpoint> endpointsInScope = authService.getEndpointsForScopeName(scopeName);
      if (endpointsInScope == null) {
        log.severe("No endpoints associated with scope");
        throw OAuthProblemException.error(SERVER_ERROR);
      }
      for (OAuth2RSEndpoint candidate : endpointsInScope) {
        if (!requestEndpoint.equals(candidate)) {
          continue;
        }
        log.info(
            "Endpoint " + requestEndpoint.getEndpointUrl() + " matches grant scope " + scopeName);
        return true;
      }
    }
    return false;
  }