 /**
  * Returns the {@link UmaUris} for the given realm.
  *
  * <p>If {@code providerSettingsMap} already holds an entry for the realm it is returned as-is;
  * otherwise the URIs are assembled from the realm's UMA provider settings, the OAuth2 URIs for
  * this request and the base URL pattern resolved for this request.
  *
  * <p>NOTE(review): this method only reads {@code providerSettingsMap}; nothing in it writes the
  * freshly built instance back, so every miss rebuilds. Should a write be added (here or
  * elsewhere), keep in mind the map is keyed by realm alone while {@code baseUrlPattern} is
  * derived from the request — an entry built from one request's host would then be served to
  * every later request in that realm. Confirm the base URL is not attacker-controlled (e.g. taken
  * from the Host header) before caching it.
  *
  * @param request The request instance from which the base URL can be deduced.
  * @param realmInfo The realm.
  * @return The OAuth2ProviderSettings instance.
  * @throws NotFoundException as declared; presumably raised by the factory lookups below.
  */
 public UmaUris get(HttpServletRequest request, RealmInfo realmInfo) throws NotFoundException {
   synchronized (providerSettingsMap) {
     final UmaUris cached = providerSettingsMap.get(realmInfo);
     if (cached != null) {
       return cached;
     }
     final String absoluteRealm = realmInfo.getAbsoluteRealm();
     final UmaProviderSettings umaSettings = umaProviderSettingsFactory.get(absoluteRealm);
     final OAuth2Uris oAuth2Uris = oAuth2UriFactory.get(request, realmInfo);
     final String baseUrlPattern = baseURLProviderFactory.get(absoluteRealm).getURL(request);
     return getUmaProviderSettings(realmInfo, umaSettings, oAuth2Uris, baseUrlPattern);
   }
 }
   /**
    * Handles a requesting party's POST for authorisation (an RPT) against a permission ticket.
    *
    * <p>Sequence as written below: resolve the ticket from the request body, reject it if it has
    * expired, delete it so it is single-use, audit the request, then either issue an RPT when
    * {@link #isEntitled} passes, or record a pending request for the resource owner and report
    * that the request was submitted.
    *
    * <p>Security-relevant points a reader should keep in mind:
    * <ul>
    *   <li>The requesting party's identity comes from the authorisation API token (the caller's
    *       credential), never from the request body; the resource owner is derived from the
    *       ticket's resource set.
    *   <li>The ticket is deleted <em>before</em> entitlement is evaluated, so it cannot be
    *       replayed — but a ticket that fails for a transient reason is consumed as well.
    *   <li>A datastore failure while persisting a pending request is reported to the client as
    *       403/{@code NOT_AUTHORISED_ERROR_CODE} (see the catch below).
    * </ul>
    *
    * @param entity The JSON body of the POST, from which the permission ticket is read.
    * @return The JSON RPT when the requesting party is entitled; every other outcome is signalled
    *     by throwing.
    * @throws UmaException with 400/{@code EXPIRED_TICKET_ERROR_CODE} when the ticket has expired;
    *     with 403/{@code NOT_AUTHORISED_ERROR_CODE} when the pending-request check below trips or
    *     the pending request could not be stored; and with whatever
    *     {@link #newRequestSubmittedException} builds once a new pending request has been recorded.
    * @throws BadRequestException as declared; propagated from the helpers this method delegates to.
    * @throws EntitlementException as declared; propagated from the helpers this method delegates to.
    * @throws ServerException as declared; propagated from the helpers this method delegates to.
    * @throws NotFoundException as declared; propagated from the helpers this method delegates to.
    */
   @Post
   public Representation requestAuthorization(JsonRepresentation entity)
       throws BadRequestException, UmaException, EntitlementException, ServerException,
           NotFoundException {
     // Provider settings (and thus the token store) are those of the realm this endpoint was
     // hit in. NOTE(review): the ticket carries its own realm (used further down); confirm that
     // getPermissionTicket scopes the lookup to this realm so a ticket minted in another realm
     // cannot be presented here.
     UmaProviderSettings umaProviderSettings = umaProviderSettingsFactory.get(this.getRequest());
     JsonValue requestBody = json(toMap(entity));
     PermissionTicket permissionTicket =
         getPermissionTicket(umaProviderSettings.getUmaTokenStore(), requestBody);

     // The caller's own credential; its subject becomes the requesting party below.
     final AccessToken authorisationApiToken = getAuthorisationApiToken();

     // An expired ticket is rejected but NOT deleted here — it is left for whatever expiry
     // handling the token store performs (not visible in this method).
     if (hasExpired(permissionTicket)) {
       throw new UmaException(
           400, UmaConstants.EXPIRED_TICKET_ERROR_CODE, "The permission ticket has expired");
     }

     // Remove the permission ticket before evaluating entitlement so it cannot be re-used,
     // whatever the outcome of the checks that follow.
     umaProviderSettings.getUmaTokenStore().deletePermissionTicket(permissionTicket.getId());

     // Requesting party = subject of the caller's token; resource owner = owner of the resource
     // set named by the ticket. Neither is taken from the request body.
     final String requestingUserId = authorisationApiToken.getResourceOwnerId();
     final String resourceSetId = permissionTicket.getResourceSetId();
     final Request request = getRequest();
     final String resourceOwnerId = getResourceOwnerId(resourceSetId);

     // Every authorisation attempt is audited, before the outcome is known.
     auditLogger.log(
         resourceSetId, resourceOwnerId, UmaAuditType.REQUEST, request, requestingUserId);

     if (isEntitled(umaProviderSettings, permissionTicket, authorisationApiToken)) {
       getResponse().setStatus(new Status(200));
       auditLogger.log(
           resourceSetId, resourceOwnerId, UmaAuditType.GRANTED, request, requestingUserId);
       return createJsonRpt(
           umaProviderSettings.getUmaTokenStore(), permissionTicket, authorisationApiToken);
     } else {
       try {
         // NOTE(review): the branch below treats a true result as "deny, a request is already
         // pending" and a false result as "nothing pending yet, create one". That is the
         // opposite of what the helper's name suggests — confirm its polarity against its
         // definition (outside this view) before changing either side.
         if (verifyPendingRequestDoesNotAlreadyExist(
             resourceSetId,
             resourceOwnerId,
             permissionTicket.getRealm(),
             requestingUserId,
             permissionTicket.getScopes())) {
           auditLogger.log(
               resourceSetId, resourceOwnerId, UmaAuditType.DENIED, request, requestingUserId);
           throw new UmaException(
               403,
               UmaConstants.NOT_AUTHORISED_ERROR_CODE,
               "The client is not authorised to access the requested resource set");
         } else {
           // Queue the request for the resource owner to approve or deny out of band. Realm and
           // scopes come from the ticket, identities from the values resolved above.
           pendingRequestsService.createPendingRequest(
               ServletUtils.getRequest(getRequest()),
               resourceSetId,
               auditLogger.getResourceName(resourceSetId, request),
               resourceOwnerId,
               requestingUserId,
               permissionTicket.getRealm(),
               permissionTicket.getScopes());
           auditLogger.log(
               resourceSetId,
               resourceOwnerId,
               UmaAuditType.REQUEST_SUBMITTED,
               request,
               requestingUserId);
         }
       } catch (org.forgerock.openam.sm.datalayer.store.ServerException e) {
         // Only the datastore's ServerException is caught here; the UmaException thrown above
         // passes straight through. NOTE(review): a backend failure is surfaced to the client
         // as a 403 "not authorised" and no DENIED audit entry is written for it — consider
         // whether a server-error code would be the more honest response.
         logger.error("Failed to create pending request", e);
         throw new UmaException(
             403, UmaConstants.NOT_AUTHORISED_ERROR_CODE, "Failed to create pending request");
       }
       // Reached only after a new pending request was stored: tell the client to retry later.
       throw newRequestSubmittedException();
     }

     // TODO not sure where "need_info" error fits in....
     // (Both branches above return or throw, so nothing after this point executes.)
   }