/**
 * Returns the {@link UmaUris} for the given realm.
 *
 * <p>The realm is first looked up in {@code providerSettingsMap}; a hit is returned as-is. On a
 * miss the URIs are assembled from the realm's {@code UmaProviderSettings}, its
 * {@code OAuth2Uris} and the base URL pattern that {@code baseURLProviderFactory} derives from
 * {@code request}.
 *
 * <p>Note that a freshly built instance is <em>not</em> written back into
 * {@code providerSettingsMap} by this method. Since the base URL comes from the request, a
 * per-realm cache entry would otherwise carry request-specific data into later responses for
 * other callers, so any caching of this value needs to key on the derived base URL as well.
 *
 * @param request The request instance from which the base URL can be deduced.
 * @param realmInfo The realm.
 * @return The {@link UmaUris} instance for the realm.
 * @throws NotFoundException Propagated from the underlying factory lookups.
 */
public UmaUris get(HttpServletRequest request, RealmInfo realmInfo) throws NotFoundException {
    synchronized (providerSettingsMap) {
        UmaUris cached = providerSettingsMap.get(realmInfo);
        if (cached != null) {
            return cached;
        }
        UmaProviderSettings umaSettings = umaProviderSettingsFactory.get(realmInfo.getAbsoluteRealm());
        OAuth2Uris oAuth2Uris = oAuth2UriFactory.get(request, realmInfo);
        String baseUrlPattern =
                baseURLProviderFactory.get(realmInfo.getAbsoluteRealm()).getURL(request);
        return getUmaProviderSettings(realmInfo, umaSettings, oAuth2Uris, baseUrlPattern);
    }
}
/**
 * Handles a POST that asks for authorization against a previously issued permission ticket.
 *
 * <p>The ticket named in the request body is looked up in the UMA token store. An expired
 * ticket is rejected with 400 before anything else happens. A live ticket is deleted from the
 * store immediately so it cannot be presented a second time, and the attempt is written to the
 * audit log as {@code REQUEST}. The requesting party, identified by the authorization API
 * token, is then checked for entitlement:
 *
 * <ul>
 *   <li>entitled: status 200, audit {@code GRANTED}, and a JSON RPT is returned;
 *   <li>not entitled and a pending request already exists: audit {@code DENIED}, 403;
 *   <li>not entitled otherwise: a pending request is created, audit {@code REQUEST_SUBMITTED},
 *       and the "request submitted" exception is raised.
 * </ul>
 *
 * <p>NOTE(review): a failure while persisting the pending request is surfaced to the client as
 * 403 {@code NOT_AUTHORISED_ERROR_CODE}, so on the wire a store outage looks the same as a
 * genuine denial; the server-side error log line is the only record of the difference.
 *
 * @param entity The JSON request body carrying the permission ticket.
 * @return The JSON representation of the issued RPT when the requesting party is entitled.
 * @throws UmaException With 400 {@code EXPIRED_TICKET_ERROR_CODE} if the ticket has expired, or
 *     with 403 {@code NOT_AUTHORISED_ERROR_CODE} if a pending request already exists or the new
 *     pending request could not be stored.
 * @throws BadRequestException Propagated from request parsing or ticket lookup.
 * @throws EntitlementException Propagated from the entitlement check.
 * @throws ServerException Propagated from the token store and entitlement helpers.
 * @throws NotFoundException Propagated from the provider settings or resource set lookups.
 */
@Post
public Representation requestAuthorization(JsonRepresentation entity)
        throws BadRequestException, UmaException, EntitlementException, ServerException,
                NotFoundException {
    UmaProviderSettings settings = umaProviderSettingsFactory.get(this.getRequest());
    JsonValue body = json(toMap(entity));
    PermissionTicket ticket = getPermissionTicket(settings.getUmaTokenStore(), body);
    AccessToken apiToken = getAuthorisationApiToken();

    if (hasExpired(ticket)) {
        throw new UmaException(
                400, UmaConstants.EXPIRED_TICKET_ERROR_CODE, "The permission ticket has expired");
    }

    // One-time use: the ticket is removed before any decision is taken on it.
    settings.getUmaTokenStore().deletePermissionTicket(ticket.getId());

    String requestingUserId = apiToken.getResourceOwnerId();
    String resourceSetId = ticket.getResourceSetId();
    Request request = getRequest();
    String resourceOwnerId = getResourceOwnerId(resourceSetId);

    // Every attempt is audited, whatever the outcome below.
    auditLogger.log(resourceSetId, resourceOwnerId, UmaAuditType.REQUEST, request, requestingUserId);

    if (isEntitled(settings, ticket, apiToken)) {
        getResponse().setStatus(new Status(200));
        auditLogger.log(
                resourceSetId, resourceOwnerId, UmaAuditType.GRANTED, request, requestingUserId);
        return createJsonRpt(settings.getUmaTokenStore(), ticket, apiToken);
    }

    try {
        // NOTE(review): the helper's name reads as "does not already exist", yet a true result
        // is treated as a denial here; confirm the intended polarity against its implementation.
        if (verifyPendingRequestDoesNotAlreadyExist(
                resourceSetId,
                resourceOwnerId,
                ticket.getRealm(),
                requestingUserId,
                ticket.getScopes())) {
            auditLogger.log(
                    resourceSetId, resourceOwnerId, UmaAuditType.DENIED, request, requestingUserId);
            throw new UmaException(
                    403,
                    UmaConstants.NOT_AUTHORISED_ERROR_CODE,
                    "The client is not authorised to access the requested resource set");
        }
        pendingRequestsService.createPendingRequest(
                ServletUtils.getRequest(getRequest()),
                resourceSetId,
                auditLogger.getResourceName(resourceSetId, request),
                resourceOwnerId,
                requestingUserId,
                ticket.getRealm(),
                ticket.getScopes());
        auditLogger.log(
                resourceSetId,
                resourceOwnerId,
                UmaAuditType.REQUEST_SUBMITTED,
                request,
                requestingUserId);
    } catch (org.forgerock.openam.sm.datalayer.store.ServerException e) {
        logger.error("Failed to create pending request", e);
        throw new UmaException(
                403, UmaConstants.NOT_AUTHORISED_ERROR_CODE, "Failed to create pending request");
    }
    throw newRequestSubmittedException();
    // TODO not sure where "need_info" error fits in....
}