/** * Handle request internal model and view. * * @param request the request * @param response the response * @return the model and view * @throws Exception the exception */ @RequestMapping(path = OAuthConstants.BASE_OAUTH20_URL + '/' + OAuthConstants.AUTHORIZE_URL) public ModelAndView handleRequestInternal( final HttpServletRequest request, final HttpServletResponse response) throws Exception { final J2EContext context = new J2EContext(request, response); final ProfileManager manager = new ProfileManager(context); if (!verifyAuthorizeRequest(request) || !isRequestAuthenticated(manager, context)) { logger.error("Authorize request verification fails"); return new ModelAndView(OAuthConstants.ERROR_VIEW); } final String clientId = context.getRequestParameter(OAuthConstants.CLIENT_ID); final OAuthRegisteredService registeredService = OAuthUtils.getRegisteredOAuthService(this.servicesManager, clientId); try { RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed( clientId, registeredService); } catch (final Exception e) { logger.error(e.getMessage(), e); return new ModelAndView(OAuthConstants.ERROR_VIEW); } final ModelAndView mv = this.consentApprovalViewResolver.resolve(context, registeredService); if (!mv.isEmpty() && mv.hasView()) { return mv; } return redirectToCallbackRedirectUrl(manager, registeredService, context, clientId); }
/** * Verify the authorize request. * * @param request the HTTP request * @return whether the authorize request is valid */ private boolean verifyAuthorizeRequest(final HttpServletRequest request) { final boolean checkParameterExist = this.validator.checkParameterExist(request, OAuthConstants.CLIENT_ID) && this.validator.checkParameterExist(request, OAuthConstants.REDIRECT_URI) && this.validator.checkParameterExist(request, OAuthConstants.RESPONSE_TYPE); final String responseType = request.getParameter(OAuthConstants.RESPONSE_TYPE); final String clientId = request.getParameter(OAuthConstants.CLIENT_ID); final String redirectUri = request.getParameter(OAuthConstants.REDIRECT_URI); final OAuthRegisteredService registeredService = OAuthUtils.getRegisteredOAuthService(this.servicesManager, clientId); return checkParameterExist && checkResponseTypes(responseType, OAuthResponseType.CODE, OAuthResponseType.TOKEN) && this.validator.checkServiceValid(registeredService) && this.validator.checkCallbackValid(registeredService, redirectUri); }
private ModelAndView redirectToCallbackRedirectUrl( final ProfileManager manager, final OAuthRegisteredService registeredService, final J2EContext context, final String clientId) throws Exception { final Optional<UserProfile> profile = manager.get(true); if (profile == null || !profile.isPresent()) { logger.error("Unexpected null profile from profile manager"); return new ModelAndView(OAuthConstants.ERROR_VIEW); } final Service service = createService(registeredService); final Authentication authentication = createAuthentication(profile.get(), registeredService, context); try { RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService( service, registeredService, authentication); } catch (final UnauthorizedServiceException | PrincipalException e) { logger.error(e.getMessage(), e); return new ModelAndView(OAuthConstants.ERROR_VIEW); } final String redirectUri = context.getRequestParameter(OAuthConstants.REDIRECT_URI); logger.debug( "Authorize request verification successful for client {} with redirect uri {}", clientId, redirectUri); final String responseType = context.getRequestParameter(OAuthConstants.RESPONSE_TYPE); final String callbackUrl; if (isResponseType(responseType, OAuthResponseType.CODE)) { callbackUrl = buildCallbackUrlForAuthorizationCodeResponseType(authentication, service, redirectUri); } else { callbackUrl = buildCallbackUrlForImplicitResponseType(context, authentication, service, redirectUri); } logger.debug("callbackUrl: {}", callbackUrl); return OAuthUtils.redirectTo(callbackUrl); }