// 要不要PreApproval??
  @Override
  public AuthorizationRequest checkForPreApproval(
      AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
    boolean approved = false;
    String clientId = authorizationRequest.getClientId();
    Set<String> scopes = authorizationRequest.getScope();

    OAuth2Request storedOAuth2Request = requestFactory.createOAuth2Request(authorizationRequest);

    OAuth2Authentication authentication =
        new OAuth2Authentication(storedOAuth2Request, userAuthentication);
    if (logger.isDebugEnabled()) {
      StringBuilder builder = new StringBuilder("Looking up existing token for ");
      builder.append("client_id=" + clientId);
      builder.append(", scope=" + scopes);
      builder.append(" and username="******"Existing access token=" + accessToken);
    if (accessToken != null && !accessToken.isExpired()) {
      logger.debug("User already approved with token=" + accessToken);
      approved = true;
    } else {
      logger.debug("Checking explicit approval");
      approved = userAuthentication.isAuthenticated() && approved;
    }

    authorizationRequest.setApproved(approved);
    return authorizationRequest;
  }
  /**
   * Basic implementation just requires the authorization request to be explicitly approved and the
   * user to be authenticated.
   *
   * @param authorizationRequest The authorization request.
   * @param userAuthentication the current user authentication
   * @return Whether the specified request has been approved by the current user.
   */
  public boolean isApproved(
      AuthorizationRequest authorizationRequest, Authentication userAuthentication) {

    String flag = authorizationRequest.getApprovalParameters().get(approvalParameter);
    boolean approved = flag != null && flag.toLowerCase().equals("true");

    OAuth2Authentication authentication =
        new OAuth2Authentication(authorizationRequest, userAuthentication);
    if (logger.isDebugEnabled()) {
      StringBuilder builder = new StringBuilder("Looking up existing token for ");
      builder.append("client_id=" + authorizationRequest.getClientId());
      builder.append(", scope=" + authorizationRequest.getScope());
      builder.append(" and username="******"Existing access token=" + accessToken);
    if (accessToken != null && !accessToken.isExpired()) {
      logger.debug("User already approved with token=" + accessToken);
      // A token was already granted and is still valid, so this is already approved
      approved = true;
    } else {
      logger.debug("Checking explicit approval");
      approved = userAuthentication.isAuthenticated() && approved;
    }

    return approved;
  }
  public View getUnsuccessfulView(
      AuthorizationRequest authorizationRequest, OAuth2Exception failure) {

    if (authorizationRequest == null || authorizationRequest.getRedirectUri() == null) {
      // we have no redirect for the user. very sad.
      throw new UnapprovedClientAuthenticationException(
          "Authorization failure, and no redirect URI.", failure);
    }

    Map<String, String> query = new LinkedHashMap<String, String>();

    query.put("error", failure.getOAuth2ErrorCode());
    query.put("error_description", failure.getMessage());

    if (authorizationRequest.getState() != null) {
      query.put("state", authorizationRequest.getState());
    }

    if (failure.getAdditionalInformation() != null) {
      for (Map.Entry<String, String> additionalInfo :
          failure.getAdditionalInformation().entrySet()) {
        query.put(additionalInfo.getKey(), additionalInfo.getValue());
      }
    }

    String url =
        append(
            authorizationRequest.getRedirectUri(), query, appendToFragment(authorizationRequest));
    return new RedirectView(url, false, true, false);
  }
  @Before
  public void setUp() {
    mockUserDatabase(userId, user);
    authorizationRequest = new AuthorizationRequest("client", Collections.singleton("read"));
    authorizationRequest.setResourceIds(new HashSet<>(Arrays.asList("client", "scim")));
    Map<String, String> requestParameters = new HashMap<>();
    authorizationRequest.setRequestParameters(requestParameters);
    authentication =
        new OAuth2Authentication(
            authorizationRequest.createOAuth2Request(),
            UaaAuthenticationTestFactory.getAuthentication(userId, userName, "*****@*****.**"));

    signerProvider = new SignerProvider();
    signerProvider.setSigningKey(signerKey);
    signerProvider.setVerifierKey(verifierKey);
    tokenServices.setSignerProvider(signerProvider);
    endpoint.setTokenServices(tokenServices);
    Date oneSecondAgo = new Date(System.currentTimeMillis() - 1000);
    Date thirtySecondsAhead = new Date(System.currentTimeMillis() + 30000);

    approvalStore.addApproval(
        new Approval(
            userId, "client", "read", thirtySecondsAhead, ApprovalStatus.APPROVED, oneSecondAgo));
    approvalStore.addApproval(
        new Approval(
            userId, "client", "write", thirtySecondsAhead, ApprovalStatus.APPROVED, oneSecondAgo));
    tokenServices.setApprovalStore(approvalStore);

    clientDetailsService.setClientDetailsStore(clientDetailsStore);
    tokenServices.setClientDetailsService(clientDetailsService);

    accessToken = tokenServices.createAccessToken(authentication);
  }
  @Test
  public void testClientWildcard() throws Exception {
    BaseClientDetails theclient =
        new BaseClientDetails(
            "client",
            "zones",
            "zones.*.admin",
            "authorization_code, password",
            "scim.read, scim.write",
            "http://*****:*****@vmware.com"));

    accessToken = tokenServices.createAccessToken(authentication);

    endpoint.checkToken(accessToken.getValue());
  }
 // 待改进,读取用户所拥有的权限以及客户端请求的权限,根据二者返回
 @Override
 public Map<String, Object> getUserApprovalRequest(
     AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
   Map<String, Object> model = new HashMap<String, Object>();
   model.putAll(authorizationRequest.getRequestParameters());
   return model;
 }
 @Override
 public AuthorizationRequest updateAfterApproval(
     AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
   Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters();
   Set<String> scopes = new LinkedHashSet();
   for (Map.Entry<String, String> entry : approvalParameters.entrySet()) {
     String key = entry.getKey();
     String value = entry.getValue();
     if (value.equals("true")) {
       scopes.add(key);
     }
   }
   authorizationRequest.setScope(scopes);
   String flag = approvalParameters.get(approvalParameter);
   boolean approved = flag != null && flag.toLowerCase().equals("true");
   authorizationRequest.setApproved(approved);
   return authorizationRequest;
 }
  /**
   * Basic access confirmation controller for OAuth2
   *
   * @param model Model objects to be passed to the view
   * @param principal The principal user making the auth request
   * @return A ModelAndView for the access_confirmation page
   */
  @RequestMapping("/api/oauth/confirm_access")
  public ModelAndView getAccessConfirmation(Map<String, Object> model, Principal principal) {
    // get the authorization request from the model
    AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest");

    logger.trace(
        "Token request recieved from " + clientAuth.getClientId() + " for " + principal.getName());
    // get a list of the scopes from the request
    Set<String> scopes = clientAuth.getScope();
    String join = Joiner.on(" & ").join(scopes);

    // add necessary information to the model
    model.put("auth_request", clientAuth);
    model.put("scopes", join);
    model.put("principal", principal);

    return new ModelAndView("oauth/access_confirmation", model);
  }
  @Override
  public View getSuccessfulAuthorizationCodeView(
      AuthorizationRequest authorizationRequest, String authorizationCode) {
    if (authorizationCode == null) {
      throw new IllegalStateException("No authorization code found in the current request scope.");
    }

    Map<String, String> query = new LinkedHashMap<String, String>();
    query.put("code", authorizationCode);

    String state = authorizationRequest.getState();
    if (state != null) {
      query.put("state", state);
    }

    return new RedirectView(
        append(authorizationRequest.getRedirectUri(), query, false), false, true, false);
  }
  public OAuth2AccessToken refreshAccessToken(
      String refreshTokenValue, AuthorizationRequest request) throws AuthenticationException {

    if (!supportRefreshToken) {
      throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
    }

    OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshTokenValue);
    if (refreshToken == null) {
      throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
    }

    OAuth2Authentication authentication =
        tokenStore.readAuthenticationForRefreshToken(refreshToken);
    String clientId = authentication.getOAuth2Request().getClientId();
    if (clientId == null || !clientId.equals(request.getClientId())) {
      throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue);
    }

    // clear out any access tokens already associated with the refresh
    // token.
    tokenStore.removeAccessTokenUsingRefreshToken(refreshToken);

    if (isExpired(refreshToken)) {
      tokenStore.removeRefreshToken(refreshToken);
      throw new InvalidTokenException("Invalid refresh token (expired): " + refreshToken);
    }

    authentication = createRefreshedAuthentication(authentication, request.getScope());

    if (!reuseRefreshToken) {
      tokenStore.removeRefreshToken(refreshToken);
      refreshToken = createRefreshToken(authentication);
    }

    OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
    tokenStore.storeAccessToken(accessToken, authentication);
    if (!reuseRefreshToken) {
      tokenStore.storeRefreshToken(refreshToken, authentication);
    }
    return accessToken;
  }
 @Override
 public String retrieveSourceOrcid() {
   Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
   if (authentication == null) {
     return null;
   }
   // API
   if (OAuth2Authentication.class.isAssignableFrom(authentication.getClass())) {
     AuthorizationRequest authorizationRequest =
         ((OAuth2Authentication) authentication).getAuthorizationRequest();
     return authorizationRequest.getClientId();
   }
   // Delegation mode
   String realUserIfInDelegationMode = getRealUserIfInDelegationMode(authentication);
   if (realUserIfInDelegationMode != null) {
     return realUserIfInDelegationMode;
   }
   // Normal web user
   return retrieveEffectiveOrcid(authentication);
 }
  @RequestMapping("/oauth/confirm_access")
  public ModelAndView getAccessConfirmation(@ModelAttribute AuthorizationRequest clientAuth)
      throws Exception {

    ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());

    TreeMap<String, Object> model = new TreeMap<String, Object>();
    model.put("auth_request", clientAuth);
    model.put("client", client);

    return new ModelAndView("access_confirmation", model);
  }
  private String appendAccessToken(
      AuthorizationRequest authorizationRequest, OAuth2AccessToken accessToken) {

    Map<String, Object> vars = new LinkedHashMap<String, Object>();
    Map<String, String> keys = new HashMap<String, String>();

    if (accessToken == null) {
      throw new InvalidRequestException("An implicit grant could not be made");
    }

    vars.put("access_token", accessToken.getValue());
    vars.put("token_type", accessToken.getTokenType());
    String state = authorizationRequest.getState();

    if (state != null) {
      vars.put("state", state);
    }
    Date expiration = accessToken.getExpiration();
    if (expiration != null) {
      long expires_in = (expiration.getTime() - System.currentTimeMillis()) / 1000;
      vars.put("expires_in", expires_in);
    }
    String originalScope = authorizationRequest.getRequestParameters().get(OAuth2Utils.SCOPE);
    if (originalScope == null
        || !OAuth2Utils.parseParameterList(originalScope).equals(accessToken.getScope())) {
      vars.put("scope", OAuth2Utils.formatParameterList(accessToken.getScope()));
    }
    Map<String, Object> additionalInformation = accessToken.getAdditionalInformation();
    for (String key : additionalInformation.keySet()) {
      Object value = additionalInformation.get(key);
      if (value != null) {
        keys.put("extra_" + key, key);
        vars.put("extra_" + key, value);
      }
    }
    // Do not include the refresh token (even if there is one)
    return append(authorizationRequest.getRedirectUri(), vars, keys, true);
  }
Exemple #14
0
  @RequestMapping("/oauth/confirm_access")
  public String confirm(
      @ModelAttribute AuthorizationRequest clientAuth,
      Map<String, Object> model,
      final HttpServletRequest request)
      throws Exception {

    if (clientAuth == null) {
      model.put(
          "error",
          "No authorizatioun request is present, so we cannot confirm access (we don't know what you are asking for).");
      // response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    } else {
      ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
      model.put("auth_request", clientAuth);
      model.put("client", client);
      model.put(
          "message",
          "To confirm or deny access POST to the following locations with the parameters requested.");
      Map<String, Object> options =
          new HashMap<String, Object>() {
            {
              put(
                  "confirm",
                  new HashMap<String, String>() {
                    {
                      put("location", getLocation(request, "oauth/authorize"));
                      put("path", getPath(request, "oauth/authorize"));
                      put("key", "user_oauth_approval");
                      put("value", "true");
                    }
                  });
              put(
                  "deny",
                  new HashMap<String, String>() {
                    {
                      put("location", getLocation(request, "oauth/authorize"));
                      put("path", getPath(request, "oauth/authorize"));
                      put("key", "user_oauth_approval");
                      put("value", "false");
                    }
                  });
            }
          };
      model.put("options", options);
    }
    return "access_confirmation";
  }
  @Test
  public void testOauthClient() throws Exception {
    AuthorizationRequest request = new AuthorizationRequest("foo", Collections.singleton("read"));
    request.setResourceIdsAndAuthoritiesFromClientDetails(
        new BaseClientDetails("foo", "", "", "client_credentials", "ROLE_CLIENT"));
    Authentication userAuthentication = null;

    OAuth2Request clientAuthentication =
        RequestTokenFactory.createOAuth2Request(
            request.getRequestParameters(),
            request.getClientId(),
            request.getAuthorities(),
            request.isApproved(),
            request.getScope(),
            request.getResourceIds(),
            request.getRedirectUri(),
            request.getResponseTypes(),
            request.getExtensions());

    OAuth2Authentication oAuth2Authentication =
        new OAuth2Authentication(clientAuthentication, userAuthentication);
    MethodInvocation invocation =
        new SimpleMethodInvocation(this, ReflectionUtils.findMethod(getClass(), "testOauthClient"));
    EvaluationContext context = handler.createEvaluationContext(oAuth2Authentication, invocation);
    Expression expression =
        handler.getExpressionParser().parseExpression("#oauth2.clientHasAnyRole('ROLE_CLIENT')");
    assertTrue((Boolean) expression.getValue(context));
  }
  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    AuthorizationRequest authRequest =
        authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));

    if (authRequest.getExtensions().get("prompt") != null) {
      // we have a "prompt" parameter
      String prompt = (String) authRequest.getExtensions().get("prompt");

      if (prompt.equals("none")) {
        logger.info("Client requested no prompt");
        // see if the user's logged in
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (auth != null) {
          // user's been logged in already (by session management)
          // we're OK, continue without prompting
          chain.doFilter(req, res);
        } else {
          // user hasn't been logged in, we need to "return an error"
          logger.info("User not logged in, no prompt requested, returning 403 from filter");
          response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
          return;
        }
      } else if (prompt.equals("login")) {

        // first see if the user's already been prompted in this session
        HttpSession session = request.getSession();
        if (session.getAttribute(PROMPTED) == null) {
          // user hasn't been PROMPTED yet, we need to check

          session.setAttribute(PROMPT_REQUESTED, Boolean.TRUE);

          // see if the user's logged in
          Authentication auth = SecurityContextHolder.getContext().getAuthentication();
          if (auth != null) {
            // user's been logged in already (by session management)
            // log them out and continue
            SecurityContextHolder.getContext().setAuthentication(null);
            chain.doFilter(req, res);
          } else {
            // user hasn't been logged in yet, we can keep going since we'll get there
            chain.doFilter(req, res);
          }
        } else {
          // user has been PROMPTED, we're fine

          // but first, undo the prompt tag
          session.removeAttribute(PROMPTED);
          chain.doFilter(req, res);
        }
      } else {
        // prompt parameter is a value we don't care about, not our business
        chain.doFilter(req, res);
      }

    } else if (authRequest.getExtensions().get("max_age") != null) {
      String maxAge = (String) authRequest.getExtensions().get("max_age");
      HttpSession session = request.getSession();
      Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);

      Date now = new Date();
      if (authTime != null) {
        Integer max = Integer.parseInt(maxAge);
        long seconds = (now.getTime() - authTime.getTime()) / 1000;
        if (seconds > max) {
          // session is too old, log the user out and continue
          SecurityContextHolder.getContext().setAuthentication(null);
        }
      }

      chain.doFilter(req, res);
    } else {
      // no prompt parameter, not our business
      chain.doFilter(req, res);
    }
  }
  @Before
  public void setUp() {
    userAuthorities = new ArrayList<>();
    userAuthorities.add(new SimpleGrantedAuthority("read"));
    userAuthorities.add(new SimpleGrantedAuthority("write"));
    userAuthorities.add(new SimpleGrantedAuthority("zones.myzone.admin"));
    userAuthorities.addAll(UaaAuthority.USER_AUTHORITIES);
    user =
        new UaaUser(
            userId,
            userName,
            "password",
            userEmail,
            userAuthorities,
            "GivenName",
            "FamilyName",
            new Date(System.currentTimeMillis() - 2000),
            new Date(System.currentTimeMillis() - 2000),
            OriginKeys.UAA,
            "externalId",
            false,
            IdentityZoneHolder.get().getId(),
            "salt",
            new Date(System.currentTimeMillis() - 2000));
    mockUserDatabase(userId, user);
    authorizationRequest = new AuthorizationRequest("client", Collections.singleton("read"));
    authorizationRequest.setResourceIds(new HashSet<>(Arrays.asList("client", "scim")));
    Map<String, String> requestParameters = new HashMap<>();
    authorizationRequest.setRequestParameters(requestParameters);
    authentication =
        new OAuth2Authentication(
            authorizationRequest.createOAuth2Request(),
            UaaAuthenticationTestFactory.getAuthentication(userId, userName, "*****@*****.**"));

    signerProvider = new SignerProvider();
    signerProvider.setSigningKey(signerKey);
    signerProvider.setVerifierKey(verifierKey);
    tokenServices.setSignerProvider(signerProvider);
    endpoint.setTokenServices(tokenServices);
    Date oneSecondAgo = new Date(System.currentTimeMillis() - 1000);
    Date thirtySecondsAhead = new Date(System.currentTimeMillis() + 30000);

    approvalStore.addApproval(
        new Approval()
            .setUserId(userId)
            .setClientId("client")
            .setScope("read")
            .setExpiresAt(thirtySecondsAhead)
            .setStatus(ApprovalStatus.APPROVED)
            .setLastUpdatedAt(oneSecondAgo));
    approvalStore.addApproval(
        new Approval()
            .setUserId(userId)
            .setClientId("client")
            .setScope("write")
            .setExpiresAt(thirtySecondsAhead)
            .setStatus(ApprovalStatus.APPROVED)
            .setLastUpdatedAt(oneSecondAgo));
    tokenServices.setApprovalStore(approvalStore);
    tokenServices.setTokenPolicy(new TokenPolicy(43200, 2592000));

    defaultClient =
        new BaseClientDetails(
            "client",
            "scim, cc",
            "read, write",
            "authorization_code, password",
            "scim.read, scim.write",
            "http://localhost:8080/uaa");
    clientDetailsStore = Collections.singletonMap("client", defaultClient);
    clientDetailsService.setClientDetailsStore(clientDetailsStore);
    tokenServices.setClientDetailsService(clientDetailsService);

    accessToken = tokenServices.createAccessToken(authentication);
  }
 @Override
 public boolean isApproved(
     AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
   return authorizationRequest.isApproved();
 }
 protected boolean appendToFragment(AuthorizationRequest authorizationRequest) {
   return authorizationRequest.getResponseTypes().contains("token");
 }