@Test
public void testOauthClient() throws Exception {
AuthorizationRequest request = new AuthorizationRequest("foo", Collections.singleton("read"));
request.setResourceIdsAndAuthoritiesFromClientDetails(
new BaseClientDetails("foo", "", "", "client_credentials", "ROLE_CLIENT"));
Authentication userAuthentication = null;
OAuth2Request clientAuthentication =
RequestTokenFactory.createOAuth2Request(
request.getRequestParameters(),
request.getClientId(),
request.getAuthorities(),
request.isApproved(),
request.getScope(),
request.getResourceIds(),
request.getRedirectUri(),
request.getResponseTypes(),
request.getExtensions());
OAuth2Authentication oAuth2Authentication =
new OAuth2Authentication(clientAuthentication, userAuthentication);
MethodInvocation invocation =
new SimpleMethodInvocation(this, ReflectionUtils.findMethod(getClass(), "testOauthClient"));
EvaluationContext context = handler.createEvaluationContext(oAuth2Authentication, invocation);
Expression expression =
handler.getExpressionParser().parseExpression("#oauth2.clientHasAnyRole('ROLE_CLIENT')");
assertTrue((Boolean) expression.getValue(context));
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
AuthorizationRequest authRequest =
authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
if (authRequest.getExtensions().get("prompt") != null) {
// we have a "prompt" parameter
String prompt = (String) authRequest.getExtensions().get("prompt");
if (prompt.equals("none")) {
logger.info("Client requested no prompt");
// see if the user's logged in
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null) {
// user's been logged in already (by session management)
// we're OK, continue without prompting
chain.doFilter(req, res);
} else {
// user hasn't been logged in, we need to "return an error"
logger.info("User not logged in, no prompt requested, returning 403 from filter");
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
return;
}
} else if (prompt.equals("login")) {
// first see if the user's already been prompted in this session
HttpSession session = request.getSession();
if (session.getAttribute(PROMPTED) == null) {
// user hasn't been PROMPTED yet, we need to check
session.setAttribute(PROMPT_REQUESTED, Boolean.TRUE);
// see if the user's logged in
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null) {
// user's been logged in already (by session management)
// log them out and continue
SecurityContextHolder.getContext().setAuthentication(null);
chain.doFilter(req, res);
} else {
// user hasn't been logged in yet, we can keep going since we'll get there
chain.doFilter(req, res);
}
} else {
// user has been PROMPTED, we're fine
// but first, undo the prompt tag
session.removeAttribute(PROMPTED);
chain.doFilter(req, res);
}
} else {
// prompt parameter is a value we don't care about, not our business
chain.doFilter(req, res);
}
} else if (authRequest.getExtensions().get("max_age") != null) {
String maxAge = (String) authRequest.getExtensions().get("max_age");
HttpSession session = request.getSession();
Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
Date now = new Date();
if (authTime != null) {
Integer max = Integer.parseInt(maxAge);
long seconds = (now.getTime() - authTime.getTime()) / 1000;
if (seconds > max) {
// session is too old, log the user out and continue
SecurityContextHolder.getContext().setAuthentication(null);
}
}
chain.doFilter(req, res);
} else {
// no prompt parameter, not our business
chain.doFilter(req, res);
}
}
