  /**
   * Checks whether an equivalent pending request is already queued for this requesting
   * party against the given resource set.
   *
   * <p>A queued request is treated as equivalent when its scope set contains every scope
   * requested here ({@code containsAll}); a queued request that covers only a subset of
   * the scopes does not match. When an equivalent request is found this method throws
   * {@link #newRequestSubmittedException()} instead of returning.
   *
   * @param resourceSetId the resource set the request targets
   * @param resourceOwnerId the owner of that resource set
   * @param realm the realm the pending requests are queried in
   * @param requestingUserId the requesting party
   * @param scopes the scopes being requested
   * @return always {@code false}; the only other outcome is the exception above, so a
   *     caller branching on {@code true} never takes that branch
   * @throws org.forgerock.openam.sm.datalayer.store.ServerException if the pending
   *     request query fails
   * @throws UmaException if an equivalent pending request already exists
   */
  private boolean verifyPendingRequestDoesNotAlreadyExist(
      String resourceSetId,
      String resourceOwnerId,
      String realm,
      String requestingUserId,
      Set<String> scopes)
      throws org.forgerock.openam.sm.datalayer.store.ServerException, UmaException {
    Set<UmaPendingRequest> queued =
        pendingRequestsService.queryPendingRequests(
            resourceSetId, resourceOwnerId, requestingUserId, realm);
    // Iterating an empty result is a no-op, so no explicit isEmpty() guard is needed.
    for (UmaPendingRequest queuedRequest : queued) {
      // First queued request whose scopes cover the requested scopes ends the check.
      if (queuedRequest.getScopes().containsAll(scopes)) {
        throw newRequestSubmittedException();
      }
    }
    return false;
  }
  /**
   * Handles a UMA authorization request for a permission ticket and issues an RPT when
   * the requesting party is entitled.
   *
   * <p>Order of operations: resolve the permission ticket from the request body, reject
   * it if expired, delete it so it is single-use, audit the request, then either return
   * an RPT (entitled) or record a pending request for the resource owner and fail with the
   * "request submitted" error. The not-entitled path therefore never returns normally.
   *
   * @param entity the JSON request body carrying the permission ticket
   * @return the RPT as JSON when the requesting party is entitled
   * @throws UmaException if the ticket has expired (400), an equivalent pending request
   *     already exists, the pending request cannot be stored (403), or — always, on the
   *     not-entitled path — once the pending request has been recorded
   * @throws BadRequestException propagated from the helpers called here
   * @throws EntitlementException propagated from the helpers called here
   * @throws ServerException propagated from the helpers called here
   * @throws NotFoundException propagated from the helpers called here
   */
  @Post
  public Representation requestAuthorization(JsonRepresentation entity)
      throws BadRequestException, UmaException, EntitlementException, ServerException,
          NotFoundException {
    UmaProviderSettings umaProviderSettings = umaProviderSettingsFactory.get(this.getRequest());
    JsonValue requestBody = json(toMap(entity));
    PermissionTicket permissionTicket =
        getPermissionTicket(umaProviderSettings.getUmaTokenStore(), requestBody);

    // The caller's authorization API token is what identifies the requesting party below.
    final AccessToken authorisationApiToken = getAuthorisationApiToken();

    // Expiry is checked before the ticket is consumed, so an expired ticket is left in the store.
    if (hasExpired(permissionTicket)) {
      throw new UmaException(
          400, UmaConstants.EXPIRED_TICKET_ERROR_CODE, "The permission ticket has expired");
    }

    // Remove permission ticket so it cannot be re-used
    // This happens before the entitlement decision, so any later failure in this method
    // (including the not-entitled path) has already consumed the ticket.
    umaProviderSettings.getUmaTokenStore().deletePermissionTicket(permissionTicket.getId());

    final String requestingUserId = authorisationApiToken.getResourceOwnerId();
    final String resourceSetId = permissionTicket.getResourceSetId();
    final Request request = getRequest();
    final String resourceOwnerId = getResourceOwnerId(resourceSetId);

    // Every authorization attempt is audited, regardless of outcome.
    auditLogger.log(
        resourceSetId, resourceOwnerId, UmaAuditType.REQUEST, request, requestingUserId);

    if (isEntitled(umaProviderSettings, permissionTicket, authorisationApiToken)) {
      getResponse().setStatus(new Status(200));
      auditLogger.log(
          resourceSetId, resourceOwnerId, UmaAuditType.GRANTED, request, requestingUserId);
      return createJsonRpt(
          umaProviderSettings.getUmaTokenStore(), permissionTicket, authorisationApiToken);
    } else {
      try {
        // NOTE(review): verifyPendingRequestDoesNotAlreadyExist only ever returns false — it
        // throws when an equivalent pending request exists — so this true branch, and the
        // DENIED audit entry inside it, is unreachable as written.
        if (verifyPendingRequestDoesNotAlreadyExist(
            resourceSetId,
            resourceOwnerId,
            permissionTicket.getRealm(),
            requestingUserId,
            permissionTicket.getScopes())) {
          auditLogger.log(
              resourceSetId, resourceOwnerId, UmaAuditType.DENIED, request, requestingUserId);
          throw new UmaException(
              403,
              UmaConstants.NOT_AUTHORISED_ERROR_CODE,
              "The client is not authorised to access the requested resource set");
        } else {
          // No equivalent request is queued: record one for the resource owner to act on.
          pendingRequestsService.createPendingRequest(
              ServletUtils.getRequest(getRequest()),
              resourceSetId,
              auditLogger.getResourceName(resourceSetId, request),
              resourceOwnerId,
              requestingUserId,
              permissionTicket.getRealm(),
              permissionTicket.getScopes());
          auditLogger.log(
              resourceSetId,
              resourceOwnerId,
              UmaAuditType.REQUEST_SUBMITTED,
              request,
              requestingUserId);
        }
      } catch (org.forgerock.openam.sm.datalayer.store.ServerException e) {
        // A store failure is surfaced to the client as 403 with a generic message; the
        // underlying cause is only written to the server log.
        logger.error("Failed to create pending request", e);
        throw new UmaException(
            403, UmaConstants.NOT_AUTHORISED_ERROR_CODE, "Failed to create pending request");
      }
      // The not-entitled path always ends here: the client is told a request was submitted.
      throw newRequestSubmittedException();
    }

    // TODO not sure where "need_info" error fits in....
  }