/**
* Performs actual authentication.
*
* <p>The implementation should do one of the following:
*
* <ol>
* <li>Return a populated authentication token for the authenticated user, indicating successful
* authentication
* <li>Return null, indicating that the authentication process is still in progress. Before
* returning, the implementation should perform any additional work required to complete the
* process.
* <li>Throw an <tt>AuthenticationException</tt> if the authentication process fails
* </ol>
*
* @param request from which to extract parameters and perform the authentication
* @param response the response, which may be needed if the implementation has to do a redirect as
* part of a multi-stage authentication process (such as OpenID).
* @return the authenticated user token, or null if authentication is incomplete.
* @throws org.springframework.security.core.AuthenticationException if authentication fails.
*/
@Override
public Authentication attemptAuthentication(
HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException, ServletException {
String code = null;
if (LOG.isDebugEnabled()) {
String url = request.getRequestURI();
String queryString = request.getQueryString();
LOG.debug("attemptAuthentication on url {}?{}", url, queryString);
}
// request parameters
final Map<String, String[]> parameters = request.getParameterMap();
LOG.debug("Got Parameters: {}", parameters);
// Check to see if there was an error response from the OAuth Provider
checkForErrors(parameters);
// Check state parameter to avoid cross-site-scripting attacks
checkStateParameter(request.getSession(), parameters);
final String codeValues[] = parameters.get(oAuth2ServiceProperties.getCodeParamName());
if (codeValues != null && codeValues.length > 0) {
code = codeValues[0];
LOG.debug("Got code {}", code);
}
OAuth2AuthenticationToken authRequest = new OAuth2AuthenticationToken(code);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
authRequest.setRedirectUri(oAuth2ServiceProperties.getAbsoluteRedirectUri(request));
return this.getAuthenticationManager().authenticate(authRequest);
}
/**
* Provided so that subclasses may configure what is put into the authentication request's details
* property.
*
* @param request that an authentication request is being created for
* @param authRequest the authentication request object that should have its details set
*/
protected void setDetails(HttpServletRequest request, OAuth2AuthenticationToken authRequest) {
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
}
