private void setAuthorization(
TokenGrantInfo tokenGrantInfo, HttpServletRequest request, HttpServletResponse response)
throws OAuthProblemException {
isAuthorized = false;
checkTokenCurrentAndNotExpired(tokenGrantInfo);
OAuth2RSEndpoint requestEndpoint = findEndpointForRequest(request);
if (grantScopeMatchesRequest(tokenGrantInfo, requestEndpoint)) {
log.info("Verified token " + tokenGrantInfo.getAccessToken());
isAuthorized = true;
// If client has no refresh token and token is within the threshold time of expiring, push out
// expiry time
if ((!tokenGrantInfo.getHasRefreshToken())
&& tokenCloseToExpiring(tokenGrantInfo)
&& response != null) {
log.info("Requesting token expiry time be extended");
Optional<AccessTokenExpiryInfo> newExpiryInfo =
authService.extendAccessTokenExpirySeconds(tokenGrantInfo.getAccessToken());
if (newExpiryInfo.isPresent()) {
Map<String, Object> entries = Maps.newHashMap();
String accessTimeRemaining = newExpiryInfo.get().getAccessTokenTimeRemaining();
entries.put(OAuth.OAUTH_EXPIRES_IN, accessTimeRemaining);
log.info("Token will now expire in " + accessTimeRemaining + " seconds");
response.setHeader(OAuth.HeaderType.AUTHORIZATION, OAuthUtils.encodeOAuthHeader(entries));
}
}
return;
}
log.info("Could not find grant scope matching request");
throw OAuthProblemException.error(OAuthError.ResourceResponse.INSUFFICIENT_SCOPE);
}
public OAuth2RSDecision(
String realm, String token, HttpServletRequest request, HttpServletResponse response)
throws OAuthProblemException {
token = trimAccessToken(token);
log.info("Processing decision on access token " + token);
Optional<TokenGrantInfo> tokenGrantInfoFound;
authService = getAuthService();
tokenGrantInfoFound = authService.getTokenGrantInfoByAccessToken(token);
if (tokenGrantInfoFound.isPresent()) {
log.info("Found match for token " + token);
TokenGrantInfo tokenGrantInfo = tokenGrantInfoFound.get();
this.oAuthClient = new OAuth2RSClient(tokenGrantInfo.getGrantClientIdentifier());
this.principal =
new OAuth2RSPrincipal(
tokenGrantInfo.getGrantUserPrimaryIdentifier() != null
? tokenGrantInfo.getGrantUserPrimaryIdentifier()
: tokenGrantInfo.getGrantUsername());
setAuthorization(tokenGrantInfo, request, response);
} else {
log.info("Invalid token " + token);
this.isAuthorized = false;
this.oAuthClient = getDefaultClient();
this.principal = getDefaultPrincipal(request);
throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
}
}
@Override
public void validateMethod(HttpServletRequest request) throws OAuthProblemException {
String method = request.getMethod();
if (!OAuth.HttpMethod.GET.equals(method) && !OAuth.HttpMethod.POST.equals(method)) {
throw OAuthProblemException.error(OAuthError.CodeResponse.INVALID_REQUEST)
.description("Method not correct.");
}
}
private void checkTokenCurrentAndNotExpired(TokenGrantInfo tokenGrantInfo)
throws OAuthProblemException {
Optional<DateTime> expiryDate = getTokenExpiryDate(tokenGrantInfo);
if ((expiryDate.isPresent() && expiryDate.get().isBeforeNow())
|| (!tokenGrantInfo.getGrantCurrent())) {
log.warning("Attempt to use expired or superseded token " + tokenGrantInfo.getAccessToken());
throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
}
}
private boolean tokenCloseToExpiring(TokenGrantInfo tokenGrantInfo) throws OAuthProblemException {
Optional<DateTime> expiryDate = getTokenExpiryDate(tokenGrantInfo);
Integer expiryThreshold = Resources.getTokenExpiryExtensionThreshold();
if (expiryThreshold == null) {
log.severe("Access token expiry threshold null");
throw OAuthProblemException.error(SERVER_ERROR);
}
return (expiryDate.isPresent() && expiryDate.get().minusSeconds(expiryThreshold).isBeforeNow());
}
private Optional<DateTime> getTokenExpiryDate(TokenGrantInfo tokenGrantInfo)
throws OAuthProblemException {
if (!tokenGrantInfo.getAccessTokenExpires()) {
// Token does not expire
if (tokenGrantInfo.getGrantClientTokensMustExpire()) {
throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
}
return Optional.absent();
}
int expirySeconds;
try {
expirySeconds = Integer.parseInt(tokenGrantInfo.getAccessTokenExpiry());
} catch (NumberFormatException e) {
log.warning("NumberFormatException during token check: " + e);
throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
}
return Optional.of(
new DateTime(tokenGrantInfo.getGrantTimeStamp()).plusSeconds(Math.abs(expirySeconds)));
}
private OAuth2RSEndpoint findEndpointForRequest(HttpServletRequest request)
throws OAuthProblemException {
Optional<OAuth2RSEndpoint> requestEndpointFound = authService.getEndpointForRequest(request);
if (!requestEndpointFound.isPresent()) {
log.severe(
"Could not find endpoint matching "
+ request.getMethod()
+ " request for: "
+ request.getRequestURL().toString());
throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_REQUEST);
}
return requestEndpointFound.get();
}
// Manually get OAuth2RSAuthService bean; it can't be injected as these classes can't be managed
// CDI beans
// because of Apache Amber library code
private OAuth2RSAuthService getAuthService() throws OAuthProblemException {
try {
BeanManager beanManager = (BeanManager) new InitialContext().lookup("java:comp/BeanManager");
Bean<OAuth2RSAuthService> bean =
(Bean<OAuth2RSAuthService>)
beanManager.getBeans(OAuth2RSAuthService.class).iterator().next();
CreationalContext<OAuth2RSAuthService> context = beanManager.createCreationalContext(bean);
return (OAuth2RSAuthService)
beanManager.getReference(bean, OAuth2RSAuthService.class, context);
} catch (NamingException e) {
log.severe("JNDI error with OAuth2 Auth Service: " + e.getMessage());
throw OAuthProblemException.error(SERVER_ERROR);
}
}
private boolean grantScopeMatchesRequest(
TokenGrantInfo tokenGrantInfo, OAuth2RSEndpoint requestEndpoint)
throws OAuthProblemException {
Set<String> grantScopes = tokenGrantInfo.getGrantScopeNames();
if (grantScopes.isEmpty()) {
log.severe("No scopes associated with token grant");
throw OAuthProblemException.error(SERVER_ERROR);
}
for (String scopeName : grantScopes) {
Set<OAuth2RSEndpoint> scopeEndpoints = authService.getEndpointsForScopeName(scopeName);
if (scopeEndpoints == null) {
log.severe("No endpoints associated with scope");
throw OAuthProblemException.error(SERVER_ERROR);
}
for (OAuth2RSEndpoint scopeEndpoint : scopeEndpoints) {
if (requestEndpoint.equals(scopeEndpoint)) {
log.info(
"Endpoint " + requestEndpoint.getEndpointUrl() + " matches grant scope " + scopeName);
return true;
}
}
}
return false;
}
