 /**
  * Sends the user back to the URL they asked for before authentication started.
  *
  * <p>The target is read from the session under {@code Pac4jConstants.REQUESTED_URL}
  * and cleared once consumed, so a stale value cannot drive a later redirect. When no
  * value is stored, {@code defaultUrl} is used instead.
  *
  * <p>NOTE(review): this method redirects to whatever the session holds without
  * checking that it is a relative path or a same-origin URL. That is only safe if the
  * code that stores REQUESTED_URL cannot be influenced by a caller (e.g. via the Host
  * header) — confirm where the attribute is written before relying on it.
  *
  * @param context the web context holding the session
  * @return a redirect to the saved URL, or to the default URL when none was saved
  */
 protected Result redirectToOriginallyRequestedUrl(final WebContext context) {
   final Object saved = context.getSessionAttribute(Pac4jConstants.REQUESTED_URL);
   final String target = (String) saved;
   logger.debug("requestedUrl: {}", target);
   if (CommonHelper.isBlank(target)) {
     return redirect(this.defaultUrl);
   }
   // consume the value so a second visit does not replay the same redirect
   context.setSessionAttribute(Pac4jConstants.REQUESTED_URL, null);
   return redirect(target);
 }
 /**
  * Detects the OAuth "user denied" outcome on the callback.
  *
  * <p>The provider reports a cancelled authorization by sending
  * {@code error=access_denied} together with {@code error_reason=user_denied};
  * both parameters must match for the request to count as a cancellation.
  *
  * @param context the callback web context
  * @return {@code true} when the user refused to grant permissions
  */
 @Override
 protected boolean hasBeenCancelled(final WebContext context) {
   final String errorCode = context.getRequestParameter(OAuthCredentialsException.ERROR);
   final String reason = context.getRequestParameter(OAuthCredentialsException.ERROR_REASON);
   final boolean accessDenied = "access_denied".equals(errorCode);
   final boolean userDenied = "user_denied".equals(reason);
   return accessDenied && userDenied;
 }
 /**
  * Verifies that a relay state stored in the session is carried into the SAML
  * redirect form as a hidden {@code RelayState} input.
  */
 @Test
 public void testRelayState() throws HttpAction {
   final SAML2Client client = getClient();
   final MockHttpServletRequest request = new MockHttpServletRequest();
   final MockHttpServletResponse response = new MockHttpServletResponse();
   final WebContext context = new J2EContext(request, response);
   context.setSessionAttribute(SAML2Client.SAML_RELAY_STATE_ATTRIBUTE, "relayState");

   final RedirectAction action = client.getRedirectAction(context);
   final String html = action.getContent();

   // the relay state must be echoed back in the auto-submitted POST form
   final String expectedInput =
       "<input type=\"hidden\" name=\"RelayState\" value=\"relayState\"/>";
   assertTrue(html.contains(expectedInput));
 }
 /**
  * Detects the "user denied" outcome reported by this provider on the callback.
  *
  * <p>A cancellation is recognised only when {@code error=access_denied} arrives with
  * the exact description {@code the+user+denied+your+request}.
  *
  * <p>NOTE(review): the description is compared against a '+'-encoded literal. If the
  * underlying request API decodes '+' to a space (servlet {@code getParameter} does),
  * this branch may never match — confirm against a real denied callback.
  *
  * @param context the callback web context
  * @return {@code true} when the user refused to grant permissions
  */
 @Override
 protected boolean hasBeenCancelled(final WebContext context) {
   final String errorCode = context.getRequestParameter(OAuthCredentialsException.ERROR);
   final String description =
       context.getRequestParameter(OAuthCredentialsException.ERROR_DESCRIPTION);
   if (!"access_denied".equals(errorCode)) {
     return false;
   }
   return "the+user+denied+your+request".equals(description);
 }
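  /**
   * Authorizes the request when the client IP address matches the configured pattern.
   *
   * <p>The address is taken from {@code WebContext.getRemoteAddr()}, i.e. the peer of the
   * connection as seen by this server. Behind a reverse proxy or load balancer that is
   * the proxy's address, not the end user's, so the pattern must be chosen accordingly
   * (forwarding headers such as X-Forwarded-For are not consulted here and must never be
   * trusted without a verified proxy in front).
   *
   * <p>{@code Matcher.matches()} requires the whole address to match, so a pattern like
   * {@code 10\.0\..*} cannot be satisfied by a partial match.
   *
   * @param context the web context
   * @param profile the authenticated profile (unused; the decision is address-based)
   * @return {@code true} if the remote address fully matches the pattern
   */
  @Override
  public boolean isAuthorized(final WebContext context, final UserProfile profile) {
    CommonHelper.assertNotNull("pattern", pattern);

    final String ip = context.getRemoteAddr();
    // a missing address is denied rather than raising a NullPointerException from the matcher
    if (ip == null) {
      return false;
    }
    return this.pattern.matcher(ip).matches();
  }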
  /**
   * Builds CAS credentials from the current request, or handles a CAS logout request.
   *
   * <p>Three cases, checked in this order (mirroring the CAS client's
   * SingleSignOutFilter):
   * <ol>
   *   <li>a ticket request: the service ticket is read from the request, the session
   *       is recorded with the logout handler and the ticket wrapped into
   *       {@code CasCredentials};</li>
   *   <li>a logout request: the session is destroyed and an OK response is signalled
   *       via {@code RequiresHttpAction} — no credentials are produced;</li>
   *   <li>neither: in gateway mode {@code null} is returned, otherwise a
   *       {@code CredentialsException} is thrown.</li>
   * </ol>
   *
   * <p>The ticket is only transported here; nothing in this method validates it against
   * the CAS server. NOTE(review): the logout branch acts on an unauthenticated request
   * (normal for CAS back-channel logout) — the logout handler is presumably matching the
   * session by ticket; verify that before exposing this endpoint widely.
   *
   * @param context the web context
   * @return the CAS credentials, or {@code null} in a gateway round-trip without ticket
   * @throws RequiresHttpAction on a logout request, to end the exchange with an OK response
   * @throws CredentialsException when the request carries neither a ticket nor a logout
   */
  @Override
  protected CasCredentials retrieveCredentials(final WebContext context) throws RequiresHttpAction {

    final boolean isTicketRequest = this.logoutHandler.isTokenRequest(context);
    if (isTicketRequest) {
      final String serviceTicket = context.getRequestParameter(SERVICE_TICKET_PARAMETER);
      this.logoutHandler.recordSession(context, serviceTicket);
      final CasCredentials credentials = new CasCredentials(serviceTicket, getName());
      logger.debug("casCredentials : {}", credentials);
      return credentials;
    }

    final boolean isLogout = this.logoutHandler.isLogoutRequest(context);
    if (isLogout) {
      this.logoutHandler.destroySession(context);
      final String logoutMessage = "logout request : no credential returned";
      logger.debug(logoutMessage);
      throw RequiresHttpAction.ok(logoutMessage, context);
    }

    if (!this.gateway) {
      throw new CredentialsException("No ticket or logout request");
    }
    logger.info("No credential found in this gateway round-trip");
    return null;
  }
  /**
   * Extracts the components of a Digest {@code Authorization} header (RFC 2617).
   *
   * <p>Fields read from the header: {@code username} (the user's name in the realm),
   * {@code realm}, {@code nonce} (server-issued, expected to be unique per 401),
   * {@code uri} (the request URI), {@code qop} (quality of protection),
   * {@code cnonce} (client nonce), {@code nc} (nonce count) and {@code response}
   * (the MD5-based digest the client computed from the password per the RFC 2617
   * rules). The HTTP method is taken from the context because it is part of the
   * digest input.
   *
   * <p>{@code username} and {@code response} are mandatory: without them the client
   * cannot have authenticated with a password, so a {@code CredentialsException} is
   * raised. The other fields are passed through as-is (possibly {@code null}) for the
   * authenticator that verifies the response to check.
   *
   * <p>NOTE(review): this extractor only parses; nonce freshness / replay protection
   * and the digest comparison happen elsewhere. RFC 2617 MD5 digests are weak by
   * modern standards (RFC 7616 adds SHA-256), so prefer TLS and a stronger scheme.
   *
   * @param context the current web context
   * @return the Digest credentials, or {@code null} when no token was present
   * @throws CredentialsException if username or response is missing
   */
  @Override
  public DigestCredentials extract(WebContext context) throws HttpAction {
    final TokenCredentials raw = this.extractor.extract(context);
    if (raw == null) {
      return null;
    }

    final Map<String, String> fields = parseTokenValue(raw.getToken());
    final String username = fields.get("username");
    final String response = fields.get("response");
    if (CommonHelper.isBlank(username) || CommonHelper.isBlank(response)) {
      throw new CredentialsException("Bad format of the digest auth header");
    }

    return new DigestCredentials(
        response,
        context.getRequestMethod(),
        clientName,
        username,
        fields.get("realm"),
        fields.get("nonce"),
        fields.get("uri"),
        fields.get("cnonce"),
        fields.get("nc"),
        fields.get("qop"));
  }
 /**
  * Detects a cancelled OAuth 1.0a authorization: the provider sends a non-blank
  * {@code denied} parameter back to the callback instead of a verifier.
  *
  * @param context the callback web context
  * @return {@code true} when the {@code denied} parameter is present and not blank
  */
 @Override
 protected boolean hasBeenCancelled(final WebContext context) {
   final String deniedToken = context.getRequestParameter("denied");
   return CommonHelper.isNotBlank(deniedToken);
 }
 /**
  * Test-only override that skips the request-token round-trip: a fixed token built
  * from {@code TEST_REQUEST_TOKEN} / {@code TEST_SECRET} is stored in the session and
  * the authorization URL is derived from it.
  *
  * @param context the web context whose session receives the fake request token
  * @return the authorization URL for the fake token
  */
 @Override
 protected String retrieveAuthorizationUrl(WebContext context) {
   // No endpoint to fetch a real request token in tests: fabricate one instead.
   final Token fakeToken = new Token(TEST_REQUEST_TOKEN, TEST_SECRET);
   context.setSessionAttribute(getRequestTokenSessionAttributeName(), fakeToken);

   final String url = getAuthorizationUrl(fakeToken);
   logger.debug("authorizationUrl : {}", url);
   return url;
 }
 /**
  * Returns the SAML {@code RelayState} value: the one stored in the session under
  * {@code SAML_RELAY_STATE_ATTRIBUTE}, or the contextual callback URL when none is set.
  *
  * <p>NOTE(review): whatever is returned here is sent to the identity provider and,
  * for the POST binding, rendered into an HTML form field; make sure the session value
  * is only written by trusted code, or is encoded where it is rendered.
  *
  * @param webContext the web context
  * @return the relay state to send to the identity provider
  */
 @Override
 protected String getStateParameter(WebContext webContext) {
   final Object stored = webContext.getSessionAttribute(SAML_RELAY_STATE_ATTRIBUTE);
   if (stored != null) {
     return (String) stored;
   }
   return getContextualCallbackUrl(webContext);
 }
 /**
  * Always authorizes the request and, as a side effect, adds
  * {@code X-Frame-Options: DENY} to the response so the page cannot be framed
  * (clickjacking defence).
  *
  * <p>The header is only emitted on responses that pass through this authorizer;
  * pages served without it remain frameable. The CSP {@code frame-ancestors}
  * directive is the modern replacement and takes precedence in browsers that
  * support it when both are present.
  *
  * @param context the web context whose response receives the header
  * @param profiles the authenticated profiles (ignored)
  * @return always {@code true}
  */
 @Override
 public boolean isAuthorized(final WebContext context, final List<CommonProfile> profiles)
     throws RequiresHttpAction {
   final String headerName = "X-Frame-Options";
   final String headerValue = "DENY";
   context.setResponseHeader(headerName, headerValue);
   return true;
 }