public Result callback() {
final PlayWebContext context = new PlayWebContext(ctx(), config.getSessionStore());
CommonHelper.assertNotNull("config", config);
CommonHelper.assertNotNull("config.httpActionAdapter", config.getHttpActionAdapter());
final Clients clients = config.getClients();
CommonHelper.assertNotNull("clients", clients);
final Client client = clients.findClient(context);
logger.debug("client: {}", client);
CommonHelper.assertNotNull("client", client);
CommonHelper.assertTrue(
client instanceof IndirectClient, "only indirect clients are allowed on the callback url");
final Credentials credentials;
try {
credentials = client.getCredentials(context);
} catch (final RequiresHttpAction e) {
return (Result) config.getHttpActionAdapter().adapt(e.getCode(), context);
}
logger.debug("credentials: {}", credentials);
final UserProfile profile = client.getUserProfile(credentials, context);
logger.debug("profile: {}", profile);
saveUserProfile(context, profile);
return redirectToOriginallyRequestedUrl(context);
}
public CompletionStage<Result> internalCall(
final Context ctx, final String clients, final String authorizers, final boolean multiProfile)
throws Throwable {
assertNotNull("securityLogic", securityLogic);
assertNotNull("config", config);
final PlayWebContext playWebContext = new PlayWebContext(ctx, sessionStore);
final HttpActionAdapter actionAdapter = config.getHttpActionAdapter();
return CompletableFuture.supplyAsync(
() -> {
return securityLogic.perform(
playWebContext,
config,
(webCtx, parameters) -> {
// when called from Scala
if (delegate == null) {
return null;
} else {
return delegate.call(ctx).toCompletableFuture().get();
}
},
actionAdapter,
clients,
authorizers,
null,
multiProfile);
},
ec.current());
}
@Override
public boolean isAuthorized(
final WebContext context,
final UserProfile profile,
final String authorizerName,
final Map<String, Authorizer> authorizersMap) {
final List<Authorizer> authorizers = new ArrayList<>();
// if we have an authorizer name (which may be a list of authorizer names)
if (CommonHelper.isNotBlank(authorizerName)) {
final String[] names = authorizerName.split(Pac4jConstants.ELEMENT_SEPRATOR);
final int nb = names.length;
for (int i = 0; i < nb; i++) {
final String name = names[i];
if ("hsts".equalsIgnoreCase(name)) {
authorizers.add(STRICT_TRANSPORT_SECURITY_HEADER);
} else if ("nosniff".equalsIgnoreCase(name)) {
authorizers.add(X_CONTENT_TYPE_OPTIONS_HEADER);
} else if ("noframe".equalsIgnoreCase(name)) {
authorizers.add(X_FRAME_OPTIONS_HEADER);
} else if ("xssprotection".equalsIgnoreCase(name)) {
authorizers.add(XSS_PROTECTION_HEADER);
} else if ("nocache".equalsIgnoreCase(name)) {
authorizers.add(CACHE_CONTROL_HEADER);
} else if ("securityheaders".equalsIgnoreCase(name)) {
authorizers.add(CACHE_CONTROL_HEADER);
authorizers.add(X_CONTENT_TYPE_OPTIONS_HEADER);
authorizers.add(STRICT_TRANSPORT_SECURITY_HEADER);
authorizers.add(X_FRAME_OPTIONS_HEADER);
authorizers.add(XSS_PROTECTION_HEADER);
} else if ("csrfToken".equalsIgnoreCase(name)) {
authorizers.add(CSRF_TOKEN_GENERATOR_AUTHORIZER);
} else if ("csrfCheck".equalsIgnoreCase(name)) {
authorizers.add(CSRF_AUTHORIZER);
} else if ("csrf".equalsIgnoreCase(name)) {
authorizers.add(CSRF_TOKEN_GENERATOR_AUTHORIZER);
authorizers.add(CSRF_AUTHORIZER);
} else {
// we must have authorizers
CommonHelper.assertNotNull("authorizersMap", authorizersMap);
final Authorizer result = authorizersMap.get(name);
// we must have an authorizer defined for this name
CommonHelper.assertNotNull("authorizersMap['" + name + "']", result);
authorizers.add(result);
}
}
}
return isAuthorized(context, profile, authorizers);
}
@Override
public boolean isAuthorized(final WebContext context, final UserProfile profile) {
CommonHelper.assertNotNull("pattern", pattern);
final String ip = context.getRemoteAddr();
return this.pattern.matcher(ip).matches();
}
@Override
protected void internalInit(final WebContext context) {
super.internalInit(context);
CommonHelper.assertNotNull("scope", this.scope);
if (this.scope == Google2Scope.EMAIL) {
this.scopeValue = this.EMAIL_SCOPE;
} else if (this.scope == Google2Scope.PROFILE) {
this.scopeValue = this.PROFILE_SCOPE;
} else {
this.scopeValue = this.PROFILE_SCOPE + " " + this.EMAIL_SCOPE;
}
this.service =
new StateOAuth20ServiceImpl(
new GoogleApi20(),
new OAuthConfig(
this.key,
this.secret,
computeFinalCallbackUrl(context),
SignatureType.Header,
this.scopeValue,
null),
this.connectTimeout,
this.readTimeout,
this.proxyHost,
this.proxyPort,
false,
true);
}
@Override
public boolean isAuthorized(
final WebContext context, final UserProfile profile, final List<Authorizer> authorizers) {
// authorizations check comes after authentication and profile must not be null
CommonHelper.assertNotNull("profile", profile);
if (authorizers != null && authorizers.size() > 0) {
// check authorizations using authorizers: all must be satisfied
for (Authorizer authorizer : authorizers) {
if (!authorizer.isAuthorized(context, profile)) {
return false;
}
}
}
return true;
}
@Override
protected void internalInit() {
CommonHelper.assertNotBlank("callbackUrl", this.callbackUrl);
CommonHelper.assertNotNull("logoutHandler", this.logoutHandler);
if (CommonHelper.isBlank(this.casLoginUrl) && CommonHelper.isBlank(this.casPrefixUrl)) {
throw new TechnicalException("casLoginUrl and casPrefixUrl cannot be both blank");
}
if (this.casPrefixUrl != null && !this.casPrefixUrl.endsWith("/")) {
this.casPrefixUrl += "/";
}
if (CommonHelper.isBlank(this.casPrefixUrl)) {
this.casPrefixUrl = this.casLoginUrl.replaceFirst("/login", "/");
} else if (CommonHelper.isBlank(this.casLoginUrl)) {
this.casLoginUrl = this.casPrefixUrl + "login";
}
if (this.casProtocol == CasProtocol.CAS10) {
this.ticketValidator = new Cas10TicketValidator(this.casPrefixUrl);
} else if (this.casProtocol == CasProtocol.CAS20) {
this.ticketValidator = new Cas20ServiceTicketValidator(this.casPrefixUrl);
if (this.casProxyReceptor != null) {
final Cas20ServiceTicketValidator cas20ServiceTicketValidator =
(Cas20ServiceTicketValidator) this.ticketValidator;
cas20ServiceTicketValidator.setProxyCallbackUrl(this.casProxyReceptor.getCallbackUrl());
cas20ServiceTicketValidator.setProxyGrantingTicketStorage(
this.casProxyReceptor.getProxyGrantingTicketStorage());
}
} else if (this.casProtocol == CasProtocol.CAS20_PROXY) {
this.ticketValidator = new Cas20ProxyTicketValidator(this.casPrefixUrl);
final Cas20ProxyTicketValidator cas20ProxyTicketValidator =
(Cas20ProxyTicketValidator) this.ticketValidator;
cas20ProxyTicketValidator.setAcceptAnyProxy(this.acceptAnyProxy);
cas20ProxyTicketValidator.setAllowedProxyChains(this.allowedProxyChains);
if (this.casProxyReceptor != null) {
cas20ProxyTicketValidator.setProxyCallbackUrl(this.casProxyReceptor.getCallbackUrl());
cas20ProxyTicketValidator.setProxyGrantingTicketStorage(
this.casProxyReceptor.getProxyGrantingTicketStorage());
}
} else if (this.casProtocol == CasProtocol.SAML) {
this.ticketValidator = new Saml11TicketValidator(this.casPrefixUrl);
}
}
@Override
public void afterPropertiesSet() {
super.afterPropertiesSet();
CommonHelper.assertNotNull("clients", this.clients);
this.clients.init();
}
@Override
public R perform(
final C context,
final Config config,
final HttpActionAdapter<R, C> httpActionAdapter,
final String inputDefaultUrl,
final Boolean inputMultiProfile,
final Boolean inputRenewSession) {
logger.debug("=== CALLBACK ===");
// default values
final String defaultUrl;
if (inputDefaultUrl == null) {
defaultUrl = Pac4jConstants.DEFAULT_URL_VALUE;
} else {
defaultUrl = inputDefaultUrl;
}
final boolean multiProfile;
if (inputMultiProfile == null) {
multiProfile = false;
} else {
multiProfile = inputMultiProfile;
}
final boolean renewSession;
if (inputRenewSession == null) {
renewSession = true;
} else {
renewSession = inputRenewSession;
}
// checks
assertNotNull("context", context);
assertNotNull("config", config);
assertNotNull("httpActionAdapter", httpActionAdapter);
assertNotBlank(Pac4jConstants.DEFAULT_URL, defaultUrl);
final Clients clients = config.getClients();
assertNotNull("clients", clients);
// logic
final Client client = clients.findClient(context);
logger.debug("client: {}", client);
assertNotNull("client", client);
assertTrue(
client instanceof IndirectClient, "only indirect clients are allowed on the callback url");
HttpAction action;
try {
final Credentials credentials = client.getCredentials(context);
logger.debug("credentials: {}", credentials);
final CommonProfile profile = client.getUserProfile(credentials, context);
logger.debug("profile: {}", profile);
saveUserProfile(context, profile, multiProfile, renewSession);
action = redirectToOriginallyRequestedUrl(context, defaultUrl);
} catch (final HttpAction e) {
logger.debug("extra HTTP action required in callback: {}", e.getCode());
action = e;
}
return httpActionAdapter.adapt(action.getCode(), context);
}
public void setConfiguration(final OAuth20Configuration configuration) {
CommonHelper.assertNotNull("configuration", configuration);
this.configuration = configuration;
this.configuration.setClient(this);
}
public void setAuthorizationGenerators(
final List<AuthorizationGenerator<U>> authorizationGenerators) {
CommonHelper.assertNotNull("authorizationGenerators", authorizationGenerators);
this.authorizationGenerators = authorizationGenerators;
}
public void addAuthorizationGenerator(final AuthorizationGenerator<U> authorizationGenerator) {
CommonHelper.assertNotNull("authorizationGenerator", authorizationGenerator);
this.authorizationGenerators.add(authorizationGenerator);
}
public void setAuthorizationGenerators(
final AuthorizationGenerator<U>... authorizationGenerators) {
CommonHelper.assertNotNull("authorizationGenerators", authorizationGenerators);
this.authorizationGenerators = Arrays.asList(authorizationGenerators);
}
