private Response handleBasicAuthFailure() throws OAuthSystemException {
   OAuthResponse response =
       OAuthASResponse.errorResponse(HttpServletResponse.SC_UNAUTHORIZED)
           .setError(OAuth2ErrorCodes.INVALID_CLIENT)
           .setErrorDescription("Client Authentication failed.")
           .buildJSONMessage();
   return Response.status(response.getResponseStatus())
       .header(OAuthConstants.HTTP_RESP_HEADER_AUTHENTICATE, EndpointUtil.getRealmInfo())
       .entity(response.getBody())
       .build();
 }
  private Response handleSQLError() throws OAuthSystemException {
    OAuthResponse response =
        OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_GATEWAY)
            .setError(OAuth2ErrorCodes.SERVER_ERROR)
            .setErrorDescription("Service Unavailable Error.")
            .buildJSONMessage();

    return Response.status(response.getResponseStatus())
        .header(OAuthConstants.HTTP_RESP_HEADER_AUTHENTICATE, EndpointUtil.getRealmInfo())
        .entity(response.getBody())
        .build();
  }
示例#3
0
  @RequestMapping("/oAuthLogin")
  public ModelAndView oAuthLogin(HttpServletRequest request)
      throws OAuthProblemException, OAuthSystemException {
    ModelAndView mav = new ModelAndView();
    OAuthAuthzRequest oAuthzRequest = new OAuthAuthzRequest(request);
    String username = oAuthzRequest.getParam(OAuth.OAUTH_USERNAME);
    String state = oAuthzRequest.getState();
    // 生成授权码
    String authCode = null;
    String responseType = oAuthzRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE);
    // ResponseType仅支持CODE和TOKEN
    if (responseType.equals(ResponseType.CODE.toString())) {
      OAuthIssuerImpl oAuthIssuerImpl = new OAuthIssuerImpl(new MD5Generator());
      authCode = oAuthIssuerImpl.authorizationCode();
      oAuthService.addAuthCode(authCode, username);
    }
    // 构建OAuth响应
    OAuthASResponse.OAuthAuthorizationResponseBuilder builder =
        OAuthASResponse.authorizationResponse(request, HttpServletResponse.SC_FOUND);
    // 设置授权码
    builder.setCode(authCode);

    // 获取客户端重定向地址
    String redirectURI = oAuthzRequest.getParam(OAuth.OAUTH_REDIRECT_URI);

    // 构建响应
    OAuthResponse response = builder.location(redirectURI).buildBodyMessage();
    // 根据OAuthResponse返回ResponseEntity响应
    HttpHeaders headers = new HttpHeaders();
    try {
      headers.setLocation(new URI(response.getLocationUri()));
      //			return new ResponseEntity<>(headers, HttpStatus.valueOf(response.getResponseStatus()));
    } catch (URISyntaxException e) {
      e.printStackTrace();
    }
    mav.addObject(OAuth.OAUTH_CODE, authCode);
    mav.addObject(OAuth.OAUTH_STATE, state);
    mav.setViewName("redirect:" + redirectURI);
    return mav;
  }
  @POST
  @Path("/")
  @Consumes("application/x-www-form-urlencoded")
  @Produces("application/json")
  public Response issueAccessToken(
      @Context HttpServletRequest request, MultivaluedMap<String, String> paramMap)
      throws OAuthSystemException {

    try {
      PrivilegedCarbonContext.startTenantFlow();
      PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
      carbonContext.setTenantId(MultitenantConstants.SUPER_TENANT_ID);
      carbonContext.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);

      HttpServletRequestWrapper httpRequest = new OAuthRequestWrapper(request, paramMap);

      if (log.isDebugEnabled()) {
        logAccessTokenRequest(httpRequest);
      }

      // extract the basic auth credentials if present in the request and use for
      // authentication.
      if (request.getHeader(OAuthConstants.HTTP_REQ_HEADER_AUTHZ) != null) {

        try {
          String[] clientCredentials =
              EndpointUtil.extractCredentialsFromAuthzHeader(
                  request.getHeader(OAuthConstants.HTTP_REQ_HEADER_AUTHZ));

          // The client MUST NOT use more than one authentication method in each request
          if (paramMap.containsKey(OAuth.OAUTH_CLIENT_ID)
              && paramMap.containsKey(OAuth.OAUTH_CLIENT_SECRET)) {
            return handleBasicAuthFailure();
          }

          // If a client sends an invalid base64 encoded clientid:clientsecret value, it results in
          // this
          // array to only contain 1 element. This happens on specific errors though.
          if (clientCredentials.length != 2) {
            return handleBasicAuthFailure();
          }

          // add the credentials available in Authorization header to the parameter map
          paramMap.add(OAuth.OAUTH_CLIENT_ID, clientCredentials[0]);
          paramMap.add(OAuth.OAUTH_CLIENT_SECRET, clientCredentials[1]);

        } catch (OAuthClientException e) {
          // malformed credential string is considered as an auth failure.
          log.error("Error while extracting credentials from authorization header", e);
          return handleBasicAuthFailure();
        }
      }

      try {
        CarbonOAuthTokenRequest oauthRequest = new CarbonOAuthTokenRequest(httpRequest);
        // exchange the access token for the authorization grant.
        OAuth2AccessTokenRespDTO oauth2AccessTokenResp = getAccessToken(oauthRequest);
        // if there BE has returned an error
        if (oauth2AccessTokenResp.getErrorMsg() != null) {
          // if there is an auth failure, HTTP 401 Status Code should be sent back to the client.
          if (OAuth2ErrorCodes.INVALID_CLIENT.equals(oauth2AccessTokenResp.getErrorCode())) {
            return handleBasicAuthFailure();
          } else if ("sql_error".equals(oauth2AccessTokenResp.getErrorCode())) {
            return handleSQLError();
          } else if (OAuth2ErrorCodes.SERVER_ERROR.equals(oauth2AccessTokenResp.getErrorCode())) {
            return handleServerError();
          } else {
            // Otherwise send back HTTP 400 Status Code
            OAuthResponse.OAuthErrorResponseBuilder oAuthErrorResponseBuilder =
                OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST)
                    .setError(oauth2AccessTokenResp.getErrorCode())
                    .setErrorDescription(oauth2AccessTokenResp.getErrorMsg());
            OAuthResponse response = oAuthErrorResponseBuilder.buildJSONMessage();

            ResponseHeader[] headers = oauth2AccessTokenResp.getResponseHeaders();
            ResponseBuilder respBuilder = Response.status(response.getResponseStatus());

            if (headers != null && headers.length > 0) {
              for (int i = 0; i < headers.length; i++) {
                if (headers[i] != null) {
                  respBuilder.header(headers[i].getKey(), headers[i].getValue());
                }
              }
            }

            return respBuilder.entity(response.getBody()).build();
          }
        } else {
          OAuthTokenResponseBuilder oAuthRespBuilder =
              OAuthASResponse.tokenResponse(HttpServletResponse.SC_OK)
                  .setAccessToken(oauth2AccessTokenResp.getAccessToken())
                  .setRefreshToken(oauth2AccessTokenResp.getRefreshToken())
                  .setExpiresIn(Long.toString(oauth2AccessTokenResp.getExpiresIn()))
                  .setTokenType(BEARER);
          oAuthRespBuilder.setScope(oauth2AccessTokenResp.getAuthorizedScopes());

          // OpenID Connect ID token
          if (oauth2AccessTokenResp.getIDToken() != null) {
            oAuthRespBuilder.setParam(OAuthConstants.ID_TOKEN, oauth2AccessTokenResp.getIDToken());
          }
          OAuthResponse response = oAuthRespBuilder.buildJSONMessage();
          ResponseHeader[] headers = oauth2AccessTokenResp.getResponseHeaders();
          ResponseBuilder respBuilder =
              Response.status(response.getResponseStatus())
                  .header(
                      OAuthConstants.HTTP_RESP_HEADER_CACHE_CONTROL,
                      OAuthConstants.HTTP_RESP_HEADER_VAL_CACHE_CONTROL_NO_STORE)
                  .header(
                      OAuthConstants.HTTP_RESP_HEADER_PRAGMA,
                      OAuthConstants.HTTP_RESP_HEADER_VAL_PRAGMA_NO_CACHE);

          if (headers != null && headers.length > 0) {
            for (int i = 0; i < headers.length; i++) {
              if (headers[i] != null) {
                respBuilder.header(headers[i].getKey(), headers[i].getValue());
              }
            }
          }

          return respBuilder.entity(response.getBody()).build();
        }

      } catch (OAuthProblemException e) {
        log.error("Error while creating the Carbon OAuth token request", e);
        OAuthResponse res =
            OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST)
                .error(e)
                .buildJSONMessage();
        return Response.status(res.getResponseStatus()).entity(res.getBody()).build();
      }

    } finally {
      PrivilegedCarbonContext.endTenantFlow();
    }
  }
示例#5
0
  /**
   * 用户访问客户端,后者将前者导向认证服务器。此为认证服务器,判断是否授权
   *
   * @param request HttpServletRequest
   * @return 重定向URI redirectURI & 授权码 authCode & 当前状态 state
   * @throws OAuthSystemException
   * @throws OAuthProblemException
   */
  @RequestMapping("/authorize")
  public ModelAndView Authorize(HttpServletRequest request)
      throws OAuthSystemException, OAuthProblemException {
    ModelAndView mav = new ModelAndView();
    /*
    String username, String webKey, String scope, String state,String diasplay
    构建OAuth请求
    */
    OAuthAuthzRequest oAuthzRequest = new OAuthAuthzRequest(request);
    // 获取OAuth客户端Id
    String clientId = oAuthzRequest.getClientId();
    // 校验客户端Id是否正确
    if (!oAuthService.checkClientId(clientId)) {
      OAuthResponse oAuthResponse =
          OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST)
              .setError(OAuthError.TokenResponse.INVALID_CLIENT)
              .setErrorDescription("无效的客户端Id")
              .buildJSONMessage();
      mav.addObject(OAuth2Constants.OAUTH_AUTHORIZE_FAILED_KEY, "无效的客户端Id");
      mav.setViewName("forward:/oauth2/authorizefailed");
      return mav;
      //			return new ResponseEntity(oAuthResponse.getBody(),
      // HttpStatus.valueOf(oAuthResponse.getResponseStatus()));
    }

    String username = "******";
    String state = oAuthzRequest.getState();
    // 生成授权码
    String authCode = null;
    String responseType = oAuthzRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE);
    // ResponseType仅支持CODE和TOKEN
    if (responseType.equals(ResponseType.CODE.toString())) {
      OAuthIssuerImpl oAuthIssuerImpl = new OAuthIssuerImpl(new MD5Generator());
      authCode = oAuthIssuerImpl.authorizationCode();
      oAuthService.addAuthCode(authCode, username);
    }

    // 构建OAuth响应
    OAuthASResponse.OAuthAuthorizationResponseBuilder builder =
        OAuthASResponse.authorizationResponse(request, HttpServletResponse.SC_FOUND);

    // 设置授权码
    builder.setCode(authCode);

    // 获取客户端重定向地址
    String redirectURI = oAuthzRequest.getParam(OAuth.OAUTH_REDIRECT_URI);

    // 构建响应
    OAuthResponse response = builder.location(redirectURI).buildBodyMessage();
    // 根据OAuthResponse返回ResponseEntity响应
    HttpHeaders headers = new HttpHeaders();
    try {
      headers.setLocation(new URI(response.getLocationUri()));
      //			return new ResponseEntity<>(headers, HttpStatus.valueOf(response.getResponseStatus()));
    } catch (URISyntaxException e) {
      e.printStackTrace();
    }
    mav.addObject(OAuth.OAUTH_CODE, authCode);
    mav.addObject(OAuth.OAUTH_STATE, state);
    mav.setViewName("redirect:" + redirectURI);
    return mav;
  }