Example 1 with AuthConstraint

Use of com.peterphi.std.guice.common.auth.annotations.AuthConstraint in the project stdlib by petergeneric.

From the class OAuth2ClientCallbackRestServiceImpl, method callback:

@Override
@AuthConstraint(id = "oauth2_client_callback", skip = true, comment = "Allow non-logged-in users to be redirected to the callback page so they can be logged in")
public Response callback(final String code, final String state, final String error, final String errorText, final String errorUri) {
    final OAuth2SessionRef sessionRef = sessionRefProvider.get();
    // Check the state nonce value and retrieve the returnTo data
    // This ensures that we always warn the user if the nonce value does not match
    final URI redirectTo = sessionRef.getRedirectToFromState(state);
    if (StringUtils.isNotBlank(error)) {
        throw new IllegalArgumentException("The authorisation server failed the authorisation request with error " + error + " with description " + errorText + "." + ((errorUri != null) ? " Additional information can be found at this page: " + errorUri : ""));
    }
    // Now call to exchange the authorisation code for a token
    final String responseStr = remote.getToken(UserManagerOAuthService.GRANT_TYPE_AUTHORIZATION_CODE, code, sessionRef.getOwnCallbackUri().toString(), clientId, clientSecret, null, null, null, null);
    final OAuth2TokenResponse response = OAuth2TokenResponse.decode(responseStr);
    // Store the token information so that it is accessible across the session
    sessionRef.load(response);
    if (redirectTo == null) {
        return Response.seeOther(URI.create("/")).cacheControl(CacheControl.valueOf(NO_CACHE)).build();
    } else {
        return Response.seeOther(redirectTo).cacheControl(CacheControl.valueOf(NO_CACHE)).build();
    }
}
Also used : OAuth2SessionRef(com.peterphi.std.guice.web.rest.auth.oauth2.OAuth2SessionRef) OAuth2TokenResponse(com.peterphi.usermanager.rest.iface.oauth2server.types.OAuth2TokenResponse) URI(java.net.URI) AuthConstraint(com.peterphi.std.guice.common.auth.annotations.AuthConstraint)

Example 2 with AuthConstraint

Use of com.peterphi.std.guice.common.auth.annotations.AuthConstraint in the project stdlib by petergeneric.

From the class UserManagerOAuthServiceImpl, method getAuth:

@Override
@AuthConstraint(id = "oauth2server_auth", role = "authenticated", comment = "Must be logged in to the User Manager to initiate a service login")
@Retry
public Response getAuth(final String responseType, final String clientId, final String redirectUri, final String state, final String scope) {
    // Has the current user approved this client+scope before? If so just redirect straight back
    // Otherwise, bring up the authorisation UI
    final Response response = createSessionAndRedirect(responseType, clientId, redirectUri, state, scope, autoGrantInteractiveAccessToAllServices);
    if (response != null) {
        return response;
    } else {
        final OAuthServiceEntity client = serviceDao.getByClientIdAndEndpoint(clientId, redirectUri);
        if (client == null)
            throw new IllegalArgumentException("Unknown client_id=" + clientId + " or invalid redirect uri for this service: " + redirectUri);
        final TemplateCall call = templater.template("connect_to_service");
        SessionNonceStore nonceStore = nonceStoreProvider.get();
        // Provide additional client information
        call.set("client", client);
        call.set("nonce", nonceStore.allocate());
        // Scopes as a list
        if (StringUtils.isBlank(scope))
            call.set("scopes", Collections.emptyList());
        else
            call.set("scopes", Arrays.asList(StringUtils.trimToEmpty(scope).split(" ")));
        // Copy the request info
        call.set("clientId", client.getId());
        call.set("responseType", responseType);
        call.set("redirectUri", redirectUri);
        call.set("scope", scope);
        call.set("state", state);
        return call.process(Response.ok().type(MediaType.APPLICATION_XML).cacheControl(CacheControl.valueOf(NO_CACHE)));
    }
}
Also used : OAuth2TokenResponse(com.peterphi.usermanager.rest.iface.oauth2server.types.OAuth2TokenResponse) Response(javax.ws.rs.core.Response) OAuthServiceEntity(com.peterphi.usermanager.db.entity.OAuthServiceEntity) SessionNonceStore(com.peterphi.usermanager.guice.nonce.SessionNonceStore) TemplateCall(com.peterphi.std.guice.web.rest.templating.TemplateCall) AuthConstraint(com.peterphi.std.guice.common.auth.annotations.AuthConstraint) Retry(com.peterphi.std.guice.common.retry.annotation.Retry)

Example 3 with AuthConstraint

Use of com.peterphi.std.guice.common.auth.annotations.AuthConstraint in the project stdlib by petergeneric.

From the class ImpersonationService, method impersonate:

@AuthConstraint(id = "impersonation", role = UserLogin.ROLE_ADMIN, comment = "only admins can impersonate other users")
public String impersonate(final int userId) {
    final UserLogin currentUser = userProvider.get();
    final UserEntity newUser = authenticationService.getById(userId);
    log.info("Admin user " + currentUser.getId() + " (" + currentUser.getEmail() + ") is changing their session to impersonate user " + newUser.getId() + " (" + newUser.getEmail() + ")");
    currentUser.reload(newUser);
    return newUser.getSessionReconnectKey();
}
Also used : UserEntity(com.peterphi.usermanager.db.entity.UserEntity) AuthConstraint(com.peterphi.std.guice.common.auth.annotations.AuthConstraint)

Example 4 with AuthConstraint

Use of com.peterphi.std.guice.common.auth.annotations.AuthConstraint in the project stdlib by petergeneric.

From the class LoginUIServiceImpl, method getLogin:

@Override
@AuthConstraint(skip = true, comment = "login page")
public String getLogin(String returnTo, String errorText) {
    if (login.isLoggedIn()) {
        throw new IllegalArgumentException("You are already logged in!");
    } else {
        TemplateCall call = templater.template("login");
        call.set("allowAnonymousRegistration", allowAnonymousRegistration);
        call.set("returnTo", returnTo);
        call.set("errorText", errorText);
        return call.process();
    }
}
Also used : TemplateCall(com.peterphi.std.guice.web.rest.templating.TemplateCall) AuthConstraint(com.peterphi.std.guice.common.auth.annotations.AuthConstraint)

Example 5 with AuthConstraint

Use of com.peterphi.std.guice.common.auth.annotations.AuthConstraint in the project stdlib by petergeneric.

From the class UserUIServiceImpl, method deleteUser:

@Override
@Transactional
@AuthConstraint(role = UserLogin.ROLE_ADMIN)
public Response deleteUser(final int userId, final String nonce) {
    nonceStore.validate(NONCE_USE, nonce);
    final int localUser = login.getId();
    accountDao.deleteById(userId);
    if (localUser == userId) {
        // Invalidate the current session
        login.clear();
        return Response.seeOther(URI.create("/logout")).build();
    } else {
        // Redirect back to the user list page
        return Response.seeOther(URI.create("/users")).build();
    }
}
Also used : AuthConstraint(com.peterphi.std.guice.common.auth.annotations.AuthConstraint) Transactional(com.peterphi.std.guice.database.annotation.Transactional)

Aggregations

AuthConstraint (com.peterphi.std.guice.common.auth.annotations.AuthConstraint)11 Transactional (com.peterphi.std.guice.database.annotation.Transactional)4 TemplateCall (com.peterphi.std.guice.web.rest.templating.TemplateCall)4 UserEntity (com.peterphi.usermanager.db.entity.UserEntity)4 AuthenticationFailureException (com.peterphi.usermanager.guice.authentication.AuthenticationFailureException)2 OAuth2TokenResponse (com.peterphi.usermanager.rest.iface.oauth2server.types.OAuth2TokenResponse)2 Response (javax.ws.rs.core.Response)2 AuthScope (com.peterphi.std.guice.common.auth.AuthScope)1 CurrentUser (com.peterphi.std.guice.common.auth.iface.CurrentUser)1 Retry (com.peterphi.std.guice.common.retry.annotation.Retry)1 WebQuery (com.peterphi.std.guice.restclient.jaxb.webquery.WebQuery)1 OAuth2SessionRef (com.peterphi.std.guice.web.rest.auth.oauth2.OAuth2SessionRef)1 OAuthServiceEntity (com.peterphi.usermanager.db.entity.OAuthServiceEntity)1 RoleEntity (com.peterphi.usermanager.db.entity.RoleEntity)1 SessionNonceStore (com.peterphi.usermanager.guice.nonce.SessionNonceStore)1 URI (java.net.URI)1 HttpSession (javax.servlet.http.HttpSession)1 NewCookie (javax.ws.rs.core.NewCookie)1