
Example 6 with OA2SE

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa.

the class OA2AuthorizedServlet method CheckIdTokenHint.

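/**
 * Handles the {@code id_token_hint} parameter. A previous request to the token endpoint returned an
 * ID token; if the client sends it to this endpoint, we check that there is an active logon for the
 * user it names (= a transaction for that username exists in this store) and that the token was
 * issued to the client that owns that transaction. On success the response status is set to
 * {@code SC_OK} and no body is written. Every other outcome is signalled by an exception.
 *
 * @param httpServletRequest  the incoming request; only consulted further when it carries {@code ID_TOKEN_HINT}
 * @param httpServletResponse the response whose status is set to {@code SC_OK} when the hint is accepted
 * @param callback            the redirect target handed to any {@link OA2RedirectableError} that is thrown
 * @return {@code true} if a hint was present and accepted; {@code false} if the request carried no hint
 * @throws GeneralException     if the hint cannot be verified and read as a JWT with this server's keys
 * @throws OA2RedirectableError if the token has no {@code sub} claim, has no or a mismatching {@code aud}
 *                              claim, or no active logon exists for the user ({@code LOGIN_REQUIRED})
 * @throws NFWException         if the transaction store is not a {@link UsernameFindable} store
 */
protected boolean CheckIdTokenHint(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String callback) {
    if (!httpServletRequest.getParameterMap().containsKey(ID_TOKEN_HINT)) {
        return false;
    }
    // getParameterMap() maps names to String[]; String.valueOf on that array yields
    // "[Ljava.lang.String;@..." rather than the token, so read the single value via getParameter().
    String rawIDToken = httpServletRequest.getParameter(ID_TOKEN_HINT);
    JSONObject idToken;
    try {
        idToken = JWTUtil.verifyAndReadJWT(rawIDToken, ((OA2SE) getServiceEnvironment()).getJsonWebKeys());
    } catch (Throwable e) {
        throw new GeneralException("Error: Cannot read ID token hint", e);
    }
    String state = httpServletRequest.getParameter(STATE);
    if (!idToken.containsKey(OA2Claims.SUBJECT)) {
        // Without a subject there is no user to look up; reject the hint instead of querying the
        // store for a null username.
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "No sub parameter in the ID token. This request is not supported on this server", state, callback);
    }
    String username = idToken.getString(OA2Claims.SUBJECT);
    OA2ServiceTransaction t;
    try {
        UsernameFindable ufStore = (UsernameFindable) getTransactionStore();
        t = ufStore.getByUsername(username);
    } catch (IOException e) {
        // Really something is probably wrong with the class structure if this fails...
        // Keep the cause so the underlying failure is not lost.
        throw new NFWException("Internal error: Could not cast the store to a username findable store.", e);
    }
    if (t == null) {
        // No transaction for that user, hence no active logon.
        throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "Login required.", state, callback);
    }
    // There is a transaction, so the user authenticated successfully. The token must still have been
    // issued to the client that owns that transaction.
    if (!idToken.containsKey(OA2Claims.AUDIENCE)) {
        // The client that is associated with this user must be supplied.
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "No aud parameter in the ID token. This request is not supported on this server", state, callback);
    }
    // NOTE(review): getString() assumes a single-valued aud; a JSON array aud would be compared as
    // its textual form and rejected — confirm that tokens issued here always carry a string aud.
    if (!t.getClient().getIdentifierString().equals(idToken.getString(OA2Claims.AUDIENCE))) {
        // The wrong client for this user is attempting the request. That is not allowed.
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "Incorrect aud parameter in the ID token. This request is not supported on this server", state, callback);
    }
    httpServletResponse.setStatus(HttpStatus.SC_OK);
    // The spec does not state that anything is returned, just a positive response.
    return true;
}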

Example 7 with OA2SE

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa.

the class OA2CertServlet method doRealCertRequest.

@Override
protected void doRealCertRequest(ServiceTransaction trans, String statusString) throws Throwable {
    // CIL-243: binding the CR's DN to the user name. Kept disabled for reference; enable if we ever decide to do this.
    /*
        if (trans.getCertReq().getCN()==null || (!trans.getUsername().equals(trans.getCertReq().getCN()))) { // CN can be null
            throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "The common name on the cert request is \"" +
                    trans.getCertReq().getCN() +
                    "\" which does not match the username \"" + trans.getUsername() + "\"", HttpStatus.SC_BAD_REQUEST);
        }
    */
    OA2ServiceTransaction oa2Transaction = (OA2ServiceTransaction) trans;
    OA2SE environment = (OA2SE) getServiceEnvironment();
    if (environment.isTwoFactorSupportEnabled()) {
        // With two-factor support the MyProxy logon must already have been cached for this transaction.
        if (!getMyproxyConnectionCache().containsKey(oa2Transaction.getIdentifier())) {
            throw new GeneralException("No cached my proxy object with identifier " + oa2Transaction.getIdentifierString());
        }
        MPSingleConnectionProvider.MyProxyLogonConnection cachedConnection =
                (MPSingleConnectionProvider.MyProxyLogonConnection) getMyproxyConnectionCache().get(oa2Transaction.getIdentifier()).getValue();
        // Presumably the cached logon is single-use: it is dropped from the cache and a fresh
        // connection is created for this transaction — confirm against the two-factor flow.
        if (cachedConnection.getMyProxyLogon() instanceof MyMyProxyLogon) {
            MyMyProxyLogon logon = (MyMyProxyLogon) cachedConnection.getMyProxyLogon();
            getMyproxyConnectionCache().remove(cachedConnection.getIdentifier());
            createMPConnection(trans.getIdentifier(), logon.getUsername(), logon.getPassphrase(), trans.getLifetime());
        }
    } else {
        checkMPConnection(oa2Transaction);
    }
    doCertRequest(oa2Transaction, statusString);
}

Example 8 with OA2SE

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa.

the class OA2CertServlet method postprocess.

@Override
public void postprocess(TransactionState state) throws Throwable {
    super.postprocess(state);
    OA2ServiceTransaction transaction = (OA2ServiceTransaction) state.getTransaction();
    OA2SE oa2se = (OA2SE) getServiceEnvironment();
    // With refresh tokens enabled, a transaction holding one keeps its access token valid so the
    // user may re-get certs for the lifetime of the refresh token.
    boolean keepAccessTokenValid = oa2se.isRefreshTokenEnabled() && transaction.hasRefreshToken();
    if (!keepAccessTokenValid) {
        return;
    }
    transaction.setAccessTokenValid(true);
    getTransactionStore().save(transaction);
}

Example 9 with OA2SE

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa.

the class OA2UtilServlet method doIt.

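/**
 * Utility endpoint: given a verified token, a claim name and a claim value, reports whether the
 * token's claim carries that value. Replies are written with {@code spitOutMessage}; exactly one
 * reply is written per request.
 *
 * @param httpServletRequest  request carrying {@code ACTION_KEY}, {@code CLAIM_NAME_KEY},
 *                            {@code CLAIM_VALUE_KEY} and {@code TOKEN_KEY}
 * @param httpServletResponse response the result code is written to
 * @throws Throwable propagated from the servlet helpers
 */
@Override
protected void doIt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
    OA2SE oa2se = (OA2SE) getEnvironment();
    if (!oa2se.isUtilServletEnabled()) {
        return;
    }
    // A null from getParameter is treated as "already handled" here; presumably the helper writes
    // its own error reply for a missing parameter — confirm.
    String action = getParameter(httpServletRequest, httpServletResponse, ACTION_KEY);
    if (action == null) {
        return;
    }
    if (!ACTION_CHECK_CLAIM.equals(action)) {
        spitOutMessage(httpServletResponse, CODE_ERROR, "unknown action of \"" + action + "\" requested from util servlet");
        return;
    }
    String claimName = getParameter(httpServletRequest, httpServletResponse, CLAIM_NAME_KEY);
    if (claimName == null) {
        return;
    }
    String claimValue = getParameter(httpServletRequest, httpServletResponse, CLAIM_VALUE_KEY);
    if (claimValue == null) {
        return;
    }
    String token = getParameter(httpServletRequest, httpServletResponse, TOKEN_KEY);
    if (token == null) {
        return;
    }
    // so we have everything and are ready to rock.
    JSONObject json;
    try {
        json = JWTUtil.verifyAndReadJWT(token, oa2se.getJsonWebKeys());
    } catch (Throwable t) {
        spitOutMessage(httpServletResponse, CODE_ERROR, "Invalid token. Message=\"" + t.getMessage() + "\"");
        return;
    }
    if (!json.containsKey(claimName)) {
        spitOutMessage(httpServletResponse, CODE_ERROR, "claim named \"" + claimName + "\" not found.");
        return;
    }
    Object rawClaims = json.get(claimName);
    boolean found;
    if (rawClaims instanceof JSONArray) {
        // Array claims: exact match against each comma-separated element. Previously a hit wrote
        // CODE_OK and then fell through to also write CODE_NO; now a single reply is written.
        found = claimArrayContains((JSONArray) rawClaims, claimValue);
    } else {
        // Every other case (including JSONObject, which we don't know how to parse in general).
        // NOTE(review): this is a substring test, so e.g. "adm" matches a claim of "admin"; callers
        // that need an exact answer for plain string claims should not rely on this branch.
        found = -1 < rawClaims.toString().indexOf(claimValue);
    }
    spitOutMessage(httpServletResponse, found ? CODE_OK : CODE_NO, null);
}

/**
 * Returns whether any element of {@code array}, split on commas, equals {@code claimValue}.
 *
 * @param array      the claim's array value
 * @param claimValue the value to look for
 * @return {@code true} on the first exact match, {@code false} if none
 */
private static boolean claimArrayContains(JSONArray array, String claimValue) {
    for (int i = 0; i < array.size(); i++) {
        // first cut, parse by , as delimiter.
        StringTokenizer st = new StringTokenizer(array.getString(i), ",", false);
        while (st.hasMoreTokens()) {
            if (claimValue.equals(st.nextToken())) {
                return true;
            }
        }
    }
    return false;
}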

Example 10 with OA2SE

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE in project OA4MP by ncsa.

the class UserInfoServlet method doIt.

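/**
 * Serves the user-info endpoint: resolves the bearer access token to its transaction, rejects
 * public clients, invalid or expired tokens, runs the configured claim sources and writes the
 * resulting user info to the response.
 *
 * @param request  request carrying the access token in the authorization header
 * @param response response the user info is written to
 * @throws OA2GeneralError if no transaction matches the token, the client is public, or the token is
 *                         invalid or expired
 * @throws Throwable       propagated from token parsing, claim sources and the response writer
 */
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    // The access token is sent in the authorization header and should look like
    // Bearer oa4mp:...
    AccessToken at = getAT(request);
    ServiceTransaction transaction = (ServiceTransaction) getTransactionStore().get(at);
    // An unknown token must be rejected before the transaction is dereferenced; checking the client
    // first would raise a NullPointerException instead of the intended error.
    if (transaction == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no transaction for the access token was found.", HttpStatus.SC_BAD_REQUEST);
    }
    if (((OA2Client) transaction.getClient()).isPublicClient()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "public client not authorized to access user information", HttpStatus.SC_UNAUTHORIZED);
    }
    if (!transaction.isAccessTokenValid()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "invalid access token.", HttpStatus.SC_BAD_REQUEST);
    }
    try {
        checkTimestamp(at.getToken());
    } catch (InvalidTimestampException itx) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "token expired.", HttpStatus.SC_BAD_REQUEST);
    }
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    UII2 uis = new UII2(oa2SE.getTokenForge(), getServiceEnvironment().getServiceAddress());
    UIIRequest2 uireq = new UIIRequest2(request, at);
    uireq.setUsername(getUsername(transaction));
    // Now we figure out which scope handler to use.
    UIIResponse2 uiresp = (UIIResponse2) uis.process(uireq);
    LinkedList<ClaimSource> claimSources = OA2ATServlet.setupScopeHandlers((OA2ServiceTransaction) transaction, oa2SE);
    DebugUtil.dbg(this, "Invoking scope handler");
    if (claimSources == null || claimSources.isEmpty()) {
        // Nothing to run; the loop below must not touch a null list.
        DebugUtil.dbg(this, " ***** NO SCOPE HANDLERS ");
    } else {
        for (ClaimSource claimSource : claimSources) {
            DebugUtil.dbg(this, " scope handler=" + claimSource.getClass().getSimpleName());
            claimSource.process(uiresp.getUserInfo(), transaction);
        }
    }
    uiresp.write(response);
}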
