use of edu.uiuc.ncsa.security.delegation.token.AuthorizationGrant in project OA4MP by ncsa.
The class AbstractAccessTokenServlet, method doDelegation.
/**
 * Runs the access-token leg of the delegation protocol for one request: the verifier and the
 * authorization grant are read off the request, exchanged through the access-token issuer
 * returned by {@link #getATI()}, and the resulting access token is recorded on the transaction
 * (which also invalidates the grant) before the transaction is saved.
 *
 * @param client              the client performing the exchange
 * @param httpServletRequest  the incoming request carrying the grant and verifier
 * @param httpServletResponse the response the caller will eventually write to
 * @return the transaction state after post-processing has run
 * @throws ServletException if the updated transaction cannot be saved
 * @throws Throwable        anything the issuer or the pre-/post-processing hooks propagate
 */
protected IssuerTransactionState doDelegation(Client client, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable, ServletException {
    printAllParameters(httpServletRequest);
    info("5.a. Starting access token exchange");
    final Verifier requestVerifier = getServiceEnvironment().getTokenForge().getVerifier(httpServletRequest);
    final AuthorizationGrant grant = getServiceEnvironment().getTokenForge().getAuthorizationGrant(httpServletRequest);
    final ATRequest tokenRequest = new ATRequest(httpServletRequest, client);
    tokenRequest.setVerifier(requestVerifier);
    tokenRequest.setAuthorizationGrant(grant);
    // FIXME!! make this configurable?? The token lifetime is pinned to the maximum here.
    tokenRequest.setExpiresIn(DateUtils.MAX_TIMEOUT);
    final ATResponse tokenResponse = (ATResponse) getATI().process(tokenRequest);
    final ServiceTransaction transaction = verifyAndGet(tokenResponse);
    final String clientTag = "client=" + transaction.getClient();
    info("5.a. got access token " + clientTag);
    preprocess(new TransactionState(httpServletRequest, httpServletResponse, tokenResponse.getParameters(), transaction));
    // NOTE(review): this writes the issued bearer token and the verifier to the debug log.
    // Anyone with log access can replay the token until it expires; consider logging only
    // an identifier or a hash of the token.
    debug("5.a. access token = " + tokenResponse.getAccessToken() + " for verifier = " + requestVerifier);
    // The grant is single-use: once it has been exchanged it must not be accepted again.
    transaction.setAuthGrantValid(false);
    transaction.setAccessToken(tokenResponse.getAccessToken());
    transaction.setAccessTokenValid(true);
    try {
        getTransactionStore().save(transaction);
        info("5.a. updated transaction state for " + clientTag + ", sending response to client");
    } catch (GeneralException e) {
        throw new ServletException("Error saving transaction", e);
    }
    // atResp.write(httpServletResponse);
    info("5.b. done with access token exchange with " + clientTag);
    final IssuerTransactionState result = new IssuerTransactionState(httpServletRequest, httpServletResponse, tokenResponse.getParameters(), transaction, tokenResponse);
    postprocess(result);
    return result;
}
use of edu.uiuc.ncsa.security.delegation.token.AuthorizationGrant in project OA4MP by ncsa.
The class OA2ReadyServlet, method doIt.
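/**
 * Callback endpoint for the authorization leg. The server redirects the browser here after the
 * user has authorized; the token is read from the request, the asset (if any) is located via the
 * tracking cookie or by token, the grant is exchanged for an access token, user info and
 * optionally a certificate are fetched, and the success page is forwarded to with the results set
 * as request attributes. An OAuth error parameter on the request is turned into an
 * {@link OA2RedirectableError} before anything else happens.
 *
 * @param request  the callback request; must carry the token parameter and normally the state
 * @param response used to clear the tracking cookie and to forward to the result page
 * @throws Throwable if the server reported an error, the returned state does not match the
 *                   stored asset, the asset named by the cookie is missing, or a downstream
 *                   call fails
 */
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    if (request.getParameterMap().containsKey(OA2Constants.ERROR)) {
        throw new OA2RedirectableError(request.getParameter(OA2Constants.ERROR), request.getParameter(OA2Constants.ERROR_DESCRIPTION), request.getParameter(OA2Constants.STATE));
    }
    // Get the cert itself. The server itself does a redirect using the callback to this servlet
    // (so it is the portal that actually is invoking this method after the authorization
    // step.) The token and verifier are peeled off and used
    // to complete the request.
    info("2.a. Getting token and verifier.");
    String token = request.getParameter(CONST(ClientEnvironment.TOKEN));
    String state = request.getParameter(OA2Constants.STATE);
    if (token == null) {
        // Inside this branch the token is known to be null, so say so directly.
        warn("2.a. The token is null.");
        GeneralException ge = new GeneralException("Error: This servlet requires parameters for the token and possibly verifier.");
        request.setAttribute("exception", ge);
        JSPUtil.fwd(request, response, getCE().getErrorPagePath());
        return;
    }
    info("2.a Token found.");
    AuthorizationGrant grant = new AuthorizationGrantImpl(URI.create(token));
    info("2.a. Getting the cert(s) from the service");
    // The cookie names the asset; without it, fall back to looking the asset up by token.
    String identifier = clearCookie(request, response);
    OA2Asset asset = null;
    if (identifier == null) {
        asset = (OA2Asset) getCE().getAssetStore().getByToken(BasicIdentifier.newID(token));
        if (asset != null) {
            identifier = asset.getIdentifierString();
        }
    }
    AssetResponse assetResponse = null;
    OA2MPService oa2MPService = (OA2MPService) getOA4MPService();
    UserInfo ui = null;
    boolean getCerts = ((OA2ClientEnvironment) getCE()).getScopes().contains(OA2Scopes.SCOPE_MYPROXY);
    if (identifier == null) {
        // Since this is a demo servlet, we don't blow up if there is no identifier found, just can't save anything.
        // NOTE(review): with no asset there is nothing to compare the returned state against,
        // so the state check performed on the other branch is necessarily skipped here.
        String msg = "Error: no cookie found. Cannot save certificates";
        warn(msg);
        debug("No cookie found");
        // if(asset == null) asset = new OA2Asset(BasicIdentifier.newID())
        ATResponse2 atResponse2 = oa2MPService.getAccessToken(asset, grant);
        ui = oa2MPService.getUserInfo(atResponse2.getAccessToken().toString());
        if (getCerts) {
            assetResponse = oa2MPService.getCert(asset, atResponse2);
        }
    } else {
        asset = (OA2Asset) getCE().getAssetStore().get(identifier);
        if (asset == null) {
            // The cookie (or token lookup) named an asset that is no longer in the store; fail
            // with a clear message instead of an NPE on the state check below.
            throw new IllegalArgumentException("Error: no asset found for identifier \"" + identifier + "\". You might need to clear your cookies and retry the entire request.");
        }
        // The state is the anti-forgery binding between the authorization request this client
        // made and the callback it is now receiving; a mismatch aborts the transaction.
        if (asset.getState() == null || !asset.getState().equals(state)) {
            // Just a note: This is most likely to arise when the server's authorize-init.jsp has been
            // changed or replaced and the hidden field for the state (passed to the form, then passed back
            // and therefore not stored on the server anyplace) is missing.
            warn("The expected state from the server was \"" + asset.getState() + "\", but instead \"" + state + "\" was returned. Transaction aborted.");
            throw new IllegalArgumentException("Error: The state returned by the server is invalid.");
        }
        ATResponse2 atResponse2 = oa2MPService.getAccessToken(asset, grant);
        // ui = oa2MPService.getUserInfo(atResponse2.getAccessToken().getToken());
        ui = oa2MPService.getUserInfo(identifier);
        if (getCerts) {
            assetResponse = oa2MPService.getCert(asset, atResponse2);
        }
        // The general case is to do the call with the identifier if you want the asset store managed.
        // assetResponse = getOA4MPService().getCert(token, null, BasicIdentifier.newID(identifier));
    }
    info("2.b. Done! Displaying success page.");
    setCertificateAttributes(request, asset, assetResponse, getCerts);
    setUserInfoAttribute(request, ui);
    // Fix in cases where the server request passes through Apache before going to Tomcat.
    String contextPath = request.getContextPath();
    if (!contextPath.endsWith("/")) {
        contextPath = contextPath + "/";
    }
    request.setAttribute("action", contextPath);
    info("2.a. Completely finished with delegation.");
    JSPUtil.fwd(request, response, getCE().getSuccessPagePath());
}

/**
 * Sets the certificate-related attributes shown on the success page. Only the first returned
 * certificate is used to peel off something to display; this just proves a response came back.
 *
 * @param request       the request whose attributes are populated
 * @param asset         the asset holding the private key, or {@code null} if none was found
 * @param assetResponse the certificate response, or {@code null} if none was obtained
 * @param getCerts      whether a certificate was requested at all
 */
private static void setCertificateAttributes(HttpServletRequest request, OA2Asset asset, AssetResponse assetResponse, boolean getCerts) {
    if (!getCerts) {
        request.setAttribute("certSubject", "(no cert requested)");
        return;
    }
    X509Certificate[] certs = assetResponse == null ? null : assetResponse.getX509Certificates();
    // An empty array would have thrown on certs[0]; treat it like a missing chain.
    if (certs == null || certs.length == 0) {
        request.setAttribute("certSubject", "(no cert returned)");
        return;
    }
    X509Certificate cert = certs[0];
    // Rest of this is putting up something for the user to see.
    // NOTE(review): getSubjectDN() is deprecated in favour of getSubjectX500Principal(); kept
    // because the JSP renders this attribute and its string form may differ.
    request.setAttribute("certSubject", cert.getSubjectDN());
    request.setAttribute("cert", CertUtil.toPEM(certs));
    request.setAttribute("username", assetResponse.getUsername());
    // FIX OAUTH-216. Note that this is displayed on the client's success page.
    // The asset may be absent on the no-cookie path, so guard it before reading the key.
    if (asset != null && asset.getPrivateKey() != null) {
        request.setAttribute("privateKey", KeyUtil.toPKCS1PEM(asset.getPrivateKey()));
    } else {
        request.setAttribute("privateKey", "(none)");
    }
}

/**
 * Sets the pretty-printed user info attribute, or a placeholder when none was returned.
 *
 * @param request the request whose attribute is populated
 * @param ui      the user info, or {@code null}
 */
private static void setUserInfoAttribute(HttpServletRequest request, UserInfo ui) {
    if (ui != null) {
        String output = JSONUtils.valueToString(ui.toJSon(), 4, 2);
        request.setAttribute("userinfo", output);
    } else {
        request.setAttribute("userinfo", "no user info returned.");
    }
}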
use of edu.uiuc.ncsa.security.delegation.token.AuthorizationGrant in project OA4MP by ncsa.
The class AbstractOA4MPService, method getCert.
/**
 * Performs the {@link #getCert(String, String)} call then updates the asset associated with
 * the given identifier. The asset is looked up by the identifier (or, as a failsafe, by the
 * b64 form of the temporary token) and then by the token itself; the token is turned into an
 * authorization grant, and a verifier is parsed when one is supplied. This throws an exception
 * if there is no asset or if the asset store is not enabled.
 *
 * @param tempToken  the temporary token returned by the server; may be {@code null} only when
 *                   an identifier is given
 * @param verifier   the verifier string, or {@code null} if the flow has none
 * @param identifier the asset identifier; {@code null} means "derive it from the token"
 * @return the response holding the retrieved certificate(s)
 * @throws IllegalArgumentException if no identifier can be derived or no asset is found
 */
public AssetResponse getCert(String tempToken, String verifier, Identifier identifier) {
    // An explicit identifier is by far the common case; the b64 URI of the token is the failsafe.
    final Identifier lookupId = identifier != null ? identifier : makeb64Uri(tempToken);
    if (lookupId == null) {
        throw new IllegalArgumentException("Error: no identifier found for this transaction. Cannot retrieve asset.");
    }
    Asset asset = getAssetStore().get(lookupId);
    if (asset == null && tempToken != null) {
        asset = getAssetStore().getByToken(BasicIdentifier.newID(tempToken));
    }
    if (asset == null) {
        // Nothing under either key: report whichever value the caller would recognise.
        final String reportedId = tempToken != null ? tempToken : lookupId.toString();
        throw new IllegalArgumentException("Error:No asset with the given identifier \"" + reportedId + "\" found. " + "You might need to clear your cookies and retry the entire request.");
    }
    final AuthorizationGrant grant = getEnvironment().getTokenForge().getAuthorizationGrant(tempToken);
    final Verifier parsedVerifier = verifier == null ? null : getEnvironment().getTokenForge().getVerifier(verifier);
    return getCert(asset, grant, parsedVerifier);
}
use of edu.uiuc.ncsa.security.delegation.token.AuthorizationGrant in project OA4MP by ncsa.
The class RefreshTokenStoreTest, method testRT.
/**
 * Exercises refresh-token lookup on a transaction store: a transaction is saved with a fresh
 * refresh token and must be fetched back by that token; the token is then replaced and the
 * store must return the transaction under the new one.
 *
 * @param tStore the store under test; must implement {@link RefreshTokenStore}
 * @throws Exception             if a store operation fails
 * @throws IllegalStateException if the store is not a {@link RefreshTokenStore}
 */
public void testRT(TransactionStore tStore) throws Exception {
    if (!(tStore instanceof RefreshTokenStore)) {
        // fail here if can't cast
        throw new IllegalStateException("Error: The store " + tStore.getClass().getSimpleName() + " is not of a type RefreshTokenStore");
    }
    final RefreshTokenStore refreshStore = (RefreshTokenStore) tStore;
    final OA2ServiceTransaction transaction = (OA2ServiceTransaction) tStore.create();
    final OA2TokenForge forge = new OA2TokenForge("http://localhost/test/");
    RefreshToken refreshToken = forge.getRefreshToken();
    transaction.setRefreshToken(refreshToken);
    // the auth grant is used to retrieve this later and should in this case just be set to the identifier.
    transaction.setAuthorizationGrant(forge.getAuthorizationGrant(transaction.getIdentifierString()));
    transaction.setRefreshTokenLifetime(EXPIRES_IN);
    tStore.save(transaction);
    final OA2ServiceTransaction fetched = refreshStore.get(refreshToken);
    assert fetched.equals(transaction) : "Error: created transaction is not fetched faithfully from the store";
    // Swap in a second refresh token: the store must follow the update rather than the original token.
    refreshToken = forge.getRefreshToken();
    transaction.setRefreshToken(refreshToken);
    transaction.setRefreshTokenValid(false);
    tStore.save(transaction);
    assert refreshStore.get(refreshToken).equals(transaction) : "Error: updating refresh token fails.";
}
use of edu.uiuc.ncsa.security.delegation.token.AuthorizationGrant in project OA4MP by ncsa.
The class NewTransactionTest, method newAG.
/**
 * Creates an authorization grant from the forge for use in a test. The forge may attach a shared
 * secret to the grant; OA4MP never uses it and the stores do not persist it, so it is cleared
 * here to keep round-trip comparisons against the store honest.
 *
 * @param tokenForge the forge producing the grant
 * @param x          optional components forwarded to the forge
 * @return the grant with its shared secret cleared
 */
protected AuthorizationGrant newAG(TokenForge tokenForge, String... x) {
    final AuthorizationGrant grant = tokenForge.getAuthorizationGrant(x);
    grant.setSharedSecret(null);
    return grant;
}