Example 1 with OA2GeneralError

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.

Class OA2CertServlet, method getClient.

/**
 * This looks for the information about the client and checks the secret.
 *
 * @param req the incoming servlet request carrying the client id and secret (as parameters or a Basic Authz header)
 * @return the authenticated, non-public client
 */
@Override
public Client getClient(HttpServletRequest req) {
    String rawID = req.getParameter(CONST(CONSUMER_KEY));
    String rawSecret = getFirstParameterValue(req, CLIENT_SECRET);
    // According to the spec, this must be in a Basic Authz header if it is not sent as a parameter.
    List<String> basicTokens = HeaderUtils.getAuthHeader(req, "Basic");
    if (2 < basicTokens.size()) {
        // too many tokens to unscramble
        throw new OA2GeneralError(OA2Errors.INVALID_TOKEN, "Error: Too many authorization tokens.", HttpStatus.SC_UNAUTHORIZED);
    // throw new GeneralException("Too many authorization tokens");
    }
    if (rawID == null) {
        for (String x : basicTokens) {
            try {
                // Here is some detective work. We get up to TWO basic Authz headers with the id and secret.
                // Since ids are valid URIs the idea here is anything that is a URI must be an id and the other
                // one must be the secret. This also handles the case that one of these is sent as a parameter
                // in the call and the other is in the header.
                URI test = URI.create(x);
                if (test.getScheme() != null) {
                    rawID = x;
                } else {
                    rawSecret = x;
                }
            } catch (Throwable t) {
                if (rawSecret == null) {
                    rawSecret = x;
                }
            }
        }
    }
    if (rawID == null) {
        throw new UnknownClientException("No client id");
    }
    Identifier id = BasicIdentifier.newID(rawID);
    OA2Client client = (OA2Client) getClient(id);
    if (client.isPublicClient()) {
        throw new GeneralException("Error: public clients not supported for this operation.");
    }
    if (rawSecret == null) {
        throw new GeneralException("Error: No secret. request refused.");
    }
    // Secrets are stored as their SHA-1 hex digest, so the presented secret is digested before comparison.
    // Note that String.equals is not a constant-time comparison; MessageDigest.isEqual on the digest bytes
    // would avoid leaking timing information about how many leading characters matched.
    if (!client.getSecret().equals(DigestUtils.shaHex(rawSecret))) {
        throw new GeneralException("Error: Secret is incorrect. request refused.");
    }
    return client;
}
Also used :
OA2Client (edu.uiuc.ncsa.security.oauth_2_0.OA2Client)
BasicIdentifier (edu.uiuc.ncsa.security.core.util.BasicIdentifier)
Identifier (edu.uiuc.ncsa.security.core.Identifier)
GeneralException (edu.uiuc.ncsa.security.core.exceptions.GeneralException)
UnknownClientException (edu.uiuc.ncsa.security.core.exceptions.UnknownClientException)
OA2GeneralError (edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError)
URI (java.net.URI)

Example 2 with OA2GeneralError

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.

Class OA2AuthorizationServer, method doIt.

@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    Map<String, String> map = getFirstParameters(request);
    // printAllParameters(request);
    if (map.containsKey(OA2Constants.RESPONSE_TYPE)) {
        // Probably means this is an initial request. Pass it along to the init servlet to
        // unscramble it.
        MyHttpServletResponseWrapper wrapper = new MyHttpServletResponseWrapper(response);
        JSPUtil.fwd(request, wrapper, AUTHORIZED_ENDPOINT);
        if (wrapper.isExceptionEncountered()) {
            throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, wrapper.toString(), wrapper.getStatus());
        }
        // Something happened someplace else and the exception was handled there.
        String content = wrapper.toString();
        // The issue now is that the nonce was registered in the init servlet (as it should be for OA1),
        // so it would be rejected from now on. The code and state are therefore pulled out of the
        // forwarded response and handed to the parent servlet as request attributes.
        JSONObject j = JSONObject.fromObject(content);
        String code = j.get("code").toString();
        String state = j.get("state").toString();
        request.setAttribute("code", code);
        request.setAttribute("state", state);
    }
    super.doIt(request, response);
}
Also used : JSONObject(net.sf.json.JSONObject) OA2GeneralError(edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError)

Example 3 with OA2GeneralError

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.

Class OA2ClientCheck, method check.

/**
 * Note that all of the exceptions thrown here are because the callback cannot be verified, hence it is unclear
 * where the error is to be sent.
 * @param client the client that made the request (may be null if the id was not found)
 * @param redirect the redirect URI supplied in the request
 */
public static void check(Client client, String redirect) {
    if (client == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no client id", HttpStatus.SC_BAD_REQUEST);
    }
    if (!(client instanceof OA2Client)) {
        throw new NFWException("Internal error: Client is not an OA2Client");
    }
    OA2Client oa2Client = (OA2Client) client;
    boolean foundCB = false;
    if (oa2Client.getCallbackURIs() == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "client has not registered any callback URIs", HttpStatus.SC_BAD_REQUEST);
    }
    // The supplied redirect must match a registered callback exactly. No prefix, wildcard or
    // normalized matching is done, which is the behavior the OAuth 2.0 security guidance recommends.
    for (String uri : oa2Client.getCallbackURIs()) {
        if (uri.equals(redirect)) {
            foundCB = true;
            break;
        }
    }
    if (!foundCB) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "The given redirect \"" + redirect + "\" is not valid for this client", HttpStatus.SC_BAD_REQUEST);
    // throw new GeneralException("Error: The given redirect is not valid for this client");
    }
}
Also used : NFWException(edu.uiuc.ncsa.security.core.exceptions.NFWException) OA2Client(edu.uiuc.ncsa.security.oauth_2_0.OA2Client) OA2GeneralError(edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError)

Example 4 with OA2GeneralError

Use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.

Class UserInfoServlet, method doIt.

@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    // The access token is sent in the authorization header and should look like
    // Bearer oa4mp:...
    AccessToken at = getAT(request);
    ServiceTransaction transaction = (ServiceTransaction) getTransactionStore().get(at);
    // Check for a missing transaction before dereferencing it. The original ordering tested
    // transaction.getClient() first, which throws a NullPointerException for an unknown access token
    // instead of the intended OA2GeneralError.
    if (transaction == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no transaction for the access token was found.", HttpStatus.SC_BAD_REQUEST);
    }
    if (((OA2Client) transaction.getClient()).isPublicClient()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "public client not authorized to access user information", HttpStatus.SC_UNAUTHORIZED);
    }
    if (!transaction.isAccessTokenValid()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "invalid access token.", HttpStatus.SC_BAD_REQUEST);
    }
    try {
        checkTimestamp(at.getToken());
    } catch (InvalidTimestampException itx) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "token expired.", HttpStatus.SC_BAD_REQUEST);
    }
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    UII2 uis = new UII2(oa2SE.getTokenForge(), getServiceEnvironment().getServiceAddress());
    UIIRequest2 uireq = new UIIRequest2(request, at);
    uireq.setUsername(getUsername(transaction));
    // Now we figure out which scope handler to use.
    UIIResponse2 uiresp = (UIIResponse2) uis.process(uireq);
    LinkedList<ClaimSource> claimSources = OA2ATServlet.setupScopeHandlers((OA2ServiceTransaction) transaction, oa2SE);
    DebugUtil.dbg(this, "Invoking scope handler");
    if (claimSources == null || claimSources.isEmpty()) {
        DebugUtil.dbg(this, " ***** NO SCOPE HANDLERS ");
    } else {
        // Only iterate when there is a list; iterating a null claimSources would throw a NullPointerException.
        for (ClaimSource claimSource : claimSources) {
            DebugUtil.dbg(this, " scope handler=" + claimSource.getClass().getSimpleName());
            claimSource.process(uiresp.getUserInfo(), transaction);
        }
    }
    uiresp.write(response);
}
Also used :
OA2Client (edu.uiuc.ncsa.security.oauth_2_0.OA2Client)
OA2ServiceTransaction (edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction)
ServiceTransaction (edu.uiuc.ncsa.security.delegation.server.ServiceTransaction)
OA2SE (edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE)
AccessToken (edu.uiuc.ncsa.security.delegation.token.AccessToken)
UIIRequest2 (edu.uiuc.ncsa.security.oauth_2_0.server.UIIRequest2)
OA2GeneralError (edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError)
InvalidTimestampException (edu.uiuc.ncsa.security.core.exceptions.InvalidTimestampException)
UII2 (edu.uiuc.ncsa.security.oauth_2_0.server.UII2)
ClaimSource (edu.uiuc.ncsa.security.oauth_2_0.server.ClaimSource)
UIIResponse2 (edu.uiuc.ncsa.security.oauth_2_0.server.UIIResponse2)

Aggregations

OA2GeneralError (edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError) 4
OA2Client (edu.uiuc.ncsa.security.oauth_2_0.OA2Client) 3
OA2SE (edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE) 1
OA2ServiceTransaction (edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction) 1
Identifier (edu.uiuc.ncsa.security.core.Identifier) 1
GeneralException (edu.uiuc.ncsa.security.core.exceptions.GeneralException) 1
InvalidTimestampException (edu.uiuc.ncsa.security.core.exceptions.InvalidTimestampException) 1
NFWException (edu.uiuc.ncsa.security.core.exceptions.NFWException) 1
UnknownClientException (edu.uiuc.ncsa.security.core.exceptions.UnknownClientException) 1
BasicIdentifier (edu.uiuc.ncsa.security.core.util.BasicIdentifier) 1
ServiceTransaction (edu.uiuc.ncsa.security.delegation.server.ServiceTransaction) 1
AccessToken (edu.uiuc.ncsa.security.delegation.token.AccessToken) 1
ClaimSource (edu.uiuc.ncsa.security.oauth_2_0.server.ClaimSource) 1
UII2 (edu.uiuc.ncsa.security.oauth_2_0.server.UII2) 1
UIIRequest2 (edu.uiuc.ncsa.security.oauth_2_0.server.UIIRequest2) 1
UIIResponse2 (edu.uiuc.ncsa.security.oauth_2_0.server.UIIResponse2) 1
URI (java.net.URI) 1
JSONObject (net.sf.json.JSONObject) 1