use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.
Class OA2CertServlet, method getClient.
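/**
 * Looks up the client named in the request and verifies its secret.
 * <p>
 * The client id is read from the {@code CONSUMER_KEY} parameter and the secret from the
 * {@code CLIENT_SECRET} parameter. When the id is not sent as a parameter, both values may
 * instead arrive as HTTP Basic authorization tokens; since client ids are URIs, a token that
 * parses as a URI with a scheme is taken to be the id and the other token the secret.
 *
 * @param req the incoming request
 * @return the registered confidential client whose secret matched
 * @throws OA2GeneralError        if more than two Basic authorization tokens are present
 * @throws UnknownClientException if no client id could be determined or no client exists for it
 * @throws GeneralException       if the client is public, no secret was sent, or the secret does not match
 */
@Override
public Client getClient(HttpServletRequest req) {
    String rawID = req.getParameter(CONST(CONSUMER_KEY));
    String rawSecret = getFirstParameterValue(req, CLIENT_SECRET);
    // Per the spec the credentials must be in a Basic Authz header if they are not sent as parameters.
    List<String> basicTokens = HeaderUtils.getAuthHeader(req, "Basic");
    if (2 < basicTokens.size()) {
        // Too many tokens to unscramble.
        throw new OA2GeneralError(OA2Errors.INVALID_TOKEN, "Error: Too many authorization tokens.", HttpStatus.SC_UNAUTHORIZED);
    }
    if (rawID == null) {
        for (String token : basicTokens) {
            // Detective work: up to TWO Basic tokens carry the id and the secret. Ids are valid
            // URIs, so a token with a scheme is taken as the id and the other one as the secret.
            // This also covers one value arriving as a parameter and the other in the header.
            try {
                if (URI.create(token).getScheme() != null) {
                    rawID = token;
                } else {
                    rawSecret = token;
                }
            } catch (IllegalArgumentException notAUri) {
                // URI.create rejects malformed input; a token that is not an id can only be the secret.
                if (rawSecret == null) {
                    rawSecret = token;
                }
            }
        }
    }
    if (rawID == null) {
        throw new UnknownClientException("No client id");
    }
    Identifier id = BasicIdentifier.newID(rawID);
    OA2Client client = (OA2Client) getClient(id);
    if (client == null) {
        // Guard the dereferences below; without it an unknown id surfaces as a NullPointerException.
        throw new UnknownClientException("No client found for id " + rawID);
    }
    if (client.isPublicClient()) {
        throw new GeneralException("Error: public clients not supported for this operation.");
    }
    if (rawSecret == null) {
        throw new GeneralException("Error: No secret. request refused.");
    }
    if (!secretMatches(client.getSecret(), rawSecret)) {
        throw new GeneralException("Error: Secret is incorrect. request refused.");
    }
    return client;
}

/**
 * Compares the stored secret digest with the digest of the presented secret in constant time,
 * so that the comparison does not leak how many leading characters matched.
 * <p>
 * The stored value is the hex SHA-1 digest produced by {@code DigestUtils.shaHex}. An unsalted
 * digest is a weak way to store secrets, but the scheme cannot change here without invalidating
 * every secret already on record, so only the comparison is hardened.
 *
 * @param storedDigest    the digest on record for the client; {@code null} never matches
 * @param presentedSecret the secret presented by the caller
 * @return {@code true} if the digests are equal
 */
private static boolean secretMatches(String storedDigest, String presentedSecret) {
    if (storedDigest == null) {
        return false;
    }
    byte[] expected = storedDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] actual = DigestUtils.shaHex(presentedSecret).getBytes(java.nio.charset.StandardCharsets.UTF_8);
    return java.security.MessageDigest.isEqual(expected, actual);
}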
use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.
Class OA2AuthorizationServer, method doIt.
/**
 * Entry point for the authorization endpoint.
 * <p>
 * A request carrying a {@code response_type} parameter is treated as an initial authorization
 * request: it is forwarded to the init servlet, whose JSON output supplies the {@code code} and
 * {@code state} values that are placed on the request as attributes before the parent
 * implementation runs. Any other request goes straight to the parent implementation.
 *
 * @param request  the incoming request
 * @param response the response; wrapped during the forward so its output can be inspected
 * @throws OA2GeneralError if the init servlet recorded an exception while handling the forward
 * @throws Throwable       propagated from the forward or the parent implementation
 */
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    Map<String, String> firstParams = getFirstParameters(request);
    if (!firstParams.containsKey(OA2Constants.RESPONSE_TYPE)) {
        super.doIt(request, response);
        return;
    }
    // Probably an initial request: let the init servlet unscramble it and capture what it wrote.
    MyHttpServletResponseWrapper wrapper = new MyHttpServletResponseWrapper(response);
    JSPUtil.fwd(request, wrapper, AUTHORIZED_ENDPOINT);
    if (wrapper.isExceptionEncountered()) {
        // Something failed someplace else and was handled there; surface it as an OA2 error.
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, wrapper.toString(), wrapper.getStatus());
    }
    // The nonce was registered in the init servlet (as it should be for OA1) and would now be
    // rejected ever more, so the code and state are handed on as request attributes instead.
    JSONObject forwarded = JSONObject.fromObject(wrapper.toString());
    // NOTE(review): get(...) yields null for a missing key, so a missing "code" or "state" ends in
    // a NullPointerException rather than an OA2 error — confirm the init servlet always emits both.
    String code = forwarded.get("code").toString();
    String state = forwarded.get("state").toString();
    request.setAttribute("code", code);
    request.setAttribute("state", state);
    super.doIt(request, response);
}
use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.
Class OA2ClientCheck, method check.
/**
 * Verifies that {@code redirect} is one of the callback URIs registered for {@code client}.
 * <p>
 * Note that all of the exceptions thrown here are because the callback cannot be verified, hence
 * it is unclear where the error is to be sent. Matching is exact string equality; no prefix or
 * pattern matching is done.
 *
 * @param client   the client making the request; must be an {@link OA2Client}
 * @param redirect the redirect URI presented in the request
 * @throws OA2GeneralError if the client is missing, has no registered callbacks, or the redirect
 *                         is not one of them
 * @throws NFWException    if the client is not an {@link OA2Client}
 */
public static void check(Client client, String redirect) {
    if (client == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no client id", HttpStatus.SC_BAD_REQUEST);
    }
    if (!(client instanceof OA2Client)) {
        throw new NFWException("Internal error: Client is not an OA2Client");
    }
    OA2Client oa2Client = (OA2Client) client;
    if (oa2Client.getCallbackURIs() == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "client has not registered any callback URIs", HttpStatus.SC_BAD_REQUEST);
    }
    if (!isRegisteredCallback(oa2Client, redirect)) {
        // The presented redirect is echoed in the message; it is untrusted input.
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "The given redirect \"" + redirect + "\" is not valid for this client", HttpStatus.SC_BAD_REQUEST);
    }
}

/** Exact-match lookup of {@code redirect} among the client's registered callback URIs. */
private static boolean isRegisteredCallback(OA2Client oa2Client, String redirect) {
    for (String registered : oa2Client.getCallbackURIs()) {
        if (registered.equals(redirect)) {
            return true;
        }
    }
    return false;
}
use of edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError in project OA4MP by ncsa.
Class UserInfoServlet, method doIt.
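/**
 * Serves the user-info endpoint: resolves the bearer access token to a transaction, verifies
 * the token, and writes the claims produced by the configured claim sources.
 *
 * @param request  the incoming request; the access token is expected in the Authorization header
 * @param response the response the user-info document is written to
 * @throws OA2GeneralError if no transaction exists for the token, the transaction belongs to a
 *                         public client, or the token is invalid or expired
 * @throws Throwable       propagated from the claim sources and the user-info processing
 */
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    // The access token is sent in the authorization header and should look like
    // Bearer oa4mp:...
    AccessToken at = getAT(request);
    ServiceTransaction transaction = (ServiceTransaction) getTransactionStore().get(at);
    // This check must precede every dereference of the transaction; an unknown token used to
    // hit a NullPointerException in the public-client check instead of this error response.
    if (transaction == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no transaction for the access token was found.", HttpStatus.SC_BAD_REQUEST);
    }
    if (((OA2Client) transaction.getClient()).isPublicClient()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "public client not authorized to access user information", HttpStatus.SC_UNAUTHORIZED);
    }
    if (!transaction.isAccessTokenValid()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "invalid access token.", HttpStatus.SC_BAD_REQUEST);
    }
    try {
        checkTimestamp(at.getToken());
    } catch (InvalidTimestampException itx) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "token expired.", HttpStatus.SC_BAD_REQUEST);
    }
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    UII2 uis = new UII2(oa2SE.getTokenForge(), getServiceEnvironment().getServiceAddress());
    UIIRequest2 uireq = new UIIRequest2(request, at);
    uireq.setUsername(getUsername(transaction));
    // Now we figure out which scope handlers to use.
    UIIResponse2 uiresp = (UIIResponse2) uis.process(uireq);
    LinkedList<ClaimSource> claimSources = OA2ATServlet.setupScopeHandlers((OA2ServiceTransaction) transaction, oa2SE);
    DebugUtil.dbg(this, "Invoking scope handler");
    if (claimSources == null || claimSources.isEmpty()) {
        // Nothing to add to the user info; iterating a null list would fail below.
        DebugUtil.dbg(this, " ***** NO SCOPE HANDLERS ");
    } else {
        for (ClaimSource claimSource : claimSources) {
            DebugUtil.dbg(this, " scope handler=" + claimSource.getClass().getSimpleName());
            claimSource.process(uiresp.getUserInfo(), transaction);
        }
    }
    uiresp.write(response);
}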