Use of javax.ws.rs.WebApplicationException in project oxAuth by GluuFederation: class ResourceSetRegistrationWS, method getResourceSet.
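@GET
@Path("{rsid}")
@Produces({ UmaConstants.JSON_MEDIA_TYPE })
@ApiOperation(value = "Reads a previously registered resource set description using the GET method.", notes = "Reads a previously registered resource set description using the GET method. If the request is successful, the authorization server MUST respond with a status message that includes a body containing the referenced resource set description, along with an \"_id\" property.", response = ResourceSet.class)
@ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") })
public Response getResourceSet(@HeaderParam("Authorization") String authorization, @PathParam("rsid") @ApiParam(value = "Resource set description object ID", required = true) String rsid) {
    try {
        // The protection-scope check runs before any lookup so an unauthenticated caller learns nothing
        // about which ids exist (it fails with the 401 produced by the validation service).
        umaValidationService.assertHasProtectionScope(authorization);
        log.debug("Getting resource set description: '{}'", rsid);
        final org.xdi.oxauth.model.uma.persistence.ResourceSet ldapResourceSet = resourceSetService.getResourceSetById(rsid);
        if (ldapResourceSet == null) {
            // NOTE(review): assumes getResourceSetById() returns null for an unknown id — confirm.
            // Without this guard the NPE on the getters below would be reported as an internal error
            // instead of a 404, which is the correct answer for a missing resource set.
            throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build());
        }
        // Copy the persisted entity into the wire representation; scope DNs are mapped to their URLs.
        final ResourceSetWithId response = new ResourceSetWithId();
        response.setId(ldapResourceSet.getId());
        response.setName(ldapResourceSet.getName());
        response.setUri(ldapResourceSet.getUrl());
        response.setIconUri(ldapResourceSet.getIconUri());
        response.setScopes(umaScopeService.getScopeUrlsByDns(ldapResourceSet.getScopes()));
        final ResponseBuilder builder = Response.ok();
        // convert manually to avoid possible conflicts between resteasy providers, e.g. jettison, jackson
        builder.entity(ServerUtil.asJson(response));
        return builder.build();
    } catch (WebApplicationException ex) {
        // Already a proper HTTP error (401/404): log and pass it through unchanged.
        log.error("Exception happened", ex);
        throw ex;
    } catch (Exception ex) {
        // Anything else is an internal failure; the factory throws the UMA JSON 500 error.
        log.error("Exception happened", ex);
        errorResponseFactory.throwUmaInternalErrorException();
        // redundant but required statement by java
        return null;
    }
}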
Use of javax.ws.rs.WebApplicationException in project oxAuth by GluuFederation: class RptPermissionAuthorizationWS, method authorizeRptPermission.
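/**
 * Resolves (or mints) the RPT for an authorization request and attaches the permission
 * identified by the request ticket to it.
 *
 * @param authorization the Authorization header of the incoming request
 * @param rptAuthorizationRequest request body carrying the optional RPT, the ticket and claims
 * @param httpRequest the servlet request, handed to the authorization service
 * @param grant the grant the caller authenticated with
 * @param amHost the validated authorization-server host
 * @return the RPT that now carries the requested permission
 * @throws WebApplicationException with 403 when the permission may not be added
 */
private UmaRPT authorizeRptPermission(String authorization, RptAuthorizationRequest rptAuthorizationRequest, HttpServletRequest httpRequest, AuthorizationGrant grant, String amHost) {
    UmaRPT rpt;
    if (Util.isNullOrEmpty(rptAuthorizationRequest.getRpt())) {
        rpt = rptManager.createRPT(authorization, amHost, false);
    } else {
        rpt = rptManager.getRPTByCode(rptAuthorizationRequest.getRpt());
    }
    // Validate RPT
    try {
        umaValidationService.validateRPT(rpt);
    } catch (WebApplicationException e) {
        // according to latest UMA spec ( dated 2015-02-23 https://docs.kantarainitiative.org/uma/draft-uma-core.html)
        // it's up to implementation whether to create new RPT for each request or pass back requests RPT.
        // Here we decided to pass back new RPT if request's RPT in invalid.
        // Issue a fresh token here: re-reading the presented code would carry the rejected RPT
        // (expired, revoked, or unknown) forward into the permission grant below.
        log.debug("Presented RPT failed validation, issuing a new RPT", e);
        rpt = rptManager.createRPT(authorization, amHost, false);
    }
    final ResourceSetPermission resourceSetPermission = resourceSetPermissionManager.getResourceSetPermissionByTicket(rptAuthorizationRequest.getTicket());
    // Validate resource set permission
    umaValidationService.validateResourceSetPermission(resourceSetPermission);
    // Add permission to RPT
    if (umaAuthorizationService.allowToAddPermission(grant, rpt, resourceSetPermission, httpRequest, rptAuthorizationRequest.getClaims())) {
        rptManager.addPermissionToRPT(rpt, resourceSetPermission);
        // A ticket is single-use: once its permission is bound to an RPT it must not be replayed.
        invalidateTicket(resourceSetPermission);
        return rpt;
    }
    // throw not authorized exception
    throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.NOT_AUTHORIZED_PERMISSION)).build());
}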
Use of javax.ws.rs.WebApplicationException in project oxAuth by GluuFederation: class RptPermissionAuthorizationWS, method requestRptPermissionAuthorization.
@POST
@Consumes({ UmaConstants.JSON_MEDIA_TYPE })
@Produces({ UmaConstants.JSON_MEDIA_TYPE })
public Response requestRptPermissionAuthorization(@HeaderParam("Authorization") String authorization, @HeaderParam("Host") String amHost, RptAuthorizationRequest rptAuthorizationRequest, @Context HttpServletRequest httpRequest) {
    // Authenticate the caller (authorization scope), validate the host, then delegate the actual
    // permission grant; the response only carries the resulting RPT code.
    try {
        final AuthorizationGrant grant = umaValidationService.assertHasAuthorizationScope(authorization);
        final String validatedAmHost = umaValidationService.validateAmHost(amHost);
        final UmaRPT rpt = authorizeRptPermission(authorization, rptAuthorizationRequest, httpRequest, grant, validatedAmHost);
        final RptAuthorizationResponse body = new RptAuthorizationResponse(rpt.getCode());
        // convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
        return Response.ok(ServerUtil.asJson(body)).build();
    } catch (WebApplicationException e) {
        // Already carries the intended HTTP status (401/403 from the validation/authorization path).
        log.error("Exception happened", e);
        throw e;
    } catch (Exception ex) {
        // Unexpected failure: reported as the UMA JSON server_error with status 500.
        log.error("Exception happened", ex);
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR)).build());
    }
}
Use of javax.ws.rs.WebApplicationException in project oxAuth by GluuFederation: class RptStatusWS, method requestRptStatus.
@POST
@Produces({ UmaConstants.JSON_MEDIA_TYPE })
@ApiOperation(value = "The resource server MUST determine a received RPT's status, including both whether it is active and, if so, its associated authorization data, before giving or refusing access to the client. An RPT is associated with a set of authorization data that governs whether the client is authorized for access. The token's nature and format are dictated by its profile; the profile might allow it to be self-contained, such that the resource server is able to determine its status locally, or might require or allow the resource server to make a run-time introspection request of the authorization server that issued the token.", produces = UmaConstants.JSON_MEDIA_TYPE, notes = "The endpoint MAY allow other parameters to provide further context to\n" + " the query. For instance, an authorization service may need to know\n" + " the IP address of the client accessing the protected resource in\n" + " order to determine the appropriateness of the token being presented.\n" + "\n" + " To prevent unauthorized token scanning attacks, the endpoint MUST\n" + " also require some form of authorization to access this endpoint, such\n" + " as client authentication as described in OAuth 2.0 [RFC6749] or a\n" + " separate OAuth 2.0 access token such as the bearer token described in\n" + " OAuth 2.0 Bearer Token Usage [RFC6750]. The methods of managing and\n" + " validating these authentication credentials are out of scope of this\n" + " specification.\n")
@ApiResponses(value = { @ApiResponse(code = 401, message = "Unauthorized") })
public Response requestRptStatus(@HeaderParam("Authorization") String authorization, @FormParam("token") @ApiParam(value = "The string value of the token. For access tokens,\n" + " this is the \"access_token\" value returned from the token endpoint\n" + " defined in OAuth 2.0 [RFC6749] section 5.1. For refresh tokens,\n" + " this is the \"refresh_token\" value returned from the token endpoint\n" + " as defined in OAuth 2.0 [RFC6749] section 5.1. Other token types\n" + " are outside the scope of this specification.", required = true) String rptAsString, @FormParam("token_type_hint") @ApiParam(value = "A hint about the type of the token\n" + " submitted for introspection. The protected resource re MAY pass\n" + " this parameter in order to help the authorization server to\n" + " optimize the token lookup. If the server is unable to locate the\n" + " token using the given hint, it MUST extend its search across all\n" + " of its supported token types. An authorization server MAY ignore\n" + " this parameter, particularly if it is able to detect the token\n" + " type automatically. Values for this field are defined in OAuth\n" + " Token Revocation [RFC7009].", required = false) String tokenTypeHint) {
    try {
        // Introspection is gated on the protection scope so the endpoint cannot be used for token scanning.
        umaValidationService.assertHasProtectionScope(authorization);
        final UmaRPT rpt = rptManager.getRPTByCode(rptAsString);
        // GAT tokens have their own response shape.
        if (rpt != null && AbstractRPTManager.isGat(rpt.getCode())) {
            return gatResponse(rpt);
        }
        // Unknown or inactive token: the entity object is handed to the JAX-RS providers as-is.
        if (!isValid(rpt)) {
            final RptIntrospectionResponse inactive = new RptIntrospectionResponse(false);
            return Response.ok(inactive).cacheControl(ServerUtil.cacheControl(true)).build();
        }
        // active status
        final RptIntrospectionResponse statusResponse = new RptIntrospectionResponse();
        statusResponse.setActive(true);
        statusResponse.setExpiresAt(rpt.getExpirationDate());
        statusResponse.setIssuedAt(rpt.getCreationDate());
        statusResponse.setPermissions(buildStatusResponsePermissions(rpt));
        // convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
        final String json = ServerUtil.asJson(statusResponse);
        return Response.ok(json).cacheControl(ServerUtil.cacheControl(true)).build();
    } catch (WebApplicationException e) {
        // Preserve the HTTP status chosen by the validation path (e.g. 401).
        log.error("Exception happened", e);
        throw e;
    } catch (Exception ex) {
        // Anything else is an internal failure reported as the UMA JSON server_error.
        log.error("Exception happened", ex);
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR)).build());
    }
}
Use of javax.ws.rs.WebApplicationException in project oxAuth by GluuFederation: class ScopeWS, method getScopeDescription.
@GET
@Path("{id}")
@Produces({ UmaConstants.JSON_MEDIA_TYPE })
public Response getScopeDescription(@PathParam("id") String id) {
    log.trace("UMA - get scope description: id: {}", id);
    // A blank id is treated exactly like an unknown one: fall through to the 404 at the end.
    if (StringUtils.isNotBlank(id)) {
        try {
            final ScopeDescription scope = umaScopeService.getInternalScope(id);
            if (scope != null) {
                // Only the public fields (icon, display name) are exposed in the wire representation.
                final org.xdi.oxauth.model.uma.ScopeDescription jsonScope = new org.xdi.oxauth.model.uma.ScopeDescription();
                jsonScope.setIconUri(scope.getIconUrl());
                jsonScope.setName(scope.getDisplayName());
                return Response.ok(ServerUtil.asJson(jsonScope)).build();
            }
        } catch (Exception e) {
            // Lookup or serialization failure: report the UMA JSON server_error with status 500.
            log.error(e.getMessage(), e);
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR)).build());
        }
    }
    throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).entity(errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.NOT_FOUND)).build());
}