
Example 16 with OAuthMessage

Use of net.oauth.OAuthMessage in the project zm-mailbox by Zimbra.

From the class OAuthAuthorizationServlet, method doPost.

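/**
 * Handles the authorization form submission for an OAuth request token.
 * <p>
 * If the user declined ({@code STATUS} attribute equal to {@code "no"}), the
 * request token is dropped from the cache and an unauthorized response is sent.
 * Otherwise, when a Zimbra auth token ({@code ZM_AUTH_TOKEN} attribute) is
 * present the accessor is marked as authorized for the submitted username, a
 * verifier is generated and the user is redirected back to the consumer;
 * without a Zimbra auth token the user is sent to the authorize page.
 * Any exception is delegated to {@link OAuthServiceProvider#handleException}.
 *
 * @param request  the servlet request carrying the OAuth parameters
 * @param response the servlet response to write the redirect or error to
 * @throws IOException      propagated from the servlet API
 * @throws ServletException propagated from the servlet API
 */
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    LOG.debug("Authorization Handler doPost requested!");
    try {
        OAuthMessage requestMessage = OAuthServlet.getMessage(request, null);
        OAuthAccessor accessor = OAuthServiceProvider.getAccessor(requestMessage);
        // STATUS is set by the authorize page: "no" means the user declined access.
        String status = (String) request.getAttribute("STATUS");
        if ("no".equals(status)) {
            LOG.debug("Access to zimbra message is denied.");
            OAuthTokenCache.remove(accessor.requestToken, OAuthTokenCache.REQUEST_TOKEN_TYPE);
            sendUnauthorizedResponse(response, accessor);
            return;
        }
        String username = request.getParameter("username");
        String zmtoken = (String) request.getAttribute("ZM_AUTH_TOKEN");
        // Log only whether the Zimbra auth token is present: it is a bearer
        // credential and must not be written to log files.
        LOG.debug("[AuthorizationHandlerInput] username = %s, oauth_token = %s, ZM_AUTH_TOKEN present = %s", username, request.getParameter("oauth_token"), zmtoken != null);
        if (zmtoken == null) {
            // No authenticated Zimbra session yet: ask the user to log in and authorize.
            sendToAuthorizePage(request, response, accessor);
        } else {
            // Reuse the username already read above instead of re-reading the parameter.
            OAuthServiceProvider.markAsAuthorized(accessor, username, zmtoken);
            OAuthServiceProvider.generateVerifier(accessor);
            returnToConsumer(request, response, accessor);
        }
    } catch (Exception e) {
        LOG.debug("AuthorizationHandler exception", e);
        OAuthServiceProvider.handleException(e, request, response, true);
    }
}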

Example 17 with OAuthMessage

Use of net.oauth.OAuthMessage in the project zm-mailbox by Zimbra.

From the class OAuthAuthorizationServlet, method doGet.

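/**
 * Handles the consumer's initial redirect of the user to the authorization endpoint.
 * <p>
 * Looks up the accessor for the request token in the incoming message. If the
 * accessor already carries the {@code "authorized"} property set to
 * {@code Boolean.TRUE}, the user is sent straight back to the consumer;
 * otherwise the user is shown the authorize page. Exceptions are delegated to
 * {@link OAuthServiceProvider#handleException}, mirroring {@code doPost}.
 *
 * @param request  the servlet request carrying the OAuth parameters
 * @param response the servlet response to write the redirect or page to
 * @throws IOException      propagated from the servlet API
 * @throws ServletException propagated from the servlet API
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    LOG.debug("Authorization Handler doGet requested!");
    try {
        OAuthMessage oAuthMessage = OAuthServlet.getMessage(request, null);
        OAuthAccessor accessor = OAuthServiceProvider.getAccessor(oAuthMessage);
        if (Boolean.TRUE.equals(accessor.getProperty("authorized"))) {
            // already authorized send the user back
            returnToConsumer(request, response, accessor);
        } else {
            sendToAuthorizePage(request, response, accessor);
        }
    } catch (Exception e) {
        // Same diagnostic trace as doPost so failures on both paths are visible in debug logs.
        LOG.debug("AuthorizationHandler exception", e);
        OAuthServiceProvider.handleException(e, request, response, true);
    }
}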

Example 18 with OAuthMessage

Use of net.oauth.OAuthMessage in the project cxf by Apache.

From the class CallbackURLController, method handleRequest.

/**
 * Receives the OAuth callback after the user authorized the request token.
 * <p>
 * Requires the {@code oauth_token} and {@code oauth_verifier} parameters,
 * copies them together with the {@code clientID} and {@code clientSecret}
 * cookie values into the model bean, and renders the {@code tokenRequest} view.
 * On an {@link OAuthProblemException} the problem text and its parameters are
 * stored as the bean's error message instead.
 * NOTE(review): the error message embeds request-derived parameter values;
 * the view is assumed to escape it before rendering — confirm.
 *
 * @param oAuthParams model bean populated from the callback
 * @param request     the incoming callback request
 * @return the {@code tokenRequest} model-and-view
 * @throws Exception propagated from message parsing
 */
@RequestMapping("/callback")
protected ModelAndView handleRequest(@ModelAttribute("oAuthParams") OAuthParams oAuthParams, HttpServletRequest request) throws Exception {
    String callbackUrl = request.getRequestURL().toString();
    OAuthMessage message = OAuthServlet.getMessage(request, callbackUrl);
    try {
        message.requireParameters(OAuth.OAUTH_TOKEN, OAuth.OAUTH_VERIFIER);
        oAuthParams.setOauthToken(message.getToken());
        String verifier = message.getParameter(OAuth.OAUTH_VERIFIER);
        oAuthParams.setOauthVerifier(verifier);
        String clientId = Common.findCookieValue(request, "clientID");
        oAuthParams.setClientID(clientId);
        String clientSecret = Common.findCookieValue(request, "clientSecret");
        oAuthParams.setClientSecret(clientSecret);
    } catch (OAuthProblemException e) {
        String details = e.getProblem() + e.getParameters().toString();
        oAuthParams.setErrorMessage("OAuth problem: " + details);
    }
    return new ModelAndView("tokenRequest");
}

Example 19 with OAuthMessage

Use of net.oauth.OAuthMessage in the project cxf by Apache.

From the class OAuthClientUtils, method doGetAuthorizationHeader.

/**
 * Builds the {@code Authorization} header value for a signed OAuth request.
 * <p>
 * The signed header produced by the accessor is extended with every entry of
 * {@code parameters} whose key does not start with {@code "oauth_"}, each
 * appended as {@code , key="value"} with key and value percent-encoded.
 *
 * @param accessor   accessor holding the consumer and token credentials
 * @param method     HTTP method of the request being signed
 * @param requestURI URI of the request being signed
 * @param parameters request parameters; iteration order of the map decides the header order
 * @return the complete header value
 * @throws ProcessingException wrapping any failure while creating or serializing the message
 */
private static String doGetAuthorizationHeader(OAuthAccessor accessor, String method, String requestURI, Map<String, String> parameters) {
    try {
        OAuthMessage signed = accessor.newRequestMessage(method, requestURI, parameters.entrySet());
        StringBuilder header = new StringBuilder();
        header.append(signed.getAuthorizationHeader(null));
        for (Map.Entry<String, String> param : parameters.entrySet()) {
            String name = param.getKey();
            if (name.startsWith("oauth_")) {
                // oauth_* parameters are already part of the signed header
                continue;
            }
            header.append(", ")
                  .append(OAuth.percentEncode(name))
                  .append("=\"")
                  .append(OAuth.percentEncode(param.getValue()))
                  .append('"');
        }
        return header.toString();
    } catch (Exception ex) {
        throw new ProcessingException(ex);
    }
}

Example 20 with OAuthMessage

Use of net.oauth.OAuthMessage in the project cxf by Apache.

From the class AbstractAuthFilter, method handleOAuthRequest.

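/**
 * Authenticates the third-party consumer and returns an
 * {@link OAuthInfo} bean capturing the information about the request.
 * <p>
 * Two request shapes are handled. When an {@code oauth_token} parameter is
 * present, the access token is looked up and the message is validated against
 * the token's client. Otherwise the consumer is identified from the
 * {@code Authorization} header — either {@code OAuth} scheme parameters or
 * {@code Basic} credentials resolved through {@code getAuthorizationPolicy} —
 * the message is validated against that client and its pre-authorized token is
 * used. In both cases the token's permissions are filtered to those whose URIs
 * and HTTP verbs match the request.
 *
 * @param req http request
 * @return OAuth info holding the access token and the matching permissions
 * @see OAuthInfo
 * @throws OAuthProblemException if the token is unknown, the client is unknown
 *         or its secret does not match, no pre-authorized token is available,
 *         or the token has permissions but none match the request
 * @throws Exception propagated from message parsing and validation
 */
protected OAuthInfo handleOAuthRequest(HttpServletRequest req) throws Exception, OAuthProblemException {
    if (LOG.isLoggable(Level.FINE)) {
        LOG.log(Level.FINE, "OAuth security filter for url: {0}", req.getRequestURL());
    }
    AccessToken accessToken = null;
    Client client = null;
    OAuthMessage oAuthMessage = OAuthServlet.getMessage(new CustomHttpServletWrapper(req), OAuthServlet.getRequestURL(req));
    if (oAuthMessage.getParameter(OAuth.OAUTH_TOKEN) != null) {
        oAuthMessage.requireParameters(REQUIRED_PARAMETERS);
        accessToken = dataProvider.getAccessToken(oAuthMessage.getToken());
        // check if access token is not null
        if (accessToken == null) {
            LOG.warning("Access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        client = accessToken.getClient();
        OAuthUtils.validateMessage(oAuthMessage, client, accessToken, dataProvider, validator);
    } else {
        String consumerKey = null;
        String consumerSecret = null;
        String authHeader = oAuthMessage.getHeader("Authorization");
        if (authHeader != null) {
            if (authHeader.startsWith("OAuth")) {
                consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
                consumerSecret = oAuthMessage.getParameter(OAuthConstants.OAUTH_CONSUMER_SECRET);
            } else if (authHeader.startsWith("Basic")) {
                AuthorizationPolicy policy = getAuthorizationPolicy(authHeader);
                if (policy != null) {
                    consumerKey = policy.getUserName();
                    consumerSecret = policy.getPassword();
                }
            }
        }
        if (consumerKey != null) {
            client = dataProvider.getClient(consumerKey);
        }
        if (client == null) {
            LOG.warning("Client is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        // A presented secret is checked in constant time; the same problem code as an
        // unknown key is reported so the response does not reveal which part was wrong.
        if (consumerSecret != null && !constantTimeSecretEquals(consumerSecret, client.getSecretKey())) {
            LOG.warning("Client secret is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider, validator);
        accessToken = client.getPreAuthorizedToken();
        if (accessToken == null || !accessToken.isPreAuthorized()) {
            LOG.warning("Preauthorized access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
    }
    List<OAuthPermission> permissions = accessToken.getScopes();
    List<OAuthPermission> matchingPermissions = new ArrayList<>();
    for (OAuthPermission perm : permissions) {
        boolean uriOK = checkRequestURI(req, perm.getUris());
        boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
        if (uriOK && verbOK) {
            matchingPermissions.add(perm);
        }
    }
    // A token with no scopes at all is accepted; a scoped token must match at least one.
    if (!permissions.isEmpty() && matchingPermissions.isEmpty()) {
        String message = "Client has no valid permissions";
        LOG.warning(message);
        throw new OAuthProblemException(message);
    }
    return new OAuthInfo(accessToken, matchingPermissions);
}

/**
 * Compares a presented consumer secret with the expected one without leaking,
 * through timing, how many leading characters match.
 *
 * @param presented secret supplied by the caller
 * @param expected  secret registered for the client
 * @return {@code true} only when both are non-null and byte-for-byte equal
 */
private static boolean constantTimeSecretEquals(String presented, String expected) {
    if (presented == null || expected == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
            presented.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            expected.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}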
