Use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock: class TokenGenerationService, method createInstance.
/**
 * Issues a token for the subject described by the request payload.
 *
 * <p>Pipeline: parse the invocation state from the request content, validate the
 * asserted subject session, load the STS instance state, then dispatch on the
 * requested token type (SAML2 or OpenID Connect). Every failure is returned as a
 * failed promise rather than thrown.
 *
 * @param context the request context (not consulted here)
 * @param request the create request whose content carries the
 *        {@code TokenGenerationServiceInvocationState} as JSON
 * @return a promise resolving to the issued-token resource, or failing with
 *         {@code BadRequestException} (unparseable payload or unknown token type),
 *         {@code ForbiddenException} (subject session rejected), the
 *         {@code ResourceException} raised while loading STS state, the
 *         {@code TokenCreationException} raised by the generator, or
 *         {@code InternalServerErrorException} for any other generation failure
 */
@Override
public Promise<ResourceResponse, ResourceException> createInstance(Context context, CreateRequest request) {
    final TokenGenerationServiceInvocationState state;
    try {
        state = TokenGenerationServiceInvocationState.fromJson(request.getContent());
    } catch (Exception e) {
        logger.error("Exception caught marshalling json into TokenGenerationServiceInvocationState instance: " + e);
        // NOTE(review): the parser's message is echoed to the client as the error detail — confirm it carries nothing sensitive
        return new BadRequestException(e.getMessage(), e).asPromise();
    }

    final SSOToken subject;
    try {
        subject = validateAssertionSubjectSession(state);
    } catch (ForbiddenException e) {
        return e.asPromise();
    }

    final STSInstanceState stsState;
    try {
        stsState = getSTSInstanceState(state);
    } catch (ResourceException e) {
        return e.asPromise();
    }

    if (TokenType.SAML2.equals(state.getTokenType())) {
        try {
            final String saml2Assertion = saml2TokenGeneration.generate(subject, stsState, state);
            return newResultPromise(issuedTokenResource(saml2Assertion));
        } catch (TokenCreationException e) {
            logger.error("Exception caught generating saml2 token: " + e, e);
            return e.asPromise();
        } catch (Exception e) {
            logger.error("Exception caught generating saml2 token: " + e, e);
            // NOTE(review): e.toString() (exception class + message) becomes the client-visible error detail
            return new InternalServerErrorException(e.toString(), e).asPromise();
        }
    }

    if (TokenType.OPENIDCONNECT.equals(state.getTokenType())) {
        try {
            final String oidcToken = openIdConnectTokenGeneration.generate(subject, stsState, state);
            return newResultPromise(issuedTokenResource(oidcToken));
        } catch (TokenCreationException e) {
            logger.error("Exception caught generating OpenIdConnect token: " + e, e);
            return e.asPromise();
        } catch (Exception e) {
            logger.error("Exception caught generating OpenIdConnect token: " + e, e);
            // NOTE(review): e.toString() (exception class + message) becomes the client-visible error detail
            return new InternalServerErrorException(e.toString(), e).asPromise();
        }
    }

    // Neither supported token type was requested: reject rather than guess.
    final String message = "Bad request: unexpected token type:" + state.getTokenType();
    logger.error(message);
    return new BadRequestException(message).asPromise();
}
Use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock: class IdentityServicesImpl, method delete.
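/**
 * Deletes an {@code AMIdentity} from the identity repository that matches
 * the details specified in {@code identity}.
 *
 * <p>Special (system) users are never deleted; a {@code ForbiddenException} is
 * raised for them. For groups and roles, user memberships are detached first so
 * the repository is not left with dangling member references.
 *
 * @param identity The identity to delete; its realm defaults to {@code "/"} when absent.
 * @param admin The admin token.
 * @throws BadRequestException If {@code identity} is null or the admin token is rejected.
 * @throws NotFoundException If the identity has no name or does not exist in the repository.
 * @throws ForbiddenException If the identity is a special user.
 * @throws ResourceException If a problem occurs.
 */
public void delete(IdentityDetails identity, SSOToken admin) throws ResourceException {
    if (identity == null) {
        throw new BadRequestException("delete failed: identity object not specified.");
    }
    final String name = identity.getName();
    final String identityType = identity.getType();
    String realm = identity.getRealm();
    if (name == null) {
        throw new NotFoundException("delete failed: null object name.");
    }
    if (realm == null) {
        realm = "/";
    }
    try {
        AMIdentity amIdentity = getAMIdentity(admin, identityType, name, realm);
        if (amIdentity == null) {
            String msg = "Object \'" + name + "\' of type \'" + identityType + "\' was not found.";
            throw new NotFoundException(msg);
        }
        // Protect built-in accounts from removal regardless of who the caller is.
        if (isSpecialUser(amIdentity)) {
            throw new ForbiddenException("Cannot delete user.");
        }
        AMIdentityRepository repo = getRepo(admin, realm);
        IdType idType = amIdentity.getType();
        if (IdType.GROUP.equals(idType) || IdType.ROLE.equals(idType)) {
            // First remove users from memberships
            Set<AMIdentity> members = getMembers(amIdentity, IdType.USER);
            for (AMIdentity member : members) {
                try {
                    removeMember(repo, amIdentity, member);
                } catch (IdRepoException ignored) {
                    // Best effort: the member may already have been removed.
                }
            }
        }
        deleteAMIdentity(repo, amIdentity);
    } catch (IdRepoException ex) {
        debug.error("IdentityServicesImpl:delete", ex);
        throw RESOURCE_MAPPING_HANDLER.handleError(ex);
    } catch (SSOException ex) {
        debug.error("IdentityServicesImpl:delete", ex);
        // Keep the cause so the failure chain survives the mapping to a ResourceException.
        throw new BadRequestException(ex.getMessage(), ex);
    } catch (ObjectNotFound e) {
        debug.error("IdentityServicesImpl:delete", e);
        throw new NotFoundException(e.getMessage(), e);
    }
}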
Use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock: class IdentityResourceExceptionMappingHandler, method handleError.
/**
 * Maps an {@code IdRepoException} onto the {@code ResourceException} reported to the
 * REST caller.
 *
 * <p>Resolution order, first match wins: password-policy failures are classified by
 * their LDAP result code (insufficient access rights -> 403, everything else -> 400
 * with a message rewritten for invalid-credentials and constraint-violation cases);
 * then the LDAP result code of any other failure (no such object -> 404, not allowed
 * on RDN -> 403); then the numeric IdRepo error code (object not found -> 404, access
 * denied -> 403); anything left is reported as a 500.
 *
 * @param idRepoException the repository failure to translate
 * @return the mapped resource exception, never null
 */
@Override
public ResourceException handleError(IdRepoException idRepoException) {
    // NOTE(review): Integer.valueOf throws NumberFormatException for a non-numeric error code — confirm every IdRepo code is numeric
    final int errorCode = Integer.valueOf(idRepoException.getErrorCode());
    final ResultCode ldapCode = ResultCode.valueOf(idRepoException.getLdapErrorIntCode());

    if (idRepoException instanceof PasswordPolicyException) {
        if (ldapCode == ResultCode.INSUFFICIENT_ACCESS_RIGHTS) {
            return new ForbiddenException(idRepoException);
        }
        // Rebuild the exception so its message reflects the LDAP outcome.
        IdRepoException reported = idRepoException;
        if (ldapCode == ResultCode.INVALID_CREDENTIALS) {
            reported = new PasswordPolicyException(ldapCode, IdRepoErrorCode.OLD_PASSWORD_INCORRECT, idRepoException.getMessageArgs());
        } else if (ldapCode == ResultCode.CONSTRAINT_VIOLATION) {
            reported = new PasswordPolicyException(idRepoException.getConstraintViolationDetails());
        }
        return new BadRequestException(reported.getMessage());
    }

    // LDAP result code takes precedence over the generic IdRepo code.
    if (ldapCode == ResultCode.NO_SUCH_OBJECT) {
        return new NotFoundException(idRepoException);
    }
    if (ldapCode == ResultCode.NOT_ALLOWED_ON_RDN) {
        return new ForbiddenException(idRepoException);
    }

    if (errorCode == GENERAL_OBJECT_NOT_FOUND) {
        return new NotFoundException(idRepoException);
    }
    if (errorCode == GENERAL_ACCESS_DENIED) {
        return new ForbiddenException(idRepoException);
    }
    // NOTE(review): the wrapped exception's message becomes the client-visible detail of the 500 — confirm it exposes nothing internal
    return new InternalServerErrorException(idRepoException);
}
Use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock: class RestUtils, method hasPermission.
/**
 * Asserts that the caller identified by the session cookie in {@code context} is the
 * configured administrator.
 *
 * <p>A session token is created from the request cookie, validated and refreshed, and
 * the identity behind it is compared with {@code AdminUserIdHolder.adminUserId}; any
 * other identity is rejected with a 403.
 * NOTE(review): the session is refreshed before the admin comparison, so a caller that
 * turns out not to be the admin still has its session extended — confirm that is intended.
 *
 * @param context the request context carrying the session cookie
 * @throws SSOException propagated from the token manager calls
 * @throws IdRepoException propagated from resolving the identity behind the token
 * @throws ForbiddenException if the caller is not the administrator
 */
public static void hasPermission(final Context context) throws SSOException, IdRepoException, ForbiddenException {
    final SSOTokenManager tokenManager = SSOTokenManager.getInstance();
    final SSOToken callerToken = tokenManager.createSSOToken(getCookieFromServerContext(context));
    tokenManager.validateToken(callerToken);
    tokenManager.refreshSession(callerToken);
    final boolean callerIsAdmin = new AMIdentity(callerToken).equals(AdminUserIdHolder.adminUserId);
    if (callerIsAdmin) {
        return;
    }
    debug.error("Unauthorized user.");
    throw new ForbiddenException("Access Denied");
}
Use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock: class SmsRealmProvider, method handleDelete.
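/**
 * Deletes the realm resolved from {@code serverContext}.
 *
 * <p>The realm's representation is captured before the delete so it can be returned as
 * the response body. SMS failures are translated through {@code configureErrorMessage};
 * client-attributable outcomes (not found, forbidden, permanent, conflict, bad request)
 * are returned unchanged, while any other mapped failure and any non-SMS exception is
 * reported as a {@code BadRequestException}. Every failure is now logged before it is
 * mapped so the root cause is not lost.
 *
 * @param serverContext the request context; must carry a {@code RealmContext}
 * @param request the delete request (the realm comes from the context, not from here)
 * @return a promise resolving to the deleted realm's representation, or failing with
 *         the mapped {@code ResourceException}
 */
@Override
public Promise<ResourceResponse, ResourceException> handleDelete(Context serverContext, DeleteRequest request) {
    RealmContext realmContext = serverContext.asContext(RealmContext.class);
    final String realmPath = realmContext.getResolvedRealm();
    try {
        OrganizationConfigManager realmManager = new OrganizationConfigManager(getSSOToken(), realmPath);
        // Snapshot the realm before it disappears; this is what the caller gets back.
        final ResourceResponse resource = getResource(getJsonValue(realmPath));
        realmManager.deleteSubOrganization(null, false);
        String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(serverContext);
        debug.message("RealmResource.deleteInstance :: DELETE of realm " + realmPath + " performed by " + principalName);
        return newResultPromise(resource);
    } catch (SMSException smse) {
        ResourceException exception = configureErrorMessage(smse);
        if (exception instanceof NotFoundException) {
            debug.warning("RealmResource.deleteInstance() : Cannot find {}", realmPath, smse);
            return exception.asPromise();
        }
        if (isReturnedUnchanged(exception)) {
            debug.warning("RealmResource.deleteInstance() : Cannot DELETE {}", realmPath, smse);
            return exception.asPromise();
        }
        return new BadRequestException(exception.getMessage(), exception).asPromise();
    } catch (Exception e) {
        // Log before mapping: otherwise an unexpected failure leaves no trace beyond the 400.
        debug.error("RealmResource.deleteInstance() : Unexpected failure deleting realm " + realmPath, e);
        return new BadRequestException(e.getMessage(), e).asPromise();
    }
}

/** True for the mapped SMS failures that are handed back to the client as they are. */
private static boolean isReturnedUnchanged(ResourceException exception) {
    return exception instanceof ForbiddenException
            || exception instanceof PermanentException
            || exception instanceof ConflictException
            || exception instanceof BadRequestException;
}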