Search in sources :

Example 6 with AccessDeniedException

use of org.forgerock.oauth2.core.exceptions.AccessDeniedException in project OpenAM by OpenRock.

the class OpenAMResourceOwnerSessionValidator method validate.

/**
     * {@inheritDoc}
     */
public ResourceOwner validate(OAuth2Request request) throws ResourceOwnerAuthenticationRequired, AccessDeniedException, BadRequestException, InteractionRequiredException, LoginRequiredException, ServerException, NotFoundException {
    final OpenIdPrompt openIdPrompt = new OpenIdPrompt(request);
    if (!openIdPrompt.isValid()) {
        String message = "Invalid prompt parameter \"" + openIdPrompt.getOriginalValue() + "\"";
        logger.message(message);
        throw new BadRequestException(message);
    }
    SSOToken token = null;
    try {
        token = ssoTokenManager.createSSOToken(getHttpServletRequest(request.<Request>getRequest()));
    } catch (SSOException e) {
        logger.warning("Error authenticating user against OpenAM: ", e);
    }
    try {
        if (token == null) {
            token = ssoTokenManager.createSSOToken(request.getSession());
        }
    } catch (SSOException e) {
        logger.warning("Error authenticating user against OpenAM: ", e);
    }
    try {
        if (token != null) {
            try {
                // As the organization in the token is stored in lowercase, we need to lower case the auth2realm
                String auth2Realm = dnWrapper.orgNameToDN(realmNormaliser.normalise((String) request.getParameter("realm"))).toLowerCase();
                String tokenRealm = token.getProperty("Organization");
                // auth2Realm can't be null as we would have an error earlier
                if (!auth2Realm.equals(tokenRealm)) {
                    throw authenticationRequired(request);
                }
            } catch (SSOException e) {
                throw new AccessDeniedException(e);
            }
            if (openIdPrompt.containsLogin()) {
                throw authenticationRequired(request, token);
            }
            final String acrValuesStr = request.getParameter(ACR_VALUES);
            if (acrValuesStr != null) {
                setCurrentAcr(token, request, acrValuesStr);
            }
            try {
                final long authTime = stringToDate(token.getProperty(ISAuthConstants.AUTH_INSTANT)).getTime();
                if (isPastMaxAge(getMaxAge(request), authTime)) {
                    alterMaxAge(request);
                    throw authenticationRequired(request, token);
                }
                final AMIdentity id = IdUtils.getIdentity(AccessController.doPrivileged(AdminTokenAction.getInstance()), token.getProperty(Constants.UNIVERSAL_IDENTIFIER));
                return new OpenAMResourceOwner(id.getName(), id, authTime);
            } catch (Exception e) {
                //Exception as chance of MANY exception types here.
                logger.error("Error authenticating user against OpenAM: ", e);
                throw new LoginRequiredException();
            }
        } else if (PASSWORD.equals(request.getParameter(GRANT_TYPE))) {
            // been null from the attempted creation in L148.
            return getResourceOwner(request.getToken(AccessToken.class));
        } else {
            if (openIdPrompt.containsNone()) {
                logger.error("Not pre-authenticated and prompt parameter equals none.");
                if (request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE) != null) {
                    throw new InteractionRequiredException(Utils.isOpenIdConnectFragmentErrorType(splitResponseType(request.<String>getParameter(RESPONSE_TYPE))) ? FRAGMENT : QUERY);
                } else {
                    throw new InteractionRequiredException();
                }
            } else if (!isRefreshToken(request)) {
                throw authenticationRequired(request);
            } else {
                return getResourceOwner(request.getToken(RefreshToken.class));
            }
        }
    } catch (SSOException | UnsupportedEncodingException | URISyntaxException e) {
        throw new AccessDeniedException(e);
    }
}
Also used : LoginRequiredException(org.forgerock.oauth2.core.exceptions.LoginRequiredException) InteractionRequiredException(org.forgerock.oauth2.core.exceptions.InteractionRequiredException) AccessDeniedException(org.forgerock.oauth2.core.exceptions.AccessDeniedException) SSOToken(com.iplanet.sso.SSOToken) UnsupportedEncodingException(java.io.UnsupportedEncodingException) SSOException(com.iplanet.sso.SSOException) URISyntaxException(java.net.URISyntaxException) OpenIdPrompt(org.forgerock.openidconnect.OpenIdPrompt) URISyntaxException(java.net.URISyntaxException) InvalidClientAuthZHeaderException(org.forgerock.oauth2.core.exceptions.InvalidClientAuthZHeaderException) ParseException(java.text.ParseException) EncodingException(org.owasp.esapi.errors.EncodingException) ServerException(org.forgerock.oauth2.core.exceptions.ServerException) NotFoundException(org.forgerock.oauth2.core.exceptions.NotFoundException) UnauthorizedClientException(org.forgerock.oauth2.core.exceptions.UnauthorizedClientException) SSOException(com.iplanet.sso.SSOException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) TemplateException(freemarker.template.TemplateException) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) BadRequestException(org.forgerock.oauth2.core.exceptions.BadRequestException) LoginRequiredException(org.forgerock.oauth2.core.exceptions.LoginRequiredException) InteractionRequiredException(org.forgerock.oauth2.core.exceptions.InteractionRequiredException) IOException(java.io.IOException) InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException) AccessDeniedException(org.forgerock.oauth2.core.exceptions.AccessDeniedException) RefreshToken(org.forgerock.oauth2.core.RefreshToken) AMIdentity(com.sun.identity.idm.AMIdentity) BadRequestException(org.forgerock.oauth2.core.exceptions.BadRequestException)

Aggregations

OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)4 UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)3 Locale (java.util.Locale)2 HttpServletRequest (javax.servlet.http.HttpServletRequest)2 OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)2 AccessDeniedException (org.forgerock.oauth2.core.exceptions.AccessDeniedException)2 InvalidRequestException (org.forgerock.oauth2.core.exceptions.InvalidRequestException)2 NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)2 ServerException (org.forgerock.oauth2.core.exceptions.ServerException)2 Request (org.restlet.Request)2 SSOException (com.iplanet.sso.SSOException)1 SSOToken (com.iplanet.sso.SSOToken)1 AMIdentity (com.sun.identity.idm.AMIdentity)1 ValidationException (com.sun.identity.shared.validation.ValidationException)1 Template (freemarker.template.Template)1 TemplateException (freemarker.template.TemplateException)1 IOException (java.io.IOException)1 UnsupportedEncodingException (java.io.UnsupportedEncodingException)1 MalformedURLException (java.net.MalformedURLException)1 URI (java.net.URI)1