use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class ClientsManagementService method unregisterNode.
/**
 * URL invoked by an adapter to unregister a client cluster node (the Javadoc previously
 * described the register endpoint; this method removes a node).
 *
 * @param authorizationHeader the request's {@code Authorization} header; not read in this
 *        method body, client authentication is delegated to {@code authorizeClient()}
 * @param formData the POSTed form parameters from which the node's cluster host is taken
 * @return an empty {@code 204 No Content} response once the node has been unregistered
 * @throws ForbiddenException if {@code checkSsl()} rejects the request transport
 * @throws NotAuthorizedException if the realm is disabled
 */
@Path("unregister-node")
@POST
@Produces(MediaType.APPLICATION_JSON)
public Response unregisterNode(@HeaderParam(HttpHeaders.AUTHORIZATION) String authorizationHeader, final MultivaluedMap<String, String> formData) {
    // Transport check runs first so nothing is authenticated or recorded when it fails.
    if (!checkSsl()) {
        throw new ForbiddenException("HTTPS required");
    }
    event.event(EventType.UNREGISTER_NODE);
    if (!realm.isEnabled()) {
        event.error(Errors.REALM_DISABLED);
        throw new NotAuthorizedException("Realm not enabled");
    }
    // The client is authenticated before any form data is interpreted.
    final ClientModel callingClient = authorizeClient();
    final String clusterHost = getClientClusterHost(formData);
    event.client(callingClient).detail(Details.NODE_HOST, clusterHost);
    logger.debugf("Unregistering cluster host '%s' for client '%s'", clusterHost, callingClient.getClientId());
    callingClient.unregisterNode(clusterHost);
    event.success();
    return Response.noContent().build();
}
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class ClientsResource method getClient.
/**
 * Base path for managing a specific client.
 *
 * @param id id of client (not client-id)
 * @return the sub-resource that handles the client with the given internal id
 * @throws NotFoundException if no such client exists and the caller is allowed to list clients
 * @throws ForbiddenException if no such client exists and the caller is not allowed to list clients
 */
@Path("{id}")
public ClientResource getClient(@PathParam("id") final String id) {
    final ClientModel found = realm.getClientById(id);
    if (found == null) {
        // Callers without list permission get 403 whether or not the id exists, so the
        // status code does not reveal which client ids are valid.
        if (!auth.clients().canList()) {
            throw new ForbiddenException();
        }
        throw new NotFoundException("Could not find client");
    }
    session.getContext().setClient(found);
    final ClientResource resource = new ClientResource(realm, auth, found, session, adminEvent);
    ResteasyProviderFactory.getInstance().injectProperties(resource);
    return resource;
}
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class UserResource method updateUser.
/**
 * Update the user.
 *
 * Requires manage permission on the target user before anything else is done. Clearing of
 * login failures and the permanent-lockout clean-up only happen when the representation
 * explicitly enables the user.
 *
 * @param rep the user representation with the new values
 * @return {@code 204 No Content} on success, otherwise an error response: a conflict when the
 *         username or email is already taken, and {@code 400 Bad Request} for read-only users
 *         or any other model failure
 * @throws ForbiddenException if the caller may not manage this user (propagated unchanged)
 */
@PUT
@Consumes(MediaType.APPLICATION_JSON)
public Response updateUser(final UserRepresentation rep) {
// Authorization check precedes all reads and writes.
auth.users().requireManage(user);
try {
boolean wasPermanentlyLockedOut = false;
// isEnabled() is a boxed Boolean here; null means "not specified" and is treated as no change.
if (rep.isEnabled() != null && rep.isEnabled()) {
UserLoginFailureModel failureModel = session.loginFailures().getUserLoginFailure(realm, user.getId());
if (failureModel != null) {
failureModel.clearFailures();
}
// Remembered before the update so the lockout can be cleaned up afterwards (see below).
wasPermanentlyLockedOut = session.getProvider(BruteForceProtector.class).isPermanentlyLockedOut(session, realm, user);
}
UserProfile profile = session.getProvider(UserProfileProvider.class).create(USER_API, rep.toAttributes(), user);
// A non-null response is a validation failure that is returned to the caller as-is.
Response response = validateUserProfile(profile, user, session);
if (response != null) {
return response;
}
profile.update(rep.getAttributes() != null);
updateUserFromRep(profile, user, rep, session, true);
RepresentationToModel.createCredentials(rep, session, realm, user, true);
// we need to do it here as the attributes would be overwritten by what is in the rep
if (wasPermanentlyLockedOut) {
session.getProvider(BruteForceProtector.class).cleanUpPermanentLockout(session, realm, user);
}
adminEvent.operation(OperationType.UPDATE).resourcePath(session.getContext().getUri()).representation(rep).success();
if (session.getTransactionManager().isActive()) {
session.getTransactionManager().commit();
}
return Response.noContent().build();
} catch (ModelDuplicateException e) {
return ErrorResponse.exists("User exists with same username or email");
} catch (ReadOnlyException re) {
return ErrorResponse.error("User is read only!", Status.BAD_REQUEST);
} catch (ModelException me) {
logger.warn("Could not update user!", me);
return ErrorResponse.error("Could not update user!", Status.BAD_REQUEST);
} catch (ForbiddenException fe) {
// Rethrown so that an authorization failure is not downgraded to a 400 by the catch-all below.
throw fe;
} catch (Exception me) {
// Catch-all for failures raised while the transaction is committed (the original comment
// refers to JPA/JTA commit behaviour); the cause is logged, the caller only sees a generic 400.
logger.warn("Could not update user!", me);
return ErrorResponse.error("Could not update user!", Status.BAD_REQUEST);
}
}
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class UserResource method setCredentialUserLabel.
/**
 * Update a credential label for a user.
 *
 * @param credentialId id of the stored credential whose label is changed
 * @param userLabel the new label, taken from the plain-text request body
 * @throws NotFoundException if the credential does not exist and the caller may query users
 * @throws ForbiddenException if the caller may not manage this user, or if the credential does not
 *         exist and the caller may not query users
 */
@PUT
@Consumes(javax.ws.rs.core.MediaType.TEXT_PLAIN)
@Path("credentials/{credentialId}/userLabel")
public void setCredentialUserLabel(@PathParam("credentialId") final String credentialId, String userLabel) {
    // Manage permission on the user is required before the credential id is even looked up.
    auth.users().requireManage(user);
    final CredentialModel stored = session.userCredentialManager().getStoredCredentialById(realm, user, credentialId);
    if (stored == null) {
        // A 404 is only returned to callers who may query users, so that the status code
        // does not confirm the existence of credential ids to anyone else.
        if (!auth.users().canQuery()) {
            throw new ForbiddenException();
        }
        throw new NotFoundException("Credential not found");
    }
    session.userCredentialManager().updateCredentialLabel(realm, user, credentialId, userLabel);
}
use of org.keycloak.services.ForbiddenException in project keycloak by keycloak.
the class RealmsAdminResource method getRealmAdmin.
/**
 * Base path for the admin REST API for one particular realm.
 *
 * @param headers the request headers (not referenced in this method body)
 * @param name realm name (not id!)
 * @return the admin sub-resource for the named realm
 * @throws NotFoundException if no realm with that name exists
 * @throws ForbiddenException if the caller is authenticated neither against the administration
 *         realm nor against the requested realm itself
 */
@Path("{realm}")
public RealmAdminResource getRealmAdmin(@Context final HttpHeaders headers, @PathParam("realm") final String name) {
    final RealmManager manager = new RealmManager(session);
    final RealmModel target = manager.getRealmByName(name);
    if (target == null) {
        throw new NotFoundException("Realm not found.");
    }
    final RealmModel callerRealm = auth.getRealm();
    final boolean fromAdminRealm = callerRealm.equals(manager.getKeycloakAdminstrationRealm());
    // NOTE(review): the 404 above is raised before this access check, so a caller from an unrelated
    // realm can distinguish existing realm names from missing ones by status code. Kept as is,
    // since reordering would change the responses existing callers observe.
    if (!fromAdminRealm && !callerRealm.equals(target)) {
        throw new ForbiddenException();
    }
    final AdminPermissionEvaluator targetAuth = AdminPermissions.evaluator(session, target, auth);
    final AdminEventBuilder targetEvents = new AdminEventBuilder(target, auth, session, clientConnection);
    session.getContext().setRealm(target);
    final RealmAdminResource resource = new RealmAdminResource(targetAuth, target, tokenManager, targetEvents);
    ResteasyProviderFactory.getInstance().injectProperties(resource);
    return resource;
}