use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.
the class OAuth20IntrospectionEndpointController method handlePostRequest.
/**
* Handle post request.
*
* @param request the request
* @param response the response
* @return the response entity
*/
@PostMapping(consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE, produces = MediaType.APPLICATION_JSON_VALUE, value = '/' + OAuth20Constants.BASE_OAUTH20_URL + '/' + OAuth20Constants.INTROSPECTION_URL)
public ResponseEntity<OAuth20IntrospectionAccessTokenResponse> handlePostRequest(final HttpServletRequest request, final HttpServletResponse response) {
ResponseEntity<OAuth20IntrospectionAccessTokenResponse> result;
try {
val authExtractor = new BasicAuthExtractor();
val context = new JEEContext(request, response);
val credentialsResult = authExtractor.extract(context, getConfigurationContext().getSessionStore());
if (credentialsResult.isEmpty()) {
LOGGER.warn("Unable to locate and extract credentials from the request");
return buildUnauthorizedResponseEntity(OAuth20Constants.INVALID_CLIENT, true);
}
val credentials = (UsernamePasswordCredentials) credentialsResult.get();
val service = OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), credentials.getUsername());
if (service == null) {
LOGGER.warn("Unable to locate service definition by client id [{}]", credentials.getUsername());
return buildUnauthorizedResponseEntity(OAuth20Constants.INVALID_CLIENT, true);
}
val validationError = validateIntrospectionRequest(service, credentials, request);
if (validationError.isPresent()) {
result = validationError.get();
} else {
val accessToken = StringUtils.defaultIfBlank(request.getParameter(OAuth20Constants.TOKEN), request.getParameter(OAuth20Constants.ACCESS_TOKEN));
LOGGER.debug("Located access token [{}] in the request", accessToken);
var ticket = (OAuth20AccessToken) null;
try {
val token = extractAccessTokenFrom(accessToken);
ticket = getConfigurationContext().getCentralAuthenticationService().getTicket(token, OAuth20AccessToken.class);
} catch (final InvalidTicketException e) {
LOGGER.trace(e.getMessage(), e);
LOGGER.info("Unable to fetch access token [{}]: [{}]", accessToken, e.getMessage());
}
val introspect = createIntrospectionValidResponse(ticket);
result = new ResponseEntity<>(introspect, HttpStatus.OK);
}
} catch (final Exception e) {
LoggingUtils.error(LOGGER, e);
result = new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);
}
return result;
}
use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.
the class BasicAuthenticationAction method constructCredentialsFromRequest.
@Override
protected Credential constructCredentialsFromRequest(final RequestContext requestContext) {
try {
val request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
val response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
val extractor = new BasicAuthExtractor();
val webContext = new JEEContext(request, response);
val credentialsResult = extractor.extract(webContext, JEESessionStore.INSTANCE);
if (credentialsResult.isPresent()) {
val credentials = (UsernamePasswordCredentials) credentialsResult.get();
LOGGER.debug("Received basic authentication request from credentials [{}]", credentials);
return new UsernamePasswordCredential(credentials.getUsername(), credentials.getPassword());
}
} catch (final Exception e) {
LoggingUtils.warn(LOGGER, e);
}
return null;
}
use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.
the class OAuth20ProofKeyCodeExchangeAuthenticatorTests method verifyAuthenticationPlainWithSecretTransmittedByBasicAuthn.
@Test
public void verifyAuthenticationPlainWithSecretTransmittedByBasicAuthn() throws Exception {
val credentials = new UsernamePasswordCredentials("client", "secret");
val request = new MockHttpServletRequest();
ticketRegistry.addTicket(new OAuth20DefaultCode("CODE-1234567890", RegisteredServiceTestUtils.getService(), RegisteredServiceTestUtils.getAuthentication(), new HardTimeoutExpirationPolicy(10), new MockTicketGrantingTicket("casuser"), new ArrayList<>(), "ABCD123", "plain", "clientid12345", new HashMap<>(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE));
request.addHeader("Authorization", "Basic " + EncodingUtils.encodeBase64("client:secret"));
request.addParameter(OAuth20Constants.CODE_VERIFIER, "ABCD123");
request.addParameter(OAuth20Constants.CODE, "CODE-1234567890");
val ctx = new JEEContext(request, new MockHttpServletResponse());
authenticator.validate(credentials, ctx, JEESessionStore.INSTANCE);
assertNotNull(credentials.getUserProfile());
assertEquals("client", credentials.getUserProfile().getId());
}
use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.
the class OAuth20ProofKeyCodeExchangeAuthenticatorTests method verifyAuthenticationHashedWithoutSecret.
@Test
public void verifyAuthenticationHashedWithoutSecret() throws Exception {
val hash = EncodingUtils.encodeUrlSafeBase64(DigestUtils.rawDigestSha256("ABCD123"));
val credentials = new UsernamePasswordCredentials("clientWithoutSecret", "ABCD123");
val request = new MockHttpServletRequest();
val ticket = new OAuth20DefaultCode("CODE-1234567890", RegisteredServiceTestUtils.getService(), RegisteredServiceTestUtils.getAuthentication(), new HardTimeoutExpirationPolicy(10), new MockTicketGrantingTicket("casuser"), new ArrayList<>(), hash, "s256", "clientid12345", new HashMap<>(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
ticketRegistry.addTicket(ticket);
request.addParameter(OAuth20Constants.CLIENT_ID, "clientWithoutSecret");
request.addParameter(OAuth20Constants.CODE_VERIFIER, "ABCD123");
request.addParameter(OAuth20Constants.CODE, ticket.getId());
val ctx = new JEEContext(request, new MockHttpServletResponse());
authenticator.validate(credentials, ctx, JEESessionStore.INSTANCE);
assertNotNull(credentials.getUserProfile());
assertEquals("clientWithoutSecret", credentials.getUserProfile().getId());
}
use of org.pac4j.core.credentials.UsernamePasswordCredentials in project cas by apereo.
the class OAuth20ProofKeyCodeExchangeAuthenticatorTests method verifyAuthenticationNotHashedCorrectly.
@Test
public void verifyAuthenticationNotHashedCorrectly() throws Exception {
val credentials = new UsernamePasswordCredentials("client", "ABCD123");
val request = new MockHttpServletRequest();
val ticket = new OAuth20DefaultCode("CODE-1234567890", RegisteredServiceTestUtils.getService(), RegisteredServiceTestUtils.getAuthentication(), new HardTimeoutExpirationPolicy(10), new MockTicketGrantingTicket("casuser"), new ArrayList<>(), "something-else", "s256", "clientid12345", new HashMap<>(), OAuth20ResponseTypes.CODE, OAuth20GrantTypes.AUTHORIZATION_CODE);
ticketRegistry.addTicket(ticket);
request.addParameter(OAuth20Constants.CLIENT_ID, "client");
request.addParameter(OAuth20Constants.CODE_VERIFIER, "ABCD123");
request.addParameter(OAuth20Constants.CLIENT_SECRET, "secret");
request.addParameter(OAuth20Constants.CODE, ticket.getId());
val ctx = new JEEContext(request, new MockHttpServletResponse());
assertThrows(CredentialsException.class, () -> authenticator.validate(credentials, ctx, JEESessionStore.INSTANCE));
}
Aggregations