Example 26 with JEEContext
use of org.pac4j.jee.context.JEEContext in project cas by apereo.
the class OAuth20AuthorizeEndpointController method prepareAccessTokenRequestContext.
/**
* Build access token request context.
*
* @param authzRequest the authz request
* @param registeredService the registered service
* @param context the context
* @param service the service
* @param authentication the authentication
* @return the access token request context
* @throws Exception the exception
*/
protected AccessTokenRequestContext prepareAccessTokenRequestContext(final OAuth20AuthorizationRequest authzRequest, final OAuthRegisteredService registeredService, final JEEContext context, final Service service, final Authentication authentication) throws Exception {
var payloadBuilder = AccessTokenRequestContext.builder();
if (authzRequest.isSingleSignOnSessionRequired()) {
val tgt = getConfigurationContext().fetchTicketGrantingTicketFrom(context);
payloadBuilder = payloadBuilder.ticketGrantingTicket(tgt);
}
val redirectUri = getConfigurationContext().getRequestParameterResolver().resolveRequestParameter(context, OAuth20Constants.REDIRECT_URI).map(String::valueOf).orElse(StringUtils.EMPTY);
val grantType = context.getRequestParameter(OAuth20Constants.GRANT_TYPE).map(String::valueOf).orElseGet(OAuth20GrantTypes.AUTHORIZATION_CODE::getType).toUpperCase();
val scopes = getConfigurationContext().getRequestParameterResolver().resolveRequestScopes(context);
val codeChallenge = context.getRequestParameter(OAuth20Constants.CODE_CHALLENGE).map(String::valueOf).orElse(StringUtils.EMPTY);
val challengeMethodsSupported = getConfigurationContext().getCasProperties().getAuthn().getOidc().getDiscovery().getCodeChallengeMethodsSupported();
val codeChallengeMethod = context.getRequestParameter(OAuth20Constants.CODE_CHALLENGE_METHOD).map(String::valueOf).filter(challengeMethodsSupported::contains).orElse(StringUtils.EMPTY).toUpperCase();
val userProfile = OAuth20Utils.getAuthenticatedUserProfile(context, getConfigurationContext().getSessionStore());
val claims = getConfigurationContext().getRequestParameterResolver().resolveRequestClaims(context);
val holder = payloadBuilder.service(service).authentication(authentication).registeredService(registeredService).grantType(getConfigurationContext().getRequestParameterResolver().resolveGrantType(context)).responseType(getConfigurationContext().getRequestParameterResolver().resolveResponseType(context)).codeChallenge(codeChallenge).codeChallengeMethod(codeChallengeMethod).scopes(scopes).clientId(authzRequest.getClientId()).redirectUri(redirectUri).userProfile(userProfile).claims(claims).responseMode(getConfigurationContext().getRequestParameterResolver().resolveResponseModeType(context)).build();
context.getRequestParameters().keySet().forEach(key -> context.getRequestParameter(key).ifPresent(value -> holder.getParameters().put(key, value)));
LOGGER.debug("Building authorization response for grant type [{}] with scopes [{}] for client id [{}]", grantType, scopes, authzRequest.getClientId());
return holder;
}
Also used :
lombok.val(lombok.val)
RegisteredServiceAccessStrategyUtils(org.apereo.cas.services.RegisteredServiceAccessStrategyUtils)
StringUtils(org.apache.commons.lang3.StringUtils)
BeanSupplier(org.apereo.cas.util.spring.beans.BeanSupplier)
WebContext(org.pac4j.core.context.WebContext)
AuthenticationCredentialsThreadLocalBinder(org.apereo.cas.authentication.AuthenticationCredentialsThreadLocalBinder)
AccessTokenRequestContext(org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext)
LoggingUtils(org.apereo.cas.util.LoggingUtils)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
Authentication(org.apereo.cas.authentication.Authentication)
OAuth20AuthorizationRequest(org.apereo.cas.support.oauth.web.response.OAuth20AuthorizationRequest)
GetMapping(org.springframework.web.bind.annotation.GetMapping)
OAuth20AuthorizationResponseBuilder(org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder)
PostMapping(org.springframework.web.bind.annotation.PostMapping)
OAuth20Constants(org.apereo.cas.support.oauth.OAuth20Constants)
Unchecked(org.jooq.lambda.Unchecked)
OAuth20Utils(org.apereo.cas.support.oauth.util.OAuth20Utils)
AuditableContext(org.apereo.cas.audit.AuditableContext)
OAuth20GrantTypes(org.apereo.cas.support.oauth.OAuth20GrantTypes)
lombok.val(lombok.val)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
OAuthRegisteredService(org.apereo.cas.support.oauth.services.OAuthRegisteredService)
ProfileManager(org.pac4j.core.profile.ProfileManager)
OrderComparator(org.springframework.core.OrderComparator)
Objects(java.util.Objects)
HttpStatus(org.springframework.http.HttpStatus)
ModelAndView(org.springframework.web.servlet.ModelAndView)
Slf4j(lombok.extern.slf4j.Slf4j)
Service(org.apereo.cas.authentication.principal.Service)
Optional(java.util.Optional)
PreventedException(org.apereo.cas.authentication.PreventedException)
JEEContext(org.pac4j.jee.context.JEEContext)
OAuth20GrantTypes(org.apereo.cas.support.oauth.OAuth20GrantTypes)
Example 27 with JEEContext
use of org.pac4j.jee.context.JEEContext in project cas by apereo.
the class OAuth20AuthorizeEndpointController method buildAuthorizationForRequest.
/**
* Build callback url for request string.
*
* @param registeredService the registered service
* @param context the context
* @param service the service
* @param authentication the authentication
* @return the model and view
*/
protected ModelAndView buildAuthorizationForRequest(final OAuthRegisteredService registeredService, final JEEContext context, final Service service, final Authentication authentication) {
val registeredBuilders = getConfigurationContext().getOauthAuthorizationResponseBuilders().getObject();
val authzRequest = registeredBuilders.stream().filter(BeanSupplier::isNotProxy).sorted(OrderComparator.INSTANCE).map(builder -> toAuthorizationRequest(registeredService, context, service, authentication, builder)).filter(Objects::nonNull).filter(Optional::isPresent).findFirst().orElseThrow(() -> new IllegalArgumentException("Unable to build authorization request")).get().build();
val payload = Optional.ofNullable(authzRequest.getAccessTokenRequest()).orElseGet(Unchecked.supplier(() -> prepareAccessTokenRequestContext(authzRequest, registeredService, context, service, authentication)));
return registeredBuilders.stream().filter(BeanSupplier::isNotProxy).sorted(OrderComparator.INSTANCE).filter(b -> b.supports(authzRequest)).findFirst().map(Unchecked.function(builder -> {
if (authzRequest.isSingleSignOnSessionRequired() && payload.getTicketGrantingTicket() == null) {
val message = String.format("Missing ticket-granting-ticket for client id [%s] and service [%s]", authzRequest.getClientId(), registeredService.getName());
LOGGER.error(message);
return OAuth20Utils.produceErrorView(new PreventedException(message));
}
return builder.build(payload);
})).orElseGet(() -> OAuth20Utils.produceErrorView(new PreventedException("Could not build the callback response")));
}
Also used :
lombok.val(lombok.val)
RegisteredServiceAccessStrategyUtils(org.apereo.cas.services.RegisteredServiceAccessStrategyUtils)
StringUtils(org.apache.commons.lang3.StringUtils)
BeanSupplier(org.apereo.cas.util.spring.beans.BeanSupplier)
WebContext(org.pac4j.core.context.WebContext)
AuthenticationCredentialsThreadLocalBinder(org.apereo.cas.authentication.AuthenticationCredentialsThreadLocalBinder)
AccessTokenRequestContext(org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext)
LoggingUtils(org.apereo.cas.util.LoggingUtils)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
Authentication(org.apereo.cas.authentication.Authentication)
OAuth20AuthorizationRequest(org.apereo.cas.support.oauth.web.response.OAuth20AuthorizationRequest)
GetMapping(org.springframework.web.bind.annotation.GetMapping)
OAuth20AuthorizationResponseBuilder(org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder)
PostMapping(org.springframework.web.bind.annotation.PostMapping)
OAuth20Constants(org.apereo.cas.support.oauth.OAuth20Constants)
Unchecked(org.jooq.lambda.Unchecked)
OAuth20Utils(org.apereo.cas.support.oauth.util.OAuth20Utils)
AuditableContext(org.apereo.cas.audit.AuditableContext)
OAuth20GrantTypes(org.apereo.cas.support.oauth.OAuth20GrantTypes)
lombok.val(lombok.val)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
OAuthRegisteredService(org.apereo.cas.support.oauth.services.OAuthRegisteredService)
ProfileManager(org.pac4j.core.profile.ProfileManager)
OrderComparator(org.springframework.core.OrderComparator)
Objects(java.util.Objects)
HttpStatus(org.springframework.http.HttpStatus)
ModelAndView(org.springframework.web.servlet.ModelAndView)
Slf4j(lombok.extern.slf4j.Slf4j)
Service(org.apereo.cas.authentication.principal.Service)
Optional(java.util.Optional)
PreventedException(org.apereo.cas.authentication.PreventedException)
JEEContext(org.pac4j.jee.context.JEEContext)
Optional(java.util.Optional)
BeanSupplier(org.apereo.cas.util.spring.beans.BeanSupplier)
PreventedException(org.apereo.cas.authentication.PreventedException)
Example 28 with JEEContext
use of org.pac4j.jee.context.JEEContext in project cas by apereo.
the class OAuth20IntrospectionEndpointController method handlePostRequest.
/**
* Handle post request.
*
* @param request the request
* @param response the response
* @return the response entity
*/
@PostMapping(value = '/' + OAuth20Constants.BASE_OAUTH20_URL + '/' + OAuth20Constants.INTROSPECTION_URL)
public ResponseEntity<OAuth20IntrospectionAccessTokenResponse> handlePostRequest(final HttpServletRequest request, final HttpServletResponse response) {
ResponseEntity<OAuth20IntrospectionAccessTokenResponse> result;
try {
val authExtractor = new BasicAuthExtractor();
val context = new JEEContext(request, response);
val credentialsResult = authExtractor.extract(context, getConfigurationContext().getSessionStore());
if (credentialsResult.isEmpty()) {
LOGGER.warn("Unable to locate and extract credentials from the request");
return buildUnauthorizedResponseEntity(OAuth20Constants.INVALID_CLIENT, true);
}
val credentials = (UsernamePasswordCredentials) credentialsResult.get();
val service = OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), credentials.getUsername());
if (service == null) {
LOGGER.warn("Unable to locate service definition by client id [{}]", credentials.getUsername());
return buildUnauthorizedResponseEntity(OAuth20Constants.INVALID_CLIENT, true);
}
val validationError = validateIntrospectionRequest(service, credentials, request);
if (validationError.isPresent()) {
result = validationError.get();
} else {
val accessToken = StringUtils.defaultIfBlank(request.getParameter(OAuth20Constants.TOKEN), request.getParameter(OAuth20Constants.ACCESS_TOKEN));
LOGGER.debug("Located access token [{}] in the request", accessToken);
OAuth20Token ticket = null;
try {
val token = extractAccessTokenFrom(accessToken);
ticket = getConfigurationContext().getCentralAuthenticationService().getTicket(token, OAuth20Token.class);
} catch (final InvalidTicketException e) {
LOGGER.trace(e.getMessage(), e);
LOGGER.info("Unable to fetch access token [{}]: [{}]", accessToken, e.getMessage());
}
val introspect = createIntrospectionValidResponse(ticket);
introspect.setToken(accessToken);
result = new ResponseEntity<>(introspect, HttpStatus.OK);
}
} catch (final Exception e) {
LoggingUtils.error(LOGGER, e);
result = new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);
}
return result;
}
Also used :
lombok.val(lombok.val)
OAuth20Token(org.apereo.cas.ticket.OAuth20Token)
BasicAuthExtractor(org.pac4j.core.credentials.extractor.BasicAuthExtractor)
ResponseEntity(org.springframework.http.ResponseEntity)
OAuth20IntrospectionAccessTokenResponse(org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenResponse)
InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException)
JEEContext(org.pac4j.jee.context.JEEContext)
InvalidTicketException(org.apereo.cas.ticket.InvalidTicketException)
UsernamePasswordCredentials(org.pac4j.core.credentials.UsernamePasswordCredentials)
PostMapping(org.springframework.web.bind.annotation.PostMapping)
Example 29 with JEEContext
use of org.pac4j.jee.context.JEEContext in project cas by apereo.
the class OAuth20HandlerInterceptorAdapter method clientNeedAuthentication.
/**
* Is the client requesting is a OAuth "public" client?
* An OAuth "public" client is one that does not define a secret like a mobile application.
*
* @param request the request
* @param response the response
* @return true/false
*/
protected boolean clientNeedAuthentication(final HttpServletRequest request, final HttpServletResponse response) {
val clientId = requestParameterResolver.getObject().resolveClientIdAndClientSecret(new JEEContext(request, response), this.sessionStore.getObject()).getLeft();
if (clientId.isEmpty()) {
return true;
}
val registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(servicesManager.getObject(), clientId);
return registeredService == null || OAuth20Utils.doesServiceNeedAuthentication(registeredService);
}
Also used :
lombok.val(lombok.val)
JEEContext(org.pac4j.jee.context.JEEContext)
Example 30 with JEEContext
use of org.pac4j.jee.context.JEEContext in project cas by apereo.
the class OAuth20HandlerInterceptorAdapter method requestRequiresAuthentication.
/**
* Request requires authentication.
*
* @param request the request
* @param response the response
* @return true/false
*/
protected boolean requestRequiresAuthentication(final HttpServletRequest request, final HttpServletResponse response) {
val context = new JEEContext(request, response);
val revokeTokenRequest = isRevokeTokenRequest(request, response);
if (revokeTokenRequest) {
return clientNeedAuthentication(request, response);
}
val accessTokenRequest = isAccessTokenRequest(request, response);
val extractor = extractAccessTokenGrantRequest(context);
if (!accessTokenRequest) {
if (extractor.isPresent()) {
val ext = extractor.get();
return ext.requestMustBeAuthenticated();
}
} else {
if (extractor.isPresent()) {
val ext = extractor.get();
return ext.getResponseType() != OAuth20ResponseTypes.DEVICE_CODE;
}
}
return false;
}
Also used :
lombok.val(lombok.val)
JEEContext(org.pac4j.jee.context.JEEContext)
Aggregations
JEEContext (org.pac4j.jee.context.JEEContext)227
lombok.val (lombok.val)224
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)166
Test (org.junit.jupiter.api.Test)163
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)161
MockTicketGrantingTicket (org.apereo.cas.mock.MockTicketGrantingTicket)34
ProfileManager (org.pac4j.core.profile.ProfileManager)27
UsernamePasswordCredentials (org.pac4j.core.credentials.UsernamePasswordCredentials)24
CommonProfile (org.pac4j.core.profile.CommonProfile)21
SpringBootTest (org.springframework.boot.test.context.SpringBootTest)16
ServletExternalContext (org.springframework.webflow.context.servlet.ServletExternalContext)14
MockRequestContext (org.springframework.webflow.test.MockRequestContext)14
HashMap (java.util.HashMap)13
CasProfile (org.pac4j.cas.profile.CasProfile)13
RedirectView (org.springframework.web.servlet.view.RedirectView)13
HttpServletRequest (javax.servlet.http.HttpServletRequest)12
Map (java.util.Map)10
Optional (java.util.Optional)10
HttpServletResponse (javax.servlet.http.HttpServletResponse)10
MockServletContext (org.apereo.cas.util.MockServletContext)10
