
Example 6 with OAuthProviderToken

Use of org.springframework.security.oauth.provider.token.OAuthProviderToken in project spring-security-oauth by spring-projects.

Class AccessTokenProcessingFilter, method validateAdditionalParameters.

@Override
protected void validateAdditionalParameters(ConsumerDetails consumerDetails, Map<String, String> oauthParams) {
    super.validateAdditionalParameters(consumerDetails, oauthParams);
    // An access-token request must carry the request token that is being exchanged.
    String token = oauthParams.get(OAuthConsumerParameter.oauth_token.toString());
    if (token == null) {
        throw new InvalidOAuthParametersException(messages.getMessage("AccessTokenProcessingFilter.missingToken", "Missing token."));
    }
    // When OAuth 1.0a is required, the request must also carry an oauth_verifier
    // that matches the verifier stored with the request token.
    if (isRequire10a()) {
        String verifier = oauthParams.get(OAuthConsumerParameter.oauth_verifier.toString());
        if (verifier == null) {
            throw new InvalidOAuthParametersException(messages.getMessage("AccessTokenProcessingFilter.missingVerifier", "Missing verifier."));
        }
        // Note: requestToken is dereferenced below without a null check, and
        // String.equals is not a constant-time comparison.
        OAuthProviderToken requestToken = getTokenServices().getToken(token);
        if (!verifier.equals(requestToken.getVerifier())) {
            // Note: the "Invalid verifier." default text is looked up under the missingVerifier key.
            throw new InvalidOAuthParametersException(messages.getMessage("AccessTokenProcessingFilter.missingVerifier", "Invalid verifier."));
        }
    }
}
Also used : OAuthProviderToken(org.springframework.security.oauth.provider.token.OAuthProviderToken) InvalidOAuthParametersException(org.springframework.security.oauth.provider.InvalidOAuthParametersException)

Example 7 with OAuthProviderToken

Use of org.springframework.security.oauth.provider.token.OAuthProviderToken in project spring-security-oauth by spring-projects.

Class OAuthProviderProcessingFilter, method validateSignature.

/**
 * Validate the signature of the request given the authentication request.
 *
 * @param authentication The authentication request.
 */
protected void validateSignature(ConsumerAuthentication authentication) throws AuthenticationException {
    SignatureSecret secret = authentication.getConsumerDetails().getSignatureSecret();
    String token = authentication.getConsumerCredentials().getToken();
    // Look up the token named in the request, if any. Its secret is passed to the
    // signature method together with the consumer secret; null is passed when no token is found.
    OAuthProviderToken authToken = null;
    if (token != null && !"".equals(token)) {
        authToken = getTokenServices().getToken(token);
    }
    String signatureMethod = authentication.getConsumerCredentials().getSignatureMethod();
    OAuthSignatureMethod method;
    try {
        method = getSignatureMethodFactory().getSignatureMethod(signatureMethod, secret, authToken != null ? authToken.getSecret() : null);
    } catch (UnsupportedSignatureMethodException e) {
        throw new OAuthException(e.getMessage(), e);
    }
    String signatureBaseString = authentication.getConsumerCredentials().getSignatureBaseString();
    String signature = authentication.getConsumerCredentials().getSignature();
    // Note: at debug level this writes the submitted signature and the signature base string to the log.
    if (log.isDebugEnabled()) {
        log.debug("Verifying signature " + signature + " for signature base string " + signatureBaseString + " with method " + method.getName() + ".");
    }
    // verify(...) returns nothing; a failed check is reported by exception.
    method.verify(signatureBaseString, signature);
}
Also used : OAuthProviderToken(org.springframework.security.oauth.provider.token.OAuthProviderToken) OAuthException(org.springframework.security.oauth.common.OAuthException)

Example 8 with OAuthProviderToken

Use of org.springframework.security.oauth.provider.token.OAuthProviderToken in project spring-security-oauth by spring-projects.

Class ProtectedResourceProcessingFilter, method onValidSignature.

protected void onValidSignature(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
    ConsumerAuthentication authentication = (ConsumerAuthentication) SecurityContextHolder.getContext().getAuthentication();
    String token = authentication.getConsumerCredentials().getToken();
    OAuthAccessProviderToken accessToken = null;
    if (StringUtils.hasText(token)) {
        OAuthProviderToken authToken = getTokenServices().getToken(token);
        if (authToken == null) {
            throw new AccessDeniedException("Invalid access token.");
        } else if (!authToken.isAccessToken()) {
            throw new AccessDeniedException("Token should be an access token.");
        } else if (authToken instanceof OAuthAccessProviderToken) {
            accessToken = (OAuthAccessProviderToken) authToken;
        }
    } else if ((!(authentication.getConsumerDetails() instanceof ExtraTrustConsumerDetails)) || ((ExtraTrustConsumerDetails) authentication.getConsumerDetails()).isRequiredToObtainAuthenticatedToken()) {
        throw new InvalidOAuthParametersException(messages.getMessage("ProtectedResourceProcessingFilter.missingToken", "Missing auth token."));
    }
    Authentication userAuthentication = authHandler.createAuthentication(request, authentication, accessToken);
    SecurityContextHolder.getContext().setAuthentication(userAuthentication);
    chain.doFilter(request, response);
}
Also used : OAuthProviderToken(org.springframework.security.oauth.provider.token.OAuthProviderToken) AccessDeniedException(org.springframework.security.access.AccessDeniedException) InvalidOAuthParametersException(org.springframework.security.oauth.provider.InvalidOAuthParametersException) ConsumerAuthentication(org.springframework.security.oauth.provider.ConsumerAuthentication) Authentication(org.springframework.security.core.Authentication) ExtraTrustConsumerDetails(org.springframework.security.oauth.provider.ExtraTrustConsumerDetails) OAuthAccessProviderToken(org.springframework.security.oauth.provider.token.OAuthAccessProviderToken)

Example 9 with OAuthProviderToken

Use of org.springframework.security.oauth.provider.token.OAuthProviderToken in project spring-security-oauth by spring-projects.

Class UnauthenticatedRequestTokenProcessingFilterTests, method testOnValidSignature.

/**
 * test onValidSignature
 */
@Test
public void testOnValidSignature() throws Exception {
    final OAuthProviderToken authToken = mock(OAuthProviderToken.class);
    UnauthenticatedRequestTokenProcessingFilter filter = new UnauthenticatedRequestTokenProcessingFilter() {

        @Override
        protected OAuthProviderToken createOAuthToken(ConsumerAuthentication authentication) {
            return authToken;
        }
    };
    HttpServletRequest request = mock(HttpServletRequest.class);
    HttpServletResponse response = mock(HttpServletResponse.class);
    FilterChain filterChain = mock(FilterChain.class);
    ConsumerCredentials creds = new ConsumerCredentials("key", "sig", "meth", "base", "tok");
    ConsumerDetails consumerDetails = mock(ConsumerDetails.class);
    when(authToken.getConsumerKey()).thenReturn("chi");
    when(authToken.getValue()).thenReturn("tokvalue");
    when(authToken.getSecret()).thenReturn("shhhhhh");
    when(consumerDetails.getAuthorities()).thenReturn(new ArrayList<GrantedAuthority>());
    when(consumerDetails.getConsumerKey()).thenReturn("chi");
    response.setContentType("text/plain;charset=utf-8");
    StringWriter writer = new StringWriter();
    when(response.getWriter()).thenReturn(new PrintWriter(writer));
    response.flushBuffer();
    TreeMap<String, String> params = new TreeMap<String, String>();
    params.put(OAuthConsumerParameter.oauth_callback.toString(), "mycallback");
    ConsumerAuthentication authentication = new ConsumerAuthentication(consumerDetails, creds, params);
    authentication.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(authentication);
    filter.onValidSignature(request, response, filterChain);
    assertEquals("oauth_token=tokvalue&oauth_token_secret=shhhhhh&oauth_callback_confirmed=true", writer.toString());
    SecurityContextHolder.getContext().setAuthentication(null);
}
Also used : ConsumerCredentials(org.springframework.security.oauth.provider.ConsumerCredentials) FilterChain(javax.servlet.FilterChain) GrantedAuthority(org.springframework.security.core.GrantedAuthority) HttpServletResponse(javax.servlet.http.HttpServletResponse) TreeMap(java.util.TreeMap) UnauthenticatedRequestTokenProcessingFilter(org.springframework.security.oauth.provider.filter.UnauthenticatedRequestTokenProcessingFilter) HttpServletRequest(javax.servlet.http.HttpServletRequest) OAuthProviderToken(org.springframework.security.oauth.provider.token.OAuthProviderToken) StringWriter(java.io.StringWriter) ConsumerAuthentication(org.springframework.security.oauth.provider.ConsumerAuthentication) ConsumerDetails(org.springframework.security.oauth.provider.ConsumerDetails) PrintWriter(java.io.PrintWriter) Test(org.junit.Test)

Aggregations

OAuthProviderToken (org.springframework.security.oauth.provider.token.OAuthProviderToken): 9
ConsumerAuthentication (org.springframework.security.oauth.provider.ConsumerAuthentication): 5
ConsumerDetails (org.springframework.security.oauth.provider.ConsumerDetails): 3
InvalidOAuthParametersException (org.springframework.security.oauth.provider.InvalidOAuthParametersException): 3
TreeMap (java.util.TreeMap): 2
FilterChain (javax.servlet.FilterChain): 2
HttpServletRequest (javax.servlet.http.HttpServletRequest): 2
HttpServletResponse (javax.servlet.http.HttpServletResponse): 2
Test (org.junit.Test): 2
Authentication (org.springframework.security.core.Authentication): 2
GrantedAuthority (org.springframework.security.core.GrantedAuthority): 2
ConsumerCredentials (org.springframework.security.oauth.provider.ConsumerCredentials): 2
PrintWriter (java.io.PrintWriter): 1
StringWriter (java.io.StringWriter): 1
AccessDeniedException (org.springframework.security.access.AccessDeniedException): 1
InsufficientAuthenticationException (org.springframework.security.authentication.InsufficientAuthenticationException): 1
OAuthException (org.springframework.security.oauth.common.OAuthException): 1
OAuthSignatureMethod (org.springframework.security.oauth.common.signature.OAuthSignatureMethod): 1
SignatureSecret (org.springframework.security.oauth.common.signature.SignatureSecret): 1
ExtraTrustConsumerDetails (org.springframework.security.oauth.provider.ExtraTrustConsumerDetails): 1