Example 1 with UserDeniedAuthorizationException

Use of org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException in the project spring-security-oauth by spring-projects.

From the class AuthorizationEndpoint, method approveOrDeny, which handles the user's approve/deny decision for an OAuth2 authorization request.

@RequestMapping(value = "/oauth/authorize", method = RequestMethod.POST, params = OAuth2Utils.USER_OAUTH_APPROVAL)
public View approveOrDeny(@RequestParam Map<String, String> approvalParameters, Map<String, ?> model, SessionStatus sessionStatus, Principal principal) {
    // The resource owner must already be authenticated by Spring Security before a decision is accepted.
    if (!(principal instanceof Authentication)) {
        sessionStatus.setComplete();
        throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorizing an access token.");
    }
    // The pending request was placed in the session-scoped model by the earlier GET /oauth/authorize step.
    AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get("authorizationRequest");
    if (authorizationRequest == null) {
        sessionStatus.setComplete();
        throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
    }
    try {
        Set<String> responseTypes = authorizationRequest.getResponseTypes();
        authorizationRequest.setApprovalParameters(approvalParameters);
        // The UserApprovalHandler records the submitted decision (e.g. per-scope approvals) and evaluates it.
        authorizationRequest = userApprovalHandler.updateAfterApproval(authorizationRequest, (Authentication) principal);
        boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
        authorizationRequest.setApproved(approved);
        // Both the success and the denial outcome are delivered by redirect, so a redirect URI is mandatory.
        if (authorizationRequest.getRedirectUri() == null) {
            sessionStatus.setComplete();
            throw new InvalidRequestException("Cannot approve request when no redirect URI is provided.");
        }
        // Denied: send the client an error redirect; the last argument selects the URI fragment for the implicit flow.
        if (!authorizationRequest.isApproved()) {
            return new RedirectView(getUnsuccessfulRedirect(authorizationRequest, new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")), false, true, false);
        }
        // Approved: the implicit grant returns a token directly; otherwise an authorization code is issued.
        if (responseTypes.contains("token")) {
            return getImplicitGrantResponse(authorizationRequest).getView();
        }
        return getAuthorizationCodeResponse(authorizationRequest, (Authentication) principal);
    } finally {
        // Always clear the session-scoped authorization request, whatever the outcome.
        sessionStatus.setComplete();
    }
}
Also used:
UserDeniedAuthorizationException (org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException)
AuthorizationRequest (org.springframework.security.oauth2.provider.AuthorizationRequest)
OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication)
Authentication (org.springframework.security.core.Authentication)
RedirectView (org.springframework.web.servlet.view.RedirectView)
InvalidRequestException (org.springframework.security.oauth2.common.exceptions.InvalidRequestException)
InsufficientAuthenticationException (org.springframework.security.authentication.InsufficientAuthenticationException)
RequestMapping (org.springframework.web.bind.annotation.RequestMapping)

Aggregations (number of examples on this page using each type):

InsufficientAuthenticationException (org.springframework.security.authentication.InsufficientAuthenticationException) 1
Authentication (org.springframework.security.core.Authentication) 1
InvalidRequestException (org.springframework.security.oauth2.common.exceptions.InvalidRequestException) 1
UserDeniedAuthorizationException (org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException) 1
AuthorizationRequest (org.springframework.security.oauth2.provider.AuthorizationRequest) 1
OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication) 1
RequestMapping (org.springframework.web.bind.annotation.RequestMapping) 1
RedirectView (org.springframework.web.servlet.view.RedirectView) 1