
Example 56 with OAuth2Request

use of org.springframework.security.oauth2.provider.OAuth2Request in project ORCID-Source by ORCID.

the class SecurityContextTestUtils method setUpSecurityContextForClientOnly.

/**
 * Installs a security context holding a mocked client-credentials (client-only)
 * authentication for {@code clientId}.
 * <p>
 * The principal is a {@link ProfileEntity} for the client, {@code isClientOnly()} and
 * {@code isAuthenticated()} answer {@code true}, and the attached {@link OAuth2Request}
 * is approved and carries exactly {@code scopes}; no user authentication is stubbed.
 *
 * @param clientId the client whose token the test should appear to be using
 * @param scopes   the scopes the mocked token is treated as having been granted
 */
public static void setUpSecurityContextForClientOnly(String clientId, Set<String> scopes) {
    OrcidOAuth2Authentication clientAuth = mock(OrcidOAuth2Authentication.class);
    SecurityContextImpl context = new SecurityContextImpl();
    context.setAuthentication(clientAuth);
    SecurityContextHolder.setContext(context);

    // Client-only: the principal is the client's own profile, not a user.
    when(clientAuth.getPrincipal()).thenReturn(new ProfileEntity(clientId));
    when(clientAuth.isClientOnly()).thenReturn(true);
    when(clientAuth.isAuthenticated()).thenReturn(true);
    when(clientAuth.getName()).thenReturn(clientId);

    // Approved request with only the supplied scopes; parameters, authorities,
    // resource ids, redirect URI, response types and extensions are all empty.
    OAuth2Request approvedRequest = new OAuth2Request(
            Collections.<String, String>emptyMap(),
            clientId,
            Collections.<GrantedAuthority>emptyList(),
            true,
            scopes,
            Collections.<String>emptySet(),
            null,
            Collections.<String>emptySet(),
            Collections.<String, Serializable>emptyMap());
    when(clientAuth.getOAuth2Request()).thenReturn(approvedRequest);
}

Example 57 with OAuth2Request

use of org.springframework.security.oauth2.provider.OAuth2Request in project ORCID-Source by ORCID.

the class SourceManagerImpl method retrieveRealUserOrcid.

/**
 * Resolves the identifier of the party actually making the current request.
 * <p>
 * For an OAuth2 (API) authentication this is the client id of the token's request; in
 * delegation mode it is the value reported by {@code getRealUserIfInDelegationMode};
 * for a normal web user it is the effective ORCID of the authentication.
 *
 * @return the real user's identifier, or {@code null} when no authentication is present
 */
@Override
public String retrieveRealUserOrcid() {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null) {
        return null;
    }
    // API: the caller is the OAuth client that presented the token.
    if (auth instanceof OAuth2Authentication) {
        return ((OAuth2Authentication) auth).getOAuth2Request().getClientId();
    }
    // Delegation mode, falling back to the normal web user's effective ORCID.
    String delegatingUser = getRealUserIfInDelegationMode(auth);
    return delegatingUser != null ? delegatingUser : retrieveEffectiveOrcid(auth);
}

Example 58 with OAuth2Request

use of org.springframework.security.oauth2.provider.OAuth2Request in project ORCID-Source by ORCID.

the class OrcidApiAuthorizationSecurityAspect method visibilityResponseFilter.

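/**
 * Trims a response carrying an {@link OrcidMessage} down to what the caller is entitled
 * to see.
 * <p>
 * Requests from the internal API and search results are returned untouched. For everything
 * else the visible {@link Visibility} levels are resolved from the caller's authentication,
 * private works/funding/affiliations are unlocked only for an OAuth client whose granted
 * scopes cover the required one, and the bio is tidied afterwards: a bio that existed before
 * filtering is kept (possibly empty), given/family names are always returned, and the
 * section visibilities are recomputed from whatever items survived.
 *
 * @param response      the response returned by the advised method
 * @param accessControl the {@code AccessControl} annotation on that method
 */
@AfterReturning(pointcut = "@annotation(accessControl)", returning = "response")
public void visibilityResponseFilter(Response response, AccessControl accessControl) {
    if (accessControl.requestComesFromInternalApi()) {
        return;
    }
    Object entity = response.getEntity();
    if (!(entity instanceof OrcidMessage)) {
        return;
    }
    OrcidMessage orcidMessage = (OrcidMessage) entity;
    // Search results are never filtered.
    if (orcidMessage.getOrcidSearchResults() != null) {
        return;
    }
    Object authentication = getAuthentication();
    Set<Visibility> visibilities = resolveVisibilities(authentication, accessControl, orcidMessage);
    // Remember whether the message had a bio so one emptied by the filter is restored
    // rather than dropped.
    boolean hadBio = orcidMessage.getOrcidProfile() != null && orcidMessage.getOrcidProfile().getOrcidBio() != null;
    applyVisibilityFilter(orcidMessage, authentication, accessControl.requiredScope(), visibilities);
    if (hadBio) {
        restoreEmptyBio(orcidMessage);
    }
    clearNameVisibilities(orcidMessage);
    recalculateSectionVisibilities(orcidMessage);
}

/** Visibility levels the caller may see: PUBLIC only for anonymous access, else those the permission checker grants for the required scope. */
private Set<Visibility> resolveVisibilities(Object authentication, AccessControl accessControl, OrcidMessage orcidMessage) {
    if (allowAnonymousAccess((Authentication) authentication, accessControl)) {
        Set<Visibility> publicOnly = new HashSet<Visibility>();
        publicOnly.add(Visibility.PUBLIC);
        return publicOnly;
    }
    return permissionChecker.obtainVisibilitiesForAuthentication(getAuthentication(), accessControl.requiredScope(), orcidMessage);
}

/** Runs the visibility filter, unlocking private works/funding/affiliations only for an OAuth client whose scopes cover the required one. */
private void applyVisibilityFilter(OrcidMessage orcidMessage, Object authentication, ScopePathType requiredScope, Set<Visibility> visibilities) {
    Visibility[] allowed = visibilities.toArray(new Visibility[visibilities.size()]);
    // Only */read-limited and */update scopes held by an OAuth client can unlock private
    // items. instanceof also covers a null authentication, which previously threw an NPE
    // on getClass(); it now takes the most restrictive filter path instead.
    if (!isUpdateOrReadScope(requiredScope) || !(authentication instanceof OrcidOAuth2Authentication)) {
        visibilityFilter.filter(orcidMessage, null, false, false, false, allowed);
        return;
    }
    // Reuse the instance whose type was just checked rather than re-reading the context.
    OrcidOAuth2Authentication orcidAuth = (OrcidOAuth2Authentication) authentication;
    String clientId = orcidAuth.getOAuth2Request().getClientId();
    String userOrcid = getUserOrcidFromOrcidMessage(orcidMessage);
    boolean allowWorks = false;
    boolean allowFunding = false;
    boolean allowAffiliations = false;
    // A read scope that was not granted may still be satisfied by its update equivalent.
    ScopePathType equivalentUpdateScope = getEquivalentUpdateScope(requiredScope);
    String fallbackScope = equivalentUpdateScope == null ? null : equivalentUpdateScope.getContent();
    if (requiredScope.equals(ScopePathType.READ_LIMITED)) {
        allowWorks = hasScopeEnabled(clientId, userOrcid, ScopePathType.ORCID_WORKS_READ_LIMITED.getContent(), ScopePathType.ORCID_WORKS_UPDATE.getContent());
        allowFunding = hasScopeEnabled(clientId, userOrcid, ScopePathType.FUNDING_READ_LIMITED.getContent(), ScopePathType.FUNDING_UPDATE.getContent());
        allowAffiliations = hasScopeEnabled(clientId, userOrcid, ScopePathType.AFFILIATIONS_READ_LIMITED.getContent(), ScopePathType.AFFILIATIONS_UPDATE.getContent());
    } else if (isEither(requiredScope, ScopePathType.ORCID_WORKS_UPDATE, ScopePathType.ORCID_WORKS_READ_LIMITED)) {
        allowWorks = hasScopeEnabled(clientId, userOrcid, requiredScope.getContent(), fallbackScope);
    } else if (isEither(requiredScope, ScopePathType.FUNDING_UPDATE, ScopePathType.FUNDING_READ_LIMITED)) {
        allowFunding = hasScopeEnabled(clientId, userOrcid, requiredScope.getContent(), fallbackScope);
    } else if (isEither(requiredScope, ScopePathType.AFFILIATIONS_UPDATE, ScopePathType.AFFILIATIONS_READ_LIMITED)) {
        allowAffiliations = hasScopeEnabled(clientId, userOrcid, requiredScope.getContent(), fallbackScope);
    }
    visibilityFilter.filter(orcidMessage, clientId, allowWorks, allowFunding, allowAffiliations, allowed);
}

/** True when {@code scope} equals either candidate. */
private static boolean isEither(ScopePathType scope, ScopePathType first, ScopePathType second) {
    return scope.equals(first) || scope.equals(second);
}

/** Re-creates the bio and its personal details if the filter removed them, so a bio that existed is not returned as absent. */
private void restoreEmptyBio(OrcidMessage orcidMessage) {
    if (orcidMessage.getOrcidProfile() == null) {
        return;
    }
    if (orcidMessage.getOrcidProfile().getOrcidBio() == null) {
        orcidMessage.getOrcidProfile().setOrcidBio(new OrcidBio());
    }
    OrcidBio bio = orcidMessage.getOrcidProfile().getOrcidBio();
    if (bio.getPersonalDetails() == null) {
        bio.setPersonalDetails(new PersonalDetails());
    }
}

/** Names are always returned: their visibility is cleared, and a missing given name becomes an empty string. */
private void clearNameVisibilities(OrcidMessage orcidMessage) {
    if (orcidMessage.getOrcidProfile() == null || orcidMessage.getOrcidProfile().getOrcidBio() == null) {
        return;
    }
    PersonalDetails details = orcidMessage.getOrcidProfile().getOrcidBio().getPersonalDetails();
    if (details == null) {
        return;
    }
    if (details.getGivenNames() != null) {
        details.getGivenNames().setVisibility(null);
    } else {
        // Null given names could break client integrations, so return an empty string.
        GivenNames empty = new GivenNames();
        empty.setContent(StringUtils.EMPTY);
        details.setGivenNames(empty);
    }
    if (details.getFamilyName() != null) {
        details.getFamilyName().setVisibility(null);
    }
}

/** Derives each bio section's visibility from the items left after filtering. */
private void recalculateSectionVisibilities(OrcidMessage orcidMessage) {
    if (orcidMessage.getOrcidProfile() == null) {
        return;
    }
    OrcidBio bio = orcidMessage.getOrcidProfile().getOrcidBio();
    if (bio == null) {
        return;
    }
    PersonalDetails details = bio.getPersonalDetails();
    if (details != null) {
        OtherNames otherNames = details.getOtherNames();
        if (otherNames != null) {
            otherNames.setVisibility(getMostFromCollection(otherNames.getOtherName()));
        }
    }
    ExternalIdentifiers ids = bio.getExternalIdentifiers();
    if (ids != null) {
        ids.setVisibility(getMostFromCollection(ids.getExternalIdentifier()));
    }
    Keywords kws = bio.getKeywords();
    if (kws != null) {
        kws.setVisibility(getMostFromCollection(kws.getKeyword()));
    }
    ResearcherUrls urls = bio.getResearcherUrls();
    if (urls != null) {
        urls.setVisibility(getMostFromCollection(urls.getResearcherUrl()));
    }
}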

Example 59 with OAuth2Request

use of org.springframework.security.oauth2.provider.OAuth2Request in project ORCID-Source by ORCID.

the class DefaultPermissionChecker method checkScopes.

/**
 * Rejects the request unless the token's granted scopes satisfy {@code requiredScope}.
 * <p>
 * For a user-grant write scope the token's stored detail is looked up first and
 * {@code removeUserGrantWriteScopePastValitity} decides whether its write scopes are no
 * longer valid; that check wins over the plain scope comparison.
 *
 * @param oAuth2Authentication the OAuth2 authentication of the current request
 * @param requiredScope        the scope the called endpoint demands
 * @throws AccessControlException if the write scopes are no longer valid or the required scope was not granted
 */
private void checkScopes(OAuth2Authentication oAuth2Authentication, ScopePathType requiredScope) {
    Set<String> grantedScopes = oAuth2Authentication.getOAuth2Request().getScope();
    if (requiredScope.isUserGrantWriteScope()) {
        String activeToken = ((OrcidOAuth2Authentication) oAuth2Authentication).getActiveToken();
        boolean writeScopesExpired = activeToken != null
                && removeUserGrantWriteScopePastValitity(orcidOauthTokenDetailService.findNonDisabledByTokenValue(activeToken));
        if (writeScopesExpired) {
            throw new AccessControlException("Write scopes for this token have expired ");
        }
    }
    if (hasRequiredScope(grantedScopes, requiredScope)) {
        return;
    }
    throw new AccessControlException("Insufficient or wrong scope " + grantedScopes);
}

Example 60 with OAuth2Request

use of org.springframework.security.oauth2.provider.OAuth2Request in project ORCID-Source by ORCID.

the class TokenTargetFilterTest method setUpSecurityContext.

/**
 * Installs a security context holding a mocked {@link OrcidOAuth2Authentication}.
 * <p>
 * With a {@code userOrcid} the principal (and a nested mocked user authentication) carry a
 * {@link ProfileEntity} for that user; without one the principal is the bare client id.
 * The attached {@link OAuth2Request} is approved and holds the values of
 * {@code scopePathTypes} as its scopes.
 *
 * @param userOrcid      the ORCID of the authorising user, or {@code null} for a client-only token
 * @param clientId       the client id recorded on the OAuth2 request
 * @param scopePathTypes the scopes the mocked token should carry; may be {@code null} or empty
 */
private void setUpSecurityContext(String userOrcid, String clientId, ScopePathType... scopePathTypes) {
    OrcidOAuth2Authentication auth = mock(OrcidOAuth2Authentication.class);
    SecurityContextImpl context = new SecurityContextImpl();
    context.setAuthentication(auth);
    SecurityContextHolder.setContext(context);
    when(auth.isAuthenticated()).thenReturn(true);

    if (userOrcid == null) {
        // Client-only token: the principal is just the client id.
        when(auth.getPrincipal()).thenReturn(clientId);
    } else {
        // User-authorised token: outer and nested user authentication both expose the user's profile.
        ProfileEntity userProfile = new ProfileEntity(userOrcid);
        Authentication userAuth = mock(Authentication.class);
        when(userAuth.getPrincipal()).thenReturn(userProfile);
        when(auth.getPrincipal()).thenReturn(userProfile);
        when(auth.getUserAuthentication()).thenReturn(userAuth);
    }

    Set<String> scopes = new HashSet<String>();
    if (scopePathTypes != null) {
        for (ScopePathType type : scopePathTypes) {
            scopes.add(type.value());
        }
    }
    OAuth2Request approvedRequest = new OAuth2Request(
            Collections.<String, String>emptyMap(),
            clientId,
            Collections.<GrantedAuthority>emptyList(),
            true,
            scopes,
            Collections.<String>emptySet(),
            null,
            Collections.<String>emptySet(),
            Collections.<String, Serializable>emptyMap());
    when(auth.getOAuth2Request()).thenReturn(approvedRequest);
}
