Example 1 with OAuth2RequestFactory

Use of org.springframework.security.oauth2.provider.OAuth2RequestFactory in project spring-security-oauth by spring-projects.

Class TokenEndpointAuthenticationFilterTests, method testPasswordGrantWithUnAuthenticatedClient.

@Test
public void testPasswordGrantWithUnAuthenticatedClient() throws Exception {
    // The two-argument constructor produces a token that is NOT marked authenticated,
    // so the client in the security context is unauthenticated.
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken("client", "secret"));
    request.setParameter("grant_type", "password");
    // The resource-owner credentials themselves authenticate successfully.
    Mockito.when(authenticationManager.authenticate(Mockito.<Authentication>any())).thenReturn(new UsernamePasswordAuthenticationToken("foo", "bar", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER")));
    TokenEndpointAuthenticationFilter filter = new TokenEndpointAuthenticationFilter(authenticationManager, oAuth2RequestFactory);
    filter.doFilter(request, response, chain);
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // The filter wraps the result in an OAuth2Authentication, but because the client
    // was never authenticated the combined authentication must not be authenticated either.
    assertTrue(authentication instanceof OAuth2Authentication);
    assertFalse(authentication.isAuthenticated());
}

Example 2 with OAuth2RequestFactory

Use of org.springframework.security.oauth2.provider.OAuth2RequestFactory in project spring-security-oauth by spring-projects.

Class AuthorizationServerEndpointsConfiguration, method tokenEndpoint.

@Bean
public TokenEndpoint tokenEndpoint() throws Exception {
    TokenEndpoint tokenEndpoint = new TokenEndpoint();
    tokenEndpoint.setClientDetailsService(clientDetailsService);
    tokenEndpoint.setProviderExceptionHandler(exceptionTranslator());
    tokenEndpoint.setTokenGranter(tokenGranter());
    tokenEndpoint.setOAuth2RequestFactory(oauth2RequestFactory());
    tokenEndpoint.setOAuth2RequestValidator(oauth2RequestValidator());
    tokenEndpoint.setAllowedRequestMethods(allowedTokenEndpointRequestMethods());
    return tokenEndpoint;
}

Example 3 with OAuth2RequestFactory

Use of org.springframework.security.oauth2.provider.OAuth2RequestFactory in project spring-security-oauth by spring-projects.

Class AbstractEndpoint, method afterPropertiesSet.

public void afterPropertiesSet() throws Exception {
    // Fail fast at startup if the mandatory collaborators were not wired in.
    Assert.state(tokenGranter != null, "TokenGranter must be provided");
    Assert.state(clientDetailsService != null, "ClientDetailsService must be provided");
    // Always build the default factory; it is used unless a custom one was injected.
    defaultOAuth2RequestFactory = new DefaultOAuth2RequestFactory(getClientDetailsService());
    if (oAuth2RequestFactory == null) {
        oAuth2RequestFactory = defaultOAuth2RequestFactory;
    }
}

Example 4 with OAuth2RequestFactory

Use of org.springframework.security.oauth2.provider.OAuth2RequestFactory in project spring-security-oauth by spring-projects.

Class AuthorizationEndpoint, method authorize.

@RequestMapping(value = "/oauth/authorize")
public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
    // Pull out the authorization request first, using the OAuth2RequestFactory. All further logic should
    // query off of the authorization request instead of referring back to the parameters map. The contents of the
    // parameters map will be stored without change in the AuthorizationRequest object once it is created.
    AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);
    Set<String> responseTypes = authorizationRequest.getResponseTypes();
    if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
        throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
    }
    if (authorizationRequest.getClientId() == null) {
        throw new InvalidClientException("A client id must be provided");
    }
    try {
        if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
            throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorization can be completed.");
        }
        ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());
        // The resolved redirect URI is either the redirect_uri from the parameters or the one from
        // clientDetails. Either way we need to store it on the AuthorizationRequest.
        String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
        String resolvedRedirect = redirectResolver.resolveRedirect(redirectUriParameter, client);
        if (!StringUtils.hasText(resolvedRedirect)) {
            throw new RedirectMismatchException("A redirectUri must be either supplied or preconfigured in the ClientDetails");
        }
        authorizationRequest.setRedirectUri(resolvedRedirect);
        // We intentionally only validate the parameters requested by the client (ignoring any data that may have
        // been added to the request by the manager).
        oauth2RequestValidator.validateScope(authorizationRequest, client);
        // Some systems may allow for approval decisions to be remembered or approved by default. Check for
        // such logic here, and set the approved flag on the authorization request accordingly.
        authorizationRequest = userApprovalHandler.checkForPreApproval(authorizationRequest, (Authentication) principal);
        // TODO: is this call necessary?
        boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
        authorizationRequest.setApproved(approved);
        // Validation is all done, so we can check for auto approval...
        if (authorizationRequest.isApproved()) {
            if (responseTypes.contains("token")) {
                return getImplicitGrantResponse(authorizationRequest);
            }
            if (responseTypes.contains("code")) {
                return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest, (Authentication) principal));
            }
        }
        // Place auth request into the model so that it is stored in the session
        // for approveOrDeny to use. That way we make sure that auth request comes from the session,
        // so any auth request parameters passed to approveOrDeny will be ignored and retrieved from the session.
        model.put("authorizationRequest", authorizationRequest);
        return getUserApprovalPageResponse(model, authorizationRequest, (Authentication) principal);
    } catch (RuntimeException e) {
        sessionStatus.setComplete();
        throw e;
    }
}

Example 5 with OAuth2RequestFactory

Use of org.springframework.security.oauth2.provider.OAuth2RequestFactory in project ORCID-Source by ORCID.

Class OrcidClientCredentialsCheckerTest, method setup.

@Before
public void setup() {
    MockitoAnnotations.initMocks(this);
    oAuth2RequestFactory = new DefaultOAuth2RequestFactory(clientDetailsService);
    checker = new OrcidClientCredentialsChecker(oAuth2RequestFactory);
    checker.setClientDetailsEntityCacheManager(clientDetailsEntityCacheManager);
    checker.setOrcidOAuth2RequestValidator(orcidOAuth2RequestValidator);
}