Use of org.springframework.web.servlet.view.RedirectView in project spring-security-oauth by spring-projects: class AuthorizationEndpoint, method approveOrDeny.
/**
 * Handles the user's approve/deny decision for a pending authorization request.
 *
 * <p>The request being decided is read from the {@code model} under the key
 * {@code "authorizationRequest"} rather than rebuilt from the incoming POST, so the
 * only request-controlled input here is the {@code approvalParameters} map (bound
 * by {@code @RequestParam}); presumably the model entry is session state populated
 * by the initial GET to {@code /oauth/authorize} -- confirm against that handler.
 * Every exit path, including the exceptional ones, completes the session status.
 *
 * @param approvalParameters the form parameters carrying the user's decision
 *        (untrusted, request-bound)
 * @param model the model holding the previously stored {@code AuthorizationRequest}
 * @param sessionStatus used to mark the conversation complete on every path
 * @param principal the current user; must be a Spring Security {@link Authentication}
 * @return a redirect view for the client: a denial redirect, an implicit-grant
 *         response, or an authorization-code response
 * @throws InsufficientAuthenticationException if the principal is not an
 *         {@code Authentication}
 * @throws InvalidRequestException if no authorization request is stored in the
 *         model, or the (post-approval) request carries no redirect URI
 */
@RequestMapping(value = "/oauth/authorize", method = RequestMethod.POST, params = OAuth2Utils.USER_OAUTH_APPROVAL)
public View approveOrDeny(@RequestParam Map<String, String> approvalParameters, Map<String, ?> model, SessionStatus sessionStatus, Principal principal) {
    if (!(principal instanceof Authentication)) {
        sessionStatus.setComplete();
        throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorizing an access token.");
    }
    // Safe after the instanceof guard above; cast once instead of at each use.
    Authentication user = (Authentication) principal;

    AuthorizationRequest request = (AuthorizationRequest) model.get("authorizationRequest");
    if (request == null) {
        sessionStatus.setComplete();
        throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
    }

    try {
        // Captured before the approval handler runs, so the response-type decision below
        // is taken from the request as it was stored, not from anything the handler returns.
        Set<String> responseTypes = request.getResponseTypes();

        request.setApprovalParameters(approvalParameters);
        request = userApprovalHandler.updateAfterApproval(request, user);
        request.setApproved(userApprovalHandler.isApproved(request, user));

        if (request.getRedirectUri() == null) {
            sessionStatus.setComplete();
            throw new InvalidRequestException("Cannot approve request when no redirect URI is provided.");
        }

        if (!request.isApproved()) {
            // The boolean selects fragment vs. query encoding of the error (implicit flow
            // uses the fragment). contextRelative=false, http10Compatible=true,
            // exposeModelAttributes=false: model attributes are never appended to the
            // redirect target.
            String deniedLocation = getUnsuccessfulRedirect(request,
                    new UserDeniedAuthorizationException("User denied access"),
                    responseTypes.contains("token"));
            return new RedirectView(deniedLocation, false, true, false);
        }

        if (responseTypes.contains("token")) {
            return getImplicitGrantResponse(request).getView();
        }
        return getAuthorizationCodeResponse(request, user);
    } finally {
        sessionStatus.setComplete();
    }
}
Use of org.springframework.web.servlet.view.RedirectView in project spring-security-oauth by spring-projects: class AuthorizationEndpointTests, method testAuthorizationCodeWithTrickyState.
/**
 * A {@code state} value containing a space and an '=' must come back in the
 * redirect percent-encoded ({@code %20%3D}) so it cannot be confused with the
 * {@code code} parameter; the expected URL leaves the trailing '?' as-is.
 */
@Test
public void testAuthorizationCodeWithTrickyState() throws Exception {
    endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());

    AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com", " =?s", null, Collections.singleton("code"));
    model.put("authorizationRequest", request);

    RedirectView redirect = (RedirectView) endpoint.approveOrDeny(
            Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model, sessionStatus, principal);

    assertEquals("http://anywhere.com?code=thecode&state=%20%3D?s", redirect.getUrl());
}
Use of org.springframework.web.servlet.view.RedirectView in project spring-security-oauth by spring-projects: class AuthorizationEndpointTests, method testAuthorizationCodeWithMultipleQueryParams.
/**
 * A registered redirect URI that already carries query parameters must be
 * preserved verbatim, with the {@code code} parameter appended after them.
 */
@Test
public void testAuthorizationCodeWithMultipleQueryParams() throws Exception {
    endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices());

    AuthorizationRequest request = getAuthorizationRequest("foo", "http://anywhere.com?foo=bar&bar=foo", null, null, Collections.singleton("code"));
    model.put("authorizationRequest", request);

    RedirectView redirect = (RedirectView) endpoint.approveOrDeny(
            Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, "true"), model, sessionStatus, principal);

    assertEquals("http://anywhere.com?foo=bar&bar=foo&code=thecode", redirect.getUrl());
}
Use of org.springframework.web.servlet.view.RedirectView in project spring-security-oauth by spring-projects: class AuthorizationEndpointTests, method testImplicitPreApproved.
/**
 * Implicit flow with an approval handler that always approves: the GET to
 * {@code authorize} must redirect straight back to the client with the token,
 * the echoed state and the granter's additional information in the URL.
 */
@Test
public void testImplicitPreApproved() throws Exception {
    // Approval handler that treats every request as already approved.
    endpoint.setUserApprovalHandler(new DefaultUserApprovalHandler() {
        public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
            return true;
        }

        public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
            return authorizationRequest;
        }

        public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
            return authorizationRequest;
        }
    });

    // Granter that hands out a fixed token carrying one extra attribute.
    endpoint.setTokenGranter(new TokenGranter() {
        public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
            DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken("FOO");
            accessToken.setAdditionalInformation(Collections.singletonMap("foo", (Object) "bar"));
            return accessToken;
        }
    });

    AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com", "mystate", "myscope", Collections.singleton("token"));
    ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus, principal);

    RedirectView redirect = (RedirectView) result.getView();
    String location = redirect.getUrl();
    assertTrue("Wrong view: " + result, location.startsWith("http://anywhere.com"));
    assertTrue("Wrong state: " + result, location.contains("&state=mystate"));
    assertTrue("Wrong token: " + result, location.contains("access_token="));
    assertTrue("Wrong token: " + result, location.contains("foo=bar"));
}
Use of org.springframework.web.servlet.view.RedirectView in project spring-security-oauth by spring-projects: class AuthorizationEndpointTests, method testImplicitPreApprovedButInvalid.
/**
 * Even with an approval handler that approves everything, a request whose scope
 * exceeds the client's registered scope must be rejected with
 * {@link InvalidScopeException} before the token granter is ever invoked.
 * The trailing assertion is only reached if the expected exception is not thrown,
 * in which case the test fails anyway.
 */
@Test(expected = InvalidScopeException.class)
public void testImplicitPreApprovedButInvalid() throws Exception {
    // Registered scope is narrower than what the request asks for.
    client.setScope(Collections.singleton("smallscope"));

    // Any call into the granter means scope validation was skipped.
    endpoint.setTokenGranter(new TokenGranter() {
        public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
            throw new IllegalStateException("Shouldn't be called");
        }
    });

    endpoint.setUserApprovalHandler(new DefaultUserApprovalHandler() {
        public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
            return authorizationRequest;
        }

        public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
            return authorizationRequest;
        }

        public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
            return true;
        }
    });

    AuthorizationRequest authorizationRequest = getAuthorizationRequest("foo", "http://anywhere.com", "mystate", "bigscope", Collections.singleton("token"));
    ModelAndView result = endpoint.authorize(model, authorizationRequest.getRequestParameters(), sessionStatus, principal);

    String location = ((RedirectView) result.getView()).getUrl();
    assertTrue("Wrong view: " + result, location.startsWith("http://anywhere.com"));
}