1
|
/*
|
2
|
* Licensed to the Apache Software Foundation (ASF) under one
|
3
|
* or more contributor license agreements. See the NOTICE file
|
4
|
* distributed with this work for additional information
|
5
|
* regarding copyright ownership. The ASF licenses this file
|
6
|
* to you under the Apache License, Version 2.0 (the
|
7
|
* "License"); you may not use this file except in compliance
|
8
|
* with the License. You may obtain a copy of the License at
|
9
|
*
|
10
|
* http://www.apache.org/licenses/LICENSE-2.0
|
11
|
*
|
12
|
* Unless required by applicable law or agreed to in writing,
|
13
|
* software distributed under the License is distributed on an
|
14
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
15
|
* KIND, either express or implied. See the License for the
|
16
|
* specific language governing permissions and limitations
|
17
|
* under the License.
|
18
|
*/
|
19
|
package eu.dnetlib.oauth.handlers;
|
20
|
|
21
|
import org.apache.commons.collections.CollectionUtils;
|
22
|
import org.apache.commons.lang.StringUtils;
|
23
|
import org.springframework.http.HttpMethod;
|
24
|
import org.surfnet.oaaas.auth.AbstractAuthenticator;
|
25
|
import org.surfnet.oaaas.auth.AbstractUserConsentHandler;
|
26
|
import org.surfnet.oaaas.auth.principal.AuthenticatedPrincipal;
|
27
|
import org.surfnet.oaaas.model.AccessToken;
|
28
|
import org.surfnet.oaaas.model.AuthorizationRequest;
|
29
|
import org.surfnet.oaaas.model.Client;
|
30
|
import org.surfnet.oaaas.repository.AccessTokenRepository;
|
31
|
import org.surfnet.oaaas.repository.AuthorizationRequestRepository;
|
32
|
|
33
|
import javax.inject.Inject;
|
34
|
import javax.inject.Named;
|
35
|
import javax.servlet.FilterChain;
|
36
|
import javax.servlet.ServletException;
|
37
|
import javax.servlet.ServletResponse;
|
38
|
import javax.servlet.http.HttpServletRequest;
|
39
|
import javax.servlet.http.HttpServletResponse;
|
40
|
import java.io.IOException;
|
41
|
import java.util.List;
|
42
|
|
43
|
/**
|
44
|
* Example {@link AbstractUserConsentHandler} that forwards to a form.
|
45
|
*/
|
46
|
@Named("formConsentHandler")
|
47
|
public class FormUserConsentHandler extends AbstractUserConsentHandler {
|
48
|
|
49
|
private static final String USER_OAUTH_APPROVAL = "user_oauth_approval";
|
50
|
|
51
|
@Inject
|
52
|
private AccessTokenRepository accessTokenRepository;
|
53
|
|
54
|
@Inject
|
55
|
private AuthorizationRequestRepository authorizationRequestRepository;
|
56
|
|
57
|
@Override
|
58
|
public void handleUserConsent(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
|
59
|
String authStateValue, String returnUri, Client client) throws IOException, ServletException {
|
60
|
if (isUserConsentPost(request)) {
|
61
|
if (processForm(request, response)) {
|
62
|
chain.doFilter(request, response);
|
63
|
}
|
64
|
} else {
|
65
|
processInitial(request, response, chain, returnUri, authStateValue, client);
|
66
|
}
|
67
|
}
|
68
|
|
69
|
private boolean isUserConsentPost(HttpServletRequest request) {
|
70
|
String oauthApproval = request.getParameter(USER_OAUTH_APPROVAL);
|
71
|
return request.getMethod().equals(HttpMethod.POST.toString()) && StringUtils.isNotBlank(oauthApproval);
|
72
|
}
|
73
|
|
74
|
private void processInitial(HttpServletRequest request, ServletResponse response, FilterChain chain,
|
75
|
String returnUri, String authStateValue, Client client) throws IOException, ServletException {
|
76
|
AuthenticatedPrincipal principal = (AuthenticatedPrincipal) request.getAttribute(AbstractAuthenticator.PRINCIPAL);
|
77
|
List<AccessToken> tokens = accessTokenRepository.findByResourceOwnerIdAndClient(principal.getName(), client);
|
78
|
if (!CollectionUtils.isEmpty(tokens)) {
|
79
|
// If another token is already present for this resource owner and client, no new consent should be requested
|
80
|
List<String> grantedScopes = tokens.get(0).getScopes(); // take the scopes of the first access token found.
|
81
|
setGrantedScopes(request, grantedScopes.toArray(new String[grantedScopes.size()]));
|
82
|
chain.doFilter(request, response);
|
83
|
} else {
|
84
|
AuthorizationRequest authorizationRequest = authorizationRequestRepository.findByAuthState(authStateValue);
|
85
|
request.setAttribute("requestedScopes", authorizationRequest.getRequestedScopes());
|
86
|
request.setAttribute("client", client);
|
87
|
request.setAttribute(AUTH_STATE, authStateValue);
|
88
|
request.setAttribute("actionUri", returnUri);
|
89
|
((HttpServletResponse) response).setHeader("X-Frame-Options", "SAMEORIGIN");
|
90
|
request.getRequestDispatcher(getUserConsentUrl()).forward(request, response);
|
91
|
}
|
92
|
|
93
|
}
|
94
|
|
95
|
/**
|
96
|
* Return the path to the User Consent page. Subclasses can use this hook by
|
97
|
* providing a custom html/jsp.
|
98
|
*
|
99
|
* @return the path to the User Consent page
|
100
|
*/
|
101
|
protected String getUserConsentUrl() {
|
102
|
return "/WEB-INF/jsp/userconsent.jsp";
|
103
|
}
|
104
|
|
105
|
private boolean processForm(final HttpServletRequest request, final HttpServletResponse response)
|
106
|
throws ServletException, IOException {
|
107
|
if (Boolean.valueOf(request.getParameter(USER_OAUTH_APPROVAL))) {
|
108
|
setAuthStateValue(request, request.getParameter(AUTH_STATE));
|
109
|
String[] scopes = request.getParameterValues(GRANTED_SCOPES);
|
110
|
setGrantedScopes(request, scopes);
|
111
|
return true;
|
112
|
} else {
|
113
|
request.getRequestDispatcher(getUserConsentDeniedUrl()).forward(request, response);
|
114
|
return false;
|
115
|
}
|
116
|
}
|
117
|
|
118
|
/**
|
119
|
* @return
|
120
|
*/
|
121
|
protected String getUserConsentDeniedUrl() {
|
122
|
return "/WEB-INF/jsp/userconsent_denied.jsp";
|
123
|
}
|
124
|
|
125
|
}
|