Opened token API access to all users; restricted it to only show the currently logged-in user's tokens
parent
71da5b3d94
commit
906db0ac86
|
@ -62,7 +62,7 @@ public interface OAuth2TokenRepository {
|
|||
public OAuth2AccessTokenEntity getAccessTokenForIdToken(OAuth2AccessTokenEntity idToken);
|
||||
|
||||
public Set<OAuth2AccessTokenEntity> getAllAccessTokens();
|
||||
|
||||
|
||||
public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();
|
||||
|
||||
}
|
||||
|
|
|
@ -27,10 +27,6 @@ import org.springframework.security.oauth2.provider.token.AuthorizationServerTok
|
|||
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
|
||||
|
||||
public interface OAuth2TokenEntityService extends AuthorizationServerTokenServices, ResourceServerTokenServices {
|
||||
|
||||
public Set<OAuth2AccessTokenEntity> getAllAccessTokens();
|
||||
|
||||
public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();
|
||||
|
||||
@Override
|
||||
public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue);
|
||||
|
@ -64,4 +60,7 @@ public interface OAuth2TokenEntityService extends AuthorizationServerTokenServic
|
|||
|
||||
public OAuth2RefreshTokenEntity getRefreshTokenById(Long id);
|
||||
|
||||
public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String name);
|
||||
|
||||
public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String name);
|
||||
}
|
||||
|
|
|
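Review bot: The new getAllAccessTokensForUser(String name) and getAllRefreshTokensForUser(String name) declarations carry no Javadoc, so a caller cannot tell what `name` is matched against or what comes back when the user owns nothing. Suggest a Javadoc on each stating that `name` is compared with the name of the Authentication held in each token's AuthenticationHolder (which is how DefaultOAuth2ProviderTokenService implements it in this commit) and that an empty set, never null, is returned when no token matches. Since these replace the unrestricted getAllAccessTokens()/getAllRefreshTokens() on the service, it is worth saying explicitly that the repository-level unrestricted variants still exist and must not be exposed through the web layer. The interface continues outside the hunk.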
@ -48,8 +48,9 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
|
|||
@Override
|
||||
public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens() {
|
||||
TypedQuery<OAuth2RefreshTokenEntity> query = manager.createNamedQuery("OAuth2RefreshTokenEntity.getAll", OAuth2RefreshTokenEntity.class);
|
||||
return new LinkedHashSet<OAuth2RefreshTokenEntity>(query.getResultList());
|
||||
return new LinkedHashSet<OAuth2RefreshTokenEntity>(query.getResultList());
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public OAuth2AccessTokenEntity getAccessTokenByValue(String accessTokenValue) {
|
||||
|
|
|
@ -72,12 +72,32 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
|
|||
@Autowired
|
||||
private TokenEnhancer tokenEnhancer;
|
||||
|
||||
public Set<OAuth2AccessTokenEntity> getAllAccessTokens() {
|
||||
return tokenRepository.getAllAccessTokens();
|
||||
public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) {
|
||||
|
||||
Set<OAuth2AccessTokenEntity> all = tokenRepository.getAllAccessTokens();
|
||||
Set<OAuth2AccessTokenEntity> results = Sets.newLinkedHashSet();
|
||||
|
||||
for (OAuth2AccessTokenEntity token : all) {
|
||||
if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
|
||||
results.add(token);
|
||||
}
|
||||
}
|
||||
|
||||
return results;
|
||||
}
|
||||
|
||||
|
||||
public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens() {
|
||||
return tokenRepository.getAllRefreshTokens();
|
||||
public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String id) {
|
||||
Set<OAuth2RefreshTokenEntity> all = tokenRepository.getAllRefreshTokens();
|
||||
Set<OAuth2RefreshTokenEntity> results = Sets.newLinkedHashSet();
|
||||
|
||||
for (OAuth2RefreshTokenEntity token : all) {
|
||||
if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
|
||||
results.add(token);
|
||||
}
|
||||
}
|
||||
|
||||
return results;
|
||||
}
|
||||
|
||||
public OAuth2AccessTokenEntity getAccessTokenById(Long id) {
|
||||
|
|
|
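Review bot: getAllAccessTokensForUser filters by calling `token.getAuthenticationHolder().getAuthentication().getName()` on every token in the repository, so if the data model permits a token whose holder or authentication is null (not visible here), one such token throws a NullPointerException and breaks the listing for every user; the same applies to getAllRefreshTokensForUser below it. Loading all tokens and filtering in memory also scales with the total number of tokens in the system rather than the caller's, so a repository query parameterized by the user name would be the better home for this ownership filter. The two loops are identical apart from the element type; a small private predicate helper that encapsulates the ownership rule would keep it in one place for both methods and for the web layer that repeats the same comparison. DefaultOAuth2ProviderTokenService continues outside the hunk.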
@ -1,5 +1,6 @@
|
|||
package org.mitre.oauth2.web;
|
||||
|
||||
import java.security.Principal;
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
|
||||
|
@ -31,56 +32,32 @@ public class AccessTokenAPI {
|
|||
private static Logger logger = LoggerFactory.getLogger(AccessTokenAPI.class);
|
||||
|
||||
@RequestMapping(value = "", method = RequestMethod.GET, produces = "application/json")
|
||||
public String getAll(ModelMap m) {
|
||||
|
||||
Set<OAuth2AccessTokenEntity> allTokens = tokenService.getAllAccessTokens();
|
||||
public String getAll(ModelMap m, Principal p) {
|
||||
|
||||
Set<OAuth2AccessTokenEntity> allTokens = tokenService.getAllAccessTokensForUser(p.getName());
|
||||
m.put("entity", allTokens);
|
||||
|
||||
return "jsonEntityView";
|
||||
}
|
||||
|
||||
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
|
||||
public String getById(@PathVariable("id") Long id, ModelMap m) {
|
||||
public String getById(@PathVariable("id") Long id, ModelMap m, Principal p) {
|
||||
|
||||
OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
|
||||
|
||||
if (token != null) {
|
||||
|
||||
m.put("entity", token);
|
||||
|
||||
return "jsonEntityView";
|
||||
} else {
|
||||
|
||||
if (token == null) {
|
||||
logger.error("getToken failed; token not found: " + id);
|
||||
|
||||
m.put("code", HttpStatus.NOT_FOUND);
|
||||
m.put("errorMessage", "The requested token with id " + id + " could not be found.");
|
||||
return "jsonErrorView";
|
||||
}
|
||||
}
|
||||
|
||||
@PreAuthorize("hasRole('ROLE_ADMIN')")
|
||||
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
|
||||
public String delete(@PathVariable("id") Long id, ModelMap m) {
|
||||
|
||||
OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
|
||||
|
||||
if (token != null) {
|
||||
|
||||
tokenService.revokeAccessToken(token);
|
||||
m.put("code", HttpStatus.OK);
|
||||
return "httpCodeView";
|
||||
|
||||
} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) {
|
||||
logger.error("getToken failed; token does not belong to principal " + p.getName());
|
||||
m.put("code", HttpStatus.FORBIDDEN);
|
||||
m.put("errorMessage", "You do not have permission to view this token");
|
||||
return "jsonErrorView";
|
||||
} else {
|
||||
|
||||
logger.error("Delete token failed; token not found: " + id);
|
||||
|
||||
m.put("code", HttpStatus.NOT_FOUND);
|
||||
m.put("errorMessage", "The requested token with id " + id + " could not be found.");
|
||||
return "jsonErrorView";
|
||||
m.put("entity", token);
|
||||
return "jsonEntityView";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
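Review bot: In getById the new ownership branch answers FORBIDDEN with "You do not have permission to view this token" when the token exists but belongs to another user, while an unknown id answers NOT_FOUND, so a non-admin can learn which token ids exist system-wide by probing ids; RefreshTokenAPI.getById has the same pair of branches. Returning the same status and message for both cases removes that oracle while the log line keeps the detail, e.g. `m.put("code", HttpStatus.NOT_FOUND);` and the existing "could not be found" message in the ownership branch. The check dereferences `token.getAuthenticationHolder().getAuthentication()` and `p` without null guards; whether either can be null depends on the data model and the security filter chain, which are outside this hunk. delete keeps its method-level `@PreAuthorize("hasRole('ROLE_ADMIN')")`, which is right, but getAll and getById now depend entirely on whatever class-level or filter-chain authentication remains, and that is not visible in the diff.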
@ -1,5 +1,6 @@
|
|||
package org.mitre.oauth2.web;
|
||||
|
||||
import java.security.Principal;
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
|
||||
|
@ -32,9 +33,9 @@ public class RefreshTokenAPI {
|
|||
private static Logger logger = LoggerFactory.getLogger(RefreshTokenAPI.class);
|
||||
|
||||
@RequestMapping(value = "", method = RequestMethod.GET, produces = "application/json")
|
||||
public String getAll(ModelMap m) {
|
||||
public String getAll(ModelMap m, Principal p) {
|
||||
|
||||
Set<OAuth2RefreshTokenEntity> allTokens = tokenService.getAllRefreshTokens();
|
||||
Set<OAuth2RefreshTokenEntity> allTokens = tokenService.getAllRefreshTokensForUser(p.getName());
|
||||
|
||||
m.put("entity", allTokens);
|
||||
|
||||
|
@ -42,46 +43,24 @@ public class RefreshTokenAPI {
|
|||
}
|
||||
|
||||
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
|
||||
public String getById(@PathVariable("id") Long id, ModelMap m) {
|
||||
public String getById(@PathVariable("id") Long id, ModelMap m, Principal p) {
|
||||
|
||||
OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
|
||||
|
||||
if (token != null) {
|
||||
|
||||
m.put("entity", token);
|
||||
|
||||
return "jsonEntityView";
|
||||
} else {
|
||||
|
||||
if (token == null) {
|
||||
logger.error("getToken failed; token not found: " + id);
|
||||
|
||||
m.put("code", HttpStatus.NOT_FOUND);
|
||||
m.put("errorMessage", "The requested token with id " + id + " could not be found.");
|
||||
return "jsonErrorView";
|
||||
}
|
||||
}
|
||||
|
||||
@PreAuthorize("hasRole('ROLE_ADMIN')")
|
||||
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
|
||||
public String delete(@PathVariable("id") Long id, ModelMap m) {
|
||||
|
||||
OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
|
||||
|
||||
if (token != null) {
|
||||
|
||||
tokenService.revokeRefreshToken(token);
|
||||
m.put("code", HttpStatus.OK);
|
||||
return "httpCodeView";
|
||||
|
||||
} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) {
|
||||
logger.error("getToken failed; token does not belong to principal " + p.getName());
|
||||
m.put("code", HttpStatus.FORBIDDEN);
|
||||
m.put("errorMessage", "You do not have permission to view this token");
|
||||
return "jsonErrorView";
|
||||
} else {
|
||||
|
||||
logger.error("Delete token failed; token not found: " + id);
|
||||
|
||||
m.put("code", HttpStatus.NOT_FOUND);
|
||||
m.put("errorMessage", "The requested token with id " + id + " could not be found.");
|
||||
return "jsonErrorView";
|
||||
m.put("entity", token);
|
||||
return "jsonEntityView";
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
|