From a106121af3b82cab6e4af1d7df8b7ca82f19bd39 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Tue, 10 Jun 2014 16:29:45 -0400
Subject: [PATCH] created blacklist aware redirect resolver and wired it in, closes #549
---
 .../src/main/webapp/WEB-INF/authz-config.xml | 1 +
 .../impl/BlacklistAwareRedirectResolver.java | 40 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml
index 1faef3cde..4cdbb3ee7 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml
@@ -36,6 +36,7 @@
 token-services-ref="defaultOAuth2ProviderTokenService" user-approval-handler-ref="tofuUserApprovalHandler" request-validator-ref="oauthRequestValidator"
+ redirect-resolver-ref="blacklistAwareRedirectResolver"
 authorization-endpoint-url="/authorize" token-endpoint-url="/token">
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java
new file mode 100644
index 000000000..e3b95c1fa
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/BlacklistAwareRedirectResolver.java
@@ -0,0 +1,40 @@
+/**
+ *
+ */
+package org.mitre.oauth2.service.impl;
+
+import org.mitre.openid.connect.service.BlacklistedSiteService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
+import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author jricher
+ *
+ */
+@Component("blacklistAwareRedirectResolver")
+public class BlacklistAwareRedirectResolver extends DefaultRedirectResolver {
+
+ @Autowired
+ private BlacklistedSiteService blacklistService;
+
+ /* (non-Javadoc)
+ * @see org.springframework.security.oauth2.provider.endpoint.RedirectResolver#resolveRedirect(java.lang.String, org.springframework.security.oauth2.provider.ClientDetails)
+ */
+ @Override
+ public String resolveRedirect(String requestedRedirect, ClientDetails client) throws OAuth2Exception {
+ String redirect = super.resolveRedirect(requestedRedirect, client);
+ if (blacklistService.isBlacklisted(redirect)) {
+ // don't let it go through
+ throw new InvalidRequestException("The supplied redirect_uri is not allowed on this server.");
+ } else {
+ // not blacklisted, passed the parent test, we're fine
+ return redirect;
+ }
+ }
+
+}
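Review bot: The resolved `redirect` is handed to `isBlacklisted` exactly as the client supplied it, so if BlacklistedSiteService compares on string equality (it is not visible in this hunk) a listed URI with different host casing, a trailing slash, an extra query parameter or a `user@` authority prefix would slip past the check; either normalize before the lookup (e.g. `java.net.URI.create(redirect).normalize()` with a host-based comparison) or document that the blacklist is expected to hold patterns rather than literal URIs. Throwing rather than returning is also what stops the authorization endpoint from delivering the error by redirecting to the blacklisted URI, and that intent deserves a comment on the `throw`, e.g. `// Throw rather than return: the endpoint must never redirect an error back to a blacklisted URI`. Spring's DefaultRedirectResolver signals a rejected redirect with RedirectMismatchException, which the endpoint treats as "render the error locally" rather than redirect; if that holds for the framework version in use, throwing that subclass instead of InvalidRequestException keeps the two rejection paths consistent. Minor: the `RedirectResolver` import is unused.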