cleaned up old endpoints

pull/1192/merge
Justin Richer 8 years ago
parent 8178af87f0
commit b176d4d77e

@ -16,17 +16,24 @@
*******************************************************************************/
package org.mitre.oauth2.web;
import java.security.Principal;
import static org.mitre.oauth2.web.AuthenticationUtilities.ensureOAuthScope;
import java.util.Collection;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.view.HttpCodeView;
import org.mitre.uma.model.ResourceSet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
@ -38,7 +45,10 @@ import org.springframework.web.bind.annotation.RequestParam;
@Controller
public class RevocationEndpoint {
@Autowired
OAuth2TokenEntityService tokenServices;
private ClientDetailsEntityService clientService;
@Autowired
private OAuth2TokenEntityService tokenServices;
/**
* Logger for this class
@ -49,32 +59,53 @@ public class RevocationEndpoint {
@PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')")
@RequestMapping("/" + URL)
public String revoke(@RequestParam("token") String tokenValue, @RequestParam(value = "token_type_hint", required = false) String tokenType, Principal principal, Model model) {
public String revoke(@RequestParam("token") String tokenValue, @RequestParam(value = "token_type_hint", required = false) String tokenType, Authentication auth, Model model) {
// This is the token as passed in from OAuth (in case we need it some day)
//OAuth2AccessTokenEntity tok = tokenServices.getAccessToken((OAuth2Authentication) principal);
OAuth2Request authRequest = null;
if (principal instanceof OAuth2Authentication) {
// if the client is acting on its own behalf (the common case), pull out the client authorization request
authRequest = ((OAuth2Authentication) principal).getOAuth2Request();
ClientDetailsEntity authClient = null;
if (auth instanceof OAuth2Authentication) {
// the client authenticated with OAuth, do our UMA checks
ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
// get out the client that was issued the access token (not the token being revoked)
OAuth2Authentication o2a = (OAuth2Authentication) auth;
String authClientId = o2a.getOAuth2Request().getClientId();
authClient = clientService.loadClientByClientId(authClientId);
// the owner is the user who authorized the token in the first place
String ownerId = o2a.getUserAuthentication().getName();
} else {
// the client authenticated directly, make sure it's got the right access
String authClientId = auth.getName(); // direct authentication puts the client_id into the authentication's name field
authClient = clientService.loadClientByClientId(authClientId);
}
try {
// check and handle access tokens first
OAuth2AccessTokenEntity accessToken = tokenServices.readAccessToken(tokenValue);
if (authRequest != null) {
// client acting on its own, make sure it owns the token
if (!accessToken.getClient().getClientId().equals(authRequest.getClientId())) {
// trying to revoke a token we don't own, throw a 403
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
}
// client acting on its own, make sure it owns the token
if (!accessToken.getClient().getClientId().equals(authClient.getClientId())) {
// trying to revoke a token we don't own, throw a 403
logger.info("Client " + authClient.getClientId() + " tried to revoke a token owned by " + accessToken.getClient().getClientId());
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
}
// if we got this far, we're allowed to do this
tokenServices.revokeAccessToken(accessToken);
logger.debug("Client " + authClient.getClientId() + " revoked access token " + tokenValue);
model.addAttribute(HttpCodeView.CODE, HttpStatus.OK);
return HttpCodeView.VIEWNAME;
@ -84,17 +115,21 @@ public class RevocationEndpoint {
try {
OAuth2RefreshTokenEntity refreshToken = tokenServices.getRefreshToken(tokenValue);
if (authRequest != null) {
// client acting on its own, make sure it owns the token
if (!refreshToken.getClient().getClientId().equals(authRequest.getClientId())) {
// trying to revoke a token we don't own, throw a 403
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
}
// client acting on its own, make sure it owns the token
if (!refreshToken.getClient().getClientId().equals(authClient.getClientId())) {
// trying to revoke a token we don't own, throw a 403
logger.info("Client " + authClient.getClientId() + " tried to revoke a token owned by " + refreshToken.getClient().getClientId());
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
return HttpCodeView.VIEWNAME;
}
// if we got this far, we're allowed to do this
tokenServices.revokeRefreshToken(refreshToken);
logger.debug("Client " + authClient.getClientId() + " revoked access token " + tokenValue);
model.addAttribute(HttpCodeView.CODE, HttpStatus.OK);
return HttpCodeView.VIEWNAME;
@ -102,6 +137,8 @@ public class RevocationEndpoint {
// neither token type was found, simply say "OK" and be on our way.
logger.debug("Failed to revoke token " + tokenValue);
model.addAttribute(HttpCodeView.CODE, HttpStatus.OK);
return HttpCodeView.VIEWNAME;
}

@ -111,13 +111,14 @@ public class DataAPI {
}
break;
case END_OBJECT:
reader.endObject();
break;
case END_DOCUMENT:
break;
}
}
reader.endObject();
return "httpCodeView";
}

Loading…
Cancel
Save