github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

moved an uma package to common, extracted OAuth scope enforcement utility

pull/708/merge
Justin Richer 2015-02-28 08:32:47 -05:00
parent 5be7d64c7d
commit c41488b103
3 changed files with 61 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
openid-connect-server/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java → openid-connect-common/src/main/java/org/mitre/uma/repository/ResourceSetRepository.java
View File

54
openid-connect-server/src/main/java/org/mitre/uma/web/OAuthScopeEnforcementUtilities.java Normal file
View File

@ -0,0 +1,54 @@
/*******************************************************************************
* Copyright 2015 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.uma.web;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import com.google.common.collect.ImmutableSet;
/**
*
* Utility class to enforce OAuth scopes in authenticated requests.
*
* @author jricher
*
*/
public abstract class OAuthScopeEnforcementUtilities {
/**
* Makes sure the authentication contains the given scope, throws an exception otherwise
* @param auth the authentication object to check
* @param scope TODO
* @param scope the scope to look for
* @throws InsufficientScopeException if the authentication does not contain that scope
*/
public static void ensureOAuthScope(Authentication auth, String scope) {
// if auth is OAuth, make sure we've got the right scope
if (auth instanceof OAuth2Authentication) {
OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) auth;
if (oAuth2Authentication.getOAuth2Request().getScope() == null
|| !oAuth2Authentication.getOAuth2Request().getScope().contains(scope)) {
throw new InsufficientScopeException("Insufficient scope", ImmutableSet.of(scope));
}
}
}
}

26
openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
View File

@ -16,6 +16,8 @@
*******************************************************************************/ *******************************************************************************/
package org.mitre.uma.web; package org.mitre.uma.web;
import static org.mitre.uma.web.OAuthScopeEnforcementUtilities.ensureOAuthScope;
import static org.mitre.util.JsonUtils.getAsLong; import static org.mitre.util.JsonUtils.getAsLong;
import static org.mitre.util.JsonUtils.getAsString; import static org.mitre.util.JsonUtils.getAsString;
import static org.mitre.util.JsonUtils.getAsStringSet; import static org.mitre.util.JsonUtils.getAsStringSet;
@ -39,8 +41,6 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.ui.Model; import org.springframework.ui.Model;
import org.springframework.util.MimeTypeUtils; import org.springframework.util.MimeTypeUtils;
@ -50,7 +50,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestMethod;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.gson.JsonElement; import com.google.gson.JsonElement;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
import com.google.gson.JsonParseException; import com.google.gson.JsonParseException;
@ -75,7 +74,7 @@ public class ResourceSetRegistrationEndpoint {
@RequestMapping(method = RequestMethod.POST, produces = MimeTypeUtils.APPLICATION_JSON_VALUE, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE) @RequestMapping(method = RequestMethod.POST, produces = MimeTypeUtils.APPLICATION_JSON_VALUE, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE)
public String createResourceSet(@RequestBody String jsonString, Model m, Authentication auth) { public String createResourceSet(@RequestBody String jsonString, Model m, Authentication auth) {
ensureOAuthScope(auth); ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
ResourceSet rs = parseResourceSet(jsonString); ResourceSet rs = parseResourceSet(jsonString);
@ -105,7 +104,7 @@ public class ResourceSetRegistrationEndpoint {
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) @RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
public String readResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) { public String readResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) {
ensureOAuthScope(auth); ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
ResourceSet rs = resourceSetService.getById(id); ResourceSet rs = resourceSetService.getById(id);
@ -133,7 +132,7 @@ public class ResourceSetRegistrationEndpoint {
@RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) @RequestMapping(value = "/{id}", method = RequestMethod.PUT, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
public String updateResourceSet(@PathVariable ("id") Long id, @RequestBody String jsonString, Model m, Authentication auth) { public String updateResourceSet(@PathVariable ("id") Long id, @RequestBody String jsonString, Model m, Authentication auth) {
ensureOAuthScope(auth); ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
ResourceSet newRs = parseResourceSet(jsonString); ResourceSet newRs = parseResourceSet(jsonString);
@ -178,7 +177,7 @@ public class ResourceSetRegistrationEndpoint {
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) @RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
public String deleteResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) { public String deleteResourceSet(@PathVariable ("id") Long id, Model m, Authentication auth) {
ensureOAuthScope(auth); ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
ResourceSet rs = resourceSetService.getById(id); ResourceSet rs = resourceSetService.getById(id);
@ -207,7 +206,7 @@ public class ResourceSetRegistrationEndpoint {
@RequestMapping(method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) @RequestMapping(method = RequestMethod.GET, produces = MimeTypeUtils.APPLICATION_JSON_VALUE)
public String listResourceSets(Model m, Authentication auth) { public String listResourceSets(Model m, Authentication auth) {
ensureOAuthScope(auth); ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);
String owner = auth.getName(); String owner = auth.getName();
@ -224,17 +223,6 @@ public class ResourceSetRegistrationEndpoint {
return JsonEntityView.VIEWNAME; return JsonEntityView.VIEWNAME;
} }
private void ensureOAuthScope(Authentication auth) {
// if auth is OAuth, make sure we've got the right scope
if (auth instanceof OAuth2Authentication) {
OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) auth;
if (oAuth2Authentication.getOAuth2Request().getScope() == null
|| !oAuth2Authentication.getOAuth2Request().getScope().contains(SystemScopeService.UMA_PROTECTION_SCOPE)) {
throw new InsufficientScopeException("Insufficient scope", ImmutableSet.of(SystemScopeService.UMA_PROTECTION_SCOPE));
}
}
}
private ResourceSet parseResourceSet(String jsonString) { private ResourceSet parseResourceSet(String jsonString) {
try { try {