github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

check client information on delete of resource set

pull/708/merge
Justin Richer 2015-04-12 21:15:03 -05:00
parent 7273b0a5b7
commit d6dfa89533
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
openid-connect-server/src/main/java/org/mitre/uma/web/ResourceSetRegistrationEndpoint.java
View File

@ -221,13 +221,22 @@ public class ResourceSetRegistrationEndpoint {
logger.warn("Unauthorized resource set request from bad user; expected " + rs.getOwner() + " got " + auth.getName());
// it wasn't issued to this user
m.addAttribute("code", HttpStatus.FORBIDDEN);
m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
return JsonErrorView.VIEWNAME;
} else if (auth instanceof OAuth2Authentication &&
!((OAuth2Authentication)auth).getOAuth2Request().getClientId().equals(rs.getClientId())){
logger.warn("Unauthorized resource set request from bad client; expected " + rs.getClientId() + " got " + ((OAuth2Authentication)auth).getOAuth2Request().getClientId());
// it wasn't issued to this user
m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
return JsonErrorView.VIEWNAME;
} else {
// user and client matched
resourceSetService.remove(rs);
m.addAttribute("code", HttpStatus.NO_CONTENT);
m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT);
return HttpCodeView.VIEWNAME;
}