backported error handler from 1.2, closes remote execution exploit

openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml

@@ -155,6 +155,8 @@
 
 	<import resource="authz-config.xml" />
 
+	<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
+
 	<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
 		<property name="authenticationManager" ref="clientAuthenticationManager" />
 		<property name="filterProcessesUrl" value="/token"/>

openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml

@@ -38,7 +38,8 @@
 		request-validator-ref="oauthRequestValidator"
 		redirect-resolver-ref="blacklistAwareRedirectResolver"
 		authorization-endpoint-url="/authorize" 
-		token-endpoint-url="/token">
+		token-endpoint-url="/token"
+		error-page="/error">
 		
 		<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
 		<oauth:implicit />

openid-connect-server-webapp/src/main/webapp/WEB-INF/views/error.jsp

@@ -0,0 +1,45 @@
+<%@page import="org.springframework.http.HttpStatus"%>
+<%@page import="org.springframework.security.oauth2.common.exceptions.OAuth2Exception"%>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags"%>
+<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
+<% 
+
+if (request.getAttribute("error") != null && request.getAttribute("error") instanceof OAuth2Exception) {
+	request.setAttribute("errorCode", ((OAuth2Exception)request.getAttribute("error")).getOAuth2ErrorCode());
+	request.setAttribute("message", ((OAuth2Exception)request.getAttribute("error")).getMessage());
+} else if (request.getAttribute("javax.servlet.error.exception") != null) {
+	Throwable t = (Throwable)request.getAttribute("javax.servlet.error.exception");
+	request.setAttribute("errorCode",  t.getClass().getSimpleName() + " (" + request.getAttribute("javax.servlet.error.status_code") + ")");
+	request.setAttribute("message", t.getMessage());
+} else if (request.getAttribute("javax.servlet.error.status_code") != null) {
+	Integer code = (Integer)request.getAttribute("javax.servlet.error.status_code");
+	HttpStatus status = HttpStatus.valueOf(code);
+	request.setAttribute("errorCode", status.toString() + " " + status.getReasonPhrase());
+	request.setAttribute("message", request.getAttribute("javax.servlet.error.message"));
+} else {
+	request.setAttribute("errorCode", "Server error");
+	request.setAttribute("message", "See the logs for details");
+}
+
+%>
+<o:header title="Error" />
+<div class="container-fluid main">
+	<div class="row-fluid">
+		<div class="offset1 span10">
+			<div class="hero-unit">
+				<h1><span>Error:</span>
+					<span class="text-error"><c:out value="${ errorCode }" /></span>
+				</h1>
+				<p>
+					There was an error processing your request. The server's message was:
+					<blockquote class="text-error"><b><c:out value="${ message }" /></b></blockquote>
+                </p>
+				
+			</div>
+
+		</div>
+	</div>
+</div>
+<o:footer />

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuth2ExceptionHandler.java

@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.oauth2.web;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+
+/**
+ * Controller helper that handles OAuth2 exceptions and propagates them as JSON errors.
+ * 
+ * @author jricher
+ *
+ */
+@ControllerAdvice
+public class OAuth2ExceptionHandler {
+	private static final Logger logger = LoggerFactory.getLogger(OAuth2ExceptionHandler.class);
+
+	@Autowired
+	private WebResponseExceptionTranslator providerExceptionHandler;
+
+	@ExceptionHandler(OAuth2Exception.class)
+	public ResponseEntity<OAuth2Exception> handleException(Exception e) throws Exception {
+		logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
+		return providerExceptionHandler.translate(e);
+	}
+
+}

openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java

@@ -90,11 +90,12 @@ public class PromptFilter extends GenericFilterBean {
 		}
 
 		// we have to create our own auth request in order to get at all the parmeters appropriately
-		AuthorizationRequest authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
+		AuthorizationRequest authRequest = null;
 
 		ClientDetailsEntity client = null;
 
 		try {
+			authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
 			client = clientService.loadClientByClientId(authRequest.getClientId());
 		} catch (InvalidClientException e) {
 			// no need to worry about this here, it would be caught elsewhere