Java Code Examples for org.apache.cxf.rs.security.oauth2.utils.OAuthConstants#SERVER_ERROR

Example 1
Source File: HawkAccessTokenValidator.java (Apache CXF, Apache License 2.0)
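/**
 * Resolves the Hawk token referenced by the {@code id} scheme parameter and wraps
 * it in an {@link AccessTokenValidation}.
 * <p>
 * The shared MAC key and algorithm are copied into the validation's extra
 * properties only when they are consumed locally, or when signature validation
 * is remote and the current transport is secure, so the key is never handed out
 * over an insecure channel.
 *
 * @param mc the current message context
 * @param authScheme the authorization scheme name
 * @param authSchemeData the raw scheme data from the Authorization header
 * @param extraProps extra properties supplied by the caller (unused here)
 * @param schemeParams the parsed Hawk scheme parameters
 * @return the validation result for the resolved token
 * @throws OAuthServiceException if the token id is absent, unknown, or refers
 *         to a token that is not a {@link HawkAccessToken}
 */
protected AccessTokenValidation getAccessTokenValidation(MessageContext mc,
                                                         String authScheme,
                                                         String authSchemeData,
                                                         MultivaluedMap<String, String> extraProps,
                                                         Map<String, String> schemeParams) {
    String macKey = schemeParams.get(OAuthConstants.HAWK_TOKEN_ID);
    // Reject a missing/empty token id before consulting the data provider rather
    // than handing it a null key; the failure mode is the same as for an unknown id.
    // NOTE(review): an authorization failure (401) may be the more natural outcome
    // for a bad id, but the existing SERVER_ERROR contract is kept here.
    if (macKey == null || macKey.isEmpty()) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    ServerAccessToken accessToken = dataProvider.getAccessToken(macKey);
    // instanceof is false for null, so this covers an unknown id as well as a
    // token of a different type.
    if (!(accessToken instanceof HawkAccessToken)) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    HawkAccessToken macAccessToken = (HawkAccessToken)accessToken;
    AccessTokenValidation atv = new AccessTokenValidation(macAccessToken);

    // Only expose the secret MAC key when it stays local, or when the remote
    // validator is reached over a secure transport (presumably the extra
    // properties are returned to that remote validator).
    // OAuth2 Pop token introspection will likely support returning a JWE-encrypted key
    if (!isRemoteSignatureValidation() || mc.getSecurityContext().isSecure()) {
        atv.getExtraProps().put(OAuthConstants.HAWK_TOKEN_KEY, macAccessToken.getMacKey());
        atv.getExtraProps().put(OAuthConstants.HAWK_TOKEN_ALGORITHM, macAccessToken.getMacAlgorithm());
    }

    return atv;
}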
 
Example 2
Source File: OidcClientCodeRequestFilter.java (Apache CXF, Apache License 2.0)
/**
 * Builds the OIDC token context for the current request.
 * <p>
 * If the request already carries an {@link OidcSecurityContext}, its context is
 * returned unchanged. Otherwise, when an access token is present, the id_token is
 * read through the configured reader, validated against the state captured at
 * redirection time, optionally enriched with UserInfo, and a new
 * {@link OidcSecurityContext} is installed on the request.
 *
 * @param rc the container request context
 * @param at the client access token, may be {@code null}
 * @param requestParams parameters of the incoming redirect request
 * @param state the state recorded when the authorization request was issued
 * @return the token context; empty when {@code at} is {@code null}
 * @throws OAuthServiceException if an access token is present but no id token
 *         reader has been configured
 */
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc,
                                                ClientAccessToken at,
                                                MultivaluedMap<String, String> requestParams,
                                                MultivaluedMap<String, String> state) {
    if (rc.getSecurityContext() instanceof OidcSecurityContext) {
        // Already established on this request: reuse the installed context.
        return ((OidcSecurityContext)rc.getSecurityContext()).getOidcContext();
    }

    OidcClientTokenContextImpl tokenCtx = new OidcClientTokenContextImpl();
    if (at == null) {
        return tokenCtx;
    }

    // Without a reader the id_token cannot be verified; refuse rather than trust it.
    if (idTokenReader == null) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    String code = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    IdToken idToken = idTokenReader.getIdToken(at, code, getConsumer());
    // Validate the properties set up at the redirection time.
    validateIdToken(idToken, state);
    tokenCtx.setIdToken(idToken);

    if (userInfoClient != null) {
        tokenCtx.setUserInfo(userInfoClient.getUserInfo(at, idToken, getConsumer()));
    }

    OidcSecurityContext secCtx = new OidcSecurityContext(tokenCtx);
    secCtx.setRoleClaim(roleClaim);
    rc.setSecurityContext(secCtx);
    return tokenCtx;
}
 
Example 3
Source File: OAuthClientUtils.java (Apache CXF, Apache License 2.0)
/**
 * Obtains an access token from the OAuth2 Access Token Service using the
 * initialized web client.
 * <p>
 * The grant parameters (plus any extra parameters) are posted as a form. When a
 * consumer is given, its credentials go either into an HTTP Basic Authorization
 * header or, failing that, into the form payload (the latter is permitted but
 * "NOT RECOMMENDED" by RFC 6749 section 2.3.1). A 200 response is parsed into a
 * {@link ClientAccessToken}; an error response carrying an {@code error}
 * member is surfaced as an {@link OAuthError}; anything else is a server error.
 *
 * @param accessTokenService the AccessToken client
 * @param consumer {@link Consumer} representing the registered client, may be
 *        {@code null} when the service maps the authenticated credentials to a
 *        client registration itself
 * @param grant {@link AccessTokenGrant} grant
 * @param extraParams extra parameters, may be {@code null}
 * @param defaultTokenType default expected token type - some early
 *        well-known OAuth2 services do not return a required token_type parameter
 * @param setAuthorizationHeader if set to true then HTTP Basic scheme
 *           will be used to pass client id and secret, otherwise they will
 *           be passed in the form payload
 * @return {@link ClientAccessToken} access token
 * @throws OAuthServiceException if the client is {@code null}, the service
 *         returned an OAuth error, or no token could be read from the response
 */
public static ClientAccessToken getAccessToken(WebClient accessTokenService,
                                               Consumer consumer,
                                               AccessTokenGrant grant,
                                               Map<String, String> extraParams,
                                               String defaultTokenType,
                                               boolean setAuthorizationHeader)
    throws OAuthServiceException {

    if (accessTokenService == null) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }

    Form tokenRequest = new Form(grant.toMap());
    if (extraParams != null) {
        for (Map.Entry<String, String> extra : extraParams.entrySet()) {
            tokenRequest.param(extra.getKey(), extra.getValue());
        }
    }
    if (consumer != null) {
        applyClientCredentials(accessTokenService, tokenRequest, consumer, setAuthorizationHeader);
    }
    // Without a consumer the AccessToken service is expected to find a mapping
    // between the authenticated credentials and the client registration id.

    Response response = accessTokenService.form(tokenRequest);
    Map<String, String> body = readTokenResponseBody(response);
    int status = response.getStatus();

    if (200 == status) {
        ClientAccessToken token = fromMapToClientToken(body, defaultTokenType);
        if (token != null) {
            return token;
        }
        // A 200 without a usable token falls through to the server error below.
    } else if (status >= 400 && body.containsKey(OAuthConstants.ERROR_KEY)) {
        OAuthError error = new OAuthError(body.get(OAuthConstants.ERROR_KEY),
                                          body.get(OAuthConstants.ERROR_DESCRIPTION_KEY));
        error.setErrorUri(body.get(OAuthConstants.ERROR_URI_KEY));
        throw new OAuthServiceException(error);
    }
    throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
}

/**
 * Attaches the client's credentials to the token request: as an HTTP Basic
 * Authorization header when requested and a secret is available, otherwise as
 * {@code client_id} (and {@code client_secret} when available) form parameters.
 */
private static void applyClientCredentials(WebClient accessTokenService,
                                           Form tokenRequest,
                                           Consumer consumer,
                                           boolean setAuthorizationHeader) {
    boolean secretAvailable = !StringUtils.isEmpty(consumer.getClientSecret());
    if (setAuthorizationHeader && secretAvailable) {
        accessTokenService.replaceHeader(HttpHeaders.AUTHORIZATION,
            DefaultBasicAuthSupplier.getBasicAuthHeader(consumer.getClientId(), consumer.getClientSecret()));
        return;
    }
    // Credentials in the payload: allowed by RFC 6749 but not the preferred scheme.
    tokenRequest.param(OAuthConstants.CLIENT_ID, consumer.getClientId());
    if (secretAvailable) {
        tokenRequest.param(OAuthConstants.CLIENT_SECRET, consumer.getClientSecret());
    }
}

/**
 * Reads the response entity as a JSON map when the media type is JSON (or
 * absent); any other media type yields an empty map. A failure while reading
 * is reported as a {@link ResponseProcessingException} carrying the response.
 */
private static Map<String, String> readTokenResponseBody(Response response) {
    try {
        boolean jsonBody = response.getMediaType() == null
            || response.getMediaType().isCompatible(MediaType.APPLICATION_JSON_TYPE);
        if (!jsonBody) {
            return Collections.emptyMap();
        }
        return new OAuthJSONProvider().readJSONResponse((InputStream) response.getEntity());
    } catch (Exception ex) {
        throw new ResponseProcessingException(response, ex);
    }
}
 
Example 4
Source File: OAuthServiceException.java (Apache CXF, Apache License 2.0)
/**
 * Creates an exception that reports a generic {@code server_error}
 * (the {@link OAuthConstants#SERVER_ERROR} code) with no underlying cause.
 */
public OAuthServiceException() {
    super(OAuthConstants.SERVER_ERROR);
}
 
Example 5
Source File: OAuthServiceException.java (Apache CXF, Apache License 2.0)
/**
 * Creates an exception that reports a generic {@code server_error}
 * (the {@link OAuthConstants#SERVER_ERROR} code) while preserving the
 * underlying cause for diagnostics.
 *
 * @param cause the exception that triggered this error
 */
public OAuthServiceException(Throwable cause) {
    super(OAuthConstants.SERVER_ERROR, cause);
}
 
Example 6
Source File: AbstractHawkAccessTokenValidator.java (Apache CXF, Apache License 2.0)
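/**
 * Validates a Hawk-authenticated request.
 * <p>
 * The token referenced by the scheme parameters is resolved first. Unless
 * signature validation is delegated to a remote service, the request's HMAC is
 * then recomputed over the normalized request string (HTTP method and URI taken
 * either from {@code extraProps} or from the current request) with the token's
 * shared key and compared in constant time with the {@code mac} parameter sent by
 * the client, after which the timestamp and nonce are checked.
 *
 * @param mc the current message context
 * @param authScheme the authorization scheme name
 * @param authSchemeData the raw scheme data from the Authorization header
 * @param extraProps optional properties; may carry the HTTP verb and URI the
 *        signature was computed over
 * @return the validation result for the token
 * @throws OAuthServiceException if the token cannot be resolved, or the client
 *         signature is not valid Base64
 */
public AccessTokenValidation validateAccessToken(MessageContext mc,
    String authScheme, String authSchemeData, MultivaluedMap<String, String> extraProps)
    throws OAuthServiceException {

    Map<String, String> schemeParams = getSchemeParameters(authSchemeData);
    AccessTokenValidation atv =
        getAccessTokenValidation(mc, authScheme, authSchemeData, extraProps, schemeParams);
    if (isRemoteSignatureValidation()) {
        // The signature is verified elsewhere; only the token lookup is done here.
        return atv;
    }

    String macKey = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_KEY);
    String macAlgo = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_ALGORITHM);

    // The MAC covers the HTTP method and URI. A caller may supply both explicitly
    // (presumably when validating on behalf of another request); otherwise they
    // are taken from the request being processed.
    final HttpRequestProperties httpProps;
    if (extraProps != null && extraProps.containsKey(HTTP_VERB) && extraProps.containsKey(HTTP_URI)) {
        httpProps = new HttpRequestProperties(URI.create(extraProps.getFirst(HTTP_URI)),
                                              extraProps.getFirst(HTTP_VERB));
    } else {
        httpProps = new HttpRequestProperties(mc.getUriInfo().getRequestUri(),
                                              mc.getHttpServletRequest().getMethod());
    }
    HawkAuthorizationScheme macAuthInfo = new HawkAuthorizationScheme(httpProps, schemeParams);
    String normalizedString = macAuthInfo.getNormalizedRequestString();

    // A request without a "mac" parameter carries no signature to verify: treat it
    // like a signature mismatch instead of passing a null value to the decoder.
    String clientMacString = schemeParams.get(OAuthConstants.HAWK_TOKEN_SIGNATURE);
    if (clientMacString == null || clientMacString.isEmpty()) {
        AuthorizationUtils.throwAuthorizationFailure(Collections
            .singleton(OAuthConstants.HAWK_AUTHORIZATION_SCHEME));
    }
    try {
        HmacAlgorithm hmacAlgo = HmacAlgorithm.toHmacAlgorithm(macAlgo);
        byte[] serverMacData = HmacUtils.computeHmac(macKey, hmacAlgo.getJavaName(), normalizedString);

        byte[] clientMacData = Base64Utility.decode(clientMacString);
        // Constant-time comparison: the response time must not reveal how many
        // leading bytes of the client's MAC were correct.
        boolean validMac = MessageDigest.isEqual(serverMacData, clientMacData);
        if (!validMac) {
            AuthorizationUtils.throwAuthorizationFailure(Collections
                .singleton(OAuthConstants.HAWK_AUTHORIZATION_SCHEME));
        }
    } catch (Base64Exception e) {
        // NOTE(review): a malformed client signature is reported as a server error;
        // an authorization failure would arguably fit better, but the exception
        // type callers see is kept unchanged here.
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR, e);
    }
    // Timestamp/nonce are checked only once the signature is known to be genuine,
    // so unauthenticated requests cannot influence that state.
    validateTimestampNonce(macKey, macAuthInfo.getTimestamp(), macAuthInfo.getNonce());
    return atv;
}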
 
Example 7
Source File: ServerAccessToken.java (Apache CXF, Apache License 2.0)
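/**
 * Ensures a token carries the expected token type before it is used.
 *
 * @param token the token to check
 * @param expectedType the token type the caller requires
 * @return {@code token}, unchanged, when its type matches
 * @throws OAuthServiceException if the token is {@code null}, has no type, or
 *         its type differs from {@code expectedType}
 */
protected static ServerAccessToken validateTokenType(ServerAccessToken token, String expectedType) {
    // A null token or a token without a type previously surfaced as a
    // NullPointerException; both are now reported as the same server error as
    // a type mismatch.
    if (token == null || token.getTokenType() == null
        || !token.getTokenType().equals(expectedType)) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    return token;
}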