From source file:org.mitreid.multiparty.web.ResourceController.java
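/**
 * Serves the resource identified by {@code rsId} once the caller presents a bearer token that,
 * according to the authorization server's introspection response, grants {@code read} on the
 * shared resource set the resource belongs to.
 *
 * <p>Every failure is signalled through {@code response} and a {@code null} body:
 * <ul>
 *   <li>404 when no resource with that id exists, or it has not been shared yet;</li>
 *   <li>500 with a {@code Warning} header when no permission ticket could be obtained;</li>
 *   <li>401 when no bearer token was presented;</li>
 *   <li>403 when the token is inactive, the introspection response is missing or malformed, or
 *       no permission entry grants {@code read} on this resource set.</li>
 * </ul>
 * Once a ticket has been obtained, the {@code WWW-Authenticate: UMA ...} challenge carrying it
 * is attached to the response, so every 401/403 above tells the client where to obtain an RPT.
 *
 * @param rsId          resource identifier taken from the request path
 * @param authorization raw {@code Authorization} header value, {@code null} when absent
 * @param response      servlet response used to set the status and challenge headers
 * @return the resource on success, {@code null} after one of the error statuses above
 * @throws JsonIOException propagated from the ticket/introspection helpers this method delegates to
 * @throws IOException     propagated from the ticket/introspection helpers this method delegates to
 */
@RequestMapping(value = "/api/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public Resource getResource(@PathVariable("id") String rsId,
        @RequestHeader(value = "Authorization", required = false) String authorization,
        HttpServletResponse response) throws JsonIOException, IOException {

    // load the resource from the ID
    Resource res = resourceService.getById(rsId);
    if (res == null) {
        // no resource with that ID, return a 404
        response.setStatus(HttpStatus.NOT_FOUND.value());
        return null;
    }

    // get the resource set associated with the resource
    SharedResourceSet resourceSet = resourceService.getSharedResourceSetForResource(res);
    if (resourceSet == null) {
        // not shared yet, return a 404
        response.setStatus(HttpStatus.NOT_FOUND.value());
        return null;
    }

    // load the server configuration based on the issuer from the resource set
    MultipartyServerConfiguration server = serverConfig.getServerConfiguration(resourceSet.getIssuer());
    // load client configuration (register if needed)
    RegisteredClient client = clientConfig.getClientConfiguration(server);
    // get an access token for the protection API
    String protectionAccessTokenValue = acccessTokenService.getAccessToken(server, client);

    // get a permission ticket for this resource set
    String ticket = getTicket(resourceSet, server, client, protectionAccessTokenValue);
    if (Strings.isNullOrEmpty(ticket)) {
        // couldn't get a ticket for some reason
        response.addHeader(HttpHeaders.WARNING, "199 - UMA Authorization Server Unreachable");
        response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
        return null;
    }

    // add the issuer and ticket to the response header before any 401/403 so the client can
    // take the ticket to the authorization server.
    // NOTE(review): issuer and ticket are interpolated into a quoted header value unescaped;
    // both originate from configuration / the AS rather than the caller, and the servlet
    // container is relied on to reject CR/LF in header values — confirm for the deployment.
    response.addHeader(HttpHeaders.WWW_AUTHENTICATE, "UMA realm=\"multiparty-resource\", as_uri=\""
            + resourceSet.getIssuer() + "\", ticket=\"" + ticket + "\"");

    // check the request to get the incoming token. The scheme match is case-insensitive and
    // locale-independent; regionMatches avoids the default-locale pitfall of toLowerCase().
    String bearerPrefix = "bearer ";
    if (Strings.isNullOrEmpty(authorization)
            || !authorization.regionMatches(true, 0, bearerPrefix, 0, bearerPrefix.length())) {
        // no token, return a 401
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        return null;
    }
    String incomingAccessToken = authorization.substring(bearerPrefix.length());

    // introspect/load the token
    JsonObject introspected = introspectToken(incomingAccessToken, server, client, protectionAccessTokenValue);
    if (!isActive(introspected)) {
        // no response, no "active" flag, or inactive token: forbidden
        // (previously a missing response/flag raised an NPE and surfaced as a 500)
        response.setStatus(HttpStatus.FORBIDDEN.value());
        return null;
    }

    JsonElement permissions = introspected.get("permissions");
    if (permissions != null && permissions.isJsonArray()
            && grantsRead(permissions.getAsJsonArray(), resourceSet.getRsid())) {
        // the token carries a read permission on exactly this resource set
        return res;
    }

    // if we fall down here then we didn't find a workable permission
    response.setStatus(HttpStatus.FORBIDDEN.value());
    return null;
}

/**
 * Reports whether an introspection response was returned and its {@code active} member is a
 * JSON primitive that reads as {@code true}. Anything missing or malformed counts as inactive.
 */
private static boolean isActive(JsonObject introspected) {
    if (introspected == null) {
        return false;
    }
    JsonElement active = introspected.get("active");
    return active != null && active.isJsonPrimitive() && active.getAsBoolean();
}

/**
 * Scans the introspection {@code permissions} array for an entry whose {@code resource_set_id}
 * equals {@code rsid} and whose {@code permission_scopes} contain {@code read}. Entries that are
 * not objects or lack a primitive {@code resource_set_id} are skipped rather than trusted.
 *
 * @param permissions the {@code permissions} array from the introspection response
 * @param rsid        identifier of the resource set being accessed, may be {@code null} (never matches)
 * @return {@code true} when a matching entry grants {@code read}
 */
private static boolean grantsRead(JsonArray permissions, String rsid) {
    for (JsonElement permission : permissions) {
        if (!permission.isJsonObject()) {
            continue;
        }
        JsonObject entry = permission.getAsJsonObject();
        // check to see that the token is for the right resource set
        JsonElement permissionRsid = entry.get("resource_set_id");
        if (permissionRsid == null || !permissionRsid.isJsonPrimitive()
                || !permissionRsid.getAsString().equals(rsid)) {
            continue;
        }
        // check to see if the token has the right scopes
        Set<String> scopes = JsonUtils.getAsStringSet(entry, "permission_scopes");
        if (scopes != null && scopes.contains("read")) {
            return true;
        }
    }
    return false;
}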