List of usage examples for org.springframework.security.oauth2.provider AuthorizationRequest getApprovalParameters
public Map<String, String> getApprovalParameters()
From source file:org.cloudfoundry.identity.uaa.oauth.UserManagedAuthzApprovalHandler.java
@Override public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) { String flag = authorizationRequest.getApprovalParameters().get(approvalParameter); boolean userApproval = flag != null && flag.toLowerCase().equals("true"); if (logger.isDebugEnabled()) { StringBuilder builder = new StringBuilder("Looking up user approved authorizations for "); builder.append("client_id=").append(authorizationRequest.getClientId()); builder.append(" and username=").append(userAuthentication.getName()); logger.debug(builder.toString()); }// www. j a va 2 s. c o m Collection<String> requestedScopes = authorizationRequest.getScope(); // Factor in auto approved scopes Set<String> autoApprovedScopes = new HashSet<>(); BaseClientDetails client = (BaseClientDetails) clientDetailsService .retrieve(authorizationRequest.getClientId()); if (client != null && requestedScopes != null) { autoApprovedScopes.addAll(client.getAutoApproveScopes()); autoApprovedScopes = UaaTokenUtils.retainAutoApprovedScopes(requestedScopes, autoApprovedScopes); } //translate scope to user scopes - including wild cards if (userApproval) { // Store the scopes that have been approved / denied Date expiry = computeExpiry(); // Get the approved scopes, calculate the denied scope Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters(); Set<String> approvedScopes = new HashSet<>(); approvedScopes.addAll(autoApprovedScopes); boolean foundUserApprovalParameter = false; for (String approvalParameter : approvalParameters.keySet()) { if (approvalParameter.startsWith(SCOPE_PREFIX)) { approvedScopes.add(approvalParameters.get(approvalParameter).substring(SCOPE_PREFIX.length())); foundUserApprovalParameter = true; } } if (foundUserApprovalParameter) { authorizationRequest.setScope(approvedScopes); for (String requestedScope : requestedScopes) { if (approvedScopes.contains(requestedScope)) { Approval approval = new Approval().setUserId(getUserId(userAuthentication)) .setClientId(authorizationRequest.getClientId()).setScope(requestedScope) .setExpiresAt(expiry).setStatus(APPROVED); approvalStore.addApproval(approval); } else { Approval approval = new Approval().setUserId(getUserId(userAuthentication)) .setClientId(authorizationRequest.getClientId()).setScope(requestedScope) .setExpiresAt(expiry).setStatus(DENIED); approvalStore.addApproval(approval); } } } else { // Deny all except auto approved scopes authorizationRequest.setScope(autoApprovedScopes); for (String requestedScope : requestedScopes) { if (!autoApprovedScopes.contains(requestedScope)) { Approval approval = new Approval().setUserId(getUserId(userAuthentication)) .setClientId(authorizationRequest.getClientId()).setScope(requestedScope) .setExpiresAt(expiry).setStatus(DENIED); approvalStore.addApproval(approval); } } } if (userAuthentication.isAuthenticated()) { return true; } } else { // Find the stored approvals for that user and client List<Approval> userApprovals = approvalStore.getApprovals(getUserId(userAuthentication), authorizationRequest.getClientId()); // Look at the scopes and see if they have expired Set<String> validUserApprovedScopes = new HashSet<>(); Set<String> approvedScopes = new HashSet<>(); approvedScopes.addAll(autoApprovedScopes); validUserApprovedScopes.addAll(autoApprovedScopes); Date today = new Date(); for (Approval approval : userApprovals) { if (approval.getExpiresAt().after(today)) { validUserApprovedScopes.add(approval.getScope()); if (approval.getStatus() == APPROVED) { approvedScopes.add(approval.getScope()); } } } if (logger.isDebugEnabled()) { logger.debug("Valid user approved/denied scopes are " + validUserApprovedScopes); } // If the requested scopes have already been acted upon by the user, // this request is approved if (validUserApprovedScopes.containsAll(requestedScopes) && userAuthentication.isAuthenticated()) { approvedScopes = UaaTokenUtils.retainAutoApprovedScopes(requestedScopes, approvedScopes); // Set only the scopes that have been approved by the user authorizationRequest.setScope(approvedScopes); return true; } } return false; }
From source file:org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler.java
/** * Requires the authorization request to be explicitly approved, including all individual scopes, and the user to be * authenticated. A scope that was requested in the authorization request can be approved by sending a request * parameter <code>scope.<scopename></code> equal to "true" or "approved" (otherwise it will be assumed to * have been denied). The {@link ApprovalStore} will be updated to reflect the inputs. * /*from ww w .j av a 2 s . c o m*/ * @param authorizationRequest The authorization request. * @param userAuthentication the current user authentication * * @return An approved request if all scopes have been approved by the current user. */ public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) { // Get the approved scopes Set<String> requestedScopes = authorizationRequest.getScope(); Set<String> approvedScopes = new HashSet<String>(); Set<Approval> approvals = new HashSet<Approval>(); Date expiry = computeExpiry(); // Store the scopes that have been approved / denied Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters(); for (String requestedScope : requestedScopes) { String approvalParameter = scopePrefix + requestedScope; String value = approvalParameters.get(approvalParameter); value = value == null ? "" : value.toLowerCase(); if ("true".equals(value) || value.startsWith("approve")) { approvedScopes.add(requestedScope); approvals.add(new Approval(userAuthentication.getName(), authorizationRequest.getClientId(), requestedScope, expiry, ApprovalStatus.APPROVED)); } else { approvals.add(new Approval(userAuthentication.getName(), authorizationRequest.getClientId(), requestedScope, expiry, ApprovalStatus.DENIED)); } } approvalStore.addApprovals(approvals); boolean approved; authorizationRequest.setScope(approvedScopes); if (approvedScopes.isEmpty() && !requestedScopes.isEmpty()) { approved = false; } else { approved = true; } authorizationRequest.setApproved(approved); return authorizationRequest; }
From source file:org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler.java
/** * Basic implementation just requires the authorization request to be explicitly approved and the user to be * authenticated.//from w ww . j ava 2 s .co m * * @param authorizationRequest The authorization request. * @param userAuthentication the current user authentication * * @return Whether the specified request has been approved by the current user. */ public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) { String flag = authorizationRequest.getApprovalParameters().get(approvalParameter); boolean approved = flag != null && flag.toLowerCase().equals("true"); OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest, userAuthentication); if (logger.isDebugEnabled()) { StringBuilder builder = new StringBuilder("Looking up existing token for "); builder.append("client_id=" + authorizationRequest.getClientId()); builder.append(", scope=" + authorizationRequest.getScope()); builder.append(" and username=" + userAuthentication.getName()); logger.debug(builder.toString()); } OAuth2AccessToken accessToken = tokenServices.getAccessToken(authentication); logger.debug("Existing access token=" + accessToken); if (accessToken != null && !accessToken.isExpired()) { logger.debug("User already approved with token=" + accessToken); // A token was already granted and is still valid, so this is already approved approved = true; } else { logger.debug("Checking explicit approval"); approved = userAuthentication.isAuthenticated() && approved; } return approved; }