aboutsummaryrefslogtreecommitdiff
path: root/id/server/modules/moa-id-module-openID/src/main/java/at
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2019-02-19 11:29:19 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2019-02-19 11:29:19 +0100
commit0ec665ef207e9fb0f599a2b66789e5c39b2893dd (patch)
tree61e771243e682114f38908455e3ddc304cf529df /id/server/modules/moa-id-module-openID/src/main/java/at
parentc7cd9327bbc4d7e180bab9b6bff2a17028c166dc (diff)
downloadmoa-id-spss-0ec665ef207e9fb0f599a2b66789e5c39b2893dd.tar.gz
moa-id-spss-0ec665ef207e9fb0f599a2b66789e5c39b2893dd.tar.bz2
moa-id-spss-0ec665ef207e9fb0f599a2b66789e5c39b2893dd.zip
update OpenID-Connect request validation
Diffstat (limited to 'id/server/modules/moa-id-module-openID/src/main/java/at')
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java33
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java22
-rw-r--r--id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java35
3 files changed, 39 insertions, 51 deletions
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
index 0350a113c..4dc99262e 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
@@ -24,19 +24,20 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
-import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20OANotSupportedException;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException;
import at.gv.egovernment.moa.logging.Logger;
@@ -160,7 +161,7 @@ public class OAuth20AuthRequest extends OAuth20BaseRequest {
}
@Override
- protected void populateSpecialParameters(HttpServletRequest request, IConfiguration authConfig) throws OAuth20Exception {
+ protected void populateSpecialParameters(HttpServletRequest request, IConfiguration authConfig, ISPConfiguration oAuthConfig) throws OAuth20Exception {
this.setResponseType(this.getParam(request, OAuth20Constants.PARAM_RESPONSE_TYPE, true));
this.setState(this.getParam(request, OAuth20Constants.PARAM_STATE, true));
this.setRedirectUri(this.getParam(request, OAuth20Constants.PARAM_REDIRECT_URI, true));
@@ -178,25 +179,23 @@ public class OAuth20AuthRequest extends OAuth20BaseRequest {
throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_STATE);
}
- // check if client id and redirect uri are ok
- try {
- // OAOAUTH20 cannot be null at this point. check was done in base request
- ISPConfiguration oAuthConfig = authConfig.getServiceProviderConfiguration(this.getSPEntityId());
-
-
- if (!this.getClientID().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))
- || !this.getRedirectUri().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) {
- throw new OAuth20AccessDeniedException();
- }
-
- this.setOnlineApplicationConfiguration(oAuthConfig);
- Logger.info("Dispatch OpenIDConnect AuthRequest: ClientID=" + this.clientID);
+ // OAOAUTH20 cannot be null at this point. check was done in base request
+ if (StringUtils.isEmpty(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET))
+ || StringUtils.isEmpty(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))
+ || StringUtils.isEmpty(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) {
+ throw new OAuth20OANotSupportedException();
+ }
+
+ if (!this.getClientID().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))
+ || !this.getRedirectUri().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) {
+ throw new OAuth20AccessDeniedException();
- } catch (EAAFConfigurationException e) {
- throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
}
+ this.setOnlineApplicationConfiguration(oAuthConfig);
+ Logger.info("Dispatch OpenIDConnect AuthRequest: ClientID=" + this.clientID);
+
}
// /* (non-Javadoc)
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
index 118de861c..9cceea7d5 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
@@ -35,10 +35,8 @@ import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
-import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
-import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20OANotSupportedException;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.logging.Logger;
@@ -77,21 +75,17 @@ abstract class OAuth20BaseRequest extends RequestImpl {
throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
}
- if (StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET))
- || StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))
- || StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) {
- throw new OAuth20OANotSupportedException();
- }
+ // oAuth
+ this.populateSpecialParameters(request, authConfig, oaParam);
+
+ // cleanup parameters
+ this.checkAllowedParameters(request);
+
}
catch (EAAFConfigurationException e) {
throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
}
-
- // oAuth
- this.populateSpecialParameters(request, authConfig);
-
- // cleanup parameters
- this.checkAllowedParameters(request);
+
}
private void checkAllowedParameters(final HttpServletRequest request) throws OAuth20WrongParameterException {
@@ -112,6 +106,6 @@ abstract class OAuth20BaseRequest extends RequestImpl {
}
- protected abstract void populateSpecialParameters(final HttpServletRequest request, IConfiguration authConfig) throws OAuth20Exception;
+ protected abstract void populateSpecialParameters(final HttpServletRequest request, IConfiguration authConfig, ISPConfiguration oaParam) throws OAuth20Exception;
}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
index 89e4252b1..9a3613ea1 100644
--- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
@@ -24,20 +24,20 @@ package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
import javax.servlet.http.HttpServletRequest;
+import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;
import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
import at.gv.egiz.eaaf.core.api.idp.ISPConfiguration;
-import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidGrantException;
-import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20OANotSupportedException;
import at.gv.egovernment.moa.logging.Logger;
@Component("OAuth20TokenRequest")
@@ -125,7 +125,7 @@ class OAuth20TokenRequest extends OAuth20BaseRequest {
}
@Override
- protected void populateSpecialParameters(HttpServletRequest request, IConfiguration authConfig) throws OAuth20Exception {
+ protected void populateSpecialParameters(HttpServletRequest request, IConfiguration authConfig, ISPConfiguration oaParam) throws OAuth20Exception {
this.setCode(this.getParam(request, OAuth20Constants.RESPONSE_CODE, true));
this.setGrantType(this.getParam(request, OAuth20Constants.PARAM_GRANT_TYPE, true));
this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true));
@@ -136,26 +136,21 @@ class OAuth20TokenRequest extends OAuth20BaseRequest {
throw new OAuth20InvalidGrantException();
}
- // check if client id and secret are ok
- try {
- // OAOAUTH20 cannot be null at this point. check was done in base request
- ISPConfiguration oaParam = authConfig.getServiceProviderConfiguration(this.getSPEntityId());
-
- if (!this.getClientID().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))) {
- throw new OAuth20AccessDeniedException();
- }
-
- if (!this.getClientSecret().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET))) {
- throw new OAuth20AccessDeniedException();
- }
-
- this.setOnlineApplicationConfiguration(oaParam);
-
+ // OAOAUTH20 cannot be null at this point. check was done in base request
+ if (StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET))
+ || StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID)))
+ throw new OAuth20OANotSupportedException();
+
+ if (!this.getClientID().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))) {
+ throw new OAuth20AccessDeniedException();
}
- catch (EAAFConfigurationException e) {
- throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
+
+ if (!this.getClientSecret().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET))) {
+ throw new OAuth20AccessDeniedException();
}
+ this.setOnlineApplicationConfiguration(oaParam);
+
Logger.info("Dispatch OpenIDConnect TokenRequest: ClientID=" + this.clientID);
//add valid parameters