-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java23
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java176
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java28
3 files changed, 90 insertions, 137 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
index 473efc10a..db15516e7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
@@ -1,25 +1,3 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
package at.gv.egovernment.moa.id.protocols.oauth20.json;
import java.security.NoSuchAlgorithmException;
@@ -69,6 +47,7 @@ public enum OAuthSignatureAlgorithm {
*/
public Signature getSignatureInstance() throws NoSuchAlgorithmException, NoSuchProviderException {
if (!StringUtils.isEmpty(this.providerName)) {
+ //return Signature.getInstance(this.signatureName, this.providerName);
return Signature.getInstance(this.signatureName, this.providerName);
} else {
return Signature.getInstance(this.signatureName);
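Review bot: The added line `//return Signature.getInstance(this.signatureName, this.providerName);` is a commented-out duplicate of the live statement directly beneath it and carries no information. Delete it, or if it marks a pending change to how the provider is looked up, replace it with a TODO that states what is intended. getSignatureInstance's closing brace lies outside the hunk.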
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
index 7ef5a2068..47b81c5ff 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
@@ -1,25 +1,3 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
import java.net.URLEncoder;
@@ -30,10 +8,9 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
+import org.hibernate.annotations.common.util.StringHelper;
import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
-import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException;
-import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider;
import at.gv.egovernment.moa.id.moduls.IAction;
import at.gv.egovernment.moa.id.moduls.IModulInfo;
import at.gv.egovernment.moa.id.moduls.IRequest;
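Review bot: The new import `org.hibernate.annotations.common.util.StringHelper` pulls a Hibernate-internal utility into the protocol layer only to call `StringHelper.isEmpty` in generateErrorMessage, while `org.apache.commons.lang.StringUtils` is already imported and used in this same file for the identical check in canHandleRequest. Replacing the call with `if (!StringUtils.isEmpty(action)) {` and dropping the import keeps the class independent of Hibernate's internal packages, which are not a stable API.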
@@ -79,13 +56,6 @@ public class OAuth20Protocol implements IModulInfo {
*/
public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action) throws MOAIDException {
// validation is done inside creation
-
- if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isOAUTHActive()) {
- Logger.info("OAuth is deaktivated!");
- throw new ProtocolNotActiveException("auth.22", new Object[] { NAME });
-
- }
-
OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request);
Logger.debug("Created: " + res);
return res;
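Review bot: The configuration gate `AuthConfigurationProvider.getInstance().getAllowedProtocols().isOAUTHActive()` is removed from preProcess with no replacement visible in this diff, so a deployment that has OAuth disabled in its configuration would still have its requests parsed and processed by this module. If the check has moved to a dispatcher or module-registration layer, a comment such as `// protocol activation is enforced by the dispatcher before preProcess is reached` at the old location would make that visible to the next reader; otherwise the check should be restored. The method's closing brace lies outside the hunk.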
@@ -98,10 +68,12 @@ public class OAuth20Protocol implements IModulInfo {
* , javax.servlet.http.HttpServletResponse)
*/
public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) {
- if (request.getParameter("action").equals(AUTH_ACTION)) {
- return getAction(AUTH_ACTION);
- } else if (request.getParameter("action").equals(TOKEN_ACTION)) {
- return getAction(TOKEN_ACTION);
+ if (!StringUtils.isEmpty(request.getParameter("action"))) {
+ if (request.getParameter("action").equals(AUTH_ACTION)) {
+ return getAction(AUTH_ACTION);
+ } else if (request.getParameter("action").equals(TOKEN_ACTION)) {
+ return getAction(TOKEN_ACTION);
+ }
}
return null;// getAction(AUTH_ACTION);
@@ -116,71 +88,95 @@ public class OAuth20Protocol implements IModulInfo {
public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest)
throws Throwable {
- StringBuilder url = new StringBuilder();
-
- String paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI);
+ // get error code and description
+ String errorCode;
+ String errorDescription;
+ // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11";
if (e instanceof OAuth20Exception) {
-
- String action = request.getParameter("action");
-
- Logger.debug("Going to throw O OAuth20Exception for action: " + action);
- OAuth20Exception oAuth20Exception = ((OAuth20Exception) e);
-
- String errorCode = oAuth20Exception.getErrorCode();
- String errorDescription = oAuth20Exception.getMessage();
- // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11";
-
- if (action.equals(AUTH_ACTION)) {
+ errorCode = ((OAuth20Exception) e).getErrorCode();
+ errorDescription = URLEncoder.encode(((OAuth20Exception) e).getMessageId() + ": " + e.getMessage(), "UTF-8");
+ } else {
+ errorCode = OAuth20Constants.ERROR_SERVER_ERROR;
+ errorDescription = URLEncoder.encode(e.getMessage(), "UTF-8");
+ }
+
+ String paramRedirect = null;
+ String state = null;
+ boolean isAuthRequest = false;
+ if (protocolRequest != null) {
+ if (protocolRequest instanceof OAuth20AuthRequest) {
+ isAuthRequest = true;
- // check if given redirect url is ok
- if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) {
- url.append(paramRedirect);
+ paramRedirect = ((OAuth20AuthRequest) protocolRequest).getRedirectUri();
+ state = ((OAuth20AuthRequest) protocolRequest).getState();
+ } else {
+ isAuthRequest = false;
+ }
+ } else {
+ String action = request.getParameter("action");
+ if (!StringHelper.isEmpty(action)) {
+ if (action.equals(AUTH_ACTION)) {
- // otherwise throw an
- } else {
- throw new MOAIDException("oauth20.01", new Object[] {});
+ paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI);
+ state = request.getParameter(OAuth20Constants.PARAM_STATE);
+ isAuthRequest = true;
}
+ } else {
+ throw new MOAIDException("oauth20.01", new Object[] {});
+ }
+ }
+
+ // if (action.equals(AUTH_ACTION)) {
+ if (isAuthRequest) {
+ Logger.debug("Going to throw O OAuth20Exception for auth request");
+
+ StringBuilder url = new StringBuilder();
+
+ // check if given redirect url is ok
+ if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) {
+ url.append(paramRedirect);
- String state = request.getParameter(OAuth20Constants.PARAM_STATE);
-
- OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode);
- OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION,
- URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8"));
- // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri);
- OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state);
-
- response.setContentType("text/html");
- response.setStatus(HttpServletResponse.SC_FOUND);
- response.addHeader("Location", url.toString());
- Logger.debug("REDIRECT TO: " + url.toString());
- return true;
-
- } else if (action.equals(TOKEN_ACTION)) {
- Map<String, Object> params = new HashMap<String, Object>();
- params.put(OAuth20Constants.PARAM_ERROR, errorCode);
- params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION,
- URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8"));
- // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri);
-
- // create response
- JsonObject jsonObject = new JsonObject();
- OAuth20Util.addProperytiesToJsonObject(jsonObject, params);
- String jsonResponse = jsonObject.toString();
- Logger.debug("JSON Response: " + jsonResponse);
-
- // write respone to http response
- response.setContentType("application/json");
- response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
- response.getOutputStream().print(jsonResponse);
- response.getOutputStream().close();
-
- return true;
+ // otherwise throw an
+ } else {
+ throw new MOAIDException("oauth20.01", new Object[] {});
}
+ OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode);
+ OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription);
+ // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri);
+ OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state);
+
+ response.setContentType("text/html");
+ response.setStatus(HttpServletResponse.SC_FOUND);
+ response.addHeader("Location", url.toString());
+ Logger.debug("REDIRECT TO: " + url.toString());
+ return true;
+
+ } else {
+ Logger.debug("Going to throw O OAuth20Exception for token request");
+
+ Map<String, Object> params = new HashMap<String, Object>();
+ params.put(OAuth20Constants.PARAM_ERROR, errorCode);
+ params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription);
+ // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri);
+
+ // create response
+ JsonObject jsonObject = new JsonObject();
+ OAuth20Util.addProperytiesToJsonObject(jsonObject, params);
+ String jsonResponse = jsonObject.toString();
+ Logger.debug("JSON Response: " + jsonResponse);
+
+ // write respone to http response
+ response.setContentType("application/json");
+ response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+ response.getOutputStream().print(jsonResponse);
+ response.getOutputStream().close();
+
+ return true;
}
- return false;
+ // return false;
}
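Review bot: The fallback branch at L141–L142 passes `e.getMessage()` straight to `URLEncoder.encode`, which throws NullPointerException for the many Throwables that carry no message, so the error handler itself fails; when a message is present it is forwarded verbatim to the client via the redirect URL or the JSON body, disclosing internal exception text. A fixed description is safer, e.g. `errorDescription = URLEncoder.encode("internal server error", "UTF-8");`, with the original throwable logged server-side instead. In the `protocolRequest == null` path the redirect target comes from the raw `PARAM_REDIRECT_URI` request parameter and is checked only for URL syntax by `OAuth20Util.isUrl`, not against the client's registered redirect URI as RFC 6749 §3.1.2 requires; whether `OAuth20AuthRequest.getRedirectUri()` is validated at construction is not visible here, so a comment at L166 stating which layer enforces the match would help. The commented-out `// if (action.equals(AUTH_ACTION)) {` and `// return false;` should be deleted rather than left behind, and the `isAuthRequest = false;` in the inner else at L157 is redundant with the initialiser at L147.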
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
index 113a033a6..abfca4f36 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
@@ -1,25 +1,3 @@
-/*******************************************************************************
- * Copyright 2014 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- *******************************************************************************/
package test.at.gv.egovernment.moa.id.auth.oauth;
import java.io.IOException;
@@ -50,11 +28,11 @@ public class OAuth20ErrorsTests {
private static VerificationCodeReceiver receiver;
// base uri
- private static String OAUTH2_BASE_URI = "http://localhost:8080/moa-id-auth/dispatcher";
+ private static String OAUTH2_BASE_URI = "https://localhost/moa-id-auth/";
// auth action
- private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=AUTH";
+ private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "oauth2/auth";
// token action
- private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=TOKEN";
+ private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "oauth2/token";
// client id
private static String CLIENT_ID = "http://test";