From 8aa98fd8b485673e041dbbbb8d8dedea72492146 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Feb 2014 16:58:39 +0100 Subject: Bugfix Error handling --- .../oauth20/json/OAuthSignatureAlgorithm.java | 1 + .../oauth20/protocol/OAuth20Protocol.java | 145 ++++++++++++--------- .../moa/id/auth/oauth/OAuth20ErrorsTests.java | 6 +- 3 files changed, 90 insertions(+), 62 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java index 5e023ff35..db15516e7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java @@ -47,6 +47,7 @@ public enum OAuthSignatureAlgorithm { */ public Signature getSignatureInstance() throws NoSuchAlgorithmException, NoSuchProviderException { if (!StringUtils.isEmpty(this.providerName)) { + //return Signature.getInstance(this.signatureName, this.providerName); return Signature.getInstance(this.signatureName, this.providerName); } else { return Signature.getInstance(this.signatureName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index db18b3a3e..47b81c5ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils; +import org.hibernate.annotations.common.util.StringHelper; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.moduls.IAction; @@ -67,10 +68,12 @@ public class OAuth20Protocol implements IModulInfo { * , javax.servlet.http.HttpServletResponse) */ public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) { - if (request.getParameter("action").equals(AUTH_ACTION)) { - return getAction(AUTH_ACTION); - } else if (request.getParameter("action").equals(TOKEN_ACTION)) { - return getAction(TOKEN_ACTION); + if (!StringUtils.isEmpty(request.getParameter("action"))) { + if (request.getParameter("action").equals(AUTH_ACTION)) { + return getAction(AUTH_ACTION); + } else if (request.getParameter("action").equals(TOKEN_ACTION)) { + return getAction(TOKEN_ACTION); + } } return null;// getAction(AUTH_ACTION); @@ -85,71 +88,95 @@ public class OAuth20Protocol implements IModulInfo { public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest) throws Throwable { - StringBuilder url = new StringBuilder(); - - String paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI); + // get error code and description + String errorCode; + String errorDescription; + // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11"; if (e instanceof OAuth20Exception) { - - String action = request.getParameter("action"); - - Logger.debug("Going to throw O OAuth20Exception for action: " + action); - OAuth20Exception oAuth20Exception = ((OAuth20Exception) e); - - String errorCode = oAuth20Exception.getErrorCode(); - String errorDescription = oAuth20Exception.getMessage(); - // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11"; - - if (action.equals(AUTH_ACTION)) { + errorCode = ((OAuth20Exception) e).getErrorCode(); + errorDescription = URLEncoder.encode(((OAuth20Exception) e).getMessageId() + ": " + e.getMessage(), "UTF-8"); + } else { + errorCode = OAuth20Constants.ERROR_SERVER_ERROR; + errorDescription = URLEncoder.encode(e.getMessage(), "UTF-8"); + } + + String paramRedirect = null; + String state = null; + boolean isAuthRequest = false; + if (protocolRequest != null) { + if (protocolRequest instanceof OAuth20AuthRequest) { + isAuthRequest = true; - // check if given redirect url is ok - if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) { - url.append(paramRedirect); + paramRedirect = ((OAuth20AuthRequest) protocolRequest).getRedirectUri(); + state = ((OAuth20AuthRequest) protocolRequest).getState(); + } else { + isAuthRequest = false; + } + } else { + String action = request.getParameter("action"); + if (!StringHelper.isEmpty(action)) { + if (action.equals(AUTH_ACTION)) { - // otherwise throw an - } else { - throw new MOAIDException("oauth20.01", new Object[] {}); + paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI); + state = request.getParameter(OAuth20Constants.PARAM_STATE); + isAuthRequest = true; } + } else { + throw new MOAIDException("oauth20.01", new Object[] {}); + } + } + + // if (action.equals(AUTH_ACTION)) { + if (isAuthRequest) { + Logger.debug("Going to throw O OAuth20Exception for auth request"); + + StringBuilder url = new StringBuilder(); + + // check if given redirect url is ok + if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) { + url.append(paramRedirect); - String state = request.getParameter(OAuth20Constants.PARAM_STATE); - - OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode); - OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, - URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8")); - // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri); - OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state); - - response.setContentType("text/html"); - response.setStatus(HttpServletResponse.SC_FOUND); - response.addHeader("Location", url.toString()); - Logger.debug("REDIRECT TO: " + url.toString()); - return true; - - } else if (action.equals(TOKEN_ACTION)) { - Map params = new HashMap(); - params.put(OAuth20Constants.PARAM_ERROR, errorCode); - params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, - URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8")); - // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri); - - // create response - JsonObject jsonObject = new JsonObject(); - OAuth20Util.addProperytiesToJsonObject(jsonObject, params); - String jsonResponse = jsonObject.toString(); - Logger.debug("JSON Response: " + jsonResponse); - - // write respone to http response - response.setContentType("application/json"); - response.setStatus(HttpServletResponse.SC_BAD_REQUEST); - response.getOutputStream().print(jsonResponse); - response.getOutputStream().close(); - - return true; + // otherwise throw an + } else { + throw new MOAIDException("oauth20.01", new Object[] {}); } + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); + // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state); + + response.setContentType("text/html"); + response.setStatus(HttpServletResponse.SC_FOUND); + response.addHeader("Location", url.toString()); + Logger.debug("REDIRECT TO: " + url.toString()); + return true; + + } else { + Logger.debug("Going to throw O OAuth20Exception for token request"); + + Map params = new HashMap(); + params.put(OAuth20Constants.PARAM_ERROR, errorCode); + params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); + // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri); + + // create response + JsonObject jsonObject = new JsonObject(); + OAuth20Util.addProperytiesToJsonObject(jsonObject, params); + String jsonResponse = jsonObject.toString(); + Logger.debug("JSON Response: " + jsonResponse); + + // write respone to http response + response.setContentType("application/json"); + response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + response.getOutputStream().print(jsonResponse); + response.getOutputStream().close(); + + return true; } - return false; + // return false; } diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java index 9aede62e3..abfca4f36 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java @@ -28,11 +28,11 @@ public class OAuth20ErrorsTests { private static VerificationCodeReceiver receiver; // base uri - private static String OAUTH2_BASE_URI = "http://localhost:8080/moa-id-auth/dispatcher"; + private static String OAUTH2_BASE_URI = "https://localhost/moa-id-auth/"; // auth action - private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=AUTH"; + private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "oauth2/auth"; // token action - private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=TOKEN"; + private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "oauth2/token"; // client id private static String CLIENT_ID = "http://test"; -- cgit v1.2.3