From ebe0a4c8c3e63b5cdbd9ee1bd781635059cd5516 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 3 Feb 2014 16:44:14 +0100 Subject: Bugfix: Error Handling --- .../oauth20/json/OAuthSignatureAlgorithm.java | 23 +-- .../oauth20/protocol/OAuth20Protocol.java | 176 ++++++++++----------- .../moa/id/auth/oauth/OAuth20ErrorsTests.java | 28 +--- 3 files changed, 90 insertions(+), 137 deletions(-) (limited to 'id/server/idserverlib/src') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java index 473efc10a..db15516e7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java @@ -1,25 +1,3 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.json; import java.security.NoSuchAlgorithmException; @@ -69,6 +47,7 @@ public enum OAuthSignatureAlgorithm { */ public Signature getSignatureInstance() throws NoSuchAlgorithmException, NoSuchProviderException { if (!StringUtils.isEmpty(this.providerName)) { + //return Signature.getInstance(this.signatureName, this.providerName); return Signature.getInstance(this.signatureName, this.providerName); } else { return Signature.getInstance(this.signatureName); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index 7ef5a2068..47b81c5ff 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -1,25 +1,3 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.protocol; import java.net.URLEncoder; @@ -30,10 +8,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils; +import org.hibernate.annotations.common.util.StringHelper; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IModulInfo; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -79,13 +56,6 @@ public class OAuth20Protocol implements IModulInfo { */ public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action) throws MOAIDException { // validation is done inside creation - - if (!AuthConfigurationProvider.getInstance().getAllowedProtocols().isOAUTHActive()) { - Logger.info("OAuth is deaktivated!"); - throw new ProtocolNotActiveException("auth.22", new Object[] { NAME }); - - } - OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request); Logger.debug("Created: " + res); return res; @@ -98,10 +68,12 @@ public class OAuth20Protocol implements IModulInfo { * , javax.servlet.http.HttpServletResponse) */ public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) { - if (request.getParameter("action").equals(AUTH_ACTION)) { - return getAction(AUTH_ACTION); - } else if (request.getParameter("action").equals(TOKEN_ACTION)) { - return getAction(TOKEN_ACTION); + if (!StringUtils.isEmpty(request.getParameter("action"))) { + if (request.getParameter("action").equals(AUTH_ACTION)) { + return getAction(AUTH_ACTION); + } else if (request.getParameter("action").equals(TOKEN_ACTION)) { + return getAction(TOKEN_ACTION); + } } return null;// getAction(AUTH_ACTION); @@ -116,71 +88,95 @@ public class OAuth20Protocol implements IModulInfo { public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest) throws Throwable { - StringBuilder url = new StringBuilder(); - - String paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI); + // get error code and description + String errorCode; + String errorDescription; + // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11"; if (e instanceof OAuth20Exception) { - - String action = request.getParameter("action"); - - Logger.debug("Going to throw O OAuth20Exception for action: " + action); - OAuth20Exception oAuth20Exception = ((OAuth20Exception) e); - - String errorCode = oAuth20Exception.getErrorCode(); - String errorDescription = oAuth20Exception.getMessage(); - // String errorUri = "http://tools.ietf.org/html/draft-ietf-oauth-v2-11"; - - if (action.equals(AUTH_ACTION)) { + errorCode = ((OAuth20Exception) e).getErrorCode(); + errorDescription = URLEncoder.encode(((OAuth20Exception) e).getMessageId() + ": " + e.getMessage(), "UTF-8"); + } else { + errorCode = OAuth20Constants.ERROR_SERVER_ERROR; + errorDescription = URLEncoder.encode(e.getMessage(), "UTF-8"); + } + + String paramRedirect = null; + String state = null; + boolean isAuthRequest = false; + if (protocolRequest != null) { + if (protocolRequest instanceof OAuth20AuthRequest) { + isAuthRequest = true; - // check if given redirect url is ok - if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) { - url.append(paramRedirect); + paramRedirect = ((OAuth20AuthRequest) protocolRequest).getRedirectUri(); + state = ((OAuth20AuthRequest) protocolRequest).getState(); + } else { + isAuthRequest = false; + } + } else { + String action = request.getParameter("action"); + if (!StringHelper.isEmpty(action)) { + if (action.equals(AUTH_ACTION)) { - // otherwise throw an - } else { - throw new MOAIDException("oauth20.01", new Object[] {}); + paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI); + state = request.getParameter(OAuth20Constants.PARAM_STATE); + isAuthRequest = true; } + } else { + throw new MOAIDException("oauth20.01", new Object[] {}); + } + } + + // if (action.equals(AUTH_ACTION)) { + if (isAuthRequest) { + Logger.debug("Going to throw O OAuth20Exception for auth request"); + + StringBuilder url = new StringBuilder(); + + // check if given redirect url is ok + if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) { + url.append(paramRedirect); - String state = request.getParameter(OAuth20Constants.PARAM_STATE); - - OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode); - OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, - URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8")); - // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri); - OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state); - - response.setContentType("text/html"); - response.setStatus(HttpServletResponse.SC_FOUND); - response.addHeader("Location", url.toString()); - Logger.debug("REDIRECT TO: " + url.toString()); - return true; - - } else if (action.equals(TOKEN_ACTION)) { - Map params = new HashMap(); - params.put(OAuth20Constants.PARAM_ERROR, errorCode); - params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, - URLEncoder.encode(oAuth20Exception.getMessageId() + ": " + errorDescription, "UTF-8")); - // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri); - - // create response - JsonObject jsonObject = new JsonObject(); - OAuth20Util.addProperytiesToJsonObject(jsonObject, params); - String jsonResponse = jsonObject.toString(); - Logger.debug("JSON Response: " + jsonResponse); - - // write respone to http response - response.setContentType("application/json"); - response.setStatus(HttpServletResponse.SC_BAD_REQUEST); - response.getOutputStream().print(jsonResponse); - response.getOutputStream().close(); - - return true; + // otherwise throw an + } else { + throw new MOAIDException("oauth20.01", new Object[] {}); } + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); + // OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri); + OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state); + + response.setContentType("text/html"); + response.setStatus(HttpServletResponse.SC_FOUND); + response.addHeader("Location", url.toString()); + Logger.debug("REDIRECT TO: " + url.toString()); + return true; + + } else { + Logger.debug("Going to throw O OAuth20Exception for token request"); + + Map params = new HashMap(); + params.put(OAuth20Constants.PARAM_ERROR, errorCode); + params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription); + // params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri); + + // create response + JsonObject jsonObject = new JsonObject(); + OAuth20Util.addProperytiesToJsonObject(jsonObject, params); + String jsonResponse = jsonObject.toString(); + Logger.debug("JSON Response: " + jsonResponse); + + // write respone to http response + response.setContentType("application/json"); + response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + response.getOutputStream().print(jsonResponse); + response.getOutputStream().close(); + + return true; } - return false; + // return false; } diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java index 113a033a6..abfca4f36 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java @@ -1,25 +1,3 @@ -/******************************************************************************* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - *******************************************************************************/ package test.at.gv.egovernment.moa.id.auth.oauth; import java.io.IOException; @@ -50,11 +28,11 @@ public class OAuth20ErrorsTests { private static VerificationCodeReceiver receiver; // base uri - private static String OAUTH2_BASE_URI = "http://localhost:8080/moa-id-auth/dispatcher"; + private static String OAUTH2_BASE_URI = "https://localhost/moa-id-auth/"; // auth action - private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=AUTH"; + private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "oauth2/auth"; // token action - private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=TOKEN"; + private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "oauth2/token"; // client id private static String CLIENT_ID = "http://test"; -- cgit v1.2.3