backported error handler from 1.2, closes remote execution exploit

Author: jricher

openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml

@@ -155,6 +155,8 @@
 
 <import resource="authz-config.xml" />
 
+<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
+
 <bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
 <property name="authenticationManager" ref="clientAuthenticationManager" />
 <property name="filterProcessesUrl" value="/token"/>

openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml

@@ -38,7 +38,8 @@
 request-validator-ref="oauthRequestValidator"
 redirect-resolver-ref="blacklistAwareRedirectResolver"
 authorization-endpoint-url="/authorize" 
-token-endpoint-url="/token">
+token-endpoint-url="/token"
+error-page="/error">
 
 <oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
 <oauth:implicit />

openid-connect-server-webapp/src/main/webapp/WEB-INF/views/error.jsp

@@ -0,0 +1,45 @@
+<%@page import="org.springframework.http.HttpStatus"%>
+<%@page import="org.springframework.security.oauth2.common.exceptions.OAuth2Exception"%>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags"%>
+<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
+<% 
+
+if (request.getAttribute("error") != null && request.getAttribute("error") instanceof OAuth2Exception) {
+request.setAttribute("errorCode", ((OAuth2Exception)request.getAttribute("error")).getOAuth2ErrorCode());
+request.setAttribute("message", ((OAuth2Exception)request.getAttribute("error")).getMessage());
+} else if (request.getAttribute("javax.servlet.error.exception") != null) {
+Throwable t = (Throwable)request.getAttribute("javax.servlet.error.exception");
+request.setAttribute("errorCode", t.getClass().getSimpleName() + " (" + request.getAttribute("javax.servlet.error.status_code") + ")");
+request.setAttribute("message", t.getMessage());
+} else if (request.getAttribute("javax.servlet.error.status_code") != null) {
+Integer code = (Integer)request.getAttribute("javax.servlet.error.status_code");
+HttpStatus status = HttpStatus.valueOf(code);
+request.setAttribute("errorCode", status.toString() + " " + status.getReasonPhrase());
+request.setAttribute("message", request.getAttribute("javax.servlet.error.message"));
+} else {
+request.setAttribute("errorCode", "Server error");
+request.setAttribute("message", "See the logs for details");
+}
+
+%>
+<o:header title="Error" />
+<div class="container-fluid main">
+<div class="row-fluid">
+<div class="offset1 span10">
+<div class="hero-unit">
+<h1><span>Error:</span>
+<span class="text-error"><c:out value="${ errorCode }" /></span>
+</h1>
+<p>
+There was an error processing your request. The server's message was:
+<blockquote class="text-error"><b><c:out value="${ message }" /></b></blockquote>
+ </p>
+
+</div>
+
+</div>
+</div>
+</div>
+<o:footer />

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuth2ExceptionHandler.java

@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.oauth2.web;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+
+/**
+ * Controller helper that handles OAuth2 exceptions and propagates them as JSON errors.
+ * 
+ * @author jricher
+ *
+ */
+@ControllerAdvice
+public class OAuth2ExceptionHandler {
+private static final Logger logger = LoggerFactory.getLogger(OAuth2ExceptionHandler.class);
+
+@Autowired
+private WebResponseExceptionTranslator providerExceptionHandler;
+
+@ExceptionHandler(OAuth2Exception.class)
+public ResponseEntity<OAuth2Exception> handleException(Exception e) throws Exception {
+logger.info("Handling error: " + e.getClass().getSimpleName() + ", " + e.getMessage());
+return providerExceptionHandler.translate(e);
+}
+
+}

openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java

@@ -90,11 +90,12 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 }
 
 // we have to create our own auth request in order to get at all the parmeters appropriately
-AuthorizationRequest authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
+AuthorizationRequest authRequest = null;
 
 ClientDetailsEntity client = null;
 
 try {
+authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
 client = clientService.loadClientByClientId(authRequest.getClientId());
 } catch (InvalidClientException e) {
 // no need to worry about this here, it would be caught elsewhere