SECOAUTH-160: allow multiple response types (but don't process them yet)

Author: Dave Syer

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java

@@ -36,6 +36,7 @@
  * @param <I>
  * @param <E>
  */
+@SuppressWarnings("restriction")
 abstract class AbstractJaxbMessageConverter<I, E> extends AbstractXmlHttpMessageConverter<E> {
 
 private final Class<I> internalClass;

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessToken.java

@@ -18,6 +18,7 @@
 import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlTransient;
 
+@SuppressWarnings("restriction")
 @XmlRootElement(name = "oauth")
 class JaxbOAuth2AccessToken {
 private String accessToken;

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2Exception.java

@@ -17,6 +17,7 @@
 import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;
 
+@SuppressWarnings("restriction")
 @XmlRootElement(name = "oauth")
 @XmlAccessorOrder(XmlAccessOrder.ALPHABETICAL)
 class JaxbOAuth2Exception {

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java

@@ -14,8 +14,10 @@
 package org.springframework.security.oauth2.provider.endpoint;
 
 import java.security.Principal;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
@@ -40,12 +42,14 @@
 import org.springframework.security.oauth2.provider.code.UserApprovalHandler;
 import org.springframework.stereotype.Controller;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.SessionAttributes;
 import org.springframework.web.bind.support.SessionStatus;
+import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.View;
 import org.springframework.web.servlet.view.RedirectView;
 
@@ -55,6 +59,7 @@
  */
 @Controller
 @SessionAttributes(types = UnconfirmedAuthorizationCodeClientToken.class)
+@RequestMapping(value = "/oauth/authorize")
 public class AuthorizationEndpoint extends AbstractEndpoint implements InitializingBean {
 
 public static final String USER_OAUTH_APPROVAL = "user_oauth_approval";
@@ -77,7 +82,8 @@ public void afterPropertiesSet() throws Exception {
 }
 
 @ModelAttribute
-public UnconfirmedAuthorizationCodeClientToken getClientToken(@RequestParam(value = "client_id", required = false) String clientId,
+public UnconfirmedAuthorizationCodeClientToken getClientToken(
+@RequestParam(value = "client_id", required = false) String clientId,
 @RequestParam(value = "redirect_uri", required = false) String redirectUri,
 @RequestParam(value = "state", required = false) String state,
 @RequestParam(value = "scope", required = false) String scopes) {
@@ -89,9 +95,11 @@ public UnconfirmedAuthorizationCodeClientToken getClientToken(@RequestParam(valu
 }
 
 // if the "response_type" is "code", we can process this request.
-@RequestMapping(value = "/oauth/authorize", params = "response_type=code", method = RequestMethod.GET)
-public String startAuthorization(Map<String, Object> model, @RequestParam Map<String, String> parameters,
-UnconfirmedAuthorizationCodeClientToken authToken, SessionStatus sessionStatus, Principal principal) {
+@RequestMapping(params="response_type")
+public ModelAndView authorize(Map<String, Object> model, @RequestParam("response_type") String responseType,
+@RequestParam Map<String, String> parameters,
+@ModelAttribute UnconfirmedAuthorizationCodeClientToken authToken, SessionStatus sessionStatus,
+Principal principal) {
 
 if (authToken.getClientId() == null) {
 sessionStatus.setComplete();
@@ -104,6 +112,24 @@ public String startAuthorization(Map<String, Object> model, @RequestParam Map<St
 "User must be authenticated with Spring Security before forwarding to user approval page.");
 }
 
+Set<String> responseTypes = new HashSet<String>(Arrays.asList(StringUtils.delimitedListToStringArray(
+responseType, " ")));
+
+if (responseTypes.contains("code")) {
+return new ModelAndView(startAuthorization(model, parameters), model);
+}
+
+if (responseTypes.contains("token")) {
+return new ModelAndView(implicitAuthorization(authToken, sessionStatus));
+}
+
+throw new UnsupportedResponseTypeException("Unsupported response type: " + responseType);
+
+}
+
+// if the "response_type" is "code", we can process this request.
+private String startAuthorization(Map<String, Object> model, Map<String, String> parameters) {
+
 logger.debug("Loading user approval page: " + userApprovalPage);
 // In case of a redirect we might want the request parameters to be included
 model.putAll(parameters);
@@ -112,23 +138,7 @@ public String startAuthorization(Map<String, Object> model, @RequestParam Map<St
 }
 
 // if the "response_type" is "token", we can process this request.
-@RequestMapping(value = "/oauth/authorize", params = "response_type=token")
-public View implicitAuthorization(UnconfirmedAuthorizationCodeClientToken authToken, SessionStatus sessionStatus,
-Principal principal) {
-
-if (authToken.getClientId() == null) {
-sessionStatus.setComplete();
-throw new InvalidClientException("A client_id must be supplied.");
-}
-else {
-authToken.setDenied(false);
-}
-
-if (!(principal instanceof Authentication)) {
-sessionStatus.setComplete();
-throw new InsufficientAuthenticationException(
-"User must be authenticated with Spring Security before implicitly granting an access token.");
-}
+private View implicitAuthorization(UnconfirmedAuthorizationCodeClientToken authToken, SessionStatus sessionStatus) {
 
 try {
 String requestedRedirect = redirectResolver.resolveRedirect(authToken.getRequestedRedirect(),
@@ -147,14 +157,10 @@ Collections.<String, String> emptyMap(), authToken.getClientId(), authToken.getC
 
 }
 
-@RequestMapping(value = "/oauth/authorize", method = RequestMethod.GET)
-public String rejectAuthorization(@RequestParam("response_type") String responseType) {
-throw new UnsupportedResponseTypeException("Unsupported response type: " + responseType);
-}
-
-@RequestMapping(value = "/oauth/authorize", method = RequestMethod.POST)
+@RequestMapping(method = RequestMethod.POST)
 public View approveOrDeny(@RequestParam(USER_OAUTH_APPROVAL) boolean approved,
-UnconfirmedAuthorizationCodeClientToken authToken, SessionStatus sessionStatus, Principal principal) {
+@ModelAttribute UnconfirmedAuthorizationCodeClientToken authToken, SessionStatus sessionStatus,
+Principal principal) {
 
 if (authToken.getClientId() == null) {
 sessionStatus.setComplete();

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/filter/ClientCredentialsTokenEndpointFilter.java

@@ -22,14 +22,13 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.oauth2.web.authentication.OAuth2AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 
 /**
  * A filter and authentication endpoint for the OAuth2 Token Endpoint. Allows clients to authenticate using request
  * parameters if included as a security filter, as permitted by the specification (but not recommended). It is
- * recommended by the specification that you permit HTTP basic authentication for cllients, and not use this filter at
+ * recommended by the specification that you permit HTTP basic authentication for clients, and not use this filter at
  * all.
  * 
  * @author Dave Syer

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/web/authentication/OAuth2AuthenticationFailureHandler.java renamed to spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/filter/OAuth2AuthenticationFailureHandler.java

@@ -10,7 +10,7 @@
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
  */
-package org.springframework.security.oauth2.web.authentication;
+package org.springframework.security.oauth2.provider.filter;
 
 import java.io.IOException;
 

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RandomValueTokenServices.java

@@ -38,6 +38,8 @@
  * Persistence is delegated to a {@code TokenStore} implementation.
  * 
  * @author Ryan Heaton
+ * @author Luke Taylor
+ * @author Dave Syer
  */
 public class RandomValueTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices,
 InitializingBean {
@@ -97,7 +99,9 @@ else if (isExpired(refreshToken)) {
 refreshToken = createRefreshToken(authentication);
 }
 
-return createAccessToken(authentication, refreshToken);
+OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
+tokenStore.storeAccessToken(accessToken, authentication);
+return accessToken;
 }
 
 /**

spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TestAuthorizationEndpoint.java

@@ -0,0 +1,116 @@
+/*
+ * Copyright 2006-2011 the original author or authors.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.oauth2.provider.endpoint;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.junit.Test;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.BaseClientDetails;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.TokenGranter;
+import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
+import org.springframework.security.oauth2.provider.code.UnconfirmedAuthorizationCodeClientToken;
+import org.springframework.web.bind.support.SimpleSessionStatus;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.View;
+import org.springframework.web.servlet.view.RedirectView;
+
+/**
+ * @author Dave Syer
+ * 
+ */
+public class TestAuthorizationEndpoint {
+
+private AuthorizationEndpoint endpoint = new AuthorizationEndpoint();
+
+private HashMap<String, Object> model = new HashMap<String, Object>();
+
+private HashMap<String, String> parameters = new HashMap<String, String>();
+
+private SimpleSessionStatus sessionStatus = new SimpleSessionStatus();
+
+private UsernamePasswordAuthenticationToken principal = new UsernamePasswordAuthenticationToken("foo", "bar",
+Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")));
+
+@Test(expected = IllegalStateException.class)
+public void testMandatoryProperties() throws Exception {
+endpoint.afterPropertiesSet();
+}
+
+@Test
+public void testGetClientToken() {
+UnconfirmedAuthorizationCodeClientToken clientToken = endpoint.getClientToken("foo", "http://anywhere.com",
+"bar", "baz");
+assertEquals("bar", clientToken.getState());
+assertEquals("foo", clientToken.getClientId());
+assertEquals("http://anywhere.com", clientToken.getRequestedRedirect());
+assertEquals("[baz]", clientToken.getScope().toString());
+}
+
+@Test
+public void testAuthorizationCode() {
+ModelAndView result = endpoint.authorize(model, "code", parameters,
+endpoint.getClientToken("foo", null, null, null), sessionStatus, principal);
+assertEquals("forward:/oauth/confirm_access", result.getViewName());
+}
+
+@Test
+public void testAuthorizationCodeWithMultipleResponseTypes() {
+ModelAndView result = endpoint.authorize(model, "code other", parameters,
+endpoint.getClientToken("foo", null, null, null), sessionStatus, principal);
+assertEquals("forward:/oauth/confirm_access", result.getViewName());
+}
+
+@Test
+public void testImplicit() {
+endpoint.setTokenGranter(new TokenGranter() {
+public OAuth2AccessToken grant(String grantType, Map<String, String> parameters, String clientId,
+String clientSecret, Set<String> scope) {
+return null;
+}
+});
+endpoint.setClientDetailsService(new ClientDetailsService() {
+public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exception {
+return new BaseClientDetails();
+}
+});
+ModelAndView result = endpoint.authorize(model, "token", parameters,
+endpoint.getClientToken("foo", "http://anywhere.com", null, null), sessionStatus, principal);
+assertTrue("Wrong view: " + result, ((RedirectView) result.getView()).getUrl()
+.startsWith("http://anywhere.com"));
+}
+
+@Test
+public void testApproveOrDeny() {
+endpoint.setClientDetailsService(new ClientDetailsService() {
+public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exception {
+return new BaseClientDetails();
+}
+});
+endpoint.setAuthorizationCodeServices(new InMemoryAuthorizationCodeServices());
+View result = endpoint.approveOrDeny(true, endpoint.getClientToken("foo", "http://anywhere.com", null, null),
+sessionStatus, principal);
+assertTrue("Wrong view: " + result, ((RedirectView) result).getUrl().startsWith("http://anywhere.com"));
+}
+}

spring-security-oauth2/src/test/java/org/springframework/security/oauth2/web/authentication/TestOAuth2AuthenticationFailureHandler.java renamed to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/filter/TestOAuth2AuthenticationFailureHandler.java

@@ -10,7 +10,7 @@
  * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations under the License.
  */
-package org.springframework.security.oauth2.web.authentication;
+package org.springframework.security.oauth2.provider.filter;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertSame;
@@ -32,6 +32,7 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.provider.filter.OAuth2AuthenticationFailureHandler;
 import org.springframework.security.oauth2.provider.web.OAuth2ExceptionRenderer;
 import org.springframework.web.context.request.ServletWebRequest;