Upgrades for spring-security-oauth2 version 2+

- User confirmation screen for the new spring-security-oauth2 - OAuthManagement methods are fixed

Upgrades for spring-security-oauth2 version 2+
- User confirmation screen for the new spring-security-oauth2 - OAuthManagement methods are fixed
b32ec214 · Matija Obreza · cdc843a1 · b32ec214 · b32ec214 · b32ec214
Commit b32ec214 authored Oct 05, 2017 by Matija Obreza
5 changed files
--- a/src/main/java/org/genesys2/server/listener/sample/CreateAdminListener.java
+++ b/src/main/java/org/genesys2/server/listener/sample/CreateAdminListener.java
@@ -50,6 +50,7 @@ public class CreateAdminListener extends RunAsAdminListener {

 	private void createDefaultAccounts() throws UserException, PasswordPolicyException {
 		createAdmin("SYSTEM", "SYSTEM", null, AccountType.SYSTEM);
+		// TODO read from props
 		createAdmin("admin@example.com", "First Admin", "Admin123!", AccountType.LOCAL);
 	}


--- a/src/main/java/org/genesys2/server/servlet/controller/OAuthAccessConfirmationController.java
+++ b/src/main/java/org/genesys2/server/servlet/controller/OAuthAccessConfirmationController.java
@@ -16,13 +16,21 @@

 package org.genesys2.server.servlet.controller;

+import java.security.Principal;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
 import javax.servlet.http.HttpServletRequest;

 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.approval.Approval;
+import org.springframework.security.oauth2.provider.approval.ApprovalStore;
+import org.springframework.security.oauth2.provider.approval.Approval.ApprovalStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -39,12 +47,25 @@ public class OAuthAccessConfirmationController extends BaseController {
 	@Autowired
 	protected ClientDetailsService clientDetailsService;

+	@Autowired
+	private ApprovalStore approvalStore;
+
 	@RequestMapping("/oauth/confirm_access")
-	public String getAccessConfirmation(ModelMap model) throws Exception {
+	public String getAccessConfirmation(final Map<String, Object> model, final Principal principal) throws Exception {
 		final AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest");
 		final ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
 		model.put("auth_request", clientAuth);
 		model.put("client", client);
+		final Map<String, String> scopes = new LinkedHashMap<String, String>();
+		for (final String scope : clientAuth.getScope()) {
+			scopes.put(OAuth2Utils.SCOPE_PREFIX + scope, "false");
+		}
+		for (final Approval approval : approvalStore.getApprovals(principal.getName(), client.getClientId())) {
+			if (clientAuth.getScope().contains(approval.getScope())) {
+				scopes.put(OAuth2Utils.SCOPE_PREFIX + approval.getScope(), approval.getStatus() == ApprovalStatus.APPROVED ? "true" : "false");
+			}
+		}
+		model.put("scopes", scopes);
 		return "/oauth/confirm";
 	}


--- a/src/main/java/org/genesys2/server/servlet/controller/admin/OAuthManagementController.java
+++ b/src/main/java/org/genesys2/server/servlet/controller/admin/OAuthManagementController.java
@@ -29,8 +29,6 @@ import org.genesys.blocks.oauth.service.OAuthTokenStoreService;
 import org.genesys2.server.servlet.controller.BaseController;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
-import org.springframework.security.oauth2.common.OAuth2AccessToken;
-import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -66,9 +64,9 @@ public class OAuthManagementController extends BaseController {
 	@RequestMapping("/{clientId}/removeall")
 	public String removeAllAccessTokens(@PathVariable("clientId") String clientId) {

-		final Collection<OAuth2AccessToken> tokens = tokenStoreService.findTokensByClientId(clientId);
-		for (final OAuth2AccessToken token : tokens) {
-			tokenStoreService.removeAccessToken(token);
+		final Collection<AccessToken> tokens = tokenStoreService.findAccessTokensByClientId(clientId);
+		for (final AccessToken token : tokens) {
+			tokenStoreService.removeAccessToken(token.getTokenId());
 		}

 		return "redirect:" + CONTROLLER_PATH + "/" + clientId + "/";
@@ -126,8 +124,8 @@ public class OAuthManagementController extends BaseController {
 	@PreAuthorize("hasAnyRole('VETTEDUSER','ADMINISTRATOR')")
 	@RequestMapping("/{id}/edit")
 	public String editClient(Model model, @PathVariable("id") String clientId) {
-		final ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
-		model.addAttribute("clientDetails", clientDetails);
+		final OAuthClient client = clientDetailsService.getClient(clientId);
+		model.addAttribute("clientDetails", client);
 		return VIEW_PATH + "/edit";
 	}

@@ -145,14 +143,15 @@ public class OAuthManagementController extends BaseController {
 	@PreAuthorize("hasAnyRole('VETTEDUSER','ADMINISTRATOR')")
 	@RequestMapping(value = "/save-client", method = RequestMethod.POST, params = { "id", "action-delete" })
 	public String deleteClient(Model model, @RequestParam("id") String clientId) {
-		ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
+		OAuthClient clientDetails = clientDetailsService.getClient(clientId);
 		_logger.info("Deleting client " + clientDetails.getClientId());
 		clientDetailsService.removeClient(clientDetails);
 		return "redirect:" + CONTROLLER_PATH + "/";
 	}

 	@RequestMapping(value = "/save-client", method = RequestMethod.POST, params = { "id", "version", "action-save" })
-	public String saveExistinClient(Model model, @RequestBody @JsonView(JsonViews.Protected.class) OAuthClient updates, @RequestParam("id") long id, @RequestParam("version") int version) {
+	public String saveExistinClient(Model model, @RequestBody @JsonView(JsonViews.Protected.class) OAuthClient updates, @RequestParam("id") long id,
+			@RequestParam("version") int version) {

 		final OAuthClient clientDetails = clientDetailsService.updateClient(id, version, updates);

@@ -162,7 +161,7 @@ public class OAuthManagementController extends BaseController {
 	@PreAuthorize("hasRole('ADMINISTRATOR')")
 	@RequestMapping(value = "/{clientId}", method = RequestMethod.GET)
 	public String clientDetailsInfo(Model model, @PathVariable("clientId") String clientId) {
-		final ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
+		final OAuthClient clientDetails = clientDetailsService.getClient(clientId);
 		final Collection<AccessToken> tokensByClientId = tokenStoreService.findAccessTokensByClientId(clientId);
 		final Collection<RefreshToken> refreshTokensByClientId = tokenStoreService.findRefreshTokensByClientId(clientId);


--- a/src/main/resources/content/language.properties
+++ b/src/main/resources/content/language.properties
@@ -565,15 +565,23 @@ blurp.blurp-title=Blurp title
 blurp.blurp-body=Blurp contents
 blurp.update-blurp=Save blurp

+oauth2.deny-access=Deny access
+oauth2.grant-selected-scopes=Grant access to selected scopes

 oauth2.confirm-request=Confirm access
 oauth2.confirm-client=You, <b>{0}</b>, hereby authorize <b>{1}</b> to access your protected resources.
 oauth2.button-approve=Yes, allow access
 oauth2.button-deny=No, deny access
-
 oauth2.authorization-code=Authorization code
 oauth2.authorization-code-instructions=Copy this authorization code: 

+# Scope
+oauth.allow-access=Allow access
+oauth.deny-access=Deny access
+oauth.scope.read=Read
+oauth.scope.write=Write
+oauth.scope.accession=Manage accession data
+
 oauth2.access-denied=Access denied
 oauth2.access-denied-text=You have denied access to your resources.


--- a/src/main/webapp/WEB-INF/jsp/oauth/confirm.jsp
+++ b/src/main/webapp/WEB-INF/jsp/oauth/confirm.jsp
@@ -31,22 +31,60 @@
    </c:if>

    <div class="row">
-      <div class="col-sm-2">
+      <div class="col-sm-4 col-xs-12">
+        <h3><spring:message code="oauth2.deny-access" /></h3>
        <form action="<c:url value="/oauth/authorize" />" method="post">
-          <input name="user_oauth_approval" value="true" type="hidden" /> <label><input class="btn btn-primary"
-            name="authorize" value="<spring:message code="oauth2.button-approve" />" type="submit"
-          /></label>
          <!-- CSRF protection -->
          <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+          <input name="user_oauth_approval" value="false" type="hidden" />
+          <label><input
+            class="btn btn-default" name="deny" value="<spring:message code="oauth2.button-deny" />" type="submit"
+          /></label>
        </form>
      </div>
-      <div class="col-sm-2">
+
+      <div class="col-sm-8 col-xs-12">
+        <h3><spring:message code="oauth2.grant-selected-scopes" /></h3>
        <form action="<c:url value="/oauth/authorize" />" method="post">
-          <input name="user_oauth_approval" value="false" type="hidden" /> <label><input
-            class="btn btn-default" name="deny" value="<spring:message code="oauth2.button-deny" />" type="submit"
-          /></label>
          <!-- CSRF protection -->
          <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
+          <input name="user_oauth_approval" value="true" type="hidden" />
+          <c:forEach items="${scopes}" var="scope">
+    				<div class="row">
+    					<c:set var="approved">
+    						<c:if test="${scope.value}">
+    									checked</c:if>
+    					</c:set>
+    					<c:set var="denied">
+    						<c:if test="${!scope.value}">
+    									checked</c:if>
+    					</c:set>
+    					<div class="col-xs-12 col-sm-4">
+    						<div class="form-control-static">
+    							<spring:message code="oauth.${scope.key}" />
+    						</div>
+    					</div>
+    					<div class="col-xs-6 col-sm-4">
+    						<div class="radio">
+    							<label>
+    								<input type="radio" name="${scope.key}" value="true" ${approved} />
+    								<spring:message code="oauth.allow-access" />
+    							</label>
+    						</div>
+    					</div>
+    					<div class="col-xs-6 col-sm-4">
+    						<div class="radio">
+    							<label>
+    								<input type="radio" name="${scope.key}" value="false" ${denied} />
+    								<spring:message code="oauth.deny-access" />
+    							</label>
+    						</div>
+    					</div>
+    				</div>
+    			</c:forEach>
+          <label><input class="btn btn-primary"
+            name="authorize" value="<spring:message code="oauth2.button-approve" />" type="submit"
+          /></label>
        </form>
      </div>
    </div>