Commit b32ec214 authored by Matija Obreza's avatar Matija Obreza

Upgrades for spring-security-oauth2 version 2+

- User confirmation screen for the new spring-security-oauth2
- OAuthManagement methods are fixed
parent cdc843a1
......@@ -50,6 +50,7 @@ public class CreateAdminListener extends RunAsAdminListener {
private void createDefaultAccounts() throws UserException, PasswordPolicyException {
createAdmin("SYSTEM", "SYSTEM", null, AccountType.SYSTEM);
// TODO read from props
createAdmin("admin@example.com", "First Admin", "Admin123!", AccountType.LOCAL);
}
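Review bot: `createAdmin("admin@example.com", "First Admin", "Admin123!", AccountType.LOCAL)` on the last line of createDefaultAccounts bakes a default administrator password into source, and the TODO directly above it already acknowledges that the value belongs in properties. A well-known default credential on an admin account is a direct account-takeover risk for every deployment that forgets to rotate it, so read the e-mail and password from configuration and skip creating the account when they are unset, or generate a random password and require a change on first login; in either case log only that the account was created, never the credential. Whether the listener also avoids recreating the account when it already exists cannot be seen from this hunk, as the enclosing class starts and ends outside it.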
......
......@@ -16,13 +16,21 @@
package org.genesys2.server.servlet.controller;
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.Approval;
import org.springframework.security.oauth2.provider.approval.ApprovalStore;
import org.springframework.security.oauth2.provider.approval.Approval.ApprovalStatus;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
......@@ -39,12 +47,25 @@ public class OAuthAccessConfirmationController extends BaseController {
@Autowired
protected ClientDetailsService clientDetailsService;
@Autowired
private ApprovalStore approvalStore;
@RequestMapping("/oauth/confirm_access")
public String getAccessConfirmation(ModelMap model) throws Exception {
public String getAccessConfirmation(final Map<String, Object> model, final Principal principal) throws Exception {
final AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest");
final ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
model.put("auth_request", clientAuth);
model.put("client", client);
final Map<String, String> scopes = new LinkedHashMap<String, String>();
for (final String scope : clientAuth.getScope()) {
scopes.put(OAuth2Utils.SCOPE_PREFIX + scope, "false");
}
for (final Approval approval : approvalStore.getApprovals(principal.getName(), client.getClientId())) {
if (clientAuth.getScope().contains(approval.getScope())) {
scopes.put(OAuth2Utils.SCOPE_PREFIX + approval.getScope(), approval.getStatus() == ApprovalStatus.APPROVED ? "true" : "false");
}
}
model.put("scopes", scopes);
return "/oauth/confirm";
}
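Review bot: `model.remove("authorizationRequest")` on the first line of the new body is cast and dereferenced with no null check, so a request that reaches /oauth/confirm_access outside the authorization flow (the attribute is only populated by the authorization endpoint) ends in a NullPointerException and a 500 instead of a clean OAuth2 error response. Add a guard before the client lookup, e.g. `if (clientAuth == null) { throw new OAuth2Exception("No authorization request to confirm"); }` — OAuth2Exception is already imported in this file. The same holds for `principal`, though presumably the endpoint sits behind authentication so that case is theoretical; a null check there would at least make the assumption explicit. The approval loop itself looks right: only scopes that are part of the current request are overridden, and previously denied approvals keep the "false" default.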
......
......@@ -29,8 +29,6 @@ import org.genesys.blocks.oauth.service.OAuthTokenStoreService;
import org.genesys2.server.servlet.controller.BaseController;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
......@@ -66,9 +64,9 @@ public class OAuthManagementController extends BaseController {
@RequestMapping("/{clientId}/removeall")
public String removeAllAccessTokens(@PathVariable("clientId") String clientId) {
final Collection<OAuth2AccessToken> tokens = tokenStoreService.findTokensByClientId(clientId);
for (final OAuth2AccessToken token : tokens) {
tokenStoreService.removeAccessToken(token);
final Collection<AccessToken> tokens = tokenStoreService.findAccessTokensByClientId(clientId);
for (final AccessToken token : tokens) {
tokenStoreService.removeAccessToken(token.getTokenId());
}
return "redirect:" + CONTROLLER_PATH + "/" + clientId + "/";
......@@ -126,8 +124,8 @@ public class OAuthManagementController extends BaseController {
@PreAuthorize("hasAnyRole('VETTEDUSER','ADMINISTRATOR')")
@RequestMapping("/{id}/edit")
public String editClient(Model model, @PathVariable("id") String clientId) {
final ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
model.addAttribute("clientDetails", clientDetails);
final OAuthClient client = clientDetailsService.getClient(clientId);
model.addAttribute("clientDetails", client);
return VIEW_PATH + "/edit";
}
......@@ -145,14 +143,15 @@ public class OAuthManagementController extends BaseController {
@PreAuthorize("hasAnyRole('VETTEDUSER','ADMINISTRATOR')")
@RequestMapping(value = "/save-client", method = RequestMethod.POST, params = { "id", "action-delete" })
public String deleteClient(Model model, @RequestParam("id") String clientId) {
ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
OAuthClient clientDetails = clientDetailsService.getClient(clientId);
_logger.info("Deleting client " + clientDetails.getClientId());
clientDetailsService.removeClient(clientDetails);
return "redirect:" + CONTROLLER_PATH + "/";
}
@RequestMapping(value = "/save-client", method = RequestMethod.POST, params = { "id", "version", "action-save" })
public String saveExistinClient(Model model, @RequestBody @JsonView(JsonViews.Protected.class) OAuthClient updates, @RequestParam("id") long id, @RequestParam("version") int version) {
public String saveExistinClient(Model model, @RequestBody @JsonView(JsonViews.Protected.class) OAuthClient updates, @RequestParam("id") long id,
@RequestParam("version") int version) {
final OAuthClient clientDetails = clientDetailsService.updateClient(id, version, updates);
......@@ -162,7 +161,7 @@ public class OAuthManagementController extends BaseController {
@PreAuthorize("hasRole('ADMINISTRATOR')")
@RequestMapping(value = "/{clientId}", method = RequestMethod.GET)
public String clientDetailsInfo(Model model, @PathVariable("clientId") String clientId) {
final ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
final OAuthClient clientDetails = clientDetailsService.getClient(clientId);
final Collection<AccessToken> tokensByClientId = tokenStoreService.findAccessTokensByClientId(clientId);
final Collection<RefreshToken> refreshTokensByClientId = tokenStoreService.findRefreshTokensByClientId(clientId);
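Review bot: `clientDetailsService.getClient(clientId)` in deleteClient is dereferenced on the very next line (`clientDetails.getClientId()`) with no null check; if getClient returns null for an unknown id — unlike the replaced loadClientByClientId, which is specified to throw ClientRegistrationException — a stale or crafted id becomes a NullPointerException, and editClient and clientDetailsInfo would render their views with a null clientDetails attribute. I cannot see getClient's contract from here, so either document that it throws for unknown ids, or guard each call, e.g. `if (clientDetails == null) { throw new IllegalArgumentException("Unknown OAuth client: " + clientId); }` (or map it to a 404). Separately, removeAllAccessTokens in the first code hunk carries no visible @PreAuthorize, unlike the other handlers, and revokes every access token of a client on a plain GET; if no annotation sits above the hunk or on the class, any authenticated user can revoke tokens for any client, and a state change on GET also sidesteps the CSRF token that protects the POST forms — restrict it and move it to POST. The enclosing class continues outside these hunks.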
......
......@@ -565,15 +565,23 @@ blurp.blurp-title=Blurp title
blurp.blurp-body=Blurp contents
blurp.update-blurp=Save blurp
oauth2.deny-access=Deny access
oauth2.grant-selected-scopes=Grant access to selected scopes
oauth2.confirm-request=Confirm access
oauth2.confirm-client=You, <b>{0}</b>, hereby authorize <b>{1}</b> to access your protected resources.
oauth2.button-approve=Yes, allow access
oauth2.button-deny=No, deny access
oauth2.authorization-code=Authorization code
oauth2.authorization-code-instructions=Copy this authorization code:
# Scope
oauth.allow-access=Allow access
oauth.deny-access=Deny access
oauth.scope.read=Read
oauth.scope.write=Write
oauth.scope.accession=Manage accession data
oauth2.access-denied=Access denied
oauth2.access-denied-text=You have denied access to your resources.
......
......@@ -31,22 +31,60 @@
</c:if>
<div class="row">
<div class="col-sm-2">
<div class="col-sm-4 col-xs-12">
<h3><spring:message code="oauth2.deny-access" /></h3>
<form action="<c:url value="/oauth/authorize" />" method="post">
<input name="user_oauth_approval" value="true" type="hidden" /> <label><input class="btn btn-primary"
name="authorize" value="<spring:message code="oauth2.button-approve" />" type="submit"
/></label>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
<input name="user_oauth_approval" value="false" type="hidden" />
<label><input
class="btn btn-default" name="deny" value="<spring:message code="oauth2.button-deny" />" type="submit"
/></label>
</form>
</div>
<div class="col-sm-2">
<div class="col-sm-8 col-xs-12">
<h3><spring:message code="oauth2.grant-selected-scopes" /></h3>
<form action="<c:url value="/oauth/authorize" />" method="post">
<input name="user_oauth_approval" value="false" type="hidden" /> <label><input
class="btn btn-default" name="deny" value="<spring:message code="oauth2.button-deny" />" type="submit"
/></label>
<!-- CSRF protection -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
<input name="user_oauth_approval" value="true" type="hidden" />
<c:forEach items="${scopes}" var="scope">
<div class="row">
<c:set var="approved">
<c:if test="${scope.value}">
checked</c:if>
</c:set>
<c:set var="denied">
<c:if test="${!scope.value}">
checked</c:if>
</c:set>
<div class="col-xs-12 col-sm-4">
<div class="form-control-static">
<spring:message code="oauth.${scope.key}" />
</div>
</div>
<div class="col-xs-6 col-sm-4">
<div class="radio">
<label>
<input type="radio" name="${scope.key}" value="true" ${approved} />
<spring:message code="oauth.allow-access" />
</label>
</div>
</div>
<div class="col-xs-6 col-sm-4">
<div class="radio">
<label>
<input type="radio" name="${scope.key}" value="false" ${denied} />
<spring:message code="oauth.deny-access" />
</label>
</div>
</div>
</div>
</c:forEach>
<label><input class="btn btn-primary"
name="authorize" value="<spring:message code="oauth2.button-approve" />" type="submit"
/></label>
</form>
</div>
</div>
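Review bot: `${scope.key}` is written straight into the `name` attribute of both radio inputs and into `<spring:message code="oauth.${scope.key}" />`; plain EL in JSP is not HTML-escaped, and the scope names ultimately originate from the `scope` parameter of the authorization request (the controller prefixes whatever `clientAuth.getScope()` contains). If upstream validation ever lets a scope through that is not one of the client's registered scopes, this is reflected markup inside an authenticated page, so emit the value through `<c:out>`, e.g. `name="<c:out value='${scope.key}'/>"`, which needs no new taglib since `c` is already in use here. Also, `spring:message` throws when no message is defined for `oauth.<scope>` (the properties hunk only defines read, write and accession), so a client registered with any other scope breaks the confirmation page; add a `text="${scope.key}"` fallback and, because that fallback is the same untrusted value, keep `htmlEscape="true"` on the tag. The deny form correctly carries the CSRF token and posts `user_oauth_approval=false`, so nothing to change there.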
......