
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.surfnet.oaaas.auth;

import java.io.IOException;
import java.util.Arrays;

import javax.annotation.Resource;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.surfnet.oaaas.model.AuthorizationRequest;
import org.surfnet.oaaas.model.Client;
import org.surfnet.oaaas.repository.AuthorizationRequestRepository;

/**
 * Responsible for handling user consent.
 * 
 */
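public abstract class AbstractUserConsentHandler extends AbstractFilter {

    /**
     * Name of the request attribute that carries the scopes the user granted
     * consent for. Set by concrete userConsentHandlers (see
     * {@link #setGrantedScopes(ServletRequest, String[])}) and consumed by the
     * authorization endpoint.
     */
    public static final String GRANTED_SCOPES = "GRANTED_SCOPES";

    /**
     * Name of the request attribute under which the {@link Client} asking for
     * consent is made available when control is returned to the implementor.
     */
    public static final String CLIENT = "CLIENT";

    /**
     * Returns the {@link Client} from the request context to use in handling user
     * consent.
     *
     * @param request
     *          the {@link ServletRequest}
     * @return the Client which is asking for consent, or {@code null} when the
     *         {@link #CLIENT} attribute is not present on the request
     * @throws ClassCastException
     *           if the attribute holds a value that is not a {@link Client}
     */
    public final Client getClient(ServletRequest request) {
        // The value is read from a request attribute (server-side state, not a
        // request parameter); it is presumably placed there by an earlier filter in
        // the chain — TODO confirm against the caller that sets CLIENT.
        return (Client) request.getAttribute(CLIENT);
    }

    /**
     * Gathers the auth state, return URI and client from the request and hands
     * them to {@link #handleUserConsent}. The request/response are narrowed to
     * their HTTP variants; a non-HTTP servlet container would fail the cast.
     *
     * @throws IOException
     *           propagated from the concrete handler
     * @throws ServletException
     *           propagated from the concrete handler
     */
    @Override
    public final void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        handleUserConsent((HttpServletRequest) request, (HttpServletResponse) response, chain,
                getAuthStateValue(request), getReturnUri(request), getClient(request));
    }

    /**
     * Implement this method to obtain the user's consent. Use
     * {@link org.surfnet.oaaas.simple.FormUserConsentHandler
     * FormUserConsentHandler} as an example.
     *
     * In general, the contract is:
     * <p>
     * assert that the user has granted consent. You can use the request and
     * response for this. When consent has not yet been granted:
     * </p>
     * <ul>
     * <li>use {@link #getAuthStateValue(javax.servlet.ServletRequest)} to
     * pass around for user agent communication</li>
     * <li>use {@link #getReturnUri(javax.servlet.ServletRequest)} if you need to
     * step out and return to the current location</li>
     * <li>use {@link #getClient(javax.servlet.ServletRequest)} for accessing the
     * {@link Client} data</li>
     * </ul>
     * <p>
     * When consent is granted:
     * </p>
     * <ul>
     * <li>set the authState attribute, by calling
     * {@link #setAuthStateValue(javax.servlet.ServletRequest, String)}</li>
     * <li>set the scopes (optional) the user has given consent for, by calling
     * {@link #setGrantedScopes(ServletRequest, String[])}</li>
     * <li>call chain.doFilter(request, response) to let the flow continue</li>
     * </ul>
     *
     * @param request
     *          the ServletRequest
     * @param response
     *          the ServletResponse
     * @param chain
     *          the original http servlet filter chain
     * @param authStateValue
     *          the authState nonce to set back on the {@link ServletRequest} when
     *          done
     * @param returnUri
     *          the start point of the chain if you want to return from a form or
     *          other (external) component
     * @param client
     *          the Client wishing to obtain an access token
     * @throws IOException
     *           on I/O failure while communicating with the user agent
     * @throws ServletException
     *           on servlet-level failure
     */
    public abstract void handleUserConsent(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, String authStateValue, String returnUri, Client client)
            throws IOException, ServletException;

    /**
     * Sets the granted scopes of the consent on the request. Note: this is
     * optional.
     *
     * @param request
     *          the original ServletRequest
     * @param scopes
     *          the scopes the user consented to; {@code null} is stored as-is
     */
    protected final void setGrantedScopes(ServletRequest request, String[] scopes) {
        // Store a copy so that later modification of the caller's array cannot
        // change the scopes the authorization endpoint reads back from the request.
        request.setAttribute(GRANTED_SCOPES, scopes == null ? null : scopes.clone());
    }

    /**
     * No-op; this handler needs no filter configuration. Subclasses may override.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * No-op; this handler holds no resources to release. Subclasses may override.
     */
    @Override
    public void destroy() {
    }

}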