Posted to commits@qpid.apache.org by kw...@apache.org on 2016/02/12 14:13:13 UTC
svn commit: r1730019 -
/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
Author: kwall
Date: Fri Feb 12 13:13:13 2016
New Revision: 1730019
URL: http://svn.apache.org/viewvc?rev=1730019&view=rev
Log:
QPID-7028: [Java Broker] OAuth2 - ensure that errors reported by the authentication endpoint are propagated to the client
Modified:
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java?rev=1730019&r1=1730018&r2=1730019&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java Fri Feb 12 13:13:13 2016
@@ -23,6 +23,7 @@ import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.SecureRandom;
+import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
@@ -58,6 +59,23 @@ public class OAuth2InteractiveAuthentica
private static final String ORIGINAL_REQUEST_URI_SESSION_ATTRIBUTE = "originalRequestURI";
private static final String REDIRECT_URI_SESSION_ATTRIBUTE = "redirectURI";
+ /** Authentication Endpoint error responses https://tools.ietf.org/html/rfc6749#section-4.2.1 */
+ private static final Map<String, Integer> ERROR_RESPONSES;
+
+ static
+ {
+ // Authentication Enpoint
+ Map<String, Integer> errorResponses = new HashMap<>();
+ errorResponses.put("invalid_request", 400);
+ errorResponses.put("unauthorized_client", 400);
+ errorResponses.put("unsupported_response_type", 400);
+ errorResponses.put("invalid_scope", 400);
+ errorResponses.put("access_denied", 403);
+ errorResponses.put("server_error", 500);
+ errorResponses.put("temporarily_unavailable", 503);
+ ERROR_RESPONSES = Collections.unmodifiableMap(errorResponses);
+ }
+
private SecureRandom _random = new SecureRandom();
@Override
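Review bot: The Javadoc on the new ERROR_RESPONSES constant cites RFC 6749 section 4.2.1, which is the implicit-grant authorization request; the error codes listed here come from the error-response section for the authorization code grant (4.1.2.1), which is what this authenticator uses given the `code` parameter it reads. The comment also calls it the "Authentication Endpoint", while the RFC and the log message in the later hunk say "Authorization Endpoint", and the inner comment misspells it as "Enpoint". I would replace the Javadoc with `/** HTTP status to report for each error code the Authorization Endpoint may return (RFC 6749 section 4.1.2.1); the status values are this broker's own mapping, and codes not listed here fall back to 500. */` and drop the stray `// Authentication Enpoint` line.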
@@ -84,6 +102,25 @@ public class OAuth2InteractiveAuthentica
return new FailedAuthenticationHandler(400, "Some request parameters are included more than once " + request, e);
}
+ String error = requestParameters.get("error");
+ if (error != null)
+ {
+ int responseCode = decodeErrorAsResponseCode(error);
+ String errorDescription = requestParameters.get("error_description");
+ if (responseCode == 403)
+ {
+ LOGGER.debug("Resource owner denies the access request");
+ return new FailedAuthenticationHandler(responseCode, "Resource owner denies the access request");
+
+ }
+ else
+ {
+ LOGGER.warn("Authorization endpoint failed, error : '{}', error description '{}'",
+ error, errorDescription);
+ return new FailedAuthenticationHandler(responseCode, String.format("Authorization request failed :'%s'", error));
+ }
+ }
+
final String authorizationCode = requestParameters.get("code");
if (authorizationCode == null)
{
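Review bot: The `error` value read from the request parameters is echoed verbatim into the client-facing message at `String.format("Authorization request failed :'%s'", error)` and, together with `error_description`, written to the log at WARN; both are query-string values under the control of whoever constructs the redirect, and the branch returns before the `state` check that the next hunk shows, so an unauthenticated request carrying only `error=...` reaches these lines without being tied to a session. Since decodeErrorAsResponseCode already distinguishes known codes, I would only echo the value when it is a known key and otherwise report a fixed string, e.g. `String reportedError = ERROR_RESPONSES.containsKey(error) ? error : "unknown";` and `String.format("Authorization request failed :'%s'", reportedError)`, and consider whether the state check should run before the error branch so stray callback requests are rejected the same way as stray code grants. Whether FailedAuthenticationHandler renders the message as HTML cannot be seen from this hunk, so the escaping needed on the response side should be confirmed there. The enclosing method begins before this hunk.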
@@ -106,7 +143,7 @@ public class OAuth2InteractiveAuthentica
if (state == null)
{
LOGGER.warn("Deny login attempt with wrong state: {}", state);
- return new FailedAuthenticationHandler(400, "no state set on request with authorization code grant: "
+ return new FailedAuthenticationHandler(400, "No state set on request with authorization code grant: "
+ request);
}
if (!checkState(httpSession, state))
@@ -272,6 +309,11 @@ public class OAuth2InteractiveAuthentica
return state != null && state.equals(nonce);
}
+ private int decodeErrorAsResponseCode(final String error)
+ {
+ return ERROR_RESPONSES.containsKey(error) ? ERROR_RESPONSES.get(error) : 500;
+ }
+
class FailedAuthenticationHandler implements AuthenticationHandler
{
private final int _errorCode;
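Review bot: decodeErrorAsResponseCode performs two lookups on ERROR_RESPONSES and unboxes the second through the conditional, while reading only static state; a single lookup is simpler and lets the method be `static`: `final Integer code = ERROR_RESPONSES.get(error); return code != null ? code : 500;`. It also has no Javadoc; I would add `/** Maps an error code from the Authorization Endpoint to the HTTP status reported to the client; codes not in ERROR_RESPONSES map to 500. */`.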