/**
 * Resource-server token check endpoint ({@code /oauth/check_token}).
 *
 * <p>The raw token is looked up through the resource-server token services. A token that is
 * unknown ({@code null}) or already expired is rejected with an {@link InvalidTokenException};
 * only a live token is resolved to its authentication and converted into a claims map.
 *
 * @param value the raw access token value from the {@code token} request parameter
 * @return the converted token claims, plus {@code "active": true}
 * @throws InvalidTokenException if the token is not recognised or has expired
 */
@RequestMapping(value = "/oauth/check_token")
@ResponseBody
public Map<String, ?> checkToken(@RequestParam("token") String value) {
    OAuth2AccessToken accessToken = resourceServerTokenServices.readAccessToken(value);
    if (accessToken == null) {
        throw new InvalidTokenException("Token was not recognised");
    }
    if (accessToken.isExpired()) {
        throw new InvalidTokenException("Token has expired");
    }
    OAuth2Authentication authentication =
            resourceServerTokenServices.loadAuthentication(accessToken.getValue());
    // The converter is declared to return Map<String, ?>; the cast lets "active" be added
    // to the same map instance (the converter's map is assumed to be mutable).
    @SuppressWarnings("unchecked")
    Map<String, Object> claims =
            (Map<String, Object>) accessTokenConverter.convertAccessToken(accessToken, authentication);
    // gh-1070: anything that survives the two checks above exists and is unexpired,
    // so it is reported as active unconditionally.
    claims.put("active", true);
    return claims;
}
/**
 * Obtains an access token from the configured rest template and exchanges it, through the
 * token services, for the {@link OAuth2Authentication} it represents.
 *
 * <p>Either failure (no token obtainable, or the token services reject it as invalid) is
 * published as an {@link OAuth2AuthenticationFailureEvent} and rethrown as a
 * {@link BadCredentialsException} carrying the original exception as its cause. On success an
 * {@link AuthenticationSuccessEvent} is published. When an {@code authenticationDetailsSource}
 * is configured, the token value and type are exposed as request attributes before the
 * details are built from the request.
 *
 * @param request  the current request; receives the token attributes described above
 * @param response the current response (not used by this method)
 * @return the resolved, authenticated OAuth2 authentication
 * @throws AuthenticationException if the token cannot be obtained or resolved
 */
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException, IOException, ServletException {
    final OAuth2AccessToken accessToken;
    try {
        accessToken = restTemplate.getAccessToken();
    } catch (OAuth2Exception cause) {
        BadCredentialsException failure =
                new BadCredentialsException("Could not obtain access token", cause);
        publish(new OAuth2AuthenticationFailureEvent(failure));
        throw failure;
    }

    final String tokenValue = accessToken.getValue();
    try {
        OAuth2Authentication authentication = tokenServices.loadAuthentication(tokenValue);
        if (authenticationDetailsSource != null) {
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, tokenValue);
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, accessToken.getTokenType());
            authentication.setDetails(authenticationDetailsSource.buildDetails(request));
        }
        publish(new AuthenticationSuccessEvent(authentication));
        return authentication;
    } catch (InvalidTokenException cause) {
        // Only InvalidTokenException is translated here; any other AuthenticationException
        // thrown by the token services propagates as-is, without a failure event.
        BadCredentialsException failure =
                new BadCredentialsException("Could not obtain user details from token", cause);
        publish(new OAuth2AuthenticationFailureEvent(failure));
        throw failure;
    }
}
/** A token the token services know about but report as expired must introspect as inactive. */
@Test
public void testExpiredTokenIsInactive() {
    OAuth2AccessToken expiredToken = mock(OAuth2AccessToken.class);
    when(expiredToken.isExpired()).thenReturn(true);
    when(resourceServerTokenServices.readAccessToken("valid-token")).thenReturn(expiredToken);

    IntrospectionClaims result = introspectEndpoint.introspect("valid-token");

    Assert.assertFalse(result.isActive());
}
OAuth2Authentication auth = tokenServices.loadAuthentication(token); if (auth == null) { throw new InvalidTokenException("Invalid token: " + token);
/**
 * A live (unexpired) token is reported active and the claims attached to it are returned;
 * the expected name comes from the claims fixture set up elsewhere in this test class.
 */
@Test
public void testClaimsForValidToken() {
    OAuth2AccessToken liveToken = mock(OAuth2AccessToken.class);
    when(liveToken.isExpired()).thenReturn(false);
    when(liveToken.getValue()).thenReturn("valid-token");
    when(resourceServerTokenServices.readAccessToken("valid-token")).thenReturn(liveToken);

    IntrospectionClaims result = introspectEndpoint.introspect("valid-token");

    Assert.assertTrue(result.isActive());
    Assert.assertEquals("somename", result.getName());
}
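/**
 * Token introspection endpoint: reports whether the supplied token is currently active and,
 * if it is, the claims bound to it.
 *
 * <p>Every rejection path — token not found, token expired, or an
 * {@link InvalidTokenException} raised while loading the authentication or parsing the
 * claims — produces a response with {@code active = false} and no further claims, rather
 * than an error status.
 *
 * @param token the raw token value from the {@code token} form parameter
 * @return claims with {@code active = true} for a valid token, otherwise inactive claims
 */
@RequestMapping(value = "/introspect", method = POST)
@ResponseBody
public IntrospectionClaims introspect(@RequestParam("token") String token) {
    IntrospectionClaims introspectionClaims = new IntrospectionClaims();
    try {
        OAuth2AccessToken oAuth2AccessToken = resourceServerTokenServices.readAccessToken(token);
        // readAccessToken can return null for an unknown token (the check_token endpoint guards
        // the same call); an unknown token is simply inactive, not a server error.
        if (oAuth2AccessToken == null || oAuth2AccessToken.isExpired()) {
            introspectionClaims.setActive(false);
            return introspectionClaims;
        }
        // Called for its validation side effect only: an invalid token makes the token
        // services throw InvalidTokenException, which is handled below.
        resourceServerTokenServices.loadAuthentication(token);
        introspectionClaims = getClaimsForToken(oAuth2AccessToken.getValue());
        introspectionClaims.setActive(true);
    } catch (InvalidTokenException e) {
        // introspectionClaims still holds the empty instance if getClaimsForToken threw.
        introspectionClaims.setActive(false);
        return introspectionClaims;
    }
    return introspectionClaims;
}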
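/**
 * Merges the cart of the anonymous session identified by {@code anonymousToken} into the cart
 * of the currently logged-in customer.
 *
 * <p>The token is resolved through the token services to the customer principal it was issued
 * to; that customer's cart is then handed to the merge service together with the logged-in
 * customer.
 *
 * @param userDetails    the authenticated (logged-in) customer
 * @param anonymousToken the access token of the anonymous session, sent as the raw request body
 * @throws RemoveFromCartException  propagated from the cart merge
 * @throws PricingException         propagated from the cart merge
 * @throws IllegalArgumentException if the token does not resolve to a customer principal
 */
@Transactional
@RequestMapping(value = "/merge", method = RequestMethod.POST)
@ApiOperation(
        value = "Merge carts",
        notes = "Merges anonymous cart with a logged in customer's cart",
        response = Void.class
)
@ApiResponses(value = {
        @ApiResponse(code = 200, message = "Carts have been successfully merged", response = Void.class)
})
public void mergeWithAnonymous(
        @ApiIgnore @AuthenticationPrincipal final CustomerUserDetails userDetails,
        @RequestBody final String anonymousToken) throws RemoveFromCartException, PricingException {
    final Customer loggedUser = customerService.readCustomerById(userDetails.getId());

    // The token is request-supplied. A token whose principal is not a CustomerUserDetails
    // (or is null) previously surfaced as a ClassCastException / NPE; reject it explicitly.
    final Object anonymousPrincipal = tokenServices.loadAuthentication(anonymousToken).getPrincipal();
    if (!(anonymousPrincipal instanceof CustomerUserDetails)) {
        throw new IllegalArgumentException("Anonymous token does not resolve to a customer principal");
    }
    final CustomerUserDetails anonymousUserDetails = (CustomerUserDetails) anonymousPrincipal;

    // NOTE(review): nothing in this method confirms that the resolved customer is an anonymous
    // one rather than another registered customer whose token is presented here; confirm that
    // the token services or mergeCartService enforce that before relying on this endpoint.
    final Customer anonymousUser = customerService.readCustomerById(anonymousUserDetails.getId());
    final Order anonymousCart = orderService.findCartForCustomer(anonymousUser);
    mergeCartService.mergeCart(loggedUser, anonymousCart);
}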
/**
 * When the stored claims cannot be parsed ({@code JsonUtils.readValue} throws), the token is
 * reported inactive and no claim values (here: the name) leak into the response.
 */
@Test
public void testInvalidJSONInClaims() {
    OAuth2AccessToken liveToken = mock(OAuth2AccessToken.class);
    when(liveToken.isExpired()).thenReturn(false);
    when(liveToken.getValue()).thenReturn("valid-token");
    when(resourceServerTokenServices.readAccessToken("valid-token")).thenReturn(liveToken);

    // Make claim parsing fail for the fixture's claims payload.
    PowerMockito.mockStatic(JsonUtils.class);
    Mockito.when(JsonUtils.readValue("claims", IntrospectionClaims.class))
            .thenThrow(JsonUtils.JsonUtilException.class);

    IntrospectionClaims result = introspectEndpoint.introspect("valid-token");

    Assert.assertFalse(result.isActive());
    Assert.assertNull(result.getName());
}
}
/**
 * A live token is reported active, and the endpoint consults the token services for both the
 * token lookup and the authentication, plus the token's expiry flag.
 */
@Test
public void testValidToken() {
    OAuth2AccessToken liveToken = mock(OAuth2AccessToken.class);
    when(liveToken.isExpired()).thenReturn(false);
    when(liveToken.getValue()).thenReturn("valid-token");
    when(resourceServerTokenServices.readAccessToken("valid-token")).thenReturn(liveToken);

    IntrospectionClaims result = introspectEndpoint.introspect("valid-token");

    Assert.assertTrue(result.isActive());
    verify(token_expiry_checked(liveToken)).isExpired();
    verify(resourceServerTokenServices).readAccessToken("valid-token");
    verify(resourceServerTokenServices).loadAuthentication("valid-token");
}
/**
 * Test-only {@link ResourceServerTokenServices}: any token passed to {@code loadAuthentication}
 * resolves to a {@code "user"} principal holding {@code ROLE_USER}, with the scopes registered
 * for that token in {@code scopesForTokens} and a {@code "realm"} detail taken from {@code realms}.
 */
@Bean
public ResourceServerTokenServices mockResourceTokenServices() {
    final ResourceServerTokenServices services = mock(ResourceServerTokenServices.class);
    when(services.loadAuthentication(any())).thenAnswer(invocation -> {
        final UsernamePasswordAuthenticationToken principal = new UsernamePasswordAuthenticationToken(
                "user", "N/A", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
        final String tokenValue = (String) invocation.getArguments()[0];
        // Snapshot the configured scopes so later fixture changes cannot alter the answer.
        final Set<String> grantedScopes = ImmutableSet.copyOf(scopesForTokens.get(tokenValue));
        final Map<String, Object> principalDetails = new HashMap<>();
        principalDetails.put("realm", realms.get(tokenValue));
        principal.setDetails(principalDetails);
        // Only the approved flag and the scopes matter for this stub; every other
        // OAuth2Request field is left null.
        final OAuth2Request oauthRequest =
                new OAuth2Request(null, null, null, true, grantedScopes, null, null, null, null);
        return new OAuth2Authentication(oauthRequest, principal);
    });
    return services;
}
/** An InvalidTokenException raised by the token lookup itself yields an inactive result. */
@Test
public void testInvalidToken_inReadAccessToken() {
    when(resourceServerTokenServices.readAccessToken("valid-token"))
            .thenThrow(new InvalidTokenException("Bla"));

    IntrospectionClaims result = introspectEndpoint.introspect("valid-token");

    Assert.assertFalse(result.isActive());
}
OAuth2AccessToken token = resourceServerTokenServices.readAccessToken(value); if (token == null) { throw new InvalidTokenException("Token was not recognised"); resourceServerTokenServices.loadAuthentication(value); } catch (AuthenticationException x) { throw new InvalidTokenException((x.getMessage()));
/**
 * Obtains an access token from the configured rest template and exchanges it, through the
 * token services, for the {@link OAuth2Authentication} it represents.
 *
 * <p>Either failure (no token obtainable, or the token services reject it as invalid) is
 * published as an {@link OAuth2AuthenticationFailureEvent} and rethrown as a
 * {@link BadCredentialsException} carrying the original exception as its cause. On success an
 * {@link AuthenticationSuccessEvent} is published. When an {@code authenticationDetailsSource}
 * is configured, the token value and type are exposed as request attributes before the
 * details are built from the request.
 *
 * @param request  the current request; receives the token attributes described above
 * @param response the current response (not used by this method)
 * @return the resolved, authenticated OAuth2 authentication
 * @throws AuthenticationException if the token cannot be obtained or resolved
 */
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException, IOException, ServletException {
    final OAuth2AccessToken accessToken;
    try {
        accessToken = restTemplate.getAccessToken();
    } catch (OAuth2Exception cause) {
        BadCredentialsException failure =
                new BadCredentialsException("Could not obtain access token", cause);
        publish(new OAuth2AuthenticationFailureEvent(failure));
        throw failure;
    }

    final String tokenValue = accessToken.getValue();
    try {
        OAuth2Authentication authentication = tokenServices.loadAuthentication(tokenValue);
        if (authenticationDetailsSource != null) {
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, tokenValue);
            request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, accessToken.getTokenType());
            authentication.setDetails(authenticationDetailsSource.buildDetails(request));
        }
        publish(new AuthenticationSuccessEvent(authentication));
        return authentication;
    } catch (InvalidTokenException cause) {
        // Only InvalidTokenException is translated here; any other AuthenticationException
        // thrown by the token services propagates as-is, without a failure event.
        BadCredentialsException failure =
                new BadCredentialsException("Could not obtain user details from token", cause);
        publish(new OAuth2AuthenticationFailureEvent(failure));
        throw failure;
    }
}
when(token.getScope()).thenReturn(scopes); when(tokenServicesMock.readAccessToken("tokenValue")).thenReturn(token);
/**
 * The token lookup succeeds but loading its authentication throws InvalidTokenException:
 * the token must still be reported inactive.
 */
@Test
public void testInvalidToken_inLoadAuthentication() {
    OAuth2AccessToken knownToken = mock(OAuth2AccessToken.class);
    when(resourceServerTokenServices.readAccessToken("valid-token")).thenReturn(knownToken);
    when(resourceServerTokenServices.loadAuthentication("valid-token"))
            .thenThrow(new InvalidTokenException("Bla"));

    IntrospectionClaims result = introspectEndpoint.introspect("valid-token");

    Assert.assertFalse(result.isActive());
}
/**
 * Resolves an incoming bearer-token {@code Authentication} into the full
 * {@link OAuth2Authentication} held by the token services.
 *
 * <p>The incoming authentication's principal is expected to be the raw token string. The
 * token services are asked for the authentication bound to that string; the details carried
 * by the incoming authentication are copied onto the result, and, when those details are
 * {@link OAuth2AuthenticationDetails} differing from the loaded ones, the loaded details are
 * attached to them as decoded details. The result is marked authenticated.
 *
 * @param authentication the pre-authentication whose principal is the token value; may be null
 * @return the authenticated {@link OAuth2Authentication} for the token
 * @throws InvalidTokenException if {@code authentication} is null or the token services return
 *                               no authentication for the token
 */
protected Authentication authenticate(Authentication authentication) {
    if (authentication == null) {
        throw new InvalidTokenException("Invalid token (token not found)");
    }
    String tokenValue = (String) authentication.getPrincipal();
    OAuth2Authentication loaded = this.tokenServices.loadAuthentication(tokenValue);
    if (loaded == null) {
        throw new InvalidTokenException("Invalid token: " + tokenValue);
    }
    Object incomingDetails = authentication.getDetails();
    if (incomingDetails instanceof OAuth2AuthenticationDetails) {
        OAuth2AuthenticationDetails oauthDetails = (OAuth2AuthenticationDetails) incomingDetails;
        // Keep the loaded details reachable as "decoded" details when they differ from
        // what the request carried.
        if (!oauthDetails.equals(loaded.getDetails())) {
            oauthDetails.setDecodedDetails(loaded.getDetails());
        }
    }
    loaded.setDetails(incomingDetails);
    loaded.setAuthenticated(true);
    return loaded;
}
/**
 * Resource-server token check endpoint ({@code /oauth/check_token}).
 *
 * <p>The raw token is looked up through the resource-server token services. A token that is
 * unknown ({@code null}) or already expired is rejected with an {@link InvalidTokenException};
 * only a live token is resolved to its authentication and converted into a claims map.
 *
 * @param value the raw access token value from the {@code token} request parameter
 * @return the converted token claims, plus {@code "active": true}
 * @throws InvalidTokenException if the token is not recognised or has expired
 */
@RequestMapping(value = "/oauth/check_token")
@ResponseBody
public Map<String, ?> checkToken(@RequestParam("token") String value) {
    OAuth2AccessToken accessToken = resourceServerTokenServices.readAccessToken(value);
    if (accessToken == null) {
        throw new InvalidTokenException("Token was not recognised");
    }
    if (accessToken.isExpired()) {
        throw new InvalidTokenException("Token has expired");
    }
    OAuth2Authentication authentication =
            resourceServerTokenServices.loadAuthentication(accessToken.getValue());
    // The converter is declared to return Map<String, ?>; the cast lets "active" be added
    // to the same map instance (the converter's map is assumed to be mutable).
    @SuppressWarnings("unchecked")
    Map<String, Object> claims =
            (Map<String, Object>) accessTokenConverter.convertAccessToken(accessToken, authentication);
    // gh-1070: anything that survives the two checks above exists and is unexpired,
    // so it is reported as active unconditionally.
    claims.put("active", true);
    return claims;
}
OAuth2Authentication auth = tokenServices.loadAuthentication(token); if (auth == null) { throw new InvalidTokenException("Invalid token: " + token);
/**
 * Registers a fresh random token with the mocked token services so that it resolves to
 * {@code username} with the given scopes and roles, and returns a post-processor that
 * presents that token on a request.
 *
 * @param username the principal name the token should resolve to
 * @param scopes   the scopes granted to the token
 * @param roles    the roles granted to the principal
 * @return a post-processor carrying the newly registered token
 */
public RequestPostProcessor oauth2Authentication(String username, Set<String> scopes, Set<String> roles) {
    String tokenValue = UUID.randomUUID().toString();
    given(tokenServices.loadAuthentication(tokenValue))
            .willReturn(createAuthentication(username, scopes, roles));
    given(tokenServices.readAccessToken(tokenValue))
            .willReturn(new DefaultOAuth2AccessToken(tokenValue));
    return new OAuth2PostProcessor(tokenValue);
}
OAuth2Authentication auth = tokenServices.loadAuthentication(token); if (auth == null) { throw new InvalidTokenException("Invalid token: " + token);