From 66d58476d01d1eaf979a633137e6c0af260a8878 Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Tue, 23 Sep 2014 11:05:10 -0400
Subject: [PATCH] refactor security page flow
---
 .../resources/RequiredActionsService.java | 4 +-
 .../services/resources/SocialResource.java | 18 +++----
 .../services/resources/TokenService.java | 54 +++++++++----------
 .../services/resources/flows/ErrorFlows.java | 2 +
 .../services/resources/flows/Flows.java | 6 +++
 .../services/resources/flows/OAuthFlows.java | 2 +
 6 files changed, 48 insertions(+), 38 deletions(-)
 mode change 100644 => 100755 services/src/main/java/org/keycloak/services/resources/flows/ErrorFlows.java
diff --git a/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java b/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
index fcd3c5de6c..3b34ed1e8a 100755
--- a/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
+++ b/services/src/main/java/org/keycloak/services/resources/RequiredActionsService.java
@@ -282,11 +282,11 @@ public class RequiredActionsService {
 ClientModel client = realm.findClient(clientId);
 if (client == null) {
- return Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager).forwardToSecurityFailure(
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo,
 "Unknown login requester.");
 }
 if (!client.isEnabled()) {
- return Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager).forwardToSecurityFailure(
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo,
 "Login requester not enabled.");
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/SocialResource.java b/services/src/main/java/org/keycloak/services/resources/SocialResource.java
index 572b74d92e..07a5b9dfe8 100755
--- a/services/src/main/java/org/keycloak/services/resources/SocialResource.java
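Review bot: The client-not-found and client-disabled rejections in this hunk return the failure page without recording anything, while the identical checks in SocialResource and TokenService in this same patch call `event.error(Errors.CLIENT_NOT_FOUND)` and `event.error(Errors.CLIENT_DISABLED)` before returning. If an EventBuilder is in scope in this method (none is visible in the hunk), the same two calls belong here so that a probe with an unknown or disabled client_id shows up in the audit stream like everywhere else. The enclosing method starts and ends outside the hunk.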
+++ b/services/src/main/java/org/keycloak/services/resources/SocialResource.java
@@ -132,7 +132,7 @@ public class SocialResource {
 if (!realm.isEnabled()) {
 event.error(Errors.REALM_DISABLED);
- return oauth.forwardToSecurityFailure("Realm not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled.");
 }
 String clientId = initialRequest.get(OAuth2Constants.CLIENT_ID);
@@ -146,11 +146,11 @@ public class SocialResource {
 ClientModel client = realm.findClient(clientId);
 if (client == null) {
 event.error(Errors.CLIENT_NOT_FOUND);
- return oauth.forwardToSecurityFailure("Unknown login requester.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
 }
 if (!client.isEnabled()) {
 event.error(Errors.CLIENT_DISABLED);
- return oauth.forwardToSecurityFailure("Login requester not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
 }
 String key = realm.getSocialConfig().get(provider.getId() + ".key");
@@ -178,7 +178,7 @@ public class SocialResource {
 return Flows.forms(session, realm, client, uriInfo).setQueryParams(queryParms).setWarning("Access denied").createLogin();
 } catch (SocialProviderException e) {
 logger.error("Failed to process social callback", e);
- return oauth.forwardToSecurityFailure("Failed to process social callback");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Failed to process social callback");
 }
 event.detail(Details.USERNAME, socialUser.getId() + "@" + provider.getId());
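Review bot: The `catch (SocialProviderException e)` branch in the last hunk on this line logs the exception and returns the failure page but records no `event.error(...)`, whereas every other rejection in this method (REALM_DISABLED, CLIENT_NOT_FOUND, CLIENT_DISABLED, and the USER_DISABLED and SOCIAL_ID_IN_USE paths further down) does. A callback that the provider layer rejects, a tampered or replayed response for instance, is exactly what an operator wants in the event stream, so add an `event.error(...)` with whichever `Errors` constant fits (the constant set is not visible here) before the return. The enclosing method starts and ends outside the hunk.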
@@ -196,22 +196,22 @@ public class SocialResource {
 if (user != null) {
 event.error(Errors.SOCIAL_ID_IN_USE);
- return oauth.forwardToSecurityFailure("This social account is already linked to other user");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "This social account is already linked to other user");
 }
 if (!authenticatedUser.isEnabled()) {
 event.error(Errors.USER_DISABLED);
- return oauth.forwardToSecurityFailure("User is disabled");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "User is disabled");
 }
 if (!authenticatedUser.hasRole(realm.getApplicationByName(Constants.ACCOUNT_MANAGEMENT_APP).getRole(AccountRoles.MANAGE_ACCOUNT))) {
 event.error(Errors.NOT_ALLOWED);
- return oauth.forwardToSecurityFailure("Insufficient permissions to link social account");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Insufficient permissions to link social account");
 }
 if (redirectUri == null) {
 event.error(Errors.INVALID_REDIRECT_URI);
- return oauth.forwardToSecurityFailure("Unknown redirectUri");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown redirectUri");
 }
 session.users().addSocialLink(realm, authenticatedUser, socialLink);
@@ -245,7 +245,7 @@ public class SocialResource {
 if (!user.isEnabled()) {
 event.error(Errors.USER_DISABLED);
- return oauth.forwardToSecurityFailure("Your account is not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Your account is not enabled.");
 }
 String username = socialLink.getSocialUserId() + "@" + socialLink.getSocialProvider();
diff --git a/services/src/main/java/org/keycloak/services/resources/TokenService.java b/services/src/main/java/org/keycloak/services/resources/TokenService.java
index d964906864..52e3704c10 100755
--- a/services/src/main/java/org/keycloak/services/resources/TokenService.java
+++ b/services/src/main/java/org/keycloak/services/resources/TokenService.java
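Review bot: The message at the top of the first hunk, "This social account is already linked to other user", confirms to the caller that the social identity is bound to some other local account; this path is only reachable by an authenticated user linking their own account and `Errors.SOCIAL_ID_IN_USE` is recorded, so the disclosure is limited, but it should be a deliberate choice. At minimum fix the grammar to `"This social account is already linked to another user"`; if the product would rather not confirm that another link exists, a neutral "This social account cannot be linked" keeps that detail in the event log only. The enclosing method starts and ends outside the hunk.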
@@ -493,27 +493,27 @@ public class TokenService {
 OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 if (!checkSsl()) {
- return oauth.forwardToSecurityFailure("HTTPS required");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
 }
 if (!realm.isEnabled()) {
 event.error(Errors.REALM_DISABLED);
- return oauth.forwardToSecurityFailure("Realm not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled.");
 }
 ClientModel client = realm.findClient(clientId);
 if (client == null) {
 event.error(Errors.CLIENT_NOT_FOUND);
- return oauth.forwardToSecurityFailure("Unknown login requester.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
 }
 if (!client.isEnabled()) {
 event.error(Errors.CLIENT_NOT_FOUND);
- return oauth.forwardToSecurityFailure("Login requester not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
 }
 redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
 if (redirect == null) {
 event.error(Errors.INVALID_REDIRECT_URI);
- return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
 }
 if (formData.containsKey("cancel")) {
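Review bot: In the `!client.isEnabled()` branch of this hunk the event is recorded as `Errors.CLIENT_NOT_FOUND`, but the client was found and is merely disabled; the same branch in the -603, -917 and -1007 hunks and in SocialResource uses `Errors.CLIENT_DISABLED`. Change it to `event.error(Errors.CLIENT_DISABLED);` so the audit stream distinguishes a probe for a non-existent client from a login attempt against a deliberately disabled one. The line is context here, but the refactor touched the adjacent return, so it is a cheap fix in the same commit. The enclosing method starts and ends outside the hunk.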
@@ -603,28 +603,28 @@ public class TokenService {
 if (!realm.isEnabled()) {
 event.error(Errors.REALM_DISABLED);
- return oauth.forwardToSecurityFailure("Realm not enabled");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
 }
 ClientModel client = realm.findClient(clientId);
 if (client == null) {
 event.error(Errors.CLIENT_NOT_FOUND);
- return oauth.forwardToSecurityFailure("Unknown login requester.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
 }
 if (!client.isEnabled()) {
 event.error(Errors.CLIENT_DISABLED);
- return oauth.forwardToSecurityFailure("Login requester not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
 }
 redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
 if (redirect == null) {
 event.error(Errors.INVALID_REDIRECT_URI);
- return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
 }
 if (!realm.isRegistrationAllowed()) {
 event.error(Errors.REGISTRATION_DISABLED);
- return oauth.forwardToSecurityFailure("Registration not allowed");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Registration not allowed");
 }
 List requiredCredentialTypes = new LinkedList();
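Review bot: The realm-enabled, client-lookup, client-enabled and redirect_uri checks in this hunk are the fourth verbatim copy in this file (the -493, -917 and -1007 hunks carry the others), and this refactor touched every copy without consolidating them, which is how the CLIENT_NOT_FOUND/CLIENT_DISABLED mismatch at -493 crept in. Consider a private helper that performs the checks and returns the failure `Response` (or null when all pass); because `redirect` is reassigned by `verifyRedirectUri`, the helper would also need to hand back the validated redirect, so this is a small follow-up rather than a one-liner. The enclosing method starts and ends outside the hunk.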
@@ -917,35 +917,35 @@ public class TokenService {
 OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 if (!checkSsl()) {
- return oauth.forwardToSecurityFailure("HTTPS required");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
 }
 if (!realm.isEnabled()) {
 event.error(Errors.REALM_DISABLED);
- return oauth.forwardToSecurityFailure("Realm not enabled");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
 }
 ClientModel client = realm.findClient(clientId);
 if (client == null) {
 event.error(Errors.CLIENT_NOT_FOUND);
- return oauth.forwardToSecurityFailure("Unknown login requester.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
 }
 if (!client.isEnabled()) {
 event.error(Errors.CLIENT_DISABLED);
- return oauth.forwardToSecurityFailure("Login requester not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
 }
 if ( (client instanceof ApplicationModel) && ((ApplicationModel)client).isBearerOnly()) {
 event.error(Errors.NOT_ALLOWED);
- return oauth.forwardToSecurityFailure("Bearer-only applications are not allowed to initiate browser login");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Bearer-only applications are not allowed to initiate browser login");
 }
 if (client.isDirectGrantsOnly()) {
 event.error(Errors.NOT_ALLOWED);
- return oauth.forwardToSecurityFailure("direct-grants-only clients are not allowed to initiate browser login");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "direct-grants-only clients are not allowed to initiate browser login");
 }
 redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
 if (redirect == null) {
 event.error(Errors.INVALID_REDIRECT_URI);
- return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
 }
 AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, uriInfo, clientConnection, headers);
@@ -1007,33 +1007,33 @@ public class TokenService {
 OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 if (!checkSsl()) {
- return oauth.forwardToSecurityFailure("HTTPS required");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
 }
 if (!realm.isEnabled()) {
 event.error(Errors.REALM_DISABLED);
- return oauth.forwardToSecurityFailure("Realm not enabled");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Realm not enabled");
 }
 ClientModel client = realm.findClient(clientId);
 if (client == null) {
 event.error(Errors.CLIENT_NOT_FOUND);
- return oauth.forwardToSecurityFailure("Unknown login requester.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Unknown login requester.");
 }
 if (!client.isEnabled()) {
 event.error(Errors.CLIENT_DISABLED);
- return oauth.forwardToSecurityFailure("Login requester not enabled.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Login requester not enabled.");
 }
 redirect = verifyRedirectUri(uriInfo, redirect, realm, client);
 if (redirect == null) {
 event.error(Errors.INVALID_REDIRECT_URI);
- return oauth.forwardToSecurityFailure("Invalid redirect_uri.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect_uri.");
 }
 if (!realm.isRegistrationAllowed()) {
 event.error(Errors.REGISTRATION_DISABLED);
- return oauth.forwardToSecurityFailure("Registration not allowed");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Registration not allowed");
 }
 authManager.expireIdentityCookie(realm, uriInfo, clientConnection);
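Review bot: The `!checkSsl()` rejection at the top of the -917 hunk returns the failure page without an `event.error(...)`, whereas every other rejection in the same block (realm disabled, client not found or disabled, bearer-only, direct-grants-only, invalid redirect) records one; a browser login arriving over plain HTTP on a realm that requires TLS is something an operator wants to see in the event log. The `Errors` constant set is not visible here, so if none fits, adding one is a small change. The same gap repeats at the -493, -1007 and -1145 hunks. The enclosing method starts and ends outside the hunk.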
@@ -1065,7 +1065,7 @@ public class TokenService {
 String validatedRedirect = verifyRealmRedirectUri(uriInfo, redirectUri, realm);
 if (validatedRedirect == null) {
 OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
- return oauth.forwardToSecurityFailure("Invalid redirect uri.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect uri.");
 }
 return Response.status(302).location(UriBuilder.fromUri(validatedRedirect).build()).build();
 } else {
@@ -1145,7 +1145,7 @@ public class TokenService {
 OAuthFlows oauth = Flows.oauth(session, realm, request, uriInfo, clientConnection, authManager, tokenManager);
 if (!checkSsl()) {
- return oauth.forwardToSecurityFailure("HTTPS required");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "HTTPS required");
 }
 String code = formData.getFirst(OAuth2Constants.CODE);
@@ -1153,7 +1153,7 @@ public class TokenService {
 AccessCode accessCode = AccessCode.parse(code, session, realm);
 if (accessCode == null || !accessCode.isValid(ClientSessionModel.Action.OAUTH_GRANT)) {
 event.error(Errors.INVALID_CODE);
- return oauth.forwardToSecurityFailure("Invalid access code.");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid access code.");
 }
 event.detail(Details.CODE_ID, accessCode.getCodeId());
@@ -1177,7 +1177,7 @@ public class TokenService {
 if (!AuthenticationManager.isSessionValid(realm, userSession)) {
 AuthenticationManager.logout(session, realm, userSession, uriInfo, clientConnection);
 event.error(Errors.INVALID_CODE);
- return oauth.forwardToSecurityFailure("Session not active");
+ return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Session not active");
 }
 event.session(userSession);
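Review bot: The `OAuthFlows oauth = Flows.oauth(...)` declaration inside the `if (validatedRedirect == null)` block at the top of the -1065 hunk is now dead: the only statement after it is the replaced return, which no longer touches `oauth`. Drop the declaration so the block reads `if (validatedRedirect == null) { return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, "Invalid redirect uri."); }`. The same declaration at the -1145 hunk may still be used further down that method, which is outside the hunk, so leave it unless the compiler reports it unused too. Both enclosing methods start and end outside their hunks.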
diff --git a/services/src/main/java/org/keycloak/services/resources/flows/ErrorFlows.java b/services/src/main/java/org/keycloak/services/resources/flows/ErrorFlows.java
old mode 100644
new mode 100755
index 7d78352482..7d575d57be
--- a/services/src/main/java/org/keycloak/services/resources/flows/ErrorFlows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/ErrorFlows.java
@@ -22,4 +22,6 @@ public class ErrorFlows {
 return Response.status(status).entity(error).type(MediaType.APPLICATION_JSON).build();
 }
+
+
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/flows/Flows.java b/services/src/main/java/org/keycloak/services/resources/flows/Flows.java
index 9765c56d10..2adf26cb1b 100755
--- a/services/src/main/java/org/keycloak/services/resources/flows/Flows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/Flows.java
@@ -31,6 +31,7 @@ import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.TokenManager;
 import org.keycloak.social.SocialProvider;
+import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 /**
@@ -58,4 +59,9 @@ public class Flows {
 return new ErrorFlows();
 }
+ public static Response forwardToSecurityFailurePage(KeycloakSession session, RealmModel realm, UriInfo uriInfo, String message) {
+ return Flows.forms(session, realm, null, uriInfo).setError(message).createErrorPage();
+ }
+
+
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java b/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
index a20f6fcdae..1675fb7bbc 100755
--- a/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
+++ b/services/src/main/java/org/keycloak/services/resources/flows/OAuthFlows.java
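Review bot: The new `forwardToSecurityFailurePage` in the Flows.java -58 hunk has no Javadoc, and two properties of it matter to callers: it builds the error page with a `null` client, so no client-specific data is available to the template, and `message` is rendered to the end user as-is. I would add a Javadoc along the lines of `/** Renders the realm error page showing {@code message}. No client context is available, and the text is shown verbatim to the end user, so callers should pass fixed, non-sensitive strings rather than request-derived values. */`. Every call site in this patch passes a string literal, which is the right pattern to preserve; whether the error template HTML-escapes the message is not visible here and is worth confirming before anyone passes a computed value.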
@@ -179,9 +179,11 @@ public class OAuthFlows {
 }
 }
+ /*
 public Response forwardToSecurityFailure(String message) {
 return Flows.forms(session, realm, null, uriInfo).setError(message).createErrorPage();
 }
+ */
 private void isTotpConfigurationRequired(UserModel user) {
 for (RequiredCredentialModel c : realm.getRequiredCredentials()) {
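Review bot: The old `forwardToSecurityFailure` is fenced in `/* */` rather than deleted, so dead code stays in the class and out-of-tree callers get a confusing compile error with the body still visible. Since every caller in this patch was moved to `Flows.forwardToSecurityFailurePage`, delete the three lines outright (git history keeps them); if it must remain for callers outside this repository, keep it live, mark it `@Deprecated`, and have it delegate with `return Flows.forwardToSecurityFailurePage(session, realm, uriInfo, message);`. `isTotpConfigurationRequired` continues outside the hunk.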