/*******************************************************************************
* Copyright 2018 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
/**
*
*/
package org.mitre.openid.connect.client.service.impl;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import org.apache.http.client.utils.URIBuilder;
import org.mitre.openid.connect.client.model.IssuerServiceResponse;
import org.mitre.openid.connect.client.service.IssuerService;
import org.springframework.security.authentication.AuthenticationServiceException;
import com.google.common.base.Strings;
/**
*
* Determines the issuer using an account chooser or other third-party-initiated login
*
* @author jricher
*
*/
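public class ThirdPartyIssuerService implements IssuerService {

    /** Absolute URL of the account chooser the user is sent to when the request carries no {@code iss}. */
    private String accountChooserUrl;

    /**
     * Issuer identifiers that are allowed. When non-empty, any {@code iss} not in this set is
     * rejected; when empty, no allow-list restriction is applied. Matching is an exact string
     * comparison, so entries must be spelled exactly as the issuer sends them.
     */
    private Set<String> whitelist = new HashSet<>();

    /** Issuer identifiers that are always rejected. Checked after the whitelist; exact string match. */
    private Set<String> blacklist = new HashSet<>();

    /**
     * Determines the issuer for a third-party-initiated login.
     *
     * <p>If the request carries a non-empty {@code iss} parameter it is checked against the
     * whitelist (when non-empty) and the blacklist, and returned together with the raw
     * {@code login_hint} and {@code target_link_uri} parameters. Otherwise the caller is redirected
     * to the configured account chooser with this request's URL as {@code redirect_uri}.
     *
     * @param request the incoming request; all values read from it are caller-controlled
     * @return the issuer to use, or a redirect to the account chooser
     * @throws AuthenticationServiceException if {@code iss} is not in a non-empty whitelist, is in
     *     the blacklist, or the configured account chooser URL is not a valid URI
     */
    @Override
    public IssuerServiceResponse getIssuer(HttpServletRequest request) {
        String iss = request.getParameter("iss");
        if (Strings.isNullOrEmpty(iss)) {
            // no issuer supplied: hand the user to the account chooser
            return redirectToAccountChooser(request);
        }
        checkIssuerAllowed(iss);
        // NOTE(review): login_hint and target_link_uri are passed through untouched. OpenID
        // Connect Core section 4 requires the RP to verify target_link_uri before redirecting to
        // it (open-redirector risk); that verification is not done here — confirm the consumer of
        // IssuerServiceResponse performs it.
        return new IssuerServiceResponse(iss, request.getParameter("login_hint"), request.getParameter("target_link_uri"));
    }

    /**
     * Rejects an issuer that is excluded by the configured lists.
     *
     * @param iss the caller-supplied issuer identifier (non-empty)
     * @throws AuthenticationServiceException if the whitelist is non-empty and does not contain
     *     {@code iss}, or if the blacklist contains it
     */
    private void checkIssuerAllowed(String iss) {
        // whitelist first: an empty whitelist means "anything not blacklisted"
        if (!whitelist.isEmpty() && !whitelist.contains(iss)) {
            throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + iss);
        }
        if (blacklist.contains(iss)) {
            throw new AuthenticationServiceException("Issuer was in blacklist: " + iss);
        }
    }

    /**
     * Builds the redirect to the account chooser, passing the current request URL as
     * {@code redirect_uri}.
     *
     * @param request the incoming request
     * @return a redirect response pointing at the account chooser
     * @throws AuthenticationServiceException if {@link #accountChooserUrl} cannot be parsed
     */
    private IssuerServiceResponse redirectToAccountChooser(HttpServletRequest request) {
        try {
            // getRequestURL() is reconstructed from the Host header as seen by the container;
            // behind a reverse proxy, make sure the container only trusts the intended hostnames,
            // otherwise the redirect_uri handed to the chooser can be influenced by the client.
            String redirectUri = request.getRequestURL().toString();
            URIBuilder builder = new URIBuilder(accountChooserUrl);
            builder.addParameter("redirect_uri", redirectUri);
            return new IssuerServiceResponse(builder.build().toString());
        } catch (URISyntaxException e) {
            throw new AuthenticationServiceException("Account Chooser URL is not valid", e);
        }
    }

    /**
     * @return the accountChooserUrl
     */
    public String getAccountChooserUrl() {
        return accountChooserUrl;
    }

    /**
     * @param accountChooserUrl the accountChooserUrl to set
     */
    public void setAccountChooserUrl(String accountChooserUrl) {
        this.accountChooserUrl = accountChooserUrl;
    }

    /**
     * @return the whitelist (never {@code null}; the live set, not a copy)
     */
    public Set<String> getWhitelist() {
        return whitelist;
    }

    /**
     * @param whitelist the whitelist to set; {@code null} is treated as an empty set so that
     *     {@link #getIssuer} does not fail on every request with a bare NullPointerException
     */
    public void setWhitelist(Set<String> whitelist) {
        this.whitelist = whitelist == null ? new HashSet<>() : whitelist;
    }

    /**
     * @return the blacklist (never {@code null}; the live set, not a copy)
     */
    public Set<String> getBlacklist() {
        return blacklist;
    }

    /**
     * @param blacklist the blacklist to set; {@code null} is treated as an empty set
     */
    public void setBlacklist(Set<String> blacklist) {
        this.blacklist = blacklist == null ? new HashSet<>() : blacklist;
    }

    /**
     * Validates configuration once properties have been injected.
     *
     * @throws IllegalArgumentException if no account chooser URL was configured
     */
    @PostConstruct
    public void afterPropertiesSet() {
        if (Strings.isNullOrEmpty(this.accountChooserUrl)) {
            throw new IllegalArgumentException("Account Chooser URL cannot be null or empty");
        }
    }
}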