zowe
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/gateway/security/login/SuccessfulAccessTokenHandler.java
Lines changed: 4 additions & 3 deletions b/‎apiml-security-common/src/main/java/org/zowe/apiml/gateway/security/login/SuccessfulAccessTokenHandler.java
Lines changed: 4 additions & 3 deletions
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AccessTokenProviderConfig.java
Lines changed: 8 additions & 1 deletion b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/config/AccessTokenProviderConfig.java
Lines changed: 8 additions & 1 deletion
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/AuthExceptionHandler.java
Lines changed: 7 additions & 0 deletions b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/AuthExceptionHandler.java
Lines changed: 7 additions & 0 deletions
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/ErrorType.java
Lines changed: 2 additions & 1 deletion b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/ErrorType.java
Lines changed: 2 additions & 1 deletion
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/ResourceAccessExceptionHandler.java
Lines changed: 0 additions & 8 deletions b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/error/ResourceAccessExceptionHandler.java
Lines changed: 0 additions & 8 deletions
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/filter/StoreAccessTokenInfoFilter.java
Lines changed: 18 additions & 8 deletions b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/filter/StoreAccessTokenInfoFilter.java
Lines changed: 18 additions & 8 deletions
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/handler/UnauthorizedHandler.java
Lines changed: 2 additions & 0 deletions b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/handler/UnauthorizedHandler.java
Lines changed: 2 additions & 0 deletions
diff --git a/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/AccessTokenProvider.java
Lines changed: 4 additions & 1 deletion b/‎apiml-security-common/src/main/java/org/zowe/apiml/security/common/token/AccessTokenProvider.java
Lines changed: 4 additions & 1 deletion
diff --git a/‎apiml-security-common/src/main/resources/security-common-log-messages.yml
Lines changed: 8 additions & 1 deletion b/‎apiml-security-common/src/main/resources/security-common-log-messages.yml
Lines changed: 8 additions & 1 deletion
diff --git a/‎apiml-security-common/src/test/java/org/zowe/apiml/gateway/security/login/SuccessfulAccessTokenHandlerTest.java
Lines changed: 15 additions & 7 deletions b/‎apiml-security-common/src/test/java/org/zowe/apiml/gateway/security/login/SuccessfulAccessTokenHandlerTest.java
Lines changed: 15 additions & 7 deletions
@@ -24,6 +24,8 @@
 import java.io.IOException;
 import java.util.Set;
 
+import static org.zowe.apiml.security.common.filter.StoreAccessTokenInfoFilter.TOKEN_REQUEST;
+
 @Component
 @RequiredArgsConstructor
 public class SuccessfulAccessTokenHandler implements AuthenticationSuccessHandler {
@@ -32,9 +34,8 @@ public class SuccessfulAccessTokenHandler implements AuthenticationSuccessHandle
 
     @Override
     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
-        Object expirationTime = request.getAttribute("expirationTime");
-        String validity = expirationTime == null || expirationTime.equals("") ? "0" : request.getAttribute("expirationTime").toString();
-        String token = accessTokenProvider.getToken(authentication.getPrincipal().toString(), Integer.parseInt(validity));
+        AccessTokenRequest accessTokenRequest = (AccessTokenRequest)request.getAttribute(TOKEN_REQUEST);
+        String token = accessTokenProvider.getToken(authentication.getPrincipal().toString(), accessTokenRequest.getValidity(), accessTokenRequest.getScopes());
         response.getWriter().print(token);
         response.getWriter().flush();
         response.getWriter().close();
 
@@ -15,6 +15,8 @@
 import org.springframework.context.annotation.Configuration;
 import org.zowe.apiml.security.common.token.AccessTokenProvider;
 
+import java.util.Set;
+
 @Configuration
 public class AccessTokenProviderConfig {
 
@@ -33,7 +35,12 @@ public boolean isInvalidated(String token) {
             }
 
             @Override
-            public String getToken(String username, int expirationTime) {
+            public String getToken(String username, int expirationTime, Set<String> scopes) {
+                throw new NotImplementedException();
+            }
+
+            @Override
+            public boolean isValidForScopes(String token, String serviceId) {
                 throw new NotImplementedException();
             }
         };
 
@@ -63,6 +63,8 @@ public void handleException(HttpServletRequest request, HttpServletResponse resp
             handleTokenExpire(request, response, ex);
         } else if (ex instanceof TokenFormatNotValidException) {
             handleTokenFormatException(request, response, ex);
+        } else if (ex instanceof AccessTokenBodyNotValidException) {
+            handleInvalidAccessTokenBodyException(request, response, ex);
         } else if (ex instanceof InvalidCertificateException) {
             handleInvalidCertificate(response, ex);
         } else if (ex instanceof ZosAuthenticationException) {
@@ -135,6 +137,11 @@ private void handleInvalidTokenTypeException(HttpServletRequest request, HttpSer
         writeErrorResponse(ErrorType.INVALID_TOKEN_TYPE.getErrorMessageKey(), HttpStatus.UNAUTHORIZED, request, response);
     }
 
+    private void handleInvalidAccessTokenBodyException(HttpServletRequest request, HttpServletResponse response, RuntimeException ex) throws ServletException {
+        log.debug(ERROR_MESSAGE_400, ex.getMessage());
+        writeErrorResponse(ex.getMessage(), HttpStatus.BAD_REQUEST, request, response);
+    }
+
     //500
     private void handleAuthenticationException(HttpServletRequest request, HttpServletResponse response, RuntimeException ex) throws ServletException {
         log.debug(ERROR_MESSAGE_500, ex.getMessage());
 
@@ -16,7 +16,8 @@
 public enum ErrorType {
     BAD_CREDENTIALS("org.zowe.apiml.security.login.invalidCredentials", "Invalid Credentials", "Provide a valid username and password."),
     TOKEN_NOT_VALID("org.zowe.apiml.security.query.invalidToken", "Token is not valid.", "Provide a valid token."),
-    BAD_ACCESS_TOKEN_BODY("org.zowe.apiml.security.query.invalidAccessTokenBody", "Personal Access Token body in the request is not valid.", "Provide a valid body."),
+    BAD_ACCESS_TOKEN_BODY("org.zowe.apiml.security.query.invalidAccessTokenBody", "Personal Access Token body in the request is not valid.", "Use a valid body in the request. Format of a message: {validity: int , scopes: [string]}."),
+    ACCESS_TOKEN_BODY_MISSING_SCOPES("org.zowe.apiml.security.query.accessTokenBodyMissingScopes", "Body in the HTTP request for Personal Access Token does not contain scopes.", "Provide a list of services for which this token will be valid."),
     TOKEN_NOT_PROVIDED("org.zowe.apiml.security.query.tokenNotProvided", "No authorization token provided.", "Provide a valid authorization token."),
     TOKEN_EXPIRED("org.zowe.apiml.security.expiredToken", "Token is expired.", "Obtain a new token by performing an authentication request."),
     AUTH_CREDENTIALS_NOT_FOUND("org.zowe.apiml.security.login.invalidInput", "Authorization header is missing, or request body is missing or invalid.", "Provide valid authentication."),
 
@@ -46,19 +46,11 @@ public void handleException(HttpServletRequest request, HttpServletResponse resp
             handleGatewayNotAvailable(request, response, ex);
         } else if (ex instanceof ServiceNotAccessibleException) {
             handleServiceNotAccessible(request, response, ex);
-        } else if (ex instanceof AccessTokenBodyNotValidException) {
-            handleInvalidAccessTokenBodyException(request, response, ex);
         } else {
             throw ex;
         }
     }
 
-    //400
-    private void handleInvalidAccessTokenBodyException(HttpServletRequest request, HttpServletResponse response, RuntimeException ex) throws ServletException {
-        log.debug(ERROR_MESSAGE_400, ex.getMessage());
-        writeErrorResponse(ErrorType.BAD_ACCESS_TOKEN_BODY.getErrorMessageKey(), HttpStatus.BAD_REQUEST, request, response);
-    }
-
     //500
     private void handleGatewayNotAvailable(HttpServletRequest request, HttpServletResponse response, RuntimeException ex) throws ServletException {
         log.debug(ERROR_MESSAGE_500, ex.getMessage());
 
@@ -15,36 +15,46 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.zowe.apiml.gateway.security.login.SuccessfulAccessTokenHandler;
 import org.zowe.apiml.security.common.error.AccessTokenBodyNotValidException;
-import org.zowe.apiml.security.common.error.ResourceAccessExceptionHandler;
+import org.zowe.apiml.security.common.error.AuthExceptionHandler;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletInputStream;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.util.Set;
+import java.util.stream.Collectors;
 
-@RequiredArgsConstructor
 /**
  * This filter will store the personal access information from the body as request attribute
  */
+@RequiredArgsConstructor
 public class StoreAccessTokenInfoFilter extends OncePerRequestFilter {
-    private static final String EXPIRATION_TIME = "expirationTime";
-    private final ResourceAccessExceptionHandler resourceAccessExceptionHandler;
+    public static final String TOKEN_REQUEST = "tokenRequest";
     private static final ObjectReader mapper = new ObjectMapper().reader();
+    private final AuthExceptionHandler authExceptionHandler;
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException {
         try {
             ServletInputStream inputStream = request.getInputStream();
             if (inputStream.available() != 0) {
-                int validity = mapper.readValue(inputStream, SuccessfulAccessTokenHandler.AccessTokenRequest.class).getValidity();
-                request.setAttribute(EXPIRATION_TIME, validity);
+                SuccessfulAccessTokenHandler.AccessTokenRequest accessTokenRequest = mapper.readValue(inputStream, SuccessfulAccessTokenHandler.AccessTokenRequest.class);
+                Set<String> scopes = accessTokenRequest.getScopes();
+                if (scopes == null || scopes.isEmpty()) {
+                    authExceptionHandler.handleException(request, response,  new AccessTokenBodyNotValidException("org.zowe.apiml.security.token.accessTokenBodyMissingScopes"));
+                    return;
+                }
+                accessTokenRequest.setScopes(scopes.stream().map(String::toLowerCase).collect(Collectors.toSet()));
+                request.setAttribute(TOKEN_REQUEST, accessTokenRequest);
+                filterChain.doFilter(request, response);
+            } else {
+                authExceptionHandler.handleException(request, response,  new AccessTokenBodyNotValidException("org.zowe.apiml.security.token.accessTokenBodyMissingScopes"));
             }
 
-            filterChain.doFilter(request, response);
         } catch (IOException e) {
-            resourceAccessExceptionHandler.handleException(request, response, new AccessTokenBodyNotValidException("The request body you provided is not valid"));
+            authExceptionHandler.handleException(request, response, new AccessTokenBodyNotValidException("org.zowe.apiml.security.query.invalidAccessTokenBody"));
         }
     }
 }
@@ -9,6 +9,7 @@
  */
 package org.zowe.apiml.security.common.handler;
 
+import lombok.Getter;
 import org.zowe.apiml.security.common.error.AuthExceptionHandler;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -26,6 +27,7 @@
 @Slf4j
 @Component("plainAuth")
 @RequiredArgsConstructor
+@Getter
 public class UnauthorizedHandler implements AuthenticationEntryPoint {
     private final AuthExceptionHandler handler;
 
 
@@ -9,9 +9,12 @@
  */
 package org.zowe.apiml.security.common.token;
 
+import java.util.Set;
+
 public interface AccessTokenProvider {
 
     void invalidateToken(String token) throws Exception;
     boolean isInvalidated(String token) throws Exception;
-    String getToken(String username, int expirationTime);
+    String getToken(String username, int expirationTime, Set<String> scopes);
+    boolean isValidForScopes(String token, String serviceId);
 }
@@ -125,8 +125,15 @@ messages:
       type: ERROR
       text: "Invalid body provided in request to create personal access token"
       reason: "The request body is not valid"
-      action: "Use a valid body in the request"
+      action: "Use a valid body in the request. Format of a message: {validity: int , scopes: [string]}."
 
+    # Personal access token messages
+    - key: org.zowe.apiml.security.token.accessTokenBodyMissingScopes
+      number: ZWEAT606
+      type: ERROR
+      text: "Body in the HTTP request for Personal Access Token does not contain scopes"
+      reason: "The request body is not valid"
+      action: "Provide a list of services for which this token will be valid"
     # Service specific messages
     # 700-999
 
 
@@ -22,19 +22,29 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.util.HashSet;
+import java.util.Set;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.zowe.apiml.security.common.filter.StoreAccessTokenInfoFilter.TOKEN_REQUEST;
 
 class SuccessfulAccessTokenHandlerTest {
     private final TokenAuthentication dummyAuth = new TokenAuthentication("user", "TEST_TOKEN_STRING");
     private SuccessfulAccessTokenHandler underTest;
     private AccessTokenProvider accessTokenProvider;
     private MockHttpServletRequest httpServletRequest;
     private MockHttpServletResponse httpServletResponse;
+    static Set<String> scopes = new HashSet<>();
+    static SuccessfulAccessTokenHandler.AccessTokenRequest accessTokenRequest = new SuccessfulAccessTokenHandler.AccessTokenRequest(80, scopes);
+
+    static {
+        scopes.add("gateway");
+    }
 
     @BeforeEach
     void setup() {
@@ -43,32 +53,30 @@ void setup() {
         accessTokenProvider = mock(AccessTokenProvider.class);
 
         underTest = new SuccessfulAccessTokenHandler(accessTokenProvider);
+        httpServletRequest.setAttribute(TOKEN_REQUEST, accessTokenRequest);
     }
 
     @Nested
     class WhenCallingOnAuthentication {
         @Test
         void thenReturn200() throws ServletException, IOException {
-            httpServletRequest.setAttribute("expirationTime", 90);
-            when(accessTokenProvider.getToken(any(), anyInt())).thenReturn("jwtToken");
+            when(accessTokenProvider.getToken(any(), anyInt(), any())).thenReturn("jwtToken");
             executeLoginHandler();
 
             assertEquals(HttpStatus.OK.value(), httpServletResponse.getStatus());
         }
 
         @Test
         void givenNullExpiration_thenReturn200() throws ServletException, IOException {
-            httpServletRequest.setAttribute("expirationTime", "");
-            when(accessTokenProvider.getToken(any(), anyInt())).thenReturn("jwtToken");
+            when(accessTokenProvider.getToken(any(), anyInt(), any())).thenReturn("jwtToken");
             executeLoginHandler();
 
             assertEquals(HttpStatus.OK.value(), httpServletResponse.getStatus());
         }
 
         @Test
         void givenResponseNotCommitted_thenThrowIOException() throws IOException {
-            httpServletRequest.setAttribute("expirationTime", 90);
-            when(accessTokenProvider.getToken(any(), anyInt())).thenReturn("jwtToken");
+            when(accessTokenProvider.getToken(any(), anyInt(), any())).thenReturn("jwtToken");
             HttpServletResponse servletResponse = mock(HttpServletResponse.class);
             PrintWriter mockWriter = mock(PrintWriter.class);
             when(servletResponse.getWriter()).thenReturn(mockWriter);