13 package org.springframework.security.oauth2.provider.authentication;
15 import java.util.Collection;
16 import java.util.Set;
18 import org.springframework.beans.factory.InitializingBean;
19 import org.springframework.security.authentication.AuthenticationManager;
20 import org.springframework.security.core.Authentication;
21 import org.springframework.security.core.AuthenticationException;
22 import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
23 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
24 import org.springframework.security.oauth2.provider.AuthorizationRequest;
25 import org.springframework.security.oauth2.provider.ClientDetails;
26 import org.springframework.security.oauth2.provider.ClientDetailsService;
27 import org.springframework.security.oauth2.provider.ClientRegistrationException;
28 import org.springframework.security.oauth2.provider.OAuth2Authentication;
29 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
30 import org.springframework.util.Assert;
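/**
 * An {@link AuthenticationManager} for resource servers. The incoming
 * {@link Authentication}'s principal is taken as the raw token value, resolved through the
 * configured {@link ResourceServerTokenServices}, and the resulting
 * {@link OAuth2Authentication} is then checked against this server's resource id and, when a
 * {@link ClientDetailsService} is configured, against the client's registration and scopes.
 * <p>
 * Only {@code tokenServices} is mandatory; {@code resourceId} and {@code clientDetailsService}
 * each switch on an additional check when set.
 */
public class OAuth2AuthenticationManager implements AuthenticationManager, InitializingBean {

	private ResourceServerTokenServices tokenServices;

	private ClientDetailsService clientDetailsService;

	private String resourceId;

	/**
	 * @param resourceId the resource id this server protects; when set, a token whose
	 * resource-id list is non-empty must include it
	 */
	public void setResourceId(String resourceId) {
		this.resourceId = resourceId;
	}

	/**
	 * @param clientDetailsService optional source of client registrations; when set, the
	 * token's client must still be registered and every token scope must be one the client
	 * is allowed
	 */
	public void setClientDetailsService(ClientDetailsService clientDetailsService) {
		this.clientDetailsService = clientDetailsService;
	}

	/**
	 * @param tokenServices the services used to resolve a token value into an
	 * {@link OAuth2Authentication} (required)
	 */
	public void setTokenServices(ResourceServerTokenServices tokenServices) {
		this.tokenServices = tokenServices;
	}

	/**
	 * Fails fast if the mandatory {@code tokenServices} has not been injected.
	 *
	 * @throws IllegalStateException if no token services are configured
	 */
	public void afterPropertiesSet() {
		Assert.state(tokenServices != null, "TokenServices are required");
	}

	/**
	 * Resolves the token carried as the principal of {@code authentication} and returns the
	 * stored {@link OAuth2Authentication} for it, marked as authenticated and carrying the
	 * request's details. Before returning, the token must pass the resource-id check and, if a
	 * {@link ClientDetailsService} is set, the client and scope checks.
	 *
	 * @param authentication the pre-authentication object whose principal is the token value
	 * @return the authenticated {@link OAuth2Authentication} behind the token
	 * @throws InvalidTokenException if no authentication or no string token is supplied, or the
	 * token services cannot resolve the token
	 * @throws OAuth2AccessDeniedException if the token is valid but not acceptable for this
	 * resource server or its client
	 */
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
		if (authentication == null) {
			throw new InvalidTokenException("Invalid token (token not found)");
		}
		Object principal = authentication.getPrincipal();
		if (!(principal instanceof String)) {
			// the principal is expected to be the raw token string; anything else is treated
			// as "no token" rather than surfacing a ClassCastException to the caller
			throw new InvalidTokenException("Invalid token (token not found)");
		}
		String token = (String) principal;
		OAuth2Authentication auth = tokenServices.loadAuthentication(token);
		if (auth == null) {
			// NOTE: this message echoes the presented token value; it is a credential, so the
			// layer that renders or logs this exception should avoid writing it to shared logs.
			throw new InvalidTokenException("Invalid token: " + token);
		}

		checkResourceId(auth);
		checkClientDetails(auth);

		Object requestDetails = authentication.getDetails();
		if (requestDetails instanceof OAuth2AuthenticationDetails) {
			OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) requestDetails;
			// keep the stored (decoded) details reachable from the request details object
			if (!details.equals(auth.getDetails())) {
				details.setDecodedDetails(auth.getDetails());
			}
		}
		auth.setDetails(requestDetails);
		auth.setAuthenticated(true);
		return auth;
	}

	/**
	 * Rejects a token whose resource-id list is non-empty but does not include this server's
	 * {@code resourceId}. A no-op when no resource id is configured.
	 *
	 * @throws OAuth2AccessDeniedException if the token names other resources but not this one
	 */
	private void checkResourceId(OAuth2Authentication auth) {
		if (resourceId == null) {
			return;
		}
		Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();
		// a token with no resource ids at all passes this check for every resource server;
		// tokens intended for a single resource should therefore list it explicitly
		if (resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
			throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + resourceId + ")");
		}
	}

	/**
	 * Verifies that the client named in the token is still registered and that every scope in
	 * the token is one that client is allowed. A no-op when no {@link ClientDetailsService} is
	 * configured.
	 *
	 * @throws OAuth2AccessDeniedException if the client cannot be loaded or a token scope is not
	 * permitted for it
	 */
	private void checkClientDetails(OAuth2Authentication auth) {
		if (clientDetailsService == null) {
			return;
		}
		ClientDetails client;
		try {
			client = clientDetailsService.loadClientByClientId(auth.getOAuth2Request().getClientId());
		}
		catch (ClientRegistrationException e) {
			// keep the lookup failure as the cause so the deny decision can be diagnosed
			throw new OAuth2AccessDeniedException("Invalid token contains invalid client id", e);
		}
		if (client == null) {
			// fail closed if a service returns null instead of throwing for an unknown client
			throw new OAuth2AccessDeniedException("Invalid token contains invalid client id");
		}
		Set<String> requested = auth.getOAuth2Request().getScope();
		if (requested == null) {
			return;
		}
		Set<String> allowed = client.getScope();
		for (String scope : requested) {
			// a client with no declared scopes permits none of the token's scopes
			if (allowed == null || !allowed.contains(scope)) {
				throw new OAuth2AccessDeniedException(
						"Invalid token contains disallowed scope (" + scope + ") for this client");
			}
		}
	}

}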