1   package org.springframework.security.oauth2.provider.endpoint;
2   
3   import org.springframework.security.oauth2.provider.AuthorizationRequest;
4   import org.springframework.security.web.csrf.CsrfToken;
5   import org.springframework.web.bind.annotation.RequestMapping;
6   import org.springframework.web.bind.annotation.SessionAttributes;
7   import org.springframework.web.servlet.ModelAndView;
8   import org.springframework.web.servlet.View;
9   import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
10  import org.springframework.web.util.HtmlUtils;
11  
12  import javax.servlet.http.HttpServletRequest;
13  import javax.servlet.http.HttpServletResponse;
14  import java.util.Map;
15  
16  /**
17   * Controller for displaying the approval page for the authorization server.
18   * 
19   * @author Dave Syer
20   */
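@FrameworkEndpoint
@SessionAttributes("authorizationRequest")
public class WhitelabelApprovalEndpoint {

	/**
	 * Renders the default (whitelabel) approval page.
	 * <p>
	 * The page is generated up front by {@link #createTemplate(Map, HttpServletRequest)} and then served
	 * verbatim by an anonymous {@link View}. If the request carries a CSRF token under the {@code _csrf}
	 * attribute it is copied into the model so that the template can embed it in every form it emits.
	 *
	 * @param model   the model, expected to hold the session-scoped {@code authorizationRequest}
	 * @param request the current request
	 * @return a {@link ModelAndView} whose view writes the pre-rendered HTML
	 * @throws Exception if the view cannot be rendered
	 */
	@RequestMapping("/oauth/confirm_access")
	public ModelAndView getAccessConfirmation(Map<String, Object> model, HttpServletRequest request) throws Exception {
		final String approvalContent = createTemplate(model, request);
		Object csrf = request.getAttribute("_csrf");
		if (csrf != null) {
			model.put("_csrf", csrf);
		}
		View approvalView = new View() {
			@Override
			public String getContentType() {
				return "text/html";
			}

			@Override
			public void render(Map<String, ?> viewModel, HttpServletRequest viewRequest, HttpServletResponse response)
					throws Exception {
				// The markup was fully rendered before the view was created; the view model is not consulted.
				response.setContentType(getContentType());
				response.getWriter().append(approvalContent);
			}
		};
		return new ModelAndView(approvalView, model);
	}

	/**
	 * Builds the HTML of the approval page.
	 * <p>
	 * Every dynamic value that ends up in the markup (client id, context path, CSRF parameter name and
	 * token, scope names) goes through {@link HtmlUtils#htmlEscape(String)} before being appended, so a
	 * registered client id or a scope name cannot inject markup into the page.
	 *
	 * @param model   the model, expected to hold the session-scoped {@code authorizationRequest} and
	 *                optionally {@code _csrf} and {@code scopes}
	 * @param request the current request; {@code _csrf} and {@code scopes} are also looked up as request
	 *                attributes when they are absent from the model
	 * @return the complete HTML document
	 * @throws IllegalStateException if the model holds no {@code authorizationRequest}
	 */
	protected String createTemplate(Map<String, Object> model, HttpServletRequest request) {
		AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get("authorizationRequest");
		if (authorizationRequest == null) {
			throw new IllegalStateException("No authorizationRequest in the model; the approval page requires one");
		}
		String clientId = authorizationRequest.getClientId();

		// Escaped once and reused as the action prefix of both forms; it is written into an HTML attribute.
		String requestPath = HtmlUtils.htmlEscape(contextPath(request));
		// Empty when no CSRF token is available, so it can be appended unconditionally.
		String csrfTemplate = createCsrfField(model, request);

		StringBuilder builder = new StringBuilder();
		builder.append("<html><body><h1>OAuth Approval</h1>");
		builder.append("<p>Do you authorize \"").append(HtmlUtils.htmlEscape(clientId));
		builder.append("\" to access your protected resources?</p>");
		builder.append("<form id=\"confirmationForm\" name=\"confirmationForm\" action=\"");
		builder.append(requestPath).append("/oauth/authorize\" method=\"post\">");
		builder.append("<input name=\"user_oauth_approval\" value=\"true\" type=\"hidden\"/>");
		builder.append(csrfTemplate);

		String authorizeInputTemplate = "<label><input name=\"authorize\" value=\"Authorize\" type=\"submit\"/></label></form>";

		if (model.containsKey("scopes") || request.getAttribute("scopes") != null) {
			// Per-scope approval: the single form carries one approve/deny radio pair per scope.
			builder.append(createScopes(model, request));
			builder.append(authorizeInputTemplate);
		} else {
			// All-or-nothing approval: a second form posts user_oauth_approval=false.
			builder.append(authorizeInputTemplate);
			builder.append("<form id=\"denialForm\" name=\"denialForm\" action=\"");
			builder.append(requestPath).append("/oauth/authorize\" method=\"post\">");
			builder.append("<input name=\"user_oauth_approval\" value=\"false\" type=\"hidden\"/>");
			builder.append(csrfTemplate);
			builder.append("<label><input name=\"deny\" value=\"Deny\" type=\"submit\"/></label></form>");
		}

		builder.append("</body></html>");

		return builder.toString();
	}

	/**
	 * Returns the context path of the current request, or {@code ""} when none can be determined.
	 *
	 * @param request the current request
	 * @return the (unescaped) context path, never {@code null}
	 */
	private static String contextPath(HttpServletRequest request) {
		String path = ServletUriComponentsBuilder.fromContextPath(request).build().getPath();
		return path == null ? "" : path;
	}

	/**
	 * Returns the hidden CSRF input to embed in each form, or {@code ""} when no token is available.
	 * The token is taken from the model when present there and from the {@code _csrf} request attribute
	 * otherwise; both the parameter name and the token value are HTML-escaped.
	 *
	 * @param model   the model
	 * @param request the current request
	 * @return the hidden input markup, or an empty string
	 */
	private static String createCsrfField(Map<String, Object> model, HttpServletRequest request) {
		CsrfToken csrfToken = (CsrfToken) (model.containsKey("_csrf") ? model.get("_csrf") : request.getAttribute("_csrf"));
		if (csrfToken == null) {
			return "";
		}
		return "<input type=\"hidden\" name=\"" + HtmlUtils.htmlEscape(csrfToken.getParameterName())
				+ "\" value=\"" + HtmlUtils.htmlEscape(csrfToken.getToken()) + "\" />";
	}

	/**
	 * Renders one approve/deny radio pair per scope as an unordered list.
	 * <p>
	 * The scope map is taken from the model when the {@code scopes} key is present and from the
	 * {@code scopes} request attribute otherwise. A scope whose value is the string {@code "true"} is
	 * pre-selected as approved; any other value pre-selects deny. A missing map yields an empty list.
	 *
	 * @param model   the model
	 * @param request the current request
	 * @return the {@code <ul>} markup
	 */
	private CharSequence createScopes(Map<String, Object> model, HttpServletRequest request) {
		@SuppressWarnings("unchecked")
		Map<String, String> scopes = (Map<String, String>) (model.containsKey("scopes") ?
				model.get("scopes") : request.getAttribute("scopes"));
		StringBuilder builder = new StringBuilder("<ul>");
		if (scopes != null) {
			for (Map.Entry<String, String> entry : scopes.entrySet()) {
				boolean approved = "true".equals(entry.getValue());
				// The escaped name serves both as label text and as the radio group name.
				String scope = HtmlUtils.htmlEscape(entry.getKey());

				builder.append("<li><div class=\"form-group\">");
				builder.append(scope).append(": <input type=\"radio\" name=\"");
				builder.append(scope).append("\" value=\"true\"").append(approved ? " checked" : "").append(">Approve</input> ");
				builder.append("<input type=\"radio\" name=\"").append(scope).append("\" value=\"false\"");
				builder.append(approved ? "" : " checked").append(">Deny</input></div></li>");
			}
		}
		builder.append("</ul>");
		return builder.toString();
	}
}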
114 }