1 package org.springframework.security.oauth2.provider.endpoint;
2
3 import org.springframework.security.oauth2.provider.AuthorizationRequest;
4 import org.springframework.security.web.csrf.CsrfToken;
5 import org.springframework.web.bind.annotation.RequestMapping;
6 import org.springframework.web.bind.annotation.SessionAttributes;
7 import org.springframework.web.servlet.ModelAndView;
8 import org.springframework.web.servlet.View;
9 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
10 import org.springframework.web.util.HtmlUtils;
11
12 import javax.servlet.http.HttpServletRequest;
13 import javax.servlet.http.HttpServletResponse;
14 import java.util.Map;
15
16
17
18
19
20
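/**
 * Default ("whitelabel") approval page for the OAuth 2.0 authorization flow.
 *
 * <p>Renders a minimal HTML page asking the resource owner whether the client named in the
 * pending {@code authorizationRequest} may access their resources, and posts the decision
 * back to {@code /oauth/authorize}. When a {@code scopes} map is present the page offers a
 * per-scope approve/deny choice; otherwise it offers a plain approve form and a deny form.
 *
 * <p>Every value interpolated into the markup (client id, scope names, CSRF parameter name and
 * token, and the context path used for the form action) is passed through
 * {@link HtmlUtils#htmlEscape(String)}, so the page is rendered safely regardless of where
 * those values originate.
 */
@FrameworkEndpoint
@SessionAttributes("authorizationRequest")
public class WhitelabelApprovalEndpoint {

    /** Path, relative to the context root, that receives the resource owner's decision. */
    private static final String AUTHORIZE_PATH = "/oauth/authorize";

    /** Submit control that closes the approval form; shared by both page variants. */
    private static final String AUTHORIZE_INPUT =
            "<label><input name=\"authorize\" value=\"Authorize\" type=\"submit\"/></label></form>";

    /**
     * Serves the approval page.
     *
     * @param model   the model handed over by the authorization endpoint; must contain an
     *                {@code authorizationRequest} and may contain {@code scopes} and {@code _csrf}
     * @param request the current request; its {@code _csrf} and {@code scopes} attributes are
     *                consulted when the model does not carry those keys
     * @return a {@link ModelAndView} whose view writes the pre-rendered HTML as {@code text/html}
     * @throws Exception if rendering the template fails
     */
    @RequestMapping("/oauth/confirm_access")
    public ModelAndView getAccessConfirmation(Map<String, Object> model, HttpServletRequest request) throws Exception {
        // Render eagerly so template problems surface in the handler rather than during view rendering.
        final String approvalContent = createTemplate(model, request);
        Object csrf = request.getAttribute("_csrf");
        if (csrf != null) {
            model.put("_csrf", csrf);
        }
        View approvalView = new View() {
            @Override
            public String getContentType() {
                return "text/html";
            }

            @Override
            public void render(Map<String, ?> model, HttpServletRequest request, HttpServletResponse response) throws Exception {
                // The page was fully rendered above; the view only writes it out.
                response.setContentType(getContentType());
                response.getWriter().append(approvalContent);
            }
        };
        return new ModelAndView(approvalView, model);
    }

    /**
     * Builds the HTML for the approval page.
     *
     * @param model   the model; must contain an {@code authorizationRequest}
     * @param request the current request, used for the context path and as a fallback source
     *                of the {@code _csrf} and {@code scopes} attributes
     * @return the complete HTML document
     * @throws IllegalStateException if the model holds no {@code authorizationRequest}
     */
    protected String createTemplate(Map<String, Object> model, HttpServletRequest request) {
        AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get("authorizationRequest");
        if (authorizationRequest == null) {
            // Reaching this page without a pending request is a wiring error; fail clearly instead of with an NPE.
            throw new IllegalStateException(
                    "No authorizationRequest in model; /oauth/confirm_access must be reached via /oauth/authorize");
        }
        String clientId = authorizationRequest.getClientId();

        // The context path is server configuration rather than user input, but it is escaped anyway so
        // that every attribute value in the page goes through the same encoder.
        String requestPath = ServletUriComponentsBuilder.fromContextPath(request).build().getPath();
        String formAction = HtmlUtils.htmlEscape(requestPath == null ? "" : requestPath) + AUTHORIZE_PATH;

        // Empty when no CSRF token is available; appended to every form that posts a decision.
        String csrfInput = createCsrfInput(model, request);

        StringBuilder builder = new StringBuilder();
        builder.append("<html><body><h1>OAuth Approval</h1>");
        builder.append("<p>Do you authorize \"").append(HtmlUtils.htmlEscape(clientId));
        builder.append("\" to access your protected resources?</p>");
        builder.append("<form id=\"confirmationForm\" name=\"confirmationForm\" action=\"");
        builder.append(formAction).append("\" method=\"post\">");
        builder.append("<input name=\"user_oauth_approval\" value=\"true\" type=\"hidden\"/>");
        builder.append(csrfInput);

        if (model.containsKey("scopes") || request.getAttribute("scopes") != null) {
            // Per-scope choice: the single form carries approve/deny radios for each scope.
            builder.append(createScopes(model, request));
            builder.append(AUTHORIZE_INPUT);
        } else {
            // No scope detail: offer an all-or-nothing approve form plus a separate deny form.
            builder.append(AUTHORIZE_INPUT);
            builder.append("<form id=\"denialForm\" name=\"denialForm\" action=\"");
            builder.append(formAction).append("\" method=\"post\">");
            builder.append("<input name=\"user_oauth_approval\" value=\"false\" type=\"hidden\"/>");
            builder.append(csrfInput);
            builder.append("<label><input name=\"deny\" value=\"Deny\" type=\"submit\"/></label></form>");
        }

        builder.append("</body></html>");
        return builder.toString();
    }

    /**
     * Builds the hidden CSRF field, or returns an empty string when no token is available.
     * The model's {@code _csrf} entry takes precedence over the request attribute of the same name.
     */
    private static String createCsrfInput(Map<String, Object> model, HttpServletRequest request) {
        CsrfToken csrfToken = (CsrfToken) (model.containsKey("_csrf") ? model.get("_csrf") : request.getAttribute("_csrf"));
        if (csrfToken == null) {
            return "";
        }
        return "<input type=\"hidden\" name=\"" + HtmlUtils.htmlEscape(csrfToken.getParameterName())
                + "\" value=\"" + HtmlUtils.htmlEscape(csrfToken.getToken()) + "\" />";
    }

    /**
     * Builds the per-scope approve/deny radio list.
     *
     * @param model   the model; its {@code scopes} entry, when present, is a map from scope name to
     *                {@code "true"}/{@code "false"} indicating the pre-selected choice
     * @param request fallback source of the {@code scopes} attribute
     * @return an HTML list with one approve/deny radio pair per scope
     */
    private CharSequence createScopes(Map<String, Object> model, HttpServletRequest request) {
        @SuppressWarnings("unchecked")
        Map<String, String> scopes = (Map<String, String>) (model.containsKey("scopes") ?
                model.get("scopes") : request.getAttribute("scopes"));
        StringBuilder builder = new StringBuilder("<ul>");
        for (Map.Entry<String, String> entry : scopes.entrySet()) {
            // Anything other than the literal "true" pre-selects "Deny".
            boolean preApproved = "true".equals(entry.getValue());
            String approved = preApproved ? " checked" : "";
            String denied = preApproved ? "" : " checked";
            String scope = HtmlUtils.htmlEscape(entry.getKey());

            builder.append("<li><div class=\"form-group\">");
            builder.append(scope).append(": <input type=\"radio\" name=\"");
            builder.append(scope).append("\" value=\"true\"").append(approved).append(">Approve</input> ");
            builder.append("<input type=\"radio\" name=\"").append(scope).append("\" value=\"false\"");
            builder.append(denied).append(">Deny</input></div></li>");
        }
        builder.append("</ul>");
        return builder.toString();
    }
}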