diff --git a/src/main/java/org/gcube/portal/oidc/lr62/InvalidTokenException.java b/src/main/java/org/gcube/portal/oidc/lr62/InvalidTokenException.java
new file mode 100644
index 0000000..eaa70bb
--- /dev/null
+++ b/src/main/java/org/gcube/portal/oidc/lr62/InvalidTokenException.java
@@ -0,0 +1,22 @@
+package org.gcube.portal.oidc.lr62;
+
+public class InvalidTokenException extends OIDCException {
+
+ private static final long serialVersionUID = 6104023137356404839L;
+
+ public InvalidTokenException() {
+ }
+
+ public InvalidTokenException(String message) {
+ super(message);
+ }
+
+ public InvalidTokenException(Throwable cause) {
+ super(cause);
+ }
+
+ public InvalidTokenException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+}
diff --git a/src/main/java/org/gcube/portal/oidc/lr62/MissingTokenException.java b/src/main/java/org/gcube/portal/oidc/lr62/MissingTokenException.java
new file mode 100644
index 0000000..7102e6f
--- /dev/null
+++ b/src/main/java/org/gcube/portal/oidc/lr62/MissingTokenException.java
@@ -0,0 +1,22 @@
+package org.gcube.portal.oidc.lr62;
+
+public class MissingTokenException extends OIDCException {
+
+ private static final long serialVersionUID = -3156396867055045014L;
+
+ public MissingTokenException() {
+ }
+
+ public MissingTokenException(String message) {
+ super(message);
+ }
+
+ public MissingTokenException(Throwable cause) {
+ super(cause);
+ }
+
+ public MissingTokenException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+}
diff --git a/src/main/java/org/gcube/portal/oidc/lr62/NotAuthorizedException.java b/src/main/java/org/gcube/portal/oidc/lr62/NotAuthorizedException.java
new file mode 100644
index 0000000..edaff0d
--- /dev/null
+++ b/src/main/java/org/gcube/portal/oidc/lr62/NotAuthorizedException.java
@@ -0,0 +1,22 @@
+package org.gcube.portal.oidc.lr62;
+
+public class NotAuthorizedException extends OIDCException {
+
+ private static final long serialVersionUID = 67891107946900764L;
+
+ public NotAuthorizedException() {
+ }
+
+ public NotAuthorizedException(String message) {
+ super(message);
+ }
+
+ public NotAuthorizedException(Throwable cause) {
+ super(cause);
+ }
+
+ public NotAuthorizedException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+}
diff --git a/src/main/java/org/gcube/portal/oidc/lr62/OIDCException.java b/src/main/java/org/gcube/portal/oidc/lr62/OIDCException.java
new file mode 100644
index 0000000..9b21a98
--- /dev/null
+++ b/src/main/java/org/gcube/portal/oidc/lr62/OIDCException.java
@@ -0,0 +1,31 @@
+package org.gcube.portal.oidc.lr62;
+
+public class OIDCException extends Exception {
+
+ private static final long serialVersionUID = -882800971125567037L;
+
+ public OIDCException() {
+ // TODO Auto-generated constructor stub
+ }
+
+ public OIDCException(String message) {
+ super(message);
+ // TODO Auto-generated constructor stub
+ }
+
+ public OIDCException(Throwable cause) {
+ super(cause);
+ // TODO Auto-generated constructor stub
+ }
+
+ public OIDCException(String message, Throwable cause) {
+ super(message, cause);
+ // TODO Auto-generated constructor stub
+ }
+
+ public OIDCException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+ super(message, cause, enableSuppression, writableStackTrace);
+ // TODO Auto-generated constructor stub
+ }
+
+}
diff --git a/src/main/java/org/gcube/portal/oidc/lr62/OIDCUmaUtil.java b/src/main/java/org/gcube/portal/oidc/lr62/OIDCUmaUtil.java
index e63dfda..b0227f5 100644
--- a/src/main/java/org/gcube/portal/oidc/lr62/OIDCUmaUtil.java
+++ b/src/main/java/org/gcube/portal/oidc/lr62/OIDCUmaUtil.java
@@ -17,7 +17,11 @@ import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import com.liferay.portal.kernel.exception.PortalException;
+import com.liferay.portal.kernel.exception.SystemException;
import com.liferay.portal.model.User;
+import com.liferay.portal.service.UserLocalServiceUtil;
+import com.liferay.portal.util.PortalUtil;
public class OIDCUmaUtil {
@@ -25,7 +29,7 @@ public class OIDCUmaUtil {
private static final boolean REFRESH_UMA_TOKEN = false;
private static final String LOGOUT_URI = "/c/portal/logout";
- private static final boolean FORCE_LOGOUT_ON_INVALID_OIDC = true;
+ private static final boolean FORCE_LOGOUT_ON_INVALID_TOKEN = true;
private static final boolean FORCE_LOGOUT_ON_MISSING_OIDC = true;
private static final boolean FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR = true;
private static final int MAX_AUTHORIZATION_RETRY_ATTEMPTS = 4;
@@ -76,19 +80,109 @@ public class OIDCUmaUtil {
}
}
+ /**
+ * Used to request a temporary UMA/RPT token to the OIDC server in a specific context for an user.
+ *
+ * The OIDC access token in the {@link JWTCacheProxy} for the user in the current session will be used.
+ *
+ * @param request the current HTTP request
+ * @param screenName the user's user id
+ * @param scope the scope to issue the token for (e.g. "/gcube")
+ * @return the temporary token in the requested context for the user
+ * @throws UMAException if a generic error related to the UMA/RPT token issue occurs
+ * @throws InvalidTokenException if the OIDC access token is become invalid for the user
+ * @throws MissingTokenException if the OIDC token is missing for the user in the cache proxy
+ * @throws RefreshException if an error occurs refreshing the OIDC token that is expired
+ * @throws NotAuthorizedException if the user is not authorized to access the requested context
+ */
+ public static JWTToken getUMAToken(HttpServletRequest request, Long userId, String scope)
+ throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
+ NotAuthorizedException {
- public static void checkUMATicketAndProvideInThreadLocal(HttpServletRequest request, HttpServletResponse response,
- User user, HttpSession session, String scope) {
+ return getUMAToken(request, userId, scope, true);
+ }
+
+ private static JWTToken getUMAToken(HttpServletRequest request, Long userId, String scope, boolean temporary)
+ throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
+ NotAuthorizedException {
+
+ try {
+ return getUMAToken(request, UserLocalServiceUtil.getUser(userId), scope, temporary);
+ } catch (PortalException | SystemException e) {
+ throw new UMAException("Cannot get liferay user from userId", e);
+ }
+ }
+
+ /**
+ * Used to request a temporary UMA/RPT token to the OIDC server in a specific context for an user.
+ *
+ * The OIDC access token in the {@link JWTCacheProxy} for the user in the current session will be used.
+ *
+ * @param request the current HTTP request
+ * @param screenName the user's screen name
+ * @param scope the scope to issue the token for (e.g. "/gcube")
+ * @return the temporary token in the requested context for the user
+ * @throws UMAException if a generic error related to the UMA/RPT token issue occurs
+ * @throws InvalidTokenException if the OIDC access token is become invalid for the user
+ * @throws MissingTokenException if the OIDC token is missing for the user in the cache proxy
+ * @throws RefreshException if an error occurs refreshing the OIDC token that is expired
+ * @throws NotAuthorizedException if the user is not authorized to access the requested context
+ */
+ public static JWTToken getUMAToken(HttpServletRequest request, String screenName, String scope)
+ throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
+ NotAuthorizedException {
+
+ return getUMAToken(request, screenName, scope, true);
+ }
+
+ private static JWTToken getUMAToken(HttpServletRequest request, String screenName, String scope, boolean temporary)
+ throws UMAException, InvalidTokenException, MissingTokenException, RefreshException,
+ NotAuthorizedException {
+
+ try {
+ return getUMAToken(request,
+ UserLocalServiceUtil.getUserByScreenName(PortalUtil.getCompanyId(request), screenName), scope, temporary);
+
+ } catch (PortalException | SystemException e) {
+ throw new UMAException("Cannot get liferay user from companyId and screenName", e);
+ }
+ }
+
+ public static JWTToken getUMAToken(HttpServletRequest request, User user, String scope)
+ throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
+ UMAException {
+
+ return getUMAToken(request, user, scope, true);
+ }
+
+ private static JWTToken getUMAToken(HttpServletRequest request, User user, String scope, boolean temporary)
+ throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
+ UMAException {
+
+ return getUMAToken(request, user, request.getSession(false), scope, temporary);
+ }
+
+// public static JWTToken getUMAToken(HttpServletRequest request, User user, HttpSession session, String scope)
+// throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
+// UMAException {
+//
+// return getUMAToken(request, user, session, scope, true);
+// }
+
+ private static JWTToken getUMAToken(HttpServletRequest request, User user, HttpSession session, String scope,
+ boolean temporary)
+ throws InvalidTokenException, MissingTokenException, RefreshException, NotAuthorizedException,
+ UMAException {
if (user == null) {
- log.error("Current user not found, cannot continue");
- return;
+ log.error("User is null, cannot continue");
+ return null;
}
log.debug("Current user is: {} [{}]", user.getScreenName(), user.getEmailAddress());
if (session == null) {
log.debug("Session is null, cannot continue");
- return;
+ throw new UMAException("Session is null");
}
String sessionId = session.getId();
log.debug("Current session ID is {}", sessionId);
@@ -99,14 +193,15 @@ public class OIDCUmaUtil {
} catch (UnsupportedEncodingException e) {
// Almost impossible
log.error("Cannot URL encode scope", e);
- return;
+ return null;
}
log.debug("URL encoded scope is: {}", urlEncodedScope);
JWTToken umaToken = null;
- synchronized (JWTCacheProxy.getInstance().getMutexFor(user)) {
+ JWTCacheProxy jwtCacheProxy = JWTCacheProxy.getInstance();
+ synchronized (jwtCacheProxy.getMutexFor(user)) {
log.trace("Getting UMA token for user {}, and session {}", user.getScreenName(), sessionId);
- umaToken = JWTCacheProxy.getInstance().getUMAToken(user, sessionId);
+ umaToken = jwtCacheProxy.getUMAToken(user, sessionId);
if (umaToken != null && !umaToken.isExpired() && umaToken.getAud().contains(urlEncodedScope)) {
log.trace("Current UMA token is OK {}", umaToken.getTokenEssentials());
} else {
@@ -124,17 +219,13 @@ public class OIDCUmaUtil {
log.debug("Setting the refreshed UMA token in cache proxy for user {}, and session]",
user.getScreenName(), sessionId);
- JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
+ // This is independent from "temporary" setting since is a refresh of an expired token
+ // issued for the same context
+ jwtCacheProxy.setUMAToken(user, sessionId, umaToken);
} catch (OpenIdConnectRESTHelperException e) {
if (e.hasJSONPayload()) {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
- if (FORCE_LOGOUT_ON_INVALID_OIDC) {
- log.warn("OIDC token is become invalid, forcing redirect to logout URI");
- forceLogout(response);
- } else {
- log.warn("OIDC token is become invalid, cannot continue");
- }
- return;
+ throw new InvalidTokenException("UMA token become invalid", e);
} else if (OpenIdConnectRESTHelper.isTokenNotActiveError(e.getResponseString())) {
log.info("UMA token is no more active, get new one");
} else {
@@ -148,7 +239,7 @@ public class OIDCUmaUtil {
"Removing inactive UMA token from cache proxy if present for user {} and session {}",
user.getScreenName(), sessionId);
- JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
+ jwtCacheProxy.removeUMAToken(user, sessionId);
}
} else {
log.debug("Suitable UMA token found but it is expired."
@@ -159,7 +250,7 @@ public class OIDCUmaUtil {
log.debug("Removing inactive UMA token from cache proxy if present for user {} and session {}",
user.getScreenName(), sessionId);
- JWTCacheProxy.getInstance().removeUMAToken(user, sessionId);
+ jwtCacheProxy.removeUMAToken(user, sessionId);
}
}
if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
@@ -174,15 +265,9 @@ public class OIDCUmaUtil {
log.debug("Getting OIDC token from cache proxy for user {} and session {}", user.getScreenName(),
sessionId);
- JWTToken authToken = JWTCacheProxy.getInstance().getOIDCToken(user, sessionId);
+ JWTToken authToken = jwtCacheProxy.getOIDCToken(user, sessionId);
if (authToken == null) {
- if (FORCE_LOGOUT_ON_MISSING_OIDC) {
- log.debug("OIDC token is null in cache proxy, force redirecting to logut URI");
- forceLogout(response);
- } else {
- log.debug("OIDC token is null in cache proxy, cannot continue!");
- }
- return;
+ throw new MissingTokenException("Token is null in proxy");
} else {
log.debug("OIDC token is {}", authToken.getTokenEssentials());
}
@@ -214,16 +299,10 @@ public class OIDCUmaUtil {
authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(),
authToken);
} catch (OpenIdConnectRESTHelperException e) {
- if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
- log.warn("Error refreshing OIDC token, force redirecting to logut URI");
- forceLogout(response);
- } else {
- log.error("Refreshing OIDC token on server", e);
- }
- return;
+ throw new RefreshException("Refreshing OIDC token", e);
}
log.debug("Setting refreshed OIDC token in cache proxy");
- JWTCacheProxy.getInstance().setOIDCToken(user, sessionId, authToken);
+ jwtCacheProxy.setOIDCToken(user, sessionId, authToken);
}
log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
@@ -233,13 +312,7 @@ public class OIDCUmaUtil {
} catch (OpenIdConnectRESTHelperException e) {
if (e.hasJSONPayload()) {
if (OpenIdConnectRESTHelper.isInvalidBearerTokenError(e.getResponseString())) {
- if (FORCE_LOGOUT_ON_INVALID_OIDC) {
- log.warn("OIDC token is become invalid, forcing redirect to logout URI");
- forceLogout(response);
- } else {
- log.error("OIDC token is become invalid, cannot continue");
- }
- return;
+ throw new InvalidTokenException("OIDC token is become invalid", e);
} else if (OpenIdConnectRESTHelper
.isAccessDeniedNotAuthorizedError(e.getResponseString())) {
@@ -257,29 +330,66 @@ public class OIDCUmaUtil {
ie.printStackTrace();
}
} else {
- log.warn("OIDC token refresh attempts exhausted");
- return;
+ throw new NotAuthorizedException("OIDC token refresh attempts exhausted");
}
}
} else {
- log.error("Getting UMA token from server", e);
- return;
+ throw new UMAException(e);
}
}
} while (isNotAuthorized);
}
- log.debug("Setting UMA token in cache proxy for user {} and session {}", user.getScreenName(),
- sessionId);
+ if (!temporary) {
+ log.debug("Setting UMA token in cache proxy for user {} and session {}", user.getScreenName(),
+ sessionId);
- JWTCacheProxy.getInstance().setUMAToken(user, sessionId, umaToken);
+ jwtCacheProxy.setUMAToken(user, sessionId, umaToken);
+ }
}
}
+ return umaToken;
+ }
- log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
+ public static void checkUMATicketAndProvideInThreadLocal(HttpServletRequest request, HttpServletResponse response,
+ User user, HttpSession session, String scope) {
+
+ try {
+ JWTToken umaToken = getUMAToken(request, user, scope, false);
+ log.trace("Current UMA token in use is: {}", umaToken.getTokenEssentials());
+
+ log.debug("Setting UMA token with jti {} in UMA JWT provider", umaToken.getJti());
+ UmaJWTProvider.instance.set(umaToken.getRaw());
+ } catch (MissingTokenException e) {
+ if (FORCE_LOGOUT_ON_MISSING_OIDC) {
+ log.debug("OIDC token is null in cache proxy, force redirecting to logut URI");
+ forceLogout(response);
+ } else {
+ log.debug("OIDC token is null in cache proxy, cannot continue");
+ }
+ return;
+ } catch (RefreshException e) {
+ if (FORCE_LOGOUT_ON_OIDC_REFRESH_ERROR) {
+ log.warn("Error refreshing OIDC token, force redirecting to logut URI");
+ forceLogout(response);
+ } else {
+ log.error("Refreshing OIDC token on server", e);
+ }
+ return;
+ } catch (InvalidTokenException e) {
+ if (FORCE_LOGOUT_ON_INVALID_TOKEN) {
+ log.warn("OIDC token is become invalid, forcing redirect to logout URI");
+ forceLogout(response);
+ } else {
+ log.error("OIDC token is become invalid, cannot continue");
+ }
+ return;
+ } catch (NotAuthorizedException e) {
+ log.error("", e);
+ } catch (UMAException e) {
+ log.error("Getting UMA token from server", e);
+ }
- log.debug("Setting UMA token with jti {} in UMA JWT provider", umaToken.getJti());
- UmaJWTProvider.instance.set(umaToken.getRaw());
}
protected static void forceLogout(HttpServletResponse response) {
diff --git a/src/main/java/org/gcube/portal/oidc/lr62/RefreshException.java b/src/main/java/org/gcube/portal/oidc/lr62/RefreshException.java
new file mode 100644
index 0000000..a009266
--- /dev/null
+++ b/src/main/java/org/gcube/portal/oidc/lr62/RefreshException.java
@@ -0,0 +1,22 @@
+package org.gcube.portal.oidc.lr62;
+
+public class RefreshException extends OIDCException {
+
+ private static final long serialVersionUID = -8657006296380516704L;
+
+ public RefreshException() {
+ }
+
+ public RefreshException(String message) {
+ super(message);
+ }
+
+ public RefreshException(Throwable cause) {
+ super(cause);
+ }
+
+ public RefreshException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+}
diff --git a/src/main/java/org/gcube/portal/oidc/lr62/UMAException.java b/src/main/java/org/gcube/portal/oidc/lr62/UMAException.java
new file mode 100644
index 0000000..ac63046
--- /dev/null
+++ b/src/main/java/org/gcube/portal/oidc/lr62/UMAException.java
@@ -0,0 +1,26 @@
+package org.gcube.portal.oidc.lr62;
+
+public class UMAException extends Exception {
+
+ private static final long serialVersionUID = 9158301486748240970L;
+
+ public UMAException() {
+ }
+
+ public UMAException(String message) {
+ super(message);
+ }
+
+ public UMAException(Throwable cause) {
+ super(cause);
+ }
+
+ public UMAException(String message, Throwable cause) {
+ super(message, cause);
+ }
+
+ public UMAException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) {
+ super(message, cause, enableSuppression, writableStackTrace);
+ }
+
+}