org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl クラス

org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl の継承関係図

org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl 連携図

公開メンバ関数
Response	requestEndSession (String idTokenHint, String postLogoutRedirectUri, String state, String sessionId, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext sec)
Response	httpBased (String postLogoutRedirectUri, String state, Pair< SessionId, AuthorizationGrant > pair)
Response	requestEndSession ( @QueryParam(EndSessionRequestParam.ID_TOKEN_HINT) @ApiParam(value="Previously issued ID Token (id_token) passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.", required=true) String idTokenHint, @QueryParam(EndSessionRequestParam.POST_LOGOUT_REDIRECT_URI) @ApiParam(value="URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout.", required=false) String postLogoutRedirectUri, @QueryParam(EndSessionRequestParam.STATE) @ApiParam(value="Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri parameter. If included in the logout request, the OP passes this value back to the RP using the state query parameter when redirecting the User Agent back to the RP.", required=false) String state, @QueryParam("session_id") @ApiParam(value="Session Id", required=false) String sessionId, @Context HttpServletRequest httpRequest, @Context HttpServletResponse httpResponse, @Context SecurityContext securityContext)

非公開メンバ関数
void	validateSessionIdRequestParameter (String sessionId)
void	validateIdTokenHint (String idTokenHint)
String	validatePostLogoutRedirectUri (String postLogoutRedirectUri, Pair< SessionId, AuthorizationGrant > pair)
Pair< SessionId, AuthorizationGrant >	endSession (String idTokenHint, String sessionId, HttpServletRequest httpRequest, HttpServletResponse httpResponse)
Set< String >	getRpFrontchannelLogoutUris (Pair< SessionId, AuthorizationGrant > pair)
SessionId	removeSessionId (String sessionId, HttpServletRequest httpRequest, HttpServletResponse httpResponse)
SessionId	removeConsentSessionId (HttpServletRequest httpRequest, HttpServletResponse httpResponse)
String	constructPage (Set< String > logoutUris, String postLogoutUrl, String state)
void	auditLogging (HttpServletRequest request, Pair< SessionId, AuthorizationGrant > pair)

非公開変数類
Logger	log
ErrorResponseFactory	errorResponseFactory
RedirectionUriService	redirectionUriService
AuthorizationGrantList	authorizationGrantList
ExternalApplicationSessionService	externalApplicationSessionService
SessionIdService	sessionIdService
ClientService	clientService
GrantService	grantService
Identity	identity
ApplicationAuditLogger	applicationAuditLogger
AppConfiguration	appConfiguration

詳解

著者

Javier Rojas Blum

Yuriy Movchan

Yuriy Zabrovarnyy

バージョン

August 9, 2017

関数詳解

auditLogging()

void org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.auditLogging ( HttpServletRequest  request, Pair< SessionId, AuthorizationGrant >  pair  )

inlineprivate

                                                                                                    {
        SessionId sessionId = pair.getFirst();
        AuthorizationGrant authorizationGrant = pair.getSecond();

        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.SESSION_DESTROYED);
        oAuth2AuditLog.setSuccess(true);

        if (authorizationGrant != null) {
                oAuth2AuditLog.setClientId(authorizationGrant.getClientId());
                oAuth2AuditLog.setScope(StringUtils.join(authorizationGrant.getScopes(), " "));
                oAuth2AuditLog.setUsername(authorizationGrant.getUserId());
        } else if (sessionId != null) {
            oAuth2AuditLog.setClientId(sessionId.getPermissionGrantedMap().getClientIds(true).toString());
            oAuth2AuditLog.setScope(sessionId.getSessionAttributes().get(AuthorizeRequestParam.SCOPE));
            oAuth2AuditLog.setUsername(sessionId.getUserDn());
        }

        applicationAuditLogger.sendMessage(oAuth2AuditLog);
    }

constructPage()

String org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.constructPage ( Set< String >  logoutUris, String  postLogoutUrl, String  state  )

inlineprivate

                                                                                             {
        String iframes = "";
        for (String logoutUri : logoutUris) {
            iframes = iframes + String.format("<iframe height=\"0\" width=\"0\" src=\"%s\"></iframe>", logoutUri);
        }

        String html = "<!DOCTYPE html>" +
                "<html>" +
                "<head>";

        if (!Util.isNullOrEmpty(postLogoutUrl)) {

            if (!Util.isNullOrEmpty(state)) {
                if (postLogoutUrl.contains("?")) {
                    postLogoutUrl += "&state=" + state;
                } else {
                    postLogoutUrl += "?state=" + state;
                }
            }

            html += "<script>" +
                    "window.onload=function() {" +
                    "window.location='" + postLogoutUrl + "'" +
                    "}" +
                    "</script>";
        }

        html += "<title>Gluu Generated logout page</title>" +
                "</head>" +
                "<body>" +
                "Logout requests sent.<br/>" +
                iframes +
                "</body>" +
                "</html>";
        return html;
    }

endSession()

Pair<SessionId, AuthorizationGrant> org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.endSession ( String  idTokenHint, String  sessionId, HttpServletRequest  httpRequest, HttpServletResponse  httpResponse  )

inlineprivate

                                                                                                                                                                   {
        AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByIdToken(idTokenHint);
        if (authorizationGrant == null) {
            Boolean endSessionWithAccessToken = appConfiguration.getEndSessionWithAccessToken();
            if ((endSessionWithAccessToken != null) && endSessionWithAccessToken) {
                authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(idTokenHint);
            }
        }

        SessionId ldapSessionId = removeSessionId(sessionId, httpRequest, httpResponse);
        if ((authorizationGrant == null) && (ldapSessionId == null)) {
            log.info("Failed to find out authorization grant for id_token_hint '{}' and session_id '{}'", idTokenHint, sessionId);

            //see https://github.com/GluuFederation/oxAuth/issues/575
            return new Pair<SessionId, AuthorizationGrant>(null, null);
        }
        
        // Clean up authorization session
        removeConsentSessionId(httpRequest, httpResponse);

        boolean isExternalLogoutPresent;
        boolean externalLogoutResult = false;

        isExternalLogoutPresent = externalApplicationSessionService.isEnabled();
        if (isExternalLogoutPresent && (ldapSessionId != null)) {
            String userName = ldapSessionId.getSessionAttributes().get(Constants.AUTHENTICATED_USER);
            externalLogoutResult = externalApplicationSessionService.executeExternalEndSessionMethods(httpRequest, ldapSessionId);
            log.info("End session result for '{}': '{}'", userName, "logout", externalLogoutResult);
        }

        boolean isGrantAndExternalLogoutSuccessful = isExternalLogoutPresent && externalLogoutResult;
        if (isExternalLogoutPresent && !isGrantAndExternalLogoutSuccessful) {
            errorResponseFactory.throwUnauthorizedException(EndSessionErrorResponseType.INVALID_GRANT);
        }

        if (ldapSessionId != null) {
            grantService.removeAllTokensBySession(ldapSessionId.getDn());
        }

        if (identity != null) {
            identity.logout();
        }

        return new Pair<SessionId, AuthorizationGrant>(ldapSessionId, authorizationGrant);
    }

getRpFrontchannelLogoutUris()

Set<String> org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.getRpFrontchannelLogoutUris ( Pair< SessionId, AuthorizationGrant >  pair )

inlineprivate

                                                                                              {
        final Set<String> result = Sets.newHashSet();

        SessionId sessionId = pair.getFirst();
        AuthorizationGrant authorizationGrant = pair.getSecond();
        if (sessionId == null) {
            log.error("session_id is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_id." +
                    "Http based html will contain no iframes.");
            return result;
        }

        final Set<Client> clientsByDns = sessionId.getPermissionGrantedMap() != null ?
                clientService.getClient(sessionId.getPermissionGrantedMap().getClientIds(true), true) :
                Sets.<Client>newHashSet();
        if (authorizationGrant != null) {
            clientsByDns.add(authorizationGrant.getClient());
        }

        for (Client client : clientsByDns) {
            String[] logoutUris = client.getFrontChannelLogoutUri();

            if (logoutUris == null) {
                continue;
            }

            for (String logoutUri : logoutUris) {
                if (Util.isNullOrEmpty(logoutUri)) {
                    continue; // skip client if logout_uri is blank
                }

                if (client.getFrontChannelLogoutSessionRequired() != null && client.getFrontChannelLogoutSessionRequired()) {
                    if (logoutUri.contains("?")) {
                        logoutUri = logoutUri + "&sid=" + sessionId.getId();
                    } else {
                        logoutUri = logoutUri + "?sid=" + sessionId.getId();
                    }
                }
                result.add(logoutUri);
            }
        }
        return result;
    }

httpBased()

Response org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.httpBased ( String  postLogoutRedirectUri, String  state, Pair< SessionId, AuthorizationGrant >  pair  )

inline

                                                                                                                    {
        final String redirectUri = validatePostLogoutRedirectUri(postLogoutRedirectUri, pair);
        final Set<String> frontchannelLogoutUris = getRpFrontchannelLogoutUris(pair);
        final String html = constructPage(frontchannelLogoutUris, redirectUri, state);
        log.debug("Constructed http logout page: " + html);
        return Response.ok().
                cacheControl(ServerUtil.cacheControl(true, true)).
                header("Pragma", "no-cache").
                type(MediaType.TEXT_HTML_TYPE).entity(html).
                build();
    }

removeConsentSessionId()

SessionId org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.removeConsentSessionId ( HttpServletRequest  httpRequest, HttpServletResponse  httpResponse  )

inlineprivate

                                                                                                               {
        SessionId ldapSessionId = null;

        try {
            String id = sessionIdService.getConsentSessionIdFromCookie(httpRequest);

            if (StringHelper.isNotEmpty(id)) {
                ldapSessionId = sessionIdService.getSessionId(id);
                if (ldapSessionId != null) {
                    boolean result = sessionIdService.remove(ldapSessionId);
                    if (!result) {
                        log.error("Failed to remove consent_session_id '{}'", id);
                    }
                } else {
                    log.error("Failed to load session by consent_session_id: '{}'", id);
                }
            }
        } catch (Exception e) {
            log.error(e.getMessage(), e);
        } finally {
            sessionIdService.removeConsentSessionIdCookie(httpResponse);
        }
        return ldapSessionId;
    }

removeSessionId()

SessionId org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.removeSessionId ( String  sessionId, HttpServletRequest  httpRequest, HttpServletResponse  httpResponse  )

inlineprivate

                                                                                                                          {
        SessionId ldapSessionId = null;

        try {
            String id = sessionId;
            if (StringHelper.isEmpty(id)) {
                id = sessionIdService.getSessionIdFromCookie(httpRequest);
            }

            if (StringHelper.isNotEmpty(id)) {
                ldapSessionId = sessionIdService.getSessionId(id);
                if (ldapSessionId != null) {
                    boolean result = sessionIdService.remove(ldapSessionId);
                    if (!result) {
                        log.error("Failed to remove session_id '{}'", id);
                    }
                } else {
                    log.error("Failed to load session by session_id: '{}'", id);
                }
            }
        } catch (Exception e) {
            log.error(e.getMessage(), e);
        } finally {
            sessionIdService.removeSessionIdCookie(httpResponse);
        }
        return ldapSessionId;
    }

requestEndSession() [1/2]

Response org.xdi.oxauth.session.ws.rs.EndSessionRestWebService.requestEndSession ( @QueryParam(EndSessionRequestParam.ID_TOKEN_HINT) @ApiParam(value="Previously issued ID Token (id_token) passed to the logout endpoint as a hint about the End-User's current authenticated session with the Client. This is used as an indication of the identity of the End-User that the RP is requesting be logged out by the OP. The OP need not be listed as an audience of the ID Token when it is used as an id_token_hint value.", required=true) String  idTokenHint, @QueryParam(EndSessionRequestParam.POST_LOGOUT_REDIRECT_URI) @ApiParam(value="URL to which the RP is requesting that the End-User's User Agent be redirected after a logout has been performed. The value MUST have been previously registered with the OP, either using the post_logout_redirect_uris Registration parameter or via another mechanism. If supplied, the OP SHOULD honor this request following the logout.", required=false) String  postLogoutRedirectUri, @QueryParam(EndSessionRequestParam.STATE) @ApiParam(value="Opaque value used by the RP to maintain state between the logout request and the callback to the endpoint specified by the post_logout_redirect_uri parameter. If included in the logout request, the OP passes this value back to the RP using the state query parameter when redirecting the User Agent back to the RP.", required=false) String  state, @QueryParam("session_id") @ApiParam(value="Session Id", required=false) String  sessionId, @Context HttpServletRequest  httpRequest, @Context HttpServletResponse  httpResponse, @Context SecurityContext  securityContext  )

inherited

requestEndSession() [2/2]

Response org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.requestEndSession ( String  idTokenHint, String  postLogoutRedirectUri, String  state, String  sessionId, HttpServletRequest  httpRequest, HttpServletResponse  httpResponse, SecurityContext  sec  )

inline

                                                                                                                             {
        log.debug("Attempting to end session, idTokenHint: {}, postLogoutRedirectUri: {}, sessionId: {}, Is Secure = {}",
                idTokenHint, postLogoutRedirectUri, sessionId, sec.isSecure());

        validateIdTokenHint(idTokenHint);
        validateSessionIdRequestParameter(sessionId);

        final Pair<SessionId, AuthorizationGrant> pair = endSession(idTokenHint, sessionId, httpRequest, httpResponse);

        auditLogging(httpRequest, pair);

        //Perform redirect to RP if id_token is expired (see https://github.com/GluuFederation/oxAuth/issues/575)
        // yuriyz : we have to re-visit this since it doesn't look safe to redirect error to uri which is not validated.
        if (pair.getFirst() == null && pair.getSecond() == null && StringUtils.isNotBlank(postLogoutRedirectUri)) {
            try {
                String error = errorResponseFactory.getErrorAsJson(EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION);
                return Response.temporaryRedirect(new URI(postLogoutRedirectUri)).entity(error).build();
            } catch (URISyntaxException e) {
                log.error("Can't perform redirect", e);
            }
        }

        return httpBased(postLogoutRedirectUri, state, pair);
    }

validateIdTokenHint()

void org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.validateIdTokenHint ( String  idTokenHint )

inlineprivate

                                                         {
        // id_token_hint is not required but if it is present then we must validate it #831
        if (StringUtils.isNotBlank(idTokenHint)) {
            AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByIdToken(idTokenHint);
            if (authorizationGrant == null) {
                final String reason = "id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided.";
                log.error(reason);
                throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(
                        errorResponseFactory.errorAsJson(EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, reason)).build());
            }
        }
    }

validatePostLogoutRedirectUri()

String org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.validatePostLogoutRedirectUri ( String  postLogoutRedirectUri, Pair< SessionId, AuthorizationGrant >  pair  )

inlineprivate

                                                                                                                         {
        try {
            if (pair.getSecond() == null) {
                return redirectionUriService.validatePostLogoutRedirectUri(pair.getFirst(), postLogoutRedirectUri);
            } else {
                return redirectionUriService.validatePostLogoutRedirectUri(pair.getSecond().getClient().getClientId(), postLogoutRedirectUri);
            }
        } catch (WebApplicationException e) {
            if (pair.getFirst() != null) { // session_id was found and removed
                String reason = "Session was removed successfully but redirect to post_logout_redirect_uri fails since AS failed to validate it against clients associated with session (which was just removed).";
                log.error(reason, e);
                throw new WebApplicationException(Response.status(Response.Status.OK).entity(
                        errorResponseFactory.errorAsJson(EndSessionErrorResponseType.POST_LOGOUT_URI_NOT_ASSOCIATED_WITH_CLIENT, reason)).build());
            } else {
                throw e;
            }
        }
    }

validateSessionIdRequestParameter()

void org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.validateSessionIdRequestParameter ( String  sessionId )

inlineprivate

                                                                     {
        // session_id is not required but if it is present then we must validate it #831
        if (StringUtils.isNotBlank(sessionId)) {
            SessionId sessionIdObject = sessionIdService.getSessionId(sessionId);;
            if (sessionIdObject == null) {
                final String reason = "session_id parameter in request is not valid. Logout is rejected. session_id parameter in request can be skipped or otherwise valid value must be provided.";
                log.error(reason);
                throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(
                        errorResponseFactory.errorAsJson(EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, reason)).build());
            }
        }
    }

メンバ詳解

appConfiguration

AppConfiguration org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.appConfiguration

private

applicationAuditLogger

ApplicationAuditLogger org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.applicationAuditLogger

private

authorizationGrantList

AuthorizationGrantList org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.authorizationGrantList

private

clientService

ClientService org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.clientService

private

errorResponseFactory

ErrorResponseFactory org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.errorResponseFactory

private

externalApplicationSessionService

ExternalApplicationSessionService org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.externalApplicationSessionService

private

grantService

GrantService org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.grantService

private

identity

Identity org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.identity

private

log

Logger org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.log

private

redirectionUriService

RedirectionUriService org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.redirectionUriService

private

sessionIdService

SessionIdService org.xdi.oxauth.session.ws.rs.EndSessionRestWebServiceImpl.sessionIdService

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/OpenId/gluu/src/oxAuth/Server/src/main/java/org/xdi/oxauth/session/ws/rs/EndSessionRestWebServiceImpl.java