com.sap.cloud.security.oauth2

Class OAuthAuthorization

java.lang.Object

com.sap.cloud.security.oauth2.OAuthAuthorization

public abstract class OAuthAuthorization
extends Object

An abstract class used to access OAuthAuthorization implementation.

Field Summary

Fields

Modifier and Type	Field and Description
static String	ACCESS_FORBIDDEN Error code passed as a httpRequest parameter attribute with a name reason, in case of faild authorization.
static String	INVALID_ACCESS_TOKEN Error code passed as a httpRequest parameter attribute with a name reason in case of failed authorization when the passed access token does not exist or when it has already expired.
static String	MISSING_ACCESS_TOKEN Error code passed as a httpRequest parameter attribute with a name reason in case of failed authorization when the access token is not passed as an HTTP "Authorization" request header.

Constructor Summary

Constructors

Constructor and Description
OAuthAuthorization()

Method Summary

Methods

Modifier and Type	Method and Description
static OAuthAuthorization	getOAuthAuthorizationService() Returns OAuth Authorization object that is used to perform the protected resource access check by retrieving from the Authorization Server the scopes associated with the given Access Token.
abstract boolean	isAuthorized(HttpServletRequest httpRequest) This method is only for authentication purpose with the given Access Token.
abstract boolean	isAuthorized(HttpServletRequest httpRequest, Set<String> scopes) Performs the protected resource access check by retrieving from the Authorization Server the scopes associated with the given Access Token, compares them with the passed scopes and checks the Token validity.
abstract boolean	isAuthorized(HttpServletRequest httpRequest, String scope) Performs the protected resource access check by retrieving from the Authorization Server the scopes associated with the given Access Token, compares them with the passed scopes and checks the Token validity.
abstract boolean	isAuthorized(Set<String> scopes) Performs the protected resource access check by retrieving the scopes from the currently logged in user and comparing them with the passed scopes.
abstract boolean	isAuthorized(String scope) Performs the protected resource access check by retrieving the scopes from the currently logged in user and comparing them with the passed scope.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ACCESS_FORBIDDEN

public static final String ACCESS_FORBIDDEN

Error code passed as a httpRequest parameter attribute with a name reason, in case of faild authorization.

See Also:

Constant Field Values

MISSING_ACCESS_TOKEN

public static final String MISSING_ACCESS_TOKEN

Error code passed as a httpRequest parameter attribute with a name reason in case of failed authorization when the access token is not passed as an HTTP "Authorization" request header.

See Also:

Constant Field Values

INVALID_ACCESS_TOKEN

public static final String INVALID_ACCESS_TOKEN

Error code passed as a httpRequest parameter attribute with a name reason in case of failed authorization when the passed access token does not exist or when it has already expired.

See Also:

Constant Field Values

Constructor Detail

OAuthAuthorization

public OAuthAuthorization()

Method Detail

getOAuthAuthorizationService

public static OAuthAuthorization getOAuthAuthorizationService()

Returns OAuth Authorization object that is used to perform the protected resource access check by retrieving from the Authorization Server the scopes associated with the given Access Token.

Returns:

Returns OAuthAuthorization object

isAuthorized

public abstract boolean isAuthorized(HttpServletRequest httpRequest)
                              throws OAuthSystemException

This method is only for authentication purpose with the given Access Token. Use this method for accessing a public resource, accessible for any scope. Access token must be passed by using the HTTP "Authorization" request header field. The value of this header must be the token type and access token value. The currently supported token type is "bearer".

For example the header could look like:

 "Authorization: Bearer mF_9.B5f-4.1JqM"
 

The given example is provided for illustration purposes only.

Parameters:

httpRequest -

Returns:

true - Resource access request is successful and the authentication with access token is successful. On success two attributes are passed in the request: "user_id" - Id of the user that performs the request and "client_id" - Id of the client for which the access token is issued.

false - Resource access request fails. The passed token is not available or expired for the current client. In this case the error's reason can be retrieve from request's attributes with a name "reason".

Throws:

OAuthSystemException - In case of communication errors between the OAuth Resource Server and the Authorization Server.

isAuthorized

public abstract boolean isAuthorized(HttpServletRequest httpRequest,
                   String scope)
                              throws OAuthSystemException

Performs the protected resource access check by retrieving from the Authorization Server the scopes associated with the given Access Token, compares them with the passed scopes and checks the Token validity. Access token must be passed by using the HTTP "Authorization" request header field. The value of this header must be the token type and access token value. The currently supported token type is "bearer".

For example the header could look like:

 "Authorization: Bearer mF_9.B5f-4.1JqM"
 

The given example is provided for illustration purposes only.

Parameters:

httpRequest -

scope - - Scope for which the protected resource access is performed

Returns:

true - Resource access request is successful. This means that all scopes passed as an input parameter are access token scopes and the token has not expired.
On success two attributes are passed in the request: "user_id" - Id of the user that performs the request and "client_id" - Id of the client for which the access token is issued.

false - Resource access request fails. In this case the error's reason can be retrieve from request's attributes with a name "reason".

Throws:

OAuthSystemException - In case of communication errors between the OAuth Resource Server and the Authorization Server.

isAuthorized

public abstract boolean isAuthorized(String scope)
                              throws OAuthSystemException

Performs the protected resource access check by retrieving the scopes from the currently logged in user and comparing them with the passed scope.

Parameters:

scope - - Scope for which the protected resource access is performed

Returns:

true - Resource access request is successful. This means that the scope passed as an input parameter was granted to the currently logged in user.

false - Resource access request fails.

Throws:

OAuthSystemException - In case of communication errors between the OAuth Resource Server and the Authorization Server.

isAuthorized

public abstract boolean isAuthorized(HttpServletRequest httpRequest,
                   Set<String> scopes)
                              throws OAuthSystemException

Performs the protected resource access check by retrieving from the Authorization Server the scopes associated with the given Access Token, compares them with the passed scopes and checks the Token validity. Access token must be passed by using the HTTP "Authorization" request header field. The value of this header must be the token type and access token value. The currently supported token type is "bearer".

For example the header could look like:

 "Authorization: Bearer mF_9.B5f-4.1JqM"
 

The given example is provided for illustration purposes only.

Parameters:

httpRequest -

scopes - - Scopes for which the protected resource access is performed.

Returns:

true - Resource access request is successful. This means that all scopes passed as an input parameter are access token scopes and the token has not expired.
On success two attributes are passed in the request: "user_id" - Id of the user that performs the request and "client_id" - Id of the client for which the access token is issued.

false - Resource access request fails. In this case the error's reason can be retrieve from request's attributes with a name "reason".

Throws:

OAuthSystemException - In case of communication errors between the OAuth Resource Server and the Authorization Server.

isAuthorized

public abstract boolean isAuthorized(Set<String> scopes)
                              throws OAuthSystemException

Performs the protected resource access check by retrieving the scopes from the currently logged in user and comparing them with the passed scopes.

Parameters:

scopes - - Scopes for which the protected resource access is performed.

Returns:

true - Resource access request is successful. This means that all scopes passed as an input parameter were granted to the currently logged in user.

false - Resource access request fails.

Throws:

OAuthSystemException - In case of communication errors between the OAuth Resource Server and the Authorization Server.