HttpSessionBasedTokenServices.java example

Explorer
spring-security-oauth-master
/*
 * Copyright 2008 Web Cohesion
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.security.oauth.consumer.token;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth.consumer.OAuthConsumerToken;
import org.springframework.security.oauth.consumer.OAuthSecurityContext;
import org.springframework.security.oauth.consumer.OAuthSecurityContextHolder;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Stores the tokens in an HTTP session.
 *
 * @author Ryan Heaton
 */
public class HttpSessionBasedTokenServices implements OAuthConsumerTokenServices {

  public static final String KEY_PREFIX = "OAUTH_TOKEN";


  public OAuthConsumerToken getToken(String resourceId) throws AuthenticationException {
    HttpSession session = getSession();
    OAuthConsumerToken consumerToken = (OAuthConsumerToken) session.getAttribute(KEY_PREFIX + "#" + resourceId);
    if (consumerToken != null) {
      Long expiration = (Long) session.getAttribute(KEY_PREFIX + "#" + resourceId + "#EXPIRATION");
      if (expiration != null && (System.currentTimeMillis() > expiration)) {
        //token expired; remove it
        removeToken(resourceId);
        consumerToken = null;
      }
    }

    return consumerToken;
  }

  public void storeToken(String resourceId, OAuthConsumerToken token) {
    HttpSession session = getSession();
    session.setAttribute(KEY_PREFIX + "#" + resourceId, token);

    //adding support for oauth session extension (http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html)
    Long expiration = null;
    String expiresInValue = token.getAdditionalParameters() != null ? token.getAdditionalParameters().get("oauth_expires_in") : null;
    if (expiresInValue != null) {
      try {
        expiration = System.currentTimeMillis() + (Integer.parseInt(expiresInValue) * 1000);
      }
      catch (NumberFormatException e) {
        //fall through.
      }
    }

    if (expiration != null) {
      session.setAttribute(KEY_PREFIX + "#" + resourceId + "#EXPIRATION", expiration);
    }
  }

  public void removeToken(String resourceId) {
    getSession().removeAttribute(KEY_PREFIX + "#" + resourceId);
  }

  protected HttpSession getSession() {
    OAuthSecurityContext context = OAuthSecurityContextHolder.getContext();
    if (context == null) {
      throw new IllegalStateException("A security context must be established.");
    }

    HttpServletRequest request;
    try {
      request = (HttpServletRequest) context.getDetails();
    }
    catch (ClassCastException e) {
      throw new IllegalStateException("The security context must have the HTTP servlet request as its details.");
    }

    if (request == null) {
      throw new IllegalStateException("The security context must have the HTTP servlet request as its details.");
    }

    HttpSession session = request.getSession(true);
    if (session == null) {
      throw new IllegalStateException("Unable to create a session in which to store the tokens.");
    }

    return session;
  }

}