From fb26284c00e09e656732eb7ca4570afd052e0067 Mon Sep 17 00:00:00 2001 From: Jacek Kowalski <Jacek@jacekk.info> Date: Fri, 21 Jun 2024 11:47:01 +0000 Subject: [PATCH] Improve error reporting in CAS ticket validation --- src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java | 27 +++++++++++---------------- 1 files changed, 11 insertions(+), 16 deletions(-) diff --git a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java index 2330cdc..e166bb0 100644 --- a/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java +++ b/src/main/java/org/keycloak/protocol/cas/endpoints/AbstractValidateEndpoint.java @@ -95,7 +95,7 @@ throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Malformed service ticket", Response.Status.BAD_REQUEST); } - Boolean isreuse = ticket.startsWith(CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX); + boolean isReusable = ticket.startsWith(CASLoginProtocol.PROXY_GRANTING_TICKET_PREFIX); String[] parsed = DOT.split(ticket.substring(prefix.length()), 3); if (parsed.length != 3) { @@ -103,20 +103,12 @@ throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the code", Response.Status.BAD_REQUEST); } + String codeUUID = parsed[0]; String userSessionId = parsed[1]; String clientUUID = parsed[2]; event.detail(Details.CODE_ID, userSessionId); event.session(userSessionId); - - // Parse UUID - String codeUUID; - try { - codeUUID = parsed[0]; - } catch (IllegalArgumentException re) { - event.error(Errors.INVALID_CODE); - throw new CASValidationException(CASErrorCode.INVALID_TICKET_SPEC, "Invalid format of the UUID in the code", Response.Status.BAD_REQUEST); - } // Retrieve UserSession UserSessionModel userSession = new UserSessionCrossDCManager(session).getUserSessionWithClient(realm, userSessionId, clientUUID); @@ -125,28 +117,31 @@ userSession = session.sessions().getUserSession(realm, userSessionId); if (userSession == null) { event.error(Errors.USER_SESSION_NOT_FOUND); - throw new CASValidationException(CASErrorCode.INVALID_TICKET, "User session not found", Response.Status.BAD_REQUEST); + throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } } clientSession = userSession.getAuthenticatedClientSessionByClient(clientUUID); if (clientSession == null) { + event.error(Errors.INVALID_CODE); throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } SingleUseObjectProvider codeStore = session.singleUseObjects(); - Map<String, String> codeDataSerialized = isreuse? codeStore.get(prefix + codeUUID) : codeStore.remove(prefix + codeUUID); + Map<String, String> codeDataSerialized = isReusable ? codeStore.get(prefix + codeUUID) : codeStore.remove(prefix + codeUUID); // Either code not available if (codeDataSerialized == null) { - throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code already used", Response.Status.BAD_REQUEST); + event.error(Errors.INVALID_CODE); + throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } OAuth2Code codeData = OAuth2Code.deserializeCode(codeDataSerialized); String persistedUserSessionId = codeData.getUserSessionId(); if (!userSessionId.equals(persistedUserSessionId)) { - throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code "+codeUUID+"' is bound to a different session", Response.Status.BAD_REQUEST); + event.error(Errors.INVALID_CODE); + throw new CASValidationException(CASErrorCode.INVALID_TICKET, "Code not valid", Response.Status.BAD_REQUEST); } // Finally doublecheck if code is not expired @@ -181,7 +176,7 @@ } else { if (!client.getClientId().equals(clientSession.getClient().getClientId())) { event.error(Errors.INVALID_CODE); - throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Auth error", Response.Status.BAD_REQUEST); + throw new CASValidationException(CASErrorCode.INVALID_SERVICE, "Invalid service", Response.Status.BAD_REQUEST); } } @@ -213,7 +208,7 @@ this.pgtIou = pgtIou; } catch (Exception e) { event.error(Errors.INVALID_REQUEST); - throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback return with error", Response.Status.BAD_REQUEST); + throw new CASValidationException(CASErrorCode.PROXY_CALLBACK_ERROR, "Proxy callback returned an error", Response.Status.BAD_REQUEST); } } -- Gitblit v1.9.1