Author: sergeyb
Date: Fri Dec 9 13:25:10 2011
New Revision: 1212397
URL: http://svn.apache.org/viewvc?rev=1212397&view=rev
Log:
[CXF-3967] Adding UserSubject which OAuth filters may optionally use to create SecurityContexts
Added:
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
(with props)
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
Fri Dec 9 13:25:10 2011
@@ -33,6 +33,7 @@ public abstract class Token {
private Client client;
private List<String> scopes = Collections.emptyList();
private List<String> uris = Collections.emptyList();
+ private UserSubject subject;
protected Token(Client client, String tokenKey,
String tokenSecret, long lifetime, long issuedAt) {
@@ -115,4 +116,12 @@ public abstract class Token {
this.uris = uris;
}
+ public void setSubject(UserSubject subject) {
+ this.subject = subject;
+ }
+
+ public UserSubject getSubject() {
+ return subject;
+ }
+
}
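Review bot: The new setSubject/getSubject accessors carry no Javadoc, and getSubject's null contract matters to callers: the field is only populated when AuthorizationRequestHandler attaches a subject at end-user approval, so most tokens will return null. Suggest `/** Returns the end-user subject captured when this token was approved, or null if none was captured. */` on getSubject and a matching sentence on setSubject, so that filters consuming it know a null check is required.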
Added: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java?rev=1212397&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
Fri Dec 9 13:25:10 2011
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth.data;
+
+import java.util.List;
+
+/**
+ * Represents a user alias or login name which AuthorizationService
+ * may capture after the end user approved a given third party request
+ */
+public class UserSubject {
+
+ private String login;
+ private List<String> roles;
+
+ public void setLogin(String login) {
+ this.login = login;
+ }
+
+ public String getLogin() {
+ return login;
+ }
+
+ public void setRoles(List<String> roles) {
+ this.roles = roles;
+ }
+
+ public List<String> getRoles() {
+ return roles;
+ }
+
+
+}
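Review bot: `roles` is never initialised, so getRoles() returns null for any subject whose SecurityContext was not a LoginSecurityContext (the only branch in AuthorizationRequestHandler that calls setRoles), and AbstractAuthFilter's new isUserInRole dereferences `subject.getRoles().contains(role)` without a guard, which throws at role-check time. Mirroring Token's `scopes`/`uris` defaults avoids this: `private List<String> roles = Collections.emptyList();` (with `java.util.Collections` imported). The setter also stores the caller's list directly; storing a copy, e.g. `this.roles = roles == null ? Collections.<String>emptyList() : new ArrayList<String>(roles);`, keeps the subject's roles from changing after the token has been approved. The class Javadoc could also state that roles is optional.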
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
Fri Dec 9 13:25:10 2011
@@ -35,6 +35,7 @@ import org.apache.cxf.common.security.Si
import org.apache.cxf.rs.security.oauth.data.AccessToken;
import org.apache.cxf.rs.security.oauth.data.Client;
import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
+import org.apache.cxf.rs.security.oauth.data.UserSubject;
import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
@@ -43,7 +44,7 @@ import org.apache.cxf.security.SecurityC
* Base OAuth filter which can be used to protect end-user endpoints
*/
public class AbstractAuthFilter {
-
+ protected static final String USE_USER_SUBJECT = "org.apache.cxf.rs.security.oauth.use_user_subject";
private static final Logger LOG = LogUtils.getL7dLogger(AbstractAuthFilter.class);
private static final String[] REQUIRED_PARAMETERS =
new String[] {
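Review bot: USE_USER_SUBJECT is introduced without Javadoc even though enabling it changes whose identity the resulting SecurityContext reports — the end user captured at approval instead of the OAuth client — which is the kind of switch an integrator needs spelled out. Suggest `/** Contextual property / init parameter; when "true" the SecurityContext is built from the UserSubject captured at end-user approval rather than from the Client. */` above the constant. Stating where it is read (message contextual property in OAuthRequestFilter, servlet context init parameter in OAuthServletFilter) would also help.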
@@ -78,7 +79,8 @@ public class AbstractAuthFilter {
* @throws Exception
* @throws OAuthProblemException
*/
- public OAuthInfo handleOAuthRequest(HttpServletRequest req) throws
+ protected OAuthInfo handleOAuthRequest(HttpServletRequest req,
+ boolean useUserSubject) throws
Exception, OAuthProblemException {
if (LOG.isLoggable(Level.FINE)) {
LOG.log(Level.FINE, "OAuth security filter for url: {0}", req.getRequestURL());
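Review bot: handleOAuthRequest goes from public to protected and gains a parameter, and the OAuthInfo constructor (OAuthInfo.java hunk) drops its three-argument form, so any existing external caller of either stops compiling; if that is not intended, keep a delegating overload such as `public OAuthInfo handleOAuthRequest(HttpServletRequest req) throws Exception, OAuthProblemException { return handleOAuthRequest(req, false); }` and a three-argument OAuthInfo constructor delegating with `false`. The Javadoc directly above the signature is not updated for the new parameter; add `@param useUserSubject if true the returned OAuthInfo reports the token's UserSubject, if any, as the principal rather than the client`. The method body continues outside this hunk.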
@@ -101,6 +103,9 @@ public class AbstractAuthFilter {
client = accessToken.getClient();
} else {
+ // TODO: the secret may not be included and only used to create a signature
+ // so the header will effectively be similar to the one used during
+ // RequestToken requests; we'd need to handle this case too
String consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
String consumerSecret = oAuthMessage.getParameter("oauth_consumer_secret");
client = dataProvider.getClient(consumerKey);
@@ -129,7 +134,7 @@ public class AbstractAuthFilter {
checkNoAccessTokenIsAllowed(client, accessToken, perm);
}
- return new OAuthInfo(client, accessToken, permissions);
+ return new OAuthInfo(client, accessToken, permissions, useUserSubject);
}
@@ -164,17 +169,26 @@ public class AbstractAuthFilter {
protected SecurityContext createSecurityContext(HttpServletRequest request,
final OAuthInfo info) {
request.setAttribute("oauth_authorities", info.getRoles());
+ final UserSubject subject = info.getToken().getSubject();
return new SecurityContext() {
public Principal getUserPrincipal() {
- return new SimplePrincipal(info.getClient().getLoginName());
+ String login = info.useUserSubject()
+ ? (subject != null ? subject.getLogin() : null)
+ : info.getClient().getLoginName();
+ return new SimplePrincipal(login);
}
public boolean isUserInRole(String role) {
- List<String> roles = info.getRoles();
- for (String authority : roles) {
- if (authority.equals(role)) {
- return true;
+ if (info.useUserSubject()) {
+ return subject != null
+ ? info.getToken().getSubject().getRoles().contains(role) : false;
+ } else {
+ List<String> roles = info.getRoles();
+ for (String authority : roles) {
+ if (authority.equals(role)) {
+ return true;
+ }
}
}
return false;
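Review bot: getUserPrincipal wraps a null login in SimplePrincipal when useUserSubject is enabled but the token carries no subject, and isUserInRole answers false in the same case, so the request proceeds with a principal whose getName() is null instead of being rejected. Under this mode a token without a subject means the end-user identity the resource was told to rely on is absent, which should fail closed — preferably in handleOAuthRequest before the context is created, by raising an OAuthProblemException when `useUserSubject && accessToken.getSubject() == null`, rather than leaving every resource to null-check the principal name. Separately, isUserInRole re-fetches `info.getToken().getSubject().getRoles()` although `subject` is already captured on the line above the anonymous class; `subject.getRoles().contains(role)` is what the null check is guarding. createSecurityContext continues past the end of the hunk.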
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
Fri Dec 9 13:25:10 2011
@@ -32,10 +32,15 @@ public class OAuthInfo {
private Client client;
private AccessToken token;
private List<OAuthPermission> permissions;
- public OAuthInfo(Client client, AccessToken token, List<OAuthPermission> permissions)
{
+ private boolean useUserSubject;
+ public OAuthInfo(Client client,
+ AccessToken token,
+ List<OAuthPermission> permissions,
+ boolean useUserSubject) {
this.client = client;
this.token = token;
this.permissions = permissions;
+ this.useUserSubject = useUserSubject;
}
public Client getClient() {
return client;
@@ -52,5 +57,8 @@ public class OAuthInfo {
return authorities;
}
+ public boolean useUserSubject() {
+ return useUserSubject;
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
Fri Dec 9 13:25:10 2011
@@ -28,6 +28,7 @@ import org.apache.cxf.jaxrs.ext.MessageC
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.security.SecurityContext;
/**
@@ -40,7 +41,9 @@ public class OAuthRequestFilter extends
public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
try {
- OAuthInfo info = handleOAuthRequest(mc.getHttpServletRequest());
+
+ OAuthInfo info = handleOAuthRequest(
+ mc.getHttpServletRequest(), MessageUtils.isTrue(m.getContextualProperty(USE_USER_SUBJECT)));
setSecurityContext(m, info);
} catch (OAuthProblemException e) {
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
Fri Dec 9 13:25:10 2011
@@ -34,6 +34,7 @@ import javax.servlet.http.HttpServletRes
import net.oauth.OAuthProblemException;
import net.oauth.server.OAuthServlet;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
@@ -41,10 +42,11 @@ import org.apache.cxf.security.SecurityC
* HTTP Servlet filter which can be used to protect end user endpoints
*/
public class OAuthServletFilter extends AbstractAuthFilter implements javax.servlet.Filter
{
-
+ private boolean useUserSubject;
public void init(FilterConfig filterConfig) throws ServletException {
ServletContext servletContext = filterConfig.getServletContext();
super.setDataProvider(OAuthUtils.getOAuthDataProvider(servletContext));
+ useUserSubject = MessageUtils.isTrue(servletContext.getInitParameter(USE_USER_SUBJECT));
}
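Review bot: init reads USE_USER_SUBJECT only from the ServletContext, so a `<init-param>` declared on this filter is ignored, which is easy to miss given that the same name is a per-message contextual property in OAuthRequestFilter. If the context-wide lookup is deliberate (to match how the data provider is located via OAuthUtils), a one-line comment saying so would prevent confusion; otherwise consider `if (!useUserSubject) { useUserSubject = MessageUtils.isTrue(filterConfig.getInitParameter(USE_USER_SUBJECT)); }` after the existing assignment.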
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws
@@ -53,7 +55,7 @@ public class OAuthServletFilter extends
HttpServletResponse resp = (HttpServletResponse)response;
try {
- OAuthInfo info = handleOAuthRequest(req);
+ OAuthInfo info = handleOAuthRequest(req, useUserSubject);
req = setSecurityContext(req, info);
chain.doFilter(req, resp);
} catch (OAuthProblemException e) {
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
Fri Dec 9 13:25:10 2011
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import org.apache.cxf.jaxrs.ext.MessageContext;
@@ -54,4 +55,8 @@ public abstract class AbstractOAuthServi
protected UriInfo getUriInfo() {
return mc.getUriInfo();
}
+
+ protected SecurityContext getSecurityContext() {
+ return mc.getSecurityContext();
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
Fri Dec 9 13:25:10 2011
@@ -20,8 +20,12 @@ package org.apache.cxf.rs.security.oauth
import java.io.IOException;
import java.net.URI;
+import java.security.Principal;
+import java.util.ArrayList;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -30,6 +34,7 @@ import javax.servlet.http.HttpServletReq
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import net.oauth.OAuth;
@@ -40,10 +45,12 @@ import org.apache.cxf.common.logging.Log
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.oauth.data.OAuthAuthorizationData;
import org.apache.cxf.rs.security.oauth.data.RequestToken;
+import org.apache.cxf.rs.security.oauth.data.UserSubject;
import org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator;
import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
+import org.apache.cxf.security.LoginSecurityContext;
public class AuthorizationRequestHandler {
@@ -78,6 +85,21 @@ public class AuthorizationRequestHandler
Map<String, String> queryParams = new HashMap<String, String>();
if (allow) {
+ SecurityContext sc =
+ (SecurityContext)request.getAttribute(SecurityContext.class.getName());
+ if (sc != null) {
+ UserSubject subject = new UserSubject();
+ subject.setLogin(sc.getUserPrincipal().getName());
+ if (sc instanceof LoginSecurityContext) {
+ List<String> roleNames = new ArrayList<String>();
+ Set<Principal> roles = ((LoginSecurityContext)sc).getUserRoles();
+ for (Principal p : roles) {
+ roleNames.add(p.getName());
+ }
+ subject.setRoles(roleNames);
+ }
+ token.setSubject(subject);
+ }
String verifier = dataProvider.setRequestTokenVerifier(token);
queryParams.put(OAuth.OAUTH_VERIFIER, verifier);
} else {
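Review bot: `sc.getUserPrincipal()` is dereferenced without a null check; a JAX-RS SecurityContext returns null from getUserPrincipal for an unauthenticated request, so the allow branch either throws NullPointerException or, if some implementation returns a principal with no name, binds a UserSubject with a null login to the token, which AbstractAuthFilter later turns into `new SimplePrincipal(null)`. Since this is the point where the approving end user is bound to the token, only attach a subject when there is an authenticated principal: `Principal principal = sc == null ? null : sc.getUserPrincipal(); if (principal != null) { ... subject.setLogin(principal.getName()); ... }`, and consider whether an approval without any principal should be accepted at all when the deployment relies on the subject. The role collection loop is fine, but note that subjects from a plain (non-Login) SecurityContext get no roles, so UserSubject.getRoles() must tolerate that. The enclosing method starts and ends outside this hunk.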
@@ -167,4 +189,6 @@ public class AuthorizationRequestHandler
session.removeAttribute(OAuthConstants.AUTHENTICITY_TOKEN);
return b;
}
+
+
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
Fri Dec 9 13:25:10 2011
@@ -19,12 +19,14 @@
package org.apache.cxf.rs.security.oauth.services;
+import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.rs.security.oauth.data.OAuthAuthorizationData;
@@ -48,7 +50,10 @@ public class AuthorizationRequestService
@GET
@Produces({"application/xhtml+xml", "text/html", "application/xml", "application/json"
})
public Response authorize() {
- Response response = handler.handle(getHttpRequest(), getDataProvider());
+ HttpServletRequest httpRequest = getHttpRequest();
+ httpRequest.setAttribute(SecurityContext.class.getName(),
+ super.getSecurityContext());
+ Response response = handler.handle(httpRequest, getDataProvider());
if (response.getEntity() instanceof OAuthAuthorizationData) {
String replyTo = getUriInfo().getAbsolutePathBuilder().path("decision").build().toString();
((OAuthAuthorizationData)response.getEntity()).setReplyTo(replyTo);
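Review bot: Only authorize() (the GET that renders the authorization page) stores the SecurityContext on the request, yet the `allow` branch in AuthorizationRequestHandler that reads it runs when the user's decision is submitted to the `decision` path built on the line above. If the decision endpoint (outside this hunk) also delegates to handler.handle, it presumably needs the same `httpRequest.setAttribute(SecurityContext.class.getName(), super.getSecurityContext());` call, or the subject will never be captured; extracting that into a small private helper used by both entry points would keep the two in step.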