From serg...@apache.org
Subject svn commit: r1212397 - in /cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth: data/ filters/ services/
Date Fri, 09 Dec 2011 13:25:11 GMT
Author: sergeyb
Date: Fri Dec  9 13:25:10 2011
New Revision: 1212397

URL: http://svn.apache.org/viewvc?rev=1212397&view=rev
Log:
[CXF-3967] Adding UserSubject which OAuth filters may optionally use to create SecurityContexts

Added:
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
  (with props)
Modified:
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
Fri Dec  9 13:25:10 2011
@@ -33,6 +33,7 @@ public abstract class Token {
     private Client client;
     private List<String> scopes = Collections.emptyList();
     private List<String> uris = Collections.emptyList();
+    private UserSubject subject;
     
     protected Token(Client client, String tokenKey,
                     String tokenSecret, long lifetime, long issuedAt) {
@@ -115,4 +116,12 @@ public abstract class Token {
         this.uris = uris;
     }
     
+    public void setSubject(UserSubject subject) {
+        this.subject = subject;
+    }
+
+    public UserSubject getSubject() {
+        return subject;
+    }
+
 }

Added: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java?rev=1212397&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
Fri Dec  9 13:25:10 2011
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth.data;
+
+import java.util.List;
+
+/**
+ * Represents a user alias or login name which AuthorizationService
+ * may capture after the end user approved a given third party request
+ */
+public class UserSubject {
+    
+    private String login;
+    private List<String> roles;
+    
+    public void setLogin(String login) {
+        this.login = login;
+    }
+
+    public String getLogin() {
+        return login;
+    }
+
+    public void setRoles(List<String> roles) {
+        this.roles = roles;
+    }
+
+    public List<String> getRoles() {
+        return roles;
+    }
+    
+
+}
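Review bot: `roles` has no default, so `getRoles()` returns null for any subject whose roles were never set, and the class also stores the caller's list by reference in `setRoles`. In this same commit the roles are only populated when the authorization-time SecurityContext is a LoginSecurityContext, so a null roles list is a realistic state, and a consumer that calls `getRoles().contains(role)` will fail with a NullPointerException instead of a denial. Initialise the field and copy on set, e.g. `private List<String> roles = Collections.emptyList();` and `this.roles = roles == null ? Collections.<String>emptyList() : new ArrayList<String>(roles);`. The class javadoc could also say that `roles` is optional and may be empty when the authorization service could not determine them.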

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
Fri Dec  9 13:25:10 2011
@@ -35,6 +35,7 @@ import org.apache.cxf.common.security.Si
 import org.apache.cxf.rs.security.oauth.data.AccessToken;
 import org.apache.cxf.rs.security.oauth.data.Client;
 import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
+import org.apache.cxf.rs.security.oauth.data.UserSubject;
 import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
@@ -43,7 +44,7 @@ import org.apache.cxf.security.SecurityC
  * Base OAuth filter which can be used to protect end-user endpoints
  */
 public class AbstractAuthFilter {
-
+    protected static final String USE_USER_SUBJECT = "org.apache.cxf.rs.security.oauth.use_user_subject";
     private static final Logger LOG = LogUtils.getL7dLogger(AbstractAuthFilter.class);
     private static final String[] REQUIRED_PARAMETERS = 
         new String[] {
@@ -78,7 +79,8 @@ public class AbstractAuthFilter {
      * @throws Exception
      * @throws OAuthProblemException
      */
-    public OAuthInfo handleOAuthRequest(HttpServletRequest req) throws
+    protected OAuthInfo handleOAuthRequest(HttpServletRequest req,
+                                           boolean useUserSubject) throws
         Exception, OAuthProblemException {
         if (LOG.isLoggable(Level.FINE)) {
             LOG.log(Level.FINE, "OAuth security filter for url: {0}", req.getRequestURL());
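Review bot: The new `useUserSubject` parameter is not described in the javadoc whose tail is visible just above the signature, and the method is narrowed from public to protected, which breaks any external caller of `handleOAuthRequest(HttpServletRequest)`. Add `@param useUserSubject if true the SecurityContext is built from the UserSubject captured on the access token rather than from the Client` to the doc block, and consider keeping a public one-argument overload that delegates with `false` if external callers exist. The body of `handleOAuthRequest` continues well past this hunk.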
@@ -101,6 +103,9 @@ public class AbstractAuthFilter {
             client = accessToken.getClient(); 
             
         } else {
+            // TODO: the secret may not be included and only used to create a signature
+            //       so the header will effectively be similar to the one used during 
+            //       RequestToken requests; we'd need to handle this case too
             String consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
             String consumerSecret = oAuthMessage.getParameter("oauth_consumer_secret");
             client = dataProvider.getClient(consumerKey);
@@ -129,7 +134,7 @@ public class AbstractAuthFilter {
             checkNoAccessTokenIsAllowed(client, accessToken, perm);
         }
         
-        return new OAuthInfo(client, accessToken, permissions);
+        return new OAuthInfo(client, accessToken, permissions, useUserSubject);
         
     }
     
@@ -164,17 +169,26 @@ public class AbstractAuthFilter {
     protected SecurityContext createSecurityContext(HttpServletRequest request, 
                                                     final OAuthInfo info) {
         request.setAttribute("oauth_authorities", info.getRoles());
+        final UserSubject subject = info.getToken().getSubject();
         return new SecurityContext() {
 
             public Principal getUserPrincipal() {
-                return new SimplePrincipal(info.getClient().getLoginName());
+                String login = info.useUserSubject() 
+                    ? (subject != null ? subject.getLogin() : null)
+                    : info.getClient().getLoginName();  
+                return new SimplePrincipal(login);
             }
 
             public boolean isUserInRole(String role) {
-                List<String> roles = info.getRoles();
-                for (String authority : roles) {
-                    if (authority.equals(role)) {
-                        return true;
+                if (info.useUserSubject()) {
+                    return subject != null
+                        ? info.getToken().getSubject().getRoles().contains(role) : false;
   
+                } else {
+                    List<String> roles = info.getRoles();
+                    for (String authority : roles) {
+                        if (authority.equals(role)) {
+                            return true;
+                        }
                     }
                 }
                 return false;
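Review bot: `info.getToken().getSubject()` on the first added line dereferences the access token unconditionally, even when `useUserSubject` is false, but `handleOAuthRequest` also admits requests with no access token (the consumer-key branch that ends in `checkNoAccessTokenIsAllowed`), so every such request now fails with a NullPointerException in `createSecurityContext`. Inside `isUserInRole` the code re-fetches `info.getToken().getSubject().getRoles()` instead of using the captured `subject`, and `getRoles()` may itself be null since `UserSubject` never initialises it. When the subject mode is on but the token carries no subject, the principal becomes a SimplePrincipal wrapping a null name; whether to return null or reject the request earlier is a judgement call, but a subject-less token should not read as an authenticated user. `createSecurityContext` ends outside this hunk.
```java
        request.setAttribute("oauth_authorities", info.getRoles());
        final AccessToken token = info.getToken();
        // token is null on the consumer-key-only path, so guard before reading the subject
        final UserSubject subject = token == null ? null : token.getSubject();
        return new SecurityContext() {

            public Principal getUserPrincipal() {
                if (!info.useUserSubject()) {
                    return new SimplePrincipal(info.getClient().getLoginName());
                }
                return subject == null ? null : new SimplePrincipal(subject.getLogin());
            }

            public boolean isUserInRole(String role) {
                if (info.useUserSubject()) {
                    return subject != null && subject.getRoles() != null
                        && subject.getRoles().contains(role);
                }
                // … unchanged: client-authority loop …
```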

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
Fri Dec  9 13:25:10 2011
@@ -32,10 +32,15 @@ public class OAuthInfo {
     private Client client;
     private AccessToken token;
     private List<OAuthPermission> permissions;
-    public OAuthInfo(Client client, AccessToken token, List<OAuthPermission> permissions)
{
+    private boolean useUserSubject;
+    public OAuthInfo(Client client, 
+                     AccessToken token, 
+                     List<OAuthPermission> permissions,
+                     boolean useUserSubject) {
         this.client = client;
         this.token = token;
         this.permissions = permissions;
+        this.useUserSubject = useUserSubject;
     }
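Review bot: The only constructor now requires the `useUserSubject` flag, so the previous three-argument form `OAuthInfo(Client, AccessToken, List<OAuthPermission>)` is gone and any subclass or custom filter constructing OAuthInfo stops compiling. Since the old behaviour is exactly `useUserSubject == false`, a delegating overload keeps compatibility at no cost: `public OAuthInfo(Client client, AccessToken token, List<OAuthPermission> permissions) { this(client, token, permissions, false); }`. A short javadoc on the new parameter saying it selects the UserSubject-based SecurityContext would help the next reader.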
     public Client getClient() {
         return client;
@@ -52,5 +57,8 @@ public class OAuthInfo {
         return authorities;
     }
     
+    public boolean useUserSubject() {
+        return useUserSubject;
+    }
     
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
Fri Dec  9 13:25:10 2011
@@ -28,6 +28,7 @@ import org.apache.cxf.jaxrs.ext.MessageC
 import org.apache.cxf.jaxrs.ext.RequestHandler;
 import org.apache.cxf.jaxrs.model.ClassResourceInfo;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.security.SecurityContext;
 
 /**
@@ -40,7 +41,9 @@ public class OAuthRequestFilter extends 
    
     public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
         try {
-            OAuthInfo info = handleOAuthRequest(mc.getHttpServletRequest());
+            
+            OAuthInfo info = handleOAuthRequest(
+                mc.getHttpServletRequest(), MessageUtils.isTrue(m.getContextualProperty(USE_USER_SUBJECT)));
             setSecurityContext(m, info);
             
         } catch (OAuthProblemException e) {

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
Fri Dec  9 13:25:10 2011
@@ -34,6 +34,7 @@ import javax.servlet.http.HttpServletRes
 import net.oauth.OAuthProblemException;
 import net.oauth.server.OAuthServlet;
 
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
 
@@ -41,10 +42,11 @@ import org.apache.cxf.security.SecurityC
  * HTTP Servlet filter which can be used to protect end user endpoints
  */
 public class OAuthServletFilter extends AbstractAuthFilter implements javax.servlet.Filter
{
-
+    private boolean useUserSubject;
     public void init(FilterConfig filterConfig) throws ServletException {
         ServletContext servletContext = filterConfig.getServletContext();
         super.setDataProvider(OAuthUtils.getOAuthDataProvider(servletContext));
+        useUserSubject = MessageUtils.isTrue(servletContext.getInitParameter(USE_USER_SUBJECT));
     }
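Review bot: `useUserSubject` is read from `servletContext.getInitParameter`, i.e. a web-app-wide `<context-param>`, so a `<init-param>` declared on the filter itself is silently ignored, which is surprising for a per-filter switch and means two OAuth filters in one web app cannot differ. Check the filter config first and fall back to the context: `String value = filterConfig.getInitParameter(USE_USER_SUBJECT);` / `if (value == null) { value = servletContext.getInitParameter(USE_USER_SUBJECT); }` / `useUserSubject = MessageUtils.isTrue(value);`. Documenting which of the two scopes wins on the `USE_USER_SUBJECT` constant would avoid misconfiguration.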
 
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws
@@ -53,7 +55,7 @@ public class OAuthServletFilter extends 
         HttpServletResponse resp = (HttpServletResponse)response;
 
         try {
-            OAuthInfo info = handleOAuthRequest(req);
+            OAuthInfo info = handleOAuthRequest(req, useUserSubject);
             req = setSecurityContext(req, info);
             chain.doFilter(req, resp);
         } catch (OAuthProblemException e) {

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
Fri Dec  9 13:25:10 2011
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriInfo;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
@@ -54,4 +55,8 @@ public abstract class AbstractOAuthServi
     protected UriInfo getUriInfo() {
         return mc.getUriInfo();
     }
+    
+    protected SecurityContext getSecurityContext() {
+        return mc.getSecurityContext();
+    }
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
Fri Dec  9 13:25:10 2011
@@ -20,8 +20,12 @@ package org.apache.cxf.rs.security.oauth
 
 import java.io.IOException;
 import java.net.URI;
+import java.security.Principal;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -30,6 +34,7 @@ import javax.servlet.http.HttpServletReq
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriBuilder;
 
 import net.oauth.OAuth;
@@ -40,10 +45,12 @@ import org.apache.cxf.common.logging.Log
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.rs.security.oauth.data.OAuthAuthorizationData;
 import org.apache.cxf.rs.security.oauth.data.RequestToken;
+import org.apache.cxf.rs.security.oauth.data.UserSubject;
 import org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator;
 import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
+import org.apache.cxf.security.LoginSecurityContext;
 
 
 public class AuthorizationRequestHandler {
@@ -78,6 +85,21 @@ public class AuthorizationRequestHandler
 
             Map<String, String> queryParams = new HashMap<String, String>();
             if (allow) {
+                SecurityContext sc = 
+                    (SecurityContext)request.getAttribute(SecurityContext.class.getName());
+                if (sc != null) {
+                    UserSubject subject = new UserSubject();
+                    subject.setLogin(sc.getUserPrincipal().getName());
+                    if (sc instanceof LoginSecurityContext) {
+                        List<String> roleNames = new ArrayList<String>();
+                        Set<Principal> roles = ((LoginSecurityContext)sc).getUserRoles();
+                        for (Principal p : roles) {
+                            roleNames.add(p.getName());
+                        }
+                        subject.setRoles(roleNames);
+                    }
+                    token.setSubject(subject);
+                }
                 String verifier = dataProvider.setRequestTokenVerifier(token);
                 queryParams.put(OAuth.OAUTH_VERIFIER, verifier);
             } else {
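Review bot: `sc.getUserPrincipal().getName()` assumes an authenticated principal, but the JAX-RS SecurityContext contract allows `getUserPrincipal()` to return null for an unauthenticated request, and if that happens here the approval path fails with a NullPointerException right before the verifier is issued. More importantly for the security model, a null principal means nobody authenticated the approval, so no subject should be attached and it is worth deciding whether the `allow` should proceed at all. The roles are also only set when the context is a LoginSecurityContext, leaving `UserSubject.getRoles()` null otherwise; always setting a list keeps the resource-side role check well defined. The enclosing method of this hunk starts and ends outside the hunk.
```java
                SecurityContext sc =
                    (SecurityContext)request.getAttribute(SecurityContext.class.getName());
                Principal principal = sc == null ? null : sc.getUserPrincipal();
                // only record a subject when an authenticated principal approved the request
                if (principal != null) {
                    UserSubject subject = new UserSubject();
                    subject.setLogin(principal.getName());
                    List<String> roleNames = new ArrayList<String>();
                    if (sc instanceof LoginSecurityContext) {
                        for (Principal p : ((LoginSecurityContext)sc).getUserRoles()) {
                            roleNames.add(p.getName());
                        }
                    }
                    subject.setRoles(roleNames);
                    token.setSubject(subject);
                }
                // … unchanged: verifier generation and queryParams …
```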
@@ -167,4 +189,6 @@ public class AuthorizationRequestHandler
         session.removeAttribute(OAuthConstants.AUTHENTICITY_TOKEN);
         return b;
     }
+
+    
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java?rev=1212397&r1=1212396&r2=1212397&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
Fri Dec  9 13:25:10 2011
@@ -19,12 +19,14 @@
 
 package org.apache.cxf.rs.security.oauth.services;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.SecurityContext;
 
 import org.apache.cxf.rs.security.oauth.data.OAuthAuthorizationData;
 
@@ -48,7 +50,10 @@ public class AuthorizationRequestService
     @GET
     @Produces({"application/xhtml+xml", "text/html", "application/xml", "application/json"
})
     public Response authorize() {
-        Response response = handler.handle(getHttpRequest(), getDataProvider());
+        HttpServletRequest httpRequest = getHttpRequest();
+        httpRequest.setAttribute(SecurityContext.class.getName(),
+                                 super.getSecurityContext());
+        Response response = handler.handle(httpRequest, getDataProvider());
         if (response.getEntity() instanceof OAuthAuthorizationData) {
             String replyTo = getUriInfo().getAbsolutePathBuilder().path("decision").build().toString();
             ((OAuthAuthorizationData)response.getEntity()).setReplyTo(replyTo);
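Review bot: The SecurityContext is stored as a request attribute only in the GET `authorize()` method, yet the handler reads it inside the `if (allow)` branch, which presumably runs when the user's decision is posted back rather than on the initial GET. Unless the POST decision method (not visible in this hunk) sets the same `SecurityContext.class.getName()` attribute, `sc` will be null at approval time and no UserSubject is ever captured, making the new feature a silent no-op. It would be safer to set the attribute in one shared place, for example a private helper called from both endpoints, or to pass `super.getSecurityContext()` into the handler explicitly instead of via a string-keyed request attribute.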


