cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1234635 - in /cxf/branches/2.5.x-fixes: ./ distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/ rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/ rt/rs/se...
Date Sun, 22 Jan 2012 22:19:39 GMT
Author: sergeyb
Date: Sun Jan 22 22:19:39 2012
New Revision: 1234635

URL: http://svn.apache.org/viewvc?rev=1234635&view=rev
Log:
Merged revisions 1234634 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1234634 | sergeyb | 2012-01-22 22:12:29 +0000 (Sun, 22 Jan 2012) | 1 line
  
  [CXF-4051] Fixes to do with supporting OAuth scopes
........

Modified:
    cxf/branches/2.5.x-fixes/   (props changed)
    cxf/branches/2.5.x-fixes/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
    cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java

Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
    svn:mergeinfo = /cxf/trunk:1234634

Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.5.x-fixes/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
(original)
+++ cxf/branches/2.5.x-fixes/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
Sun Jan 22 22:19:39 2012
@@ -20,6 +20,7 @@
 package demo.oauth.server.controllers;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@@ -52,9 +53,10 @@ public class MemoryOAuthDataProvider imp
     static {
         AVAILABLE_PERMISSIONS
                 .put("read_info", new OAuthPermission("read_info", "Read your personal information",
-                        "ROLE_USER"));
+                                                      Collections.singletonList("ROLE_USER")));
         AVAILABLE_PERMISSIONS.put("modify_info",
-                new OAuthPermission("modify_info", "Modify your personal information", "ROLE_ADMIN"));
+                new OAuthPermission("modify_info", "Modify your personal information", 
+                                    Collections.singletonList("ROLE_ADMIN")));
     }
 
     protected ConcurrentHashMap<String, Client> clientAuthInfo = new ConcurrentHashMap<String,
Client>();

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
Sun Jan 22 22:19:39 2012
@@ -20,6 +20,7 @@
 package org.apache.cxf.rs.security.oauth.test;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@@ -44,9 +45,10 @@ public class MemoryOAuthDataProvider imp
     static {
         AVAILABLE_PERMISSIONS
                 .put("read_info", new OAuthPermission("read_info", "Read your personal information",
-                        "ROLE_USER"));
+                        Collections.singletonList("ROLE_USER")));
         AVAILABLE_PERMISSIONS.put("modify_info",
-                new OAuthPermission("modify_info", "Modify your personal information", "ROLE_ADMIN"));
+                new OAuthPermission("modify_info", "Modify your personal information", 
+                                    Collections.singletonList("ROLE_ADMIN")));
     }
 
     protected ConcurrentHashMap<String, Client> clientAuthInfo = new ConcurrentHashMap<String,
Client>();

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java
Sun Jan 22 22:19:39 2012
@@ -161,7 +161,16 @@ public final class OAuthClientUtils {
             String method, String requestURI, Map<String, String> parameters) {
         try {
             OAuthMessage msg = accessor.newRequestMessage(method, requestURI, parameters.entrySet());
-            return msg.getAuthorizationHeader(null);
+            StringBuilder sb = new StringBuilder();
+            sb.append(msg.getAuthorizationHeader(null));
+            for (Map.Entry<String, String> entry : parameters.entrySet()) {
+                if (!entry.getKey().startsWith("oauth_")) {
+                    sb.append(", ");
+                    sb.append(OAuth.percentEncode(entry.getKey())).append("=\"");
+                    sb.append(OAuth.percentEncode(entry.getValue())).append('"');
+                }
+            }
+            return sb.toString();
         } catch (Exception ex) {
             throw new ClientWebApplicationException(ex);
         }

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
Sun Jan 22 22:19:39 2012
@@ -30,8 +30,8 @@ public class OAuthPermission extends Per
     private List<String> uri = Collections.emptyList();
     private boolean authorizationKeyRequired = true;
     
-    public OAuthPermission(String permission, String description, String role) {
-        this(permission, description, Collections.singletonList(role));
+    public OAuthPermission(String permission, String description) {
+        super(permission, description);
     }
     
     public OAuthPermission(String permission, String description, List<String> roles)
{

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
Sun Jan 22 22:19:39 2012
@@ -19,11 +19,17 @@
 package org.apache.cxf.rs.security.oauth.filters;
 
 import java.security.Principal;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
 
 import net.oauth.OAuth;
 import net.oauth.OAuthMessage;
@@ -38,6 +44,7 @@ import org.apache.cxf.rs.security.oauth.
 import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
 import org.apache.cxf.rs.security.oauth.data.UserSubject;
 import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
+import org.apache.cxf.rs.security.oauth.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
 
@@ -57,6 +64,14 @@ public class AbstractAuthFilter {
             OAuth.OAUTH_NONCE
         };
     
+    private static final Set<String> ALLOWED_OAUTH_PARAMETERS;
+    static {
+        ALLOWED_OAUTH_PARAMETERS = new HashSet<String>();
+        ALLOWED_OAUTH_PARAMETERS.addAll(Arrays.asList(REQUIRED_PARAMETERS));
+        ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.X_OAUTH_SCOPE);
+        ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.X_OAUTH_URI);
+    }
+    
     private OAuthDataProvider dataProvider;
 
     protected AbstractAuthFilter() {
@@ -90,7 +105,8 @@ public class AbstractAuthFilter {
         AccessToken accessToken = null;
         Client client = null;
         
-        OAuthMessage oAuthMessage = OAuthServlet.getMessage(req, req.getRequestURL().toString());
+        OAuthMessage oAuthMessage = OAuthServlet.getMessage(new CustomHttpServletWrapper(req),

+                                                            OAuthServlet.getRequestURL(req));
         if (oAuthMessage.getParameter(OAuth.OAUTH_TOKEN) != null) {
             oAuthMessage.requireParameters(REQUIRED_PARAMETERS);
 
@@ -205,4 +221,24 @@ public class AbstractAuthFilter {
         }
         return new OAuthContext(subject, info.getPermissions());
     }
+    
+    private static class CustomHttpServletWrapper extends HttpServletRequestWrapper {
+        public CustomHttpServletWrapper(HttpServletRequest req) {
+            super(req);
+        }
+        
+        public Map<String, String[]> getParameterMap() {
+            Map<String, String[]> params = super.getParameterMap();
+            if (ALLOWED_OAUTH_PARAMETERS.containsAll(params.keySet())) {
+                return params;
+            }
+            Map<String, String[]> newParams = new HashMap<String, String[]>();
+            for (Map.Entry<String, String[]> entry : params.entrySet()) {
+                if (ALLOWED_OAUTH_PARAMETERS.contains(entry.getKey())) {    
+                    newParams.put(entry.getKey(), entry.getValue());
+                }
+            }
+            return newParams;
+        }
+    }
 }

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
Sun Jan 22 22:19:39 2012
@@ -84,8 +84,11 @@ public class AccessTokenHandler {
             if (LOG.isLoggable(Level.WARNING)) {
                 LOG.log(Level.WARNING, "An OAuth-related problem: {0}", new Object[] {e.fillInStackTrace()});
             }
-            return OAuthUtils.handleException(e, e.getHttpStatusCode(),
-                String.valueOf(e.getParameters().get("realm")));
+            int code = e.getHttpStatusCode();
+            if (code == 200) {
+                code = HttpServletResponse.SC_UNAUTHORIZED; 
+            }
+            return OAuthUtils.handleException(e, code, String.valueOf(e.getParameters().get("realm")));
         } catch (Exception e) {
             if (LOG.isLoggable(Level.WARNING)) {
                 LOG.log(Level.WARNING, "Server Exception: {0}", new Object[] {e.fillInStackTrace()});

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
Sun Jan 22 22:19:39 2012
@@ -115,8 +115,11 @@ public class AuthorizationRequestHandler
             if (LOG.isLoggable(Level.WARNING)) {
                 LOG.log(Level.WARNING, "An OAuth related problem: {0}", new Object[]{e.fillInStackTrace()});
             }
-            return OAuthUtils.handleException(e, e.getHttpStatusCode(),
-                    String.valueOf(e.getParameters().get("realm")));
+            int code = e.getHttpStatusCode();
+            if (code == 200) {
+                code = HttpServletResponse.SC_UNAUTHORIZED; 
+            }
+            return OAuthUtils.handleException(e, code, String.valueOf(e.getParameters().get("realm")));
         } catch (Exception e) {
             if (LOG.isLoggable(Level.SEVERE)) {
                 LOG.log(Level.SEVERE, "Server exception: {0}", new Object[]{e.fillInStackTrace()});

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
Sun Jan 22 22:19:39 2012
@@ -67,12 +67,7 @@ public class RequestTokenHandler {
                 .getClient(oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY));
             //client credentials not found
             if (client == null) {
-                OAuthProblemException problemEx = new OAuthProblemException(
-                    OAuth.Problems.CONSUMER_KEY_UNKNOWN);
-                problemEx
-                    .setParameter(OAuthProblemException.HTTP_STATUS_CODE,
-                        HttpServletResponse.SC_UNAUTHORIZED);
-                throw problemEx;
+                throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
             }
 
             OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider);
@@ -112,8 +107,11 @@ public class RequestTokenHandler {
             if (LOG.isLoggable(Level.WARNING)) {
                 LOG.log(Level.WARNING, "An OAuth-related problem: {0}", new Object[] {e.fillInStackTrace()});
             }
-            return OAuthUtils.handleException(e, e.getHttpStatusCode(),
-                String.valueOf(e.getParameters().get("realm")));
+            int code = e.getHttpStatusCode();
+            if (code == 200) {
+                code = HttpServletResponse.SC_UNAUTHORIZED; 
+            }
+            return OAuthUtils.handleException(e, code, String.valueOf(e.getParameters().get("realm")));
         } catch (Exception e) {
             if (LOG.isLoggable(Level.SEVERE)) {
                 LOG.log(Level.SEVERE, "Unexpected internal server exception: {0}",

Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java?rev=1234635&r1=1234634&r2=1234635&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
Sun Jan 22 22:19:39 2012
@@ -201,7 +201,7 @@ public final class OAuthUtils {
                 scopeList.add(token);
             }
         }
-        if (defaultValue != null) {
+        if (defaultValue != null && !scopeList.contains(defaultValue)) {
             scopeList.add(defaultValue);
         }
         return scopeList;



Mime
View raw message