From serg...@apache.org
Subject svn commit: r1235050 - in /cxf/trunk: distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/ distribution/src/main/release/samples/oauth/server/src/main/webapp/ rt/rs/security/oauth-parent/oauth-test/src/main/ja...
Date Mon, 23 Jan 2012 22:50:29 GMT
Author: sergeyb
Date: Mon Jan 23 22:50:29 2012
New Revision: 1235050

URL: http://svn.apache.org/viewvc?rev=1235050&view=rev
Log:
[CXF-4059] Better support for 2-leg flows plus various refactorings

Modified:
    cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
    cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/webapp/oAuthLogin.jsp
    cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java

Modified: cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
(original)
+++ cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java
Mon Jan 23 22:50:29 2012
@@ -96,7 +96,6 @@ public class MemoryOAuthDataProvider imp
         RequestToken reqToken = new RequestToken(reg.getClient(), token, tokenSecret, 
                                                  reg.getLifetime(), reg.getIssuedAt());
         reqToken.setScopes(getPermissionsInfo(reg.getScopes()));
-        reqToken.setUris(reg.getUris());
         reqToken.setCallback(reg.getCallback());
         oauthTokens.put(token, reqToken);
         return reqToken;
@@ -132,8 +131,7 @@ public class MemoryOAuthDataProvider imp
             tokenSecretString, 3600, System.currentTimeMillis() / 1000);
 
         accessToken.setScopes(requestToken.getScopes());
-        accessToken.setUris(requestToken.getUris());
-
+ 
         synchronized (oauthTokens) {
             oauthTokens.remove(requestToken.getTokenKey());
             oauthTokens.put(accessTokenString, accessToken);

Modified: cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/webapp/oAuthLogin.jsp
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/webapp/oAuthLogin.jsp?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/webapp/oAuthLogin.jsp
(original)
+++ cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/webapp/oAuthLogin.jsp
Mon Jan 23 22:50:29 2012
@@ -50,16 +50,15 @@ under the License.
                             the
                             ability to access and update your data on Sample OAuth CXF server:
                             <br/></p>
-                        <b>Scopes:</b>
-                        <c:forEach items="${oauthauthorizationdata.uris}" var="uri">
-                            <li>${uri}</li>
-                        </c:forEach>
-
                         <br/>
                         <b>Permissions:</b>
 
                         <c:forEach items="${oauthauthorizationdata.permissions}" var="permission">
                             <li>${permission.description}</li>
+                            URIs:
+                            <c:forEach items="${permission.uris}" var="uri">
+                               <li>${uri}</li>
+                            </c:forEach>
                         </c:forEach>
                         <br/>
                         Please ensure that you trust this website with your information before
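Review bot: The added `<li>${uri}</li>` (and the existing `${permission.description}`) write values into the consent page with bare EL, so any markup they contain is rendered unescaped on the very page where the user decides whether to trust a client; wrap them as `<li><c:out value="${uri}"/></li>` and `<li><c:out value="${permission.description}"/></li>`. Whether a consumer can influence these strings is not visible here — they now come from the permission object rather than the client's registration — but output escaping costs nothing and removes the question. As a minor point, the `<li>` items are emitted without an enclosing `<ul>`, and the `URIs:` label ends up inside the outer list item.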

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java
Mon Jan 23 22:50:29 2012
@@ -92,7 +92,6 @@ public class MemoryOAuthDataProvider imp
         RequestToken reqToken = new RequestToken(reg.getClient(), token, tokenSecret, 
                                                  reg.getLifetime(), reg.getIssuedAt());
         reqToken.setScopes(getPermissionsInfo(reg.getScopes()));
-        reqToken.setUris(reg.getUris());
         
         oauthTokens.put(token, reqToken);
         return reqToken;
@@ -124,8 +123,7 @@ public class MemoryOAuthDataProvider imp
                                                   3600, System.currentTimeMillis() / 1000);
 
         accessToken.setScopes(requestToken.getScopes());
-        accessToken.setUris(requestToken.getUris());
-
+        
         synchronized (oauthTokens) {
             oauthTokens.remove(requestToken.getTokenKey());
             oauthTokens.put(accessTokenString, accessToken);

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java
Mon Jan 23 22:50:29 2012
@@ -31,7 +31,6 @@ public class Client {
     
     private String loginName;
         
-    private List<String> uris = Collections.emptyList();
     private List<OAuthPermission> scopes = Collections.emptyList();
 
     public Client(String consumerId, 
@@ -132,22 +131,6 @@ public class Client {
         this.scopes = scopes;
     }
     
-    /**
-     * Returns a list of relative URIs the consumer wishes to access
-     * @return the uris
-     */
-    public List<String> getUris() {
-        return uris;
-    }
-
-    /**
-     * Sets a list of relative URIs the consumer wishes to access
-     * @param uris the uris
-     */
-    public void setUris(List<String> uris) {
-        this.uris = uris;
-    }
-    
     @Override
     public boolean equals(Object o) {
         if (this == o) {

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java
Mon Jan 23 22:50:29 2012
@@ -38,8 +38,7 @@ public class OAuthAuthorizationData impl
     private String applicationURI;
     private String replyTo;
     private List<? extends Permission> permissions;
-    private List<String> uris;
-
+    
     public OAuthAuthorizationData() {
     }
 
@@ -71,14 +70,6 @@ public class OAuthAuthorizationData impl
         this.permissions = permissions;
     }
 
-    public void setUris(List<String> uris) {
-        this.uris = uris;
-    }
-
-    public List<String> getUris() {
-        return uris;
-    }
-
     public void setAuthenticityToken(String authenticityToken) {
         this.authenticityToken = authenticityToken;
     }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
Mon Jan 23 22:50:29 2012
@@ -25,9 +25,11 @@ import java.util.List;
  * Provides the complete information about a given opaque permission.
  */
 public class OAuthPermission extends Permission {
+    private String subjectName;
     private List<String> roles = Collections.emptyList();
+    
     private List<String> httpVerbs = Collections.emptyList();
-    private List<String> uri = Collections.emptyList();
+    private List<String> uris = Collections.emptyList();
     private boolean authorizationKeyRequired = true;
     
     public OAuthPermission(String permission, String description) {
@@ -38,53 +40,45 @@ public class OAuthPermission extends Per
         super(permission, description);
         this.roles = roles;
     }
-    
-    public OAuthPermission(String permission, String description, 
-                           List<String> roles, List<String> httpVerbs) {
-        this(permission, description, roles);
-        this.httpVerbs = httpVerbs;
+
+    public void setSubjectName(String subjectName) {
+        this.subjectName = subjectName;
     }
-    
-    public OAuthPermission(String permission, 
-                           String description, 
-                           List<String> roles, 
-                           List<String> httpVerbs, 
-                           List<String> uris,
-                           boolean authorizeKeyRequired) {
-        this(permission, description, roles, httpVerbs);
-        this.uri = uris;
-        this.authorizationKeyRequired = authorizeKeyRequired;
+
+    public String getSubjectName() {
+        return subjectName;
     }
-    
-    /**
-     * Returns an optional list of role names
-     * @return the roles
-     */
+
+    public void setRoles(List<String> roles) {
+        this.roles = roles;
+    }
+
     public List<String> getRoles() {
-        return Collections.unmodifiableList(roles);
+        return roles;
+    }
+
+    public void setHttpVerbs(List<String> httpVerbs) {
+        this.httpVerbs = httpVerbs;
     }
 
-    /**
-     * Returns an optional list of HTTP verbs
-     * @return the list of verbs
-     */
     public List<String> getHttpVerbs() {
-        return Collections.unmodifiableList(httpVerbs);
+        return httpVerbs;
+    }
+
+    public void setUris(List<String> uri) {
+        this.uris = uri;
     }
 
-    /**
-     * Returns an optional list of URI    
-     * @return the uri
-     */
     public List<String> getUris() {
-        return Collections.unmodifiableList(uri);
+        return uris;
+    }
+
+    public void setAuthorizationKeyRequired(boolean authorizationKeyRequired) {
+        this.authorizationKeyRequired = authorizationKeyRequired;
     }
 
-    /**
-     * Indicates if the access token must be present or not
-     * @return the boolean value
-     */
     public boolean isAuthorizationKeyRequired() {
         return authorizationKeyRequired;
     }
+    
 }
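Review bot: The rewritten `getRoles()`, `getHttpVerbs()` and `getUris()` now return the internal lists directly, whereas the removed versions wrapped them in `Collections.unmodifiableList`; a permission object is handed out by the data provider to every request, so a caller that mutates a returned list (for example, code building a UserSubject from `perm.getRoles()`) would silently change the authorization data for all later requests. Keep the wrapping in the getters, `return Collections.unmodifiableList(roles);`, and have the new setters take a copy, `this.roles = new ArrayList<String>(roles);` (with `java.util.ArrayList` imported), or at least reject null so `Collections.unmodifiableList` cannot NPE. The Javadoc removed from the getters (what an empty list means, that `authorizationKeyRequired` governs whether an access token must be present) should be carried over to the new setters, since these fields now define what a request must match. The parameter of `setUris(List<String> uri)` should be named `uris` to match the field.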

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
Mon Jan 23 22:50:29 2012
@@ -32,7 +32,6 @@ public abstract class Token {
     private long lifetime = -1;
     private Client client;
     private List<OAuthPermission> scopes = Collections.emptyList();
-    private List<String> uris = Collections.emptyList();
     private UserSubject subject;
     
     protected Token(Client client, String tokenKey,
@@ -101,22 +100,6 @@ public abstract class Token {
     }
     
     /**
-     * Returns a list of relative URIs the consumer wishes to access
-     * @return the uris
-     */
-    public List<String> getUris() {
-        return uris;
-    }
-
-    /**
-     * Sets a list of relative URIs the consumer wishes to access
-     * @param uris the uris
-     */
-    public void setUris(List<String> uris) {
-        this.uris = uris;
-    }
-    
-    /**
      * Sets a subject capturing the login name 
      * the end user used to login to the resource server
      * when authorizing a given client request

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
Mon Jan 23 22:50:29 2012
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.oauth.filters;
 
 import java.security.Principal;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -38,6 +39,9 @@ import net.oauth.server.OAuthServlet;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rs.security.oauth.data.AccessToken;
 import org.apache.cxf.rs.security.oauth.data.Client;
 import org.apache.cxf.rs.security.oauth.data.OAuthContext;
@@ -68,10 +72,13 @@ public class AbstractAuthFilter {
     static {
         ALLOWED_OAUTH_PARAMETERS = new HashSet<String>();
         ALLOWED_OAUTH_PARAMETERS.addAll(Arrays.asList(REQUIRED_PARAMETERS));
+        ALLOWED_OAUTH_PARAMETERS.add(OAuth.OAUTH_VERSION);
         ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.X_OAUTH_SCOPE);
         ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.X_OAUTH_URI);
+        ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.OAUTH_CONSUMER_SECRET);
     }
     
+    private boolean useUserSubject;
     private OAuthDataProvider dataProvider;
 
     protected AbstractAuthFilter() {
@@ -86,6 +93,14 @@ public class AbstractAuthFilter {
         dataProvider = provider;
     }
     
+    public void setUseUserSubject(boolean useUserSubject) {
+        this.useUserSubject = useUserSubject;
+    }
+
+    public boolean isUseUserSubject() {
+        return useUserSubject;
+    }
+
     /**
      * Authenticates the third-party consumer and returns
      * {@link OAuthInfo} bean capturing the information about the request. 
@@ -95,8 +110,7 @@ public class AbstractAuthFilter {
      * @throws Exception
      * @throws OAuthProblemException
      */
-    protected OAuthInfo handleOAuthRequest(HttpServletRequest req,
-                                           boolean useUserSubject) throws
+    protected OAuthInfo handleOAuthRequest(HttpServletRequest req) throws
         Exception, OAuthProblemException {
         if (LOG.isLoggable(Level.FINE)) {
             LOG.log(Level.FINE, "OAuth security filter for url: {0}", req.getRequestURL());
@@ -119,53 +133,106 @@ public class AbstractAuthFilter {
             }
             client = accessToken.getClient(); 
             
+            OAuthUtils.validateMessage(oAuthMessage, client, accessToken, dataProvider);
   
         } else {
-            // TODO: the secret may not be included and only used to create a signature
-            //       so the header will effectively be similar to the one used during 
-            //       RequestToken requests; we'd need to handle this case too
-            String consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
-            String consumerSecret = oAuthMessage.getParameter("oauth_consumer_secret");
-            client = dataProvider.getClient(consumerKey);
-            if (client == null || consumerSecret == null || !consumerSecret.equals(client.getSecretKey()))
{
+            String consumerKey = null;
+            String consumerSecret = null;
+            
+            String authHeader = oAuthMessage.getHeader("Authorization");
+            if (authHeader != null) {
+                if (authHeader.startsWith("OAuth")) {
+                    consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
+                    consumerSecret = oAuthMessage.getParameter(OAuthConstants.OAUTH_CONSUMER_SECRET);
+                } else if (authHeader.startsWith("Basic")) {
+                    AuthorizationPolicy policy = getAuthorizationPolicy(authHeader);
+                    if (policy != null) {
+                        consumerKey = policy.getUserName();
+                        consumerSecret = policy.getPassword();
+                    }
+                }
+            }
+            
+            if (consumerKey != null) {
+                client = dataProvider.getClient(consumerKey);
+            }
+            if (client == null) {
                 LOG.warning("Client is invalid");
                 throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
             }
+            
+            if (consumerSecret != null && !consumerSecret.equals(client.getSecretKey()))
{
+                LOG.warning("Client secret is invalid");
+                throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
+            } else {
+                OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider);
+            }
+            
         }
 
-        OAuthUtils.validateMessage(oAuthMessage, client, accessToken, dataProvider);
-
-        //check valid URI
-        checkRequestURI(req, OAuthUtils.getAllUris(client, accessToken));
-        
         List<OAuthPermission> permissions = OAuthUtils.getAllScopes(client, accessToken);
+        List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
         
         for (OAuthPermission perm : permissions) {
-            checkRequestURI(req, perm.getUris());
-            if (!perm.getHttpVerbs().isEmpty() 
-                && !perm.getHttpVerbs().contains(req.getMethod())) {
-                String message = "Invalid http verb";
+            boolean uriOK = checkRequestURI(req, perm.getUris());
+            boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
+            boolean accessOK = checkNoAccessTokenIsAllowed(client, accessToken, perm);
+            if (uriOK && verbOK && accessOK) {
+                matchingPermissions.add(perm);
+            }
+        }
+        
+        if (permissions.size() > 0 && matchingPermissions.isEmpty()) {
+            String message = "Client has no valid permissions";
+            LOG.warning(message);
+            throw new OAuthProblemException(message);
+        }
+        
+        String subjectName = null;
+        for (OAuthPermission perm : matchingPermissions) {
+            String currentName = perm.getSubjectName();
+            if (subjectName != null 
+                && (currentName == null || !subjectName.equals(currentName))) {
+                String message = "Inconsistent subject name";
                 LOG.warning(message);
-                throw new OAuthProblemException(message);
+                throw new OAuthProblemException(message);    
             }
-            checkNoAccessTokenIsAllowed(client, accessToken, perm);
+            subjectName = currentName;
         }
         
-        return new OAuthInfo(client, accessToken, permissions, useUserSubject);
         
+        return new OAuthInfo(client, accessToken, matchingPermissions);
+        
+    }
+    
+    protected AuthorizationPolicy getAuthorizationPolicy(String authorizationHeader) {
+        Message m = PhaseInterceptorChain.getCurrentMessage();
+        return m != null ? (AuthorizationPolicy)m.get(AuthorizationPolicy.class) : null;
     }
     
-    protected void checkNoAccessTokenIsAllowed(Client client, AccessToken token,
-            OAuthPermission perm) throws OAuthProblemException {
+    protected boolean checkNoAccessTokenIsAllowed(Client client, AccessToken token,
+            OAuthPermission perm) {
         if (token == null && perm.isAuthorizationKeyRequired()) {
-            throw new OAuthProblemException();
+            String message = "Token is expected";
+            LOG.fine(message);
+            return false;
         }
+        return true;
     }
     
-    protected void checkRequestURI(HttpServletRequest request, List<String> uris)
-        throws OAuthProblemException {
+    protected boolean checkHttpVerb(HttpServletRequest req, List<String> verbs) {
+        if (!verbs.isEmpty() 
+            && !verbs.contains(req.getMethod())) {
+            String message = "Invalid http verb";
+            LOG.fine(message);
+            return false;
+        }
+        return true;
+    }
+    
+    protected boolean checkRequestURI(HttpServletRequest request, List<String> uris)
{
         
         if (uris.isEmpty()) {
-            return;
+            return true;
         }
         String servletPath = request.getPathInfo();
         boolean foundValidScope = false;
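Review bot: The check `if (permissions.size() > 0 && matchingPermissions.isEmpty())` fails open: a client or token with an empty scope list skips every URI, verb and token-required check (those now run only per permission), and the global `checkRequestURI(req, OAuthUtils.getAllUris(client, accessToken))` that previously bounded such requests is removed in this hunk, so a two-legged caller with no scopes would be accepted for any path. Unless an empty scope list is meant to grant unrestricted access, make it `if (matchingPermissions.isEmpty())` and reject, or at minimum require `accessToken != null` when `permissions` is empty. The secret check `!consumerSecret.equals(client.getSecretKey())` compares a credential with variable-time `String.equals`; use `MessageDigest.isEqual(consumerSecret.getBytes("UTF-8"), client.getSecretKey().getBytes("UTF-8"))`. Both the `oauth_consumer_secret` parameter and the Basic branch carry the client secret in the request itself, which is only acceptable over TLS, yet nothing here consults `req.isSecure()` — consider rejecting plaintext transport or documenting the requirement. `getAuthorizationPolicy` depends on `PhaseInterceptorChain.getCurrentMessage()`, which is presumably null when this code runs from the plain servlet filter, so the Basic branch would then end in `CONSUMER_KEY_UNKNOWN`; a comment or a direct header decode would make that path work predictably.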
@@ -177,37 +244,45 @@ public class AbstractAuthFilter {
         }
         if (!foundValidScope) {
             String message = "Invalid request URI";
-            LOG.warning(message);
-            throw new OAuthProblemException(message);
+            LOG.fine(message);
         }
+        return foundValidScope;
     }
     
     protected SecurityContext createSecurityContext(HttpServletRequest request, 
                                                     final OAuthInfo info) {
+        // TODO: 
+        // This custom parameter is only needed by the "oauth" 
+        // demo shipped in the distribution; needs to be removed.
         request.setAttribute("oauth_authorities", info.getRoles());
-        final UserSubject subject = info.getToken().getSubject();
+        
+        UserSubject subject = info.getToken() != null ? info.getToken().getSubject() : null;
+        if (subject == null) {
+            for (OAuthPermission perm : info.getPermissions()) {
+                if (perm.getSubjectName() != null) {
+                    subject = new UserSubject(perm.getSubjectName(), perm.getRoles());
+                }
+                break;
+            }
+        }
+        final UserSubject theSubject = subject;
         return new SecurityContext() {
 
             public Principal getUserPrincipal() {
-                String login = info.useUserSubject() 
-                    ? (subject != null ? subject.getLogin() : null)
+                String login = AbstractAuthFilter.this.useUserSubject 
+                    ? (theSubject != null ? theSubject.getLogin() : null)
                     : info.getClient().getLoginName();  
                 return new SimplePrincipal(login);
             }
 
             public boolean isUserInRole(String role) {
-                if (info.useUserSubject()) {
-                    return subject != null
-                        ? info.getToken().getSubject().getRoles().contains(role) : false;
   
+                List<String> roles = null;
+                if (AbstractAuthFilter.this.useUserSubject && theSubject != null)
{
+                    roles = theSubject.getRoles();    
                 } else {
-                    List<String> roles = info.getRoles();
-                    for (String authority : roles) {
-                        if (authority.equals(role)) {
-                            return true;
-                        }
-                    }
+                    roles = info.getRoles();
                 }
-                return false;
+                return roles == null ? false : roles.contains(role);
             }
              
         };
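Review bot: The rewritten `isUserInRole` falls back to `info.getRoles()` when `useUserSubject` is true but no subject exists, whereas the removed code returned false in that case; combined with `getUserPrincipal` returning `new SimplePrincipal(null)` for the same situation, a request with no end-user subject now gets role checks answered from the client's permission roles. Keep the old semantics with `if (AbstractAuthFilter.this.useUserSubject) { roles = theSubject != null ? theSubject.getRoles() : null; } else { roles = info.getRoles(); }`. In the subject-derivation loop the `break` sits outside the `if`, so only the first permission is ever examined; since the consistency check in handleOAuthRequest accepts a null `subjectName` followed by a non-null one (but rejects the reverse order), that ordering yields no subject at all — move the `break` inside the `if` and make the consistency check order-independent.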
@@ -228,9 +303,11 @@ public class AbstractAuthFilter {
         
         public Map<String, String[]> getParameterMap() {
             Map<String, String[]> params = super.getParameterMap();
+            
             if (ALLOWED_OAUTH_PARAMETERS.containsAll(params.keySet())) {
                 return params;
             }
+            
             Map<String, String[]> newParams = new HashMap<String, String[]>();
             for (Map.Entry<String, String[]> entry : params.entrySet()) {
                 if (ALLOWED_OAUTH_PARAMETERS.contains(entry.getKey())) {    

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
Mon Jan 23 22:50:29 2012
@@ -32,15 +32,12 @@ public class OAuthInfo {
     private Client client;
     private AccessToken token;
     private List<OAuthPermission> permissions;
-    private boolean useUserSubject;
     public OAuthInfo(Client client, 
                      AccessToken token, 
-                     List<OAuthPermission> permissions,
-                     boolean useUserSubject) {
+                     List<OAuthPermission> permissions) {
         this.client = client;
         this.token = token;
         this.permissions = permissions;
-        this.useUserSubject = useUserSubject;
     }
     public Client getClient() {
         return client;
@@ -61,8 +58,5 @@ public class OAuthInfo {
         return permissions;
     }
     
-    public boolean useUserSubject() {
-        return useUserSubject;
-    }
-    
+        
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java
Mon Jan 23 22:50:29 2012
@@ -28,7 +28,6 @@ import org.apache.cxf.jaxrs.ext.MessageC
 import org.apache.cxf.jaxrs.ext.RequestHandler;
 import org.apache.cxf.jaxrs.model.ClassResourceInfo;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.oauth.data.OAuthContext;
 import org.apache.cxf.security.SecurityContext;
 
@@ -43,8 +42,7 @@ public class OAuthRequestFilter extends 
     public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
         try {
             
-            OAuthInfo info = handleOAuthRequest(
-                mc.getHttpServletRequest(), MessageUtils.isTrue(m.getContextualProperty(USE_USER_SUBJECT)));
+            OAuthInfo info = handleOAuthRequest(mc.getHttpServletRequest());
             setSecurityContext(m, info);
             
         } catch (OAuthProblemException e) {
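Review bot: The `USE_USER_SUBJECT` contextual property is no longer consulted on this path — `handleOAuthRequest(mc.getHttpServletRequest())` now relies on the filter's `useUserSubject` bean property, and nothing in this hunk sets it — so deployments that configure `USE_USER_SUBJECT` as an endpoint or message property silently revert to `client.getLoginName()` as the principal. Either document the new `setUseUserSubject` bean property as the replacement for `OAuthRequestFilter`, or keep a read-only fallback such as `boolean useSubject = isUseUserSubject() || MessageUtils.isTrue(m.getContextualProperty(USE_USER_SUBJECT));` and thread it through (mutating the shared filter per request would be racy). The removal of the `MessageUtils` import confirms the property is dead here, which is presumably unintended for existing configurations.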

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
Mon Jan 23 22:50:29 2012
@@ -43,11 +43,10 @@ import org.apache.cxf.security.SecurityC
  * HTTP Servlet filter which can be used to protect end user endpoints
  */
 public class OAuthServletFilter extends AbstractAuthFilter implements javax.servlet.Filter
{
-    private boolean useUserSubject;
     public void init(FilterConfig filterConfig) throws ServletException {
         ServletContext servletContext = filterConfig.getServletContext();
         super.setDataProvider(OAuthUtils.getOAuthDataProvider(servletContext));
-        useUserSubject = MessageUtils.isTrue(servletContext.getInitParameter(USE_USER_SUBJECT));
+        super.setUseUserSubject(MessageUtils.isTrue(servletContext.getInitParameter(USE_USER_SUBJECT)));
     }
 
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws
@@ -56,7 +55,7 @@ public class OAuthServletFilter extends 
         HttpServletResponse resp = (HttpServletResponse)response;
 
         try {
-            OAuthInfo info = handleOAuthRequest(req, useUserSubject);
+            OAuthInfo info = handleOAuthRequest(req);
             req = setSecurityContext(req, info);
             chain.doFilter(req, resp);
         } catch (OAuthProblemException e) {

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
Mon Jan 23 22:50:29 2012
@@ -96,8 +96,8 @@ public class AuthorizationRequestHandler
                         roleNames.add(p.getName());
                     }
                 }
-                token.setSubject(new UserSubject(sc.getUserPrincipal().getName(),
-                                                 roleNames));
+                token.setSubject(new UserSubject(sc.getUserPrincipal() == null 
+                    ? null : sc.getUserPrincipal().getName(), roleNames));
                 
                 String verifier = dataProvider.setRequestTokenVerifier(token);
                 queryParams.put(OAuth.OAUTH_VERIFIER, verifier);
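Review bot: The new ternary binds the request token to a UserSubject whose login is null and then still mints a verifier on the following line, so a request reaching this allow branch without an authenticated principal is treated as an approved authorization. Unless the authorization endpoint is intended to be reachable anonymously for 2-leg deployments, it would be safer to reject before `dataProvider.setRequestTokenVerifier(token)` when `sc.getUserPrincipal()` is null, e.g. `if (sc.getUserPrincipal() == null) { /* no resource owner to bind the token to: fail the authorization instead of issuing a verifier */ }` returning the handler's error response. If anonymous approval is deliberate, a comment saying so and stating what a null UserSubject login means to consumers of the token would stop the next reader from treating it as a bug. The enclosing method starts outside this hunk, so any authentication check performed earlier is not visible.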
@@ -157,7 +157,6 @@ public class AuthorizationRequestHandler
         secData.setApplicationURI(token.getClient().getApplicationURI());
         
         secData.setPermissions(OAuthUtils.getAllScopes(token.getClient(), token));
-        secData.setUris(OAuthUtils.getAllUris(token.getClient(), token));
         
         return secData;
     }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java
Mon Jan 23 22:50:29 2012
@@ -31,13 +31,15 @@ public final class OAuthConstants {
     public static final String VERIFIER_INVALID = "verifier_invalid";
 
     public static final String AUTHENTICITY_TOKEN = "session_authenticity_token";
-    public static final String X_OAUTH_URI = "x_oauth_uri";
-    public static final String X_OAUTH_SCOPE = "x_oauth_scope";
-
+    
     public static final String AUTHORIZATION_DECISION_KEY = "oauthDecision";
     public static final String AUTHORIZATION_DECISION_ALLOW = "allow";
     public static final String AUTHORIZATION_DECISION_DENY = "deny";
 
+    public static final String X_OAUTH_URI = "x_oauth_uri";
+    public static final String X_OAUTH_SCOPE = "x_oauth_scope";
+    public static final String OAUTH_CONSUMER_SECRET = "oauth_consumer_secret";
+    
     private OAuthConstants() {
         
     }
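Review bot: `OAUTH_CONSUMER_SECRET` is named like a protocol parameter (`oauth_consumer_secret`) that OAuth 1.0 never carries on the wire — the consumer secret is only signing-key material — so a public constant for it invites code that accepts or echoes the secret as a plain request parameter. Its uses are not visible in this hunk, so this is a documentation ask: a Javadoc such as `/** Key under which a client's secret is held in provider-side configuration; never to be read from an incoming request. */` would pin the intent, and if the constant is in fact used to read a request parameter that usage deserves a separate look. The same comment would also distinguish it from the OAuth wire-parameter constants grouped above it.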

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java?rev=1235050&r1=1235049&r2=1235050&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
Mon Jan 23 22:50:29 2012
@@ -92,15 +92,6 @@ public final class OAuthUtils {
         return scopes;
     }
     
-    public static List<String> getAllUris(Client client, Token token) {
-        List<String> uris = new LinkedList<String>();
-        if (token != null) {
-            uris.addAll(token.getUris());
-        }
-        uris.addAll(client.getUris());
-        return uris;
-    }
-    
     public static void validateMessage(OAuthMessage oAuthMessage, 
                                        Client client, 
                                        Token token,


