Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A0A73B595 for ; Sun, 22 Jan 2012 22:12:53 +0000 (UTC) Received: (qmail 56536 invoked by uid 500); 22 Jan 2012 22:12:53 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 56424 invoked by uid 500); 22 Jan 2012 22:12:52 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 56417 invoked by uid 99); 22 Jan 2012 22:12:52 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 22 Jan 2012 22:12:52 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 22 Jan 2012 22:12:50 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 2FDCF238897D for ; Sun, 22 Jan 2012 22:12:30 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1234634 - in /cxf/trunk: distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/ rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/ rt/rs/security/oauth-paren... Date: Sun, 22 Jan 2012 22:12:29 -0000 To: commits@cxf.apache.org 
From: sergeyb@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120122221230.2FDCF238897D@eris.apache.org> Author: sergeyb Date: Sun Jan 22 22:12:29 2012 New Revision: 1234634 URL: http://svn.apache.org/viewvc?rev=1234634&view=rev Log: [CXF-4051] Fixes to do with supporting OAuth scopes Modified: cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java Modified: cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java 
(original) +++ cxf/trunk/distribution/src/main/release/samples/oauth/server/src/main/java/demo/oauth/server/controllers/MemoryOAuthDataProvider.java Sun Jan 22 22:12:29 2012 @@ -20,6 +20,7 @@ package demo.oauth.server.controllers; import java.util.ArrayList; +import java.util.Collections; import java.util.List; import java.util.Map; import java.util.UUID; @@ -52,9 +53,10 @@ public class MemoryOAuthDataProvider imp static { AVAILABLE_PERMISSIONS .put("read_info", new OAuthPermission("read_info", "Read your personal information", - "ROLE_USER")); + Collections.singletonList("ROLE_USER"))); AVAILABLE_PERMISSIONS.put("modify_info", - new OAuthPermission("modify_info", "Modify your personal information", "ROLE_ADMIN")); + new OAuthPermission("modify_info", "Modify your personal information", + Collections.singletonList("ROLE_ADMIN"))); } protected ConcurrentHashMap clientAuthInfo = new ConcurrentHashMap(); Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth-test/src/main/java/org/apache/cxf/rs/security/oauth/test/MemoryOAuthDataProvider.java Sun Jan 22 22:12:29 2012 @@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth.test; import java.util.ArrayList; +import java.util.Collections; import java.util.List; import java.util.Map; import java.util.UUID; 
@@ -44,9 +45,10 @@ public class MemoryOAuthDataProvider imp static { AVAILABLE_PERMISSIONS .put("read_info", new OAuthPermission("read_info", "Read your personal information", - "ROLE_USER")); + Collections.singletonList("ROLE_USER"))); AVAILABLE_PERMISSIONS.put("modify_info", - new OAuthPermission("modify_info", "Modify your personal information", "ROLE_ADMIN")); + new OAuthPermission("modify_info", "Modify your personal information", + Collections.singletonList("ROLE_ADMIN"))); } protected ConcurrentHashMap clientAuthInfo = new ConcurrentHashMap(); Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java Sun Jan 22 22:12:29 2012 
@@ -161,7 +161,16 @@ public final class OAuthClientUtils { String method, String requestURI, Map parameters) { try { OAuthMessage msg = accessor.newRequestMessage(method, requestURI, parameters.entrySet()); - return msg.getAuthorizationHeader(null); + StringBuilder sb = new StringBuilder(); + sb.append(msg.getAuthorizationHeader(null)); + for (Map.Entry entry : parameters.entrySet()) { + if (!entry.getKey().startsWith("oauth_")) { + sb.append(", "); + sb.append(OAuth.percentEncode(entry.getKey())).append("=\""); + sb.append(OAuth.percentEncode(entry.getValue())).append('"'); + } + } + return sb.toString(); } catch (Exception ex) { throw new ClientWebApplicationException(ex); } Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java Sun Jan 22 22:12:29 2012 
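Review bot: The loop appends every non-`oauth_` entry of `parameters` into the Authorization header, but RFC 5849 reserves that header for `oauth_`-prefixed protocol parameters plus `realm`, so a strict server-side parser may reject or ignore the extra `x_oauth_scope`/`x_oauth_uri` style names; nothing at the call site records that this is a CXF-specific convention rather than standard OAuth 1.0. A comment on the new loop, such as `// CXF extension: signed non-protocol parameters (e.g. x_oauth_scope) travel in the header as well`, would make the intent visible to whoever reads the header on the server. The enclosing method's signature begins outside the hunk, and `parameters` is a raw `Map` there, so `entry.getKey()` and `entry.getValue()` are only `Object`s at compile time unless the declaration is parameterized.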
@@ -30,8 +30,8 @@ public class OAuthPermission extends Per private List uri = Collections.emptyList(); private boolean authorizationKeyRequired = true; - public OAuthPermission(String permission, String description, String role) { - this(permission, description, Collections.singletonList(role)); + public OAuthPermission(String permission, String description) { + super(permission, description); } public OAuthPermission(String permission, String description, List roles) { Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java Sun Jan 22 22:12:29 2012 @@ -19,11 +19,17 @@ package org.apache.cxf.rs.security.oauth.filters; import java.security.Principal; +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; import java.util.List; +import java.util.Map; +import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; import net.oauth.OAuth; import net.oauth.OAuthMessage; 
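Review bot: The public constructor taking a single `String role` is removed outright rather than deprecated, which is a source- and binary-incompatible change for any external `OAuthDataProvider` that built permissions with it; only the two in-tree providers are updated in this commit. If this module is public API, keeping `@Deprecated public OAuthPermission(String permission, String description, String role) { this(permission, description, Collections.singletonList(role)); }` for one release would avoid breaking users. The new two-argument form calls `super` directly and so leaves whatever role state the list-based constructor (which follows, outside the hunk) sets up untouched; that difference should be stated in the constructor Javadoc.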
@@ -38,6 +44,7 @@ import org.apache.cxf.rs.security.oauth. import org.apache.cxf.rs.security.oauth.data.OAuthPermission; import org.apache.cxf.rs.security.oauth.data.UserSubject; import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider; +import org.apache.cxf.rs.security.oauth.utils.OAuthConstants; import org.apache.cxf.rs.security.oauth.utils.OAuthUtils; import org.apache.cxf.security.SecurityContext; @@ -57,6 +64,14 @@ public class AbstractAuthFilter { OAuth.OAUTH_NONCE }; + private static final Set ALLOWED_OAUTH_PARAMETERS; + static { + ALLOWED_OAUTH_PARAMETERS = new HashSet(); + ALLOWED_OAUTH_PARAMETERS.addAll(Arrays.asList(REQUIRED_PARAMETERS)); + ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.X_OAUTH_SCOPE); + ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.X_OAUTH_URI); + } + private OAuthDataProvider dataProvider; protected AbstractAuthFilter() { @@ -90,7 +105,8 @@ public class AbstractAuthFilter { AccessToken accessToken = null; Client client = null; - OAuthMessage oAuthMessage = OAuthServlet.getMessage(req, req.getRequestURL().toString()); + OAuthMessage oAuthMessage = OAuthServlet.getMessage(new CustomHttpServletWrapper(req), + OAuthServlet.getRequestURL(req)); if (oAuthMessage.getParameter(OAuth.OAUTH_TOKEN) != null) { oAuthMessage.requireParameters(REQUIRED_PARAMETERS); 
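Review bot: ALLOWED_OAUTH_PARAMETERS is seeded only from REQUIRED_PARAMETERS plus the two `x_oauth_` names, so optional protocol parameters a client sends as query or form parameters rather than in the Authorization header would be stripped by the wrapper before the message is built; `oauth_token` appears to be outside REQUIRED_PARAMETERS given the separate null check in the following hunk, and `oauth_verifier`/`oauth_callback` presumably are too (to be confirmed against the part of the array outside this hunk). Admitting the whole prefix, `key.startsWith("oauth_") || ALLOWED_OAUTH_PARAMETERS.contains(key)`, would mirror the client-side test added to OAuthClientUtils in this commit. Once populated, the set should be wrapped with `Collections.unmodifiableSet` so the allow-list cannot drift at runtime.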
@@ -205,4 +221,24 @@ public class AbstractAuthFilter { } return new OAuthContext(subject, info.getPermissions()); } + + private static class CustomHttpServletWrapper extends HttpServletRequestWrapper { + public CustomHttpServletWrapper(HttpServletRequest req) { + super(req); + } + + public Map getParameterMap() { + Map params = super.getParameterMap(); + if (ALLOWED_OAUTH_PARAMETERS.containsAll(params.keySet())) { + return params; + } + Map newParams = new HashMap(); + for (Map.Entry entry : params.entrySet()) { + if (ALLOWED_OAUTH_PARAMETERS.contains(entry.getKey())) { + newParams.put(entry.getKey(), entry.getValue()); + } + } + return newParams; + } + } } Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java Sun Jan 22 22:12:29 2012 
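Review bot: `getParameterMap` now hides every request parameter outside the allow-list from `OAuthServlet.getMessage`, so if net.oauth assembles the signature base string from that map (which is how it appears to collect form/query parameters; to be confirmed) the server-side signature check no longer covers application parameters even though RFC 5849 section 3.4.1.3 requires them, and a request whose non-OAuth parameters were altered would still verify. If the intent is to tolerate clients that do not sign those parameters, that trade-off deserves a comment on the override, e.g. `// Only protocol and x_oauth_ parameters take part in signature validation; other request parameters are not signature-protected`. The override also lacks `@Override`, and `getParameter`/`getParameterNames`/`getParameterValues` still expose the unfiltered view, so the wrapper presents two inconsistent parameter sets; the returned `HashMap` is mutable where the servlet contract specifies an immutable map, and both `Map` and `Map.Entry` are raw types here.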
@@ -84,8 +84,11 @@ public class AccessTokenHandler { if (LOG.isLoggable(Level.WARNING)) { LOG.log(Level.WARNING, "An OAuth-related problem: {0}", new Object[] {e.fillInStackTrace()}); } - return OAuthUtils.handleException(e, e.getHttpStatusCode(), - String.valueOf(e.getParameters().get("realm"))); + int code = e.getHttpStatusCode(); + if (code == 200) { + code = HttpServletResponse.SC_UNAUTHORIZED; + } + return OAuthUtils.handleException(e, code, String.valueOf(e.getParameters().get("realm"))); } catch (Exception e) { if (LOG.isLoggable(Level.WARNING)) { LOG.log(Level.WARNING, "Server Exception: {0}", new Object[] {e.fillInStackTrace()}); Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java Sun Jan 22 22:12:29 2012 
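Review bot: The literal `200` compared against `e.getHttpStatusCode()` is a magic number encoding net.oauth's behaviour of presumably reporting 200 when the problem carries no explicit HTTP_STATUS_CODE, and the same three-line block is duplicated in AuthorizationRequestHandler and RequestTokenHandler in this commit. One helper, e.g. in OAuthUtils, `static int getStatusCode(OAuthProblemException e) { int code = e.getHttpStatusCode(); return code == HttpServletResponse.SC_OK ? HttpServletResponse.SC_UNAUTHORIZED : code; }` with the comment `// never answer 200 to an OAuth problem; an unset status becomes 401`, would keep the mapping in one place and let the three handlers call it. The enclosing method starts outside the hunk.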
@@ -115,8 +115,11 @@ public class AuthorizationRequestHandler if (LOG.isLoggable(Level.WARNING)) { LOG.log(Level.WARNING, "An OAuth related problem: {0}", new Object[]{e.fillInStackTrace()}); } - return OAuthUtils.handleException(e, e.getHttpStatusCode(), - String.valueOf(e.getParameters().get("realm"))); + int code = e.getHttpStatusCode(); + if (code == 200) { + code = HttpServletResponse.SC_UNAUTHORIZED; + } + return OAuthUtils.handleException(e, code, String.valueOf(e.getParameters().get("realm"))); } catch (Exception e) { if (LOG.isLoggable(Level.SEVERE)) { LOG.log(Level.SEVERE, "Server exception: {0}", new Object[]{e.fillInStackTrace()}); Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java Sun Jan 22 22:12:29 2012 @@ -67,12 +67,7 @@ public class RequestTokenHandler { .getClient(oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY)); //client credentials not found if (client == null) { - OAuthProblemException problemEx = new OAuthProblemException( - OAuth.Problems.CONSUMER_KEY_UNKNOWN); - problemEx - .setParameter(OAuthProblemException.HTTP_STATUS_CODE, - HttpServletResponse.SC_UNAUTHORIZED); - throw problemEx; + throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN); } OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider); 
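Review bot: In the RequestTokenHandler hunk, throwing `OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN)` without the previous explicit SC_UNAUTHORIZED makes the 401 depend on the catch block later in this class (changed in the same commit) rewriting the default status, and that dependency is invisible at the throw site. A comment such as `// no status set here: the catch block below maps the default status to 401` would make the contract explicit. The enclosing method and its catch block lie outside this hunk.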
@@ -112,8 +107,11 @@ public class RequestTokenHandler { if (LOG.isLoggable(Level.WARNING)) { LOG.log(Level.WARNING, "An OAuth-related problem: {0}", new Object[] {e.fillInStackTrace()}); } - return OAuthUtils.handleException(e, e.getHttpStatusCode(), - String.valueOf(e.getParameters().get("realm"))); + int code = e.getHttpStatusCode(); + if (code == 200) { + code = HttpServletResponse.SC_UNAUTHORIZED; + } + return OAuthUtils.handleException(e, code, String.valueOf(e.getParameters().get("realm"))); } catch (Exception e) { if (LOG.isLoggable(Level.SEVERE)) { LOG.log(Level.SEVERE, "Unexpected internal server exception: {0}", Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java?rev=1234634&r1=1234633&r2=1234634&view=diff ============================================================================== --- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java (original) +++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java Sun Jan 22 22:12:29 2012 @@ -201,7 +201,7 @@ public final class OAuthUtils { scopeList.add(token); } } - if (defaultValue != null) { + if (defaultValue != null && !scopeList.contains(defaultValue)) { scopeList.add(defaultValue); } return scopeList;
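Review bot: In the OAuthUtils hunk, the new `contains` guard deduplicates only the default scope, while the loop just above it (its start is outside the hunk) still does `scopeList.add(token)` unconditionally, so a scope string that repeats a token keeps both copies while the default is suppressed. If duplicate scopes are unwanted, the loop should apply the same check, `if (!scopeList.contains(token)) { scopeList.add(token); }`, or the method could collect into a `LinkedHashSet` and return a list copy. The method's signature and return type are outside the hunk.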