cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1295681 - in /cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2: common/ filters/ grants/ grants/code/ services/ utils/
Date Thu, 01 Mar 2012 17:13:46 GMT
Author: sergeyb
Date: Thu Mar  1 17:13:45 2012
New Revision: 1295681

URL: http://svn.apache.org/viewvc?rev=1295681&view=rev
Log:
[CXF-4112] Preparing the code to deal with multiple grant types better

Added:
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
  (with props)
Modified:
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
Thu Mar  1 17:13:45 2012
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.rs.security.oauth2.common;
 
+import java.util.Collections;
 import java.util.Map;
 
 /**
@@ -27,7 +28,7 @@ public abstract class AccessToken {
 
     private String tokenKey;
     private String tokenType;
-    private Map<String, String> parameters;
+    private Map<String, String> parameters = Collections.emptyMap();
     
     protected AccessToken(String tokenType, String tokenKey) {
         this.tokenType = tokenType;

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
Thu Mar  1 17:13:45 2012
@@ -29,10 +29,14 @@ public class OAuthContext {
 
     private UserSubject subject;
     private List<OAuthPermission> permissions;
+    private String tokenGrantType;
     
-    public OAuthContext(UserSubject subject, List<OAuthPermission> perms) {
+    public OAuthContext(UserSubject subject, 
+                        List<OAuthPermission> perms,
+                        String tokenGrantType) {
         this.subject = subject;
         this.permissions = perms;
+        this.tokenGrantType = tokenGrantType;
     }
     
     public UserSubject getSubject() {
@@ -42,6 +46,11 @@ public class OAuthContext {
     public List<OAuthPermission> getPermissions() {
         return Collections.unmodifiableList(permissions);
     }
+
+    
+    public String getTokenGrantType() {
+        return tokenGrantType;
+    }
     
 
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
Thu Mar  1 17:13:45 2012
@@ -25,7 +25,7 @@ import java.util.List;
  * Base Token representation
  */
 public abstract class ServerAccessToken extends AccessToken {
-
+    private String grantType;
     private long issuedAt;
     private long lifetime;
     private Client client;
@@ -103,4 +103,12 @@ public abstract class ServerAccessToken 
         return subject;
     }
 
+    public void setGrantType(String grantType) {
+        this.grantType = grantType;
+    }
+
+    public String getGrantType() {
+        return grantType;
+    }
+
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
Thu Mar  1 17:13:45 2012
@@ -96,7 +96,7 @@ public class OAuthRequestFilter implemen
       
         OAuthInfo info = new OAuthInfo(accessToken, matchingPermissions);
         SecurityContext sc = createSecurityContext(req, info);
-        m.setContent(SecurityContext.class, sc);
+        m.put(SecurityContext.class, sc);
         m.setContent(OAuthContext.class, createOAuthContext(info));
         
         return null;
@@ -196,16 +196,20 @@ public class OAuthRequestFilter implemen
         UserSubject subject = info.getToken().getSubject();
 
         final UserSubject theSubject = subject;
+        final String login = OAuthRequestFilter.this.useUserSubject 
+                    ? (theSubject != null ? theSubject.getLogin() : null)
+                        : info.getToken().getClient().getLoginName();
+                    
         return new SecurityContext() {
 
             public Principal getUserPrincipal() {
-                String login = OAuthRequestFilter.this.useUserSubject 
-                    ? (theSubject != null ? theSubject.getLogin() : null)
-                    : info.getToken().getClient().getLoginName();  
-                return new SimplePrincipal(login);
+                return login != null ? new SimplePrincipal(login) : null;
             }
 
             public boolean isUserInRole(String role) {
+                if (login == null) {
+                    return false;
+                }
                 List<String> roles = null;
                 if (OAuthRequestFilter.this.useUserSubject && theSubject != null)
{
                     roles = theSubject.getRoles();    
@@ -218,12 +222,10 @@ public class OAuthRequestFilter implemen
         };
     }
     
-    protected OAuthContext createOAuthContext(OAuthInfo info) {
-        UserSubject subject = null;
-        if (info.getToken() != null) {
-            subject = info.getToken().getSubject();
-        }
-        return new OAuthContext(subject, info.getMatchedPermissions());
+    private OAuthContext createOAuthContext(OAuthInfo info) {
+        return new OAuthContext(info.getToken().getSubject(),
+                                info.getMatchedPermissions(),
+                                info.getToken().getGrantType());
     }
     
     private static class OAuthInfo {

Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java?rev=1295681&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
Thu Mar  1 17:13:45 2012
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.grants;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.UUID;
+
+import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.MD5SequenceGenerator;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+
+
+public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
+    
+    private static final long DEFAULT_TOKEN_LIFETIME = 3600L;
+    
+    private long tokenLifetime = DEFAULT_TOKEN_LIFETIME;
+    private List<String> supportedGrants;
+    private OAuthDataProvider dataProvider;
+        
+    protected AbstractGrantHandler(String grant) {
+        supportedGrants = Collections.singletonList(grant);
+    }
+    
+    public void setDataProvider(OAuthDataProvider dataProvider) {
+        this.dataProvider = dataProvider;
+    }
+    public OAuthDataProvider getDataProvider() {
+        return dataProvider;
+    }
+    
+    public List<String> getSupportedGrantTypes() {
+        return supportedGrants;
+    }
+    
+    protected static String generateRandomTokenKey() throws OAuthServiceException {
+        try {
+            byte[] bytes = UUID.randomUUID().toString().getBytes("UTF-8");
+            return new MD5SequenceGenerator().generate(bytes);
+        } catch (Exception ex) {
+            throw new OAuthServiceException(OAuthConstants.SERVER_ERROR, ex);
+        }
+    }
+
+    public void setTokenLifetime(long tokenLifetime) {
+        this.tokenLifetime = tokenLifetime;
+    }
+
+    public long getTokenLifetime() {
+        return tokenLifetime;
+    }
+    
+    
+}

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
Thu Mar  1 17:13:45 2012
@@ -19,38 +19,29 @@
 
 package org.apache.cxf.rs.security.oauth2.grants.code;
 
-import java.util.Collections;
-import java.util.List;
-import java.util.UUID;
-
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
+import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
-import org.apache.cxf.rs.security.oauth2.utils.MD5SequenceGenerator;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 
 
 
-public class AuthorizationCodeGrantHandler implements AccessTokenGrantHandler {
-    
-    private static final long DEFAULT_TOKEN_LIFETIME = 3600L;
-    
-    private AuthorizationCodeDataProvider codeProvider;
-    private long tokenLifetime = DEFAULT_TOKEN_LIFETIME;
+public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
     
-    public List<String> getSupportedGrantTypes() {
-        return Collections.singletonList(OAuthConstants.AUTHORIZATION_CODE_GRANT);
+    public AuthorizationCodeGrantHandler() {
+        super(OAuthConstants.AUTHORIZATION_CODE_GRANT);
     }
+    
     public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String>
params) 
         throws OAuthServiceException {
-        
+        String codeValue = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
         ServerAuthorizationCodeGrant grant = 
-            codeProvider.removeCodeGrant(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE));
+            ((AuthorizationCodeDataProvider)getDataProvider()).removeCodeGrant(codeValue);
         if (grant == null) {
             return null;
         }
@@ -66,27 +57,13 @@ public class AuthorizationCodeGrantHandl
             }
         }
         BearerAccessToken token = new BearerAccessToken(client, 
-                                                        generateTokenKey(),
-                                                        tokenLifetime, 
+                                                        generateRandomTokenKey(),
+                                                        getTokenLifetime(), 
                                                         System.currentTimeMillis() / 1000);
         token.setScopes(grant.getApprovedScopes());
         token.setSubject(grant.getSubject());
+        token.setGrantType(OAuthConstants.AUTHORIZATION_CODE_GRANT);
         return token;
     }
-    public void setCodeProvider(AuthorizationCodeDataProvider codeProvider) {
-        this.codeProvider = codeProvider;
-    }
-    
-    protected String generateTokenKey() throws OAuthServiceException {
-        try {
-            byte[] bytes = UUID.randomUUID().toString().getBytes("UTF-8");
-            return new MD5SequenceGenerator().generate(bytes);
-        } catch (Exception ex) {
-            throw new OAuthServiceException(OAuthConstants.SERVER_ERROR, ex);
-        }
-    }
-    public void setTokenLifetime(long tokenLifetime) {
-        this.tokenLifetime = tokenLifetime;
-    }
     
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
Thu Mar  1 17:13:45 2012
@@ -18,12 +18,15 @@
  */
 package org.apache.cxf.rs.security.oauth2.services;
 
+import java.util.logging.Logger;
+
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthError;
@@ -35,8 +38,10 @@ import org.apache.cxf.rs.security.oauth2
  * Abstract utility class which OAuth services extend
  */
 public abstract class AbstractOAuthService {
+    private static final Logger LOG = LogUtils.getL7dLogger(AbstractOAuthService.class);
     private MessageContext mc;
     private OAuthDataProvider dataProvider;
+    private boolean blockUnsecureRequests;
     
     @Context 
     public void setMessageContext(MessageContext context) {
@@ -79,10 +84,23 @@ public abstract class AbstractOAuthServi
         
     }
     
+    protected void checkTransportSecurity() {  
+        if (!mc.getSecurityContext().isSecure()) {
+            LOG.warning("Unsecure HTTP, Transport Layer Security is recommended");
+            if (blockUnsecureRequests) {
+                throw new WebApplicationException(400);    
+            }
+        }
+    }
+    
     protected void reportInvalidRequestError(String errorDescription) {
         OAuthError error = 
             new OAuthError(OAuthConstants.INVALID_REQUEST, errorDescription);
         throw new WebApplicationException(
                   Response.status(400).type(MediaType.APPLICATION_JSON).entity(error).build());
     }
+
+    public void setBlockUnsecureRequests(boolean blockUnsecureRequests) {
+        this.blockUnsecureRequests = blockUnsecureRequests;
+    }
 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
Thu Mar  1 17:13:45 2012
@@ -108,6 +108,8 @@ public class AccessTokenService extends 
                 Object clientIdProp = getMessageContext().get(OAuthConstants.CLIENT_ID);
                 if (clientIdProp != null) {
                     client = getClient(clientIdProp.toString());
+                    //TODO: 
+                    // consider matching client.getLoginName() against principal.getName()
?
                 }
             }
         } else {
@@ -145,7 +147,7 @@ public class AccessTokenService extends 
             if (grantHandlers.size() == 0) {
                 AuthorizationCodeGrantHandler handler = new AuthorizationCodeGrantHandler();
                 if (handler.getSupportedGrantTypes().contains(grantType)) {
-                    handler.setCodeProvider(
+                    handler.setDataProvider(
                             (AuthorizationCodeDataProvider)super.getDataProvider());
                     return handler;
                 }

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
Thu Mar  1 17:13:45 2012
@@ -36,7 +36,6 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriBuilder;
 
 import org.apache.cxf.common.util.StringUtils;
@@ -50,6 +49,7 @@ import org.apache.cxf.rs.security.oauth2
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.security.LoginSecurityContext;
+import org.apache.cxf.security.SecurityContext;
 
 
 /**
@@ -61,7 +61,6 @@ import org.apache.cxf.security.LoginSecu
  */
 @Path("/authorize")
 public class AuthorizationCodeGrantService extends AbstractOAuthService {
-
     private static final long DEFAULT_CODE_GRANT_LIFETIME = 3600L;
     
     private long grantLifetime = DEFAULT_CODE_GRANT_LIFETIME;
@@ -88,6 +87,8 @@ public class AuthorizationCodeGrantServi
     }
     
     protected Response startAuthorization(MultivaluedMap<String, String> params) {
+        getAndValidateSecurityContext();
+        
         Client client = getClient(params); 
         String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));

         if (!client.isConfidential()) {
@@ -159,10 +160,13 @@ public class AuthorizationCodeGrantServi
     }
     
     protected Response completeAuthorization(MultivaluedMap<String, String> params)
{
+        SecurityContext securityContext = getAndValidateSecurityContext();
         
         if (!compareRequestAndSessionTokens(params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN)))
{
             throw new WebApplicationException(400);     
         }
+        //TODO: additionally we can check that the Principal that got authenticated
+        // in startAuthorization is the same that got authenticated in completeAuthorization
         
         Client client = getClient(params);
         String originalRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
@@ -202,17 +206,15 @@ public class AuthorizationCodeGrantServi
         }
         codeReg.setApprovedScope(approvedScope);
         
-        SecurityContext sc = getMessageContext().getSecurityContext();
         List<String> roleNames = Collections.emptyList();
-        if (sc instanceof LoginSecurityContext) {
+        if (securityContext instanceof LoginSecurityContext) {
             roleNames = new ArrayList<String>();
-            Set<Principal> roles = ((LoginSecurityContext)sc).getUserRoles();
+            Set<Principal> roles = ((LoginSecurityContext)securityContext).getUserRoles();
             for (Principal p : roles) {
                 roleNames.add(p.getName());
             }
         }
-        codeReg.setSubject(new UserSubject(sc.getUserPrincipal() == null 
-            ? null : sc.getUserPrincipal().getName(), roleNames));
+        codeReg.setSubject(new UserSubject(securityContext.getUserPrincipal().getName(),
roleNames));
         
         ServerAuthorizationCodeGrant grant = null;
         try {
@@ -222,15 +224,25 @@ public class AuthorizationCodeGrantServi
         }
         
         UriBuilder ub = getRedirectUriBuilder(params.getFirst(OAuthConstants.STATE), actualRedirectUri);
-        ub.queryParam("code", grant.getCode());
+        ub.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, grant.getCode());
         return Response.seeOther(ub.build()).build();    
     }
     
+    private SecurityContext getAndValidateSecurityContext() {
+        SecurityContext securityContext =  
+            (SecurityContext)getMessageContext().get(SecurityContext.class.getName());
+        if (securityContext == null || securityContext.getUserPrincipal() == null) {
+            throw new WebApplicationException(401);
+        }
+        checkTransportSecurity();
+        return securityContext;
+    }
+    
     protected Response createErrorResponse(MultivaluedMap<String, String> params,
                                            String redirectUri,
                                            String error) {
         UriBuilder ub = getRedirectUriBuilder(params.getFirst(OAuthConstants.STATE), redirectUri);
-        ub.queryParam("error", error);
+        ub.queryParam(OAuthConstants.ERROR_KEY, error);
         return Response.seeOther(ub.build()).build();
     }
     

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java?rev=1295681&r1=1295680&r2=1295681&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
Thu Mar  1 17:13:45 2012
@@ -37,6 +37,7 @@ public final class OAuthConstants {
     
     // Well-known grant types
     public static final String AUTHORIZATION_CODE_GRANT = "authorization_code";
+    public static final String CLIENT_CREDENTIALS_GRANT = "client_credentials";
     // etc
     
     // Well-known token types



Mime
View raw message