From serg...@apache.org
Subject svn commit: r1396988 - in /cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2: common/ filters/ provider/ services/
Date Thu, 11 Oct 2012 11:27:08 GMT
Author: sergeyb
Date: Thu Oct 11 11:27:08 2012
New Revision: 1396988

URL: http://svn.apache.org/viewvc?rev=1396988&view=rev
Log:
[CXF-4548,CXF-4549] Enabling the use of customized session providers, adding more information
to OAuthContext, patches applied with thanks to Thorsten Hoeger

Added:
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
  (with props)
Modified:
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java?rev=1396988&r1=1396987&r2=1396988&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
Thu Oct 11 11:27:08 2012
@@ -31,6 +31,8 @@ public class OAuthContext {
     private UserSubject subject;
     private List<OAuthPermission> permissions;
     private String tokenGrantType;
+    private String clientId;
+    private String tokenKey;
     
     public OAuthContext(UserSubject subject, 
                         List<OAuthPermission> perms,
@@ -66,5 +68,35 @@ public class OAuthContext {
         return tokenGrantType;
     }
     
-
+    /**
+      * Returns the client which obtained the access token
+      * @return the client id
+    */
+    public String getClientId() {
+        return clientId;
+    }
+    
+    /**
+     * Sets the client which obtained the access token
+     * @param clientId
+    */
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+    
+    /**
+     * Returns the access token the client is using now during the current request
+     * @return the token
+     */
+    public String getTokenKey() {
+        return tokenKey;
+    }
+    
+    /**
+     * Sets the access token the client is using now during the current request
+     * @param tokenKey
+     */
+    public void setTokenKey(String tokenKey) {
+        this.tokenKey = tokenKey;
+    }
 }
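Review bot: The Javadoc on the new `getClientId` is misaligned (the `*` lines are indented one column deeper than the `/**`, and the closing `*/` sits at four spaces, unlike the three other blocks in this hunk), and both `@param clientId` and `@param tokenKey` carry no description. Since `tokenKey` is the access token value itself, the description is the place to say how it must be handled: `@param clientId the id of the client which obtained the access token` and `@param tokenKey the access token key; it is the bearer credential, so treat it as a secret and do not log it`. The enclosing class `OAuthContext` starts outside the hunk.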

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1396988&r1=1396987&r2=1396988&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
Thu Oct 11 11:27:08 2012
@@ -79,9 +79,14 @@ public class OAuthRequestFilter extends 
         m.put(SecurityContext.class, sc);
         
         // Also set the OAuthContext
-        m.setContent(OAuthContext.class, new OAuthContext(accessTokenV.getTokenSubject(),
-                                                          matchingPermissions,
-                                                          accessTokenV.getTokenGrantType()));
+        OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
+                                                     matchingPermissions,
+                                                     accessTokenV.getTokenGrantType());
+        
+        oauthContext.setClientId(accessTokenV.getClientId());
+        oauthContext.setTokenKey(accessTokenV.getTokenKey());
+        
+        m.setContent(OAuthContext.class, oauthContext);
         
         return null;
     }
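Review bot: The `setTokenKey` line copies the raw bearer credential out of `accessTokenV` into the `OAuthContext` that is then placed into the message content, so any application code or interceptor that dumps the context or the message will expose the token; that intent is worth stating inline, e.g. `// tokenKey is the raw bearer credential: made available for lookups, never to be logged`. The method this hunk belongs to begins outside the hunk.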

Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java?rev=1396988&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
Thu Oct 11 11:27:08 2012
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import org.apache.cxf.jaxrs.ext.MessageContext;
+
+/**
+ * SessionAuthenticityTokenProvider responsible for storing and retrieving tokens 
+ * to validate the authenticity of request sessions
+ */
+public interface SessionAuthenticityTokenProvider {
+
+    /**
+     * Creates a new session token and stores it
+     * 
+     * @param mc the {@link MessageContext} of this request
+     * @return the created session token
+     */
+    String createSessionToken(MessageContext mc);
+
+    /**
+     * Retrieves the stored session token
+     * 
+     * @param mc the {@link MessageContext} of this request
+     * @return the stored token
+     */
+    String getSessionToken(MessageContext mc);
+
+    /**
+     * Removes the stored session token
+     * 
+     * @param mc the {@link MessageContext} of this request
+     */
+    String removeSessionToken(MessageContext mc);
+
+}
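Review bot: `removeSessionToken` returns a `String` but its Javadoc has no `@return`, and the interface Javadoc never states the properties the callers rely on: from the service changes in this commit the token appears to be a one-shot authenticity (anti-CSRF) value that is created before the redirect and consumed by `removeSessionToken` at the comparison step, and the default implementation uses `UUID.randomUUID()`. I'd add `@return the removed token, or null if none was stored` to `removeSessionToken`, and a sentence on the type-level Javadoc saying that implementations must return an unguessable token bound to the current session and that `removeSessionToken` must both delete and return the stored value so a token cannot be replayed. Whether `null` or an empty string is the expected "absent" value should also be fixed here, since the caller checks with `StringUtils.isEmpty`.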

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1396988&r1=1396987&r2=1396988&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
(original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
Thu Oct 11 11:27:08 2012
@@ -41,6 +41,7 @@ import org.apache.cxf.rs.security.oauth2
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
@@ -53,6 +54,8 @@ public abstract class RedirectionBasedGr
     private String supportedResponseType;
     private String supportedGrantType;
     private boolean isClientConfidential;
+    private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
+    
     protected RedirectionBasedGrantService(String supportedResponseType,
                                            String supportedGrantType,
                                            boolean isConfidential) {
@@ -234,6 +237,10 @@ public abstract class RedirectionBasedGr
         
     }
     
+    public void setSessionAuthenticityTokenProvider(SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider)
{
+        this.sessionAuthenticityTokenProvider = sessionAuthenticityTokenProvider;
+    }
+    
     private UserSubject createUserSubject(SecurityContext securityContext) {
         return OAuthUtils.createSubject(securityContext);
     }
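Review bot: The new `setSessionAuthenticityTokenProvider` has no Javadoc, and since setting it changes where the authenticity token is stored it deserves one: `/** Sets a custom store for the session authenticity token; when unset the token is kept in the HttpServletRequest session under OAuthConstants.SESSION_AUTHENTICITY_TOKEN. */`. The signature appears wrapped across two lines with `{` alone on the following line, which may be an artefact of the archive view rather than the committed layout.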
@@ -279,22 +286,33 @@ public abstract class RedirectionBasedGr
     }
     
     private void addAuthenticityTokenToSession(OAuthAuthorizationData secData) {
-        HttpSession session = getMessageContext().getHttpServletRequest().getSession();
-        String value = UUID.randomUUID().toString();
-        secData.setAuthenticityToken(value);
-        session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, value);
+        final String sessionToken;
+        if (this.sessionAuthenticityTokenProvider != null) {
+            sessionToken = this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext());
+        } else {
+            HttpSession session = getMessageContext().getHttpServletRequest().getSession();
+            sessionToken = UUID.randomUUID().toString();
+            session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
+        }
+        secData.setAuthenticityToken(sessionToken);
     }
     
     private boolean compareRequestAndSessionTokens(String requestToken) {
-        HttpSession session = getMessageContext().getHttpServletRequest().getSession();
-        String sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
-        
+        final String sessionToken;
+        if (this.sessionAuthenticityTokenProvider != null) {
+            sessionToken = sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext());
+        } else {
+            HttpSession session = getMessageContext().getHttpServletRequest().getSession();
+            sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+            if (sessionToken != null) {
+                session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);    
+            }
+        }
         if (StringUtils.isEmpty(sessionToken)) {
             return false;
+        } else {
+            return requestToken.equals(sessionToken);
         }
-        
-        session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
-        return requestToken.equals(sessionToken);
     }
     
 }
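Review bot: `requestToken.equals(sessionToken)` in the new `else` branch of `compareRequestAndSessionTokens` throws `NullPointerException` when no request token was supplied, and a plain `String.equals` is not a constant-time comparison for what appears to be an anti-CSRF authenticity token; I'd replace the branch with `if (requestToken == null) { return false; }` followed by `return MessageDigest.isEqual(sessionToken.getBytes(StandardCharsets.UTF_8), requestToken.getBytes(StandardCharsets.UTF_8));`, adding `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` to the imports in the first hunk of this file. Whether `requestToken` can actually arrive as `null` depends on the caller, which is outside this hunk. On style, the `else` after `return false` is redundant, the field is referenced as `this.sessionAuthenticityTokenProvider` in `addAuthenticityTokenToSession` but by its bare name in `compareRequestAndSessionTokens`, and the `removeAttribute` line carries trailing whitespace. Both methods are complete within the hunk; the class continues past it.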


