Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 60C7BDFDE for ; Thu, 11 Oct 2012 11:50:14 +0000 (UTC) Received: (qmail 42393 invoked by uid 500); 11 Oct 2012 11:50:14 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 42114 invoked by uid 500); 11 Oct 2012 11:50:12 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 42088 invoked by uid 99); 11 Oct 2012 11:50:11 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2012 11:50:11 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Oct 2012 11:50:08 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 9E62B23888E3; Thu, 11 Oct 2012 11:49:23 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1397001 - in /cxf/branches/2.6.x-fixes: ./ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/ rt/rs/securit... Date: Thu, 11 Oct 2012 11:49:23 -0000 To: commits@cxf.apache.org 
From: sergeyb@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20121011114923.9E62B23888E3@eris.apache.org> Author: sergeyb Date: Thu Oct 11 11:49:22 2012 New Revision: 1397001 URL: http://svn.apache.org/viewvc?rev=1397001&view=rev Log: Merged revisions 1396988 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk ........ r1396988 | sergeyb | 2012-10-11 12:27:08 +0100 (Thu, 11 Oct 2012) | 1 line [CXF-4548,CXF-4549] Enabling the use of customized session providers, adding more information to OAuthContext, patches applied with thanks to Thorsten Hoeger ........ Added: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java - copied unchanged from r1396988, cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java Modified: cxf/branches/2.6.x-fixes/ (props changed) cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java Propchange: cxf/branches/2.6.x-fixes/ ------------------------------------------------------------------------------ Merged /cxf/trunk:r1396988 Propchange: cxf/branches/2.6.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. 
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java?rev=1397001&r1=1397000&r2=1397001&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java Thu Oct 11 11:49:22 2012
@@ -31,6 +31,8 @@ public class OAuthContext {
 private UserSubject subject;
 private List permissions;
 private String tokenGrantType;
+ private String clientId;
+ private String tokenKey;
 public OAuthContext(UserSubject subject, List perms,
@@ -66,5 +68,35 @@ public class OAuthContext {
 return tokenGrantType;
 }
-
+ /**
+ * Returns the client which obtained the access token
+ * @return the client id
+ */
+ public String getClientId() {
+ return clientId;
+ }
+
+ /**
+ * Sets the client which obtained the access token
+ * @param clientId
+ */
+ public void setClientId(String clientId) {
+ this.clientId = clientId;
+ }
+
+ /**
+ * Returns the access token the client is using now during the current request
+ * @return the token
+ */
+ public String getTokenKey() {
+ return tokenKey;
+ }
+
+ /**
+ * Sets the access token the client is using now during the current request
+ * @param tokenKey
+ */
+ public void setTokenKey(String tokenKey) {
+ this.tokenKey = tokenKey;
+ }
 }
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1397001&r1=1397000&r2=1397001&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java Thu Oct 11 11:49:22 2012
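Review bot: `getTokenKey` hands the raw bearer token of the current request to any resource code that reads the OAuthContext, so the Javadoc on `getTokenKey`/`setTokenKey` should say that the value is a credential and must not be logged or echoed back in responses, e.g. `* Note: this is the bearer credential itself; do not log it or include it in responses.` The `@param clientId` and `@param tokenKey` tags are empty and should carry a description or be dropped. The field declarations these accessors rely on are in the preceding hunk of the same file.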
@@ -79,9 +79,14 @@ public class OAuthRequestFilter extends
 m.put(SecurityContext.class, sc);
 // Also set the OAuthContext
- m.setContent(OAuthContext.class, new OAuthContext(accessTokenV.getTokenSubject(),
- matchingPermissions,
- accessTokenV.getTokenGrantType()));
+ OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
+ matchingPermissions,
+ accessTokenV.getTokenGrantType());
+
+ oauthContext.setClientId(accessTokenV.getClientId());
+ oauthContext.setTokenKey(accessTokenV.getTokenKey());
+
+ m.setContent(OAuthContext.class, oauthContext);
 return null;
 }
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1397001&r1=1397000&r2=1397001&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java Thu Oct 11 11:49:22 2012
@@ -41,6 +41,7 @@ import org.apache.cxf.rs.security.oauth2
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
@@ -53,6 +54,8 @@ public abstract class RedirectionBasedGr
 private String supportedResponseType;
 private String supportedGrantType;
 private boolean isClientConfidential;
+ private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
+
 protected RedirectionBasedGrantService(String supportedResponseType, String supportedGrantType, boolean isConfidential) {
@@ -234,6 +237,10 @@ public abstract class RedirectionBasedGr
 }
+ public void setSessionAuthenticityTokenProvider(SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider) {
+ this.sessionAuthenticityTokenProvider = sessionAuthenticityTokenProvider;
+ }
+
 private UserSubject createUserSubject(SecurityContext securityContext) {
 return OAuthUtils.createSubject(securityContext);
 }
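Review bot: `setSessionAuthenticityTokenProvider` is the only switch that enables the pluggable authenticity-token store, yet it has no Javadoc, so a deployer cannot tell what leaving it unset means. A one-liner would do: `/** Sets a custom authenticity-token store; when none is set the token is kept in the HttpSession. */`. The signature also runs to about 120 characters and would read better with the parameter wrapped onto its own line, matching the wrapped constructor in the earlier hunk.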
@@ -279,22 +286,33 @@ public abstract class RedirectionBasedGr
 }
 private void addAuthenticityTokenToSession(OAuthAuthorizationData secData) {
- HttpSession session = getMessageContext().getHttpServletRequest().getSession();
- String value = UUID.randomUUID().toString();
- secData.setAuthenticityToken(value);
- session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, value);
+ final String sessionToken;
+ if (this.sessionAuthenticityTokenProvider != null) {
+ sessionToken = this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext());
+ } else {
+ HttpSession session = getMessageContext().getHttpServletRequest().getSession();
+ sessionToken = UUID.randomUUID().toString();
+ session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
+ }
+ secData.setAuthenticityToken(sessionToken);
 }
 private boolean compareRequestAndSessionTokens(String requestToken) {
- HttpSession session = getMessageContext().getHttpServletRequest().getSession();
- String sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
-
+ final String sessionToken;
+ if (this.sessionAuthenticityTokenProvider != null) {
+ sessionToken = sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext());
+ } else {
+ HttpSession session = getMessageContext().getHttpServletRequest().getSession();
+ sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ if (sessionToken != null) {
+ session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ }
+ }
 if (StringUtils.isEmpty(sessionToken)) {
 return false;
+ } else {
+ return requestToken.equals(sessionToken);
 }
-
- session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
- return requestToken.equals(sessionToken);
 }
 }
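Review bot: `return requestToken.equals(sessionToken);` in compareRequestAndSessionTokens still dereferences `requestToken` without a null check and compares the authenticity token with a plain `equals`, whose early exit on the first differing byte leaks comparison timing; a null-safe guard `if (requestToken == null || StringUtils.isEmpty(sessionToken)) { return false; }` followed by a constant-time comparison via `MessageDigest.isEqual` on the byte forms of both strings would address both (MessageDigest would need importing). The `else` after `return false;` is redundant and the two methods are inconsistent about `this.` before `sessionAuthenticityTokenProvider`. The rewritten compare also relies on a custom `removeSessionToken` returning the token exactly once, which is presumably the contract of the new SessionAuthenticityTokenProvider interface but is not visible in this diff; it should be stated in that interface's Javadoc. The class continues outside this hunk.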