From serg...@apache.org
Subject svn commit: r1491526 - in /cxf/branches/2.6.x-fixes: ./ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ rt/...
Date Mon, 10 Jun 2013 16:26:06 GMT
Author: sergeyb
Date: Mon Jun 10 16:26:06 2013
New Revision: 1491526

URL: http://svn.apache.org/r1491526
Log:
Merged revisions 1491525 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes

................
  r1491525 | sergeyb | 2013-06-10 17:23:04 +0100 (Mon, 10 Jun 2013) | 9 lines
  
  Merged revisions 1491522 via svnmerge from 
  https://svn.apache.org/repos/asf/cxf/trunk
  
  ........
    r1491522 | sergeyb | 2013-06-10 17:20:20 +0100 (Mon, 10 Jun 2013) | 1 line
    
    A few OAuth2 code updates to better support the case where redirect_uri is omitted
  ........
................

Modified:
    cxf/branches/2.6.x-fixes/   (props changed)
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
    cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java

Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
  Merged /cxf/branches/2.7.x-fixes:r1491525
  Merged /cxf/trunk:r1491522

Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
Mon Jun 10 16:26:06 2013
@@ -41,11 +41,10 @@ public abstract class AbstractGrantHandl
     
     private String supportedGrant;
     private OAuthDataProvider dataProvider;
-    private boolean isClientConfidential;
     private boolean partialMatchScopeValidation;
-    protected AbstractGrantHandler(String grant, boolean isClientConfidential) {
+    private boolean canSupportPublicClients;
+    protected AbstractGrantHandler(String grant) {
         supportedGrant = grant;
-        this.isClientConfidential = isClientConfidential;
     }
     
     public void setDataProvider(OAuthDataProvider dataProvider) {
@@ -60,7 +59,9 @@ public abstract class AbstractGrantHandl
     }
     
     protected void checkIfGrantSupported(Client client) {
-        if (!OAuthUtils.isGrantSupportedForClient(client, isClientConfidential, supportedGrant))
{
+        if (!OAuthUtils.isGrantSupportedForClient(client, 
+                                                  canSupportPublicClients,
+                                                  OAuthConstants.AUTHORIZATION_CODE_GRANT))
{
             throw new OAuthServiceException(OAuthConstants.UNAUTHORIZED_CLIENT);    
         }
     }
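Review bot: The replacement call hard-codes `OAuthConstants.AUTHORIZATION_CODE_GRANT` as the grant to check where the removed line passed `supportedGrant`, so every subclass of this abstract handler (the client_credentials and password handlers are re-pointed at this constructor in this same commit) now asks whether the client may use the authorization-code grant instead of the grant it actually serves. A client whose allowed-grant list holds only `client_credentials` would be refused with unauthorized_client, while one restricted to `authorization_code` would be let through the other grants; an empty allowed-grant list, which the OAuthUtils change treats as allow-all, would hide the problem in many deployments. The field is still assigned by the constructor in the hunk above, so the fix is to pass `supportedGrant` as the third argument in place of `OAuthConstants.AUTHORIZATION_CODE_GRANT`.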
@@ -92,4 +93,12 @@ public abstract class AbstractGrantHandl
     public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
         this.partialMatchScopeValidation = partialMatchScopeValidation;
     }
+    
+    public void setCanSupportPublicClients(boolean support) {
+        canSupportPublicClients = support;
+    }
+    
+    public boolean isCanSupportPublicClients() {
+        return canSupportPublicClients;
+    }
 }
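Review bot: `setCanSupportPublicClients` is a public, security-affecting switch added without Javadoc; the field declared earlier in this commit defaults to false, so out of the box a non-confidential client is rejected with unauthorized_client by `checkIfGrantSupported`, which is the safe default but should be stated where an integrator will read it. Suggest `/** Allows non-confidential (public) clients to use this grant; off by default, in which case such clients are rejected with unauthorized_client. */` on the setter. The getter name `isCanSupportPublicClients` reads awkwardly, but renaming only it would desynchronise it from the `canSupportPublicClients` bean property the setter defines, so leave the pair as is or rename both.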

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java
Mon Jun 10 16:26:06 2013
@@ -34,7 +34,7 @@ public class ClientCredentialsGrantHandl
    
     
     public ClientCredentialsGrantHandler() {
-        super(OAuthConstants.CLIENT_CREDENTIALS_GRANT, true);
+        super(OAuthConstants.CLIENT_CREDENTIALS_GRANT);
     }
 
     public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String>
params)

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
Mon Jun 10 16:26:06 2013
@@ -35,14 +35,13 @@ import org.apache.cxf.rs.security.oauth2
 public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
     
     public AuthorizationCodeGrantHandler() {
-        super(OAuthConstants.AUTHORIZATION_CODE_GRANT, true);
+        super(OAuthConstants.AUTHORIZATION_CODE_GRANT);
     }
     
     public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String>
params) 
         throws OAuthServiceException {
-        // Only confidential clients can use it
         checkIfGrantSupported(client);
-        
+                
         // Get the grant representation from the provider 
         String codeValue = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
         ServerAuthorizationCodeGrant grant = 
@@ -59,14 +58,19 @@ public class AuthorizationCodeGrantHandl
         }
         // redirect URIs must match too
         String expectedRedirectUri = grant.getRedirectUri();
-        if (expectedRedirectUri != null) {
-            String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
-            
-            if (providedRedirectUri != null && !providedRedirectUri.equals(expectedRedirectUri))
{
+        String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
+        if (providedRedirectUri != null) {
+            if (expectedRedirectUri == null || !providedRedirectUri.equals(expectedRedirectUri))
{
                 throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
             }
+        } else if (expectedRedirectUri == null && !isCanSupportPublicClients()
+            || expectedRedirectUri != null 
+                && (client.getRedirectUris().size() != 1 
+                || !client.getRedirectUris().contains(expectedRedirectUri))) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
         }
         return doCreateAccessToken(client, grant.getSubject(), grant.getApprovedScopes());
     }
     
+    
 }
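Review bot: The new `else if` accepts a token request that omits redirect_uri even when the authorization request carried one, provided the grant's URI is the client's single registered URI; RFC 6749 section 4.1.3 makes the parameter REQUIRED in that case, so this is a deliberate relaxation that needs a comment explaining why it is safe (exact match against a single registration leaves nothing for an attacker to substitute) rather than an unexplained four-line condition guarding code redemption. The condition also depends on `&&` binding tighter than `||` across line breaks, which is easy to misread during a later edit. Suggest splitting it into two named booleans with the rationale attached; the method's signature is in the previous hunk.
```java
        } else {
            // redirect_uri omitted at the token endpoint. RFC 6749 4.1.3 requires it
            // whenever the authorization request had one; that is relaxed only when the
            // grant's URI is the client's single registered URI (nothing an attacker could
            // have substituted). "No URI anywhere" is tolerated only if this handler has
            // been configured to support public clients.
            boolean omittedWithoutPublicSupport =
                expectedRedirectUri == null && !isCanSupportPublicClients();
            boolean notTheSingleRegisteredUri =
                expectedRedirectUri != null
                && (client.getRedirectUris().size() != 1
                    || !client.getRedirectUris().contains(expectedRedirectUri));
            if (omittedWithoutPublicSupport || notTheSingleRegisteredUri) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
            }
        }
        // … unchanged: doCreateAccessToken call …
```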

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java
Mon Jun 10 16:26:06 2013
@@ -35,7 +35,7 @@ public class ResourceOwnerGrantHandler e
     private ResourceOwnerLoginHandler loginHandler;
     
     public ResourceOwnerGrantHandler() {
-        super(OAuthConstants.RESOURCE_OWNER_GRANT, true);
+        super(OAuthConstants.RESOURCE_OWNER_GRANT);
     }
 
     public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String>
params)

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
Mon Jun 10 16:26:06 2013
@@ -35,6 +35,7 @@ public class RefreshTokenGrantHandler im
 
     private OAuthDataProvider dataProvider;
     private boolean partialMatchScopeValidation;
+    private boolean canSupportPublicClients;
     
     public void setDataProvider(OAuthDataProvider dataProvider) {
         this.dataProvider = dataProvider;
@@ -46,7 +47,8 @@ public class RefreshTokenGrantHandler im
 
     public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String>
params)
         throws OAuthServiceException {
-        if (!OAuthUtils.isGrantSupportedForClient(client, true, OAuthConstants.REFRESH_TOKEN_GRANT))
{
+        if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClients, 
+                                                  OAuthConstants.REFRESH_TOKEN_GRANT)) {
             throw new OAuthServiceException(OAuthConstants.UNAUTHORIZED_CLIENT);    
         }
         String refreshToken = params.getFirst(OAuthConstants.REFRESH_TOKEN);
@@ -60,4 +62,8 @@ public class RefreshTokenGrantHandler im
     public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
         this.partialMatchScopeValidation = partialMatchScopeValidation;
     }
+    
+    public void setCanSupportPublicClients(boolean support) {
+        canSupportPublicClients = support;
+    }
 }
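Review bot: `setCanSupportPublicClients` is the only way to open refresh_token to non-confidential clients and it has no Javadoc; with the new field defaulting to false the changed check in `createAccessToken` rejects such clients with unauthorized_client, which is the safe default but should be stated. Suggest `/** Allows non-confidential (public) clients to refresh tokens; off by default, in which case they are rejected with unauthorized_client. */`. Unlike AbstractGrantHandler in this same commit no matching getter is added, so the property is write-only; presumably fine for container injection, but worth making consistent across the handlers.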

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
Mon Jun 10 16:26:06 2013
@@ -79,7 +79,7 @@ public class AuthorizationCodeGrantServi
             return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
         }
         
-        if (!client.isConfidential()) {
+        if (redirectUri == null) {
             OOBAuthorizationResponse oobResponse = new OOBAuthorizationResponse();
             oobResponse.setClientId(client.getClientId());
             oobResponse.setAuthorizationCode(grant.getCode());
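Review bot: The out-of-band branch is now selected by `redirectUri == null` instead of by client type, so a confidential client reaches it too whenever no redirect URI was resolved, and the authorization code is then rendered to the user-agent rather than sent down a redirect; that behaviour change deserves a one-line comment on the `if`, e.g. `// no redirect_uri could be resolved for this request: hand the code to the resource owner out-of-band instead of redirecting`. Whether null can arrive here for a client that does have registered URIs is decided by the redirect-URI validation in RedirectionBasedGrantService, which this commit also loosens, so the safety of this branch rests entirely on that method. The enclosing method starts above the hunk.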

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
Mon Jun 10 16:26:06 2013
@@ -57,6 +57,7 @@ public abstract class RedirectionBasedGr
     private String supportedResponseType;
     private String supportedGrantType;
     private boolean partialMatchScopeValidation;
+    private boolean useRegisteredRedirectUriIfPossible = true;
     private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
     private SubjectCreator subjectCreator;
     private ResourceOwnerNameProvider resourceOwnerNameProvider;
@@ -163,7 +164,7 @@ public abstract class RedirectionBasedGr
     
         // Return the authorization challenge data to the end user 
         OAuthAuthorizationData data = 
-            createAuthorizationData(client, params, permissions);
+            createAuthorizationData(client, params, redirectUri, permissions);
         personalizeData(data, userSubject);
         return Response.ok(data).build();
         
@@ -173,7 +174,7 @@ public abstract class RedirectionBasedGr
      * Create the authorization challenge data 
      */
     protected OAuthAuthorizationData createAuthorizationData(
-        Client client, MultivaluedMap<String, String> params, List<OAuthPermission>
perms) {
+        Client client, MultivaluedMap<String, String> params, String redirectUri, List<OAuthPermission>
perms) {
         
         OAuthAuthorizationData secData = new OAuthAuthorizationData();
         
@@ -182,7 +183,9 @@ public abstract class RedirectionBasedGr
         secData.setPermissions(perms);
         secData.setProposedScope(OAuthUtils.convertPermissionsToScope(perms));
         secData.setClientId(client.getClientId());
-        secData.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
+        if (redirectUri != null) {
+            secData.setRedirectUri(redirectUri);
+        }
         secData.setState(params.getFirst(OAuthConstants.STATE));
         
         secData.setApplicationName(client.getApplicationName()); 
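Review bot: Copying only the validated `redirectUri` into the authorization data here, instead of the raw `params` value the removed line used, is the right direction, since that object is what is returned to the end user as the authorization challenge. The cost is that `createAuthorizationData` is `protected` and its signature changed in the previous hunk; a subclass that overrode the old three-argument form is no longer called and silently loses whatever checks or fields it added, which on a fixes branch argues for a `@Deprecated` three-argument overload delegating to the new one, or at least a Javadoc `@param redirectUri the validated redirect URI, or null when none could be resolved` that flags the change. The method begins in the previous hunk and its body continues past this one.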
@@ -312,10 +315,10 @@ public abstract class RedirectionBasedGr
             if (!uris.contains(redirectUri)) {
                 redirectUri = null;
             } 
-        } else if (uris.size() == 1) {
+        } else if (uris.size() == 1 && useRegisteredRedirectUriIfPossible) {
             redirectUri = uris.get(0);
         }
-        if (redirectUri == null && !canRedirectUriBeEmpty(client)) {
+        if (redirectUri == null && uris.size() == 0 && !canRedirectUriBeEmpty(client))
{
             reportInvalidRequestError("Client Redirect Uri is invalid");    
         }
         return redirectUri;
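Review bot: The `uris.size() == 0` added to the final guard makes the "Client Redirect Uri is invalid" error unreachable for any client that has registered redirect URIs, yet the branch above still turns a supplied-but-unregistered redirect_uri into `null` instead of an error, and a client with several registered URIs and no parameter now also falls through to `return redirectUri` with null. RFC 6749 sections 3.1.2.3 and 3.1.2.4 require an error in both cases, and if that null reaches the new `redirectUri == null` branch in AuthorizationCodeGrantService the authorization code is shown out-of-band for a request whose redirect_uri failed validation. The only omission the commit appears to intend is the single-registered-URI case with `useRegisteredRedirectUriIfPossible` off, so the mismatch and the multiple-registration cases should report the error directly. The start of this method, including the outer `if` and where `uris` comes from, is above the hunk, and this assumes `reportInvalidRequestError` throws, as the existing fall-through to `return` suggests.
```java
            // … unchanged: outer if (redirect_uri supplied) …
            if (!uris.contains(redirectUri)) {
                // unregistered redirect_uri: RFC 6749 3.1.2.4 says fail, never degrade to null
                reportInvalidRequestError("Client Redirect Uri is invalid");
            }
        } else if (uris.size() == 1 && useRegisteredRedirectUriIfPossible) {
            redirectUri = uris.get(0);
        } else if (uris.size() > 1) {
            // several registered URIs and none chosen: RFC 6749 3.1.2.3 requires an error
            reportInvalidRequestError("Client Redirect Uri is invalid");
        }
        if (redirectUri == null && uris.size() == 0 && !canRedirectUriBeEmpty(client)) {
            reportInvalidRequestError("Client Redirect Uri is invalid");
        }
        return redirectUri;
```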
@@ -359,6 +362,14 @@ public abstract class RedirectionBasedGr
     public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
         this.partialMatchScopeValidation = partialMatchScopeValidation;
     }
+    /**
+     * If a client does not include a redirect_uri parameter but has an exactly one
+     * pre-registered redirect_uri then use that redirect_uri
+     * @param use allows to use a single registered redirect_uri if set to true (default)
+     */
+    public void setUseRegisteredRedirectUriIfPossible(boolean use) {
+        this.useRegisteredRedirectUriIfPossible = use;
+    }
     
     protected abstract boolean canSupportPublicClient(Client c);
     

Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
(original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
Mon Jun 10 16:26:06 2013
@@ -79,11 +79,13 @@ public final class OAuthUtils {
     }
     
     public static boolean isGrantSupportedForClient(Client client, 
-                                                    boolean isConfidential, 
+                                                    boolean canSupportPublicClients, 
                                                     String grantType) {
+        if (!client.isConfidential() && !canSupportPublicClients) {
+            return false;
+        }
         List<String> allowedGrants = client.getAllowedGrantTypes();
-        return isConfidential == client.isConfidential()
-            && (allowedGrants.isEmpty() || allowedGrants.contains(grantType));
+        return allowedGrants.isEmpty() || allowedGrants.contains(grantType);
     }
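Review bot: `isGrantSupportedForClient` is the single gate every token handler calls, and the allow-all meaning of an empty allowed-grant list on the last line is exactly the kind of default that should be documented on the method rather than discovered in a handler. Suggest Javadoc: `Checks that the client may use the given grant: non-confidential clients pass only when canSupportPublicClients is set, and a client with an empty allowed-grant list is treated as permitted for every grant type.` The removed line also enforced a symmetry that is now gone: a handler configured for public clients used to reject confidential ones, whereas now a confidential client always passes the first gate; presumably intentional, but worth a sentence in the Javadoc since callers on this branch may have relied on the old behaviour.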
     
     public static List<String> parseScope(String requestedScope) {


