Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2FA3010EBA for ; Mon, 10 Jun 2013 16:26:33 +0000 (UTC) Received: (qmail 21054 invoked by uid 500); 10 Jun 2013 16:26:32 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 20942 invoked by uid 500); 10 Jun 2013 16:26:32 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 20934 invoked by uid 99); 10 Jun 2013 16:26:32 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 10 Jun 2013 16:26:32 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 10 Jun 2013 16:26:27 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 06D3C238889B; Mon, 10 Jun 2013 16:26:07 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1491526 - in /cxf/branches/2.6.x-fixes: ./ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ rt/... Date: Mon, 10 Jun 2013 16:26:06 -0000 To: commits@cxf.apache.org 
From: sergeyb@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130610162607.06D3C238889B@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: sergeyb Date: Mon Jun 10 16:26:06 2013 New Revision: 1491526 URL: http://svn.apache.org/r1491526 Log: Merged revisions 1491525 via svnmerge from https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes ................ r1491525 | sergeyb | 2013-06-10 17:23:04 +0100 (Mon, 10 Jun 2013) | 9 lines Merged revisions 1491522 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk ........ r1491522 | sergeyb | 2013-06-10 17:20:20 +0100 (Mon, 10 Jun 2013) | 1 line Few OAuth2 code updates to get a case with omitted redirect_uri supported better ........ ................ Modified: cxf/branches/2.6.x-fixes/ (props changed) cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java 
Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
Merged /cxf/branches/2.7.x-fixes:r1491525
Merged /cxf/trunk:r1491522
Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java Mon Jun 10 16:26:06 2013
@@ -41,11 +41,10 @@ public abstract class AbstractGrantHandl
private String supportedGrant;
private OAuthDataProvider dataProvider;
- private boolean isClientConfidential;
private boolean partialMatchScopeValidation;
- protected AbstractGrantHandler(String grant, boolean isClientConfidential) {
+ private boolean canSupportPublicClients;
+ protected AbstractGrantHandler(String grant) {
supportedGrant = grant;
- this.isClientConfidential = isClientConfidential;
}
public void setDataProvider(OAuthDataProvider dataProvider) {
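Review bot: Dropping the `(String grant, boolean isClientConfidential)` constructor is a source- and binary-incompatible change for any custom handler that extends AbstractGrantHandler, which is worth avoiding on a 2.6.x-fixes branch; a deprecated overload that delegates, e.g. `@Deprecated protected AbstractGrantHandler(String grant, boolean isClientConfidential) { this(grant); setCanSupportPublicClients(!isClientConfidential); }`, would keep old subclasses compiling (whether that mapping of the old flag is exact should be confirmed against the old `isGrantSupportedForClient`). The new `canSupportPublicClients` field defaults to false, which preserves the previous confidential-only behaviour, but nothing says so; a field comment such as `// false by default: public (non-confidential) clients are rejected unless explicitly enabled` would make the safe default visible to whoever configures the handler. The class body continues outside the hunk.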
@@ -60,7 +59,9 @@ public abstract class AbstractGrantHandl
}
protected void checkIfGrantSupported(Client client) {
- if (!OAuthUtils.isGrantSupportedForClient(client, isClientConfidential, supportedGrant)) {
+ if (!OAuthUtils.isGrantSupportedForClient(client,
+ canSupportPublicClients,
+ OAuthConstants.AUTHORIZATION_CODE_GRANT)) {
throw new OAuthServiceException(OAuthConstants.UNAUTHORIZED_CLIENT);
}
}
@@ -92,4 +93,12 @@ public abstract class AbstractGrantHandl
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
+
+ public void setCanSupportPublicClients(boolean support) {
+ canSupportPublicClients = support;
+ }
+
+ public boolean isCanSupportPublicClients() {
+ return canSupportPublicClients;
+ }
}
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java Mon Jun 10 16:26:06 2013
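Review bot: `checkIfGrantSupported` now passes the constant `OAuthConstants.AUTHORIZATION_CODE_GRANT` where the old line passed the handler's own `supportedGrant`, yet this method lives in AbstractGrantHandler and is inherited by ClientCredentialsGrantHandler and ResourceOwnerGrantHandler, both of which this commit switches to the one-argument constructor. With the new `isGrantSupportedForClient`, a client whose allowed-grant list contains only `authorization_code` passes this check for the client_credentials and password grants, while a client allowed only `client_credentials` is rejected from its own grant — the per-client grant restriction no longer enforces what was registered. The third argument should be the field that is still assigned in the constructor: `OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClients, supportedGrant)`. A test that registers a client with a single allowed grant type and drives a different handler through this check would catch the regression.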
@@ -34,7 +34,7 @@ public class ClientCredentialsGrantHandl
public ClientCredentialsGrantHandler() {
- super(OAuthConstants.CLIENT_CREDENTIALS_GRANT, true);
+ super(OAuthConstants.CLIENT_CREDENTIALS_GRANT);
}
public ServerAccessToken createAccessToken(Client client, MultivaluedMap params)
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java Mon Jun 10 16:26:06 2013
@@ -35,14 +35,13 @@ import org.apache.cxf.rs.security.oauth2
public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
public AuthorizationCodeGrantHandler() {
- super(OAuthConstants.AUTHORIZATION_CODE_GRANT, true);
+ super(OAuthConstants.AUTHORIZATION_CODE_GRANT);
}
public ServerAccessToken createAccessToken(Client client, MultivaluedMap params)
throws OAuthServiceException {
- // Only confidential clients can use it
checkIfGrantSupported(client);
-
+
// Get the grant representation from the provider
String codeValue = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
ServerAuthorizationCodeGrant grant =
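Review bot: The removed comment `// Only confidential clients can use it` is not replaced, so the `checkIfGrantSupported(client)` call in `createAccessToken` no longer says what it enforces now that the confidentiality rule is configurable. A one-line replacement such as `// Rejects public clients unless canSupportPublicClients is set, and grant types the client is not registered for` keeps the policy readable at the point where it is applied. The method body continues outside the hunk.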
@@ -59,14 +58,19 @@ public class AuthorizationCodeGrantHandl
}
// redirect URIs must match too
String expectedRedirectUri = grant.getRedirectUri();
- if (expectedRedirectUri != null) {
- String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
-
- if (providedRedirectUri != null && !providedRedirectUri.equals(expectedRedirectUri)) {
+ String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
+ if (providedRedirectUri != null) {
+ if (expectedRedirectUri == null || !providedRedirectUri.equals(expectedRedirectUri)) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
+ } else if (expectedRedirectUri == null && !isCanSupportPublicClients()
+ || expectedRedirectUri != null
+ && (client.getRedirectUris().size() != 1
+ || !client.getRedirectUris().contains(expectedRedirectUri))) {
+ throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
return doCreateAccessToken(client, grant.getSubject(), grant.getApprovedScopes());
}
+
}
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java Mon Jun 10 16:26:06 2013
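Review bot: The new `else if` mixes `&&` and `||` across four lines with no grouping, so the reader has to know Java precedence to see that it means `(expected == null && !isCanSupportPublicClients()) || (expected != null && (size != 1 || !contains(expected)))`; for a check that decides whether an authorization code is exchanged, that should be explicit. Writing it as `} else if ((expectedRedirectUri == null && !isCanSupportPublicClients()) || (expectedRedirectUri != null && (client.getRedirectUris().size() != 1 || !client.getRedirectUris().contains(expectedRedirectUri)))) {` costs nothing, and a comment naming the two rejected cases — no redirect_uri in either request from a client that may not be public, or an omitted redirect_uri that cannot be resolved unambiguously against the registration — would make the intent auditable. Whether `client.getRedirectUris()` can return null is not visible here and should be confirmed before this code runs against provider-supplied clients.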
@@ -35,7 +35,7 @@ public class ResourceOwnerGrantHandler e
private ResourceOwnerLoginHandler loginHandler;
public ResourceOwnerGrantHandler() {
- super(OAuthConstants.RESOURCE_OWNER_GRANT, true);
+ super(OAuthConstants.RESOURCE_OWNER_GRANT);
}
public ServerAccessToken createAccessToken(Client client, MultivaluedMap params)
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java Mon Jun 10 16:26:06 2013
@@ -35,6 +35,7 @@ public class RefreshTokenGrantHandler im
private OAuthDataProvider dataProvider;
private boolean partialMatchScopeValidation;
+ private boolean canSupportPublicClients;
public void setDataProvider(OAuthDataProvider dataProvider) {
this.dataProvider = dataProvider;
@@ -46,7 +47,8 @@ public class RefreshTokenGrantHandler im
public ServerAccessToken createAccessToken(Client client, MultivaluedMap params)
throws OAuthServiceException {
- if (!OAuthUtils.isGrantSupportedForClient(client, true, OAuthConstants.REFRESH_TOKEN_GRANT)) {
+ if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClients,
+ OAuthConstants.REFRESH_TOKEN_GRANT)) {
throw new OAuthServiceException(OAuthConstants.UNAUTHORIZED_CLIENT);
}
String refreshToken = params.getFirst(OAuthConstants.REFRESH_TOKEN);
@@ -60,4 +62,8 @@ public class RefreshTokenGrantHandler im
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
+
+ public void setCanSupportPublicClients(boolean support) {
+ canSupportPublicClients = support;
+ }
}
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java Mon Jun 10 16:26:06 2013
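Review bot: `setCanSupportPublicClients` widens which clients may exchange a refresh token — previously the handler passed a hard-coded `true` so only confidential clients qualified — but the new setter carries no Javadoc, so a deployer cannot tell from the API what turning it on gives up. Suggested: `/** Allows public (non-confidential) clients to use the refresh_token grant. Off by default, which keeps the previous confidential-only behaviour; public clients cannot authenticate, so a leaked refresh token becomes usable by anyone holding it. */`. The same setter is added to AbstractGrantHandler in this commit and deserves the same text.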
@@ -79,7 +79,7 @@ public class AuthorizationCodeGrantServi
return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
}
- if (!client.isConfidential()) {
+ if (redirectUri == null) {
OOBAuthorizationResponse oobResponse = new OOBAuthorizationResponse();
oobResponse.setClientId(client.getClientId());
oobResponse.setAuthorizationCode(grant.getCode());
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java Mon Jun 10 16:26:06 2013
@@ -57,6 +57,7 @@ public abstract class RedirectionBasedGr
private String supportedResponseType;
private String supportedGrantType;
private boolean partialMatchScopeValidation;
+ private boolean useRegisteredRedirectUriIfPossible = true;
private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
private SubjectCreator subjectCreator;
private ResourceOwnerNameProvider resourceOwnerNameProvider;
@@ -163,7 +164,7 @@ public abstract class RedirectionBasedGr
// Return the authorization challenge data to the end user
OAuthAuthorizationData data =
- createAuthorizationData(client, params, permissions);
+ createAuthorizationData(client, params, redirectUri, permissions);
personalizeData(data, userSubject);
return Response.ok(data).build();
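Review bot: The out-of-band branch is now selected by `redirectUri == null` instead of by the client being public, so every request that reaches this point without a resolved redirect URI — including a confidential client with several registered URIs that omitted the parameter — gets the authorization code rendered in the response body. That may be the "omitted redirect_uri" support the commit log describes, but nothing here says which null cases are deliberate, and the redirect-URI resolution in RedirectionBasedGrantService (changed in the same commit) is what decides it. A comment above the branch, e.g. `// No redirect URI could be resolved for this request: hand the code to the resource owner out-of-band rather than redirecting`, plus a pointer to the resolution rules, would stop a later reader from reintroducing the confidentiality test or removing the null check without seeing the coupling. The method continues outside the hunk.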
@@ -173,7 +174,7 @@ public abstract class RedirectionBasedGr
* Create the authorization challenge data
*/
protected OAuthAuthorizationData createAuthorizationData(
- Client client, MultivaluedMap params, List perms) {
+ Client client, MultivaluedMap params, String redirectUri, List perms) {
OAuthAuthorizationData secData = new OAuthAuthorizationData();
@@ -182,7 +183,9 @@ public abstract class RedirectionBasedGr
secData.setPermissions(perms);
secData.setProposedScope(OAuthUtils.convertPermissionsToScope(perms));
secData.setClientId(client.getClientId());
- secData.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
+ if (redirectUri != null) {
+ secData.setRedirectUri(redirectUri);
+ }
secData.setState(params.getFirst(OAuthConstants.STATE));
secData.setApplicationName(client.getApplicationName());
@@ -312,10 +315,10 @@ public abstract class RedirectionBasedGr
if (!uris.contains(redirectUri)) {
redirectUri = null;
}
- } else if (uris.size() == 1) {
+ } else if (uris.size() == 1 && useRegisteredRedirectUriIfPossible) {
redirectUri = uris.get(0);
}
- if (redirectUri == null && !canRedirectUriBeEmpty(client)) {
+ if (redirectUri == null && uris.size() == 0 && !canRedirectUriBeEmpty(client)) {
reportInvalidRequestError("Client Redirect Uri is invalid");
}
return redirectUri;
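Review bot: Changing the parameter list of the protected `createAuthorizationData` means a subclass that overrides the old three-argument form stops being called without any compile error unless it carries `@Override`, which is an easy way to lose a customised consent page on a fixes branch. Keeping the old signature as a deprecated overload that delegates preserves both behaviour and compatibility: `@Deprecated protected OAuthAuthorizationData createAuthorizationData(Client client, MultivaluedMap params, List perms) { return createAuthorizationData(client, params, params.getFirst(OAuthConstants.REDIRECT_URI), perms); }`. The Javadoc above the method should also gain `@param redirectUri the validated redirect URI, or null when none was resolved`, since the `+182` hunk now skips `setRedirectUri` on null.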
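Review bot: The new guard `redirectUri == null && uris.size() == 0 && !canRedirectUriBeEmpty(client)` no longer fires when the client supplied a redirect_uri that is not in its registered list: the first lines of the hunk set `redirectUri = null` for that mismatch, and because `uris.size()` is then non-zero the request now continues with a null URI instead of reaching `reportInvalidRequestError`. Combined with the AuthorizationCodeGrantService change in this commit, a null URI selects the out-of-band response, so a mismatching redirect_uri is silently downgraded to OOB delivery of the code rather than rejected, whereas RFC 6749 §3.1.2.4 treats a mismatching redirection URI as an error to be reported to the resource owner. The omitted-parameter case the commit targets can be kept while restoring the rejection by reporting the error in the mismatch branch itself, `if (!uris.contains(redirectUri)) { reportInvalidRequestError("Client Redirect Uri is invalid"); }`, or by remembering whether the parameter was actually supplied and excluding that case from the relaxed check. The block those first lines close (presumably an `if (redirectUri != null)`) starts outside the hunk, so the exact path for a supplied-but-unregistered URI should be confirmed there; a test sending a redirect_uri that differs from a single registered one would pin the intended behaviour.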
@@ -359,6 +362,14 @@ public abstract class RedirectionBasedGr
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
+ /**
+ * If a client does not include a redirect_uri parameter but has an exactly one
+ * pre-registered redirect_uri then use that redirect_uri
+ * @param use allows to use a single registered redirect_uri if set to true (default)
+ */
+ public void setUseRegisteredRedirectUriIfPossible(boolean use) {
+ this.useRegisteredRedirectUriIfPossible = use;
+ }
protected abstract boolean canSupportPublicClient(Client c);
Modified: cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java?rev=1491526&r1=1491525&r2=1491526&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java (original)
+++ cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java Mon Jun 10 16:26:06 2013
@@ -79,11 +79,13 @@ public final class OAuthUtils {
}
public static boolean isGrantSupportedForClient(Client client,
- boolean isConfidential,
+ boolean canSupportPublicClients,
String grantType) {
+ if (!client.isConfidential() && !canSupportPublicClients) {
+ return false;
+ }
List allowedGrants = client.getAllowedGrantTypes();
- return isConfidential == client.isConfidential()
- && (allowedGrants.isEmpty() || allowedGrants.contains(grantType));
+ return allowedGrants.isEmpty() || allowedGrants.contains(grantType);
}
public static List parseScope(String requestedScope) {
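Review bot: The Javadoc on `setUseRegisteredRedirectUriIfPossible` reads "has an exactly one pre-registered redirect_uri"; it should be `* pre-registered redirect_uri, i.e. has exactly one, then use that redirect_uri`, and it only describes the single-URI case. It would help to add one sentence on what happens otherwise, since that is the security-relevant part: when the parameter is omitted and the client has no single registered URI (or this flag is false) the resolved redirect URI is null and the code is delivered out-of-band rather than by redirect.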
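Review bot: `isGrantSupportedForClient` now has two distinct rejection reasons and one permissive default — a public client is refused outright unless `canSupportPublicClients`, and an empty `getAllowedGrantTypes()` list accepts every grant type — but the method has no Javadoc, so the "empty means unrestricted" rule is easy to miss when registering clients. Suggested header: `/** Checks whether the client may use the given grant. A non-confidential client is accepted only when canSupportPublicClients is true; a client whose allowed-grant list is empty is treated as allowed to use any grant type. */`. Whether `getAllowedGrantTypes()` may return null is not visible from here; if it can, the `isEmpty()` call will throw and the caller's `UNAUTHORIZED_CLIENT` mapping is bypassed.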