From serg...@apache.org
Subject svn commit: r1517570 - in /cxf/branches/2.7.x-fixes: ./ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/ rt/rs/securit...
Date Mon, 26 Aug 2013 15:51:11 GMT
Author: sergeyb
Date: Mon Aug 26 15:51:10 2013
New Revision: 1517570

URL: http://svn.apache.org/r1517570
Log:
Merged revisions 1517566,1517568 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1517566 | sergeyb | 2013-08-26 16:46:25 +0100 (Mon, 26 Aug 2013) | 1 line
  
  [CXF-5209] Getting an audience parameter recognized by redirection-based grant handlers
........
  r1517568 | sergeyb | 2013-08-26 16:49:06 +0100 (Mon, 26 Aug 2013) | 1 line
  
  [CXF-5209] Removing the getter
........

Modified:
    cxf/branches/2.7.x-fixes/   (props changed)
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java

Propchange: cxf/branches/2.7.x-fixes/
------------------------------------------------------------------------------
  Merged /cxf/trunk:r1517566-1517568

Propchange: cxf/branches/2.7.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
Mon Aug 26 15:51:10 2013
@@ -40,6 +40,7 @@ public class Client {
     private boolean isConfidential;
     private List<String> allowedGrantTypes = new LinkedList<String>();
     private List<String> registeredScopes = new LinkedList<String>();
+    private List<String> registeredAudiences = new LinkedList<String>();
     
     private List<Property> properties = new LinkedList<Property>();
     private UserSubject subject;
@@ -253,4 +254,12 @@ public class Client {
     public void setRegisteredScopes(List<String> registeredScopes) {
         this.registeredScopes = registeredScopes;
     }
+
+    public List<String> getRegisteredAudiences() {
+        return registeredAudiences;
+    }
+
+    public void setRegisteredAudiences(List<String> registeredAudiences) {
+        this.registeredAudiences = registeredAudiences;
+    }
 }

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
Mon Aug 26 15:51:10 2013
@@ -50,7 +50,7 @@ public class OAuthAuthorizationData impl
     private List<Property> extraApplicationProperties = new LinkedList<Property>();
     
     private List<? extends Permission> permissions;
-    
+    private String audience;
     
     public OAuthAuthorizationData() {
     }
@@ -253,4 +253,12 @@ public class OAuthAuthorizationData impl
         this.endUserName = endUserName;
     }
 
+    public String getAudience() {
+        return audience;
+    }
+
+    public void setAudience(String audience) {
+        this.audience = audience;
+    }
+
 }

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
Mon Aug 26 15:51:10 2013
@@ -34,6 +34,7 @@ import org.apache.cxf.jaxrs.ext.RequestH
 import org.apache.cxf.jaxrs.model.ClassResourceInfo;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
@@ -50,6 +51,7 @@ public class OAuthRequestFilter extends 
     private static final Logger LOG = LogUtils.getL7dLogger(OAuthRequestFilter.class);
     
     private boolean useUserSubject;
+    private boolean audienceIsEndpointAddress;
     
     public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
         
@@ -166,5 +168,22 @@ public class OAuthRequestFilter extends 
         // and set a message "local_preflight" property to true
         return MessageUtils.isTrue(m.get("local_preflight"));
     }
+
+    protected boolean validateAudience(String audience) {
+        if (audience == null) {
+            return true;
+        }
+        
+        boolean isValid = super.validateAudience(audience);
+        if (isValid && audienceIsEndpointAddress) {
+            String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
+            isValid = requestPath.startsWith(audience);
+        }
+        return isValid;
+    }
+    
+    public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) {
+        this.audienceIsEndpointAddress = audienceIsEndpointAddress;
+    }
     
 }
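Review bot: In the new `validateAudience` override, `requestPath.startsWith(audience)` is a raw string-prefix test, so an audience of `http://host/app` (constructed example) also matches a request URL of `http://host/app2/...`, and a token scoped to one endpoint would be accepted by a sibling endpoint that shares the prefix. Compare on a path boundary instead, e.g. `isValid = requestPath.equals(audience) || requestPath.startsWith(audience.endsWith("/") ? audience : audience + "/");`. The same statement dereferences `PhaseInterceptorChain.getCurrentMessage()` and the `Message.REQUEST_URL` value without a null check, so a missing message or property surfaces as a NullPointerException rather than an authorization failure. The method also lacks `@Override` and a comment stating that a token with no audience is accepted even when `audienceIsEndpointAddress` is set.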

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
Mon Aug 26 15:51:10 2013
@@ -134,6 +134,10 @@ public abstract class AbstractGrantHandl
                                        partialMatchScopeValidation)) {
             throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
    
         }
+        if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
+        }
+        
         // Check if a pre-authorized  token available
         ServerAccessToken token = dataProvider.getPreauthorizedToken(
                                      client, requestedScope, subject, requestedGrant);

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
Mon Aug 26 15:51:10 2013
@@ -71,7 +71,7 @@ public class AuthorizationCodeGrantHandl
         return doCreateAccessToken(client, 
                                    grant.getSubject(), 
                                    grant.getApprovedScopes(),
-                                   params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+                                   grant.getAudience());
     }
     
     
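Review bot: `grant.getAudience()` is non-null only if the data provider copied the value from `AuthorizationCodeRegistration` into the `ServerAuthorizationCodeGrant` it created, and no hunk visible in this commit performs that copy. With a provider implementation written before the `audience` field existed, the grant's audience would stay null, `OAuthUtils.validateAudience` returns true for null, and the issued token would presumably carry no audience restriction even though the client requested one. Reading the value from the grant rather than from the token request is the right binding, but the provider's obligation should be documented here, e.g. `// audience is fixed at authorization time; providers must copy AuthorizationCodeRegistration.getAudience() into the grant`. The enclosing method starts outside the hunk.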

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
Mon Aug 26 15:51:10 2013
@@ -34,6 +34,7 @@ public class AuthorizationCodeRegistrati
     private List<String> approvedScope = Collections.emptyList();
     private String redirectUri;
     private UserSubject subject;
+    private String audience;
     
     /**
      * Sets the {@link Client} reference
@@ -112,4 +113,10 @@ public class AuthorizationCodeRegistrati
     public UserSubject getSubject() {
         return subject;
     }
+    public String getAudience() {
+        return audience;
+    }
+    public void setAudience(String audience) {
+        this.audience = audience;
+    }
 }

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
Mon Aug 26 15:51:10 2013
@@ -35,6 +35,7 @@ public class ServerAuthorizationCodeGran
     private Client client;
     private List<String> approvedScopes = Collections.emptyList();
     private UserSubject subject;
+    private String audience;
     
     public ServerAuthorizationCodeGrant(Client client, 
                                         long lifetime) {
@@ -111,4 +112,12 @@ public class ServerAuthorizationCodeGran
     public UserSubject getSubject() {
         return subject;
     }
+
+    public String getAudience() {
+        return audience;
+    }
+
+    public void setAudience(String audience) {
+        this.audience = audience;
+    }
 }

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
Mon Aug 26 15:51:10 2013
@@ -140,15 +140,17 @@ public abstract class AbstractAccessToke
         }
         
         // Check audiences
-        if (accessTokenV.getAudience() != null 
-            && !audiences.isEmpty()
-            && !audiences.contains(accessTokenV.getAudience())) {
+        if (!validateAudience(accessTokenV.getAudience())) {
             AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         }
         
         return accessTokenV;
     }
 
+    protected boolean validateAudience(String audience) {
+        return OAuthUtils.validateAudience(audience, audiences);
+    }
+    
     public void setRealm(String realm) {
         this.realm = realm;
     }
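Review bot: The replacement check is stricter than the condition it removes: the old code skipped the audience test when `audiences` was empty, whereas `OAuthUtils.validateAudience` (added in this commit) returns false for a non-null token audience whenever the list is empty. A resource server that leaves `audiences` empty would therefore start rejecting every audience-restricted token after this merge to a fixes branch. If failing closed is intended, state it on `validateAudience`, e.g. `// a token audience must be explicitly listed; an empty list rejects all audience-restricted tokens`; if not, the empty-list case needs handling before delegating. `OAuthRequestFilter.validateAudience` calls `super.validateAudience` first, so its endpoint-address comparison is reachable only when the audience is also in this list.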

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
Mon Aug 26 15:51:10 2013
@@ -71,6 +71,7 @@ public class AuthorizationCodeGrantServi
         codeReg.setRequestedScope(requestedScope);
         codeReg.setApprovedScope(approvedScope);
         codeReg.setSubject(userSubject);
+        codeReg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
         
         ServerAuthorizationCodeGrant grant = null;
         try {

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
Mon Aug 26 15:51:10 2013
@@ -68,6 +68,7 @@ public class ImplicitGrantService extend
             reg.setSubject(userSubject);
             reg.setRequestedScope(requestedScope);        
             reg.setApprovedScope(approvedScope);
+            reg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
             token = getDataProvider().createAccessToken(reg);
         } else {
             token = preAuthorizedToken;
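Review bot: `reg.setAudience(...)` passes the request-supplied audience parameter straight into `createAccessToken` with no `OAuthUtils.validateAudience` call visible in this hunk, unlike the path in `AbstractGrantHandler`, which checks it against `client.getRegisteredAudiences()`. Unless the check happens earlier in the method (which starts outside the hunk), the implicit flow would issue a token for an audience the client is not registered for. Run the same `OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())` test before the registration is built and reject the request when it fails. `AuthorizationCodeGrantService` also stores the parameter unvalidated, but there the check appears to run later, when the code is exchanged for a token.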

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
Mon Aug 26 15:51:10 2013
@@ -193,6 +193,7 @@ public abstract class RedirectionBasedGr
         secData.setApplicationWebUri(client.getApplicationWebUri());
         secData.setApplicationDescription(client.getApplicationDescription());
         secData.setApplicationLogoUri(client.getApplicationLogoUri());
+        secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
         List<Property> extraProperties = client.getProperties();
         secData.setExtraApplicationProperties(extraProperties == null ? Collections.<Property>emptyList()
             : Collections.unmodifiableList(extraProperties));

Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java?rev=1517570&r1=1517569&r2=1517570&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
Mon Aug 26 15:51:10 2013
@@ -123,6 +123,10 @@ public final class OAuthUtils {
             && issuedAt + lifetime < System.currentTimeMillis() / 1000;
     }
     
+    public static boolean validateAudience(String audience, List<String> audiences)
{
+        return audience == null || !audiences.isEmpty() && audiences.contains(audience);
+    }
+    
     public static boolean checkRequestURI(String servletPath, String uri) {
         boolean wildcard = uri.endsWith("*");
         String theURI = wildcard ? uri.substring(0, uri.length() - 1) : uri;
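Review bot: `validateAudience` dereferences `audiences` without a null check, while `Client.setRegisteredAudiences` in this commit stores whatever list it is given, so a client registered with a null list turns a request carrying an audience into a NullPointerException instead of the `OAuthConstants.INVALID_GRANT` error. The `!audiences.isEmpty() &&` clause is redundant, since `contains` on an empty list is already false, and the expression relies on `&&` binding tighter than `||`. Suggested form: `return audience == null || (audiences != null && audiences.contains(audience));`. A Javadoc line stating that a null audience always validates and that an empty list rejects every non-null audience would make the contract explicit for callers.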


