Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id DD7CC1081A for ; Thu, 15 Aug 2013 10:31:08 +0000 (UTC) Received: (qmail 23443 invoked by uid 500); 15 Aug 2013 10:31:07 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 23386 invoked by uid 500); 15 Aug 2013 10:31:04 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 23375 invoked by uid 99); 15 Aug 2013 10:31:03 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 15 Aug 2013 10:31:03 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 15 Aug 2013 10:31:01 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 9482823888CD; Thu, 15 Aug 2013 10:30:41 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1514227 - in /cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2: common/ filters/ services/ utils/ Date: Thu, 15 Aug 2013 10:30:41 -0000 To: commits@cxf.apache.org 
From: sergeyb@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20130815103041.9482823888CD@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: sergeyb
Date: Thu Aug 15 10:30:40 2013
New Revision: 1514227
URL: http://svn.apache.org/r1514227
Log:
[CXF-5209] Support for OAuth2 audience parameter
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java Thu Aug 15 10:30:40 2013
@@ -44,6 +44,7 @@ public class AccessTokenValidation {
 private long tokenLifetime;
 private UserSubject tokenSubject;
 private List tokenScopes = new LinkedList();
+ private String audience;
 public AccessTokenValidation() {
@@ -60,7 +61,8 @@ public class AccessTokenValidation {
 this.tokenLifetime = token.getExpiresIn();
 this.tokenSubject = token.getSubject();
- this.tokenScopes = token.getScopes();
+ this.tokenScopes = token.getScopes();
+ this.audience = token.getAudience();
 }
 public String getClientId() {
@@ -119,5 +121,13 @@ public class AccessTokenValidation {
 public void setTokenType(String tokenType) {
 this.tokenType = tokenType;
 }
+
+ public String getAudience() {
+ return audience;
+ }
+
+ public void setAudience(String audience) {
+ this.audience = audience;
+ }
 }
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java Thu Aug 15 10:30:40 2013
@@ -34,6 +34,7 @@ public class OAuthContext {
 private String tokenGrantType;
 private String clientId;
 private String tokenKey;
+ private String tokenAudience;
 public OAuthContext(UserSubject resourceOwnerSubject, UserSubject clientSubject,
@@ -109,4 +110,12 @@ public class OAuthContext {
 public void setTokenKey(String tokenKey) {
 this.tokenKey = tokenKey;
 }
+
+ public String getTokenAudience() {
+ return tokenAudience;
+ }
+
+ public void setTokenAudience(String tokenAudience) {
+ this.tokenAudience = tokenAudience;
+ }
 }
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java Thu Aug 15 10:30:40 2013
@@ -29,6 +29,7 @@ public abstract class ServerAccessToken
 private Client client;
 private List scopes = new LinkedList();
 private UserSubject subject;
+ private String audience;
 protected ServerAccessToken(Client client, String tokenType,
@@ -108,4 +109,12 @@ public abstract class ServerAccessToken
 return grantType;
 }
+ public String getAudience() {
+ return audience;
+ }
+
+ public void setAudience(String audience) {
+ this.audience = audience;
+ }
+
 }
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java Thu Aug 15 10:30:40 2013
@@ -95,6 +95,7 @@ public class OAuthRequestFilter extends
 oauthContext.setClientId(accessTokenV.getClientId());
 oauthContext.setTokenKey(accessTokenV.getTokenKey());
+ oauthContext.setTokenAudience(accessTokenV.getAudience());
 m.setContent(OAuthContext.class, oauthContext);
 }
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java Thu Aug 15 10:30:40 2013
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
@@ -44,7 +45,10 @@ public abstract class AbstractAccessToke
 private MessageContext mc;
 private List tokenHandlers = Collections.emptyList();
+ private List audiences = new LinkedList();
+
 private Set supportedSchemes = new HashSet();
+ private OAuthDataProvider dataProvider;
 private String realm;
@@ -134,12 +138,28 @@ public abstract class AbstractAccessToke
 }
 AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
 }
+
+ // Check audiences
+ if (accessTokenV.getAudience() != null
+ && !audiences.isEmpty()
+ && !audiences.contains(accessTokenV.getAudience())) {
+ AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+ }
+
 return accessTokenV;
 }
 public void setRealm(String realm) {
 this.realm = realm;
 }
+
+ public List getAudiences() {
+ return audiences;
+ }
+
+ public void setAudiences(List audiences) {
+ this.audiences = audiences;
+ }
 }
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java Thu Aug 15 10:30:40 2013
@@ -19,6 +19,8 @@ package org.apache.cxf.rs.security.oauth2.services;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.LinkedList;
 import java.util.List;
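Review bot: The audience check added in the `@@ -134,12` hunk lets a token with a null audience through unconditionally, so a resource server that configures `audiences` still accepts any token that was issued without one — and as far as this diff shows nothing at issue time writes the audience into the ServerAccessToken, so that may be every token. If configuring `audiences` is meant to pin tokens to this resource, reject the null case as well, `if (!audiences.isEmpty() && (accessTokenV.getAudience() == null || !audiences.contains(accessTokenV.getAudience()))) {`, and make acceptance of audience-less tokens an explicit opt-in if it is needed for compatibility. The comparison is also a single exact-match String, so a token meant for several resources cannot be represented; a Javadoc on `setAudiences` should say that values must match the issuer's configured audience strings byte for byte. The enclosing validation method begins before this hunk.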
@@ -32,6 +34,7 @@ import javax.ws.rs.core.Response;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
@@ -47,6 +50,7 @@ import org.apache.cxf.rs.security.oauth2
 @Path("/token")
 public class AccessTokenService extends AbstractTokenService {
 private List grantHandlers = new LinkedList();
+ private List audiences = new LinkedList();
 /**
 * Sets the list of optional grant handlers
@@ -83,6 +87,11 @@ public class AccessTokenService extends
 return createErrorResponse(params, OAuthConstants.UNAUTHORIZED_CLIENT);
 }
+ try {
+ checkAudience(params);
+ } catch (OAuthServiceException ex) {
+ return super.createErrorResponseFromBean(ex.getError());
+ }
 // Find the grant handler
 AccessTokenGrantHandler handler = findGrantHandler(params);
@@ -121,6 +130,28 @@ public class AccessTokenService extends
 .build();
 }
+ protected void checkAudience(MultivaluedMap params) {
+ if (audiences.isEmpty()) {
+ return;
+ }
+
+ String audienceParam = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
+ if (audienceParam == null) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+ // must be URL
+ try {
+ new URL(audienceParam);
+ } catch (MalformedURLException ex) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+
+ if (!audiences.contains(audienceParam)) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.ACCESS_DENIED));
+ }
+
+ }
+
 /**
 * Find the matching grant handler
 */
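Review bot: In the `@@ -83,6` hunk, `checkAudience(params)` validates the request parameter but the accepted value is not carried any further; the grant handler found on the next line presumably builds the token outside this hunk, and unless it reads `OAuthConstants.CLIENT_AUDIENCE` itself the issued ServerAccessToken keeps a null audience, which the null-tolerant check in AbstractAccessTokenValidator then waves through. Bind the validated audience to the token where it is created, e.g. `serverToken.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));`, or have `checkAudience` return the value so the handler receives it explicitly. The enclosing request-handling method continues past the hunk.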
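Review bot: `new URL(audienceParam)` in `checkAudience` is a weak validator — `java.net.URL` only insists on a scheme its handlers know, such as http, https, ftp, file or jar, and accepts nearly any text after it — and because the value must then equal a configured entry exactly, the parse only decides whether a bad value is reported as `invalid_request` rather than `access_denied`. Either drop the parse and treat audiences as opaque strings matched exactly, or if a URL form is a real requirement use `new URI(audienceParam)` and check `isAbsolute()`, and state the rule in a Javadoc. The method also needs a Javadoc making its configuration-dependent behaviour explicit: `/** Rejects the request unless the 'audience' parameter names one of the configured audiences; a no-op when no audiences are configured. */`.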
@@ -146,4 +177,12 @@ public class AccessTokenService extends
 return null;
 }
+
+ public List getAudiences() {
+ return audiences;
+ }
+
+ public void setAudiences(List audiences) {
+ this.audiences = audiences;
+ }
 }
\ No newline at end of file
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java Thu Aug 15 10:30:40 2013
@@ -26,6 +26,7 @@ public final class OAuthConstants {
 // Common OAuth2 constants
 public static final String CLIENT_ID = "client_id";
 public static final String CLIENT_SECRET = "client_secret";
+ public static final String CLIENT_AUDIENCE = "audience";
 public static final String REDIRECT_URI = "redirect_uri";
 public static final String SCOPE = "scope";
 public static final String STATE = "state";
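Review bot: `setAudiences` in the `@@ -146,4` hunk stores whatever it is given, so configuring it with null turns every token request into a NullPointerException at `audiences.isEmpty()` in `checkAudience`, and `getAudiences` returns the live list that the check reads. Guard and copy on the way in, `this.audiences = audiences == null ? new LinkedList<String>() : new LinkedList<String>(audiences);`, and document the contract: `/** Audiences this token service will issue tokens for; when non-empty the 'audience' request parameter becomes mandatory and must match one entry exactly. */`. The same getter/setter pair added to AbstractAccessTokenValidator has the same gaps.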
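Review bot: `CLIENT_AUDIENCE = "audience"` in the OAuthConstants hunk introduces a token-request parameter that RFC 6749 does not define, and the `CLIENT_` prefix does not tell the reader whether this is a request parameter, a client property or a token attribute. A one-line Javadoc would settle it: `/** Token-request parameter naming the resource server the token is intended for; not defined by RFC 6749, matched exactly against the configured audiences. */`.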