Subject: svn commit: r1517570 - in /cxf/branches/2.7.x-fixes: ./ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/ rt/rs/securit...
Date: Mon, 26 Aug 2013 15:51:11 -0000
To: commits@cxf.apache.org
Reply-To: dev@cxf.apache.org
From: sergeyb@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20130826155111.AD6EE23888E7@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: sergeyb
Date: Mon Aug 26 15:51:10 2013
New Revision: 1517570

URL: http://svn.apache.org/r1517570
Log:
Merged revisions 1517566,1517568 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1517566 | sergeyb | 2013-08-26 16:46:25 +0100 (Mon, 26 Aug 2013) | 1 line

  [CXF-5209] Getting an audience parameter recognized by redirection-based grant handlers
........
  r1517568 | sergeyb | 2013-08-26 16:49:06 +0100 (Mon, 26 Aug 2013) | 1 line

  [CXF-5209] Removing the getter
........

Modified:
    cxf/branches/2.7.x-fixes/   (props changed)
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
    cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java Propchange: cxf/branches/2.7.x-fixes/ ------------------------------------------------------------------------------ Merged /cxf/trunk:r1517566-1517568 Propchange: cxf/branches/2.7.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java Mon Aug 26 15:51:10 2013 @@ -40,6 +40,7 @@ public class Client { private boolean isConfidential; private List allowedGrantTypes = new LinkedList(); private List registeredScopes = new LinkedList(); + private List registeredAudiences = new LinkedList(); private List properties = new LinkedList(); private UserSubject subject; 
@@ -253,4 +254,12 @@ public class Client { public void setRegisteredScopes(List registeredScopes) { this.registeredScopes = registeredScopes; } + + public List getRegisteredAudiences() { + return registeredAudiences; + } + + public void setRegisteredAudiences(List registeredAudiences) { + this.registeredAudiences = registeredAudiences; + } } Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java Mon Aug 26 15:51:10 2013 @@ -50,7 +50,7 @@ public class OAuthAuthorizationData impl private List extraApplicationProperties = new LinkedList(); private List permissions; - + private String audience; public OAuthAuthorizationData() { } 
@@ -253,4 +253,12 @@ public class OAuthAuthorizationData impl this.endUserName = endUserName; } + public String getAudience() { + return audience; + } + + public void setAudience(String audience) { + this.audience = audience; + } + } Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java Mon Aug 26 15:51:10 2013 @@ -34,6 +34,7 @@ import org.apache.cxf.jaxrs.ext.RequestH import org.apache.cxf.jaxrs.model.ClassResourceInfo; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; +import org.apache.cxf.phase.PhaseInterceptorChain; import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation; import org.apache.cxf.rs.security.oauth2.common.OAuthContext; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; @@ -50,6 +51,7 @@ public class OAuthRequestFilter extends private static final Logger LOG = LogUtils.getL7dLogger(OAuthRequestFilter.class); private boolean useUserSubject; + private boolean audienceIsEndpointAddress; public Response handleRequest(Message m, ClassResourceInfo resourceClass) { 
@@ -166,5 +168,22 @@ public class OAuthRequestFilter extends // and set a message "local_preflight" property to true return MessageUtils.isTrue(m.get("local_preflight")); } + + protected boolean validateAudience(String audience) { + if (audience == null) { + return true; + } + + boolean isValid = super.validateAudience(audience); + if (isValid && audienceIsEndpointAddress) { + String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL); + isValid = requestPath.startsWith(audience); + } + return isValid; + } + + public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) { + this.audienceIsEndpointAddress = audienceIsEndpointAddress; + } } Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java Mon Aug 26 15:51:10 2013 
@@ -134,6 +134,10 @@ public abstract class AbstractGrantHandl partialMatchScopeValidation)) { throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE)); } + if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) { + throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT)); + } + // Check if a pre-authorized token available ServerAccessToken token = dataProvider.getPreauthorizedToken( client, requestedScope, subject, requestedGrant); Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java Mon Aug 26 15:51:10 2013 
@@ -71,7 +71,7 @@ public class AuthorizationCodeGrantHandl return doCreateAccessToken(client, grant.getSubject(), grant.getApprovedScopes(), - params.getFirst(OAuthConstants.CLIENT_AUDIENCE)); + grant.getAudience()); } Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java Mon Aug 26 15:51:10 2013 @@ -34,6 +34,7 @@ public class AuthorizationCodeRegistrati private List approvedScope = Collections.emptyList(); private String redirectUri; private UserSubject subject; + private String audience; /** * Sets the {@link Client} reference 
@@ -112,4 +113,10 @@ public class AuthorizationCodeRegistrati public UserSubject getSubject() { return subject; } + public String getAudience() { + return audience; + } + public void setAudience(String audience) { + this.audience = audience; + } } Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java Mon Aug 26 15:51:10 2013 @@ -35,6 +35,7 @@ public class ServerAuthorizationCodeGran private Client client; private List approvedScopes = Collections.emptyList(); private UserSubject subject; + private String audience; public ServerAuthorizationCodeGrant(Client client, long lifetime) { 
@@ -111,4 +112,12 @@ public class ServerAuthorizationCodeGran public UserSubject getSubject() { return subject; } + + public String getAudience() { + return audience; + } + + public void setAudience(String audience) { + this.audience = audience; + } } Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java Mon Aug 26 15:51:10 2013 
@@ -140,15 +140,17 @@ public abstract class AbstractAccessToke } // Check audiences - if (accessTokenV.getAudience() != null - && !audiences.isEmpty() - && !audiences.contains(accessTokenV.getAudience())) { + if (!validateAudience(accessTokenV.getAudience())) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); } return accessTokenV; } + protected boolean validateAudience(String audience) { + return OAuthUtils.validateAudience(audience, audiences); + } + public void setRealm(String realm) { this.realm = realm; } Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java Mon Aug 26 15:51:10 2013 
@@ -71,6 +71,7 @@ public class AuthorizationCodeGrantServi codeReg.setRequestedScope(requestedScope); codeReg.setApprovedScope(approvedScope); codeReg.setSubject(userSubject); + codeReg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE)); ServerAuthorizationCodeGrant grant = null; try { Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java Mon Aug 26 15:51:10 2013 
@@ -68,6 +68,7 @@ public class ImplicitGrantService extend reg.setSubject(userSubject); reg.setRequestedScope(requestedScope); reg.setApprovedScope(approvedScope); + reg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE)); token = getDataProvider().createAccessToken(reg); } else { token = preAuthorizedToken; Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java Mon Aug 26 15:51:10 2013 
@@ -193,6 +193,7 @@ public abstract class RedirectionBasedGr secData.setApplicationWebUri(client.getApplicationWebUri()); secData.setApplicationDescription(client.getApplicationDescription()); secData.setApplicationLogoUri(client.getApplicationLogoUri()); + secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE)); List extraProperties = client.getProperties(); secData.setExtraApplicationProperties(extraProperties == null ? Collections.emptyList() : Collections.unmodifiableList(extraProperties)); Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java?rev=1517570&r1=1517569&r2=1517570&view=diff ============================================================================== --- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java (original) +++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java Mon Aug 26 15:51:10 2013 @@ -123,6 +123,10 @@ public final class OAuthUtils { && issuedAt + lifetime < System.currentTimeMillis() / 1000; } + public static boolean validateAudience(String audience, List audiences) { + return audience == null || !audiences.isEmpty() && audiences.contains(audience); + } + public static boolean checkRequestURI(String servletPath, String uri) { boolean wildcard = uri.endsWith("*"); String theURI = wildcard ? uri.substring(0, uri.length() - 1) : uri;
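Review bot: in the Client.java hunk, `setRegisteredAudiences` accepts null, and the new `OAuthUtils.validateAudience` dereferences the list with `audiences.isEmpty()` whenever a non-null audience is supplied, so a client registration that sets a null list will produce a NullPointerException at the token endpoint instead of a clean OAuth error; either normalise null to an empty list in the setter or have `validateAudience` treat a null list the same as an empty one.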
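Review bot: in the OAuthRequestFilter.java hunk, `requestPath.startsWith(audience)` is a plain string prefix test, so with `audienceIsEndpointAddress` enabled an audience of `http://host/api` would also be accepted for requests to `http://host/api-internal/...` or `http://host/apiv2/...`; compare against the full endpoint address, or require that the character after the matched prefix is `/` or `?` (or the end of the string). `PhaseInterceptorChain.getCurrentMessage()` can also return null when the filter runs outside an interceptor chain (unit tests, for instance), and the `Message.REQUEST_URL` property may be absent, so both should be null-checked before `startsWith` is called. The `audience == null` early return duplicates what `super.validateAudience` already does through `OAuthUtils.validateAudience` and can be dropped.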
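Review bot: in the AbstractGrantHandler.java hunk, the new check throws `OAuthConstants.INVALID_GRANT` when the audience is not among the client's registered audiences; per RFC 6749 section 5.2, `invalid_grant` describes a bad, expired or revoked grant (code, refresh token, credentials), whereas an unregistered audience is a problem with the request parameters, so `invalid_request` (or a dedicated error, mirroring the `INVALID_SCOPE` used two lines above for the analogous scope failure) would be the more accurate response and lets a client tell "obtain a new grant" apart from "fix the audience parameter".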
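Review bot: in the AuthorizationCodeGrantHandler.java hunk, replacing `params.getFirst(OAuthConstants.CLIENT_AUDIENCE)` with `grant.getAudience()` is the right fix, since the audience bound at authorization time can no longer be swapped at the token endpoint, but an `audience` parameter that is still sent with the token request is now silently ignored; rejecting the request when the parameter is present and differs from `grant.getAudience()` (the rule RFC 6749 applies to `redirect_uri` at code exchange) makes the binding explicit and surfaces client misconfiguration instead of hiding it.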
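Review bot: in the AuthorizationCodeRegistration.java hunk, the new `getAudience`/`setAudience` pair lacks the Javadoc that the class's other accessors carry (the hunk context shows `Sets the {@link Client} reference` above the setter that follows); document that the value is the `audience` request parameter captured at the authorization endpoint, to be bound to the access token at code exchange, and that it may be null, and add the blank line between the two methods to match the surrounding style and the sibling change in `ServerAuthorizationCodeGrant`.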
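Review bot: in the AbstractAccessTokenValidator.java hunk, the extraction into `validateAudience` changes behaviour, not just structure: the removed condition only rejected a token when `audiences` was non-empty and did not contain the token's audience, so a resource server with no configured audiences accepted any audience-bearing token, whereas `OAuthUtils.validateAudience` returns false for a non-null audience whenever `audiences` is empty. Failing closed is the safer default, but on a fixes branch this starts rejecting previously accepted tokens for deployments that never configured audiences, so it deserves a sentence in the commit message and the 2.7.x release notes, or a compatibility switch.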
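Review bot: in the ImplicitGrantService.java hunk, `reg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE))` copies the request parameter straight into the token registration and the token is then created through `getDataProvider().createAccessToken(reg)`, which does not pass through the `OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())` check that `AbstractGrantHandler` applies at the token endpoint; in the implicit flow a token can therefore be issued for an audience the client never registered. Apply the same registered-audience check here, before `createAccessToken`, or once in `RedirectionBasedGrantService` so that both redirection-based flows share it.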
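Review bot: in the RedirectionBasedGrantService.java hunk, `secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE))` places the raw request parameter into the data that renders the authorization (consent) form without checking it against `client.getRegisteredAudiences()`; for the authorization-code flow that check only runs later, at code exchange, so the end user can be asked to approve an audience the client is not registered for. Validate the value and fail the authorization request with an error response before `OAuthAuthorizationData` is populated, and since the value is displayed to the user, confirm the form template escapes it.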
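Review bot: in the OAuthUtils.java hunk, `audience == null || !audiences.isEmpty() && audiences.contains(audience)` relies on `&&` binding tighter than `||`; the result is correct, but parenthesise the right-hand side so the intent is obvious to the next reader. The `!audiences.isEmpty()` guard is redundant, because `contains` on an empty list is already false, unless it is kept to document the fail-closed behaviour; and `audiences == null` should be handled, since the helper is now called with `client.getRegisteredAudiences()` and with the validator's `audiences` field, either of which can be set to null by their setters.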