From serg...@apache.org
Subject git commit: [CXF-5712] SessionAuthenticityTokenProvider must be able to access form data
Date Fri, 25 Apr 2014 11:44:41 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 5150a2a64 -> 7e2f8ba3b


[CXF-5712] SessionAuthenticityTokenProvider must be able to access form data


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7e2f8ba3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7e2f8ba3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7e2f8ba3

Branch: refs/heads/master
Commit: 7e2f8ba3b8e5a3622bcaf3977e3bc59deb0aa405
Parents: 5150a2a
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Apr 25 12:44:23 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Apr 25 12:44:23 2014 +0100

----------------------------------------------------------------------
 .../SessionAuthenticityTokenProvider.java       | 21 +++++++++++--
 .../services/RedirectionBasedGrantService.java  | 32 ++++++++++++++------
 2 files changed, 40 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7e2f8ba3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
index 34c581c..741acb0 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
@@ -19,7 +19,10 @@
 
 package org.apache.cxf.rs.security.oauth2.provider;
 
+import javax.ws.rs.core.MultivaluedMap;
+
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 
 /**
  * SessionAuthenticityTokenProvider responsible for storing and retrieving tokens 
@@ -31,23 +34,35 @@ public interface SessionAuthenticityTokenProvider {
      * Creates a new session token and stores it
      * 
      * @param mc the {@link MessageContext} of this request
+     * @param params redirection-based grant request parameters
+     * @param subject authenticated end user
      * @return the created session token
      */
-    String createSessionToken(MessageContext mc);
+    String createSessionToken(MessageContext mc,
+                              MultivaluedMap<String, String> params,
+                              UserSubject subject);
 
     /**
      * Retrieves the stored session token
      * 
      * @param mc the {@link MessageContext} of this request
+     * @param params grant authorization parameters
+     * @param subject authenticated end user
      * @return the stored token
      */
-    String getSessionToken(MessageContext mc);
+    String getSessionToken(MessageContext mc,
+                           MultivaluedMap<String, String> params,
+                           UserSubject subject);
 
     /**
      * Removes the stored session token
      * 
      * @param mc the {@link MessageContext} of this request
+     * @param params grant authorization parameters
+     * @param subject authenticated end user
      */
-    String removeSessionToken(MessageContext mc);
+    String removeSessionToken(MessageContext mc,
+                              MultivaluedMap<String, String> params,
+                              UserSubject subject);
 
 }
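Review bot: The new `removeSessionToken` signature still has a Javadoc without `@return`, even though `RedirectionBasedGrantService.compareRequestAndSessionTokens` relies on the returned value as the stored token to compare against; add `@return the removed token, or null if no token was stored for this end user`. The interface should also state what the token is for, since implementers now own its generation: it is placed on the consent form as the authenticity token and later compared with the `OAuthConstants.SESSION_AUTHENTICITY_TOKEN` form parameter in `completeAuthorization`, so a sentence such as `Implementations must produce an unguessable value from a cryptographically strong random source (as the default UUID fallback does) and should treat it as single-use` belongs in the type-level comment. Passing `params` and `subject` makes it possible to bind the token to the authenticated user; saying so in the `@param subject` lines would tell implementers why the argument is there. Note this is a source-incompatible change for every existing implementation of the interface, which the commit message could call out.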

http://git-wip-us.apache.org/repos/asf/cxf/blob/7e2f8ba3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index a4d76bc..72ff6fb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -164,7 +164,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     
         // Return the authorization challenge data to the end user 
         OAuthAuthorizationData data = 
-            createAuthorizationData(client, params, redirectUri, permissions);
+            createAuthorizationData(client, params, userSubject, redirectUri, permissions);
         personalizeData(data, userSubject);
         return Response.ok(data).build();
         
@@ -173,12 +173,15 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     /**
      * Create the authorization challenge data 
      */
-    protected OAuthAuthorizationData createAuthorizationData(
-        Client client, MultivaluedMap<String, String> params, String redirectUri, List<OAuthPermission>
perms) {
+    protected OAuthAuthorizationData createAuthorizationData(Client client, 
+                                                             MultivaluedMap<String, String>
params,
+                                                             UserSubject subject,
+                                                             String redirectUri, 
+                                                             List<OAuthPermission>
perms) {
         
         OAuthAuthorizationData secData = new OAuthAuthorizationData();
         
-        addAuthenticityTokenToSession(secData);
+        addAuthenticityTokenToSession(secData, params, subject);
                 
         secData.setPermissions(perms);
         secData.setProposedScope(OAuthUtils.convertPermissionsToScope(perms));
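Review bot: Changing the signature of the protected `createAuthorizationData` hook silently detaches any subclass that overrides the old four-argument form without `@Override`: it keeps compiling but is no longer invoked, so the base implementation runs instead of the customization. That is a behavioural break worth stating in the commit message or release notes rather than leaving to chance. The new parameter also needs documenting in the method Javadoc, e.g. `@param subject the authenticated end user, handed to the SessionAuthenticityTokenProvider when the authenticity token is created`.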
@@ -214,9 +217,11 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     protected Response completeAuthorization(MultivaluedMap<String, String> params)
{
         // Make sure the end user has authenticated, check if HTTPS is used
         SecurityContext securityContext = getAndValidateSecurityContext();
+        UserSubject userSubject = createUserSubject(securityContext);
         
         // Make sure the session is valid
-        if (!compareRequestAndSessionTokens(params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN)))
{
+        String sessionToken = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+        if (!compareRequestAndSessionTokens(sessionToken, params, userSubject)) {
             throw ExceptionUtils.toBadRequestException(null, null);     
         }
         //TODO: additionally we can check that the Principal that got authenticated
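Review bot: The mismatch branch after the new `compareRequestAndSessionTokens` call throws a bare 400 with no diagnostic, yet a failed authenticity-token check on the consent form is exactly the event an operator wants to see (a forged or replayed consent submission). Log it before throwing, without the token value itself, e.g. `LOG.warning("Session authenticity token check failed for client " + params.getFirst("client_id"));` — this assumes the class has a logger, which is not visible in the hunk. The body of `completeAuthorization` continues past the end of this hunk.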
@@ -248,7 +253,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
                                          partialMatchScopeValidation)) {
             return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
         }
-        UserSubject userSubject = createUserSubject(securityContext);
         
         // Request a new grant
         return createGrant(params,
@@ -324,10 +328,14 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         return redirectUri;
     }
     
-    private void addAuthenticityTokenToSession(OAuthAuthorizationData secData) {
+    private void addAuthenticityTokenToSession(OAuthAuthorizationData secData,
+                                               MultivaluedMap<String, String> params,
+                                               UserSubject subject) {
         final String sessionToken;
         if (this.sessionAuthenticityTokenProvider != null) {
-            sessionToken = this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext());
+            sessionToken = this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext(),
+                                                                                    params,
+                                                                                    subject);
         } else {
             HttpSession session = getMessageContext().getHttpServletRequest().getSession();
             sessionToken = UUID.randomUUID().toString();
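Review bot: In the provider branch the value returned by `createSessionToken` is used as-is, so a provider that returns null or an empty string yields a consent form with no authenticity token, and whether the later comparison then fails closed is decided outside this hunk. Fail fast here instead, after the if/else: `if (sessionToken == null || sessionToken.isEmpty()) { throw new IllegalStateException("SessionAuthenticityTokenProvider returned no session token"); }` so a misconfigured provider cannot silently disable the check. The rest of the method (the session attribute write and `setAuthenticityToken`) lies past the end of this hunk.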
@@ -336,10 +344,14 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         secData.setAuthenticityToken(sessionToken);
     }
     
-    private boolean compareRequestAndSessionTokens(String requestToken) {
+    private boolean compareRequestAndSessionTokens(String requestToken,
+                                                   MultivaluedMap<String, String> params,
+                                                   UserSubject subject) {
         final String sessionToken;
         if (this.sessionAuthenticityTokenProvider != null) {
-            sessionToken = sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext());
+            sessionToken = sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext(),
+                                                                               params,
+                                                                               subject);
         } else {
             HttpSession session = getMessageContext().getHttpServletRequest().getSession();
             sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
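Review bot: The two branches treat the stored token asymmetrically: the provider path removes it before comparing, so it is single-use whatever the outcome, while the `HttpSession` path only reads it here and whether it is cleared after the comparison is outside this hunk — confirm the default path also invalidates the token on use, otherwise a captured token stays valid for the session lifetime. The equality check that closes this method is also outside the hunk; if it is a plain `String.equals`, prefer `MessageDigest.isEqual(requestToken.getBytes(StandardCharsets.UTF_8), sessionToken.getBytes(StandardCharsets.UTF_8))` after null-checking both sides, which needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports.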

