From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-5712] SessionAuthenticityTokenProvider must be able to access form data Date: Fri, 25 Apr 2014 11:44:41 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 5150a2a64 -> 7e2f8ba3b [CXF-5712] SessionAuthenticityTokenProvider must be able to access form data Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7e2f8ba3 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7e2f8ba3 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7e2f8ba3 Branch: refs/heads/master Commit: 7e2f8ba3b8e5a3622bcaf3977e3bc59deb0aa405 Parents: 5150a2a Author: Sergey Beryozkin Authored: Fri Apr 25 12:44:23 2014 +0100 Committer: Sergey Beryozkin Committed: Fri Apr 25 12:44:23 2014 +0100 ---------------------------------------------------------------------- .../SessionAuthenticityTokenProvider.java | 21 +++++++++++-- .../services/RedirectionBasedGrantService.java | 32 ++++++++++++++------ 2 files changed, 40 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/7e2f8ba3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
index 34c581c..741acb0 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
@@ -19,7 +19,10 @@
 package org.apache.cxf.rs.security.oauth2.provider;
+import javax.ws.rs.core.MultivaluedMap;
+
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 /**
  * SessionAuthenticityTokenProvider responsible for storing and retrieving tokens
@@ -31,23 +34,35 @@ public interface SessionAuthenticityTokenProvider {
  * Creates a new session token and stores it
  *
  * @param mc the {@link MessageContext} of this request
+ * @param params redirection-based grant request parameters
+ * @param subject authenticated end user
  * @return the created session token
  */
- String createSessionToken(MessageContext mc);
+ String createSessionToken(MessageContext mc,
+ MultivaluedMap params,
+ UserSubject subject);
 /**
  * Retrieves the stored session token
  *
  * @param mc the {@link MessageContext} of this request
+ * @param params grant authorization parameters
+ * @param subject authenticated end user
  * @return the stored token
  */
- String getSessionToken(MessageContext mc);
+ String getSessionToken(MessageContext mc,
+ MultivaluedMap params,
+ UserSubject subject);
 /**
  * Removes the stored session token
  *
  * @param mc the {@link MessageContext} of this request
+ * @param params grant authorization parameters
+ * @param subject authenticated end user
  */
- String removeSessionToken(MessageContext mc);
+ String removeSessionToken(MessageContext mc,
+ MultivaluedMap params,
+ UserSubject subject);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7e2f8ba3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java ----------------------------------------------------------------------
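Review bot: The Javadoc of removeSessionToken still has no @return tag although the method returns a String, and the new @param params text disagrees between the methods ("redirection-based grant request parameters" on createSessionToken, "grant authorization parameters" on the other two) while the commit subject says the point is access to the submitted form data. From the RedirectionBasedGrantService side of this commit, createSessionToken receives the parameters of the initial authorization request and removeSessionToken receives the form parameters posted with the end user's decision, so the interface should say that, presumably so a provider can bind the stored token to `subject` and that request. Suggested: `* @param params the form parameters submitted with the authorization decision` on getSessionToken and removeSessionToken, plus `* @return the removed token, or null if none was stored` (the null case is inferred from the HttpSession fallback in the service, confirm against the intended contract). Replacing the single-argument methods in place rather than adding overloads also makes every existing implementation of this interface stop compiling; if that is intended, the type-level Javadoc should state it.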
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index a4d76bc..72ff6fb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -164,7 +164,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 // Return the authorization challenge data to the end user
 OAuthAuthorizationData data =
- createAuthorizationData(client, params, redirectUri, permissions);
+ createAuthorizationData(client, params, userSubject, redirectUri, permissions);
 personalizeData(data, userSubject);
 return Response.ok(data).build();
@@ -173,12 +173,15 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 /**
  * Create the authorization challenge data
  */
- protected OAuthAuthorizationData createAuthorizationData(
- Client client, MultivaluedMap params, String redirectUri, List perms) {
+ protected OAuthAuthorizationData createAuthorizationData(Client client,
+ MultivaluedMap params,
+ UserSubject subject,
+ String redirectUri,
+ List perms) {
 OAuthAuthorizationData secData = new OAuthAuthorizationData();
- addAuthenticityTokenToSession(secData);
+ addAuthenticityTokenToSession(secData, params, subject);
 secData.setPermissions(perms);
 secData.setProposedScope(OAuthUtils.convertPermissionsToScope(perms));
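Review bot: createAuthorizationData is protected and its signature is changed in place, so a subclass that overrides the old four-argument form without @Override keeps compiling as an unrelated overload that the base class never calls, and any customisation it did to the authenticity token silently stops applying. Either keep the old signature as a @Deprecated method delegating to the new one, or record the incompatibility in the Javadoc, which currently has no @param tags at all for the new parameter. Suggested: `* @param subject the authenticated end user, forwarded to the SessionAuthenticityTokenProvider when the authenticity token is created`. The method body continues past the end of this hunk.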
@@ -214,9 +217,11 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 protected Response completeAuthorization(MultivaluedMap params) {
 // Make sure the end user has authenticated, check if HTTPS is used
 SecurityContext securityContext = getAndValidateSecurityContext();
+ UserSubject userSubject = createUserSubject(securityContext);
 // Make sure the session is valid
- if (!compareRequestAndSessionTokens(params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN))) {
+ String sessionToken = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ if (!compareRequestAndSessionTokens(sessionToken, params, userSubject)) {
 throw ExceptionUtils.toBadRequestException(null, null);
 }
 //TODO: additionally we can check that the Principal that got authenticated
@@ -248,7 +253,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 partialMatchScopeValidation)) {
 return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
 }
- UserSubject userSubject = createUserSubject(securityContext);
 // Request a new grant
 return createGrant(params,
@@ -324,10 +328,14 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 return redirectUri;
 }
- private void addAuthenticityTokenToSession(OAuthAuthorizationData secData,
+ private void addAuthenticityTokenToSession(OAuthAuthorizationData secData,
+ MultivaluedMap params,
+ UserSubject subject) {
 final String sessionToken;
 if (this.sessionAuthenticityTokenProvider != null) {
- sessionToken = this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext());
+ sessionToken = this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext(),
+ params,
+ subject);
 } else {
 HttpSession session = getMessageContext().getHttpServletRequest().getSession();
 sessionToken = UUID.randomUUID().toString();
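Review bot: addAuthenticityTokenToSession now forwards params and subject to the provider, but nothing documents that the two branches give different guarantees: with a SessionAuthenticityTokenProvider the token is created and stored by the provider and can be bound to the subject, whereas the fallback branch generates a random UUID against the servlet session with no reference to params or subject (the store into the session presumably happens below the hunk). A short Javadoc on the method stating that the subject binding is only available when a provider is configured, and that the fallback relies solely on the HttpSession, would stop a reader assuming the new parameters are always honoured. The same gap exists on compareRequestAndSessionTokens in the following hunk. Both method bodies continue past the end of their hunks.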
@@ -336,10 +344,14 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 secData.setAuthenticityToken(sessionToken);
 }
- private boolean compareRequestAndSessionTokens(String requestToken) {
+ private boolean compareRequestAndSessionTokens(String requestToken,
+ MultivaluedMap params,
+ UserSubject subject) {
 final String sessionToken;
 if (this.sessionAuthenticityTokenProvider != null) {
- sessionToken = sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext(),
+ sessionToken = sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext(),
+ params,
+ subject);
 } else {
 HttpSession session = getMessageContext().getHttpServletRequest().getSession();
 sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
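Review bot: In the provider branch the stored token is consumed by removeSessionToken before anything is compared, so a POST whose SESSION_AUTHENTICITY_TOKEN is missing or wrong also discards the pending authorization, while the HttpSession branch only reads the attribute here; the two strategies differ unless the session attribute is removed later in the method, which lies outside the hunk. That single-use behaviour deserves a comment at the call, e.g. `// provider-managed tokens are single-use: retrieval removes them, so a mismatch also invalidates the pending authorization`. The actual comparison of requestToken with sessionToken is also outside the hunk; if it is a plain equals, a null requestToken should be rejected explicitly, and comparing the UTF-8 bytes with MessageDigest.isEqual would keep the check constant-time. compareRequestAndSessionTokens continues past the end of this hunk.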