cxf-commits mailing list archives

From serg...@apache.org
Subject git commit: If OAuth2 Client has registered a certificate then enforce 2-way TLS
Date Wed, 04 Jun 2014 16:14:54 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 82606afa2 -> 9221cf999


If OAuth2 Client has registered a certificate then enforce 2-way TLS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9221cf99
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9221cf99
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9221cf99

Branch: refs/heads/master
Commit: 9221cf9995f0e42c4f5e5c40e6f4f42c3c98ac7b
Parents: 82606af
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Wed Jun 4 17:14:28 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Wed Jun 4 17:14:28 2014 +0100

----------------------------------------------------------------------
 .../oauth2/services/AbstractTokenService.java   | 41 ++++++++++----------
 .../security/oauth2/OAuthDataProviderImpl.java  | 23 ++++++++++-
 2 files changed, 41 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/9221cf99/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index 7b50586..8c79579 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -62,38 +62,36 @@ public class AbstractTokenService extends AbstractOAuthService {
                 client = getAndValidateClientFromIdAndSecret(clientId,
                                               params.getFirst(OAuthConstants.CLIENT_SECRET));
             }
+        } else if (principal.getName() != null) {
+            client = getClient(principal.getName());
         } else {
-            // Client has already been authenticated
-            if (principal.getName() != null) {
-                client = getClient(principal.getName());
-            } else {
-                String clientId = retrieveClientId(params);
-                if (clientId != null) {
-                    client = getClient(clientId);
-                } 
-            }
-        } 
-        
+            String clientId = retrieveClientId(params);
+            if (clientId != null) {
+                client = getClient(clientId);
+            } 
+        }
         if (client == null) {
-            TLSSessionInfo tlsSessionInfo = 
-                (TLSSessionInfo)getMessageContext().get(TLSSessionInfo.class.getName());
-            client = getClientFromTLSCertificates(sc, tlsSessionInfo);
+            client = getClientFromTLSCertificates(sc, getTlsSessionInfo());
             if (client == null) {
                 // Basic Authentication is expected by default
                 client = getClientFromBasicAuthScheme();
             }
-            if (client != null && tlsSessionInfo != null) {
-                // Validate the client application certificates
-                compareTlsCertificates(tlsSessionInfo, client.getApplicationCertificate());
-            }
         }
-        
+        if (client != null && client.getApplicationCertificate() != null) {
+            // Validate the client application certificates
+            compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificate());
+        }
         if (client == null) {
             reportInvalidClient();
         }
         return client;
     }
     
+    private TLSSessionInfo getTlsSessionInfo() {
+
+        return (TLSSessionInfo)getMessageContext().get(TLSSessionInfo.class.getName());
+    }
+    
     protected String retrieveClientId(MultivaluedMap<String, String> params) {
         String clientId = params.getFirst(OAuthConstants.CLIENT_ID);
         if (clientId == null) {
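Review bot: The check added after the Basic-auth fallback (`client != null && client.getApplicationCertificate() != null`) is what makes a registered certificate mandatory, but its comment still reads as a plain comparison; with the rewritten compareTlsCertificates a missing TLS session now rejects the client, which a reader of this hunk cannot tell on its own. Suggest `// A client that registered a certificate must present it over 2-way TLS: compareTlsCertificates rejects a missing or mismatched peer certificate`. getTlsSessionInfo() is also looked up twice per request (once in the getClientFromTLSCertificates call, once in the new check); holding it in a local declared before the `if (client == null)` block avoids the second context lookup, and the stray blank line at the top of the new getTlsSessionInfo helper can go. The enclosing getClient method starts before this hunk.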
@@ -154,7 +152,7 @@ public class AbstractTokenService extends AbstractOAuthService {
     }
     
     protected void compareTlsCertificates(TLSSessionInfo tlsInfo, String base64EncodedCert)
{
-        if (tlsInfo != null && base64EncodedCert != null) {
+        if (tlsInfo != null) {
             Certificate[] clientCerts = tlsInfo.getPeerCertificates();
             try {
                 X509Certificate cert = (X509Certificate)clientCerts[0];
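Review bot: Dropping the `base64EncodedCert != null` condition turns compareTlsCertificates from a no-op into a rejection whenever there is no TLS session, and because the method is `protected`, any subclass that calls it directly outside a TLS session now gets reportInvalidClient() where it previously got nothing. That is the intended enforcement for the caller changed in this commit, but the new contract deserves a Javadoc, along the lines of: `Rejects the request unless the peer certificate of the current TLS session matches the client's registered certificate; a missing TLS session is reported as an invalid client, and a null registered certificate presumably fails the comparison.` The method body continues in the next hunk.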
@@ -164,9 +162,10 @@ public class AbstractTokenService extends AbstractOAuthService {
                     return;
                 }
             } catch (Exception ex) {
-                reportInvalidClient();
+                // throw exception later
             }
         }
+        reportInvalidClient();
     }
     
     
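Review bot: The catch block now swallows the exception with only `// throw exception later`, yet that exception carries the reason the client was rejected (an empty peer chain making `clientCerts[0]` fail, a non-X509 peer certificate, a decoding failure of the registered certificate), and losing it makes a 2-way TLS misconfiguration indistinguishable from a genuine certificate mismatch when reportInvalidClient() fires. Log the exception at debug/fine level before falling through (no logger is visible in this hunk; if the class has none, a `java.util.logging` one is consistent with the CXF codebase), and consider an explicit `if (clientCerts == null || clientCerts.length == 0)` guard rather than relying on the array access to throw. The start of compareTlsCertificates is in the previous hunk.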

http://git-wip-us.apache.org/repos/asf/cxf/blob/9221cf99/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
index 54917f4..8647414 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
@@ -18,10 +18,14 @@
  */
 package org.apache.cxf.systest.jaxrs.security.oauth2;
 
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
@@ -37,20 +41,35 @@ public class OAuthDataProviderImpl implements OAuthDataProvider {
 
     private Map<String, Client> clients = new HashMap<String, Client>();
     
-    public OAuthDataProviderImpl() {
+    public OAuthDataProviderImpl() throws Exception {
         Client client = new Client("alice", "alice", true);
         client.getAllowedGrantTypes().add(Constants.SAML2_BEARER_GRANT);
         client.getAllowedGrantTypes().add("custom_grant");
         clients.put(client.getClientId(), client);
+
+        
+        KeyStore keyStore = loadKeyStore(); 
+        Certificate cert = keyStore.getCertificate("morpit");
+        String encodedCert = Base64Utility.encode(cert.getEncoded());
         
         Client client2 = new Client("CN=whateverhost.com,OU=Morpit,O=ApacheTest,L=Syracuse,C=US",

                                     null,
                                     true,
                                     null,
                                     null);
-        client.getAllowedGrantTypes().add("custom_grant");
+        client2.getAllowedGrantTypes().add("custom_grant");
+        client2.setApplicationCertificate(encodedCert);
         clients.put(client2.getClientId(), client2);
     }
+
+    private KeyStore loadKeyStore() throws Exception {
+        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+        InputStream is = this.getClass().getResourceAsStream("/org/apache/cxf/systest/http/resources/Truststore.jks");
+        ks.load(is, new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'});
+        return ks;
+    }
+
+    
     
     @Override
     public Client getClient(String clientId) throws OAuthServiceException {
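Review bot: loadKeyStore opens the truststore with getResourceAsStream and never closes the stream, and if the resource is absent `is` is null, which KeyStore.load accepts silently and yields an empty keystore; the failure then surfaces as a NullPointerException on `cert.getEncoded()` in the constructor rather than as a missing-resource error. Close the stream with try-with-resources (the module builds on Java 7 or later, so this should be available) and fail early on a null stream. The truststore password is test data, so leaving it inline is acceptable here.
```java
private KeyStore loadKeyStore() throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream is = this.getClass().getResourceAsStream(
            "/org/apache/cxf/systest/http/resources/Truststore.jks")) {
        if (is == null) {
            throw new IllegalStateException("Truststore.jks not found on the test classpath");
        }
        ks.load(is, new char[]{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'});
    }
    return ks;
}
```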

