From serg...@apache.org
Subject git commit: [CXF-6081] Make it easier to control the way AccessTokenService checks the passwords
Date Tue, 04 Nov 2014 13:35:11 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 4328ed18d -> 0987d4052


[CXF-6081] Make it easier to control the way AccessTokenService checks the passwords


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0987d405
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0987d405
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0987d405

Branch: refs/heads/3.0.x-fixes
Commit: 0987d405261d3d3ea34da8ffef2a98646104c448
Parents: 4328ed1
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Nov 4 13:33:10 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Nov 4 13:34:52 2014 +0000

----------------------------------------------------------------------
 .../oauth2/provider/ClientIdProvider.java       |  2 +-
 .../oauth2/provider/ClientSecretVerifier.java   | 37 ++++++++++++++++++++
 .../oauth2/services/AbstractOAuthService.java   | 16 +++++++++
 .../oauth2/services/AbstractTokenService.java   | 33 +++++++++++------
 .../oauth2/utils/AuthorizationUtils.java        | 16 ++++++---
 5 files changed, 88 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/0987d405/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java
index f0b9a7a..26bc9db 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java
@@ -22,7 +22,7 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 
 /**
- * ClientIdProvider responsible for providing a mapping between
+ * ClientIdProvider is responsible for providing a mapping between
  * the authenticated client and its id  
  */
 public interface ClientIdProvider {

http://git-wip-us.apache.org/repos/asf/cxf/blob/0987d405/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java
new file mode 100644
index 0000000..fd5f1dc
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+
+/**
+ * ClientSecretVerifier is responsible for validating a client secret  
+ */
+public interface ClientSecretVerifier {
+
+    /**
+     * Validate a client secret
+     * 
+     * @param client the {@link Client} the Client
+     * @param clientSecret the secret
+     * @return true if the secret is valid, false otherwise
+     */
+    boolean validateClientSecret(Client client, String clientSecret);
+}
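Review bot: The `@param client` tag on the new interface reads `the {@link Client} the Client`, a duplicated phrase; `@param client the {@link Client} whose secret is being checked` says it once. Because this interface is the hook that replaces the plain `String.equals` comparison in AbstractTokenService, the class-level Javadoc should also spell out the contract an implementation is expected to honour, for example `Implementations should compare the supplied secret (or its hash) in constant time and must not include the supplied secret in log or error output`, so that a custom verifier does not end up weaker than the default it displaces.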

http://git-wip-us.apache.org/repos/asf/cxf/blob/0987d405/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
index 375fd40..c0a4207 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.rs.security.oauth2.services;
 
+import java.lang.reflect.Method;
 import java.util.logging.Logger;
 
 import javax.ws.rs.core.Context;
@@ -44,6 +45,7 @@ public abstract class AbstractOAuthService {
     private OAuthDataProvider dataProvider;
     private boolean blockUnsecureRequests;
     private boolean writeOptionalParameters = true;
+    private Method dataProviderContextMethod;
     
     public void setWriteOptionalParameters(boolean write) {
         writeOptionalParameters = write;
@@ -56,6 +58,13 @@ public abstract class AbstractOAuthService {
     @Context 
     public void setMessageContext(MessageContext context) {
         this.mc = context;    
+        if (dataProviderContextMethod != null) {
+            try {
+                dataProviderContextMethod.invoke(dataProvider, new Object[]{mc});
+            } catch (Throwable t) {
+                throw new RuntimeException(t); 
+            }
+        }
     }
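Review bot: The `catch (Throwable t)` around `dataProviderContextMethod.invoke(...)` wraps the reflective `InvocationTargetException`, so the provider's own exception is buried one level deeper in the cause chain, and `Error`s are rethrown as `RuntimeException` as well. Adding `catch (InvocationTargetException e) { throw new RuntimeException(e.getCause()); }` ahead of the existing catch (with `java.lang.reflect.InvocationTargetException` imported) surfaces the real failure. Whether this setter runs once for a singleton resource or once per request is not visible from the hunk; a one-line comment such as `// hands the injected MessageContext to a data provider that exposes setMessageContext(MessageContext)` would also help the next reader, since the reflective lookup lives in a different setter.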
     
     public MessageContext getMessageContext() {
@@ -64,6 +73,13 @@ public abstract class AbstractOAuthService {
 
     public void setDataProvider(OAuthDataProvider dataProvider) {
         this.dataProvider = dataProvider;
+        try {
+            dataProviderContextMethod = dataProvider.getClass().getMethod("setMessageContext",

+                                                                          new Class[]{MessageContext.class});
+        } catch (Throwable t) {
+            // ignore
+        }
+        
     }
 
     public OAuthDataProvider getDataProvider() {
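Review bot: `dataProviderContextMethod` is never reset before the lookup, so when `setDataProvider` is called a second time with a provider that has no `setMessageContext(MessageContext)` method, the `Method` resolved for the previous provider survives and the later `invoke` on the new provider fails with `IllegalArgumentException`. Start the body with `dataProviderContextMethod = null;` before the `try`. The `catch (Throwable t)` with `// ignore` also hides a `NullPointerException` from `dataProvider.getClass()` when a null provider is passed and any `SecurityException` from `getMethod`; narrowing it to `catch (NoSuchMethodException e)` and guarding the lookup with `if (dataProvider != null)` keeps only the expected "provider has no such method" case silent.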

http://git-wip-us.apache.org/repos/asf/cxf/blob/0987d405/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index c70e6d6..f7feec8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -39,6 +39,7 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.provider.ClientIdProvider;
+import org.apache.cxf.rs.security.oauth2.provider.ClientSecretVerifier;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
@@ -48,6 +49,7 @@ public class AbstractTokenService extends AbstractOAuthService {
     private boolean canSupportPublicClients;
     private boolean writeCustomErrors;
     private ClientIdProvider clientIdProvider;
+    private ClientSecretVerifier clientSecretVerifier;
     
     /**
      * Make sure the client is authenticated
@@ -107,25 +109,34 @@ public class AbstractTokenService extends AbstractOAuthService {
     // Get the Client and check the id and secret
     protected Client getAndValidateClientFromIdAndSecret(String clientId, String clientSecret)
{
         Client client = getClient(clientId);
-        if (canSupportPublicClients 
-            && !client.isConfidential() 
-            && client.getClientSecret() == null 
-            && clientSecret == null) {
+        if (!client.getClientId().equals(clientId)) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        if (isValidPublicClient(client, clientId, clientSecret)) {
             return client;
         }
-        if (clientSecret == null || client.getClientSecret() == null 
-            || !client.getClientId().equals(clientId) 
-            || !client.getClientSecret().equals(clientSecret)) {
+        if (!client.isConfidential()
+            || clientSecret == null || client.getClientSecret() == null 
+            || !isClientSecretValid(client, clientSecret)) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
         return client;
     }
+    protected boolean isClientSecretValid(Client client, String clientSecret) {
+        return clientSecretVerifier != null ? clientSecretVerifier.validateClientSecret(client,
clientSecret)
+            : client.getClientSecret().equals(clientSecret);
+    }
+    protected boolean isValidPublicClient(Client client, String clientId, String clientSecret)
{
+        return canSupportPublicClients 
+            && !client.isConfidential() 
+            && client.getClientSecret() == null 
+            && clientSecret == null;
+    }
     
     protected Client getClientFromBasicAuthScheme() {
-        String[] parts = AuthorizationUtils.getAuthorizationParts(getMessageContext());
-        if (OAuthConstants.BASIC_SCHEME.equalsIgnoreCase(parts[0])) {
-            String[] authInfo = AuthorizationUtils.getBasicAuthParts(parts[1]);
-            return getAndValidateClientFromIdAndSecret(authInfo[0], authInfo[1]);
+        String[] userInfo = AuthorizationUtils.getBasicAuthUserInfo(getMessageContext());
+        if (userInfo != null && userInfo.length == 2) {
+            return getAndValidateClientFromIdAndSecret(userInfo[0], userInfo[1]);
         } else {
             return null;
         }
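Review bot: The default branch of the new `isClientSecretValid` keeps `client.getClientSecret().equals(clientSecret)`, which returns on the first mismatching character, so the extension point still ships a timing-dependent secret comparison by default; `return MessageDigest.isEqual(client.getClientSecret().getBytes(StandardCharsets.UTF_8), clientSecret.getBytes(StandardCharsets.UTF_8));` compares in constant time (`StandardCharsets` needs Java 7, otherwise `getBytes("UTF-8")`). `isValidPublicClient` declares a `clientId` parameter it never reads, which is misleading for subclasses overriding it. Both new protected hooks lack Javadoc; `getAndValidateClientFromIdAndSecret` also dereferences the result of `getClient(clientId)` without a null check, though whether `getClient` can return null is outside this hunk. `getClientFromBasicAuthScheme` continues past the end of the hunk.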

http://git-wip-us.apache.org/repos/asf/cxf/blob/0987d405/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java
index 21f758c..a22f171 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java
@@ -38,11 +38,18 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 public final class AuthorizationUtils {
     private AuthorizationUtils() {
     }
-    
-    public static String[] getBasicAuthParts(String data) {
+    public static String[] getBasicAuthUserInfo(MessageContext mc) {
+        String[] parts = AuthorizationUtils.getAuthorizationParts(mc);
+        if (parts.length == 2) {
+            return getBasicAuthParts(parts[1]);
+        } else {
+            return null;
+        }
+    }
+    public static String[] getBasicAuthParts(String basicAuthData) {
         String authDecoded = null;
         try {
-            authDecoded = new String(Base64Utility.decode(data));
+            authDecoded = new String(Base64Utility.decode(basicAuthData));
         } catch (Exception ex) {
             throw ExceptionUtils.toNotAuthorizedException(ex, null);
         }
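Review bot: `getBasicAuthUserInfo` drops the scheme check the old caller performed — AbstractTokenService used to require `OAuthConstants.BASIC_SCHEME.equalsIgnoreCase(parts[0])` before decoding, whereas the new method base64-decodes `parts[1]` for any two-token Authorization header, unless the single-argument `getAuthorizationParts` overload (outside this hunk) filters by scheme itself. A `Bearer` header on this path then reaches `getBasicAuthParts`, and a decode failure becomes a 401 from `toNotAuthorizedException` where the old code returned null and let the other client-authentication methods run. `if (parts.length == 2 && OAuthConstants.BASIC_SCHEME.equalsIgnoreCase(parts[0]))` restores the guard. On the renamed line, `new String(Base64Utility.decode(basicAuthData))` still decodes with the platform default charset; passing an explicit UTF-8 charset makes the credential parsing deterministic across JVMs.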
@@ -68,7 +75,8 @@ public final class AuthorizationUtils {
         List<String> headers = mc.getHttpHeaders().getRequestHeader("Authorization");
         if (headers.size() == 1) {
             String[] parts = headers.get(0).split(" ");
-            if (parts.length == 2) {
+            if (parts.length > 0 
+                && (challenges == null || challenges.isEmpty() || challenges.contains(parts[0])))
{
                 return parts;       
             }
         }
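Review bot: `challenges.contains(parts[0])` matches the scheme case-sensitively, while HTTP authentication scheme names are case-insensitive and the check this commit replaces in AbstractTokenService used `equalsIgnoreCase`, so a header sent as `basic` or `BEARER` is rejected by a `challenges` filter listing `Basic`/`Bearer`; iterating `challenges` and comparing with `equalsIgnoreCase` fixes that. Relaxing `parts.length == 2` to `parts.length > 0` also means a bare-scheme header now yields a one-element array, so every caller indexing `parts[1]` needs a length check — `getBasicAuthUserInfo` has one, other callers are outside this diff. The method's signature and the declaration of `challenges` lie outside the hunk, so its Javadoc should state that the returned array may contain only the scheme.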

