cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: Adding filter interceptors to post process OAuth2 token and code responses
Date Fri, 07 Nov 2014 12:50:12 GMT
Repository: cxf
Updated Branches:
  refs/heads/master dbf25b79e -> e9d6f160f


Adding filter interceptors to post process OAuth2 token and code responses


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e9d6f160
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e9d6f160
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e9d6f160

Branch: refs/heads/master
Commit: e9d6f160f9254c1d49a91f4b2cd4b609dbd9fc71
Parents: dbf25b7
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Nov 7 12:49:49 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Nov 7 12:49:49 2014 +0000

----------------------------------------------------------------------
 .../provider/AccessTokenResponseFilter.java     | 26 +++++++++++
 .../AuthorizationCodeResponseFilter.java        | 25 +++++++++++
 .../oauth2/services/AccessTokenService.java     | 30 +++++++------
 .../services/AuthorizationCodeGrantService.java | 17 +++++--
 .../oauth2/services/ImplicitGrantService.java   | 47 +++++++++++++-------
 .../oauth2/tokens/hawk/HawkAccessToken.java     | 12 +++--
 .../rs/security/oauth2/utils/OAuthUtils.java    | 17 +++++++
 .../hawk/HawkAccessTokenValidatorTest.java      |  2 +-
 8 files changed, 139 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
new file mode 100644
index 0000000..4c5d76d
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+
+public interface AccessTokenResponseFilter {
+    void process(Client client, ClientAccessToken ct);
+}
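Review bot: `AccessTokenResponseFilter.process` has no Javadoc, and its contract is security-relevant because whatever an implementation does to `ct` is what the client receives. I would add something like `/** Post-processes the token response before it is returned to the client; implementations modify ct in place. */` on the method. The comment should also say whether a filter may throw to veto the response and whether implementations must be thread-safe. The callers in this commit keep filters in a service-level list, which suggests they are shared across requests, though the service scope is not visible here.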

http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java
new file mode 100644
index 0000000..b657332
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AuthorizationCodeResponseFilter.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+
+public interface AuthorizationCodeResponseFilter {
+    String process(Client client, String code);
+}
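Review bot: `AuthorizationCodeResponseFilter.process` returns the string that replaces the authorization code sent to the client, but nothing documents what a valid return value is. A Javadoc should state that the result must be non-null and must still be a value the token endpoint can map back to the stored grant, since the visible caller substitutes it for `grant.getCode()` in the redirect URI. Something like `/** Returns the code value to deliver to the client; must not be null. */` on the method would cover the first part.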

http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
index e3af68a..ae51f3f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
@@ -35,11 +35,11 @@ import javax.ws.rs.core.Response;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthError;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
+import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
@@ -50,6 +50,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 @Path("/token")
 public class AccessTokenService extends AbstractTokenService {
     private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
+    private List<AccessTokenResponseFilter> responseHandlers = new LinkedList<AccessTokenResponseFilter>();
     private List<String> audiences = new LinkedList<String>();
     
     /**
@@ -67,7 +68,14 @@ public class AccessTokenService extends AbstractTokenService {
     public void setGrantHandler(AccessTokenGrantHandler handler) {
         grantHandlers.add(handler);
     }
+
+    public void setResponseFilters(List<AccessTokenResponseFilter> handlers) {
+        this.responseHandlers = handlers;
+    }
     
+    public void setResponseFilter(AccessTokenResponseFilter responseHandler) {
+        responseHandlers.add(responseHandler);
+    }
     /**
      * Processes an access token request
      * @param params the form parameters representing the access token grant 
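Review bot: `setResponseFilters` stores the caller's list directly (`this.responseHandlers = handlers;`), so a null argument only surfaces later as a NullPointerException in the `for` loop of `processClientAccessToken`, and later changes to the caller's list silently change which filters run. Copying is safer: `this.responseHandlers = new LinkedList<AccessTokenResponseFilter>(handlers);`, which also fails fast on null at configuration time. `LinkedList` is not thread-safe, so `setResponseFilter` should be documented as configuration-time only if the service instance is shared between requests (not visible in this hunk). The same two setters are added to `ImplicitGrantService` later in this commit and the same applies there.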
@@ -111,25 +119,19 @@ public class AccessTokenService extends AbstractTokenService {
         }
         
         // Extract the information to be of use for the client
-        ClientAccessToken clientToken = new ClientAccessToken(serverToken.getTokenType(),
-                                                              serverToken.getTokenKey());
-        clientToken.setRefreshToken(serverToken.getRefreshToken());
-        if (isWriteOptionalParameters()) {
-            clientToken.setExpiresIn(serverToken.getExpiresIn());
-            List<OAuthPermission> perms = serverToken.getScopes();
-            if (!perms.isEmpty()) {
-                clientToken.setApprovedScope(OAuthUtils.convertPermissionsToScope(perms));
   
-            }
-            clientToken.setParameters(serverToken.getParameters());
-        }
-        
+        ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(serverToken, isWriteOptionalParameters());
+        processClientAccessToken(client, clientToken);    
         // Return it to the client
         return Response.ok(clientToken)
                        .header(HttpHeaders.CACHE_CONTROL, "no-store")
                        .header("Pragma", "no-cache")
                         .build();
     }
-    
+    protected void processClientAccessToken(Client client, ClientAccessToken clientToken)
{
+        for (AccessTokenResponseFilter filter : responseHandlers) {
+            filter.process(client, clientToken); 
+        }
+    }
     protected void checkAudience(MultivaluedMap<String, String> params) { 
         if (audiences.isEmpty()) {
             return;
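Review bot: `processClientAccessToken` is called once `serverToken` already exists, so a filter that throws aborts the response for a token that may already have been created and stored (the creation code is above this hunk and not shown). Either document on the method that filters must not throw, or decide explicitly what happens to the issued token in that case. A short Javadoc such as `/** Applies the registered response filters, in list order, to the token about to be returned. */` would also help subclasses that override this protected method.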

http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index a4b48ce..1d0c97e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -34,6 +34,7 @@ import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
 import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
+import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeResponseFilter;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.provider.OOBResponseDeliverer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
@@ -50,6 +51,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 public class AuthorizationCodeGrantService extends RedirectionBasedGrantService {
     private boolean canSupportPublicClients;
     private OOBResponseDeliverer oobDeliverer;
+    private AuthorizationCodeResponseFilter codeResponseFilter;
     
     public AuthorizationCodeGrantService() {
         super(OAuthConstants.CODE_RESPONSE_TYPE, OAuthConstants.AUTHORIZATION_CODE_GRANT);
@@ -80,7 +82,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         } catch (OAuthServiceException ex) {
             return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
         }
-        
+        String grantCode = processCodeGrant(client, grant.getCode());
         if (redirectUri == null) {
             OOBAuthorizationResponse oobResponse = new OOBAuthorizationResponse();
             oobResponse.setClientId(client.getClientId());
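Review bot: The filtered `grantCode` is computed before the `redirectUri == null` branch, but the diff only shows it being used in the redirect branch of the next hunk. The out-of-band branch continues between the two hunks and is not part of the diff, so it presumably still reads `grant.getCode()` when filling the `OOBAuthorizationResponse`. If so, OOB clients receive the unfiltered code while redirect clients receive the filtered one. It is worth confirming that branch and replacing `grant.getCode()` with `grantCode` there as well.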
@@ -91,11 +93,16 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         } else {
             // return the code by appending it as a query parameter to the redirect URI
             UriBuilder ub = getRedirectUriBuilder(params.getFirst(OAuthConstants.STATE),
redirectUri);
-            ub.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, grant.getCode());
+            ub.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, grantCode);
             return Response.seeOther(ub.build()).build();
         }
     }
-    
+    protected String processCodeGrant(Client client, String code) {
+        if (codeResponseFilter != null) {
+            return codeResponseFilter.process(client, code);
+        }
+        return code;
+    }
     protected Response deliverOOBResponse(OOBAuthorizationResponse response) {
         if (oobDeliverer != null) {    
             return oobDeliverer.deliver(response);
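Review bot: `processCodeGrant` passes the filter's return value straight through, so a filter returning null reaches `ub.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, grantCode)` and the failure shows up during URI building rather than at the filter boundary. I would hold the result in a local and reject null explicitly, e.g. `if (filtered == null) { throw new OAuthServiceException("Code response filter returned no code"); }`. The new method also lost the blank line that used to separate it from the preceding method, and it would benefit from a one-line Javadoc saying it returns the code unchanged when no filter is set.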
@@ -137,6 +144,10 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
     public void setCanSupportPublicClients(boolean support) {
         this.canSupportPublicClients = support;
     }
+
+    public void setCodeResponseFilter(AuthorizationCodeResponseFilter filter) {
+        this.codeResponseFilter = filter;
+    }
     
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
index e68d343..39ec3d1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
@@ -20,18 +20,22 @@
 package org.apache.cxf.rs.security.oauth2.services;
 
 import java.net.URI;
+import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 
 import javax.ws.rs.Path;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 
@@ -49,6 +53,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 public class ImplicitGrantService extends RedirectionBasedGrantService {
     // For a client to validate that this client is a targeted recipient.
     private boolean reportClientId;
+    private List<AccessTokenResponseFilter> responseHandlers = new LinkedList<AccessTokenResponseFilter>();
     
     public ImplicitGrantService() {
         super(OAuthConstants.TOKEN_RESPONSE_TYPE, OAuthConstants.IMPLICIT_GRANT);
@@ -74,42 +79,44 @@ public class ImplicitGrantService extends RedirectionBasedGrantService
{
         } else {
             token = preAuthorizedToken;
         }
-
+        ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(token, isWriteOptionalParameters());
+        processClientAccessToken(client, clientToken);
    
-       // return the code by appending it as a fragment parameter to the redirect URI
+        // return the token by appending it as a fragment parameter to the redirect URI
         
         StringBuilder sb = getUriWithFragment(redirectUri);
         
-        sb.append(OAuthConstants.ACCESS_TOKEN).append("=").append(token.getTokenKey());
+        sb.append(OAuthConstants.ACCESS_TOKEN).append("=").append(clientToken.getTokenKey());
         String state = params.getFirst(OAuthConstants.STATE);
         if (state != null) {
             sb.append("&");
             sb.append(OAuthConstants.STATE).append("=").append(state);   
         }
         sb.append("&")
-            .append(OAuthConstants.ACCESS_TOKEN_TYPE).append("=").append(token.getTokenType());
+            .append(OAuthConstants.ACCESS_TOKEN_TYPE).append("=").append(clientToken.getTokenType());
         
         if (isWriteOptionalParameters()) {
             sb.append("&").append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
-                .append("=").append(token.getExpiresIn());
-            // Reporting scope is required if the approved scope is different and
-            // optional - otherwise; lets always report it for now if it is non-empty 
-            List<OAuthPermission> perms = token.getScopes();
-            if (!perms.isEmpty()) {
-                String scope = OAuthUtils.convertPermissionsToScope(perms);
+                .append("=").append(clientToken.getExpiresIn());
+            if (!StringUtils.isEmpty(clientToken.getApprovedScope())) {
                 sb.append("&").append(OAuthConstants.SCOPE).append("=")
-                    .append(HttpUtils.queryEncode(scope));
+                    .append(HttpUtils.queryEncode(clientToken.getApprovedScope()));
+            }
+            for (Map.Entry<String, String> entry : clientToken.getParameters().entrySet())
{
+                sb.append("&").append(entry.getKey()).append("=").append(HttpUtils.queryEncode(entry.getValue()));
             }
-            //TODO: also report other token parameters if any if needed  
         }
         if (reportClientId) {
-            sb.append("&")
-                .append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId());
+            sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId());
         }
         
         return Response.seeOther(URI.create(sb.toString())).build();
     }
-    
+    protected void processClientAccessToken(Client client, ClientAccessToken clientToken)
{
+        for (AccessTokenResponseFilter filter : responseHandlers) {
+            filter.process(client, clientToken); 
+        }
+    }
     protected Response createErrorResponse(MultivaluedMap<String, String> params,
                                            String redirectUri,
                                            String error) {
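Review bot: In the new loop over `clientToken.getParameters()`, the value goes through `HttpUtils.queryEncode` but the key is appended raw, so a parameter name containing `&`, `=` or `#` would change the structure of the redirect fragment. Encode both sides: `sb.append("&").append(HttpUtils.queryEncode(entry.getKey())).append("=").append(HttpUtils.queryEncode(entry.getValue()));`. The loop also writes every token parameter into the browser-visible fragment, so anything a token type or filter stores there must be safe to expose; for Hawk tokens the parameters appear to carry the MAC material (see `setExtraParameters(algo, macKey)` in `HawkAccessToken`), which deserves an explicit decision. A name that collides with `OAuthConstants.ACCESS_TOKEN`, `OAuthConstants.STATE` or `OAuthConstants.SCOPE` would also produce a duplicate parameter. The enclosing method starts above this hunk.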
@@ -134,6 +141,14 @@ public class ImplicitGrantService extends RedirectionBasedGrantService
{
     public void setReportClientId(boolean reportClientId) {
         this.reportClientId = reportClientId;
     }
+    
+    public void setResponseFilters(List<AccessTokenResponseFilter> handlers) {
+        this.responseHandlers = handlers;
+    }
+    
+    public void setResponseFilter(AccessTokenResponseFilter responseHandler) {
+        responseHandlers.add(responseHandler);
+    }
 
     @Override
     protected boolean canSupportPublicClient(Client c) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessToken.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessToken.java
index ff75484..ce3ca25 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessToken.java
@@ -21,6 +21,7 @@ package org.apache.cxf.rs.security.oauth2.tokens.hawk;
 import org.apache.cxf.common.util.crypto.HmacUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 
@@ -57,8 +58,7 @@ public class HawkAccessToken extends ServerAccessToken {
                           String tokenKey,
                           long lifetime, 
                           long issuedAt) {
-        super(client, OAuthConstants.HAWK_TOKEN_TYPE, tokenKey, lifetime, issuedAt);
-        this.setExtraParameters(algo, null);
+        this(client, algo, tokenKey, null, lifetime, issuedAt);
     }
     
     public HawkAccessToken(Client client,
@@ -67,7 +67,7 @@ public class HawkAccessToken extends ServerAccessToken {
                           String macKey,
                           long lifetime, 
                           long issuedAt) {
-        super(client, OAuthConstants.HAWK_TOKEN_TYPE, tokenKey, lifetime, issuedAt);
+        super(checkClient(client), OAuthConstants.HAWK_TOKEN_TYPE, tokenKey, lifetime, issuedAt);
         this.setExtraParameters(algo, macKey);
     }
     
@@ -94,4 +94,10 @@ public class HawkAccessToken extends ServerAccessToken {
     public String getMacAlgorithm() {
         return super.getParameters().get(OAuthConstants.HAWK_TOKEN_ALGORITHM);
     }
+    private static Client checkClient(Client c) {
+        if (!c.isConfidential()) {
+            throw new OAuthServiceException("Public clients can not keep a MAC secret");
+        }
+        return c;
+    }
 }
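Review bot: `checkClient` dereferences `c` without a null check, so constructing a `HawkAccessToken` with a null client now fails with a NullPointerException instead of the `OAuthServiceException` the method otherwise uses. `if (c == null || !c.isConfidential())` keeps the failure mode uniform. The check only guards the two constructors touched in this commit; if the class has another construction path (a no-arg constructor for deserialization, for instance, which is not visible in these hunks), tokens for public clients could still be created through it. A one-line comment on `checkClient` explaining why public clients are rejected would help future readers.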

http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index b33b929..83716b1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -33,7 +33,9 @@ import org.apache.cxf.common.util.crypto.MessageDigestUtils;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.model.URITemplate;
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.security.LoginSecurityContext;
@@ -187,4 +189,19 @@ public final class OAuthUtils {
         }
         return true;
     }
+
+    public static ClientAccessToken toClientAccessToken(ServerAccessToken serverToken, boolean
supportOptionalParams) {
+        ClientAccessToken clientToken = new ClientAccessToken(serverToken.getTokenType(),
+                                                              serverToken.getTokenKey());
+        clientToken.setRefreshToken(serverToken.getRefreshToken());
+        if (supportOptionalParams) {
+            clientToken.setExpiresIn(serverToken.getExpiresIn());
+            List<OAuthPermission> perms = serverToken.getScopes();
+            if (!perms.isEmpty()) {
+                clientToken.setApprovedScope(OAuthUtils.convertPermissionsToScope(perms));
   
+            }
+            clientToken.setParameters(serverToken.getParameters());
+        }
+        return clientToken;
+    }
 }
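Review bot: `toClientAccessToken` hands the server token's parameter map to the client token via `clientToken.setParameters(serverToken.getParameters())`, and this commit then lets response filters modify the client token. Unless `setParameters` copies (not visible here), a filter that adds or removes a parameter would also change the map held by the `ServerAccessToken`. Passing a copy avoids that: `clientToken.setParameters(new HashMap<String, String>(serverToken.getParameters()));`, provided `java.util.HashMap` is imported in this file. The method is public and would benefit from a Javadoc stating that `supportOptionalParams` controls whether expiry, scope and extra parameters are copied.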

http://git-wip-us.apache.org/repos/asf/cxf/blob/e9d6f160/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessTokenValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessTokenValidatorTest.java
b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessTokenValidatorTest.java
index b034016..65de61d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessTokenValidatorTest.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/HawkAccessTokenValidatorTest.java
@@ -49,7 +49,7 @@ public class HawkAccessTokenValidatorTest extends Assert {
     @Test
     public void testValidateAccessToken() throws Exception {
         HawkAccessToken macAccessToken = new HawkAccessToken(new Client("testClientId", "testClientSecret",
-                                                                          false), 
+                                                                          true), 
                                                                           HmacAlgorithm.HmacSHA256,
-1);
         HttpServletRequest httpRequest = mockHttpRequest();
         UriInfo uriInfo = mockUriInfo();

