Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F2300102C4 for ; Tue, 4 Nov 2014 13:33:35 +0000 (UTC) Received: (qmail 71144 invoked by uid 500); 4 Nov 2014 13:33:35 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 71082 invoked by uid 500); 4 Nov 2014 13:33:35 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 71073 invoked by uid 99); 4 Nov 2014 13:33:35 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 04 Nov 2014 13:33:35 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 99EB9A094D6; Tue, 4 Nov 2014 13:33:35 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <45484f5204e0412d9bebdc42c31f7235@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-6081] Make it easier to control the way AccessTokenService checks the passwords Date: Tue, 4 Nov 2014 13:33:35 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 7f7c42b77 -> 3cf19d0f7 [CXF-6081] Make it easier to control the way AccessTokenService checks the passwords Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3cf19d0f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3cf19d0f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3cf19d0f Branch: refs/heads/master Commit: 3cf19d0f734d5196ccaa0148972b4ddfd19529ef Parents: 7f7c42b Author: Sergey Beryozkin Authored: Tue Nov 4 13:33:10 2014 +0000 Committer: Sergey Beryozkin Committed: Tue Nov 4 13:33:10 2014 +0000 ---------------------------------------------------------------------- .../oauth2/provider/ClientIdProvider.java | 2 +- .../oauth2/provider/ClientSecretVerifier.java | 37 ++++++++++++++++++++ .../oauth2/services/AbstractOAuthService.java | 16 +++++++++ .../oauth2/services/AbstractTokenService.java | 33 +++++++++++------ .../oauth2/utils/AuthorizationUtils.java | 16 ++++++--- 5 files changed, 88 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/3cf19d0f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java index f0b9a7a..26bc9db 100644 
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientIdProvider.java @@ -22,7 +22,7 @@ package org.apache.cxf.rs.security.oauth2.provider; import org.apache.cxf.jaxrs.ext.MessageContext; /** - * ClientIdProvider responsible for providing a mapping between + * ClientIdProvider is responsible for providing a mapping between * the authenticated client and its id */ public interface ClientIdProvider { http://git-wip-us.apache.org/repos/asf/cxf/blob/3cf19d0f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java new file mode 100644 index 0000000..fd5f1dc --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/ClientSecretVerifier.java 
@@ -0,0 +1,37 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.rs.security.oauth2.provider; + +import org.apache.cxf.rs.security.oauth2.common.Client; + +/** + * ClientSecretVerifier is responsible for validating a client secret + */ +public interface ClientSecretVerifier { + + /** + * Validate a client secret + * + * @param client the {@link Client} the Client + * @param clientSecret the secret + * @return true if the secret is valid, false otherwise + */ + boolean validateClientSecret(Client client, String clientSecret); +} http://git-wip-us.apache.org/repos/asf/cxf/blob/3cf19d0f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java index 375fd40..c0a4207 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java 
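Review bot: The Javadoc on `validateClientSecret` says nothing about the contract an implementation must meet, even though this hook exists precisely so deployments can stop comparing plaintext secrets with `String.equals`. I would add to the method Javadoc: `* Implementations should compare in constant time (e.g. via {@link java.security.MessageDigest#isEqual}) and may compare the supplied value against a stored hash rather than a plaintext secret.` It should also state whether either argument may be {@code null}; in this commit `AbstractTokenService` appears to call it only after both values are checked non-null, but the interface should make that guarantee explicit rather than leave implementors to read the caller.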
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java @@ -18,6 +18,7 @@ */ package org.apache.cxf.rs.security.oauth2.services; +import java.lang.reflect.Method; import java.util.logging.Logger; import javax.ws.rs.core.Context; @@ -44,6 +45,7 @@ public abstract class AbstractOAuthService { private OAuthDataProvider dataProvider; private boolean blockUnsecureRequests; private boolean writeOptionalParameters = true; + private Method dataProviderContextMethod; public void setWriteOptionalParameters(boolean write) { writeOptionalParameters = write; @@ -56,6 +58,13 @@ public abstract class AbstractOAuthService { @Context public void setMessageContext(MessageContext context) { this.mc = context; + if (dataProviderContextMethod != null) { + try { + dataProviderContextMethod.invoke(dataProvider, new Object[]{mc}); + } catch (Throwable t) { + throw new RuntimeException(t); + } + } } public MessageContext getMessageContext() { @@ -64,6 +73,13 @@ public abstract class AbstractOAuthService { public void setDataProvider(OAuthDataProvider dataProvider) { this.dataProvider = dataProvider; + try { + dataProviderContextMethod = dataProvider.getClass().getMethod("setMessageContext", + new Class[]{MessageContext.class}); + } catch (Throwable t) { + // ignore + } + } public OAuthDataProvider getDataProvider() { http://git-wip-us.apache.org/repos/asf/cxf/blob/3cf19d0f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java index c70e6d6..f7feec8 100644 
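Review bot: In `setDataProvider`, the `catch (Throwable t) { // ignore }` around `getMethod` leaves a stale `dataProviderContextMethod` from a previously set provider in place when the new provider has no public `setMessageContext(MessageContext)`, so the later `invoke` in `setMessageContext` fails with an `IllegalArgumentException` wrapped in the new `RuntimeException`, and the broad catch also hides anything other than the expected `NoSuchMethodException`. Narrow it and reset the field: `} catch (NoSuchMethodException ex) { dataProviderContextMethod = null; }`. In `setMessageContext`, unwrapping before rethrowing, `throw new RuntimeException(t instanceof InvocationTargetException ? t.getCause() : t);`, keeps the provider's own exception visible instead of burying it one level down. Note also that the context is only forwarded when `setDataProvider` has already run before `setMessageContext`; if the injection order can differ, `setDataProvider` should forward `mc` itself when it is already non-null.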
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java @@ -39,6 +39,7 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.OAuthError; import org.apache.cxf.rs.security.oauth2.provider.ClientIdProvider; +import org.apache.cxf.rs.security.oauth2.provider.ClientSecretVerifier; import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils; import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; @@ -48,6 +49,7 @@ public class AbstractTokenService extends AbstractOAuthService { private boolean canSupportPublicClients; private boolean writeCustomErrors; private ClientIdProvider clientIdProvider; + private ClientSecretVerifier clientSecretVerifier; /** * Make sure the client is authenticated 
@@ -107,25 +109,34 @@ public class AbstractTokenService extends AbstractOAuthService { // Get the Client and check the id and secret protected Client getAndValidateClientFromIdAndSecret(String clientId, String clientSecret) { Client client = getClient(clientId); - if (canSupportPublicClients - && !client.isConfidential() - && client.getClientSecret() == null - && clientSecret == null) { + if (!client.getClientId().equals(clientId)) { + throw ExceptionUtils.toNotAuthorizedException(null, null); + } + if (isValidPublicClient(client, clientId, clientSecret)) { return client; } - if (clientSecret == null || client.getClientSecret() == null - || !client.getClientId().equals(clientId) - || !client.getClientSecret().equals(clientSecret)) { + if (!client.isConfidential() + || clientSecret == null || client.getClientSecret() == null + || !isClientSecretValid(client, clientSecret)) { throw ExceptionUtils.toNotAuthorizedException(null, null); } return client; } + protected boolean isClientSecretValid(Client client, String clientSecret) { + return clientSecretVerifier != null ? 
clientSecretVerifier.validateClientSecret(client, clientSecret) + : client.getClientSecret().equals(clientSecret); + } + protected boolean isValidPublicClient(Client client, String clientId, String clientSecret) { + return canSupportPublicClients + && !client.isConfidential() + && client.getClientSecret() == null + && clientSecret == null; + } protected Client getClientFromBasicAuthScheme() { - String[] parts = AuthorizationUtils.getAuthorizationParts(getMessageContext()); - if (OAuthConstants.BASIC_SCHEME.equalsIgnoreCase(parts[0])) { - String[] authInfo = AuthorizationUtils.getBasicAuthParts(parts[1]); - return getAndValidateClientFromIdAndSecret(authInfo[0], authInfo[1]); + String[] userInfo = AuthorizationUtils.getBasicAuthUserInfo(getMessageContext()); + if (userInfo != null && userInfo.length == 2) { + return getAndValidateClientFromIdAndSecret(userInfo[0], userInfo[1]); } else { return null; } http://git-wip-us.apache.org/repos/asf/cxf/blob/3cf19d0f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java index 21f758c..a22f171 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/AuthorizationUtils.java 
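Review bot: The default branch of `isClientSecretValid`, `client.getClientSecret().equals(clientSecret)`, compares the attacker-supplied secret with `String.equals`, which returns at the first mismatching character and therefore leaks how many leading characters matched through response timing on the token endpoint. Use a constant-time comparison instead: `MessageDigest.isEqual(client.getClientSecret().getBytes(StandardCharsets.UTF_8), clientSecret.getBytes(StandardCharsets.UTF_8))` (imports `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`), and the same applies to any `ClientSecretVerifier` plugged into the first branch. The two null checks in the caller stay as they are, so the callee can assume non-null inputs. `getClient(clientId)` is defined outside the hunk; if it can return null, the new `client.getClientId().equals(clientId)` check throws an NPE rather than the intended 401, which is worth confirming.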
@@ -38,11 +38,18 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils; public final class AuthorizationUtils { private AuthorizationUtils() { } - - public static String[] getBasicAuthParts(String data) { + public static String[] getBasicAuthUserInfo(MessageContext mc) { + String[] parts = AuthorizationUtils.getAuthorizationParts(mc); + if (parts.length == 2) { + return getBasicAuthParts(parts[1]); + } else { + return null; + } + } + public static String[] getBasicAuthParts(String basicAuthData) { String authDecoded = null; try { - authDecoded = new String(Base64Utility.decode(data)); + authDecoded = new String(Base64Utility.decode(basicAuthData)); } catch (Exception ex) { throw ExceptionUtils.toNotAuthorizedException(ex, null); } @@ -68,7 +75,8 @@ public final class AuthorizationUtils { List headers = mc.getHttpHeaders().getRequestHeader("Authorization"); if (headers.size() == 1) { String[] parts = headers.get(0).split(" "); - if (parts.length == 2) { + if (parts.length > 0 + && (challenges == null || challenges.isEmpty() || challenges.contains(parts[0]))) { return parts; } }
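Review bot: `getBasicAuthUserInfo` drops the explicit scheme check the removed caller in `AbstractTokenService.getClientFromBasicAuthScheme` used to make (`OAuthConstants.BASIC_SCHEME.equalsIgnoreCase(parts[0])`) and tests only `parts.length == 2`, so whether a `Bearer <token>` header gets base64-decoded as basic credentials now depends entirely on which challenges the one-argument `getAuthorizationParts(mc)` overload passes, and that overload is outside this hunk. I would make the check local: `if (parts.length == 2 && OAuthConstants.BASIC_SCHEME.equalsIgnoreCase(parts[0])) {` (same package, no import needed). In the second hunk, `challenges.contains(parts[0])` is case-sensitive whereas HTTP auth scheme names are case-insensitive (RFC 7235), so `basic ...` is now rejected where the old `equalsIgnoreCase` caller accepted it. Because `getAuthorizationParts` now also returns a one-element array for a bare scheme with no credentials, every other caller that indexes `parts[1]` needs a length check like the one added here.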