From serg...@apache.org
Subject cxf git commit: [CXF-6157] Support storing of OAuth2 redirection state in a session token
Date Tue, 16 Dec 2014 16:27:46 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 35c2f3f04 -> 27c2c25dc


[CXF-6157] Support storing of OAuth2 redirection state in a session token


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/27c2c25d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/27c2c25d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/27c2c25d

Branch: refs/heads/master
Commit: 27c2c25dc3c2c3019543e31afdca7b166911f278
Parents: 35c2f3f
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Dec 16 16:27:26 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Dec 16 16:27:26 2014 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/jose/jws/JwsUtils.java      |   4 +-
 .../oauth2/common/OAuthAuthorizationData.java   |  82 +--------
 .../oauth2/common/OAuthRedirectionState.java    | 115 +++++++++++++
 .../provider/JoseSessionTokenProvider.java      | 171 +++++++++++++++++++
 .../SessionAuthenticityTokenProvider.java       |  25 ++-
 .../services/AuthorizationCodeGrantService.java |  41 +++--
 .../oauth2/services/ImplicitGrantService.java   |  17 +-
 .../services/RedirectionBasedGrantService.java  | 159 ++++++++++-------
 .../rs/security/oauth2/utils/OAuthUtils.java    |  30 ++++
 .../utils/crypto/ModelEncryptionSupport.java    |   8 +-
 10 files changed, 475 insertions(+), 177 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 20058ad..53ac53e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -267,14 +267,14 @@ public final class JwsUtils {
             return JoseConstants.RS_SHA_256_ALGO;
         }
     }
-    private static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
+    public static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
         JwsCompactConsumer jws = new JwsCompactConsumer(content);
         if (!jws.verifySignatureWith(v)) {
             throw new SecurityException();
         }
         return jws;
     }
-    private static String sign(JwsSignatureProvider jwsSig, String content, String ct) {
+    public static String sign(JwsSignatureProvider jwsSig, String content, String ct) {
         JoseHeaders headers = new JoseHeaders();
         if (ct != null) {
             headers.setContentType(ct);
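Review bot: `verify` and `sign` become public API in this hunk but carry no Javadoc, and `verify` still reports a failed signature check with a bare `new SecurityException()` that tells the caller nothing. Add a Javadoc to each stating the contract, e.g. for `verify`: `/** Verifies the compact JWS sequence with the given verifier. @throws SecurityException if the signature does not verify */`, and consider `throw new SecurityException("JWS signature verification failed");` so callers such as the new JoseSessionTokenProvider get a meaningful failure. The body of `sign` continues outside the hunk.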

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 5c3201f..7f26bf4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -33,15 +33,10 @@ import javax.xml.bind.annotation.XmlRootElement;
  */
 @XmlRootElement(name = "authorizationData", 
                 namespace = "http://org.apache.cxf.rs.security.oauth")
-public class OAuthAuthorizationData implements Serializable {
+public class OAuthAuthorizationData extends OAuthRedirectionState implements Serializable {
     private static final long serialVersionUID = -7755998413495017637L;
     
-    private String clientId;
     private String endUserName;
-    private String redirectUri;
-    private String state;
-    private String proposedScope;
-    
     private String authenticityToken;
     private String replyTo;
     
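Review bot: `OAuthAuthorizationData` keeps `serialVersionUID = -7755998413495017637L` although its serialized form changes in this hunk: `clientId`, `redirectUri`, `state`, `proposedScope` and `audience` now live in the superclass `OAuthRedirectionState` and are written under that class's stream descriptor. Streams produced by the previous version still deserialize without error, but those five fields are silently ignored rather than restored, because Java serialization matches fields per class. If compatibility with previously serialized instances matters, either document the break or change the UID so the mismatch fails loudly; the removals in the later hunks of this file are part of the same concern.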
@@ -53,7 +48,6 @@ public class OAuthAuthorizationData implements Serializable {
     private Map<String, String> extraApplicationProperties = new HashMap<String, String>();
     
     private List<? extends Permission> permissions;
-    private String audience;
     
     public OAuthAuthorizationData() {
     }
@@ -127,54 +121,6 @@ public class OAuthAuthorizationData implements Serializable {
     }
 
     /**
-     * Sets the client id which needs to be retained in a hidden form field
-     * @param clientId the client id
-     */
-    public void setClientId(String clientId) {
-        this.clientId = clientId;
-    }
-
-    /**
-     * Gets the client id which needs to be retained in a hidden form field
-     * @return the client id
-     */
-    public String getClientId() {
-        return clientId;
-    }
-
-    /**
-     * Sets the redirect uri which needs to be retained in a hidden form field
-     * @param redirectUri the redirect uri
-     */
-    public void setRedirectUri(String redirectUri) {
-        this.redirectUri = redirectUri;
-    }
-
-    /**
-     * Gets the redirect uri which needs to be retained in a hidden form field
-     * @return the redirect uri
-     */
-    public String getRedirectUri() {
-        return redirectUri;
-    }
-
-    /**
-     * Sets the client state token which needs to be retained in a hidden form field
-     * @param state the state
-     */
-    public void setState(String state) {
-        this.state = state;
-    }
-
-    /**
-     * Gets the client state token which needs to be retained in a hidden form field
-     * @return
-     */
-    public String getState() {
-        return state;
-    }
-
-    /**
      * Sets the application web URI
      * @param applicationWebUri the application URI
      */
@@ -207,22 +153,6 @@ public class OAuthAuthorizationData implements Serializable {
     }
 
     /**
-     * Sets the requested scope which needs to be retained in a hidden form field
-     * @param proposedScope the scope
-     */
-    public void setProposedScope(String proposedScope) {
-        this.proposedScope = proposedScope;
-    }
-
-    /**
-     * Gets the requested scope which needs to be retained in a hidden form field
-     * @return the scope
-     */
-    public String getProposedScope() {
-        return proposedScope;
-    }
-
-    /**
      * Sets the absolute URI where the authorization decision data 
      * will need to be sent to
      * @param replyTo authorization decision handler URI
@@ -255,15 +185,6 @@ public class OAuthAuthorizationData implements Serializable {
     public void setEndUserName(String endUserName) {
         this.endUserName = endUserName;
     }
-
-    public String getAudience() {
-        return audience;
-    }
-
-    public void setAudience(String audience) {
-        this.audience = audience;
-    }
-
     public List<String> getApplicationCertificates() {
         return applicationCertificates;
     }
@@ -271,5 +192,4 @@ public class OAuthAuthorizationData implements Serializable {
     public void setApplicationCertificates(List<String> applicationCertificates) {
         this.applicationCertificates = applicationCertificates;
     }
-
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
new file mode 100644
index 0000000..a386a80
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
@@ -0,0 +1,115 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.common;
+
+import java.io.Serializable;
+
+public class OAuthRedirectionState implements Serializable {
+    
+    private static final long serialVersionUID = -661649302262699347L;
+    private String clientId;
+    private String redirectUri;
+    private String state;
+    private String proposedScope;
+    private String audience;
+    private String clientCodeVerifier;
+    
+    public OAuthRedirectionState() {
+    }
+
+    
+    /**
+     * Sets the client id which needs to be retained in a hidden form field
+     * @param clientId the client id
+     */
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    /**
+     * Gets the client id which needs to be retained in a hidden form field
+     * @return the client id
+     */
+    public String getClientId() {
+        return clientId;
+    }
+
+    /**
+     * Sets the redirect uri which needs to be retained in a hidden form field
+     * @param redirectUri the redirect uri
+     */
+    public void setRedirectUri(String redirectUri) {
+        this.redirectUri = redirectUri;
+    }
+
+    /**
+     * Gets the redirect uri which needs to be retained in a hidden form field
+     * @return the redirect uri
+     */
+    public String getRedirectUri() {
+        return redirectUri;
+    }
+
+    /**
+     * Sets the client state token which needs to be retained in a hidden form field
+     * @param state the state
+     */
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    /**
+     * Gets the client state token which needs to be retained in a hidden form field
+     * @return
+     */
+    public String getState() {
+        return state;
+    }
+    
+    /**
+     * Sets the requested scope which needs to be retained in a hidden form field
+     * @param proposedScope the scope
+     */
+    public void setProposedScope(String proposedScope) {
+        this.proposedScope = proposedScope;
+    }
+
+    /**
+     * Gets the requested scope which needs to be retained in a hidden form field
+     * @return the scope
+     */
+    public String getProposedScope() {
+        return proposedScope;
+    }
+
+    public String getAudience() {
+        return audience;
+    }
+
+    public void setAudience(String audience) {
+        this.audience = audience;
+    }
+
+    public String getClientCodeVerifier() {
+        return clientCodeVerifier;
+    }
+    public void setClientCodeVerifier(String clientCodeVerifier) {
+        this.clientCodeVerifier = clientCodeVerifier;
+    }
+}
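Review bot: The new class has no class-level Javadoc, the `@return` tag of `getState()` is empty, and `getAudience`, `setAudience`, `getClientCodeVerifier` and `setClientCodeVerifier` are undocumented. Add a class comment such as `/** Redirection request state (client id, redirect URI, client state, proposed scope, audience and code verifier) that must be retained across the authorization flow, in hidden form fields or in a session token. */`, complete the tag with `@return the client state token`, and give the audience and code-verifier accessors a sentence each. A blank line between `getClientCodeVerifier` and `setClientCodeVerifier` would match the spacing used elsewhere in the file.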

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
new file mode 100644
index 0000000..2e8f3bf
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
@@ -0,0 +1,171 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.ModelEncryptionSupport;
+
+public class JoseSessionTokenProvider implements SessionAuthenticityTokenProvider {
+    private JwsSignatureProvider jwsProvider;
+    private JwsSignatureVerifier jwsVerifier;
+    private JweEncryptionProvider jweEncryptor;
+    private JweDecryptionProvider jweDecryptor;
+    private boolean jwsRequired;
+    private int maxDefaultSessionInterval;
+    @Override
+    public String createSessionToken(MessageContext mc, MultivaluedMap<String, String> params,
+                                     UserSubject subject, OAuthRedirectionState secData) {
+        String stateString = convertStateToString(secData);
+        String sessionToken = encryptStateString(stateString);
+        return OAuthUtils.setDefaultSessionToken(mc, sessionToken, maxDefaultSessionInterval);
+    }
+
+    @Override
+    public String getSessionToken(MessageContext mc, MultivaluedMap<String, String> params,
+                                  UserSubject subject) {
+        return OAuthUtils.getDefaultSessionToken(mc);
+    }
+
+    @Override
+    public String removeSessionToken(MessageContext mc, MultivaluedMap<String, String> params,
+                                     UserSubject subject) {
+        return getSessionToken(mc, params, subject);
+    }
+
+    @Override
+    public OAuthRedirectionState getSessionState(MessageContext messageContext, String sessionToken,
+                                                 UserSubject subject) {
+        
+        String stateString = decryptStateString(sessionToken);
+        return convertStateStringToState(stateString);
+        
+    }
+
+    public void setJwsProvider(JwsSignatureProvider jwsProvider) {
+        this.jwsProvider = jwsProvider;
+    }
+
+    public void setJwsVerifier(JwsSignatureVerifier jwsVerifier) {
+        this.jwsVerifier = jwsVerifier;
+    }
+
+    public void setJweEncryptor(JweEncryptionProvider jweEncryptor) {
+        this.jweEncryptor = jweEncryptor;
+    }
+
+    public void setJweDecryptor(JweDecryptionProvider jweDecryptor) {
+        this.jweDecryptor = jweDecryptor;
+    }
+
+    protected JwsSignatureProvider getInitializedSigProvider() {
+        if (jwsProvider != null) {
+            return jwsProvider;    
+        } 
+        return JwsUtils.loadSignatureProvider(jwsRequired);
+    }
+    protected JweEncryptionProvider getInitializedEncryptionProvider() {
+        if (jweEncryptor != null) {
+            return jweEncryptor;    
+        }
+        return JweUtils.loadEncryptionProvider(true);
+    }
+
+    public void setJwsRequired(boolean jwsRequired) {
+        this.jwsRequired = jwsRequired;
+    }
+
+    protected JweDecryptionProvider getInitializedDecryptionProvider() {
+        if (jweDecryptor != null) {
+            return jweDecryptor;    
+        } 
+        return JweUtils.loadDecryptionProvider(true);
+    }
+    protected JwsSignatureVerifier getInitializedSigVerifier() {
+        if (jwsVerifier != null) {
+            return jwsVerifier;    
+        } 
+        return JwsUtils.loadSignatureVerifier(jwsRequired);
+    }
+
+    private String decryptStateString(String sessionToken) {
+        JweDecryptionProvider jwe = getInitializedDecryptionProvider();
+        String stateString = jwe.decrypt(sessionToken).getContentText();
+        JwsSignatureVerifier jws = getInitializedSigVerifier();
+        if (jws != null) {
+            stateString = JwsUtils.verify(jws, stateString).getUnsignedEncodedSequence();
+        }
+        return stateString;
+    }
+
+    private String encryptStateString(String stateString) {
+        JwsSignatureProvider jws = getInitializedSigProvider();
+        if (jws != null) {
+            stateString = JwsUtils.sign(jws, stateString, null);
+        } 
+        
+        JweEncryptionProvider jwe = getInitializedEncryptionProvider();
+        return jwe.encrypt(StringUtils.toBytesUTF8(stateString), null);
+    }
+    
+    private OAuthRedirectionState convertStateStringToState(String stateString) {
+        String[] parts = ModelEncryptionSupport.getParts(stateString);
+        OAuthRedirectionState state = new OAuthRedirectionState();
+        state.setClientId(parts[0]);
+        state.setAudience(parts[1]);
+        state.setClientCodeVerifier(parts[2]);
+        state.setState(parts[3]);
+        state.setProposedScope(parts[4]);
+        return state;
+    }
+    protected String convertStateToString(OAuthRedirectionState secData) {
+        StringBuilder state = new StringBuilder();
+        // 0: client id
+        state.append(ModelEncryptionSupport.tokenizeString(secData.getClientId()));
+        state.append(ModelEncryptionSupport.SEP);
+        // 1: client audience
+        state.append(ModelEncryptionSupport.tokenizeString(secData.getAudience()));
+        state.append(ModelEncryptionSupport.SEP);
+        // 2: client code verifier
+        state.append(ModelEncryptionSupport.tokenizeString(secData.getClientCodeVerifier()));
+        state.append(ModelEncryptionSupport.SEP);
+        // 3: state
+        state.append(ModelEncryptionSupport.tokenizeString(secData.getState()));
+        state.append(ModelEncryptionSupport.SEP);
+        // 4: scope
+        state.append(ModelEncryptionSupport.tokenizeString(secData.getProposedScope()));
+        
+        return null;
+    }
+
+    public void setMaxDefaultSessionInterval(int maxDefaultSessionInterval) {
+        this.maxDefaultSessionInterval = maxDefaultSessionInterval;
+    }
+}
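Review bot: `convertStateToString` builds the delimited state in the `state` buffer and then discards it with `return null;` on its last line, so `createSessionToken` never encrypts the actual state; it should end with `return state.toString();`. In `decryptStateString`, `getUnsignedEncodedSequence()` on the verified consumer looks like it yields the base64url header.payload pair rather than the original state text, which `ModelEncryptionSupport.getParts` would not split as expected; the decoded payload (`getDecodedJwsPayload()` on JwsCompactConsumer, if I recall the API correctly) is probably what is meant — confirm. The redirect URI is neither written by `convertStateToString` nor restored by `convertStateStringToState`, so `state.getRedirectUri()` in `AuthorizationCodeGrantService.createGrant` is null after a session round-trip unless `recreateRedirectionStateFromSession` (not in this diff) refills it. `removeSessionToken` only returns the current token and does not appear to clear it, which leaves the state replayable for as long as the cookie lives.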

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
index 741acb0..02cee8b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
@@ -22,6 +22,7 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 
 /**
@@ -31,21 +32,23 @@ import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 public interface SessionAuthenticityTokenProvider {
 
     /**
-     * Creates a new session token and stores it
+     * Create a new session token and stores it
      * 
      * @param mc the {@link MessageContext} of this request
      * @param params redirection-based grant request parameters
      * @param subject authenticated end user
+     * @param secData 
      * @return the created session token
      */
     String createSessionToken(MessageContext mc,
                               MultivaluedMap<String, String> params,
-                              UserSubject subject);
+                              UserSubject subject, 
+                              OAuthRedirectionState secData);
 
     /**
-     * Retrieves the stored session token
+     * Retrieve the stored session token
      * 
-     * @param mc the {@link MessageContext} of this request
+     * @param mc the {@link MessageContext} of this request   
      * @param params grant authorization parameters
      * @param subject authenticated end user
      * @return the stored token
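Review bot: The `@param secData` tag added to `createSessionToken` has no description, so implementors cannot tell whether the state must be stored with the token or may be ignored. Complete it, e.g. `@param secData the redirection state to be retained with the session token`. The rewritten first sentence `Create a new session token and stores it` no longer agrees in number; `Creates a new session token and stores it` is the consistent form, and the same applies to the `Retrieve`/`Remove` edits in the following hunks.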
@@ -55,7 +58,7 @@ public interface SessionAuthenticityTokenProvider {
                            UserSubject subject);
 
     /**
-     * Removes the stored session token
+     * Remove the stored session token
      * 
      * @param mc the {@link MessageContext} of this request
      * @param params grant authorization parameters
@@ -65,4 +68,16 @@ public interface SessionAuthenticityTokenProvider {
                               MultivaluedMap<String, String> params,
                               UserSubject subject);
 
+    /**
+     * Expand the session token
+     * 
+     * @param mc the {@link MessageContext} of this request
+     * @param sessionToken the token
+     * @param subject authenticated end user
+     * @return the expanded token or null
+     */
+    OAuthRedirectionState getSessionState(MessageContext messageContext,
+                                          String sessionToken,
+                                          UserSubject subject);
+
 }
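Review bot: The Javadoc for `getSessionState` documents `@param mc`, but the parameter is declared `messageContext`, so the tag matches nothing and javadoc tooling will flag it. Rename the parameter to match the other methods of the interface, `OAuthRedirectionState getSessionState(MessageContext mc,`, or correct the tag. The `@return the expanded token or null` wording would be clearer as `the redirection state restored from the token, or null if it cannot be expanded`.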

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 19d3710..6a149e5 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -28,6 +28,9 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.OOBAuthorizationResponse;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
@@ -58,6 +61,25 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
     public AuthorizationCodeGrantService() {
         super(OAuthConstants.CODE_RESPONSE_TYPE, OAuthConstants.AUTHORIZATION_CODE_GRANT);
     }
+    protected OAuthAuthorizationData createAuthorizationData(Client client, 
+                                                             MultivaluedMap<String, String> params,
+                                                             UserSubject subject,
+                                                             List<OAuthPermission> perms,
+                                                             boolean preAuthorizedTokenAvailable) {
+        OAuthAuthorizationData data = 
+            super.createAuthorizationData(client, params, subject, perms, preAuthorizedTokenAvailable);
+        setCodeQualifier(data, params);
+        return data;
+    }
+    protected OAuthRedirectionState recreateRedirectionStateFromSession(
+        UserSubject subject, MultivaluedMap<String, String> params, String sessionToken) {
+        OAuthRedirectionState state = super.recreateRedirectionStateFromSession(subject, params, sessionToken);
+        setCodeQualifier(state, params);
+        return state;
+    }
+    private static void setCodeQualifier(OAuthRedirectionState data, MultivaluedMap<String, String> params) {
+        data.setClientCodeVerifier(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
+    }
     protected Response startAuthorization(MultivaluedMap<String, String> params, 
                                           UserSubject userSubject,
                                           Client client) {
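Review bot: `recreateRedirectionStateFromSession` restores the state from the session token and then `setCodeQualifier` immediately overwrites `clientCodeVerifier` with the current request's `AUTHORIZATION_CODE_VERIFIER` parameter, so the value the token carried is never used, and if the decision request does not carry that parameter the restored verifier is replaced with null. If the session value is meant to be authoritative, keep it when present, e.g. `if (state.getClientCodeVerifier() == null) { setCodeQualifier(state, params); }`; I cannot see from here whether `params` at this point is the original authorization request or the decision request, so confirm which one should win. Both new methods override superclass methods and should carry `@Override`.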
@@ -66,9 +88,8 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         }
         return super.startAuthorization(params, userSubject, client);
     }
-    protected Response createGrant(MultivaluedMap<String, String> params,
+    protected Response createGrant(OAuthRedirectionState state,
                                    Client client,
-                                   String redirectUri,
                                    List<String> requestedScope,
                                    List<String> approvedScope,
                                    UserSubject userSubject,
@@ -78,21 +99,21 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         AuthorizationCodeRegistration codeReg = new AuthorizationCodeRegistration(); 
         
         codeReg.setClient(client);
-        codeReg.setRedirectUri(redirectUri);
+        codeReg.setRedirectUri(state.getRedirectUri());
         codeReg.setRequestedScope(requestedScope);
         codeReg.setApprovedScope(approvedScope);
         codeReg.setSubject(userSubject);
-        codeReg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
-        codeReg.setClientCodeVerifier(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
+        codeReg.setAudience(state.getAudience());
+        codeReg.setClientCodeVerifier(state.getClientCodeVerifier());
         
         ServerAuthorizationCodeGrant grant = null;
         try {
             grant = ((AuthorizationCodeDataProvider)getDataProvider()).createCodeGrant(codeReg);
         } catch (OAuthServiceException ex) {
-            return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
+            return createErrorResponse(state.getState(), state.getRedirectUri(), OAuthConstants.ACCESS_DENIED);
         }
         String grantCode = processCodeGrant(client, grant.getCode(), grant.getSubject());
-        if (redirectUri == null) {
+        if (state.getRedirectUri() == null) {
             OOBAuthorizationResponse oobResponse = new OOBAuthorizationResponse();
             oobResponse.setClientId(client.getClientId());
             oobResponse.setAuthorizationCode(grant.getCode());
@@ -101,7 +122,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
             return deliverOOBResponse(oobResponse);
         } else {
             // return the code by appending it as a query parameter to the redirect URI
-            UriBuilder ub = getRedirectUriBuilder(params.getFirst(OAuthConstants.STATE), redirectUri);
+            UriBuilder ub = getRedirectUriBuilder(state.getState(), state.getRedirectUri());
             ub.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, grantCode);
             return Response.seeOther(ub.build()).build();
         }
@@ -120,13 +141,13 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         }
     }
     
-    protected Response createErrorResponse(MultivaluedMap<String, String> params,
+    protected Response createErrorResponse(String state,
                                            String redirectUri,
                                            String error) {
         if (redirectUri == null) {
             return Response.status(401).entity(error).build();
         } else {
-            UriBuilder ub = getRedirectUriBuilder(params.getFirst(OAuthConstants.STATE), redirectUri);
+            UriBuilder ub = getRedirectUriBuilder(state, redirectUri);
             ub.queryParam(OAuthConstants.ERROR_KEY, error);
             return Response.seeOther(ub.build()).build();
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
index aa1e44b..b0aa290 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
@@ -25,7 +25,6 @@ import java.util.List;
 import java.util.Map;
 
 import javax.ws.rs.Path;
-import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 
 import org.apache.cxf.common.util.StringUtils;
@@ -33,6 +32,7 @@ import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
@@ -59,9 +59,8 @@ public class ImplicitGrantService extends RedirectionBasedGrantService {
         super(OAuthConstants.TOKEN_RESPONSE_TYPE, OAuthConstants.IMPLICIT_GRANT);
     }
     
-    protected Response createGrant(MultivaluedMap<String, String> params,
+    protected Response createGrant(OAuthRedirectionState state,
                                    Client client,
-                                   String redirectUri,
                                    List<String> requestedScope,
                                    List<String> approvedScope,
                                    UserSubject userSubject,
@@ -74,7 +73,7 @@ public class ImplicitGrantService extends RedirectionBasedGrantService {
             reg.setSubject(userSubject);
             reg.setRequestedScope(requestedScope);        
             reg.setApprovedScope(approvedScope);
-            reg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+            reg.setAudience(state.getAudience());
             token = getDataProvider().createAccessToken(reg);
         } else {
             token = preAuthorizedToken;
@@ -84,13 +83,12 @@ public class ImplicitGrantService extends RedirectionBasedGrantService {
    
         // return the token by appending it as a fragment parameter to the redirect URI
         
-        StringBuilder sb = getUriWithFragment(redirectUri);
+        StringBuilder sb = getUriWithFragment(state.getRedirectUri());
         
         sb.append(OAuthConstants.ACCESS_TOKEN).append("=").append(clientToken.getTokenKey());
-        String state = params.getFirst(OAuthConstants.STATE);
-        if (state != null) {
+        if (state.getState() != null) {
             sb.append("&");
-            sb.append(OAuthConstants.STATE).append("=").append(state);   
+            sb.append(OAuthConstants.STATE).append("=").append(state.getState());   
         }
         sb.append("&")
             .append(OAuthConstants.ACCESS_TOKEN_TYPE).append("=").append(clientToken.getTokenType());
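Review bot: With the parameter now an OAuthRedirectionState, `state.getState()` in the fragment-building lines reads ambiguously next to `createErrorResponse(String state, ...)` in the same file, which keeps `state` as the raw OAuth value; naming the object `redirectionState` would make the two usages distinguishable. The value is also appended to the fragment as-is, `sb.append(OAuthConstants.STATE).append("=").append(state.getState())`; this predates the commit, but since the line is being rewritten it is worth confirming that the state value is percent-encoded before being placed in the fragment, as a client-supplied `&` or `#` would otherwise break parameter parsing on the receiving side. createGrant's body continues outside the hunk.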
@@ -117,12 +115,11 @@ public class ImplicitGrantService extends RedirectionBasedGrantService {
             filter.process(clientToken, serverToken); 
         }
     }
-    protected Response createErrorResponse(MultivaluedMap<String, String> params,
+    protected Response createErrorResponse(String state,
                                            String redirectUri,
                                            String error) {
         StringBuilder sb = getUriWithFragment(redirectUri);
         sb.append(OAuthConstants.ERROR_KEY).append("=").append(error);
-        String state = params.getFirst(OAuthConstants.STATE);
         if (state != null) {
             sb.append("&");
             sb.append(OAuthConstants.STATE).append("=").append(state);   

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 9450a8a..e680bc3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -24,7 +24,6 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
-import javax.servlet.http.HttpSession;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -37,7 +36,9 @@ import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
@@ -60,6 +61,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
     private SubjectCreator subjectCreator;
     private ResourceOwnerNameProvider resourceOwnerNameProvider;
+    private int maxDefaultSessionInterval;
     
     protected RedirectionBasedGrantService(String supportedResponseType,
                                            String supportedGrantType) {
@@ -133,30 +135,15 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             return createErrorResponse(params, redirectUri, OAuthConstants.UNSUPPORTED_RESPONSE_TYPE);
         }
         // Get the requested scopes
+        String providedScope = params.getFirst(OAuthConstants.SCOPE);
         List<String> requestedScope = null;
-        
         try {
             requestedScope = OAuthUtils.getRequestedScopes(client, 
-                                                           params.getFirst(OAuthConstants.SCOPE), 
+                                                           providedScope, 
                                                            partialMatchScopeValidation);
         } catch (OAuthServiceException ex) {
             return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
         }
-        
-        
-        // Request a new grant only if no pre-authorized token is available
-        ServerAccessToken preauthorizedToken = getDataProvider().getPreauthorizedToken(
-            client, requestedScope, userSubject, supportedGrantType);
-        if (preauthorizedToken != null) {
-            return createGrant(params,
-                               client, 
-                               redirectUri,
-                               requestedScope,
-                               Collections.<String>emptyList(),
-                               userSubject,
-                               preauthorizedToken);
-        }
-        
         // Convert the requested scopes to OAuthPermission instances
         List<OAuthPermission> permissions = null;
         try {
@@ -164,11 +151,30 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         } catch (OAuthServiceException ex) {
             return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
         }
+        // Validate the audience
+        if (!OAuthUtils.validateAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE), 
+                                         client.getRegisteredAudiences())) {
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+        }
     
-        // Return the authorization challenge data to the end user 
+        // Request a new grant only if no pre-authorized token is available
+        ServerAccessToken preAuthorizedToken = getDataProvider().getPreauthorizedToken(
+            client, requestedScope, userSubject, supportedGrantType);
+        final boolean preAuthorizedTokenAvailable = preAuthorizedToken != null;
+        
+        // Populate the authorization challenge data 
         OAuthAuthorizationData data = 
-            createAuthorizationData(client, params, userSubject, redirectUri, permissions);
-        personalizeData(data, userSubject);
+            createAuthorizationData(client, params, userSubject, permissions, preAuthorizedTokenAvailable);
+        
+        if (preAuthorizedTokenAvailable) {
+            return createGrant(data,
+                               client, 
+                               requestedScope,
+                               Collections.<String>emptyList(),
+                               userSubject,
+                               preAuthorizedToken);
+        }
+        
         return Response.ok(data).build();
         
     }
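Review bot: On the pre-authorized path `createGrant(data, ...)` leaves the implementation to build the redirect from `data.getRedirectUri()`, which createAuthorizationData fills from the raw `redirect_uri` parameter, while the `redirectUri` local this method computed earlier (outside the hunk, presumably via validateRedirectUri) is no longer passed; the same drop happens in the completeAuthorization hunks, where `validateRedirectUri(client, state.getRedirectUri())` is computed and the later `createGrant(state, ...)` ignores it. If validateRedirectUri can return something other than its input (for example the client's registered URI when the request omits one), that result is lost; writing the validated value back, `data.setRedirectUri(redirectUri);` here and `state.setRedirectUri(redirectUri);` after the validation in completeAuthorization, would restore it. Separately, the audience check throws `OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST))` where the neighbouring scope checks return `createErrorResponse(...)` via the redirect; if not redirecting on an audience mismatch is deliberate, a one-line comment saying so would keep it from being "made consistent" later.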
@@ -179,35 +185,53 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     protected OAuthAuthorizationData createAuthorizationData(Client client, 
                                                              MultivaluedMap<String, String> params,
                                                              UserSubject subject,
-                                                             String redirectUri, 
-                                                             List<OAuthPermission> perms) {
+                                                             List<OAuthPermission> perms,
+                                                             boolean preAuthorizedTokenAvailable) {
         
         OAuthAuthorizationData secData = new OAuthAuthorizationData();
         
-        addAuthenticityTokenToSession(secData, params, subject);
-                
-        secData.setPermissions(perms);
-        secData.setProposedScope(OAuthUtils.convertPermissionsToScope(perms));
-        secData.setClientId(client.getClientId());
-        if (redirectUri != null) {
-            secData.setRedirectUri(redirectUri);
-        }
         secData.setState(params.getFirst(OAuthConstants.STATE));
-        
-        secData.setApplicationName(client.getApplicationName()); 
-        secData.setApplicationWebUri(client.getApplicationWebUri());
-        secData.setApplicationDescription(client.getApplicationDescription());
-        secData.setApplicationLogoUri(client.getApplicationLogoUri());
+        secData.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
         secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
-        secData.setApplicationCertificates(client.getApplicationCertificates());
-        Map<String, String> extraProperties = client.getProperties();
-        secData.setExtraApplicationProperties(extraProperties);
-        String replyTo = getMessageContext().getUriInfo()
-            .getAbsolutePathBuilder().path("decision").build().toString();
-        secData.setReplyTo(replyTo);
+        secData.setClientId(client.getClientId());
+        secData.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
+        if (!preAuthorizedTokenAvailable) {
+            secData.setPermissions(perms);
+            secData.setApplicationName(client.getApplicationName()); 
+            secData.setApplicationWebUri(client.getApplicationWebUri());
+            secData.setApplicationDescription(client.getApplicationDescription());
+            secData.setApplicationLogoUri(client.getApplicationLogoUri());
+            secData.setApplicationCertificates(client.getApplicationCertificates());
+            Map<String, String> extraProperties = client.getProperties();
+            secData.setExtraApplicationProperties(extraProperties);
+            String replyTo = getMessageContext().getUriInfo()
+                .getAbsolutePathBuilder().path("decision").build().toString();
+            secData.setReplyTo(replyTo);
+            personalizeData(secData, subject);
+            
+            addAuthenticityTokenToSession(secData, params, subject);
+        }
         
         return secData;
     }
+    protected OAuthRedirectionState recreateRedirectionStateFromSession(
+        UserSubject subject, MultivaluedMap<String, String> params, String sessionToken) {
+        OAuthRedirectionState state = null; 
+        if (sessionAuthenticityTokenProvider != null) {
+            state = sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(), 
+                                                                     sessionToken,
+                                                                     subject);
+        }
+        if (state == null) {
+            state = new OAuthRedirectionState();
+            state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
+            state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
+            state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+            state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
+            state.setState(params.getFirst(OAuthConstants.STATE));
+        }
+        return state;
+    }
     
     protected void personalizeData(OAuthAuthorizationData data, UserSubject userSubject) {
         if (resourceOwnerNameProvider != null) {
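Review bot: `secData.setProposedScope(params.getFirst(OAuthConstants.SCOPE))` replaces the previous `OAuthUtils.convertPermissionsToScope(perms)`, so the consent page and, via the session state, completeAuthorization's `OAuthUtils.parseScope(state.getProposedScope())` now see the raw request parameter rather than the scope resolved against the client; if getRequestedScopes supplies client defaults when the parameter is absent, those defaults are no longer carried forward and parseScope may receive null. Keeping `secData.setProposedScope(OAuthUtils.convertPermissionsToScope(perms));` preserves the earlier semantics. recreateRedirectionStateFromSession also deserves a Javadoc sentence stating that when no SessionAuthenticityTokenProvider is configured, or it returns null, clientId, redirectUri, audience, scope and state are rebuilt from the decision request's own parameters, and are therefore only as trustworthy as the authenticity-token check the caller performs first.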
@@ -232,11 +256,11 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         if (!compareRequestAndSessionTokens(sessionToken, params, userSubject)) {
             throw ExceptionUtils.toBadRequestException(null, null);     
         }
-        //TODO: additionally we can check that the Principal that got authenticated
-        // in startAuthorization is the same that got authenticated in completeAuthorization
         
-        Client client = getClient(params);
-        String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));
+        OAuthRedirectionState state = 
+            recreateRedirectionStateFromSession(userSubject, params, sessionToken);
+        Client client = getClient(state.getClientId());
+        String redirectUri = validateRedirectUri(client, state.getRedirectUri());
         
         // Get the end user decision value
         String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
@@ -248,7 +272,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         }
         
         // Check if the end user may have had a chance to down-scope the requested scopes
-        List<String> requestedScope = OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE));
+        List<String> requestedScope = OAuthUtils.parseScope(state.getProposedScope());
         List<String> approvedScope = new LinkedList<String>(); 
         for (String rScope : requestedScope) {
             String param = params.getFirst(rScope + "_status");
@@ -263,9 +287,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         }
         
         // Request a new grant
-        return createGrant(params,
+        return createGrant(state,
                            client, 
-                           redirectUri,
                            requestedScope,
                            approvedScope,
                            userSubject,
@@ -298,13 +321,17 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         }
     }
     
-    protected abstract Response createErrorResponse(MultivaluedMap<String, String> params,
+    protected Response createErrorResponse(MultivaluedMap<String, String> params,
+                                           String redirectUri,
+                                           String error) {
+        return createErrorResponse(params.getFirst(OAuthConstants.STATE), redirectUri, error);
+    }
+    protected abstract Response createErrorResponse(String state,
                                                     String redirectUri,
                                                     String error);
     
-    protected abstract Response createGrant(MultivaluedMap<String, String> params,
+    protected abstract Response createGrant(OAuthRedirectionState state,
                                             Client client,
-                                            String redirectUri,
                                             List<String> requestedScope,
                                             List<String> approvedScope,
                                             UserSubject userSubject,
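Review bot: The new abstract `createGrant(OAuthRedirectionState state, ...)` drops the `redirectUri` parameter without any Javadoc telling implementors what to use instead; ImplicitGrantService now reads `state.getRedirectUri()`. A `@param state` entry stating that the redirect URI, audience and OAuth `state` value are taken from this object, and that the caller is responsible for the redirect URI having passed validateRedirectUri, would make the contract explicit. The concrete `createErrorResponse(MultivaluedMap<String, String> params, ...)` overload could likewise carry a one-line comment that it only extracts the `state` parameter and delegates to the abstract variant.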
@@ -341,13 +368,12 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
                                                UserSubject subject) {
         final String sessionToken;
         if (this.sessionAuthenticityTokenProvider != null) {
-            sessionToken = this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext(),
-                                                                                    params,
-                                                                                    subject);
+            sessionToken = sessionAuthenticityTokenProvider.createSessionToken(getMessageContext(),
+                                                                               params,
+                                                                               subject,
+                                                                               secData);
         } else {
-            HttpSession session = getMessageContext().getHttpServletRequest().getSession();
-            sessionToken = OAuthUtils.generateRandomTokenKey();
-            session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
+            sessionToken = OAuthUtils.setDefaultSessionToken(getMessageContext(), maxDefaultSessionInterval);
         }
         secData.setAuthenticityToken(sessionToken);
     }
@@ -361,11 +387,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
                                                                                params,
                                                                                subject);
         } else {
-            HttpSession session = getMessageContext().getHttpServletRequest().getSession();
-            sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
-            if (sessionToken != null) {
-                session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);    
-            }
+            sessionToken = OAuthUtils.getDefaultSessionToken(getMessageContext());
         }
         if (StringUtils.isEmpty(sessionToken)) {
             return false;
@@ -382,11 +404,11 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
      *         the error is returned directly to the end user without 
      *         following the redirect URI if any
      */
-    protected Client getClient(MultivaluedMap<String, String> params) {
+    protected Client getClient(String clientId) {
         Client client = null;
         
         try {
-            client = getValidClient(params);
+            client = getValidClient(clientId);
         } catch (OAuthServiceException ex) {
             if (ex.getError() != null) {
                 reportInvalidRequestError(ex.getError(), null);
@@ -399,6 +421,9 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         return client;
         
     }
+    protected Client getClient(MultivaluedMap<String, String> params) {
+        return this.getClient(params.getFirst(OAuthConstants.CLIENT_ID));
+    }
 
     public void setResourceOwnerNameProvider(ResourceOwnerNameProvider resourceOwnerNameProvider) {
         this.resourceOwnerNameProvider = resourceOwnerNameProvider;
@@ -419,4 +444,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     protected abstract boolean canSupportPublicClient(Client c);
     
     protected abstract boolean canRedirectUriBeEmpty(Client c);
+
+    public void setMaxDefaultSessionInterval(int maxDefaultSessionInterval) {
+        this.maxDefaultSessionInterval = maxDefaultSessionInterval;
+    }
 }
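Review bot: `setMaxDefaultSessionInterval` and the `maxDefaultSessionInterval` field it sets have no Javadoc; the value is handed to `OAuthUtils.setDefaultSessionToken`, where it is meant to reach `HttpSession.setMaxInactiveInterval` only when positive. Suggest `/** Maximum inactive interval, in seconds, intended for the HttpSession that holds the default authenticity token; zero or negative leaves the container default. Only relevant when no SessionAuthenticityTokenProvider is configured. */` on the setter, so operators know the unit and the meaning of the default.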

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 1d4088f..c28da43 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -25,10 +25,12 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
 
+import javax.servlet.http.HttpSession;
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.model.URITemplate;
 import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -48,6 +50,32 @@ public final class OAuthUtils {
     private OAuthUtils() {
     }
     
+    public static String setDefaultSessionToken(MessageContext mc) {
+        return setDefaultSessionToken(mc, 0);
+    }
+    public static String setDefaultSessionToken(MessageContext mc, int maxInactiveInterval) {
+        return setDefaultSessionToken(mc, generateRandomTokenKey());
+    }
+    public static String setDefaultSessionToken(MessageContext mc, String sessionToken) {
+        return setDefaultSessionToken(mc, sessionToken, 0);
+    }
+    public static String setDefaultSessionToken(MessageContext mc, String sessionToken, int maxInactiveInterval) {
+        HttpSession session = mc.getHttpServletRequest().getSession();
+        if (maxInactiveInterval > 0) {
+            session.setMaxInactiveInterval(maxInactiveInterval);
+        }
+        session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
+        return sessionToken;
+    }
+    public static String getDefaultSessionToken(MessageContext mc) {
+        HttpSession session = mc.getHttpServletRequest().getSession();
+        String sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+        if (sessionToken != null) {
+            session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);    
+        }
+        return sessionToken;
+    }
+    
     public static UserSubject createSubject(SecurityContext securityContext) {
         List<String> roleNames = Collections.emptyList();
         if (securityContext instanceof LoginSecurityContext) {
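Review bot: `setDefaultSessionToken(MessageContext mc, int maxInactiveInterval)` ignores its interval argument: it delegates to the `(mc, String)` overload, which in turn passes 0, so `session.setMaxInactiveInterval` is never reached and the `maxDefaultSessionInterval` configured on RedirectionBasedGrantService has no effect; it should read `return setDefaultSessionToken(mc, generateRandomTokenKey(), maxInactiveInterval);`. Also, getDefaultSessionToken calls `getSession()` on the verification path, which creates a fresh HttpSession for a request that has none and then finds no token; `HttpSession session = mc.getHttpServletRequest().getSession(false); if (session == null) { return null; }` avoids allocating server-side sessions for requests that never started an authorization.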
@@ -197,4 +225,6 @@ public final class OAuthUtils {
         }
         return clientToken;
     }
+
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/27c2c25d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
index e0a5730..02afb04 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
@@ -44,7 +44,7 @@ import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
  * Default Model Encryption helpers
  */
 public final class ModelEncryptionSupport {
-    private static final String SEP = "|";
+    public static final String SEP = "|";
     private ModelEncryptionSupport() {
     }
     
@@ -431,7 +431,7 @@ public final class ModelEncryptionSupport {
         return state.toString();
     }
     
-    private static String getStringPart(String str) {
+    public static String getStringPart(String str) {
         return " ".equals(str) ? null : str;
     }
     
@@ -458,7 +458,7 @@ public final class ModelEncryptionSupport {
         return props;
     }
     
-    private static String[] getParts(String sequence) {
+    public static String[] getParts(String sequence) {
         return sequence.split("\\" + SEP);
     }
     
@@ -493,7 +493,7 @@ public final class ModelEncryptionSupport {
         }
     }
     
-    private static String tokenizeString(String str) {
+    public static String tokenizeString(String str) {
         return str != null ? str : " ";
     }
 }
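Review bot: `tokenizeString`, together with `getStringPart` and `getParts` in the two preceding hunks, is promoted from a private helper to public API without Javadoc, and its quirks now matter to external callers: `tokenizeString`/`getStringPart` encode null as a single space and decode a single space back to null, so a genuine one-space value does not survive the round trip, and `sequence.split("\\" + SEP)` in getParts drops trailing empty segments. A short Javadoc on each stating these rules (and noting that `SEP`, now public as well, is the `|` separator) would stop callers from assuming the opposite.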

