cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: making it simpler to use refresh tokens as oAuth2 client ids and avoiding using UUID to generate tokens
Date Mon, 15 Dec 2014 15:03:54 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 5452608c3 -> 7cc912790


making it simpler to use refresh tokens as oAuth2 client ids and avoiding using UUID to generate
tokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7cc91279
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7cc91279
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7cc91279

Branch: refs/heads/3.0.x-fixes
Commit: 7cc912790b4e871012efc2539b6e80cb7289194d
Parents: 5452608
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Mon Dec 15 15:02:15 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Mon Dec 15 15:03:37 2014 +0000

----------------------------------------------------------------------
 .../org/apache/cxf/common/util/StringUtils.java |  8 +++++++
 .../common/util/crypto/MessageDigestUtils.java  | 11 ++++-----
 .../oauth2/services/AbstractTokenService.java   | 17 +++++++------
 .../services/RedirectionBasedGrantService.java  |  3 +--
 .../rs/security/oauth2/utils/OAuthUtils.java    | 25 +++++++-------------
 5 files changed, 32 insertions(+), 32 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7cc91279/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
index 40e45a5..7df3d52 100644
--- a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
@@ -216,4 +216,12 @@ public final class StringUtils {
     public static byte[] toBytes(String str, String enc) throws UnsupportedEncodingException
{
         return str.getBytes(enc);
     }
+
+    public static String toHexString(byte[] bytes) {
+        StringBuilder hexString = new StringBuilder();
+        for (int i = 0; i < bytes.length; i++) {
+            hexString.append(Integer.toHexString(0xFF & bytes[i]));
+        }
+        return hexString.toString();
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cc91279/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
b/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
index 24b096b..b8e84e2 100644
--- a/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
@@ -22,6 +22,8 @@ import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 
+import org.apache.cxf.common.util.StringUtils;
+
 /**
  * The utility Message Digest generator which can be used for generating
  * random values
@@ -37,18 +39,13 @@ public final class MessageDigestUtils {
     }
         
     public static String generate(byte[] input) {
-        return generate(input, ALGO_MD5);
+        return generate(input, ALGO_SHA_256);
     }   
     
     public static String generate(byte[] input, String algo) {    
         try {
             byte[] messageDigest = createDigest(input, algo);
-            StringBuilder hexString = new StringBuilder();
-            for (int i = 0; i < messageDigest.length; i++) {
-                hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
-            }
-
-            return hexString.toString();
+            return StringUtils.toHexString(messageDigest);
         } catch (NoSuchAlgorithmException e) {
             throw new SecurityException(e);
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cc91279/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index f7feec8..23d8053 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -107,24 +107,27 @@ public class AbstractTokenService extends AbstractOAuthService {
     }
     
     // Get the Client and check the id and secret
-    protected Client getAndValidateClientFromIdAndSecret(String clientId, String clientSecret)
{
+    protected Client getAndValidateClientFromIdAndSecret(String clientId, String providedClientSecret)
{
         Client client = getClient(clientId);
         if (!client.getClientId().equals(clientId)) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
-        if (isValidPublicClient(client, clientId, clientSecret)) {
+        if (isValidPublicClient(client, clientId, providedClientSecret)) {
             return client;
         }
         if (!client.isConfidential()
-            || clientSecret == null || client.getClientSecret() == null 
-            || !isClientSecretValid(client, clientSecret)) {
+            || !isConfidenatialClientSecretValid(client, providedClientSecret)) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
         return client;
     }
-    protected boolean isClientSecretValid(Client client, String clientSecret) {
-        return clientSecretVerifier != null ? clientSecretVerifier.validateClientSecret(client,
clientSecret)
-            : client.getClientSecret().equals(clientSecret);
+    protected boolean isConfidenatialClientSecretValid(Client client, String providedClientSecret)
{
+        if (clientSecretVerifier != null) {
+            return clientSecretVerifier.validateClientSecret(client, providedClientSecret);
+        } else {
+            return client.getClientSecret() != null 
+                && providedClientSecret != null && client.getClientSecret().equals(providedClientSecret);
+        }
     }
     protected boolean isValidPublicClient(Client client, String clientId, String clientSecret)
{
         return canSupportPublicClients 

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cc91279/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 3168f75..9450a8a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -23,7 +23,6 @@ import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import java.util.UUID;
 
 import javax.servlet.http.HttpSession;
 import javax.ws.rs.Consumes;
@@ -347,7 +346,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
                                                                                     subject);
         } else {
             HttpSession session = getMessageContext().getHttpServletRequest().getSession();
-            sessionToken = UUID.randomUUID().toString();
+            sessionToken = OAuthUtils.generateRandomTokenKey();
             session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
         }
         secData.setAuthenticityToken(sessionToken);

http://git-wip-us.apache.org/repos/asf/cxf/blob/7cc91279/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 83716b1..1d4088f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -24,12 +24,11 @@ import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
-import java.util.UUID;
 
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.common.util.crypto.MessageDigestUtils;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.model.URITemplate;
 import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -48,7 +47,7 @@ public final class OAuthUtils {
 
     private OAuthUtils() {
     }
-
+    
     public static UserSubject createSubject(SecurityContext securityContext) {
         List<String> roleNames = Collections.emptyList();
         if (securityContext instanceof LoginSecurityContext) {
@@ -105,25 +104,19 @@ public final class OAuthUtils {
     }
 
     public static String generateRandomTokenKey() throws OAuthServiceException {
-        return generateRandomTokenKey(null);
+        return generateRandomTokenKey(16);
+    }
+    public static String generateRandomTokenKey(int byteSize) {
+        if (byteSize < 16) {
+            throw new OAuthServiceException();
+        }
+        return StringUtils.toHexString(CryptoUtils.generateSecureRandomBytes(byteSize));
     }
     
     public static long getIssuedAt() {
         return System.currentTimeMillis() / 1000;
     }
     
-    public static String generateRandomTokenKey(String digestAlgo) throws OAuthServiceException
{
-        try {
-            byte[] bytes = UUID.randomUUID().toString().getBytes("UTF-8");
-            if (digestAlgo == null) {
-                digestAlgo = MessageDigestUtils.ALGO_MD5;
-            }
-            return MessageDigestUtils.generate(bytes, digestAlgo);
-        } catch (Exception ex) {
-            throw new OAuthServiceException(OAuthConstants.SERVER_ERROR, ex);
-        }
-    }
-    
     public static boolean isExpired(Long issuedAt, Long lifetime) {
         return lifetime != -1
             && issuedAt + lifetime < System.currentTimeMillis() / 1000;


Mime
View raw message