cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Adding some initial OAuth2 client filter support
Date Tue, 07 Apr 2015 16:47:17 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 51f2c53a9 -> cdcdb5d29


Adding some initial OAuth2 client filter support


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cdcdb5d2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cdcdb5d2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cdcdb5d2

Branch: refs/heads/3.0.x-fixes
Commit: cdcdb5d29d41f94ca691fffe9b225e4ec7eaf479
Parents: 51f2c53
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Apr 7 17:45:36 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Apr 7 17:47:00 2015 +0100

----------------------------------------------------------------------
 .../oauth2/client/AbstractAuthSupplier.java     |  37 ++++++
 .../oauth2/client/BearerAuthSupplier.java       | 130 +++++++++++++++++++
 .../oauth2/client/BearerClientFilter.java       |  43 ++++++
 .../oauth2/common/ClientAccessToken.java        |   4 +
 4 files changed, 214 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/cdcdb5d2/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
new file mode 100644
index 0000000..5932f28
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+
+public abstract class AbstractAuthSupplier {
+    protected ClientAccessToken clientAccessToken = new ClientAccessToken();
+    protected AbstractAuthSupplier(String type) {
+        clientAccessToken = new ClientAccessToken();
+        clientAccessToken.setTokenType(type);
+    }
+    public void setAccessToken(String accessToken) {
+        clientAccessToken.setTokenKey(accessToken);
+    }
+    protected String createAuthorizationHeader() {
+        return clientAccessToken.getTokenType() + " " + clientAccessToken.getTokenKey();
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/cdcdb5d2/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
new file mode 100644
index 0000000..557a825
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.net.URI;
+import java.util.Collections;
+
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.transport.http.auth.HttpAuthSupplier;
+
+public class BearerAuthSupplier extends AbstractAuthSupplier implements HttpAuthSupplier
{
+    private Consumer consumer; 
+    private String accessTokenServiceUri;
+    private boolean refreshEarly; 
+    public BearerAuthSupplier() {
+        super(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
+    }
+
+    public boolean requiresRequestCaching() {
+        return true;
+    }
+
+    public String getAuthorization(AuthorizationPolicy authPolicy,
+                                   URI currentURI,
+                                   Message message,
+                                   String fullHeader) {
+        if (clientAccessToken.getTokenKey() == null) {
+            return null;
+        }
+        
+        
+        if (fullHeader == null) {
+            // regular authorization
+            if (refreshEarly) {
+                refreshAccessTokenIfExpired(authPolicy);
+            }
+            return createAuthorizationHeader();
+        }
+        // the last call resulted in 401, trying to refresh the token(s)
+        if (refreshAccessToken(authPolicy)) {
+            return createAuthorizationHeader();
+        } else {
+            return null;
+            
+        }
+    }
+    private void refreshAccessTokenIfExpired(AuthorizationPolicy authPolicy) {
+        if (clientAccessToken.getExpiresIn() != -1 
+            && OAuthUtils.isExpired(clientAccessToken.getIssuedAt(), 
+                                    clientAccessToken.getExpiresIn())) {
+            refreshAccessToken(authPolicy);
+        }
+        
+    }
+
+
+    private boolean refreshAccessToken(AuthorizationPolicy authPolicy) {
+        if (clientAccessToken.getRefreshToken() == null) {
+            return false;
+        }
+        // Client id and secret are needed to refresh the tokens
+        // AuthorizationPolicy can hold them by default, Consumer can also be injected into
this supplier
+        // and checked if the policy is null. 
+        // Client TLS authentication is also fine as an alternative authentication mechanism,
+        // how can we check here that a 2-way TLS has been set up ?
+        Consumer theConsumer = consumer;
+        if (theConsumer == null 
+            && authPolicy != null && authPolicy.getUserName() != null &&
authPolicy.getPassword() != null) {
+            theConsumer = new Consumer(authPolicy.getUserName(), authPolicy.getPassword());
+            return false;
+        }
+        if (theConsumer == null) {
+            return false;
+        }
+        // Can WebCient be safely constructed at HttpConduit initialization time ?
+        // If yes then createAccessTokenServiceClient() can be called inside
+        // setAccessTokenServiceUri, though given that the token refreshment would
+        // not be done on every request the current approach is quite reasonable 
+        
+        WebClient accessTokenService = createAccessTokenServiceClient();
+        clientAccessToken = OAuthClientUtils.refreshAccessToken(accessTokenService, theConsumer,
clientAccessToken);
+        return true;
+    }
+
+    private WebClient createAccessTokenServiceClient() {
+        return WebClient.create(accessTokenServiceUri, Collections.singletonList(new OAuthJSONProvider()));
+    }
+
+    public void setRefreshToken(String refreshToken) {
+        clientAccessToken.setRefreshToken(refreshToken);
+    }
+
+    public void setAccessTokenServiceUri(String uri) {
+        this.accessTokenServiceUri = uri;
+    }
+
+    public Consumer getConsumer() {
+        return consumer;
+    }
+    public void setConsumer(Consumer consumer) {
+        this.consumer = consumer;
+    }
+
+    public void setRefreshEarly(boolean refreshEarly) {
+        this.refreshEarly = refreshEarly;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/cdcdb5d2/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
new file mode 100644
index 0000000..30a7eeb
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.io.IOException;
+
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientRequestFilter;
+import javax.ws.rs.core.HttpHeaders;
+
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+public class BearerClientFilter extends AbstractAuthSupplier implements ClientRequestFilter
{
+
+    public BearerClientFilter() {
+        super(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
+    }
+    
+    @Override
+    public void filter(ClientRequestContext requestContext) throws IOException {
+        requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, 
+                                              createAuthorizationHeader());
+        
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/cdcdb5d2/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
index 745339a..e59075d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
@@ -31,6 +31,10 @@ public class ClientAccessToken extends AccessToken {
     private static final long serialVersionUID = 831870452726298523L;
     private String scope;
         
+    public ClientAccessToken() {
+        
+    }
+    
     public ClientAccessToken(String tokenType, String tokenKey) {
         super(tokenType, tokenKey);
     }


Mime
View raw message