From serg...@apache.org
Subject cxf git commit: Adding OAuth2 Consumers bean helper, and prototyping checking the authentication method of the resource owner
Date Fri, 01 May 2015 12:41:49 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes b4547504a -> e785feb1a


Adding an OAuth2 Consumers bean helper, and prototyping a check of the authentication method
used by the resource owner


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e785feb1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e785feb1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e785feb1

Branch: refs/heads/3.0.x-fixes
Commit: e785feb1a375183533f825e9076aed52adbb6197
Parents: b454750
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri May 1 13:32:25 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri May 1 13:41:29 2015 +0100

----------------------------------------------------------------------
 .../rs/security/oauth2/client/Consumers.java    | 35 ++++++++++++
 .../oauth2/client/OAuthClientUtils.java         | 16 +++++-
 .../oauth2/common/AuthenticationMethod.java     | 25 +++++++++
 .../cxf/rs/security/oauth2/common/Client.java   | 56 ++++++++++++++------
 .../rs/security/oauth2/common/UserSubject.java  | 10 +++-
 .../oauth2/filters/OAuthRequestFilter.java      | 13 ++++-
 .../rs/security/oauth2/utils/OAuthUtils.java    | 11 +++-
 7 files changed, 146 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/e785feb1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java
new file mode 100644
index 0000000..461a75e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.util.HashSet;
+import java.util.Set;
+
+public class Consumers {
+    
+    private Set<OAuthClientUtils.Consumer> consumers = new HashSet<OAuthClientUtils.Consumer>();
+    
+    public Consumers(Consumers consumers) {
+        this.consumers = consumers.getConsumers();
+    }
+
+    public Set<OAuthClientUtils.Consumer> getConsumers() {
+        return consumers;
+    }
+}
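Review bot: The copy constructor's `this.consumers = consumers.getConsumers();` aliases the other instance's set instead of copying it, so both objects share one mutable HashSet, and the field initializer `new HashSet<OAuthClientUtils.Consumer>()` is dead code because this is the only constructor. Use `this.consumers = new HashSet<OAuthClientUtils.Consumer>(consumers.getConsumers());` and, if this class is meant to be wired as a bean, add a no-arg constructor plus a `setConsumers` setter, since at present no instance can be created without an existing one. Also decide whether `getConsumers()` should hand out the live set or a read-only view, given that each Consumer carries a secret.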

http://git-wip-us.apache.org/repos/asf/cxf/blob/e785feb1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
index f8738ae..5367d72 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
@@ -412,6 +412,7 @@ public final class OAuthClientUtils {
         
         private String key;
         private String secret;
+        private String description;
         
         public Consumer(String key, String secret) {
             this.key = key;
@@ -424,7 +425,20 @@ public final class OAuthClientUtils {
         public String getSecret() {
             return secret;
         }
-        
+        public String getDescription() {
+            return description;
+        }
+        public void setDescription(String description) {
+            this.description = description;
+        }
+        @Override
+        public int hashCode() {
+            return key.hashCode();
+        }
+        @Override
+        public boolean equals(Object o) {
+            return o instanceof Consumer && key.equals(((Consumer)o).key);
+        }
         
     }
 }
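Review bot: `hashCode()` and `equals()` dereference `key` with no null check, and the visible part of the `Consumer(String key, String secret)` constructor in the previous hunk assigns `key` without validating it, so a Consumer built with a null key throws NullPointerException the moment it is added to the HashSet in Consumers. Either reject a null key in the constructor or make both methods null-safe, e.g. `return key == null ? 0 : key.hashCode();` and `return o instanceof Consumer && (key == null ? ((Consumer) o).key == null : key.equals(((Consumer) o).key));`. Equality is keyed on `key` alone, so two Consumers with the same id but different secrets collapse to one in a set; that is presumably intended, but a one-line Javadoc on `equals` saying so would prevent surprises.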

http://git-wip-us.apache.org/repos/asf/cxf/blob/e785feb1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java
new file mode 100644
index 0000000..2036ab4
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.common;
+
+public enum AuthenticationMethod {
+    PASSWORD,
+    TWO_FACTOR
+    //etc
+}
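Review bot: The new public enum has no Javadoc, and the trailing `//etc` is the only hint that the set of constants is provisional. Add a type-level comment such as `/** Method by which a {@link UserSubject} was authenticated; this set of constants is a prototype and is expected to grow. */` and either turn `//etc` into a TODO naming what is expected or drop it. Since OAuthRequestFilter compares this value with `equals`, it is worth documenting that a null method on a subject means "unknown" and will be rejected by a filter configured to require a method.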

http://git-wip-us.apache.org/repos/asf/cxf/blob/e785feb1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
index 494a00d..4f1b395 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
@@ -49,6 +49,7 @@ public class Client implements Serializable {
     
     private Map<String, String> properties = new HashMap<String, String>();
     private UserSubject subject;
+    private UserSubject resourceOwnerSubject;
         
     public Client() {
         
@@ -96,7 +97,7 @@ public class Client implements Serializable {
     }
         
     /**
-     * Gets the name of the third-party application
+     * Get the name of the third-party application
      * this client represents
      * @return the application name
      */
@@ -105,7 +106,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Sets the name of the third-party application
+     * Set the name of the third-party application
      * this client represents
      * @param applicationName the name
      */
@@ -114,7 +115,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Gets the public URI of the third-party application.
+     * Get the public URI of the third-party application.
      * @return the application URI
      */
     public String getApplicationWebUri() {
@@ -122,7 +123,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Sets the public URI of the third-party application.
+     * Set the public URI of the third-party application.
      * @param applicationWebUri the application URI
      */
     public void setApplicationWebUri(String applicationWebUri) {
@@ -130,7 +131,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Sets the description of the third-party application.
+     * Set the description of the third-party application.
      * @param applicationDescription the description
      */
     public void setApplicationDescription(String applicationDescription) {
@@ -138,7 +139,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Gets the description of the third-party application.
+     * Get the description of the third-party application.
      * @return the application description
      */
     public String getApplicationDescription() {
@@ -146,7 +147,7 @@ public class Client implements Serializable {
     }
     
     /**
-     * Sets the URI pointing to a logo image of the client application
+     * Set the URI pointing to a logo image of the client application
      * @param logoPath the logo URI
      */
     public void setApplicationLogoUri(String logoPath) {
@@ -162,7 +163,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Sets the confidentiality status of this client application.
+     * Set the confidentiality status of this client application.
      * This can be used to restrict which OAuth2 flows this client
      * can participate in.
      * 
@@ -173,7 +174,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Gets the confidentiality status of this client application.
+     * Get the confidentiality status of this client application.
      * @return the confidentiality status
      */
     public boolean isConfidential() {
@@ -190,7 +191,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Gets a list of URIs the AuthorizationService
+     * Get a list of URIs the AuthorizationService
      * may return the authorization code to
      * @return the redirect uris
      */
@@ -199,7 +200,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Sets the list of access token grant types this client
+     * Set the list of access token grant types this client
      * can use to obtain the access tokens.
      * @param allowedGrantTypes the list of grant types
      */
@@ -208,7 +209,7 @@ public class Client implements Serializable {
     }
 
     /**
-     * Gets the list of access token grant types this client
+     * Get the list of access token grant types this client
      * can use to obtain the access tokens.
      * @return the list of grant types
      */
@@ -217,8 +218,11 @@ public class Client implements Serializable {
     }
 
     /**
-     * Sets the {@link UserSubject} representing this Client 
-     * authentication, may be setup during the registration. 
+     * Set the {@link UserSubject} representing this Client 
+     * authentication. This property may be set during the registration
+     * in cases where a 3rd party client needs to authenticate first before
+     * registering as OAuth2 client. This property may also wrap a clientId
+     * in cases where a client credentials flow is used   
      *
      * @param subject the user subject
      */
@@ -227,13 +231,35 @@ public class Client implements Serializable {
     }
 
     /**
-     * Gets the {@link UserSubject} representing this Client 
+     * Get the {@link UserSubject} representing this Client 
      * authentication
      * @return the user subject
      */
     public UserSubject getSubject() {
         return subject;
     }
+
+    /**
+     * Set the {@link UserSubject} representing the resource owner 
+     * who has registered this client. This property may be set in cases where
+     * each account (resource) owner registers account specific Clients
+     *
+     * @param subject the resource owner user subject
+     */
+
+    public void setResourceOwnerSubject(UserSubject resourceOwnerSubject) {
+        this.resourceOwnerSubject = resourceOwnerSubject;
+    }
+
+
+    /**
+     * Get the {@link UserSubject} representing the resource owner 
+     * who has registered this client
+     * @return the resource owner user subject
+     */
+    public UserSubject getResourceOwnerSubject() {
+        return resourceOwnerSubject;
+    }
     
     /**
      * Get the list of additional client properties
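Review bot: The Javadoc on `setResourceOwnerSubject` says `@param subject` while the parameter is named `resourceOwnerSubject`, so javadoc will flag the mismatch; change it to `@param resourceOwnerSubject the resource owner user subject` and remove the blank line between the comment and the method, which some tools treat as detaching the comment from the declaration. `Client implements Serializable` (per the hunk header), so the added `resourceOwnerSubject` field changes the serialized form; if the class declares a fixed `serialVersionUID` that is harmless, otherwise objects serialized by an earlier 3.0.x release will no longer deserialize — the declaration is outside the hunk, so please confirm.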

http://git-wip-us.apache.org/repos/asf/cxf/blob/e785feb1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
index 43502b2..6972220 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
@@ -39,7 +39,7 @@ public class UserSubject implements Serializable {
     private String id;
     private List<String> roles = new LinkedList<String>();
     private Map<String, String> properties = new HashMap<String, String>();
-    
+    private AuthenticationMethod am;
     public UserSubject() {
         
     }
@@ -129,5 +129,13 @@ public class UserSubject implements Serializable {
     public void setId(String id) {
         this.id = id;
     }
+
+    public AuthenticationMethod getAuthenticationMethod() {
+        return am;
+    }
+
+    public void setAthenticationMethod(AuthenticationMethod method) {
+        this.am = method;
+    }
     
 }
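Review bot: The new public setter is misspelled as `setAthenticationMethod`, and OAuthUtils in this same commit already calls it by that name, so the typo is about to become part of the 3.0.x API where a later rename breaks callers. Rename it to `public void setAuthenticationMethod(AuthenticationMethod method)` before release and update the one caller in OAuthUtils. In the first hunk the field is named `am` and sits on the line directly before the constructor; a descriptive name such as `authenticationMethod` and a separating blank line would match the surrounding fields. `UserSubject implements Serializable`, so the added field changes the serialized form — check whether a `serialVersionUID` is declared (outside the hunk).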

http://git-wip-us.apache.org/repos/asf/cxf/blob/e785feb1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index 22af72c..c11cbc2 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -46,6 +46,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
+import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
@@ -72,7 +73,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     private List<String> requiredScopes = Collections.emptyList();
     private boolean allPermissionsMatch;
     private boolean blockPublicClients;
-    
+    private AuthenticationMethod am;
     public void filter(ContainerRequestContext context) {
         validateRequest(JAXRSUtils.getCurrentMessage());
     }    
@@ -128,6 +129,13 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
             LOG.warning(message);
             throw ExceptionUtils.toForbiddenException(null, null);
         }
+        if (am != null && !am.equals(accessTokenV.getTokenSubject().getAuthenticationMethod()))
{
+            String message = "The token has been authorized by the resource owner "
+                + "using an unsupported authentication method";
+            LOG.warning(message);
+            throw ExceptionUtils.toForbiddenException(null, null);
+            
+        }
         
         // Create the security context and make it available on the message
         SecurityContext sc = createSecurityContext(req, accessTokenV);
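Review bot: The added check calls `accessTokenV.getTokenSubject().getAuthenticationMethod()` without guarding `getTokenSubject()` against null, so if a required method is configured and a token carries no subject (should such tokens be possible here) the filter throws NullPointerException rather than the intended 403. Make it fail closed: `UserSubject ts = accessTokenV.getTokenSubject();` followed by `if (am != null && (ts == null || !am.equals(ts.getAuthenticationMethod()))) {`. The enclosing method starts and ends outside this hunk. The field `am` is set by `setTokenSubjectAuthenticationMethod` in the last hunk; naming it `tokenSubjectAuthenticationMethod` would make that relation obvious, and the blank line after the `throw` in the new block is trailing whitespace.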
@@ -283,5 +291,8 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     public void setBlockPublicClients(boolean blockPublicClients) {
         this.blockPublicClients = blockPublicClients;
     }
+    public void setTokenSubjectAuthenticationMethod(AuthenticationMethod method) {
+        this.am = method;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/e785feb1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 79f9f51..a80e4ef 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -30,6 +30,9 @@ import javax.ws.rs.core.MultivaluedMap;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.model.URITemplate;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
@@ -57,8 +60,12 @@ public final class OAuthUtils {
                 roleNames.add(p.getName());
             }
         }
-        return 
-            new UserSubject(securityContext.getUserPrincipal().getName(), roleNames);
+        UserSubject subject = new UserSubject(securityContext.getUserPrincipal().getName(),
roleNames);
+        Message m = JAXRSUtils.getCurrentMessage();
+        if (m != null && m.get(AuthenticationMethod.class) != null) {
+            subject.setAthenticationMethod(m.get(AuthenticationMethod.class));
+        }
+        return subject;
     }
     
     public static String convertPermissionsToScope(List<OAuthPermission> perms) {
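Review bot: The new lookup of `AuthenticationMethod.class` on the current `Message` introduces an undocumented contract — whatever authenticates the request is expected to store the method under that key, and nothing else in this commit appears to do so — so the enclosing method (which starts outside the hunk) should state it in its Javadoc, e.g. `Builds a UserSubject from the security context; if the authenticating filter stored an AuthenticationMethod on the current Message under the AuthenticationMethod.class key it is copied to the subject, otherwise the method stays null and a filter configured to require one will reject the token.` The call uses the misspelled `setAthenticationMethod` from UserSubject; rename both together. `m.get(AuthenticationMethod.class)` is evaluated twice, which a local `AuthenticationMethod method = m.get(AuthenticationMethod.class);` avoids.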

