cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-5607] Very basic prototyping of the incremental authorization case
Date Mon, 22 Jun 2015 17:26:12 GMT
Repository: cxf
Updated Branches:
  refs/heads/master b6aaae80c -> 9a3dd438d


[CXF-5607] Very basic prototyping of the incremental authorization case


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9a3dd438
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9a3dd438
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9a3dd438

Branch: refs/heads/master
Commit: 9a3dd438dc52e2c957fc6c98e2db5426884c1a5c
Parents: b6aaae8
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Mon Jun 22 18:25:51 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Mon Jun 22 18:25:51 2015 +0100

----------------------------------------------------------------------
 .../oidc/rp/OidcClientCodeRequestFilter.java    |  2 +-
 .../oidc/rp/OidcRpAuthenticationFilter.java     | 87 ++++++++++++++++++++
 .../oidc/rp/OidcRpAuthenticationService.java    | 42 ++++++++++
 .../rs/security/oidc/rp/OidcRpStateManager.java | 32 +++++++
 4 files changed, 162 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index 4475aff..088f826 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -52,7 +52,7 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
     @Override
     protected void checkSecurityContextStart(ContainerRequestContext rc) {
         SecurityContext sc = rc.getSecurityContext();
-        if (sc != null && sc.getUserPrincipal() != null) {
+        if (sc != null && !(sc instanceof OidcSecurityContext)) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
new file mode 100644
index 0000000..c589161
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import java.util.Map;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.core.Cookie;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
+
+import org.apache.cxf.jaxrs.impl.MetadataMap;
+import org.apache.cxf.jaxrs.utils.FormUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+
+public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
+    
+    private OidcRpStateManager stateManager;
+    private String rpServiceAddress;
+    
+    public void filter(ContainerRequestContext rc) {
+        if (checkSecurityContext(rc)) {
+            return;
+        } else {
+            String token = OAuthUtils.generateRandomTokenKey();
+            MultivaluedMap<String, String> state = toRequestState(rc);
+            stateManager.setRequestState(token, state);
+            UriBuilder ub = UriBuilder.fromUri(rpServiceAddress);
+            ub.queryParam("state", token);
+            rc.abortWith(Response.seeOther(ub.build())
+                           .header(HttpHeaders.CACHE_CONTROL, "no-cache, no-store")
+                           .header("Pragma", "no-cache") 
+                           .build());
+        }
+    }
+    protected boolean checkSecurityContext(ContainerRequestContext rc) {
+        Map<String, Cookie> cookies = rc.getCookies();
+        
+        Cookie securityContextCookie = cookies.get("org.apache.cxf.websso.context");
+        if (securityContextCookie == null) {
+            return false;
+        }
+        String contextKey = securityContextCookie.getValue();
+        
+        OidcClientTokenContext tokenContext = stateManager.getTokenContext(contextKey);
+        
+        if (tokenContext == null) {
+            return false;
+        }
+        rc.setSecurityContext(new OidcSecurityContext(tokenContext));
+        return true;
+    }
+    private MultivaluedMap<String, String> toRequestState(ContainerRequestContext rc)
{
+        MultivaluedMap<String, String> requestState = new MetadataMap<String, String>();
+        requestState.putAll(rc.getUriInfo().getQueryParameters(true));
+        if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(rc.getMediaType())) {
+            String body = FormUtils.readBody(rc.getEntityStream(), "UTF-8");
+            FormUtils.populateMapFromString(requestState, JAXRSUtils.getCurrentMessage(),
body, 
+                                            "UTF-8", true);
+        }
+        return requestState;
+    }
+    public void setRpServiceAddress(String rpServiceAddress) {
+        this.rpServiceAddress = rpServiceAddress;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
new file mode 100644
index 0000000..5541e80
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import java.net.URI;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+
+@Path("rp")
+public class OidcRpAuthenticationService {
+    private OidcRpStateManager stateManager;
+    
+    @GET
+    @Path("complete")
+    public Response completeAuthentication(@Context OidcClientTokenContext context) {
+        String key = OAuthUtils.generateRandomTokenKey();
+        stateManager.setTokenContext(key, context);
+        URI uri = URI.create(context.getState().getFirst("location"));
+        return Response.seeOther(uri).header("SetCookie", "contextKey=" + key).build();
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java
new file mode 100644
index 0000000..564e53e
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import java.io.Closeable;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+public interface OidcRpStateManager extends Closeable {
+    void setRequestState(String token, MultivaluedMap<String, String> state);
+    MultivaluedMap<String, String> removeRequestState(String token);
+    
+    void setTokenContext(String contextKey, OidcClientTokenContext state);
+    OidcClientTokenContext getTokenContext(String contextKey);
+    OidcClientTokenContext removeTokenContext(String contextKey);
+}


Mime
View raw message