From serg...@apache.org
Subject cxf git commit: Fixing NPE if the authorization is skipped and disabling the skipping the authorization in the restricted case unless a user is fine
Date Thu, 22 Oct 2015 11:23:03 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 6cc192c2f -> 743b191f3


Fixing an NPE if the authorization is skipped, and disabling the skipping of the authorization in
the restricted case unless a user is fine with it


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/743b191f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/743b191f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/743b191f

Branch: refs/heads/master
Commit: 743b191f333a49c527f2e750d7d03aa0ea30af33
Parents: 6cc192c
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Oct 22 12:22:47 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Oct 22 12:22:47 2015 +0100

----------------------------------------------------------------------
 .../services/RedirectionBasedGrantService.java     | 17 +++++++++++------
 .../oidc/idp/OidcAuthorizationCodeService.java     | 12 +++++++++---
 2 files changed, 20 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/743b191f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 46a263f..c174429 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -145,9 +145,9 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
         }
         // Convert the requested scopes to OAuthPermission instances
-        List<OAuthPermission> permissions = null;
+        List<OAuthPermission> requestedPermissions = null;
         try {
-            permissions = getDataProvider().convertScopeToPermissions(client, requestedScope);
+            requestedPermissions = getDataProvider().convertScopeToPermissions(client, requestedScope);
         } catch (OAuthServiceException ex) {
             return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
         }
@@ -161,18 +161,21 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         ServerAccessToken preAuthorizedToken = getDataProvider().getPreauthorizedToken(
             client, requestedScope, userSubject, supportedGrantType);
         final boolean authorizationCanBeSkipped = 
-            preAuthorizedToken != null || canAuthorizationBeSkipped(client, permissions);
+            preAuthorizedToken != null 
+            || canAuthorizationBeSkipped(client, requestedScope, requestedPermissions);
         
         // Populate the authorization challenge data 
         OAuthAuthorizationData data = 
-            createAuthorizationData(client, params, redirectUri, userSubject, permissions,

+            createAuthorizationData(client, params, redirectUri, userSubject, requestedPermissions,

                                     authorizationCanBeSkipped);
         
         if (authorizationCanBeSkipped) {
+            List<OAuthPermission> approvedScopes = 
+                preAuthorizedToken != null ? preAuthorizedToken.getScopes() : requestedPermissions;

             return createGrant(data,
                                client, 
                                requestedScope,
-                               OAuthUtils.convertPermissionsToScopeList(preAuthorizedToken.getScopes()),
+                               OAuthUtils.convertPermissionsToScopeList(approvedScopes),
                                userSubject,
                                preAuthorizedToken);
         }
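Review bot: The new local `approvedScopes` holds `OAuthPermission` objects (it is declared `List<OAuthPermission>` and fed straight into `convertPermissionsToScopeList`), so its name suggests scope strings that it does not contain; `approvedPermissions` would also mirror `requestedPermissions` from the same method. With this change the `createGrant` call can now be reached with `preAuthorizedToken == null` whenever the skip comes from `canAuthorizationBeSkipped` rather than a stored token, which the old code never did, so a comment such as `// preAuthorizedToken is null when the skip was decided by canAuthorizationBeSkipped` would make the new contract visible, and createGrant's handling of a null token (defined outside this hunk) should be confirmed. The enclosing method begins before and ends after this hunk.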
@@ -181,7 +184,9 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         
     }
     
-    protected boolean canAuthorizationBeSkipped(Client client, List<OAuthPermission>
permissions) {
+    protected boolean canAuthorizationBeSkipped(Client client, 
+                                                List<String> requestedScope, 
+                                                List<OAuthPermission> permissions)
{
         return false;
     }
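Review bot: The widened `canAuthorizationBeSkipped` hook has no Javadoc, and since a `true` return bypasses the user consent form for the whole request, the contract is worth spelling out. Suggest a Javadoc stating that the default returns false, that `requestedScope` is the raw scope list from the request while `permissions` is the data provider's conversion of it, and that an override returning true issues the grant without presenting the authorization form to the user. The line break inside the parameter list and before `{` looks like mail wrapping rather than the committed formatting, so no style point there.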
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/743b191f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index 77cd1a2..bb3b27e 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -29,13 +29,19 @@ import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
 @Path("/login")
 public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
     private static final String OPEN_ID_CONNECT_SCOPE = "openid";
+    private boolean skipAuthorizationWithOidcScope;
     @Override
-    protected boolean canAuthorizationBeSkipped(Client client, List<OAuthPermission>
permissions) {
+    protected boolean canAuthorizationBeSkipped(Client client,
+                                                List<String> requestedScope,
+                                                List<OAuthPermission> permissions)
{
         // No need to challenge the authenticated user with the authorization form 
         // if all the client application redirecting a user needs is to get this user authenticated
         // with OIDC IDP
-        return permissions.size() == 1 
-            && OPEN_ID_CONNECT_SCOPE.equals(permissions.get(0).getPermission());
+        return requestedScope.size() == 1 && skipAuthorizationWithOidcScope
+            && OPEN_ID_CONNECT_SCOPE.equals(requestedScope.get(0));
+    }
+    public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)
{
+        this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
     }
     
 }
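Review bot: The `skipAuthorizationWithOidcScope` flag now gates the consent bypass, but the comment above the return still describes the skip as unconditional, and the new setter carries no Javadoc explaining that enabling it lets a client finish the login flow without the user seeing the authorization form whenever only `openid` is requested. Suggest replacing the three-line comment with `// Skip the authorization form only when explicitly enabled and the client asks solely for the 'openid' scope` and adding a setter Javadoc to that effect, noting that the default is false. Checking the flag first, `return skipAuthorizationWithOidcScope && requestedScope.size() == 1 && OPEN_ID_CONNECT_SCOPE.equals(requestedScope.get(0));`, short-circuits before touching the list and reads as the guard it is. The override no longer looks at `permissions`; if the data provider's `convertScopeToPermissions` can add or default permissions beyond what was literally requested, deciding on the raw `requestedScope` may differ from deciding on the converted list, which is worth confirming against the provider implementations.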

