cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: Making it easier to validate the nonce flows with the Memory provider
Date Thu, 19 Nov 2015 14:13:17 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 8c49fffad -> db4f6b540


Making it easier to validate the nonce flows with the Memory provider


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/db4f6b54
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/db4f6b54
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/db4f6b54

Branch: refs/heads/master
Commit: db4f6b540889d7d66e665f03dc562fc31eec60b4
Parents: 8c49fff
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Nov 19 14:13:01 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Nov 19 14:13:01 2015 +0000

----------------------------------------------------------------------
 .../oauth2/client/JoseClientCodeStateManager.java        |  2 +-
 .../oauth2/client/MemoryClientCodeStateManager.java      | 11 ++++++++++-
 .../org/apache/cxf/rs/security/oidc/common/IdToken.java  |  3 ++-
 .../rs/security/oidc/rp/OidcClientCodeRequestFilter.java |  2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/db4f6b54/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
index afc5c96..e269d19 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
@@ -61,7 +61,7 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager
{
         if (generateNonce && theSigProvider != null) {
             JwsCompactProducer nonceProducer = new JwsCompactProducer(OAuthUtils.generateRandomTokenKey());
             String nonceParam = nonceProducer.signWith(theSigProvider);
-            requestState.putSingle("nonce", nonceParam);
+            requestState.putSingle(OAuthConstants.NONCE, nonceParam);
         }
         Map<String, Object> stateMap = CastUtils.cast((Map<?, ?>)requestState);
         String json = jsonp.toJson(stateMap);

http://git-wip-us.apache.org/repos/asf/cxf/blob/db4f6b54/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
index 727839b..6403eda 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
@@ -27,15 +27,21 @@ import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
 
 public class MemoryClientCodeStateManager implements ClientCodeStateManager {
     private ConcurrentHashMap<String, MultivaluedMap<String, String>> map = 
             new ConcurrentHashMap<String, MultivaluedMap<String, String>>();
-    
+    private boolean generateNonce;
     @Override
     public MultivaluedMap<String, String> toRedirectState(MessageContext mc, 
                                                           MultivaluedMap<String, String>
requestState) {
         String stateParam = OAuthUtils.generateRandomTokenKey();
+        if (generateNonce) {
+            String nonceParam = MessageDigestUtils.generate(CryptoUtils.generateSecureRandomBytes(16));
+            requestState.putSingle(OAuthConstants.NONCE, nonceParam);
+        }
         map.put(stateParam, requestState);
         OAuthUtils.setSessionToken(mc, stateParam, "state", 0);
         MultivaluedMap<String, String> redirectMap = new MetadataMap<String, String>();
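Review bot: The nonce created on the `if (generateNonce)` line is only written into `requestState`; nothing in this hunk copies it into `redirectMap`, which is built on the last line, and the rest of toRedirectState lies outside the hunk. Please confirm the nonce is also sent as an authorization-request parameter, since an IdP that never receives it cannot echo it in the id_token, and validateIdToken would then reject every login once generateNonce is switched on (state nonce present, token nonce null). The value itself is derived by digesting 16 SecureRandom bytes, which is sound but differs from JoseClientCodeStateManager, which uses `OAuthUtils.generateRandomTokenKey()` for the same purpose; using the same helper here keeps the two managers consistent. The new setter also deserves a short Javadoc, e.g. `/** When true, a fresh random nonce is stored with the request state and later compared against the id_token's nonce claim to detect replayed tokens. */`.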
@@ -53,4 +59,7 @@ public class MemoryClientCodeStateManager implements ClientCodeStateManager
{
         }
         return map.remove(stateParam);
     }
+    public void setGenerateNonce(boolean generateNonce) {
+        this.generateNonce = generateNonce;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/db4f6b54/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
index ed5f7f4..7b0b1ad 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
@@ -23,10 +23,11 @@ import java.util.Map;
 
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 public class IdToken extends UserInfo {
     public static final String AUTH_TIME_CLAIM = "auth_time";
-    public static final String NONCE_CLAIM = "nonce";
+    public static final String NONCE_CLAIM = OAuthConstants.NONCE;
     public static final String ACR_CLAIM = "acr";
     public static final String AZP_CLAIM = "azp";
     public static final String AMR_CLAIM = "amr";

http://git-wip-us.apache.org/repos/asf/cxf/blob/db4f6b54/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index 18d7e40..43ec050 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -85,7 +85,7 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
     }
     private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state)
{
         
-        String nonce = state.getFirst("nonce");
+        String nonce = state.getFirst(IdToken.NONCE_CLAIM);
         String tokenNonce = idToken.getNonce();
         if (nonce != null && (tokenNonce == null || !nonce.equals(tokenNonce))) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
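Review bot: The check on the `if (nonce != null && ...)` line fails open when the stored state carries no nonce, so a token replayed against a flow whose nonce was lost or never issued is accepted without comment; that is consistent with nonce being optional in OIDC, but the intent should be stated, e.g. `// nonce is optional: only enforced when the state manager issued one (generateNonce); a mismatch or missing token nonce is rejected`. If the relying party knows nonce generation is enabled, consider rejecting a null state nonce too rather than relying on the state map contents, though that configuration is not visible here. validateIdToken continues past the end of this hunk.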

