
From serg...@apache.org
Subject cxf git commit: More nonce related updates and making sure the OAuthServiceException mappers can be reused in case of nonce/etc validation issues
Date Thu, 19 Nov 2015 16:34:29 GMT
Repository: cxf
Updated Branches:
  refs/heads/master db4f6b540 -> cd2c481ef


More nonce related updates and making sure the OAuthServiceException mappers can be reused
in case of nonce/etc validation issues


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cd2c481e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cd2c481e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cd2c481e

Branch: refs/heads/master
Commit: cd2c481ef654e884aef3089152230e7016167248
Parents: db4f6b5
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Nov 19 16:34:10 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Nov 19 16:34:10 2015 +0000

----------------------------------------------------------------------
 .../security/oauth2/client/JoseClientCodeStateManager.java   | 7 ++++---
 .../security/oauth2/client/MemoryClientCodeStateManager.java | 4 +++-
 .../cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java | 8 +++++---
 3 files changed, 12 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/cd2c481e/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
index e269d19..18802b9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
@@ -57,11 +57,13 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager
{
         if (theEncryptionProvider == null && theSigProvider == null) {
             throw new OAuthServiceException("The state can not be protected");
         }
+        MultivaluedMap<String, String> redirectMap = new MetadataMap<String, String>();
         
         if (generateNonce && theSigProvider != null) {
             JwsCompactProducer nonceProducer = new JwsCompactProducer(OAuthUtils.generateRandomTokenKey());
             String nonceParam = nonceProducer.signWith(theSigProvider);
             requestState.putSingle(OAuthConstants.NONCE, nonceParam);
+            redirectMap.putSingle(OAuthConstants.NONCE, nonceParam);
         }
         Map<String, Object> stateMap = CastUtils.cast((Map<?, ?>)requestState);
         String json = jsonp.toJson(stateMap);
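Review bot: With `generateNonce` set but only `theEncryptionProvider` configured, the guard `if (generateNonce && theSigProvider != null)` skips nonce generation silently, so the returned `redirectMap` carries no nonce and the later nonce check in OidcClientCodeRequestFilter is simply not performed, with nothing telling the deployer. MemoryClientCodeStateManager in this same commit derives its nonce from `MessageDigestUtils.generate(CryptoUtils.generateSecureRandomBytes(16))` without needing a signer, so the same fallback would keep the two managers consistent: `String nonceParam = theSigProvider != null ? new JwsCompactProducer(OAuthUtils.generateRandomTokenKey()).signWith(theSigProvider) : MessageDigestUtils.generate(CryptoUtils.generateSecureRandomBytes(16));` (those two utility classes may need importing in this file). If the encryption-only configuration is deliberately unsupported for nonces, the `OAuthServiceException("The state can not be protected")` path just above is the natural place to reject it instead. The enclosing `toRedirectState` starts above this hunk and continues into the next hunk of this file.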
@@ -75,15 +77,14 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager
{
         if (theEncryptionProvider != null) {
             stateParam = theEncryptionProvider.encrypt(StringUtils.toBytesUTF8(stateParam),
null);
         }
-        MultivaluedMap<String, String> map = new MetadataMap<String, String>();
         if (storeInSession) {
             String sessionStateAttribute = OAuthUtils.generateRandomTokenKey();
             OAuthUtils.setSessionToken(mc, stateParam, sessionStateAttribute, 0);
             stateParam = sessionStateAttribute;
         }
-        map.putSingle(OAuthConstants.STATE, stateParam);
+        redirectMap.putSingle(OAuthConstants.STATE, stateParam);
         
-        return map;
+        return redirectMap;
     }
 
     @Override

http://git-wip-us.apache.org/repos/asf/cxf/blob/cd2c481e/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
index 6403eda..33a95df 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/MemoryClientCodeStateManager.java
@@ -38,13 +38,15 @@ public class MemoryClientCodeStateManager implements ClientCodeStateManager
{
     public MultivaluedMap<String, String> toRedirectState(MessageContext mc, 
                                                           MultivaluedMap<String, String>
requestState) {
         String stateParam = OAuthUtils.generateRandomTokenKey();
+        MultivaluedMap<String, String> redirectMap = new MetadataMap<String, String>();
+        
         if (generateNonce) {
             String nonceParam = MessageDigestUtils.generate(CryptoUtils.generateSecureRandomBytes(16));
             requestState.putSingle(OAuthConstants.NONCE, nonceParam);
+            redirectMap.putSingle(OAuthConstants.NONCE, nonceParam);
         }
         map.put(stateParam, requestState);
         OAuthUtils.setSessionToken(mc, stateParam, "state", 0);
-        MultivaluedMap<String, String> redirectMap = new MetadataMap<String, String>();
         redirectMap.putSingle(OAuthConstants.STATE, stateParam);
         return redirectMap;
     }
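Review bot: `toRedirectState` now has an undocumented side effect: when `generateNonce` is true it writes `OAuthConstants.NONCE` into the caller-supplied `requestState` before storing that same map under `stateParam`, so a caller that reuses or inspects its map afterwards sees the nonce; JoseClientCodeStateManager's hunk does the same. A short Javadoc on the method would make the contract explicit, e.g. `/** Stores requestState under a fresh state key and returns the parameters to put on the redirect; when generateNonce is set, a nonce is added to requestState (which is mutated in place) and to the returned map. */`. It is also worth stating in that comment that the nonce returned here is expected to match the nonce later compared in OidcClientCodeRequestFilter, since the two sides are in different modules.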

http://git-wip-us.apache.org/repos/asf/cxf/blob/cd2c481e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index 43ec050..7d90457 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -32,6 +32,8 @@ import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.rs.security.oauth2.client.ClientCodeRequestFilter;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
@@ -88,20 +90,20 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
         String nonce = state.getFirst(IdToken.NONCE_CLAIM);
         String tokenNonce = idToken.getNonce();
         if (nonce != null && (tokenNonce == null || !nonce.equals(tokenNonce))) {
-            throw ExceptionUtils.toNotAuthorizedException(null, null);
+            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
         }
         if (maxAgeOffset != null) {
             Long authTime = Long.parseLong(state.getFirst(MAX_AGE_PARAMETER));
             Long tokenAuthTime = idToken.getAuthenticationTime();
             if (tokenAuthTime > authTime) {
-                throw ExceptionUtils.toNotAuthorizedException(null, null);
+                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
             }
         }
         
         String acr = idToken.getAuthenticationContextRef();
         // Skip the check if the acr is not set given it is a voluntary claim
         if (acr != null && authenticationContextRef != null && !authenticationContextRef.contains(acr))
{
-            throw ExceptionUtils.toNotAuthorizedException(null, null);
+            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
         }
         
     }
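Review bot: The max-age branch still unboxes `tokenAuthTime` in `if (tokenAuthTime > authTime)`, so an ID token without an auth_time claim (if `idToken.getAuthenticationTime()` returns null in that case, as the `Long` return type suggests) produces a NullPointerException rather than the `OAuthServiceException` the commit introduces for the other validation failures; since max_age was requested, a missing auth_time should be rejected as invalid, `if (tokenAuthTime == null || tokenAuthTime > authTime) { throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST); }`. Similarly `Long.parseLong(state.getFirst(MAX_AGE_PARAMETER))` throws NumberFormatException when the state lacks the parameter, which would bypass the mapper the commit message says it wants reused; a null check before parsing would keep that path on the same error type. The enclosing method starts above this hunk.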

