From serg...@apache.org
Subject cxf git commit: Prototyping the code to let OAuth2 code filter handle access_denied code errors from authenticated users
Date Mon, 09 Nov 2015 14:40:08 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 8a5fae177 -> 2e7d95de8


Prototyping the code to let OAuth2 code filter handle access_denied code errors from authenticated
users


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e7d95de
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e7d95de
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e7d95de

Branch: refs/heads/master
Commit: 2e7d95de89e29a9b49ab504a09b84ea72ef85c4f
Parents: 8a5fae1
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Nov 9 14:39:51 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Nov 9 14:39:51 2015 +0000

----------------------------------------------------------------------
 .../oauth2/client/AccessDeniedResponse.java     | 23 ++++++++++
 .../oauth2/client/ClientCodeRequestFilter.java  | 44 ++++++++++++++++----
 2 files changed, 58 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2e7d95de/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java
new file mode 100644
index 0000000..9ec28ab
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java
@@ -0,0 +1,23 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.client;
+
+public class AccessDeniedResponse {
+
+}
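Review bot: AccessDeniedResponse is added as an empty class with no Javadoc, yet ClientCodeRequestFilter returns it as the entity of a 200 response (`Response.ok(new AccessDeniedResponse()).build()`), so what the client actually receives on the wire depends entirely on whether a MessageBodyWriter accepts this type. A class-level Javadoc stating that this is the entity produced when the authorization server answers the code request with an access_denied error, and which callback values it is meant to carry (the error description and state, presumably), would make the prototype's intent clear. Until it carries those values the application cannot tell why access was denied or which request was refused.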

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e7d95de/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index 1b9d293..bd49445 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
@@ -65,6 +65,8 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
     private long expiryThreshold;
     private String redirectUri;
     private boolean setFormPostResponseMode;
+    private boolean faultAccessDeniedResponses;
+    private boolean applicationCanHandleAccessDenied;
         
     @Override
     public void filter(ContainerRequestContext rc) throws IOException {
@@ -93,20 +95,34 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
             Response codeResponse = createCodeResponse(rc,  ui);
             rc.abortWith(codeResponse);
         } else if (absoluteRequestUri.endsWith(completeUri)) {
-            processCodeResponse(rc, ui);
-            checkSecurityContextEnd(rc);
+            MultivaluedMap<String, String> requestParams = toRequestState(rc, ui);
+            processCodeResponse(rc, ui, requestParams);
+            checkSecurityContextEnd(rc, requestParams);
         }
     }
 
     protected void checkSecurityContextStart(ContainerRequestContext rc) {
-        checkSecurityContextEnd(rc);
-    }
-    private void checkSecurityContextEnd(ContainerRequestContext rc) {
         SecurityContext sc = rc.getSecurityContext();
         if (sc == null || sc.getUserPrincipal() == null) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
     }
+    private void checkSecurityContextEnd(ContainerRequestContext rc,
+                                         MultivaluedMap<String, String> requestParams)
{
+        String codeParam = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
+        SecurityContext sc = rc.getSecurityContext();
+        if (sc == null || sc.getUserPrincipal() == null) {
+            if (codeParam == null 
+                && requestParams.containsKey(OAuthConstants.ACCESS_DENIED)
+                && !faultAccessDeniedResponses) {
+                if (!applicationCanHandleAccessDenied) {
+                    rc.abortWith(Response.ok(new AccessDeniedResponse()).build());    
+                }
+            } else {
+                throw ExceptionUtils.toNotAuthorizedException(null, null);
+            }
+        }
+    }
 
     private Response createCodeResponse(ContainerRequestContext rc, UriInfo ui) {
         MultivaluedMap<String, String> redirectState = createRedirectState(rc, ui);
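Review bot: The access-denied branch in checkSecurityContextEnd keys on `requestParams.containsKey(OAuthConstants.ACCESS_DENIED)`, i.e. on a parameter literally named access_denied; an OAuth2 authorization server reports this condition as the value of the `error` parameter, so unless toRequestState (outside the hunk) rewrites the callback, this condition never matches and every denied callback still ends in the 401 from the else branch. If ACCESS_DENIED is the error value, the condition should compare it against the error parameter instead, e.g. `&& OAuthConstants.ACCESS_DENIED.equals(requestParams.getFirst(OAuthConstants.ERROR_KEY))`, assuming the constants class exposes the error key. Note also that when applicationCanHandleAccessDenied is true the method returns without aborting, so the request reaches the resource with an unauthenticated SecurityContext and a ClientTokenContext holding no access token; a Javadoc sentence on that flag saying the application must check for this state before serving anything would make the contract explicit. The abortWith line also carries trailing whitespace.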
@@ -141,15 +157,17 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
             return ui.getAbsolutePath();
         }
     }
-    protected void processCodeResponse(ContainerRequestContext rc, UriInfo ui) {
-        MultivaluedMap<String, String> params = toRequestState(rc, ui);
-        String codeParam = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
+    protected void processCodeResponse(ContainerRequestContext rc, 
+                                       UriInfo ui,
+                                       MultivaluedMap<String, String> requestParams)
{
+        
+        String codeParam = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
         ClientAccessToken at = null;
         if (codeParam != null) {
             AccessTokenGrant grant = new AuthorizationCodeGrant(codeParam, getAbsoluteRedirectUri(ui));
             at = OAuthClientUtils.getAccessToken(accessTokenServiceClient, consumer, grant);
         }
-        ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, params);
+        ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, requestParams);
         if (at != null && clientTokenContextManager != null) {
             clientTokenContextManager.setClientTokenContext(mc, tokenContext);
         }
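Review bot: The protected two-argument `processCodeResponse(ContainerRequestContext, UriInfo)` is removed rather than kept, so a subclass that overrides it keeps compiling (the override becomes an unrelated method) but is silently no longer called from filter(); keeping the old signature as a deprecated delegating overload, `processCodeResponse(rc, ui, toRequestState(rc, ui));`, with Javadoc pointing overriders to the new signature, at least keeps source compatibility and makes the break visible. The new signature also has no Javadoc; a `@param requestParams` line stating that these are the already-parsed callback parameters, and that a missing code leaves the token null while the token context is still initialized, would help overriders. The method body continues past the end of the hunk.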
@@ -287,4 +305,12 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
     public void setSetFormPostResponseMode(boolean setFormPostResponseMode) {
         this.setFormPostResponseMode = setFormPostResponseMode;
     }
+
+    public void setBlockAccessDeniedResponses(boolean blockAccessDeniedResponses) {
+        this.faultAccessDeniedResponses = blockAccessDeniedResponses;
+    }
+
+    public void setApplicationCanHandleAccessDenied(boolean applicationCanHandleAccessDenied)
{
+        this.applicationCanHandleAccessDenied = applicationCanHandleAccessDenied;
+    }
 }
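Review bot: `setBlockAccessDeniedResponses` writes the field `faultAccessDeniedResponses` (declared in the first hunk of this file), so a reader following the bean property name cannot find the field and vice versa; rename the field to `blockAccessDeniedResponses` and the assignment to `this.blockAccessDeniedResponses = blockAccessDeniedResponses;` (or rename the setter) so the two agree. Both new setters also lack Javadoc; since together they decide whether an access_denied callback produces a 401, a 200 with an AccessDeniedResponse entity, or is passed through to the application, a sentence on each stating that choice and its default would spare the deployer reading checkSecurityContextEnd to configure it safely.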

