Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A5E871811F for ; Mon, 14 Dec 2015 14:11:55 +0000 (UTC) Received: (qmail 33078 invoked by uid 500); 14 Dec 2015 14:11:55 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 33019 invoked by uid 500); 14 Dec 2015 14:11:55 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 33010 invoked by uid 99); 14 Dec 2015 14:11:55 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Dec 2015 14:11:55 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 4076BDFF8D; Mon, 14 Dec 2015 14:11:55 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: <32e8c3e6583b4a75a26815002d21b6c7@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Require a nonce for the implicit flow Date: Mon, 14 Dec 2015 14:11:55 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master ad149504c -> 9d918465c Require a nonce for the implicit flow Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9d918465 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9d918465 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9d918465 Branch: refs/heads/master Commit: 9d918465c9bfbc30cc6a5fe745a15145ef4e7544 Parents: ad14950 Author: Colm O hEigeartaigh Authored: Mon Dec 14 14:11:43 2015 +0000 Committer: Colm O hEigeartaigh Committed: Mon Dec 14 14:11:43 2015 +0000 ---------------------------------------------------------------------- .../oauth2/common/OAuthAuthorizationData.java | 8 -------- .../rs/security/oidc/idp/OidcImplicitService.java | 18 ++++++++++++++++++ 2 files changed, 18 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/9d918465/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java index d5fe5bc..d0665e9 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java 
@@ -39,7 +39,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 private String endUserName;
 private String authenticityToken;
 private String replyTo;
- private String responseType;
 private String applicationName;
 private String applicationWebUri;
@@ -203,11 +202,4 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 this.implicitFlow = implicitFlow;
 }
- public String getResponseType() {
- return responseType;
- }
-
- public void setResponseType(String responseType) {
- this.responseType = responseType;
- }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9d918465/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 908d141..edf8e98 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -22,10 +22,17 @@ import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 public class OidcImplicitService extends ImplicitGrantService {
@@ -48,6 +55,17 @@ public class OidcImplicitService extends ImplicitGrantService {
 }
 @Override
+ protected Response startAuthorization(MultivaluedMap params,
+ UserSubject userSubject,
+ Client client) {
+ // Validate the nonce, it must be present for the Implicit flow
+ if (params.getFirst(OAuthConstants.NONCE) == null) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+ return super.startAuthorization(params, userSubject, client);
+ }
+
+ @Override
 protected boolean canAuthorizationBeSkipped(Client client,
 List requestedScope,
 List permissions) {
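Review bot: The nonce check added in startAuthorization only rejects an absent parameter, so a request that carries the parameter with an empty value still passes into super.startAuthorization, although OIDC expects a value the client can later match against the issued id_token. I would read the parameter once and reject blank values too: `String nonce = params.getFirst(OAuthConstants.NONCE);` followed by `if (nonce == null || nonce.isEmpty()) {`. Presence is the only property verified here; carrying this value into the id_token is presumably handled elsewhere in the OIDC code and is worth confirming, otherwise the check adds little protection. The `MultivaluedMap` parameter appears raw in the hunk, though that may be the mail rendering dropping type arguments, as it seems to for the `List` parameters below. The hunk ends inside canAuthorizationBeSkipped, whose body continues outside it.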