Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 7993C18160 for ; Wed, 23 Dec 2015 13:23:51 +0000 (UTC) Received: (qmail 45861 invoked by uid 500); 23 Dec 2015 13:23:51 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 45799 invoked by uid 500); 23 Dec 2015 13:23:51 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 45790 invoked by uid 99); 23 Dec 2015 13:23:51 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 23 Dec 2015 13:23:51 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 0221CE002C; Wed, 23 Dec 2015 13:23:51 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: More OAuth2 token management updates Date: Wed, 23 Dec 2015 13:23:51 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master d887fef43 -> 92a87246b More OAuth2 token management updates Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/92a87246 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/92a87246 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/92a87246 Branch: refs/heads/master Commit: 92a87246bc4cac50cf5174313614294c45b3694c Parents: d887fef Author: Sergey Beryozkin Authored: Wed Dec 23 13:23:33 2015 +0000 Committer: Sergey Beryozkin Committed: Wed Dec 23 13:23:33 2015 +0000 ---------------------------------------------------------------------- .../grants/code/AbstractCodeDataProvider.java | 9 +++++-- .../code/DefaultEHCacheCodeDataProvider.java | 21 +++++++++++++-- .../code/DefaultEncryptingCodeDataProvider.java | 22 +++++++++++++--- .../provider/AbstractOAuthDataProvider.java | 25 ++++++++++++------ .../DefaultEHCacheOAuthDataProvider.java | 27 ++++++++++++-------- .../DefaultEncryptingOAuthDataProvider.java | 21 ++++++++++----- 6 files changed, 93 insertions(+), 32 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/92a87246/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java index 14858c1..23fd17e 100644 
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java @@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.grants.code; import java.util.List; +import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider; import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; @@ -46,7 +47,11 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider public void setCodeLifetime(long codeLifetime) { this.codeLifetime = codeLifetime; } - + protected void removeClientCodeGrants(Client c) { + for (ServerAuthorizationCodeGrant grant : getCodeGrants(c)) { + removeCodeGrant(grant.getCode()); + } + } public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg, long lifetime) { ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(), lifetime); grant.setRedirectUri(reg.getRedirectUri()); @@ -59,5 +64,5 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider return grant; } protected abstract void saveCodeGrant(ServerAuthorizationCodeGrant grant); - public abstract List getCodeGrants(); + public abstract List getCodeGrants(Client c); } http://git-wip-us.apache.org/repos/asf/cxf/blob/92a87246/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java ---------------------------------------------------------------------- 
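Review bot: The new abstract `getCodeGrants(Client c)` changes a public signature but carries no Javadoc saying how `c` is matched or whether null is accepted; both implementations in this commit dereference `c.getClientId()`, so null is not an "all clients" wildcard and a caller cannot tell that from the declaration. Suggest `/** Returns the code grants issued to the given client, matched by client id; {@code c} must not be null. */` above it, and a matching sentence on `removeClientCodeGrants`. `removeClientCodeGrants` is also added verbatim a second and third time in DefaultEHCacheCodeDataProvider and DefaultEncryptingCodeDataProvider, whose hunk headers show them extending the Default*OAuthDataProvider classes rather than this one, so the three copies will drift independently. No caller of this copy is visible in the diff, since this class does not override `removeClient` here.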
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java index de86647..768b969 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java @@ -26,6 +26,7 @@ import net.sf.ehcache.Ehcache; import org.apache.cxf.Bus; import org.apache.cxf.BusFactory; import org.apache.cxf.helpers.CastUtils; +import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider; import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; @@ -56,6 +57,19 @@ public class DefaultEHCacheCodeDataProvider extends DefaultEHCacheOAuthDataProvi } @Override + public Client removeClient(String clientId) { + Client c = super.removeClient(clientId); + removeClientCodeGrants(c); + return c; + } + + protected void removeClientCodeGrants(Client c) { + for (ServerAuthorizationCodeGrant grant : getCodeGrants(c)) { + removeCodeGrant(grant.getCode()); + } + } + + @Override public ServerAuthorizationCodeGrant createCodeGrant(AuthorizationCodeRegistration reg) throws OAuthServiceException { ServerAuthorizationCodeGrant grant = doCreateCodeGrant(reg); 
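Review bot: `removeClient` passes the result of `super.removeClient(clientId)` straight into `removeClientCodeGrants(c)`, and `getCodeGrants` dereferences `c.getClientId()` for every stored grant, so removing an unknown client id becomes a NullPointerException as soon as one grant exists (assuming `getClient` returns null for a missing id, which the diff does not show). The same shape appears in DefaultEncryptingCodeDataProvider.removeClient, and in the `removeClientTokens(c)` calls added to DefaultEHCacheOAuthDataProvider.removeClient and DefaultEncryptingOAuthDataProvider.removeClient. A guard in each override, `if (c != null) { removeClientCodeGrants(c); }`, or a single `if (c == null) { return; }` at the top of AbstractOAuthDataProvider.removeClientTokens and of each removeClientCodeGrants, keeps a bad client id a no-op rather than a server error.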
@@ -68,12 +82,15 @@ public class DefaultEHCacheCodeDataProvider extends DefaultEHCacheOAuthDataProvi return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime); } - public List getCodeGrants() { + public List getCodeGrants(Client c) { List keys = CastUtils.cast(codeGrantCache.getKeys()); List grants = new ArrayList(keys.size()); for (String key : keys) { - grants.add(getCodeGrant(key)); + ServerAuthorizationCodeGrant grant = getCodeGrant(key); + if (grant.getClient().getClientId().equals(c.getClientId())) { + grants.add(grant); + } } return grants; } http://git-wip-us.apache.org/repos/asf/cxf/blob/92a87246/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java index a96659b..63c1e26 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java @@ -26,6 +26,7 @@ import java.util.Set; import javax.crypto.SecretKey; +import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider; import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils; 
@@ -46,6 +47,18 @@ public class DefaultEncryptingCodeDataProvider extends DefaultEncryptingOAuthDat super(key); } @Override + public Client removeClient(String clientId) { + Client c = super.removeClient(clientId); + removeClientCodeGrants(c); + return c; + } + + protected void removeClientCodeGrants(Client c) { + for (ServerAuthorizationCodeGrant grant : getCodeGrants(c)) { + removeCodeGrant(grant.getCode()); + } + } + @Override public ServerAuthorizationCodeGrant createCodeGrant(AuthorizationCodeRegistration reg) throws OAuthServiceException { ServerAuthorizationCodeGrant grant = doCreateCodeGrant(reg); @@ -53,11 +66,14 @@ public class DefaultEncryptingCodeDataProvider extends DefaultEncryptingOAuthDat return grant; } - public List getCodeGrants() { + public List getCodeGrants(Client c) { List list = new ArrayList(grants.size()); - for (String grant : grants) { - list.add(getCodeGrant(grant)); + for (String key : grants) { + ServerAuthorizationCodeGrant grant = getCodeGrant(key); + if (grant.getClient().getClientId().equals(c.getClientId())) { + list.add(grant); + } } return list; } http://git-wip-us.apache.org/repos/asf/cxf/blob/92a87246/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java index df3cb31..b586a22 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java 
@@ -80,7 +80,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey, List restrictedScopes) throws OAuthServiceException { RefreshToken currentRefreshToken = recycleRefreshTokens - ? revokeRefreshToken(client, refreshTokenKey) : getRefreshToken(client, refreshTokenKey); + ? revokeRefreshToken(refreshTokenKey) : getRefreshToken(refreshTokenKey); if (currentRefreshToken == null || OAuthUtils.isExpired(currentRefreshToken.getIssuedAt(), currentRefreshToken.getExpiresIn())) { throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED); @@ -108,20 +108,20 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl if (accessToken != null) { handleLinkedRefreshToken(accessToken); } else if (!OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)) { - RefreshToken currentRefreshToken = revokeRefreshToken(client, tokenKey); + RefreshToken currentRefreshToken = revokeRefreshToken(tokenKey); revokeAccessTokens(currentRefreshToken); } } protected void handleLinkedRefreshToken(ServerAccessToken accessToken) { if (accessToken != null && accessToken.getRefreshToken() != null) { - RefreshToken rt = getRefreshToken(accessToken.getClient(), accessToken.getRefreshToken()); + RefreshToken rt = getRefreshToken(accessToken.getRefreshToken()); if (rt == null) { return; } unlinkRefreshAccessToken(rt, accessToken.getTokenKey()); if (rt.getAccessTokens().isEmpty()) { - revokeRefreshToken(accessToken.getClient(), rt.getTokenKey()); + revokeRefreshToken(rt.getTokenKey()); } else { saveRefreshToken(null, rt); } 
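Review bot: With the Client parameter dropped from `getRefreshToken` and `revokeRefreshToken`, `refreshAccessToken` now resolves the refresh token by key alone and the only visible checks are null and expiry; nothing in the hunk compares `client` with `currentRefreshToken.getClient()`, so a refresh token issued to one client would be accepted from another unless that comparison happens later in the method (the body continues outside the hunk). RFC 6749 section 6 requires the server to ensure the refresh token was issued to the authenticated client, so the condition should read `if (currentRefreshToken == null || !client.getClientId().equals(currentRefreshToken.getClient().getClientId()) || OAuthUtils.isExpired(...))`. The old `(Client, String)` lookups in the EHCache provider ignored the client anyway, so this is not a regression, but removing the parameter means the binding can now only be enforced here. `revokeToken` in the second hunk has the same gap: `revokeRefreshToken(tokenKey)` runs without checking that the token belongs to `client`, which RFC 7009 section 2.1 also calls for.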
@@ -270,12 +270,21 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl this.messageContext = messageContext; } + protected void removeClientTokens(Client c) { + for (RefreshToken rt : getRefreshTokens(c)) { + revokeRefreshToken(rt.getTokenKey()); + } + for (ServerAccessToken at : getAccessTokens(c)) { + revokeAccessToken(at.getTokenKey()); + } + } + protected abstract void saveAccessToken(ServerAccessToken serverToken); protected abstract void saveRefreshToken(ServerAccessToken at, RefreshToken refreshToken); protected abstract ServerAccessToken revokeAccessToken(String accessTokenKey); - protected abstract List getAccessTokens(); - protected abstract List getRefreshTokens(); - protected abstract RefreshToken revokeRefreshToken(Client client, String refreshTokenKey); - protected abstract RefreshToken getRefreshToken(Client client, String refreshTokenKey); + protected abstract List getAccessTokens(Client c); + protected abstract List getRefreshTokens(Client c); + protected abstract RefreshToken revokeRefreshToken(String refreshTokenKey); + protected abstract RefreshToken getRefreshToken(String refreshTokenKey); } http://git-wip-us.apache.org/repos/asf/cxf/blob/92a87246/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java index 5d78d87..b87a7f5 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java 
@@ -83,6 +83,7 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider { public Client removeClient(String clientId) { Client c = getClient(clientId); clientCache.remove(clientId); + removeClientTokens(c); return c; } @@ -97,21 +98,27 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider { } @Override - protected List getAccessTokens() { + protected List getAccessTokens(Client c) { List keys = CastUtils.cast(accessTokenCache.getKeys()); List tokens = new ArrayList(keys.size()); for (String key : keys) { - tokens.add(getAccessToken(key)); + ServerAccessToken token = getAccessToken(key); + if (token.getClient().getClientId().equals(c.getClientId())) { + tokens.add(token); + } } return tokens; } @Override - protected List getRefreshTokens() { + protected List getRefreshTokens(Client c) { List keys = CastUtils.cast(refreshTokenCache.getKeys()); List tokens = new ArrayList(keys.size()); for (String key : keys) { - tokens.add(getRefreshToken(null, key)); + RefreshToken token = getRefreshToken(key); + if (token.getClient().getClientId().equals(c.getClientId())) { + tokens.add(token); + } } return tokens; } @@ -120,7 +127,7 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider { public ServerAccessToken getAccessToken(String accessToken) throws OAuthServiceException { return getCacheValue(accessTokenCache, accessToken, ServerAccessToken.class); } - + @Override protected ServerAccessToken revokeAccessToken(String accessTokenKey) { ServerAccessToken at = getAccessToken(accessTokenKey); if (at != null) { 
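Review bot: `removeClient` drops the client record from `clientCache` before `removeClientTokens(c)` runs, so if the token sweep fails part-way the client is already gone while its access and refresh tokens stay live in the token caches; revoking first and removing the client record last keeps a failure on the safe side. The sweep itself is fragile: `getAccessTokens` and `getRefreshTokens` list every key from `accessTokenCache.getKeys()` / `refreshTokenCache.getKeys()` and then call `token.getClient()` on the looked-up value, so an entry that expires or is removed between the key listing and `getCacheValue` would abort the whole sweep with a NullPointerException, if `getCacheValue` returns null for a missing entry as its use in `revokeAccessToken` (`if (at != null)`) suggests. A guard such as `if (token != null && token.getClient().getClientId().equals(c.getClientId()))` in both loops covers this; `getCodeGrants` in DefaultEHCacheCodeDataProvider has the same pattern.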
@@ -128,13 +135,13 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider { } return at; } - - protected RefreshToken getRefreshToken(Client client, String refreshTokenKey) { + @Override + protected RefreshToken getRefreshToken(String refreshTokenKey) { return getCacheValue(refreshTokenCache, refreshTokenKey, RefreshToken.class); } - - protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) { - RefreshToken refreshToken = getRefreshToken(client, refreshTokenKey); + @Override + protected RefreshToken revokeRefreshToken(String refreshTokenKey) { + RefreshToken refreshToken = getRefreshToken(refreshTokenKey); if (refreshToken != null) { refreshTokenCache.remove(refreshTokenKey); } http://git-wip-us.apache.org/repos/asf/cxf/blob/92a87246/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java index bdb63a2..dd7dffb 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java @@ -64,6 +64,7 @@ public class DefaultEncryptingOAuthDataProvider extends AbstractOAuthDataProvide public Client removeClient(String clientId) { Client client = getClient(clientId); clientsMap.remove(clientId); + removeClientTokens(client); return client; } @Override 
@@ -75,18 +76,24 @@ public class DefaultEncryptingOAuthDataProvider extends AbstractOAuthDataProvide return clients; } @Override - protected List getAccessTokens() { + protected List getAccessTokens(Client c) { List list = new ArrayList(tokens.size()); for (String tokenKey : tokens) { - list.add(getAccessToken(tokenKey)); + ServerAccessToken token = getAccessToken(tokenKey); + if (token.getClient().getClientId().equals(c.getClientId())) { + list.add(token); + } } return list; } @Override - protected List getRefreshTokens() { + protected List getRefreshTokens(Client c) { List list = new ArrayList(refreshTokens.size()); for (String tokenKey : tokens) { - list.add(getRefreshToken(null, tokenKey)); + RefreshToken token = getRefreshToken(tokenKey); + if (token.getClient().getClientId().equals(c.getClientId())) { + list.add(token); + } } return list; } @@ -118,10 +125,10 @@ public class DefaultEncryptingOAuthDataProvider extends AbstractOAuthDataProvide } @Override - protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) { + protected RefreshToken revokeRefreshToken(String refreshTokenKey) { RefreshToken rt = null; if (refreshTokens.containsKey(refreshTokenKey)) { - rt = getRefreshToken(client, refreshTokenKey); + rt = getRefreshToken(refreshTokenKey); refreshTokens.remove(refreshTokenKey); } return rt; @@ -135,7 +142,7 @@ public class DefaultEncryptingOAuthDataProvider extends AbstractOAuthDataProvide token.setTokenKey(encryptedToken); } @Override - protected RefreshToken getRefreshToken(Client client, String refreshTokenKey) { + protected RefreshToken getRefreshToken(String refreshTokenKey) { try { return ModelEncryptionSupport.decryptRefreshToken(this, refreshTokenKey, key); } catch (SecurityException ex) {
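Review bot: `getRefreshTokens(Client c)` still iterates `tokens` (the access-token keys) while sizing its list from `refreshTokens.size()`, so every access-token key is handed to `getRefreshToken`, which decrypts it as a RefreshToken, and the entries actually held in `refreshTokens` are never visited. For the new `removeClientTokens` path this means a removed client's refresh tokens in this provider are not revoked at all, and since `revokeRefreshToken` only acts on keys present in `refreshTokens` they keep working until they expire. `refreshTokens` is used with `containsKey` in the revokeRefreshToken hunk, so it appears to be a Map; the loop should be `for (String tokenKey : refreshTokens.keySet())`. The loop header is unchanged context, but this commit is what turns it into a missed revocation.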