cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-6686] Prototyping RFC7622 introspection code
Date Fri, 15 Jan 2016 14:33:26 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 205c61c48 -> 560c72ef7


[CXF-6686] Prototyping RFC7622 introspection code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/560c72ef
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/560c72ef
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/560c72ef

Branch: refs/heads/3.1.x-fixes
Commit: 560c72ef7ad2fef318c0fd65412a39bb9507cf09
Parents: 205c61c
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Fri Jan 15 14:23:26 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Fri Jan 15 14:31:27 2016 +0000

----------------------------------------------------------------------
 .../oauth2/common/AccessTokenValidation.java    |   7 +
 .../security/oauth2/common/OAuthPermission.java |   4 +
 .../oauth2/common/TokenIntrospection.java       | 127 +++++++++++++++++++
 .../filters/AccessTokenIntrospectionClient.java |  91 +++++++++++++
 .../oauth2/provider/OAuthJSONProvider.java      |  89 ++++++++++++-
 .../services/AccessTokenValidatorService.java   |   4 -
 .../services/TokenIntrospectionService.java     | 105 +++++++++++++++
 .../oauth2/services/TokenRevocationService.java |   4 +-
 .../security/oauth2/utils/OAuthConstants.java   |   6 +-
 9 files changed, 421 insertions(+), 16 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
index 5fb14a6..508b37f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
@@ -26,6 +26,13 @@ import java.util.Map;
 import javax.xml.bind.annotation.XmlRootElement;
 
 // Represents the information about the validated ServerAccessToken.
+// It is returned by AccessTokenValidatorService and is checked by CXF OAuthRequestFilter
+// protecting the service resources.
+
+// If the protected resources are not CXF based then use TokenIntrospectionService which
+// returns RFC 7622 compliant TokenIntrospection response. 
+
+
 // The problem with reading specific ServerAccessToken instances is that
 // the (JAXB) reader needs to be specifically aware of the concrete token
 // classes like BearerAccessToken, etc, even though classes like BearerAccessToken

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java
index 0421581..05b3395 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java
@@ -40,6 +40,10 @@ public class OAuthPermission extends Permission {
         
     }
     
+    public OAuthPermission(String permission) {
+        this.permission = permission;
+    }
+    
     public OAuthPermission(String permission, String description) {
         super(permission, description);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
new file mode 100644
index 0000000..4e3911f
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.common;
+
+import java.util.HashMap;
+import java.util.Map;
+
+// RFC 7622 Introspection Response
+public class TokenIntrospection {
+    private boolean active;
+    private String scope;
+    private String clientId;
+    private String username;
+    private String tokenType;
+    private Long iat;
+    private Long exp;
+    private Long nbf;
+    private String sub;
+    private String aud;
+    private String iss;
+    private String jti;
+    
+    private Map<String, String> extensions = new HashMap<String, String>();
+    
+    public TokenIntrospection() {
+        
+    }
+    
+    public TokenIntrospection(boolean active) {
+        this.active = active;
+    }
+
+    public boolean isActive() {
+        return active;
+    }
+    public void setActive(boolean active) {
+        this.active = active;
+    }
+    public String getScope() {
+        return scope;
+    }
+    public void setScope(String scope) {
+        this.scope = scope;
+    }
+    public String getClientId() {
+        return clientId;
+    }
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+    public String getUsername() {
+        return username;
+    }
+    public void setUsername(String username) {
+        this.username = username;
+    }
+    public String getTokenType() {
+        return tokenType;
+    }
+    public void setTokenType(String tokenType) {
+        this.tokenType = tokenType;
+    }
+    public Long getIat() {
+        return iat;
+    }
+    public void setIat(Long iat) {
+        this.iat = iat;
+    }
+    public Long getExp() {
+        return exp;
+    }
+    public void setExp(Long exp) {
+        this.exp = exp;
+    }
+    public Long getNbf() {
+        return nbf;
+    }
+    public void setNbf(Long nbf) {
+        this.nbf = nbf;
+    }
+    public String getSub() {
+        return sub;
+    }
+    public void setSub(String sub) {
+        this.sub = sub;
+    }
+    public String getAud() {
+        return aud;
+    }
+    public void setAud(String aud) {
+        this.aud = aud;
+    }
+    public String getIss() {
+        return iss;
+    }
+    public void setIss(String iss) {
+        this.iss = iss;
+    }
+    public String getJti() {
+        return jti;
+    }
+    public void setJti(String jti) {
+        this.jti = jti;
+    }
+    public Map<String, String> getExtensions() {
+        return extensions;
+    }
+    public void setExtensions(Map<String, String> extensions) {
+        this.extensions = extensions;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
new file mode 100644
index 0000000..c730c9c
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
@@ -0,0 +1,91 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.filters;
+
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.jaxrs.impl.MetadataMap;
+import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.TokenIntrospection;
+import org.apache.cxf.rs.security.oauth2.provider.AccessTokenValidator;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+public class AccessTokenIntrospectionClient implements AccessTokenValidator {
+
+    private WebClient tokenValidatorClient;
+    public List<String> getSupportedAuthorizationSchemes() {
+        return Collections.singletonList(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
+    }
+
+    public AccessTokenValidation validateAccessToken(MessageContext mc,
+                                                     String authScheme, 
+                                                     String authSchemeData,
+                                                     MultivaluedMap<String, String>
extraProps) 
+        throws OAuthServiceException {
+        WebClient client = WebClient.fromClient(tokenValidatorClient, true);
+        MultivaluedMap<String, String> props = new MetadataMap<String, String>();
+        props.putSingle(OAuthConstants.TOKEN_ID, authSchemeData);
+        try {
+            TokenIntrospection response = client.post(props, TokenIntrospection.class);
+            return convertIntrospectionToValidation(response);
+        } catch (WebApplicationException ex) {
+            throw new OAuthServiceException(ex);
+        }
+    }
+
+    private AccessTokenValidation convertIntrospectionToValidation(TokenIntrospection response)
{
+        AccessTokenValidation atv = new AccessTokenValidation();
+        atv.setInitialValidationSuccessful(response.isActive());
+        if (!response.isActive()) {
+            return atv;
+        }
+        atv.setClientId(response.getClientId());
+        atv.setTokenIssuedAt(response.getIat());
+        atv.setTokenLifetime(response.getExp() - response.getIat());
+        atv.setAudience(response.getAud());
+        if (response.getScope() != null) {
+            String[] scopes = response.getScope().split(" ");
+            List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
+            for (String s : scopes) {    
+                if (!StringUtils.isEmpty(s)) {
+                    perms.add(new OAuthPermission(s.trim()));
+                }
+            }
+            atv.setTokenScopes(perms);
+        }
+        
+        return atv;
+    }
+
+    public void setTokenValidatorClient(WebClient tokenValidatorClient) {
+        this.tokenValidatorClient = tokenValidatorClient;
+    }
+    
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
index c850cef..46db726 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
@@ -41,6 +41,7 @@ import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthError;
+import org.apache.cxf.rs.security.oauth2.common.TokenIntrospection;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 @Provider
@@ -54,7 +55,7 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
     }
 
     public boolean isWriteable(Class<?> cls, Type t, Annotation[] anns, MediaType mt)
{
-        return cls == ClientAccessToken.class || cls == OAuthError.class;
+        return cls == ClientAccessToken.class || cls == OAuthError.class || cls == TokenIntrospection.class;
     }
     
     public void writeTo(Object obj, Class<?> cls, Type t, Annotation[] anns, MediaType
mt,
@@ -62,11 +63,46 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
         WebApplicationException {
         if (obj instanceof ClientAccessToken) {
             writeAccessToken((ClientAccessToken)obj, os);
+        } else if (obj instanceof TokenIntrospection) {
+            writeTokenIntrospection((TokenIntrospection)obj, os);
         } else {
             writeOAuthError((OAuthError)obj, os);
         }
     }
 
+    private void writeTokenIntrospection(TokenIntrospection obj, OutputStream os) throws
IOException {
+        StringBuilder sb = new StringBuilder();
+        sb.append("{");
+        appendJsonPair(sb, "active", obj.isActive(), false);
+        if (obj.getClientId() != null) {
+            sb.append(",");
+            appendJsonPair(sb, OAuthConstants.CLIENT_ID, obj.getClientId());
+        }
+        if (obj.getUsername() != null) {
+            sb.append(",");
+            appendJsonPair(sb, "username", obj.getUsername());
+        }
+        if (obj.getTokenType() != null) {
+            sb.append(",");
+            appendJsonPair(sb, OAuthConstants.ACCESS_TOKEN_TYPE, obj.getTokenType());
+        }
+        if (obj.getScope() != null) {
+            sb.append(",");
+            appendJsonPair(sb, OAuthConstants.SCOPE, obj.getScope());
+        }
+        if (obj.getAud() != null) {
+            sb.append(",");
+            appendJsonPair(sb, "aud", obj.getAud());
+        }
+        appendJsonPair(sb, "iat", obj.getIat(), false);
+        appendJsonPair(sb, "exp", obj.getExp(), false);
+        sb.append("}");
+        String result = sb.toString();
+        os.write(result.getBytes(StandardCharsets.UTF_8));
+        os.flush();
+        
+    }
+
     private void writeOAuthError(OAuthError obj, OutputStream os) throws IOException {
         StringBuilder sb = new StringBuilder();
         sb.append("{");
@@ -133,7 +169,9 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
     }
     
     public boolean isReadable(Class<?> cls, Type t, Annotation[] anns, MediaType mt)
{
-        return Map.class.isAssignableFrom(cls) || ClientAccessToken.class.isAssignableFrom(cls);
+        return Map.class.isAssignableFrom(cls) 
+            || ClientAccessToken.class.isAssignableFrom(cls)
+            || TokenIntrospection.class.isAssignableFrom(cls);
     }
 
     public Object readFrom(Class<Object> cls, Type t, Annotation[] anns, 
@@ -142,16 +180,53 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
         Map<String, String> params = readJSONResponse(is);
         if (Map.class.isAssignableFrom(cls)) {
             return params;
-        }
-        ClientAccessToken token = OAuthClientUtils.fromMapToClientToken(params);
-        if (token == null) {
-            throw new WebApplicationException(500);
+        } else if (ClientAccessToken.class.isAssignableFrom(cls)) {
+            ClientAccessToken token = OAuthClientUtils.fromMapToClientToken(params);
+            if (token == null) {
+                throw new WebApplicationException(500);
+            } else {
+                return token;
+            }
         } else {
-            return token;
+            return fromMapToTokenIntrospection(params);
         }
         
     }
 
+    private Object fromMapToTokenIntrospection(Map<String, String> params) {
+        TokenIntrospection resp = new TokenIntrospection();
+        resp.setActive(Boolean.valueOf(params.get("active")));
+        String clientId = params.get(OAuthConstants.CLIENT_ID);
+        if (clientId != null) {
+            resp.setClientId(clientId);
+        }
+        String username = params.get("username");
+        if (username != null) {
+            resp.setUsername(username);
+        }
+        String scope = params.get(OAuthConstants.SCOPE);
+        if (scope != null) {
+            resp.setScope(scope);
+        }
+        String tokenType = params.get(OAuthConstants.ACCESS_TOKEN_TYPE);
+        if (tokenType != null) {
+            resp.setTokenType(tokenType);
+        }
+        String aud = params.get("aud");
+        if (aud != null) {
+            resp.setAud(aud);
+        }
+        String iat = params.get("iat");
+        if (iat != null) {
+            resp.setIat(Long.valueOf(iat));
+        }
+        String exp = params.get("exp");
+        if (exp != null) {
+            resp.setExp(Long.valueOf(exp));
+        }
+        return resp;
+    }
+
     public Map<String, String> readJSONResponse(InputStream is) throws IOException
 {
         String str = IOUtils.readStringFromStream(is).trim();
         if (str.length() == 0) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
index d87dd2f..496ffd4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
@@ -76,10 +76,6 @@ public class AccessTokenValidatorService extends AbstractAccessTokenValidator
{
         this.blockUnsecureRequests = blockUnsecureRequests;
     }
 
-    public boolean isBlockUnauthorizedRequests() {
-        return blockUnauthorizedRequests;
-    }
-
     public void setBlockUnauthorizedRequests(boolean blockUnauthorizedRequests) {
         this.blockUnauthorizedRequests = blockUnauthorizedRequests;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
new file mode 100644
index 0000000..11485fe
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -0,0 +1,105 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.services;
+
+import java.util.logging.Logger;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.Encoded;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.SecurityContext;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.TokenIntrospection;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+
+@Path("introspect")
+public class TokenIntrospectionService {
+    private static final Logger LOG = LogUtils.getL7dLogger(TokenIntrospectionService.class);
+    private boolean blockUnsecureRequests;
+    private boolean blockUnauthorizedRequests = true;
+    private MessageContext mc;
+    private OAuthDataProvider dataProvider;
+    @POST
+    @Produces({MediaType.APPLICATION_JSON })
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    public TokenIntrospection getTokenIntrospection(@Encoded MultivaluedMap<String, String>
params) {
+        checkSecurityContext();
+        String tokenId = params.getFirst(OAuthConstants.TOKEN_ID);
+        ServerAccessToken at = dataProvider.getAccessToken(tokenId);
+        if (at == null || OAuthUtils.isExpired(at.getIssuedAt(), at.getExpiresIn())) { 
+            return new TokenIntrospection(false);
+        }
+        TokenIntrospection response = new TokenIntrospection(true);
+        response.setClientId(at.getClient().getClientId());
+        if (!at.getScopes().isEmpty()) {
+            response.setScope(OAuthUtils.convertPermissionsToScope(at.getScopes()));
+        }
+        if (at.getSubject() != null) {
+            response.setUsername(at.getSubject().getLogin());
+        }
+        if (at.getAudience() != null) {
+            response.setAud(at.getAudience());
+        }
+        response.setIat(at.getIssuedAt());
+        response.setExp(at.getIssuedAt() + at.getExpiresIn());
+        response.setTokenType(at.getTokenType());
+        return response;
+    }
+
+    private void checkSecurityContext() {
+        SecurityContext sc = mc.getSecurityContext();
+        if (!sc.isSecure() && blockUnsecureRequests) {
+            LOG.warning("Unsecure HTTP, Transport Layer Security is recommended");
+            ExceptionUtils.toNotAuthorizedException(null,  null);
+        }
+        if (sc.getUserPrincipal() == null && blockUnauthorizedRequests) {
+            LOG.warning("Authenticated Principal is not available");
+            ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        
+    }
+
+    public void setBlockUnsecureRequests(boolean blockUnsecureRequests) {
+        this.blockUnsecureRequests = blockUnsecureRequests;
+    }
+
+    public void setBlockUnauthorizedRequests(boolean blockUnauthorizedRequests) {
+        this.blockUnauthorizedRequests = blockUnauthorizedRequests;
+    }
+
+    public void setDataProvider(OAuthDataProvider dataProvider) {
+        this.dataProvider = dataProvider;
+    }
+    
+    @Context
+    public void setMessageContext(MessageContext context) {
+        this.mc = context;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
index 26be81f..483ffd8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
@@ -48,11 +48,11 @@ public class TokenRevocationService extends AbstractTokenService {
         
         // Make sure the client is authenticated
         Client client = authenticateClientIfNeeded(params);
-        String token = params.getFirst(OAuthConstants.REVOKED_TOKEN_ID);
+        String token = params.getFirst(OAuthConstants.TOKEN_ID);
         if (token == null) {
             return createErrorResponse(params, OAuthConstants.UNSUPPORTED_TOKEN_TYPE);
         }
-        String tokenTypeHint = params.getFirst(OAuthConstants.REVOKED_TOKEN_TYPE_HINT);
+        String tokenTypeHint = params.getFirst(OAuthConstants.TOKEN_TYPE_HINT);
         if (tokenTypeHint != null 
             && !OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)
             && !OAuthConstants.REFRESH_TOKEN.equals(tokenTypeHint)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/560c72ef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
index 8a98eff..71d517c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
@@ -119,9 +119,9 @@ public final class OAuthConstants {
     public static final String INVALID_SCOPE = "invalid_scope";
     public static final String ACCESS_DENIED = "access_denied";
     
-    // Token Revocation
-    public static final String REVOKED_TOKEN_ID = "token";
-    public static final String REVOKED_TOKEN_TYPE_HINT = "token_type_hint";
+    // Token Revocation, Introspection
+    public static final String TOKEN_ID = "token";
+    public static final String TOKEN_TYPE_HINT = "token_type_hint";
     public static final String UNSUPPORTED_TOKEN_TYPE = "unsupported_token_type";
     
     // Authorization scheme constants, used internally by AccessTokenValidation client and
service


Mime
View raw message