cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject [2/2] cxf git commit: Trying to finalize the current token introspection/audience code
Date Fri, 22 Jan 2016 14:01:55 GMT
Trying to finalize the current token introspection/audience code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4604ca12
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4604ca12
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4604ca12

Branch: refs/heads/3.1.x-fixes
Commit: 4604ca122a129ee311bbbfc041fbd48777f5354f
Parents: 5705d3d
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Fri Jan 22 13:45:34 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Fri Jan 22 14:01:33 2016 +0000

----------------------------------------------------------------------
 .../rs/security/oauth2/common/AccessToken.java  |  9 +++++
 .../oauth2/common/AccessTokenValidation.java    | 11 +++++-
 .../rs/security/oauth2/common/OAuthContext.java | 19 ++++++++---
 .../filters/AccessTokenIntrospectionClient.java | 20 +++++++----
 .../oauth2/filters/OAuthRequestFilter.java      | 35 +++++++++++++-------
 .../oauth2/provider/OAuthJSONProvider.java      | 18 +++++++---
 .../services/TokenIntrospectionService.java     |  9 ++++-
 7 files changed, 92 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
index e31ae7c..dd0415f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
@@ -34,6 +34,7 @@ public abstract class AccessToken implements Serializable {
     private String refreshToken;
     private long expiresIn = -1;
     private long issuedAt = -1;
+    private String issuer;
     
     
     private Map<String, String> parameters = new LinkedHashMap<String, String>();
@@ -140,4 +141,12 @@ public abstract class AccessToken implements Serializable {
     public void setParameters(Map<String, String> parameters) {
         this.parameters = parameters;
     }
+
+    public String getIssuer() {
+        return issuer;
+    }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
index 6a33e2b..f7b945d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
@@ -53,6 +53,7 @@ public class AccessTokenValidation {
     private String tokenGrantType;
     private long tokenIssuedAt;
     private long tokenLifetime;
+    private String tokenIssuer;
     private UserSubject tokenSubject;
     private List<OAuthPermission> tokenScopes = new LinkedList<OAuthPermission>();
     private List<String> audiences = new LinkedList<String>();
@@ -73,7 +74,7 @@ public class AccessTokenValidation {
         this.tokenGrantType = token.getGrantType();
         this.tokenIssuedAt = token.getIssuedAt();
         this.tokenLifetime = token.getExpiresIn();
-        
+        this.tokenIssuer = token.getIssuer();
         this.tokenSubject = token.getSubject();
         this.tokenScopes = token.getScopes();
         this.setAudiences(token.getAudiences());
@@ -183,5 +184,13 @@ public class AccessTokenValidation {
     public void setAudiences(List<String> audiences) {
         this.audiences = audiences;
     }
+
+    public String getTokenIssuer() {
+        return tokenIssuer;
+    }
+
+    public void setTokenIssuer(String tokenIssuer) {
+        this.tokenIssuer = tokenIssuer;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
index 6e83e08..74d7fc2 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
@@ -35,7 +35,8 @@ public class OAuthContext {
     private String clientId;
     private boolean isClientConfidential;
     private String tokenKey;
-    private List<String> tokenAudiences;
+    private String tokenAudience;
+    private String tokenIssuer;
     private String[] tokenRequestParts;
     
     public OAuthContext(UserSubject resourceOwnerSubject,
@@ -113,12 +114,12 @@ public class OAuthContext {
         this.tokenKey = tokenKey;
     }
 
-    public List<String> getTokenAudiences() {
-        return tokenAudiences;
+    public String getTokenAudience() {
+        return tokenAudience;
     }
 
-    public void setTokenAudiences(List<String> audiences) {
-        this.tokenAudiences = audiences;
+    public void setTokenAudience(String audience) {
+        this.tokenAudience = audience;
     }
     
     public String[] getTokenRequestParts() {
@@ -134,4 +135,12 @@ public class OAuthContext {
     public void setClientConfidential(boolean isConfidential) {
         this.isClientConfidential = isConfidential;
     }
+
+    public String getTokenIssuer() {
+        return tokenIssuer;
+    }
+
+    public void setTokenIssuer(String tokenIssuer) {
+        this.tokenIssuer = tokenIssuer;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
index 0b1a267..778b732 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
@@ -62,13 +62,21 @@ public class AccessTokenIntrospectionClient implements AccessTokenValidator
{
     private AccessTokenValidation convertIntrospectionToValidation(TokenIntrospection response)
{
         AccessTokenValidation atv = new AccessTokenValidation();
         atv.setInitialValidationSuccessful(response.isActive());
-        if (!response.isActive()) {
-            return atv;
+        if (response.getClientId() != null) {
+            atv.setClientId(response.getClientId());
+        }
+        if (response.getIat() != null) {
+            atv.setTokenIssuedAt(response.getIat());
+        }
+        if (response.getExp() != null) {
+            atv.setTokenLifetime(response.getExp() - response.getIat());
+        }
+        if (!StringUtils.isEmpty(response.getAud())) {
+            atv.setAudiences(response.getAud());
+        }
+        if (response.getIss() != null) {
+            atv.setTokenIssuer(response.getIss());
         }
-        atv.setClientId(response.getClientId());
-        atv.setTokenIssuedAt(response.getIat());
-        atv.setTokenLifetime(response.getExp() - response.getIat());
-        atv.setAudiences(response.getAud());
         if (response.getScope() != null) {
             String[] scopes = response.getScope().split(" ");
             List<OAuthPermission> perms = new LinkedList<OAuthPermission>();

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index 40f4a41..5fb6108 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -70,6 +70,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     
     private boolean useUserSubject;
     private String audience;
+    private String issuer;
     private boolean completeAudienceMatch;
     private boolean audienceIsEndpointAddress = true;
     private boolean checkFormData;
@@ -99,10 +100,13 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         // Get the access token
         AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData,
null); 
         if (!accessTokenV.isInitialValidationSuccessful()) {
-            throw ExceptionUtils.toNotAuthorizedException(null, null);
+            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         }
         // Check audiences
-        if (!validateAudiences(accessTokenV.getAudiences())) {
+        String validAudience = validateAudiences(accessTokenV.getAudiences());
+        
+        // Check if token was issued by the supported issuer
+        if (issuer != null && issuer.equals(accessTokenV.getTokenIssuer())) {
             AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         }
         // Find the scopes which match the current request
@@ -162,7 +166,8 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         oauthContext.setClientId(accessTokenV.getClientId());
         oauthContext.setClientConfidential(accessTokenV.isClientConfidential());
         oauthContext.setTokenKey(accessTokenV.getTokenKey());
-        oauthContext.setTokenAudiences(accessTokenV.getAudiences());
+        oauthContext.setTokenAudience(validAudience);
+        oauthContext.setTokenIssuer(accessTokenV.getTokenIssuer());
         oauthContext.setTokenRequestParts(authParts);
         m.setContent(OAuthContext.class, oauthContext);
     }
@@ -241,26 +246,28 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         return MessageUtils.isTrue(m.get("local_preflight"));
     }
 
-    protected boolean validateAudiences(List<String> audiences) {
+    protected String validateAudiences(List<String> audiences) {
         if (StringUtils.isEmpty(audiences) && audience == null) {
-            return true;
+            return null;
         }
         if (audience != null) {
-            return audiences.contains(audience);
+            if (audiences.contains(audience)) {
+                return audience;
+            }
+            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         } 
         if (!audienceIsEndpointAddress) {
-            return true;
+            return null;
         }
-        boolean matched = false;
         String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
         for (String s : audiences) {
-            matched = completeAudienceMatch ? requestPath.equals(s) : requestPath.startsWith(s);
+            boolean matched = completeAudienceMatch ? requestPath.equals(s) : requestPath.startsWith(s);
             if (matched) {
-                break;
+                return s;
             }
         }
-        return matched;
-        
+        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+        return null;
     }
     
     public void setCheckFormData(boolean checkFormData) {
@@ -331,5 +338,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) {
         this.audienceIsEndpointAddress = audienceIsEndpointAddress;
     }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
index 1a3283b..01b7d5a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
@@ -99,8 +99,8 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
                 if (obj.getAud().size() == 1) {
                     appendJsonPair(sb, "aud", obj.getAud().get(0));
                 } else {
-                    sb.append("[");
                     StringBuilder arr = new StringBuilder();
+                    arr.append("[");
                     List<String> auds = obj.getAud();
                     for (int i = 0; i < auds.size(); i++) {
                         if (i > 0) {
@@ -108,15 +108,21 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
                         }
                         arr.append("\"").append(auds.get(i)).append("\"");
                     }
-                    sb.append("]");
+                    arr.append("]");
                     appendJsonPair(sb, "aud", arr.toString(), false);
                     
                 }
             }
+            if (obj.getIss() != null) {
+                sb.append(",");
+                appendJsonPair(sb, "iss", obj.getExp(), false);
+            }
             sb.append(",");
             appendJsonPair(sb, "iat", obj.getIat(), false);
-            sb.append(",");
-            appendJsonPair(sb, "exp", obj.getExp(), false);
+            if (obj.getExp() != null) {
+                sb.append(",");
+                appendJsonPair(sb, "exp", obj.getExp(), false);
+            }
         }
         sb.append("}");
         String result = sb.toString();
@@ -250,6 +256,10 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
                     resp.setAud(Collections.singletonList(aud));
                 }
             }
+            String iss = params.get("iss");
+            if (iss != null) {
+                resp.setIss(iss);
+            }
             String iat = params.get("iat");
             if (iat != null) {
                 resp.setIat(Long.valueOf(iat));

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index 9dc4bf8..65c1af6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -73,8 +73,15 @@ public class TokenIntrospectionService {
         if (!StringUtils.isEmpty(at.getAudiences())) {
             response.setAud(at.getAudiences());
         }
+        if (at.getIssuer() != null) {
+            response.setIss(at.getIssuer());
+        }
+        
         response.setIat(at.getIssuedAt());
-        response.setExp(at.getIssuedAt() + at.getExpiresIn());
+        if (at.getExpiresIn() > 0) {
+            response.setExp(at.getIssuedAt() + at.getExpiresIn());
+        }
+        
         response.setTokenType(at.getTokenType());
         return response;
     }


Mime
View raw message