cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Prototyong the code for better supporting pre-authorized tokens
Date Mon, 25 Jan 2016 17:17:39 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 96b9016d8 -> 5638cae66


Prototyong the code for better supporting pre-authorized tokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5638cae6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5638cae6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5638cae6

Branch: refs/heads/master
Commit: 5638cae66ca25c603af6113a539e590c035ee33a
Parents: 96b9016
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Jan 25 17:17:23 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Jan 25 17:17:23 2016 +0000

----------------------------------------------------------------------
 .../oauth2/grants/AbstractGrantHandler.java     |  1 +
 .../grants/code/AbstractCodeDataProvider.java   |  1 +
 .../code/AuthorizationCodeGrantHandler.java     |  5 +++
 .../code/AuthorizationCodeRegistration.java     |  8 ++++-
 .../code/ServerAuthorizationCodeGrant.java      |  9 +++++
 .../provider/AbstractOAuthDataProvider.java     | 36 ++++++++++++++++++--
 .../services/AuthorizationCodeGrantService.java |  2 +-
 7 files changed, 57 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index 1c552cb..3df087b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -164,6 +164,7 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler
{
         // Get a pre-authorized token if available
         return dataProvider.getPreauthorizedToken(
                                      client, requestedScopes, subject, requestedGrant);
+        
     }
     
     public boolean isPartialMatchScopeValidation() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index de61bb8..12fd14e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -54,6 +54,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
         ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(),
lifetime);
         grant.setRedirectUri(reg.getRedirectUri());
         grant.setSubject(reg.getSubject());
+        grant.setPreauthorizedTokenAvailable(reg.isPreauthorizedTokenAvailable());
         grant.setRequestedScopes(reg.getRequestedScope());
         grant.setApprovedScopes(reg.getApprovedScope());
         grant.setAudience(reg.getAudience());

http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index a490812..4a01328 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -111,6 +111,11 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler
{
                                                         getAudiences(client, grant.getAudience()));
         if (token != null) {
             return token;
+        } else if (grant.isPreauthorizedTokenAvailable()) {
+            // the grant was issued based on the authorization time check confirming the
+            // token was available but it has expired by now or been removed then
+            // creating a completely new token can be wrong - though this needs to be reviewed

+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
         }
         
         // Delegate to the data provider to create the one

http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
index 1319cad..a3185b7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
@@ -37,7 +37,7 @@ public class AuthorizationCodeRegistration {
     private String audience;
     private String nonce;
     private String clientCodeChallenge;
-    
+    private boolean preauthorizedTokenAvailable;
     /**
      * Sets the {@link Client} reference
      * @param client the client
@@ -133,4 +133,10 @@ public class AuthorizationCodeRegistration {
     public void setNonce(String nonce) {
         this.nonce = nonce;
     }
+    public boolean isPreauthorizedTokenAvailable() {
+        return preauthorizedTokenAvailable;
+    }
+    public void setPreauthorizedTokenAvailable(boolean preauthorizedTokenAvailable) {
+        this.preauthorizedTokenAvailable = preauthorizedTokenAvailable;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index 026a835..119cc59 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -41,6 +41,7 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant
{
     private String audience;
     private String clientCodeChallenge;
     private String nonce;
+    private boolean preauthorizedTokenAvailable;
     
     public ServerAuthorizationCodeGrant() {
         
@@ -165,4 +166,12 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant
{
     public void setNonce(String nonce) {
         this.nonce = nonce;
     }
+
+    public boolean isPreauthorizedTokenAvailable() {
+        return preauthorizedTokenAvailable;
+    }
+
+    public void setPreauthorizedTokenAvailable(boolean preauthorizedTokenAvailable) {
+        this.preauthorizedTokenAvailable = preauthorizedTokenAvailable;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 5183385..6ac6922 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -44,6 +44,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
     private List<String> defaultScopes;
     private List<String> requiredScopes;
     private List<String> invisibleToClientScopes;
+    private boolean supportPreauthorizedTokens;
     
     
     protected AbstractOAuthDataProvider() {
@@ -175,10 +176,31 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
     }
 
     @Override
-    public ServerAccessToken getPreauthorizedToken(Client client, List<String> requestedScopes,
-                                                   UserSubject subject, String grantType)
-        throws OAuthServiceException {
+    public ServerAccessToken getPreauthorizedToken(Client client, 
+                                                   List<String> requestedScopes,
+                                                   UserSubject sub, 
+                                                   String grantType) throws OAuthServiceException
{
+        if (!supportPreauthorizedTokens) {
+            return null;
+        }
+
+        ServerAccessToken token = null;
+        for (ServerAccessToken at : getAccessTokens(client, sub)) {
+            if (at.getClient().getClientId().equals(client.getClientId())
+                && at.getGrantType().equals(grantType)
+                && (sub == null || at.getSubject().getLogin().equals(sub.getLogin()))
+                && OAuthUtils.convertPermissionsToScopeList(
+                    at.getScopes()).containsAll(requestedScopes)) {
+                token = at;
+                break;
+            }
+        }
+        if (token != null 
+            && OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn())) {
+            revokeToken(client, token.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
+        }
         return null;
+        
     }
     
     protected boolean isRefreshTokenSupported(List<String> theScopes) {
@@ -323,4 +345,12 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         this.invisibleToClientScopes = invisibleToClientScopes;
     }
 
+    public void setSupportPreauthorizedTokens(boolean supportPreauthorizedTokens) {
+        // This property can be enabled by default as it is generally a good thing to check
+        // if a token for a given client (+ user) pair exists but doing the queries on every
+        // authorization request for all the client-user combinations might be not cheap,
+        // hence this property is currently disabled by default
+        this.supportPreauthorizedTokens = supportPreauthorizedTokens;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 36615e7..9a8609a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -103,7 +103,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         // in this flow the code is still created, the preauthorized token
         // will be retrieved by the authorization code grant handler
         AuthorizationCodeRegistration codeReg = new AuthorizationCodeRegistration(); 
-        
+        codeReg.setPreauthorizedTokenAvailable(preauthorizedToken != null);
         codeReg.setClient(client);
         codeReg.setRedirectUri(state.getRedirectUri());
         codeReg.setRequestedScope(requestedScope);


Mime
View raw message