From serg...@apache.org
Subject cxf git commit: Converting most of AbstractJose* helpers into concrete classes to make it simpler to delegate to them without having to extend
Date Fri, 05 Feb 2016 14:16:13 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 5239e3a36 -> 5c8c5f5b0


Converting most of AbstractJose* helpers into concrete classes to make it simpler to delegate
to them without having to extend


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5c8c5f5b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5c8c5f5b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5c8c5f5b

Branch: refs/heads/master
Commit: 5c8c5f5b0097c0d448f089e34b94b1f6ba2c97e7
Parents: 5239e3a
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Fri Feb 5 14:15:58 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Fri Feb 5 14:15:58 2016 +0000

----------------------------------------------------------------------
 .../jaxrs/JwtAuthenticationClientFilter.java    |   4 +-
 .../jose/jaxrs/JwtAuthenticationFilter.java     |   4 +-
 .../jose/jwt/AbstractJoseJwtConsumer.java       | 107 -----------
 .../jose/jwt/AbstractJoseJwtProducer.java       |  91 ---------
 .../grants/code/JwtRequestCodeFilter.java       |   4 +-
 .../provider/AbstractOAuthJoseJwtConsumer.java  |  60 ------
 .../provider/AbstractOAuthJoseJwtProducer.java  |  71 -------
 .../AbstractOAuthServerJoseJwtProducer.java     |  65 -------
 .../jwt/AbstactJwtAccessTokenValidator.java     |   4 +-
 .../oidc/idp/IdTokenResponseFilter.java         |   4 +-
 .../rs/security/oidc/idp/UserInfoService.java   |   4 +-
 .../oidc/rp/AbstractTokenValidator.java         | 192 -------------------
 .../cxf/rs/security/oidc/rp/IdTokenReader.java  |   2 +-
 .../cxf/rs/security/oidc/rp/UserInfoClient.java |   2 +-
 14 files changed, 14 insertions(+), 600 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
index 0319e8b..9cbbdf5 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
@@ -33,14 +33,14 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rs.security.jose.common.JoseException;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
-import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
+import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 @Priority(Priorities.AUTHENTICATION)
-public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer 
+public class JwtAuthenticationClientFilter extends JoseJwtProducer 
     implements ClientRequestFilter {
 
     private static final String DEFAULT_AUTH_SCHEME = "JWT";
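Review bot: The new superclass JoseJwtProducer imported and extended here is not added anywhere in this commit — the diffstat lists 14 insertions and no new files — so this hunk only compiles if JoseJwtProducer already landed in an earlier commit on this branch. The same applies to JoseJwtConsumer, OAuthJoseJwtConsumer and OAuthServerJoseJwtProducer referenced by the JwtAuthenticationFilter, JwtRequestCodeFilter, AbstactJwtAccessTokenValidator, IdTokenResponseFilter and UserInfoService hunks. Worth confirming that those classes exist at this commit and still expose the members these subclasses call with at least the visibility the deleted abstract bases had (processJwt and getJwtToken were protected there). The class body continues outside the hunk.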

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index 50c6a13..eeda86d 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -35,14 +35,14 @@ import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.common.JoseException;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.security.SecurityContext;
 
 @PreMatching
 @Priority(Priorities.AUTHENTICATION)
-public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements ContainerRequestFilter
{
+public class JwtAuthenticationFilter extends JoseJwtConsumer implements ContainerRequestFilter
{
     protected static final Logger LOG = LogUtils.getL7dLogger(JwtAuthenticationFilter.class);
     
     private static final String DEFAULT_AUTH_SCHEME = "JWT";

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
deleted file mode 100644
index a2c358c..0000000
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwt;
-
-import org.apache.cxf.rs.security.jose.common.AbstractJoseConsumer;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
-import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-
-public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer {
-    private boolean jwsRequired = true;
-    private boolean jweRequired;
-    
-    protected JwtToken getJwtToken(String wrappedJwtToken) {
-        return getJwtToken(wrappedJwtToken, null, null);
-    }
-    protected JwtToken getJwtToken(String wrappedJwtToken,
-                                   JweDecryptionProvider theDecryptor,
-                                   JwsSignatureVerifier theSigVerifier) {
-        if (!isJwsRequired() && !isJweRequired()) {
-            throw new JwtException("Unable to process JWT");
-        }
-        
-        JweHeaders jweHeaders = new JweHeaders();
-        if (isJweRequired()) {
-            JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(wrappedJwtToken);
-            
-            if (theDecryptor == null) {
-                theDecryptor = getInitializedDecryptionProvider(jwtConsumer.getHeaders());
-            }
-            if (theDecryptor == null) {
-                throw new JwtException("Unable to decrypt JWT");
-            }
-            
-            if (!isJwsRequired()) {
-                return jwtConsumer.decryptWith(theDecryptor);    
-            }
-            
-            JweDecryptionOutput decOutput = theDecryptor.decrypt(wrappedJwtToken);
-            wrappedJwtToken = decOutput.getContentText();
-            jweHeaders = decOutput.getHeaders();
-        }
-        
-        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
-        JwtToken jwt = jwtConsumer.getJwtToken();
-        // Store the encryption headers as well
-        jwt = new JwtToken(jwt.getJwsHeaders(), jweHeaders, jwt.getClaims());
-        
-        if (isJwsRequired()) {
-            if (theSigVerifier == null) {
-                theSigVerifier = getInitializedSignatureVerifier(jwt);
-            }
-            if (theSigVerifier == null) {
-                throw new JwtException("Unable to validate JWT");
-            }
-            
-            if (!jwtConsumer.verifySignatureWith(theSigVerifier)) {
-                throw new JwtException("Invalid Signature");
-            }
-        }
-        
-        validateToken(jwt);
-        return jwt; 
-    }
-    
-    protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
-        return super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
-    }
-    
-    protected void validateToken(JwtToken jwt) {
-    }
-    public boolean isJwsRequired() {
-        return jwsRequired;
-    }
-
-    public void setJwsRequired(boolean jwsRequired) {
-        this.jwsRequired = jwsRequired;
-    }
-
-    public boolean isJweRequired() {
-        return jweRequired;
-    }
-
-    public void setJweRequired(boolean jweRequired) {
-        this.jweRequired = jweRequired;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
deleted file mode 100644
index f65ca2c..0000000
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwt;
-
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.rs.security.jose.common.AbstractJoseProducer;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-
-public abstract class AbstractJoseJwtProducer extends AbstractJoseProducer {
-    private boolean jwsRequired = true;
-    private boolean jweRequired;
-    
-    protected String processJwt(JwtToken jwt) {
-        return processJwt(jwt, null, null);
-    }
-    protected String processJwt(JwtToken jwt,
-                                JweEncryptionProvider theEncProvider,
-                                JwsSignatureProvider theSigProvider) {
-        if (!isJwsRequired() && !isJweRequired()) {
-            throw new JwtException("Unable to secure JWT");
-        }
-        String data = null;
-        
-        if (isJweRequired() && theEncProvider == null) {
-            theEncProvider = getInitializedEncryptionProvider(jwt.getJweHeaders());
-            if (theEncProvider == null) {
-                throw new JwtException("Unable to encrypt JWT");
-            }
-        }
-        
-        if (isJwsRequired()) {
-            JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt);
-            if (jws.isPlainText()) {
-                data = jws.getSignedEncodedJws();
-            } else {
-                if (theSigProvider == null) {
-                    theSigProvider = getInitializedSignatureProvider(jwt.getJwsHeaders());
-                }
-                
-                if (theSigProvider == null) {
-                    throw new JwtException("Unable to sign JWT");
-                }
-                
-                data = jws.signWith(theSigProvider);
-            }
-            if (theEncProvider != null) {
-                data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), null);
-            }
-        } else {
-            JweJwtCompactProducer jwe = new JweJwtCompactProducer(jwt);
-            data = jwe.encryptWith(theEncProvider);
-        }
-        return data;
-    }
-
-    public boolean isJwsRequired() {
-        return jwsRequired;
-    }
-
-    public void setJwsRequired(boolean jwsRequired) {
-        this.jwsRequired = jwsRequired;
-    }
-
-    public boolean isJweRequired() {
-        return jweRequired;
-    }
-
-    public void setJweRequired(boolean jweRequired) {
-        this.jweRequired = jweRequired;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
index ddb4f74..652f7f8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
@@ -36,12 +36,12 @@ import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeRequestFilter;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
-public class JwtRequestCodeFilter extends AbstractOAuthJoseJwtConsumer implements AuthorizationCodeRequestFilter
{
+public class JwtRequestCodeFilter extends OAuthJoseJwtConsumer implements AuthorizationCodeRequestFilter
{
     private static final String REQUEST_PARAM = "request";
     private static final String REQUEST_URI_PARAM = "request_uri";
     private boolean verifyWithClientCertificates;
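Review bot: JwtRequestCodeFilter now inherits its client-secret decryption and verification settings from OAuthJoseJwtConsumer, which is not visible in this diff, while the abstract base it replaces (AbstractOAuthJoseJwtConsumer, deleted in this commit) carried a setter defect that is worth confirming did not survive the move: its setDecryptWithClientSecret body was `this.decryptWithClientSecret = verifyWithClientSecret;`, so the configured value was silently ignored and JWE decryption with the client secret was tied to the verify flag instead. If the replacement copied that setter verbatim, the line should read `this.decryptWithClientSecret = decryptWithClientSecret;`. The filter body continues outside the hunk.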

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
deleted file mode 100644
index 4e6e7a7..0000000
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.provider;
-
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
-
-public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer {
-   
-    private boolean decryptWithClientSecret;
-    private boolean verifyWithClientSecret;
-    
-    protected JwtToken getJwtToken(String wrappedJwtToken, String clientSecret) {
-        return getJwtToken(wrappedJwtToken, 
-                           getInitializedDecryptionProvider(clientSecret),
-                           getInitializedSignatureVerifier(clientSecret));
-    }
-    
-    protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) {
-        if (verifyWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
-            return OAuthUtils.getClientSecretSignatureVerifier(clientSecret);
-        } else {
-            return null;
-        }
-    }
-    protected JweDecryptionProvider getInitializedDecryptionProvider(String clientSecret)
{
-        if (decryptWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
-            return OAuthUtils.getClientSecretDecryptionProvider(clientSecret);
-        } else {
-            return null;
-        }
-    }
-
-    public void setDecryptWithClientSecret(boolean decryptWithClientSecret) {
-        this.decryptWithClientSecret = verifyWithClientSecret;
-    }
-    public void setVerifyWithClientSecret(boolean verifyWithClientSecret) {
-        this.verifyWithClientSecret = verifyWithClientSecret;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
deleted file mode 100644
index 4563842..0000000
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.provider;
-
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
-
-public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProducer {
-    private boolean encryptWithClientSecret;
-    private boolean signWithClientSecret;
-    
-    protected String processJwt(JwtToken jwt, String clientSecret) {
-        return processJwt(jwt, 
-                         getInitializedEncryptionProvider(clientSecret),
-                         getInitializedSignatureProvider(clientSecret));
-    }
-    
-    protected JwsSignatureProvider getInitializedSignatureProvider(String clientSecret) {
-        if (signWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
-            return OAuthUtils.getClientSecretSignatureProvider(clientSecret);
-        } else {
-            return null;
-        }
-    }
-    protected JweEncryptionProvider getInitializedEncryptionProvider(String clientSecret)
{
-        if (encryptWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
-            return OAuthUtils.getClientSecretEncryptionProvider(clientSecret);
-        } else {
-            return null;
-        }
-    }
-
-    public void setEncryptWithClientSecret(boolean encryptWithClientSecret) {
-        if (signWithClientSecret) {
-            throw new SecurityException();
-        }
-        this.encryptWithClientSecret = encryptWithClientSecret;
-    }
-    public void setSignWithClientSecret(boolean signWithClientSecret) {
-        if (encryptWithClientSecret) {
-            throw new SecurityException();
-        }
-        this.signWithClientSecret = signWithClientSecret;
-    }
-    public boolean isSignWithClientSecret() {
-        return signWithClientSecret;
-    }
-    public boolean isEncryptWithClientSecret() {
-        return encryptWithClientSecret;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
deleted file mode 100644
index 31d8506..0000000
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.provider;
-
-import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPublicKey;
-
-import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rt.security.crypto.CryptoUtils;
-
-public abstract class AbstractOAuthServerJoseJwtProducer extends AbstractOAuthJoseJwtProducer
{
-    private boolean encryptWithClientCertificates;
-    
-    protected String processJwt(JwtToken jwt, Client client) {
-        return processJwt(jwt, 
-                         getInitializedEncryptionProvider(client),
-                         getInitializedSignatureProvider(client.getClientSecret()));
-    }
-    
-    protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) {
-        JweEncryptionProvider theEncryptionProvider = null;
-        if (encryptWithClientCertificates) {
-            X509Certificate cert = 
-                (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
-            theEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(),

-                                                                         KeyAlgorithm.RSA_OAEP,

-                                                                         ContentAlgorithm.A128GCM,

-                                                                         null);
-        }
-        if (theEncryptionProvider == null) {
-            theEncryptionProvider = super.getInitializedEncryptionProvider(c.getClientSecret());
-        }
-        return theEncryptionProvider;
-        
-    }
-
-    public void setEncryptWithClientCertificates(boolean encryptWithClientCertificates) {
-        if (isEncryptWithClientSecret()) {
-            throw new SecurityException();
-        }
-        this.encryptWithClientCertificates = encryptWithClientCertificates;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/AbstactJwtAccessTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/AbstactJwtAccessTokenValidator.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/AbstactJwtAccessTokenValidator.java
index 668bf0c..cd7fdb6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/AbstactJwtAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/AbstactJwtAccessTokenValidator.java
@@ -24,14 +24,14 @@ import java.util.List;
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenValidator;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 
-public abstract class AbstactJwtAccessTokenValidator extends AbstractJoseJwtConsumer 
+public abstract class AbstactJwtAccessTokenValidator extends JoseJwtConsumer 
     implements AccessTokenValidator {
     private OAuthDataProvider dataProvider;
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index b7a7478..7051090 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -27,14 +27,14 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
-public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer implements
AccessTokenResponseFilter {
+public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements AccessTokenResponseFilter
{
     private UserInfoProvider userInfoProvider;
     @Override
     public void process(ClientAccessToken ct, ServerAccessToken st) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index a3d682d..ae9a75a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -27,14 +27,14 @@ import javax.ws.rs.core.Response;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
 
 @Path("/userinfo")
-public class UserInfoService extends AbstractOAuthServerJoseJwtProducer {
+public class UserInfoService extends OAuthServerJoseJwtProducer {
     private UserInfoProvider userInfoProvider;
     private OAuthDataProvider oauthDataProvider;
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
deleted file mode 100644
index 35c8e87..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ /dev/null
@@ -1,192 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.rp;
-
-import java.util.List;
-import java.util.concurrent.ConcurrentHashMap;
-
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.jaxrs.client.WebClient;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
-import org.apache.cxf.rs.security.jose.jwt.JwtException;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
-
-public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsumer {
-    private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
-    private String issuerId;
-    private int clockOffset;
-    private int ttl;
-    private WebClient jwkSetClient;
-    private boolean supportSelfIssuedProvider;
-    private boolean strictTimeValidation;
-    private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String,
JsonWebKey>(); 
-
-    /**
-     * Validate core JWT claims
-     * @param claims the claims
-     * @param clientId OAuth2 client id
-     * @param validateClaimsAlways if set to true then enforce that the claims 
-     *                             to be validated must be set
-     */
-    protected void validateJwtClaims(JwtClaims claims, String clientId, boolean validateClaimsAlways)
{
-        // validate the issuer
-        String issuer = claims.getIssuer();
-        if (issuer == null && validateClaimsAlways) {
-            throw new OAuthServiceException("Invalid issuer");
-        }
-        if (supportSelfIssuedProvider && issuerId == null 
-            && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
-            validateSelfIssuedProvider(claims, clientId, validateClaimsAlways);
-        } else {
-            if (issuer != null && !issuer.equals(issuerId)) {
-                throw new OAuthServiceException("Invalid issuer");
-            }
-            // validate subject
-            if (claims.getSubject() == null) {
-                throw new OAuthServiceException("Invalid subject");
-            }
-            
-            // validate authorized party
-            String authorizedParty = (String)claims.getClaim(IdToken.AZP_CLAIM);
-            if (authorizedParty != null && !authorizedParty.equals(clientId)) {
-                throw new OAuthServiceException("Invalid authorized party");
-            }
-            // validate audience
-            List<String> audiences = claims.getAudiences();
-            if (StringUtils.isEmpty(audiences) && validateClaimsAlways 
-                || !StringUtils.isEmpty(audiences) && !audiences.contains(clientId))
{
-                throw new OAuthServiceException("Invalid audience");
-            }
-    
-            // If strict time validation: if no issuedTime claim is set then an expiresAt
claim must be set
-            // Otherwise: validate only if expiresAt claim is set
-            boolean expiredRequired = 
-                validateClaimsAlways || strictTimeValidation && claims.getIssuedAt()
== null;
-            try {
-                JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
-            } catch (JwtException ex) {
-                throw new OAuthServiceException("ID Token has expired", ex);
-            }
-            
-            // If strict time validation: If no expiresAt claim is set then an issuedAt claim
must be set
-            // Otherwise: validate only if issuedAt claim is set
-            boolean issuedAtRequired = 
-                validateClaimsAlways || strictTimeValidation && claims.getExpiryTime()
== null;
-            try {
-                JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired);
-            } catch (JwtException ex) {
-                throw new OAuthServiceException("Invalid issuedAt claim", ex);
-            }
-            if (strictTimeValidation) {
-                try {
-                    JwtUtils.validateJwtNotBefore(claims, clockOffset, strictTimeValidation);
-                } catch (JwtException ex) {
-                    throw new OAuthServiceException("ID Token can not be used yet", ex);
-                }    
-            }
-        }
-    }
-    
-    private void validateSelfIssuedProvider(JwtClaims claims, String clientId, boolean validateClaimsAlways)
{
-    }
-
-    public void setIssuerId(String issuerId) {
-        this.issuerId = issuerId;
-    }
-
-    public void setJwkSetClient(WebClient jwkSetClient) {
-        this.jwkSetClient = jwkSetClient;
-    }
-
-    @Override
-    protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
-        JsonWebKey key = null;
-        if (supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwt.getClaim("issuer")))
{
-            String publicKeyJson = (String)jwt.getClaim("sub_jwk");
-            if (publicKeyJson != null) {
-                JsonWebKey publicKey = JwkUtils.readJwkKey(publicKeyJson);
-                String thumbprint = JwkUtils.getThumbprint(publicKey);
-                if (thumbprint.equals(jwt.getClaim("sub"))) {
-                    key = publicKey;
-                }
-            }
-            if (key == null) {
-                throw new SecurityException("Self-issued JWK key is invalid or not available");
-            }
-        } else {
-            String keyId = jwt.getJwsHeaders().getKeyId();
-            key = keyId != null ? keyMap.get(keyId) : null;
-            if (key == null && jwkSetClient != null) {
-                JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
-                if (keyId != null) {
-                    key = keys.getKey(keyId);
-                } else if (keys.getKeys().size() == 1) {
-                    key = keys.getKeys().get(0);
-                }
-                //jwkSetClient returns the most up-to-date keys
-                keyMap.clear();
-                keyMap.putAll(keys.getKeyIdMap());
-            }
-        }
-        JwsSignatureVerifier theJwsVerifier = null;
-        if (key != null) {
-            theJwsVerifier = JwsUtils.getSignatureVerifier(key);
-        } else {
-            theJwsVerifier = super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
-        }
-        if (theJwsVerifier == null) {
-            throw new SecurityException("JWS Verifier is not available");
-        }
-        
-        return theJwsVerifier;
-    }
-
-    public void setSupportSelfIssuedProvider(boolean supportSelfIssuedProvider) {
-        this.supportSelfIssuedProvider = supportSelfIssuedProvider;
-    }
-
-    public int getClockOffset() {
-        return clockOffset;
-    }
-
-    public void setClockOffset(int clockOffset) {
-        this.clockOffset = clockOffset;
-    }
-
-    public void setStrictTimeValidation(boolean strictTimeValidation) {
-        this.strictTimeValidation = strictTimeValidation;
-    }
-
-    public int getTtl() {
-        return ttl;
-    }
-
-    public void setTtl(int ttl) {
-        this.ttl = ttl;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index 4c9071c..832813d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -24,7 +24,7 @@ import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
-public class IdTokenReader extends AbstractTokenValidator {
+public class IdTokenReader extends OidcClaimsValidator {
     private boolean requireAtHash = true;
     public IdToken getIdToken(ClientAccessToken at, Consumer client) {
         JwtToken jwt = getIdJwtToken(at, client);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5c8c5f5b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 2c1f6ca..3ee566e 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -29,7 +29,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
 
-public class UserInfoClient extends AbstractTokenValidator {
+public class UserInfoClient extends OidcClaimsValidator {
     private boolean sendTokenAsFormParameter;
     private WebClient profileClient;
     private boolean getUserInfoFromJwt;

