From cohei...@apache.org
Subject [3/3] cxf-fediz git commit: Got OIDC system test working using a browser
Date Thu, 25 Feb 2016 17:40:25 GMT
Got OIDC system test working using a browser


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/785104b7
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/785104b7
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/785104b7

Branch: refs/heads/master
Commit: 785104b796e706851a80c51d1999fcbc291b2e99
Parents: ed9727c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Feb 25 17:39:59 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Feb 25 17:39:59 2016 +0000

----------------------------------------------------------------------
 .../oidc/src/test/resources/cxf-service.xml     |  17 ++-
 .../fediz/oidc/idp/example/BasicAuthFilter.java |   1 +
 .../idp/example/EHCacheOIDCTokenProvider.java   |  53 ++++++++
 .../example/EHCacheRefreshTokenProvider.java    |  53 --------
 .../oidc/idp/example/IdTokenProviderImpl.java   |   5 +-
 .../src/main/resources/clienttrust.jks          | Bin 1512 -> 0 bytes
 .../src/main/resources/stsKeystoreB.properties  |   6 -
 .../src/main/webapp/WEB-INF/cxf-service.xml     |  17 ++-
 .../WEB-INF/views/oAuthAuthorizationData.jsp    | 133 +++++++++++++++++++
 systests/federation/pom.xml                     |   1 +
 10 files changed, 218 insertions(+), 68 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidc/src/test/resources/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidc/src/test/resources/cxf-service.xml b/systests/federation/oidc/src/test/resources/cxf-service.xml
index 4201a96..acc0a9a 100644
--- a/systests/federation/oidc/src/test/resources/cxf-service.xml
+++ b/systests/federation/oidc/src/test/resources/cxf-service.xml
@@ -77,7 +77,7 @@
        </property>
    </bean>
    
-   <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheRefreshTokenProvider">
+   <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheOIDCTokenProvider">
       <property name="client" ref="client"/>
    </bean>
    
@@ -96,22 +96,31 @@
       <property name="responseFilter" ref="idTokenFilter"/>
    </bean>
    
-   <bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
+   <bean id="oauthJSONProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
    
+   <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+       <property name="useClassNames" value="true"/>
+       <property name="locationPrefix" value="/WEB-INF/views/"/>
+       <property name="beanName" value="data"/>
+       <property name="dispatcherName" value="jsp"/>
+   </bean>
+    
    <jaxrs:server address="/services">
        <jaxrs:serviceBeans>
            <ref bean="authorizationService"/>
            <ref bean="tokenService"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
-           <ref bean="jackson"/>
+           <ref bean="oauthJSONProvider"/>
            <ref bean="basicAuthFilter"/>
+           <ref bean="viewProvider"/>
        </jaxrs:providers>
        <jaxrs:properties>
            <entry key="rs.security.keystore.type" value="jks" />
            <entry key="rs.security.keystore.alias" value="realmb"/>
            <entry key="rs.security.key.password" value="realmb"/>
-           <entry key="rs.security.keystore.file" value="stsKeystoreB.properties" />
+           <entry key="rs.security.keystore.password" value="storepass"/>
+           <entry key="rs.security.keystore.file" value="stsrealm_b.jks" />
            <entry key="rs.security.signature.algorithm" value="RS256" />
        </jaxrs:properties>
    </jaxrs:server>
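Review bot: This test resource and systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml receive byte-identical hunks (both diffs carry index 4201a96..acc0a9a), so the two copies must be kept in lock-step by hand; a comment at the head of this file such as `<!-- Mirror of oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml; keep both in sync -->` would make the drift risk visible. The new `rs.security.keystore.password` entry also moves the keystore password from the deleted stsKeystoreB.properties into the Spring bean definition alongside `rs.security.key.password`, which is fine for a systest fixture but deserves an explicit marker, e.g. `<!-- test-only keystore credentials for stsrealm_b.jks -->` above the `<jaxrs:properties>` block. The same two remarks apply to the webapp copy of this hunk.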

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
index a85c8c9..7a4e48e 100644
--- a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/BasicAuthFilter.java
@@ -42,6 +42,7 @@ public class BasicAuthFilter extends WSS4JBasicAuthValidator implements
Containe
         if (policy == null || policy.getUserName() == null || policy.getPassword() == null)
{
             requestContext.abortWith(
                 Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
+            return;
         }
 
         try {
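Review bot: The added `return;` after `requestContext.abortWith(...)` is the actual fix but carries no explanation, and a reader may later remove it as redundant; `abortWith()` only records the 401 response, it does not end the filter method, so without the return the code below would continue into the validation with a null policy. A one-line comment would preserve that intent: `// abortWith() does not stop the filter; return so the null policy is not validated below`. As a minor style point, `Response.status(401)` could use `Response.Status.UNAUTHORIZED` to name the status. The rest of the filter method lies outside this hunk.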

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java
b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java
new file mode 100644
index 0000000..2dfb7de
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheOIDCTokenProvider.java
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.oidc.idp.example;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+
+/**
+ * Extend the DefaultEHCacheCodeDataProvider to allow OpenId
+ */
+public class EHCacheOIDCTokenProvider extends DefaultEHCacheCodeDataProvider {
+    
+    @Override
+    public List<OAuthPermission> convertScopeToPermissions(Client client, List<String>
requestedScopes) {
+        if (requestedScopes.isEmpty()) {
+            return Collections.emptyList();
+        }
+        
+        List<OAuthPermission> permissions = new ArrayList<>();
+        for (String requestedScope : requestedScopes) {
+            if ("openid".equals(requestedScope)) {
+                OAuthPermission permission = new OAuthPermission("openid", "Authenticate
user");
+                permissions.add(permission);
+            } else {
+                throw new OAuthServiceException("invalid_scope");
+            }
+        }
+        
+        return permissions;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
deleted file mode 100644
index 43c72d6..0000000
--- a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/EHCacheRefreshTokenProvider.java
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.fediz.oidc.idp.example;
-
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
-import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-
-/**
- * Extend the DefaultEHCacheCodeDataProvider to allow OpenId
- */
-public class EHCacheRefreshTokenProvider extends DefaultEHCacheCodeDataProvider {
-    
-    @Override
-    public List<OAuthPermission> convertScopeToPermissions(Client client, List<String>
requestedScopes) {
-        if (requestedScopes.isEmpty()) {
-            return Collections.emptyList();
-        }
-        
-        List<OAuthPermission> permissions = new ArrayList<>();
-        for (String requestedScope : requestedScopes) {
-            if ("openid".equals(requestedScope)) {
-                OAuthPermission permission = new OAuthPermission("openid", "Authenticate
user");
-                permissions.add(permission);
-            } else {
-                throw new OAuthServiceException("invalid_scope");
-            }
-        }
-        
-        return permissions;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
index 52f8fa8..a6d1684 100644
--- a/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
+++ b/systests/federation/oidcIdpWebapp/src/main/java/org/apache/cxf/fediz/oidc/idp/example/IdTokenProviderImpl.java
@@ -21,6 +21,7 @@ package org.apache.cxf.fediz.oidc.idp.example;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.List;
+import java.util.UUID;
 
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
@@ -41,7 +42,9 @@ public class IdTokenProviderImpl implements IdTokenProvider {
         token.setExpiryTime(cal.getTimeInMillis() / 1000L);
         token.setIssuedAt(new Date().getTime() / 1000L);
         token.setAudience(clientId);
-        token.setSubject(authenticatedUser.getLogin());
+        token.setTokenId(UUID.randomUUID().toString());
+        token.setSubject(authenticatedUser.getLogin().toLowerCase());
+        token.setClaim("preferred_username", authenticatedUser.getLogin().toLowerCase());
         token.setIssuer("OIDC IdP");
         
         return token;
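Review bot: The two new calls `token.setSubject(authenticatedUser.getLogin().toLowerCase())` and `token.setClaim("preferred_username", ...)` use the locale-sensitive `String.toLowerCase()`, so the `sub` claim — the identifier relying parties key on — can differ between JVMs with different default locales (the Turkish dotted/dotless i is the classic case); use `toLowerCase(Locale.ROOT)` and compute it once: `String login = authenticatedUser.getLogin().toLowerCase(Locale.ROOT);` then `token.setSubject(login);` and `token.setClaim("preferred_username", login);`, adding `import java.util.Locale;` next to the new `java.util.UUID` import in the first hunk. If `getLogin()` can return null for an authenticated subject (not visible here) both lines throw an NPE, which would surface as a 500 from the IdP rather than a clean error. The enclosing method starts outside the hunk.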

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks b/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks
deleted file mode 100644
index c3ad459..0000000
Binary files a/systests/federation/oidcIdpWebapp/src/main/resources/clienttrust.jks and /dev/null
differ

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
b/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
deleted file mode 100644
index 16f4a3c..0000000
--- a/systests/federation/oidcIdpWebapp/src/main/resources/stsKeystoreB.properties
+++ /dev/null
@@ -1,6 +0,0 @@
-org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
-org.apache.ws.security.crypto.merlin.keystore.type=jks
-org.apache.ws.security.crypto.merlin.keystore.password=storepass
-org.apache.ws.security.crypto.merlin.keystore.alias=realmb
-org.apache.ws.security.crypto.merlin.keystore.file=stsrealm_b.jks
-

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
index 4201a96..acc0a9a 100644
--- a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/cxf-service.xml
@@ -77,7 +77,7 @@
        </property>
    </bean>
    
-   <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheRefreshTokenProvider">
+   <bean id="oauthProvider" class="org.apache.cxf.fediz.oidc.idp.example.EHCacheOIDCTokenProvider">
       <property name="client" ref="client"/>
    </bean>
    
@@ -96,22 +96,31 @@
       <property name="responseFilter" ref="idTokenFilter"/>
    </bean>
    
-   <bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
+   <bean id="oauthJSONProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
    
+   <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
+       <property name="useClassNames" value="true"/>
+       <property name="locationPrefix" value="/WEB-INF/views/"/>
+       <property name="beanName" value="data"/>
+       <property name="dispatcherName" value="jsp"/>
+   </bean>
+    
    <jaxrs:server address="/services">
        <jaxrs:serviceBeans>
            <ref bean="authorizationService"/>
            <ref bean="tokenService"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
-           <ref bean="jackson"/>
+           <ref bean="oauthJSONProvider"/>
            <ref bean="basicAuthFilter"/>
+           <ref bean="viewProvider"/>
        </jaxrs:providers>
        <jaxrs:properties>
            <entry key="rs.security.keystore.type" value="jks" />
            <entry key="rs.security.keystore.alias" value="realmb"/>
            <entry key="rs.security.key.password" value="realmb"/>
-           <entry key="rs.security.keystore.file" value="stsKeystoreB.properties" />
+           <entry key="rs.security.keystore.password" value="storepass"/>
+           <entry key="rs.security.keystore.file" value="stsrealm_b.jks" />
            <entry key="rs.security.signature.algorithm" value="RS256" />
        </jaxrs:properties>
    </jaxrs:server>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
----------------------------------------------------------------------
diff --git a/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
new file mode 100644
index 0000000..1a71624
--- /dev/null
+++ b/systests/federation/oidcIdpWebapp/src/main/webapp/WEB-INF/views/oAuthAuthorizationData.jsp
@@ -0,0 +1,133 @@
+<%@ page import="javax.servlet.http.HttpServletRequest" %>
+<%@ page import="java.util.List" %>
+<%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData" %>
+<%@ page import="org.apache.cxf.rs.security.oauth2.common.OAuthPermission" %>
+
+
+<%
+    OAuthAuthorizationData data = (OAuthAuthorizationData)request.getAttribute("data");
+    List<String> authorizedScopes = data.getAlreadyAuthorizedPermissionsAsStrings();
+%>
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+    <title>Third Party Authorization Form</title>
+    <STYLE TYPE="text/css">
+	<!--
+	  input,button {font-family:verdana, arial, helvetica, sans-serif;font-size:20px;line-height:40px;}

+	-->
+</STYLE>
+</head>
+<body>
+<h1 align="center">Third Party Authorization Form</h1>
+<table align="center">
+       <tr align="center">
+                <td>
+
+                    <form action="<%= data.getReplyTo() %>" method="POST">
+                    
+                        <input type="hidden" name="client_id"
+                               value="<%= data.getClientId() %>"/>
+                        <%
+                            if (data.getState() != null) {
+                        %>       
+                        <input type="hidden" name="state"
+                               value="<%= data.getState() %>"/>
+                        <%
+                            }
+                        %>
+                        <%
+                            if (data.getClientCodeChallenge() != null) {
+                        %>       
+                        <input type="hidden" name="code_challenge"
+                               value="<%= data.getClientCodeChallenge() %>"/>
+                        <%
+                            }
+                        %>
+                        <%
+                            if (data.getNonce() != null) {
+                        %>       
+                        <input type="hidden" name="nonce"
+                               value="<%= data.getNonce() %>"/>
+                        <%
+                            }
+                        %>       
+                        <input type="hidden" name="scope"
+                               value="<%= data.getProposedScope() %>"/>
+                        <input type="hidden" name="response_type"
+                               value="<%= data.getResponseType() %>"/>
+                        
+                        <%
+                            if (data.getRedirectUri() != null) {
+                        %>       
+                        <input type="hidden" name="redirect_uri"
+                               value="<%= data.getRedirectUri() %>"/>
+                        <%
+                            }
+                        %>                     
+                        <input type="hidden"
+                               name="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+                                   .SESSION_AUTHENTICITY_TOKEN %>"
+                               value="<%= data.getAuthenticityToken() %>"/>
+						<%
+                            if (data.getApplicationLogoUri() != null) {
+                        %>                        
+                        <img src="<%= data.getApplicationLogoUri() %>" alt="Application
Logo" width="100" height="100">
+                        <%
+                            }
+                        %>
+
+                        <h2>Would you like to grant <%= data.getApplicationName()
%><br />the following permissions:</h2>
+
+                        <table> 
+                            <%
+                               for (OAuthPermission perm : data.getAllPermissions()) {
+                            %>
+                               <tr>
+                                <td>
+                                  <input type="checkbox" 
+                                    <%
+                                      if (perm.isDefault() || authorizedScopes.contains(perm.getPermission()))
{
+                                    %>
+                                    disabled="disabled"
+                                    <%
+                                      }
+                                    %> 
+                                    checked="checked"
+                                    name="<%= perm.getPermission()%>_status" 
+                                    value="allow"
+                                  ><big><big><%= perm.getDescription()
%></big></big></input>
+                                    <%
+                                      if (perm.isDefault()) {
+                                    %>
+                                    <input type="hidden" name="<%= perm.getPermission()%>_status"
value="allow" />
+                                    <%
+                                      }
+                                    %>
+                                </td>
+                               </tr>
+                            <%   
+                               }
+                            %> 
+                        </table>    
+                        <br/></p>
+                        <button name="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+                            .AUTHORIZATION_DECISION_KEY %>"
+                                type="submit"
+                                value="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+                                    .AUTHORIZATION_DECISION_ALLOW %>">
+                            OK
+                        </button>
+                        <button name="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+                            .AUTHORIZATION_DECISION_KEY %>"
+                                type="submit"
+                                value="<%= org.apache.cxf.rs.security.oauth2.utils.OAuthConstants
+                                    .AUTHORIZATION_DECISION_DENY %>">
+                            No,thanks
+                        </button>
+                    </form>
+                </td>
+            </tr>
+        </table>
+    
+</body>
+</html>
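Review bot: Every value written with `<%= ... %>` is inserted into HTML attributes and body unescaped, and several of them — `data.getState()`, `data.getRedirectUri()`, `data.getClientCodeChallenge()`, `data.getNonce()`, `data.getProposedScope()` and the client's `getApplicationName()` / `getApplicationLogoUri()` — originate from the authorization request or the registered client rather than from this server, so the consent page will echo a crafted value straight into the markup. The page is a systest view, but it is the shape people copy into real IdPs, so the values should go through an escaping output such as JSTL `<c:out>` (or `fn:escapeXml`) and the conditionals through `<c:if>`; the `data` request attribute is already reachable in EL because the RequestDispatcherProvider bean sets `beanName` to `data`. Whether JSTL is on the test webapp's classpath is not visible in this diff; if it is not, a small escaping helper invoked in each `<%= %>` achieves the same. The change touches every output expression, so only the first few rewritten lines are shown.
```jsp
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%-- … unchanged: page imports and the scriptlet that reads the "data" attribute … --%>
<form action="<c:out value="${data.replyTo}"/>" method="POST">
    <input type="hidden" name="client_id" value="<c:out value="${data.clientId}"/>"/>
    <c:if test="${data.state != null}">
    <input type="hidden" name="state" value="<c:out value="${data.state}"/>"/>
    </c:if>
    <%-- … unchanged: code_challenge, nonce, scope, response_type inputs, rewritten the same way … --%>
    <c:if test="${data.redirectUri != null}">
    <input type="hidden" name="redirect_uri" value="<c:out value="${data.redirectUri}"/>"/>
    </c:if>
    <%-- … unchanged: authenticity token and logo, rewritten the same way … --%>
    <h2>Would you like to grant <c:out value="${data.applicationName}"/><br />the following permissions:</h2>
```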

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/785104b7/systests/federation/pom.xml
----------------------------------------------------------------------
diff --git a/systests/federation/pom.xml b/systests/federation/pom.xml
index 28e830b..7190b07 100644
--- a/systests/federation/pom.xml
+++ b/systests/federation/pom.xml
@@ -32,6 +32,7 @@
 
     <modules>
         <module>samlIdpWebapp</module>
+        <module>oidcIdpWebapp</module>
         <module>samlsso</module>
         <module>wsfed</module>
     </modules>

