cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Avoiding linking UserSubject to indiv clients too early
Date Tue, 09 Feb 2016 16:18:01 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 87fd53f90 -> b0ccc3f87


Avoiding linking UserSubject to indiv clients too early


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b0ccc3f8
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b0ccc3f8
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b0ccc3f8

Branch: refs/heads/3.1.x-fixes
Commit: b0ccc3f87b373009f4bd9d9a6a7aa9484e7aca73
Parents: 87fd53f
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Feb 9 16:17:00 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Feb 9 16:17:44 2016 +0000

----------------------------------------------------------------------
 .../oauth2/provider/DefaultSubjectCreator.java        |  2 --
 .../rs/security/oauth2/provider/SubjectCreator.java   |  3 ---
 .../oauth2/services/AbstractImplicitGrantService.java |  6 +++---
 .../oauth2/services/DirectAuthorizationService.java   |  6 +++---
 .../oauth2/services/RedirectionBasedGrantService.java | 14 ++++----------
 .../rs/security/oidc/idp/IdTokenResponseFilter.java   |  2 ++
 .../cxf/rs/security/oidc/idp/OidcImplicitService.java |  4 +++-
 7 files changed, 15 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/b0ccc3f8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
index 53c1d54..6dc9dd8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
@@ -21,7 +21,6 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
@@ -30,7 +29,6 @@ public class DefaultSubjectCreator implements SubjectCreator {
 
     @Override
     public UserSubject createUserSubject(MessageContext mc, 
-                                         Client client,
                                          MultivaluedMap<String, String> params) throws
OAuthServiceException {
         return OAuthUtils.createSubject(mc, 
                                         (SecurityContext)mc.get(SecurityContext.class.getName()));

http://git-wip-us.apache.org/repos/asf/cxf/blob/b0ccc3f8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
index 4ddee90..25a14e6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
@@ -22,7 +22,6 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 
 /**
@@ -35,12 +34,10 @@ public interface SubjectCreator {
     /**
      * Create a {@link UserSubject} 
      * @param mc the {@link MessageContext} of this request
-     * @param client the client
      * @param params the request parameters
      * @return {@link UserSubject}
      * @throws OAuthServiceException
      */
     UserSubject createUserSubject(MessageContext mc,
-                                  Client client,
                                   MultivaluedMap<String, String> params) throws OAuthServiceException;
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/b0ccc3f8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 6c9349d..f3c466b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -108,16 +108,16 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
             processRefreshToken(sb, token.getRefreshToken());
         }
         
-        return finalizeResponse(sb, client, state);
+        return finalizeResponse(sb, state);
     }
     
-    protected Response finalizeResponse(StringBuilder sb, Client client, OAuthRedirectionState
state) {
+    protected Response finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
         if (state.getState() != null) {
             sb.append("&");
             sb.append(OAuthConstants.STATE).append("=").append(state.getState());   
         }
         if (reportClientId) {
-            sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId());
+            sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(state.getClientId());
         }
         
         return Response.seeOther(URI.create(sb.toString())).build();

http://git-wip-us.apache.org/repos/asf/cxf/blob/b0ccc3f8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
index e8b5e16..a9fa8be 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
@@ -53,7 +53,7 @@ public class DirectAuthorizationService extends AbstractOAuthService {
         SecurityContext sc = getAndValidateSecurityContext(params);
         Client client = getClient(params);
         // Create a UserSubject representing the end user 
-        UserSubject userSubject = createUserSubject(sc, client, params);
+        UserSubject userSubject = createUserSubject(sc, params);
         
         
         AccessTokenRegistration reg = new AccessTokenRegistration();
@@ -83,11 +83,11 @@ public class DirectAuthorizationService extends AbstractOAuthService {
         checkTransportSecurity();
         return securityContext;
     }
-    protected UserSubject createUserSubject(SecurityContext securityContext, Client client,
+    protected UserSubject createUserSubject(SecurityContext securityContext,
                                             MultivaluedMap<String, String> params)
{
         UserSubject subject = null;
         if (subjectCreator != null) {
-            subject = subjectCreator.createUserSubject(getMessageContext(), client, params);
+            subject = subjectCreator.createUserSubject(getMessageContext(), params);
             if (subject != null) {
                 return subject; 
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/b0ccc3f8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index ab4bba8..094c5af 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -120,7 +120,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         SecurityContext sc = getAndValidateSecurityContext(params);
         Client client = getClient(params);
         // Create a UserSubject representing the end user 
-        UserSubject userSubject = createUserSubject(sc, client, params);
+        UserSubject userSubject = createUserSubject(sc, params);
         return startAuthorization(params, userSubject, client);
     }
         
@@ -274,9 +274,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             state = sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(),

                                                                      sessionToken,
                                                                      subject);
-            if (!state.getClientId().equals(params.getFirst(OAuthConstants.CLIENT_ID))) {
-                throw ExceptionUtils.toBadRequestException(null, null);
-            }
         }
         if (state == null) {
             state = new OAuthRedirectionState();
@@ -312,11 +309,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     protected Response completeAuthorization(MultivaluedMap<String, String> params)
{
         // Make sure the end user has authenticated, check if HTTPS is used
         SecurityContext securityContext = getAndValidateSecurityContext(params);
-        // Client id may also be preserved in a session but it must be set 
-        // as a authorization form parameter
-        Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID));
         
-        UserSubject userSubject = createUserSubject(securityContext, client, params);
+        UserSubject userSubject = createUserSubject(securityContext, params);
         
         // Make sure the session is valid
         String sessionTokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
@@ -330,6 +324,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         
         OAuthRedirectionState state = 
             recreateRedirectionStateFromSession(userSubject, params, sessionToken);
+        
+        Client client = getClient(state.getClientId());
         String redirectUri = validateRedirectUri(client, state.getRedirectUri());
         
         // Get the end user decision value
@@ -375,12 +371,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     }
     
     protected UserSubject createUserSubject(SecurityContext securityContext, 
-                                            Client client,
                                             MultivaluedMap<String, String> params)
{
         UserSubject subject = null;
         if (subjectCreator != null) {
             subject = subjectCreator.createUserSubject(getMessageContext(),
-                                                       client,
                                                        params);
             if (subject != null) {
                 return subject; 

http://git-wip-us.apache.org/repos/asf/cxf/blob/b0ccc3f8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 7051090..6e7bb92 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -59,6 +59,8 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
         } else if (st.getSubject() instanceof OidcUserSubject) {
             OidcUserSubject sub = (OidcUserSubject)st.getSubject();
             IdToken idToken = new IdToken(sub.getIdToken());
+            idToken.setAudience(st.getClient().getClientId());
+            idToken.setAuthorizedParty(st.getClient().getClientId());
             // if this token was refreshed then the cloned IDToken might need to have its
             // issuedAt and expiry time properties adjusted if it proves to be necessary
             setAtHashAndNonce(idToken, st);

http://git-wip-us.apache.org/repos/asf/cxf/blob/b0ccc3f8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 40f29ea4..60b638d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -101,7 +101,7 @@ public class OidcImplicitService extends ImplicitGrantService {
         if (idToken != null) {
             sb.append(OidcUtils.ID_TOKEN).append("=").append(idToken);
         }
-        return finalizeResponse(sb, client, state);
+        return finalizeResponse(sb, state);
     }
     
     private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject)
{
@@ -110,6 +110,8 @@ public class OidcImplicitService extends ImplicitGrantService {
         } else if (subject instanceof OidcUserSubject) {
             OidcUserSubject sub = (OidcUserSubject)subject;
             IdToken idToken = new IdToken(sub.getIdToken());
+            idToken.setAudience(state.getClientId());
+            idToken.setAuthorizedParty(state.getClientId());
             idToken.setNonce(state.getNonce());
             JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() :
idTokenHandler; 
             return processor.processJwt(new JwtToken(idToken));


Mime
View raw message