
From serg...@apache.org
Subject cxf git commit: Restoring the option to store client id in a session
Date Tue, 09 Feb 2016 13:01:35 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 448fdcf01 -> d0e42861b


Restoring the option to store client id in a session


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d0e42861
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d0e42861
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d0e42861

Branch: refs/heads/3.1.x-fixes
Commit: d0e42861b5df45cf24985d956372f75bf04800f3
Parents: 448fdcf
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Feb 9 13:00:41 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Feb 9 13:01:22 2016 +0000

----------------------------------------------------------------------
 .../oauth2/common/OAuthAuthorizationData.java   | 17 -----------------
 .../oauth2/common/OAuthRedirectionState.java    | 19 +++++++++++++++++++
 .../provider/JoseSessionTokenProvider.java      | 20 +++++++++++++-------
 .../services/RedirectionBasedGrantService.java  |  8 ++++++--
 4 files changed, 38 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 8cf1102..27cb511 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,7 +39,6 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 public class OAuthAuthorizationData extends OAuthRedirectionState implements Serializable
{
     private static final long serialVersionUID = -7755998413495017637L;
     
-    private String clientId;
     private String endUserName;
     private String authenticityToken;
     private String replyTo;
@@ -60,22 +59,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements
Ser
     }
 
     /**
-     * Sets the client id which needs to be retained in a hidden form field
-     * @param clientId the client id
-     */
-    public void setClientId(String clientId) {
-        this.clientId = clientId;
-    }
-
-    /**
-     * Gets the client id which needs to be retained in a hidden form field
-     * @return the client id
-     */
-    public String getClientId() {
-        return clientId;
-    }
-    
-    /**
      * Get the client application name
      * @return application name
      */

http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
index 761d41f..4a413a0 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
@@ -23,6 +23,8 @@ import java.io.Serializable;
 public class OAuthRedirectionState implements Serializable {
     
     private static final long serialVersionUID = -661649302262699347L;
+    
+    private String clientId;
     private String redirectUri;
     private String state;
     private String proposedScope;
@@ -34,6 +36,21 @@ public class OAuthRedirectionState implements Serializable {
     public OAuthRedirectionState() {
     }
 
+    /**
+     * Sets the client id which needs to be retained in a hidden form field
+     * @param clientId the client id
+     */
+    public void setClientId(String clientId) {
+        this.clientId = clientId;
+    }
+
+    /**
+     * Gets the client id which needs to be retained in a hidden form field
+     * @return the client id
+     */
+    public String getClientId() {
+        return clientId;
+    }
     
     /**
      * Sets the redirect uri which needs to be retained in a hidden form field
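Review bot: The Javadoc on the new setClientId/getClientId pair says the client id `needs to be retained in a hidden form field`, but the point of this commit is that it can now also travel inside the session state (JoseSessionTokenProvider serialises it as part 0), so the copied wording undersells the contract. Suggest `* Sets the client id which needs to be retained in a hidden form field or in the session state` and the matching `Gets` variant. A short sentence that the stored value is compared against the client_id request parameter when the state is restored would tell readers why the field exists at all. The class body continues outside the hunk.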
@@ -117,4 +134,6 @@ public class OAuthRedirectionState implements Serializable {
     public void setResponseType(String responseType) {
         this.responseType = responseType;
     }
+    
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
index 9722e16..0c23db1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
@@ -148,31 +148,37 @@ public class JoseSessionTokenProvider implements SessionAuthenticityTokenProvide
         String[] parts = ModelEncryptionSupport.getParts(stateString);
         OAuthRedirectionState state = new OAuthRedirectionState();
         if (!StringUtils.isEmpty(parts[0])) {
-            state.setAudience(parts[0]);
+            state.setClientId(parts[0]);
         }
         if (!StringUtils.isEmpty(parts[1])) {
-            state.setClientCodeChallenge(parts[1]);
+            state.setAudience(parts[1]);
         }
         if (!StringUtils.isEmpty(parts[2])) {
-            state.setState(parts[2]);
+            state.setClientCodeChallenge(parts[2]);
         }
         if (!StringUtils.isEmpty(parts[3])) {
-            state.setProposedScope(parts[3]);
+            state.setState(parts[3]);
         }
         if (!StringUtils.isEmpty(parts[4])) {
-            state.setRedirectUri(parts[4]);
+            state.setProposedScope(parts[4]);
         }
         if (!StringUtils.isEmpty(parts[5])) {
-            state.setNonce(parts[5]);
+            state.setRedirectUri(parts[5]);
         }
         if (!StringUtils.isEmpty(parts[6])) {
-            state.setResponseType(parts[6]);
+            state.setNonce(parts[6]);
+        }
+        if (!StringUtils.isEmpty(parts[7])) {
+            state.setResponseType(parts[7]);
         }
         return state;
     }
     protected String convertStateToString(OAuthRedirectionState secData) {
         //TODO: make it simpler, convert it to JwtClaims -> JSON
         StringBuilder state = new StringBuilder();
+        // 0: client id
+        state.append(ModelEncryptionSupport.tokenizeString(secData.getClientId()));
+        state.append(ModelEncryptionSupport.SEP);
         // 1: client audience
         state.append(ModelEncryptionSupport.tokenizeString(secData.getAudience()));
         state.append(ModelEncryptionSupport.SEP);
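Review bot: The new `parts[7]` branch assumes ModelEncryptionSupport.getParts() always yields eight entries, yet a session token written by the previous seven-field layout may still be live when this build is deployed; depending on how getParts splits, such a token either throws ArrayIndexOutOfBoundsException here or, if padded, is decoded with every field shifted by one (the old audience lands in clientId, the old nonce in redirectUri). A length guard before the first index, `if (parts.length != 8) { /* reject the token as malformed */ }`, makes that failure explicit instead of incidental; how the rejection should surface depends on the method's contract, whose signature sits above the hunk. Embedding a format version in the serialised string would make the next layout change safer than renumbering comments. The decoding method starts before the hunk and convertStateToString continues after it.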

http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index d7cd724..ab4bba8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -274,13 +274,15 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             state = sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(),

                                                                      sessionToken,
                                                                      subject);
+            if (!state.getClientId().equals(params.getFirst(OAuthConstants.CLIENT_ID))) {
+                throw ExceptionUtils.toBadRequestException(null, null);
+            }
         }
         if (state == null) {
             state = new OAuthRedirectionState();
+            state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
             state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
             state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
-            // or if no audience parameter is available, set the list of client
-            // audiences for the users to see ?
             state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
             state.setState(params.getFirst(OAuthConstants.STATE));
             state.setNonce(params.getFirst(OAuthConstants.NONCE));
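Review bot: The new check `state.getClientId().equals(params.getFirst(OAuthConstants.CLIENT_ID))` dereferences state before the `if (state == null)` test two lines below, so a provider that returns null (the case that test exists for) now ends in an unhandled NullPointerException instead of taking the fresh-state path; state.getClientId() is also null whenever the decoded part was empty, since JoseSessionTokenProvider only sets it for non-empty parts, which again turns the intended bad request into an NPE. Comparing from the request side and guarding null keeps the rejection a 400: `String requestedClientId = params.getFirst(OAuthConstants.CLIENT_ID);` then `if (state != null && (requestedClientId == null || !requestedClientId.equals(state.getClientId()))) {`. The enclosing method and the `if` that wraps getSessionState start outside the hunk.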
@@ -310,6 +312,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     protected Response completeAuthorization(MultivaluedMap<String, String> params)
{
         // Make sure the end user has authenticated, check if HTTPS is used
         SecurityContext securityContext = getAndValidateSecurityContext(params);
+        // Client id may also be preserved in a session but it must be set 
+        // as a authorization form parameter
         Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID));
         
         UserSubject userSubject = createUserSubject(securityContext, client, params);
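Review bot: The added comment reads `as a authorization form parameter` and the first line carries trailing whitespace after `set`; suggest `// Client id may also be preserved in a session but it must still be set` followed by `// as an authorization form parameter`. Stating what the session copy is for would help: the earlier hunk in this file compares it against this parameter when the redirection state is restored. completeAuthorization continues below the hunk.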

