From r...@apache.org
Subject [06/20] cxf git commit: More ClientCodeRequestFilter updates
Date Sat, 16 Jul 2016 15:53:30 GMT
More ClientCodeRequestFilter updates


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/79ce1f4c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/79ce1f4c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/79ce1f4c

Branch: refs/heads/master-jaxrs-2.1
Commit: 79ce1f4ca105b045f538c72b58e66747ca289f41
Parents: 120d20f
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Jul 14 17:11:00 2016 +0300
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Jul 14 17:11:00 2016 +0300

----------------------------------------------------------------------
 .../oauth2/client/ClientCodeRequestFilter.java  | 54 +++++++++++---------
 .../oidc/rp/OidcRpAuthenticationFilter.java     |  2 +-
 2 files changed, 32 insertions(+), 24 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/79ce1f4c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index 85aa526..3576c9d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
@@ -58,13 +58,12 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils;
 @Priority(Priorities.AUTHENTICATION + 1)
 public class ClientCodeRequestFilter implements ContainerRequestFilter {
     protected static final Logger LOG = LogUtils.getL7dLogger(ClientCodeRequestFilter.class);
-    private static final String WILDCARD = "*";
     @Context
     private MessageContext mc;
     
     private String scopes;
     private String completeUri;
-    private String startUri = "*";
+    private String startUri;
     private String authorizationServiceUri;
     private Consumer consumer;
     private ClientCodeStateManager clientStateManager;
@@ -85,54 +84,63 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
         UriInfo ui = rc.getUriInfo();
         String absoluteRequestUri = ui.getAbsolutePath().toString();
         
-        boolean sameUriRedirect = false;
         if (completeUri == null) {
             String referer = rc.getHeaderString("Referer");
             if (referer != null && referer.startsWith(authorizationServiceUri)) {
                 completeUri = absoluteRequestUri;
-                sameUriRedirect = true;
             } 
         }
         
-        if (!sameUriRedirect && isStartUriMatched(ui, absoluteRequestUri)) {
+        if (isStartUriMatched(ui, absoluteRequestUri)) {
             ClientTokenContext request = getClientTokenContext(rc);
             if (request != null) {
                 setClientCodeRequest(request);
                 if (completeUri != null) {
                     rc.setRequestUri(URI.create(completeUri));
                 }
+                // let the request continue if the token context is already available
                 return;
             }
-            Response codeResponse = createCodeResponse(rc,  ui);
+            // start the code flow
+            Response codeResponse = createCodeResponse(rc, ui);
             rc.abortWith(codeResponse);
-        } else if (completeUri == null) {
-            LOG.warning("Complete URI is not initialized, authentication flow can not be
completed");
-            rc.abortWith(Response.status(500).build());
             return;
-        } else if (absoluteRequestUri.endsWith(completeUri)) {
-            MultivaluedMap<String, String> requestParams = toRequestState(rc, ui);
-            processCodeResponse(rc, ui, requestParams);
-            checkSecurityContextEnd(rc, requestParams);
         } else {
-            rc.abortWith(Response.status(401).build());
-        }
+            // complete the code flow if possible
+            MultivaluedMap<String, String> requestParams = toRequestState(rc, ui);
+            if (codeResponseQueryParamsAvailable(requestParams)
+                && (completeUri == null || absoluteRequestUri.endsWith(completeUri)))
{
+                processCodeResponse(rc, ui, requestParams);
+                checkSecurityContextEnd(rc, requestParams);
+                // let the request continue
+                return;
+            }
+        } 
+        // neither the start nor the end of the flow 
+        rc.abortWith(Response.status(401).build());
     }
 
     protected boolean isStartUriMatched(UriInfo ui, String absoluteRequestUri) {
-        if (startUri.equals(WILDCARD) && (completeUri == null || !absoluteRequestUri.endsWith(completeUri)))
{
+        // If all request URIs can initiate a code flow then it is a match 
+        // unless the current request URI matches a non-null completeUri 
+        if (startUri == null && completeUri != null && !absoluteRequestUri.endsWith(completeUri))
{
             return true;
         }
-        if (!absoluteRequestUri.endsWith(startUri)) {
-            return false;
-        }
-        if (startUri.equals(completeUri)) {
+        // If completeUri is null or startUri equals to it then check the code flow
+        // response properties, if code parameters are set then it is the end of the flow
+        if (completeUri == null || startUri != null && startUri.equals(completeUri))
{
             MultivaluedMap<String, String> queries = ui.getQueryParameters();
-            if (queries.containsKey(OAuthConstants.AUTHORIZATION_CODE_VALUE) 
-                || queries.containsKey(OAuthConstants.ERROR_KEY)) {
+            if (codeResponseQueryParamsAvailable(queries)) {
                 return false;
             }
         }
-        return true;
+        // Finally compare start URI with the request URI
+        return startUri == null || absoluteRequestUri.endsWith(startUri);
+    }
+
+    private boolean codeResponseQueryParamsAvailable(MultivaluedMap<String, String>
queries) {
+        return queries.containsKey(OAuthConstants.AUTHORIZATION_CODE_VALUE) 
+            || queries.containsKey(OAuthConstants.ERROR_KEY);
     }
 
     protected void checkSecurityContextStart(ContainerRequestContext rc) {
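Review bot: With the new default `startUri = null` and a configured `completeUri`, a callback request to `completeUri` is still reported as a flow start, because the last line of isStartUriMatched, `return startUri == null || absoluteRequestUri.endsWith(startUri);`, returns true for a null startUri even though the guard at the top of the method only handles the case where the request does not match completeUri; the code response is then never processed and `createCodeResponse` sends the user back to the authorization service again. Changing that line to `return startUri != null ? absoluteRequestUri.endsWith(startUri) : completeUri == null;` keeps the "every URI starts a flow" behaviour when no completeUri is set and excludes the completion URI otherwise, which is what the comment above it describes. Separately, the `completeUri == null ||` clause added to the else branch of filter() means an authorization `code` or `error` is now consumed on whatever path it arrives at, so the binding between the redirect URI sent in the authorization request and the URI receiving the code has to be enforced by the state handling in processCodeResponse, which is not visible in this hunk. Note also that `completeUri` is a filter-instance field initialised from a client-supplied `Referer` prefix match; that line is pre-existing, but the new branch relies on it, and a forged Referer on any request can fix the value for all later requests.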

http://git-wip-us.apache.org/repos/asf/cxf/blob/79ce1f4c/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
index 3cead95..9a6823b 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -47,7 +47,7 @@ import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 @PreMatching
-@Priority(Priorities.AUTHENTICATION)
+@Priority(Priorities.AUTHENTICATION + 2)
 public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
     @Context
     private MessageContext mc;
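Review bot: The new priority value encodes an ordering dependency on ClientCodeRequestFilter, which the other file in this commit declares at `Priorities.AUTHENTICATION + 1`, but nothing in this file records why `+ 2` was chosen. A one-line comment above the annotation, e.g. `// must run after ClientCodeRequestFilter (AUTHENTICATION + 1)`, would keep the two values from drifting apart. That the dependency is about the token context the code filter sets up is inferred from the names and not visible here, so the comment should state only the ordering.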

