From cohei...@apache.org
Subject [1/2] cxf git commit: Make it possible to set a roleClaim on the OIDC filters so that we can implement authorization
Date Wed, 20 Jul 2016 13:41:57 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 2ed93ca44 -> ce2d945bf


Make it possible to set a roleClaim on the OIDC filters so that we can implement authorization


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/689632b8
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/689632b8
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/689632b8

Branch: refs/heads/master
Commit: 689632b877f8aefcfd72211845f8e89d547e8592
Parents: 2ed93ca
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Jul 20 14:36:02 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Jul 20 14:41:45 2016 +0100

----------------------------------------------------------------------
 .../oidc/rp/OidcClientCodeRequestFilter.java         |  9 ++++++++-
 .../security/oidc/rp/OidcIdTokenRequestFilter.java   | 10 +++++++++-
 .../cxf/rs/security/oidc/rp/OidcSecurityContext.java | 15 +++++++++++++++
 3 files changed, 32 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/689632b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index 015be15..d9e75d9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -52,6 +52,7 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
     private Long maxAgeOffset;
     private String claims;
     private String claimsLocales;
+    private String roleClaim;
     
     public OidcClientCodeRequestFilter() {
         super();
@@ -87,7 +88,9 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
                                                            ctx.getIdToken(),
                                                            getConsumer()));
             }
-            rc.setSecurityContext(new OidcSecurityContext(ctx));
+            OidcSecurityContext oidcSecCtx = new OidcSecurityContext(ctx);
+            oidcSecCtx.setRoleClaim(roleClaim);
+            rc.setSecurityContext(oidcSecCtx);
         }
         
         return ctx;
@@ -193,4 +196,8 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
     public void setClaimsLocales(String claimsLocales) {
         this.claimsLocales = claimsLocales;
     }
+    
+    public void setRoleClaim(String roleClaim) {
+        this.roleClaim = roleClaim;
+    }
 }
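Review bot: The new `setRoleClaim` setter at the end of this hunk has no Javadoc, while the matching setter added to OidcSecurityContext in the same commit does document what the claim name means; the same gap exists for the setter added to OidcIdTokenRequestFilter. Since this property is what switches on role checks for the whole filter, a comment such as `/** Name of the IdToken claim whose value is compared against the role passed to SecurityContext.isUserInRole(); while unset every role check fails. */` would tell a deployer what to configure. The enclosing class continues outside the hunk.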

http://git-wip-us.apache.org/repos/asf/cxf/blob/689632b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
index 1babee7..fa9d850 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
@@ -39,6 +39,7 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter
{
     private String tokenFormParameter = "id_token"; 
     private IdTokenReader idTokenReader;
     private Consumer consumer;
+    private String roleClaim;
     
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
@@ -51,9 +52,12 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter
{
         
         IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer);
         JAXRSUtils.getCurrentMessage().setContent(IdToken.class, idToken);
-        requestContext.setSecurityContext(new OidcSecurityContext(idToken));
         
+        OidcSecurityContext oidcSecCtx = new OidcSecurityContext(idToken);
+        oidcSecCtx.setRoleClaim(roleClaim);
+        requestContext.setSecurityContext(oidcSecCtx);
     }
+    
     private MultivaluedMap<String, String> toFormData(ContainerRequestContext rc) {
         MultivaluedMap<String, String> requestState = new MetadataMap<String, String>();
         if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(rc.getMediaType())) {
@@ -74,4 +78,8 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter
{
     public void setConsumer(Consumer consumer) {
         this.consumer = consumer;
     }
+    
+    public void setRoleClaim(String roleClaim) {
+        this.roleClaim = roleClaim;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/689632b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
index f84ca1c..552a6a1 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
@@ -28,6 +28,7 @@ import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 public class OidcSecurityContext extends SimpleSecurityContext implements SecurityContext
{
     private OidcClientTokenContext oidcContext;
+    private String roleClaim;
 
     public OidcSecurityContext(IdToken token) {
         this(new OidcClientTokenContextImpl(token));
@@ -82,4 +83,18 @@ public class OidcSecurityContext extends SimpleSecurityContext implements
Securi
     public String getAuthenticationScheme() {
         return "OIDC";
     }
+    
+    @Override
+    public boolean isUserInRole(String role) {
+        return roleClaim != null && role != null && oidcContext.getIdToken()
!= null
+            && oidcContext.getIdToken().containsProperty(roleClaim)
+            && role.equals(oidcContext.getIdToken().getProperty(roleClaim));
+    }
+    
+    /**
+     * Set the claim name that corresponds to the "role" of the Subject of the IdToken.
+     */
+    public void setRoleClaim(String roleClaim) {
+        this.roleClaim = roleClaim;
+    }
 }
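Review bot: `isUserInRole` in this hunk matches the role with `role.equals(oidcContext.getIdToken().getProperty(roleClaim))`, so a claim that carries several roles as a JSON array (a common shape for a roles claim) never matches and the caller gets false even when the role is present. If `getProperty` returns `Object` here (its declaration is outside the hunk), the method can accept a `Collection` value as well as a scalar, as below; that needs a `java.util.Collection` import. The fail-closed behaviour when no roleClaim is configured is worth stating in a Javadoc on the method, e.g. `/** Returns true only when a role claim has been configured and the IdToken carries that claim with the given role as its value; with no claim configured no role is ever granted. */`.
```java
@Override
public boolean isUserInRole(String role) {
    if (roleClaim == null || role == null || oidcContext.getIdToken() == null
        || !oidcContext.getIdToken().containsProperty(roleClaim)) {
        return false;
    }
    Object claimValue = oidcContext.getIdToken().getProperty(roleClaim);
    // A role claim is often multi-valued; accept either a single value or a collection.
    if (claimValue instanceof Collection<?>) {
        return ((Collection<?>) claimValue).contains(role);
    }
    return role.equals(claimValue);
}
// … unchanged: setRoleClaim …
```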

