From serg...@apache.org
Subject cxf git commit: Widening a startUri coverage OOB in ClientCodeRequestFilter as suggested by Colm
Date Thu, 07 Jul 2016 11:32:00 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 9135ee4d2 -> 87091eefd


Widening a startUri coverage OOB in ClientCodeRequestFilter as suggested by Colm


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/87091eef
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/87091eef
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/87091eef

Branch: refs/heads/3.1.x-fixes
Commit: 87091eefd18770ea7de6c6257a150fb0a217c160
Parents: 9135ee4
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Jul 7 12:28:05 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Jul 7 12:30:06 2016 +0100

----------------------------------------------------------------------
 .../oauth2/client/ClientCodeRequestFilter.java   | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/87091eef/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index ac3ccfe..8df02a8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
+import java.util.logging.Logger;
 
 import javax.annotation.Priority;
 import javax.ws.rs.Priorities;
@@ -36,6 +37,7 @@ import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.ext.MessageContext;
@@ -55,12 +57,14 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils;
 @PreMatching
 @Priority(Priorities.AUTHENTICATION + 1)
 public class ClientCodeRequestFilter implements ContainerRequestFilter {
+    protected static final Logger LOG = LogUtils.getL7dLogger(ClientCodeRequestFilter.class);
+    private static final String WILDCARD = "*";
     @Context
     private MessageContext mc;
     
     private String scopes;
     private String completeUri;
-    private String startUri;
+    private String startUri = "*";
     private String authorizationServiceUri;
     private Consumer consumer;
     private ClientCodeStateManager clientStateManager;
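Review bot: The new default `private String startUri = "*";` repeats the literal that the line above names as `WILDCARD`, so the two can silently drift apart if the constant is ever changed; initialise from the constant instead, `private String startUri = WILDCARD;`. The default also changes what the filter treats as a start URI, since every request that does not end with completeUri now begins the authorization code flow, and a reader of the field alone cannot see that. A comment on the field such as `// "*" (the default) makes every request other than completeUri a start URI; see isStartUriMatched()` would document the intent at the point of configuration.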
@@ -87,10 +91,14 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
             if (referer != null && referer.startsWith(authorizationServiceUri)) {
                 completeUri = absoluteRequestUri;
                 sameUriRedirect = true;
+            } else {
+                LOG.warning("Complete URI is not initialized, authentication flow can not
be completed");
+                rc.abortWith(Response.status(500).build());
+                return;
             }
         }
         
-        if (!sameUriRedirect && absoluteRequestUri.endsWith(startUri)) {
+        if (!sameUriRedirect && isStartUriMatched(absoluteRequestUri)) {
             ClientTokenContext request = getClientTokenContext(rc);
             if (request != null) {
                 setClientCodeRequest(request);
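Review bot: The new `else` branch aborts with 500 without saying why the request cannot continue, and the reason is not local to this hunk: the enclosing method starts and ends outside it, and the surrounding guard (presumably an `if (completeUri == null)` check) is only visible as context. A short comment would make the dependency explicit, for example `// completeUri could not be derived from the referer; isStartUriMatched() relies on it when startUri is the wildcard`. The warning text could likewise name the fix for the deployer, since a 500 on every request is otherwise hard to diagnose, e.g. `"Complete URI is not initialized (set completeUri or let the authorization service redirect here), authentication flow can not be completed"`.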
@@ -105,9 +113,16 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
             MultivaluedMap<String, String> requestParams = toRequestState(rc, ui);
             processCodeResponse(rc, ui, requestParams);
             checkSecurityContextEnd(rc, requestParams);
+        } else {
+            rc.abortWith(Response.status(401).build());
         }
     }
 
+    protected boolean isStartUriMatched(String absoluteRequestUri) {
+        return startUri.equals(WILDCARD) && !absoluteRequestUri.endsWith(completeUri)
+            || absoluteRequestUri.endsWith(startUri);
+    }
+
     protected void checkSecurityContextStart(ContainerRequestContext rc) {
         SecurityContext sc = rc.getSecurityContext();
         if (sc == null || sc.getUserPrincipal() == null) {
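Review bot: `isStartUriMatched` relies on `&&` binding tighter than `||` to get the intended grouping, which is correct but easy to misread in a method that decides whether a request starts the authorization flow; explicit parentheses and a null-safe comparison make the rule obvious: `return (WILDCARD.equals(startUri) && !absoluteRequestUri.endsWith(completeUri)) || absoluteRequestUri.endsWith(startUri);`. The method is `protected`, so subclasses can override it, and a Javadoc stating the contract would help: that it returns true when startUri is the wildcard and the request is not the complete URI, or when the request URI ends with the configured startUri, and that both comparisons are suffix matches. The new 401 abort for requests matching neither start nor complete URI is a behaviour change from the old fall-through; a one-line comment there, `// neither a start nor a complete URI: reject rather than let the request through`, would record that it is deliberate.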

