From: reta@apache.org To: commits@cxf.apache.org Date: Mon, 11 Jul 2016 00:14:17 -0000 Message-Id: <2db2975a5da34a0ab0e7f1ec7e0891dd@git.apache.org> In-Reply-To: <8cbfd51cd2674d03bacf70303de6a5e9@git.apache.org> References: <8cbfd51cd2674d03bacf70303de6a5e9@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [12/33] cxf git commit: Widening a startUri coverage OOB in ClientCodeRequestFilter as suggested by Colm archived-at: Mon, 11 Jul 2016 00:14:14 -0000 Widening a startUri coverage OOB in ClientCodeRequestFilter as suggested by Colm Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/120f9974 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/120f9974 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/120f9974 Branch: refs/heads/master-jaxrs-2.1 Commit: 120f9974c2598d4a05cb4dc816f80cf944626f6d Parents: a2d869b Author: Sergey Beryozkin Authored: Thu Jul 7 12:28:05 2016 +0100 Committer: Sergey Beryozkin Committed: Thu Jul 7 12:28:05 2016 +0100 ---------------------------------------------------------------------- .../oauth2/client/ClientCodeRequestFilter.java | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/120f9974/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index c777083..cb233f4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
+import java.util.logging.Logger;
 
 import javax.annotation.Priority;
 import javax.ws.rs.Priorities;
@@ -36,6 +37,7 @@ import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.ext.MessageContext;
@@ -55,12 +57,14 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils;
 @PreMatching
 @Priority(Priorities.AUTHENTICATION + 1)
 public class ClientCodeRequestFilter implements ContainerRequestFilter {
+ protected static final Logger LOG = LogUtils.getL7dLogger(ClientCodeRequestFilter.class);
+ private static final String WILDCARD = "*";
 @Context
 private MessageContext mc;
 
 private String scopes;
 private String completeUri;
- private String startUri;
+ private String startUri = "*";
 private String authorizationServiceUri;
 private Consumer consumer;
 private ClientCodeStateManager clientStateManager;
@@ -87,10 +91,14 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
 if (referer != null && referer.startsWith(authorizationServiceUri)) {
 completeUri = absoluteRequestUri;
 sameUriRedirect = true;
+ } else {
+ LOG.warning("Complete URI is not initialized, authentication flow can not be completed");
+ rc.abortWith(Response.status(500).build());
+ return;
 }
 }
 
- if (!sameUriRedirect && absoluteRequestUri.endsWith(startUri)) {
+ if (!sameUriRedirect && isStartUriMatched(absoluteRequestUri)) {
 ClientTokenContext request = getClientTokenContext(rc);
 if (request != null) {
 setClientCodeRequest(request);
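Review bot: The changed `startUri` field line repeats the literal `"*"` instead of the `WILDCARD` constant declared two lines above it, so the sentinel that `isStartUriMatched` later compares against is spelled in two places; use `private String startUri = WILDCARD;`. The default now carries security meaning and deserves a comment on the field, e.g. `// WILDCARD: every request that is not the completeUri starts the authorization-code flow`. Note this also changes behaviour for deployments that never configured startUri: the old `absoluteRequestUri.endsWith(startUri)` threw a NullPointerException whenever that branch was reached with a null startUri, whereas now every unauthenticated request outside completeUri is redirected into the OAuth2 flow, which is worth stating in the release notes.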
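Review bot: The new `else` branch makes the `Referer` header the only input deciding whether a request arriving with no completeUri is the authorization callback (proceed) or a misconfiguration (500), and `Referer` is both client-controlled and frequently absent (Referrer-Policy, cross-scheme navigation, privacy extensions), so a legitimate callback can now fail with 500 while a request with a forged `Referer` is still treated as the callback. Since the filter cannot complete the flow at all without a completeUri, it is safer to fail at configuration time than per request, e.g. validate in the setter or an init method with `if (completeUri == null) throw new IllegalStateException("completeUri must be configured");` and keep the Referer-derived path only as a best-effort fallback. The `LOG.warning` will also fire on every such request; logging once at startup avoids log flooding from unauthenticated traffic. The enclosing method and the guard that presumably tests `completeUri == null` around this if/else start above the hunk, so that assumption should be confirmed.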
@@ -105,9 +113,16 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
 MultivaluedMap requestParams = toRequestState(rc, ui);
 processCodeResponse(rc, ui, requestParams);
 checkSecurityContextEnd(rc, requestParams);
+ } else {
+ rc.abortWith(Response.status(401).build());
 }
 }
 
+ protected boolean isStartUriMatched(String absoluteRequestUri) {
+ return startUri.equals(WILDCARD) && !absoluteRequestUri.endsWith(completeUri)
+ || absoluteRequestUri.endsWith(startUri);
+ }
+
 protected void checkSecurityContextStart(ContainerRequestContext rc) {
 SecurityContext sc = rc.getSecurityContext();
 if (sc == null || sc.getUserPrincipal() == null) {
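Review bot: `isStartUriMatched` mixes `&&` and `||` without parentheses; Java's precedence yields `(startUri.equals(WILDCARD) && !absoluteRequestUri.endsWith(completeUri)) || absoluteRequestUri.endsWith(startUri)`, and an access-control predicate is easier to audit with that grouping written out and a Javadoc line such as `/** True when the request should start the code flow: any non-completeUri request under the wildcard, or a request ending with the configured startUri. */`. Both tests are plain suffix matches on the absolute request URI, so a completeUri of `/cb` is also matched by `/other/cb` and that path is then excluded from the flow, while a configured startUri is matched by any deeper path sharing its suffix; comparing the request path component for equality with the configured value would be tighter, though whether `absoluteRequestUri` carries a query string is not visible here. The new unconditional `Response.status(401)` for requests matching neither URI is sent without a `WWW-Authenticate` header, which RFC 7235 requires for 401; either add a challenge or use `Response.Status.FORBIDDEN` if no challenge applies. The enclosing filter method starts above the hunk.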