Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id AAD67200B44 for ; Thu, 14 Jul 2016 16:11:18 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id A9D2F160A63; Thu, 14 Jul 2016 14:11:18 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id CB56E160A60 for ; Thu, 14 Jul 2016 16:11:17 +0200 (CEST) Received: (qmail 25979 invoked by uid 500); 14 Jul 2016 14:11:17 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 25967 invoked by uid 99); 14 Jul 2016 14:11:16 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Jul 2016 14:11:16 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id CDEE6E383A; Thu, 14 Jul 2016 14:11:16 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <8b617ce74c424f9bb6890b5d498e18a5@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: More ClientCodeRequestFilter updates Date: Thu, 14 Jul 2016 14:11:16 +0000 (UTC) archived-at: Thu, 14 Jul 2016 14:11:18 -0000 Repository: cxf Updated Branches: refs/heads/master 120d20f47 -> 79ce1f4ca More ClientCodeRequestFilter updates Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/79ce1f4c Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/79ce1f4c Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/79ce1f4c Branch: refs/heads/master Commit: 79ce1f4ca105b045f538c72b58e66747ca289f41 Parents: 120d20f Author: Sergey Beryozkin Authored: Thu Jul 14 17:11:00 2016 +0300 Committer: Sergey Beryozkin Committed: Thu Jul 14 17:11:00 2016 +0300 ---------------------------------------------------------------------- .../oauth2/client/ClientCodeRequestFilter.java | 54 +++++++++++--------- .../oidc/rp/OidcRpAuthenticationFilter.java | 2 +- 2 files changed, 32 insertions(+), 24 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/79ce1f4c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index 85aa526..3576c9d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
@@ -58,13 +58,12 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils;
 @Priority(Priorities.AUTHENTICATION + 1) public class ClientCodeRequestFilter implements ContainerRequestFilter {
 protected static final Logger LOG = LogUtils.getL7dLogger(ClientCodeRequestFilter.class);
- private static final String WILDCARD = "*";
 @Context private MessageContext mc;
 private String scopes;
 private String completeUri;
- private String startUri = "*";
+ private String startUri;
 private String authorizationServiceUri;
 private Consumer consumer;
 private ClientCodeStateManager clientStateManager;
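Review bot: Removing the `WILDCARD` constant and the `"*"` default silently changes the meaning of an explicitly configured `startUri="*"`: the rewritten `isStartUriMatched` in the next hunk recognises the wildcard only as `startUri == null`, so a deployment that still sets `"*"` ends in `absoluteRequestUri.endsWith("*")`, which never matches, and requests that should start the code flow are rejected with 401 instead. If a `setStartUri` setter exists outside this diff it could absorb the legacy value, e.g. `this.startUri = "*".equals(startUri) ? null : startUri;`. The field itself deserves a comment recording the new contract, such as `// null: any request URI may start the code flow`.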
@@ -85,54 +84,63 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
 UriInfo ui = rc.getUriInfo();
 String absoluteRequestUri = ui.getAbsolutePath().toString();
- boolean sameUriRedirect = false;
 if (completeUri == null) {
 String referer = rc.getHeaderString("Referer");
 if (referer != null && referer.startsWith(authorizationServiceUri)) {
 completeUri = absoluteRequestUri;
- sameUriRedirect = true;
 }
 }
- if (!sameUriRedirect && isStartUriMatched(ui, absoluteRequestUri)) {
+ if (isStartUriMatched(ui, absoluteRequestUri)) {
 ClientTokenContext request = getClientTokenContext(rc);
 if (request != null) {
 setClientCodeRequest(request);
 if (completeUri != null) {
 rc.setRequestUri(URI.create(completeUri));
 }
+ // let the request continue if the token context is already available
 return;
 }
- Response codeResponse = createCodeResponse(rc, ui);
+ // start the code flow
+ Response codeResponse = createCodeResponse(rc, ui);
 rc.abortWith(codeResponse);
- } else if (completeUri == null) {
- LOG.warning("Complete URI is not initialized, authentication flow can not be completed");
- rc.abortWith(Response.status(500).build());
 return;
- } else if (absoluteRequestUri.endsWith(completeUri)) {
- MultivaluedMap requestParams = toRequestState(rc, ui);
- processCodeResponse(rc, ui, requestParams);
- checkSecurityContextEnd(rc, requestParams);
 } else {
- rc.abortWith(Response.status(401).build());
- }
+ // complete the code flow if possible
+ MultivaluedMap requestParams = toRequestState(rc, ui);
+ if (codeResponseQueryParamsAvailable(requestParams)
+ && (completeUri == null || absoluteRequestUri.endsWith(completeUri))) {
+ processCodeResponse(rc, ui, requestParams);
+ checkSecurityContextEnd(rc, requestParams);
+ // let the request continue
+ return;
+ }
+ }
+ // neither the start nor the end of the flow
 rc.abortWith(Response.status(401).build());
 }
 protected boolean isStartUriMatched(UriInfo ui, String absoluteRequestUri) {
- if (startUri.equals(WILDCARD) &&
(completeUri == null || !absoluteRequestUri.endsWith(completeUri))) {
+ // If all request URIs can initiate a code flow then it is a match
+ // unless the current request URI matches a non-null completeUri
+ if (startUri == null && completeUri != null && !absoluteRequestUri.endsWith(completeUri)) {
 return true;
 }
- if (!absoluteRequestUri.endsWith(startUri)) {
- return false;
- }
- if (startUri.equals(completeUri)) {
+ // If completeUri is null or startUri equals to it then check the code flow
+ // response properties, if code parameters are set then it is the end of the flow
+ if (completeUri == null || startUri != null && startUri.equals(completeUri)) {
 MultivaluedMap queries = ui.getQueryParameters();
- if (queries.containsKey(OAuthConstants.AUTHORIZATION_CODE_VALUE)
- || queries.containsKey(OAuthConstants.ERROR_KEY)) {
+ if (codeResponseQueryParamsAvailable(queries)) {
 return false;
 }
 }
- return true;
+ // Finally compare start URI with the request URI
+ return startUri == null || absoluteRequestUri.endsWith(startUri);
+ }
+
+ private boolean codeResponseQueryParamsAvailable(MultivaluedMap queries) {
+ return queries.containsKey(OAuthConstants.AUTHORIZATION_CODE_VALUE)
+ || queries.containsKey(OAuthConstants.ERROR_KEY);
 }
 protected void checkSecurityContextStart(ContainerRequestContext rc) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/79ce1f4c/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
index 3cead95..9a6823b 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
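Review bot: The new `isStartUriMatched` still returns true for the wildcard case when the request URI matches a non-null `completeUri`, contradicting the comment above its first `if`: with `startUri == null` that first condition is false, the second `if` is skipped because `completeUri != null` and `startUri == null`, and the final `return startUri == null || ...` yields true. That is exactly the situation the removed `sameUriRedirect` flag used to cover — the request whose `Referer` has just seeded `completeUri` with the current URI — and on the new side such a request is classified as the start of the flow and, unless `getClientTokenContext` already returns a context, answered with `createCodeResponse` (presumably another redirect to the authorization service) instead of having its `code`/`error` parameters processed. Extending the second condition to the wildcard case restores the check: `if (completeUri == null || startUri == null || startUri.equals(completeUri)) {`. Separately, `completeUri = absoluteRequestUri` writes per-request, client-influenced data (the `Referer` header) into shared filter state with no synchronization; that predates this commit but deserves a follow-up since it can pin the completion URI for every later request. The enclosing filter method's signature lies before the hunk.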
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -47,7 +47,7 @@ import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 @PreMatching
-@Priority(Priorities.AUTHENTICATION)
+@Priority(Priorities.AUTHENTICATION + 2)
 public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
 @Context private MessageContext mc;
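Review bot: `Priorities.AUTHENTICATION + 2` only does its job because `ClientCodeRequestFilter` is registered at `Priorities.AUTHENTICATION + 1` in the first file of this commit, and neither site records that ordering dependency; someone adjusting one value has no hint to adjust the other. A comment on this annotation would keep the contract visible, e.g. `// must run after ClientCodeRequestFilter (AUTHENTICATION + 1) so its token context is available`. Since this filter presumably authenticates from the context the code filter establishes, a shared named constant for the two offsets would be safer than two magic numbers.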