From r...@apache.org
Subject [20/33] cxf git commit: [CXF-6692] Updates to the way some claims are set
Date Sat, 13 Aug 2016 21:30:58 GMT
[CXF-6692] Updates to the way some claims are set


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b69f76c6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b69f76c6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b69f76c6

Branch: refs/heads/master-jaxrs-2.1
Commit: b69f76c6a43376f85c4b3bc5135b58f717463e8f
Parents: 0f51e22
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Fri Aug 12 13:18:42 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Fri Aug 12 13:18:42 2016 +0100

----------------------------------------------------------------------
 .../oauth2/filters/JwtAccessTokenValidator.java | 27 +++++++++++---------
 .../provider/AbstractOAuthDataProvider.java     | 15 ++++++-----
 .../oauth2/utils/JwtAccessTokenUtils.java       | 20 +++++----------
 .../oauth2/filters/OAuth2JwtFiltersTest.java    |  5 ++--
 4 files changed, 33 insertions(+), 34 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/b69f76c6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
index 252bed7..769f7bb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
@@ -40,6 +40,10 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 public class JwtAccessTokenValidator extends JoseJwtConsumer implements AccessTokenValidator
{
 
+    private static final String USERNAME_CLAIM = "username";
+    
+    private String usernameClaim = USERNAME_CLAIM;
+    
     public List<String> getSupportedAuthorizationSchemes() {
         return Collections.singletonList(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
     }
@@ -61,8 +65,9 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements
AccessTo
     private AccessTokenValidation convertClaimsToValidation(JwtClaims claims) {
         AccessTokenValidation atv = new AccessTokenValidation();
         atv.setInitialValidationSuccessful(true);
-        if (claims.getAudience() != null) {
-            atv.setClientId(claims.getAudience());
+        String clientId = claims.getStringProperty(OAuthConstants.CLIENT_ID);
+        if (clientId != null) {
+            atv.setClientId(clientId);
         }
         if (claims.getIssuedAt() != null) {
             atv.setTokenIssuedAt(claims.getIssuedAt());
@@ -72,15 +77,9 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements
AccessTo
         if (claims.getExpiryTime() != null) {
             atv.setTokenLifetime(claims.getExpiryTime() - atv.getTokenIssuedAt());
         }
-        Object resourceAud = claims.getClaim(OAuthConstants.RESOURCE_INDICATOR);
-        if (resourceAud != null) {
-            List<String> auds = null;
-            if (resourceAud instanceof List) {
-                auds = CastUtils.cast((List<?>)resourceAud);
-            } else {
-                auds = Collections.singletonList((String)resourceAud);
-            } 
-            atv.setAudiences(auds);
+        List<String> audiences = claims.getAudiences();
+        if (audiences != null && !audiences.isEmpty()) {
+            atv.setAudiences(claims.getAudiences());
         }
         if (claims.getIssuer() != null) {
             atv.setTokenIssuer(claims.getIssuer());
@@ -97,7 +96,7 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements
AccessTo
             }
             atv.setTokenScopes(perms);
         }
-        String username = (String)claims.getClaim("preferred_username");
+        String username = (String)claims.getClaim(usernameClaim);
         if (username != null) {
             UserSubject userSubject = new UserSubject(username);
             if (claims.getSubject() != null) {
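Review bot: `(String)claims.getClaim(usernameClaim)` casts the raw claim value, so a token whose configured username claim holds a non-string value (a list or a map) would fail with a ClassCastException rather than being treated as having no username; the sibling code in JwtAccessTokenUtils reads the same claim through `getStringProperty`, and this line should match it, `String username = claims.getStringProperty(usernameClaim);`. Whether `getStringProperty` converts or rejects non-string values is not visible here, but either way it keeps the two readers of this claim consistent and drops the cast that the old `preferred_username` line already carried. convertClaimsToValidation continues outside the hunk.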
@@ -110,4 +109,8 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements
AccessTo
         return atv;
     }
 
+    public void setUsernameClaim(String usernameClaim) {
+        this.usernameClaim = usernameClaim;
+    }
+
 }
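Review bot: `setUsernameClaim` accepts null without complaint, and that null is then used as the claim name in `claims.getClaim(usernameClaim)` on every validated token; failing at configuration time is clearer, e.g. `this.usernameClaim = Objects.requireNonNull(usernameClaim, "usernameClaim");` (java.util.Objects would need importing, and the import block is outside this hunk). The setter is public configuration API with no Javadoc; a one-line summary such as `/** Sets the name of the claim that carries the user login; defaults to "username". */` would tell deployers which claim the issued tokens must contain for a UserSubject to be created.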

http://git-wip-us.apache.org/repos/asf/cxf/blob/b69f76c6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index ec8ead5..736a9bb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -92,7 +92,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
     protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
         JwtClaims claims = new JwtClaims();
         claims.setTokenId(at.getTokenKey());
-        claims.setAudience(at.getClient().getClientId());
+        claims.setClaim(OAuthConstants.CLIENT_ID, at.getClient().getClientId());
         claims.setIssuedAt(at.getIssuedAt());
         if (at.getExpiresIn() > 0) {
             claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
@@ -101,11 +101,9 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         if (userSubject != null) {
             if (userSubject.getId() != null) {
                 claims.setSubject(userSubject.getId());
-                claims.setClaim("preferred_username", userSubject.getLogin());
-            } else {
-                claims.setSubject(userSubject.getLogin());
             }
-            
+            // to be consistent with the token introspection response
+            claims.setClaim("username", userSubject.getLogin());
         }
         if (at.getIssuer() != null) {
             claims.setIssuer(at.getIssuer());
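Review bot: The removed `else` branch set `sub` to the login when the subject had no id, so tokens for such subjects now carry no `sub` claim at all, only `username`; the two consumers touched by this commit tolerate that (their `claims.getSubject() != null` checks), but other JWT consumers commonly expect `sub`, so if dropping it is intended the comment should say so, e.g. `// 'sub' is only set when the subject has an id; 'username' always carries the login`. The `"username"` literal is now written here, read in JwtAccessTokenUtils and asserted in OAuth2JwtFiltersTest, while only JwtAccessTokenValidator makes the claim name configurable; a shared constant alongside `OAuthConstants.CLIENT_ID` would keep the three in step. createJwtAccessToken starts and ends outside this hunk.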
@@ -117,8 +115,11 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         // OAuth2 resource indicators (resource server audience)
         if (!at.getAudiences().isEmpty()) {
             List<String> resourceAudiences = at.getAudiences();
-            claims.setClaim(OAuthConstants.RESOURCE_INDICATOR, 
-                            resourceAudiences.size() == 1 ? resourceAudiences.get(0) : resourceAudiences);
+            if (resourceAudiences.size() == 1) {
+                claims.setAudience(resourceAudiences.get(0));
+            } else {
+                claims.setAudiences(resourceAudiences);
+            }
         }
         if (!at.getExtraProperties().isEmpty()) {
             claims.setClaim("extra_properties", at.getExtraProperties());

http://git-wip-us.apache.org/repos/asf/cxf/blob/b69f76c6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
index c513ba3..92fdf6e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
@@ -18,7 +18,6 @@
  */
 package org.apache.cxf.rs.security.oauth2.utils;
 
-import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -45,21 +44,16 @@ public final class JwtAccessTokenUtils {
                                                              ClientRegistrationProvider clientProvider)
{
         JwtClaims claims = consumer.getJwtToken(jose).getClaims();
        
-        Client c = clientProvider.getClient(claims.getStringProperty(JwtConstants.CLAIM_AUDIENCE));
+        Client c = clientProvider.getClient(claims.getStringProperty(OAuthConstants.CLIENT_ID));
         long issuedAt = claims.getLongProperty(JwtConstants.CLAIM_ISSUED_AT);
         long lifetime = claims.getLongProperty(JwtConstants.CLAIM_EXPIRY) - issuedAt;
         BearerAccessToken at = new BearerAccessToken(c, jose, lifetime, issuedAt);
        
-        Object resourceAud = claims.getClaim(OAuthConstants.RESOURCE_INDICATOR);
-        if (resourceAud != null) {
-            List<String> auds = null;
-            if (resourceAud instanceof List) {
-                auds = CastUtils.cast((List<?>)resourceAud);
-            } else {
-                auds = Collections.singletonList((String)resourceAud);
-            } 
-            at.setAudiences(auds);
+        List<String> audiences = claims.getAudiences();
+        if (audiences != null && !audiences.isEmpty()) {
+            at.setAudiences(claims.getAudiences());
         }
+        
         String issuer = claims.getStringProperty(JwtConstants.CLAIM_ISSUER);
         if (issuer != null) {
             at.setIssuer(issuer);
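Review bot: `claims.getStringProperty(OAuthConstants.CLIENT_ID)` is handed straight to `clientProvider.getClient`, so a token that lacks the new client id claim — for instance one issued before this change, when the client id lived in `aud` — passes null to the provider and then into `new BearerAccessToken(c, ...)`, with the outcome depending on the provider rather than on this method. Reading the claim into a local and rejecting the token explicitly when it is null would make the failure deterministic and keep a malformed or legacy token from producing an access token with a null client. The same compatibility question applies to audiences, which this hunk now reads only from `aud` and no longer from `OAuthConstants.RESOURCE_INDICATOR`; if older tokens can still be presented, that is worth a comment at least. The enclosing method starts and ends outside the hunk.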
@@ -76,8 +70,8 @@ public final class JwtAccessTokenUtils {
             }
             at.setScopes(perms);
         }
-        String username = claims.getStringProperty("preferred_username");
-        String subject = claims.getStringProperty(JwtConstants.CLAIM_SUBJECT);
+        String username = claims.getStringProperty("username");
+        String subject = claims.getSubject();
         if (username != null) {
             UserSubject userSubject = new UserSubject(username);
             if (subject != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/b69f76c6/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
index e2d1722..0b5e53e 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
@@ -29,6 +29,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.systest.jaxrs.security.Book;
 import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -98,8 +99,8 @@ public class OAuth2JwtFiltersTest extends AbstractBusClientServerTestBase
{
             "org/apache/cxf/systest/jaxrs/security/alice.rs.properties", null);
         assertTrue(jwtConsumer.verifySignatureWith(verifier));
         JwtClaims claims = jwtConsumer.getJwtClaims();
-        assertEquals("consumer-id", claims.getAudience());
-        assertEquals("alice", claims.getSubject());
+        assertEquals("consumer-id", claims.getStringProperty(OAuthConstants.CLIENT_ID));
+        assertEquals("alice", claims.getStringProperty("username"));
         // Now invoke on the service with the access token
         WebClient client = WebClient.create(rsAddress, OAuth2TestUtils.setupProviders(),
                                             busFile.toString());

