cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-7264, CXF-7286] JPA change userSubject pk to id and fixing PersistenceException on refreshAccessToken, patch from Adrian Gonzalez applied, This closes #246
Date Mon, 20 Mar 2017 11:12:39 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes addf51d4c -> 2458c5c8f


[CXF-7264,CXF-7286] JPA change userSubject pk to id and fixing PersistenceException on refreshAccessToken,
patch from Adrian Gonzalez applied, This closes #246


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2458c5c8
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2458c5c8
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2458c5c8

Branch: refs/heads/3.1.x-fixes
Commit: 2458c5c8f6b74c034337acbd9ea96bb51563a5eb
Parents: addf51d
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Mar 20 11:09:59 2017 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Mar 20 11:11:01 2017 +0000

----------------------------------------------------------------------
 .../rs/security/oauth2/common/UserSubject.java  | 16 ++++++++---
 .../oauth2/grants/code/JPACodeDataProvider.java |  2 +-
 .../provider/AbstractOAuthDataProvider.java     |  6 ++--
 .../oauth2/provider/JPAOAuthDataProvider.java   | 16 ++++++-----
 .../provider/JPAOAuthDataProviderTest.java      | 30 ++++++++++++++++++++
 .../src/test/resources/META-INF/persistence.xml |  2 ++
 6 files changed, 58 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2458c5c8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
index 8d27148..3e8abdd 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java
@@ -32,6 +32,9 @@ import javax.persistence.MapKeyColumn;
 import javax.persistence.OrderColumn;
 import javax.xml.bind.annotation.XmlRootElement;
 
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+
 /**
  * Represents a login name which AuthorizationService
  * may capture after the end user approved a given third party request
@@ -49,26 +52,28 @@ public class UserSubject implements Serializable {
     private AuthenticationMethod am;
 
     public UserSubject() {
-
+        this.id = newId();
     }
 
     public UserSubject(String login) {
+        this();
         this.login = login;
     }
 
     public UserSubject(String login, List<String> roles) {
+        this();
         this.login = login;
         this.roles = roles;
     }
 
     public UserSubject(String login, String id) {
         this.login = login;
-        this.id = id;
+        this.id = id != null ? id : newId();
     }
 
     public UserSubject(String login, String id, List<String> roles) {
         this.login = login;
-        this.id = id;
+        this.id = id != null ? id : newId();
         this.roles = roles;
     }
 
@@ -76,7 +81,10 @@ public class UserSubject implements Serializable {
         this(sub.getLogin(), sub.getId(), sub.getRoles());
         this.properties = sub.getProperties();
         this.am = sub.getAuthenticationMethod();
+    }
 
+    private String newId() {
+        return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16));
     }
 
     /**
@@ -84,7 +92,6 @@ public class UserSubject implements Serializable {
      *
      * @return the login name
      */
-    @Id
     public String getLogin() {
         return login;
     }
@@ -145,6 +152,7 @@ public class UserSubject implements Serializable {
      *
      * @return the user's id
      */
+    @Id
     public String getId() {
         return this.id;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2458c5c8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
index 84bfb8e..a0b2001 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JPACodeDataProvider.java
@@ -50,7 +50,7 @@ public class JPACodeDataProvider extends JPAOAuthDataProvider implements
Authori
             @Override
             public Void execute(EntityManager em) {
                 if (grant.getSubject() != null) {
-                    UserSubject sub = em.find(UserSubject.class, grant.getSubject().getLogin());
+                    UserSubject sub = em.find(UserSubject.class, grant.getSubject().getId());
                     if (sub == null) {
                         em.persist(grant.getSubject());
                     } else {

http://git-wip-us.apache.org/repos/asf/cxf/blob/2458c5c8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index b360d62..c032f75 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -369,14 +369,16 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
                                                      RefreshToken oldRefreshToken, 
                                                      List<String> restrictedScopes)
{
         ServerAccessToken at = createNewAccessToken(client, oldRefreshToken.getSubject());
-        at.setAudiences(oldRefreshToken.getAudiences());
+        at.setAudiences(oldRefreshToken.getAudiences() != null
+                ? new ArrayList<String>(oldRefreshToken.getAudiences()) : null);
         at.setGrantType(oldRefreshToken.getGrantType());
         at.setGrantCode(oldRefreshToken.getGrantCode());
         at.setSubject(oldRefreshToken.getSubject());
         at.setNonce(oldRefreshToken.getNonce());
         at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
         if (restrictedScopes.isEmpty()) {
-            at.setScopes(oldRefreshToken.getScopes());
+            at.setScopes(oldRefreshToken.getScopes() != null
+                    ? new ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) :
null);
         } else {
             List<OAuthPermission> theNewScopes = convertScopeToPermissions(client,
restrictedScopes);
             if (oldRefreshToken.getScopes().containsAll(theNewScopes)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/2458c5c8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
index 183014b..60a7615 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProvider.java
@@ -105,7 +105,7 @@ public class JPAOAuthDataProvider extends AbstractOAuthDataProvider {
             public Void execute(EntityManager em) {
                 if (client.getResourceOwnerSubject() != null) {
                     UserSubject sub =
-                            em.find(UserSubject.class, client.getResourceOwnerSubject().getLogin());
+                            em.find(UserSubject.class, client.getResourceOwnerSubject().getId());
                     if (sub == null) {
                         em.persist(client.getResourceOwnerSubject());
                     } else {
@@ -263,12 +263,14 @@ public class JPAOAuthDataProvider extends AbstractOAuthDataProvider
{
                 }
                 serverToken.setScopes(perms);
 
-                UserSubject sub = em.find(UserSubject.class, serverToken.getSubject().getLogin());
-                if (sub == null) {
-                    em.persist(serverToken.getSubject());
-                } else {
-                    sub = em.merge(serverToken.getSubject());
-                    serverToken.setSubject(sub);
+                if (serverToken.getSubject() != null) {
+                    UserSubject sub = em.find(UserSubject.class, serverToken.getSubject().getId());
+                    if (sub == null) {
+                        em.persist(serverToken.getSubject());
+                    } else {
+                        sub = em.merge(serverToken.getSubject());
+                        serverToken.setSubject(sub);
+                    }
                 }
                 // ensure we have a managed association
                 // (needed for OpenJPA : InvalidStateException: Encountered unmanaged object)

http://git-wip-us.apache.org/repos/asf/cxf/blob/2458c5c8/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProviderTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProviderTest.java
b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProviderTest.java
index 0b9e04a..70a882c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProviderTest.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/provider/JPAOAuthDataProviderTest.java
@@ -199,6 +199,36 @@ public class JPAOAuthDataProviderTest extends Assert {
         assertEquals(0, tokens.size());
     }
 
+    /**
+     * Checks that having multiple token each with its own
+     * userSubject (but having same login) works.
+     */
+    @Test
+    public void testAddGetDeleteMultipleAccessToken() {
+        Client c = addClient("101", "bob");
+
+        AccessTokenRegistration atr = new AccessTokenRegistration();
+        atr.setClient(c);
+        atr.setApprovedScope(Collections.singletonList("a"));
+        atr.setSubject(c.getResourceOwnerSubject());
+        ServerAccessToken at = getProvider().createAccessToken(atr);
+        at = getProvider().getAccessToken(at.getTokenKey());
+
+        AccessTokenRegistration atr2 = new AccessTokenRegistration();
+        atr2.setClient(c);
+        atr2.setApprovedScope(Collections.singletonList("a"));
+        atr2.setSubject(new TestingUserSubject(c.getResourceOwnerSubject().getLogin()));
+        ServerAccessToken at2 = getProvider().createAccessToken(atr2);
+        at2 = getProvider().getAccessToken(at2.getTokenKey());
+
+        assertNotNull(at.getSubject().getId());
+        assertTrue(at.getSubject() instanceof UserSubject);
+        assertNotNull(at2.getSubject().getId());
+        assertTrue(at2.getSubject() instanceof TestingUserSubject);
+        assertEquals(at.getSubject().getLogin(), at2.getSubject().getLogin());
+        assertNotEquals(at.getSubject().getId(), at2.getSubject().getId());
+    }
+
     @Test
     public void testAddGetDeleteRefreshToken() {
         Client c = addClient("101", "bob");

http://git-wip-us.apache.org/repos/asf/cxf/blob/2458c5c8/rt/rs/security/oauth-parent/oauth2/src/test/resources/META-INF/persistence.xml
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/resources/META-INF/persistence.xml
b/rt/rs/security/oauth-parent/oauth2/src/test/resources/META-INF/persistence.xml
index b572fbd..6be18f9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/resources/META-INF/persistence.xml
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/resources/META-INF/persistence.xml
@@ -15,6 +15,7 @@
         <class>org.apache.cxf.rs.security.oauth2.common.OAuthPermission</class>
         <class>org.apache.cxf.rs.security.oauth2.common.Permission</class>
         <class>org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken</class>
+        <class>org.apache.cxf.rs.security.oauth2.provider.TestingUserSubject</class>
         <exclude-unlisted-classes>true</exclude-unlisted-classes>
         <shared-cache-mode>ENABLE_SELECTIVE</shared-cache-mode>
         <properties>
@@ -43,6 +44,7 @@
         <class>org.apache.cxf.rs.security.oauth2.common.OAuthPermission</class>
         <class>org.apache.cxf.rs.security.oauth2.common.Permission</class>
         <class>org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken</class>
+        <class>org.apache.cxf.rs.security.oauth2.provider.TestingUserSubject</class>
         <exclude-unlisted-classes>true</exclude-unlisted-classes>
         <shared-cache-mode>ENABLE_SELECTIVE</shared-cache-mode>
         <properties>


Mime
View raw message