From serg...@apache.org
Subject cxf git commit: [CXF-7476] Making sure public clients can be processed
Date Wed, 16 Aug 2017 16:30:56 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes f7c55ceac -> 65869aff8


[CXF-7476] Making sure public clients can be processed


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/65869aff
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/65869aff
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/65869aff

Branch: refs/heads/3.1.x-fixes
Commit: 65869aff83e123e6b19dbb69c5287ec892e6f4e2
Parents: f7c55ce
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Aug 16 17:26:45 2017 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Aug 16 17:30:39 2017 +0100

----------------------------------------------------------------------
 .../oauth2/services/AbstractTokenService.java   | 23 ++++++++++----------
 .../oauth2/common/OAuthDataProviderImpl.java    |  4 ++++
 .../oauth2/grants/BookServerOAuth2.java         |  1 +
 .../security/oauth2/grants/JAXRSOAuth2Test.java | 13 +++++++++++
 .../jaxrs/security/oauth2/grants/server.xml     | 15 +++++++++++++
 5 files changed, 45 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/65869aff/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index e8df855..3a41e41 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -67,6 +67,11 @@ public class AbstractTokenService extends AbstractOAuthService {
                     client = getClient(clientId, params);
                     checkCertificateBinding(client, getTlsSessionInfo());
                     validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
+                } else if (canSupportPublicClients) {
+                    client = getValidClient(clientId, params);
+                    if (!isValidPublicClient(client, clientId)) {
+                        client = null;
+                    }
                 }
             }
         } else {
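Review bot: The new public-client branch at L51–L55 hands the result of `getValidClient(clientId, params)` straight to `isValidPublicClient`, which dereferences `client.isConfidential()`; if `getValidClient` can return null for an unregistered client id (its body is outside this hunk), an unknown id sent to a public-capable token endpoint would surface as a NullPointerException rather than the invalid_client error the secret and TLS branches produce via `getClient`. Either fetch through `getClient(clientId, params)` as the TLS branch at L48 does, or guard the check: `if (client != null && !isValidPublicClient(client, clientId)) { client = null; }`. The sibling branches also record how the client authenticated via `validateClientAuthenticationMethod`, while the public branch records nothing; a one-line comment such as `// public client: no credential presented, so no auth-method check applies` would make that asymmetry deliberate rather than an omission. The enclosing method starts and ends outside this hunk.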
@@ -121,9 +126,6 @@ public class AbstractTokenService extends AbstractOAuthService {
         if (!client.getClientId().equals(clientId)) {
             reportInvalidClient();
         }
-        if (isValidPublicClient(client, clientId, providedClientSecret)) {
-            return client;
-        }
         if (!client.isConfidential()
             || !isConfidenatialClientSecretValid(client, providedClientSecret)) {
             reportInvalidClient();
@@ -138,11 +140,10 @@ public class AbstractTokenService extends AbstractOAuthService {
                 && providedClientSecret != null && client.getClientSecret().equals(providedClientSecret);
         }
     }
-    protected boolean isValidPublicClient(Client client, String clientId, String clientSecret)
{
-        return canSupportPublicClients 
-            && !client.isConfidential() 
-            && client.getClientSecret() == null 
-            && clientSecret == null;
+    protected boolean isValidPublicClient(Client client, String clientId) {
+        return canSupportPublicClients
+            && !client.isConfidential()
+            && client.getClientSecret() == null;
     }
     
     protected Client getClientFromBasicAuthScheme(MultivaluedMap<String, String> params)
{
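Review bot: The rewritten `isValidPublicClient` at L79–L82 no longer uses its `clientId` parameter at all, whereas the confidential path at L60 cross-checks `client.getClientId().equals(clientId)` before trusting the looked-up client; either apply the same check here, `&& client.getClientId().equals(clientId)`, or drop the parameter so readers do not assume it is validated. Separately, removing the protected three-argument overload on a fixes branch means any subclass that overrode it is silently no longer consulted when deciding whether a client may act as public; keeping a deprecated delegating overload would preserve that extension point for the 3.1.x line.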
@@ -158,20 +159,20 @@ public class AbstractTokenService extends AbstractOAuthService {
     protected void checkCertificateBinding(Client client, TLSSessionInfo tlsSessionInfo)
{
         String subjectDn = client.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN);
         if (subjectDn == null && client.getApplicationCertificates().isEmpty()) {
-            LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS cerificate");
+            LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS certificate");
             reportInvalidClient();
         }
         X509Certificate cert = OAuthUtils.getRootTLSCertificate(tlsSessionInfo);
         
         if (subjectDn != null 
             && !subjectDn.equals(OAuthUtils.getSubjectDnFromTLSCertificates(cert)))
{
-            LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS cerificate");
+            LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS certificate");
             reportInvalidClient();
         }
         String issuerDn = client.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
         if (issuerDn != null 
             && !issuerDn.equals(OAuthUtils.getIssuerDnFromTLSCertificates(cert)))
{
-            LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS cerificate");
+            LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the
TLS certificate");
             reportInvalidClient();
         }
         if (!client.getApplicationCertificates().isEmpty()) {
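Review bot: The three corrected warnings at L94, L105 and L115 are byte-identical, so an operator reading the log cannot tell whether a rejected client lacked any TLS binding, failed the subject DN comparison, or failed the issuer DN comparison — the distinction matters when triaging a burst of invalid_client responses. Give each check its own reason, e.g. at L105 `LOG.warning("Client \"" + client.getClientId() + "\" TLS certificate subject DN does not match the registered binding");`, with analogous wording for the missing-binding and issuer DN cases. `checkCertificateBinding` continues past the end of this hunk.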

http://git-wip-us.apache.org/repos/asf/cxf/blob/65869aff/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
index 75c922a..3ec0169 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuthDataProviderImpl.java
@@ -115,6 +115,10 @@ public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider
{
         client.getAllowedGrantTypes().add("custom_grant");
         this.setClient(client);
         
+        client = new Client("fredPublic", null, false);
+        client.getAllowedGrantTypes().add("custom_grant");
+        this.setClient(client);
+        
         client = new Client("fred", "password", true);
         client.getAllowedGrantTypes().add("custom_grant");
         this.setClient(client);

http://git-wip-us.apache.org/repos/asf/cxf/blob/65869aff/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2.java
index 88b7e33..9ecf190 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/BookServerOAuth2.java
@@ -29,6 +29,7 @@ import org.apache.cxf.testutil.common.TestUtil;
     
 public class BookServerOAuth2 extends AbstractBusTestServerBase {
     public static final String PORT = TestUtil.getPortNumber("jaxrs-oauth2");
+    public static final String PORT_PUBLIC = TestUtil.getPortNumber("jaxrs-oauth2-public");
     private static final URL SERVER_CONFIG_FILE =
         BookServerOAuth2.class.getResource("server.xml");
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/65869aff/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/JAXRSOAuth2Test.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/JAXRSOAuth2Test.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/JAXRSOAuth2Test.java
index e52a77f..0a84808 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/JAXRSOAuth2Test.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/JAXRSOAuth2Test.java
@@ -160,6 +160,19 @@ public class JAXRSOAuth2Test extends AbstractBusClientServerTestBase
{
     }
     
     @Test
+    public void testPublicClientIdOnly() throws Exception {
+        String address = "http://localhost:" + BookServerOAuth2.PORT_PUBLIC + "/oauth2Public/token";
+        WebClient wc = WebClient.create(address);
+
+        
+        ClientAccessToken at = OAuthClientUtils.getAccessToken(wc,
+                                                               new Consumer("fredPublic"),
+                                                               new CustomGrant(),
+                                                               false);
+        assertNotNull(at.getTokenKey());
+    }
+    
+    @Test
     public void testTwoWayTLSAuthenticationCustomGrant() throws Exception {
         String address = "https://localhost:" + PORT + "/oauth2/token";
         WebClient wc = createWebClient(address);
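Review bot: `testPublicClientIdOnly` at L169–L179 only covers the accepting path; nothing in this commit asserts that the public endpoint still rejects a confidential client presented by id alone (the `fred` client registered with a secret in the fixture) or a public client that posts a client_secret, which is exactly the behaviour the removed early return in `getAndValidateClientFromIdAndSecret` changed. A companion test requesting a token for `new Consumer("fred")` against `/oauth2Public/token` and expecting an `OAuthServiceException` would pin the tightened check. The stray blank lines at L172–L173 can also go. The enclosing class continues outside this hunk.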

http://git-wip-us.apache.org/repos/asf/cxf/blob/65869aff/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/server.xml
index 410a2c1..879973d 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/server.xml
@@ -88,6 +88,16 @@ under the License.
                 <ref bean="clientCredGrantHandler"/>
             </list>
         </property>
+        <property name="canSupportPublicClients" value="true"/>
+    </bean>
+    <bean id="serviceBeanPublic" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+        <property name="dataProvider" ref="dataProvider"/>
+        <property name="grantHandlers">
+            <list>
+                <ref bean="customGrantHandler"/>
+            </list>
+        </property>
+        <property name="canSupportPublicClients" value="true"/>
     </bean>
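Review bot: L197 turns on `canSupportPublicClients` for the pre-existing `serviceBean`, which backs the `/oauth2` and `/oauth2-auth` servers, even though the new test only talks to the separate `serviceBeanPublic` endpoint added at L199–L206; that widens the client-authentication surface of every existing grant test in this fixture and leaves no configuration still exercising the strict confidential-only mode. Unless an existing test depends on it, dropping the L197 property and keeping public support confined to `serviceBeanPublic` preserves coverage of both modes.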
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-oauth2}/oauth2">
         <jaxrs:serviceBeans>
@@ -102,6 +112,11 @@ under the License.
             <entry key="rs.security.signature.algorithm" value="RS256" />
         </jaxrs:properties>
     </jaxrs:server>
+    <jaxrs:server address="http://localhost:${testutil.ports.jaxrs-oauth2-public}/oauth2Public">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBeanPublic"/>
+        </jaxrs:serviceBeans>
+    </jaxrs:server>
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-oauth2}/oauth2-auth">
         <jaxrs:serviceBeans>
             <ref bean="serviceBean"/>

