Posted to commits@cxf.apache.org by se...@apache.org on 2013/06/10 18:20:21 UTC
svn commit: r1491522 - in /cxf/trunk/rt/rs/security/oauth-parent:
oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/
oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/
oauth2/src/main/java/org/apache/cxf/rs/security/oa...
Author: sergeyb
Date: Mon Jun 10 16:20:20 2013
New Revision: 1491522
URL: http://svn.apache.org/r1491522
Log:
A few OAuth2 code updates to better support the case where redirect_uri is omitted
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java Mon Jun 10 16:20:20 2013
@@ -85,7 +85,7 @@ public class Saml2BearerGrantHandler ext
private SecurityContextProvider scProvider = new SecurityContextProviderImpl();
public Saml2BearerGrantHandler() {
- super(Constants.SAML2_BEARER_GRANT, true);
+ super(Constants.SAML2_BEARER_GRANT);
}
@Override
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java Mon Jun 10 16:20:20 2013
@@ -41,11 +41,10 @@ public abstract class AbstractGrantHandl
private String supportedGrant;
private OAuthDataProvider dataProvider;
- private boolean isClientConfidential;
private boolean partialMatchScopeValidation;
- protected AbstractGrantHandler(String grant, boolean isClientConfidential) {
+ private boolean canSupportPublicClients;
+ protected AbstractGrantHandler(String grant) {
supportedGrant = grant;
- this.isClientConfidential = isClientConfidential;
}
public void setDataProvider(OAuthDataProvider dataProvider) {
@@ -60,7 +59,9 @@ public abstract class AbstractGrantHandl
}
protected void checkIfGrantSupported(Client client) {
- if (!OAuthUtils.isGrantSupportedForClient(client, isClientConfidential, supportedGrant)) {
+ if (!OAuthUtils.isGrantSupportedForClient(client,
+ canSupportPublicClients,
+ OAuthConstants.AUTHORIZATION_CODE_GRANT)) {
throw new OAuthServiceException(OAuthConstants.UNAUTHORIZED_CLIENT);
}
}
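Review bot: `checkIfGrantSupported` now validates every handler against `OAuthConstants.AUTHORIZATION_CODE_GRANT` instead of the handler's own `supportedGrant`, so the client's allowed-grant-type list is consulted for the wrong grant in every subclass that routes through this method (AuthorizationCodeGrantHandler visibly does; ClientCredentialsGrantHandler, ResourceOwnerGrantHandler and Saml2BearerGrantHandler presumably do as well, since this commit only changes their constructors). A client whose allowed list contains only authorization_code would pass this check for a client_credentials or password request, and a client permitted only client_credentials would be rejected with UNAUTHORIZED_CLIENT. The call should read `if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClients, supportedGrant)) {`. `supportedGrant` is still assigned in the constructor in the previous hunk, so nothing else needs to change.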
@@ -92,4 +93,12 @@ public abstract class AbstractGrantHandl
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
+
+ public void setCanSupportPublicClients(boolean support) {
+ canSupportPublicClients = support;
+ }
+
+ public boolean isCanSupportPublicClients() {
+ return canSupportPublicClients;
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java Mon Jun 10 16:20:20 2013
@@ -34,7 +34,7 @@ public class ClientCredentialsGrantHandl
public ClientCredentialsGrantHandler() {
- super(OAuthConstants.CLIENT_CREDENTIALS_GRANT, true);
+ super(OAuthConstants.CLIENT_CREDENTIALS_GRANT);
}
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java Mon Jun 10 16:20:20 2013
@@ -35,14 +35,13 @@ import org.apache.cxf.rs.security.oauth2
public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
public AuthorizationCodeGrantHandler() {
- super(OAuthConstants.AUTHORIZATION_CODE_GRANT, true);
+ super(OAuthConstants.AUTHORIZATION_CODE_GRANT);
}
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
throws OAuthServiceException {
- // Only confidential clients can use it
checkIfGrantSupported(client);
-
+
// Get the grant representation from the provider
String codeValue = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
ServerAuthorizationCodeGrant grant =
@@ -59,14 +58,19 @@ public class AuthorizationCodeGrantHandl
}
// redirect URIs must match too
String expectedRedirectUri = grant.getRedirectUri();
- if (expectedRedirectUri != null) {
- String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
-
- if (providedRedirectUri != null && !providedRedirectUri.equals(expectedRedirectUri)) {
+ String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
+ if (providedRedirectUri != null) {
+ if (expectedRedirectUri == null || !providedRedirectUri.equals(expectedRedirectUri)) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
+ } else if (expectedRedirectUri == null && !isCanSupportPublicClients()
+ || expectedRedirectUri != null
+ && (client.getRedirectUris().size() != 1
+ || !client.getRedirectUris().contains(expectedRedirectUri))) {
+ throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
return doCreateAccessToken(client, grant.getSubject(), grant.getApprovedScopes());
}
+
}
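Review bot: The new `else if` accepts a token request that omits redirect_uri whenever the grant's stored URI happens to be the client's single registered one, but RFC 6749 §4.1.3 requires the parameter whenever it was included in the authorization request, and the grant cannot tell whether `grant.getRedirectUri()` was sent by the client or substituted from the registration by RedirectionBasedGrantService (which this commit now does by default). If that distinction matters to the deployment, the origin of the URI would have to be recorded on the grant; that is outside this hunk. Independently, the condition mixes `&&` and `||` across four lines without parentheses and ties the no-redirect-at-all case for confidential clients to `isCanSupportPublicClients()`, which reads as an accident; splitting it into three explicit branches keeps the same behaviour and makes each rule reviewable. `createAccessToken` starts outside this hunk.
```java
        String expectedRedirectUri = grant.getRedirectUri();
        String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
        if (providedRedirectUri != null) {
            // RFC 6749 4.1.3: the value must be identical to the one bound to the code
            if (!providedRedirectUri.equals(expectedRedirectUri)) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
            }
        } else if (expectedRedirectUri == null) {
            // no redirect_uri at either step: only tolerated when public clients are enabled
            if (!isCanSupportPublicClients()) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
            }
        } else if (client.getRedirectUris().size() != 1
                   || !client.getRedirectUris().contains(expectedRedirectUri)) {
            // omitted at the token step: accept only the client's single registered URI
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
        // … unchanged: doCreateAccessToken call …
```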
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java Mon Jun 10 16:20:20 2013
@@ -35,7 +35,7 @@ public class ResourceOwnerGrantHandler e
private ResourceOwnerLoginHandler loginHandler;
public ResourceOwnerGrantHandler() {
- super(OAuthConstants.RESOURCE_OWNER_GRANT, true);
+ super(OAuthConstants.RESOURCE_OWNER_GRANT);
}
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java Mon Jun 10 16:20:20 2013
@@ -35,6 +35,7 @@ public class RefreshTokenGrantHandler im
private OAuthDataProvider dataProvider;
private boolean partialMatchScopeValidation;
+ private boolean canSupportPublicClients;
public void setDataProvider(OAuthDataProvider dataProvider) {
this.dataProvider = dataProvider;
@@ -46,7 +47,8 @@ public class RefreshTokenGrantHandler im
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
throws OAuthServiceException {
- if (!OAuthUtils.isGrantSupportedForClient(client, true, OAuthConstants.REFRESH_TOKEN_GRANT)) {
+ if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClients,
+ OAuthConstants.REFRESH_TOKEN_GRANT)) {
throw new OAuthServiceException(OAuthConstants.UNAUTHORIZED_CLIENT);
}
String refreshToken = params.getFirst(OAuthConstants.REFRESH_TOKEN);
@@ -60,4 +62,8 @@ public class RefreshTokenGrantHandler im
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
+
+ public void setCanSupportPublicClients(boolean support) {
+ canSupportPublicClients = support;
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java Mon Jun 10 16:20:20 2013
@@ -79,7 +79,7 @@ public class AuthorizationCodeGrantServi
return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
}
- if (!client.isConfidential()) {
+ if (redirectUri == null) {
OOBAuthorizationResponse oobResponse = new OOBAuthorizationResponse();
oobResponse.setClientId(client.getClientId());
oobResponse.setAuthorizationCode(grant.getCode());
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java Mon Jun 10 16:20:20 2013
@@ -58,6 +58,7 @@ public abstract class RedirectionBasedGr
private String supportedResponseType;
private String supportedGrantType;
private boolean partialMatchScopeValidation;
+ private boolean useRegisteredRedirectUriIfPossible = true;
private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
private SubjectCreator subjectCreator;
private ResourceOwnerNameProvider resourceOwnerNameProvider;
@@ -164,7 +165,7 @@ public abstract class RedirectionBasedGr
// Return the authorization challenge data to the end user
OAuthAuthorizationData data =
- createAuthorizationData(client, params, permissions);
+ createAuthorizationData(client, params, redirectUri, permissions);
personalizeData(data, userSubject);
return Response.ok(data).build();
@@ -174,7 +175,7 @@ public abstract class RedirectionBasedGr
* Create the authorization challenge data
*/
protected OAuthAuthorizationData createAuthorizationData(
- Client client, MultivaluedMap<String, String> params, List<OAuthPermission> perms) {
+ Client client, MultivaluedMap<String, String> params, String redirectUri, List<OAuthPermission> perms) {
OAuthAuthorizationData secData = new OAuthAuthorizationData();
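Review bot: Changing the signature of the protected `createAuthorizationData` silently breaks any subclass that overrides the three-argument form: the override becomes an unrelated overload and the base implementation is used instead, with no compiler warning. If compatibility with existing overriders matters, keep the old signature as a deprecated delegating overload; otherwise the Javadoc above the method should at least document the new parameter, e.g. `@param redirectUri the validated redirect URI, or null when the client supplied none and no registered URI is used`. The method body continues outside this hunk.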
@@ -183,7 +184,9 @@ public abstract class RedirectionBasedGr
secData.setPermissions(perms);
secData.setProposedScope(OAuthUtils.convertPermissionsToScope(perms));
secData.setClientId(client.getClientId());
- secData.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
+ if (redirectUri != null) {
+ secData.setRedirectUri(redirectUri);
+ }
secData.setState(params.getFirst(OAuthConstants.STATE));
secData.setApplicationName(client.getApplicationName());
@@ -313,10 +316,10 @@ public abstract class RedirectionBasedGr
if (!uris.contains(redirectUri)) {
redirectUri = null;
}
- } else if (uris.size() == 1) {
+ } else if (uris.size() == 1 && useRegisteredRedirectUriIfPossible) {
redirectUri = uris.get(0);
}
- if (redirectUri == null && !canRedirectUriBeEmpty(client)) {
+ if (redirectUri == null && uris.size() == 0 && !canRedirectUriBeEmpty(client)) {
reportInvalidRequestError("Client Redirect Uri is invalid");
}
return redirectUri;
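Review bot: Tightening the final check to `uris.size() == 0` means a non-null `redirectUri` that was nulled out above because it is not registered (the `redirectUri = null` at the top of the hunk; the enclosing `if` is outside the hunk, so this is inferred) no longer triggers "Client Redirect Uri is invalid" — the request silently proceeds with a null URI, which AuthorizationCodeGrantService now turns into an out-of-band code response instead of reporting the mismatch to the resource owner as RFC 6749 §3.1.2.4 expects. The same path is taken when a client with more than one registered URI omits the parameter, since `uris.size() == 1` is false and the error is skipped. The mismatch case should be reported where it is detected, `if (!uris.contains(redirectUri)) { reportInvalidRequestError("Client Redirect Uri is invalid"); }`, and the omitted-parameter case should probably stay an error whenever the registered list is non-empty but not unambiguous. `getRedirectUri` starts outside this hunk.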
@@ -385,6 +388,14 @@ public abstract class RedirectionBasedGr
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
+ /**
+ * If a client does not include a redirect_uri parameter but has an exactly one
+ * pre-registered redirect_uri then use that redirect_uri
+ * @param use allows to use a single registered redirect_uri if set to true (default)
+ */
+ public void setUseRegisteredRedirectUriIfPossible(boolean use) {
+ this.useRegisteredRedirectUriIfPossible = use;
+ }
protected abstract boolean canSupportPublicClient(Client c);
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java?rev=1491522&r1=1491521&r2=1491522&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java Mon Jun 10 16:20:20 2013
@@ -79,11 +79,13 @@ public final class OAuthUtils {
}
public static boolean isGrantSupportedForClient(Client client,
- boolean isConfidential,
+ boolean canSupportPublicClients,
String grantType) {
+ if (!client.isConfidential() && !canSupportPublicClients) {
+ return false;
+ }
List<String> allowedGrants = client.getAllowedGrantTypes();
- return isConfidential == client.isConfidential()
- && (allowedGrants.isEmpty() || allowedGrants.contains(grantType));
+ return allowedGrants.isEmpty() || allowedGrants.contains(grantType);
}
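Review bot: The contract of `isGrantSupportedForClient` changed — confidential clients are now always admitted to the grant-type check, public clients only when the caller opts in — but the method carries no Javadoc, so callers cannot tell that `canSupportPublicClients` gates public clients only and that an empty `allowedGrantTypes` list means every grant is permitted. A short header would capture it: `/** Returns true if the client may use grantType: public clients are rejected unless canSupportPublicClients is set; an empty allowed-grant list permits all grants. */`. Documenting the empty-list-means-all rule is worth doing here because, with public clients now admitted, a public client registered with no allowed grants is accepted for any grant the calling handler enables.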
public static List<String> parseScope(String requestedScope) {