Posted to commits@cxf.apache.org by se...@apache.org on 2012/07/25 00:55:49 UTC
svn commit: r1365332 - in
/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2:
client/ common/ services/ tokens/mac/ utils/
Author: sergeyb
Date: Tue Jul 24 22:55:49 2012
New Revision: 1365332
URL: http://svn.apache.org/viewvc?rev=1365332&view=rev
Log:
[CXF-4431] Aligning the code with the MAC spec draft v5
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAuthorizationScheme.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java?rev=1365332&r1=1365331&r2=1365332&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java Tue Jul 24 22:55:49 2012
@@ -213,6 +213,9 @@ public final class OAuthClientUtils {
if (expiresInStr != null) {
token.setExpiresIn(Long.valueOf(expiresInStr));
}
+ String issuedAtStr = map.remove(OAuthConstants.ACCESS_TOKEN_ISSUED_AT);
+ token.setIssuedAt(issuedAtStr != null ? Long.valueOf(issuedAtStr)
+ : System.currentTimeMillis() / 1000);
String scope = map.remove(OAuthConstants.SCOPE);
if (scope != null) {
token.setApprovedScope(scope);
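Review bot: The added `Long.valueOf(issuedAtStr)` parses a value taken straight from the token response, so a non-numeric `issued_at` surfaces as a NumberFormatException from the middle of response parsing rather than as a token-response error; the existing `expires_in` parse two lines above has the same exposure. Consider catching NumberFormatException for both and reporting the malformed parameter the same way the method reports other invalid responses (how it does so is outside the hunk). The fallback `System.currentTimeMillis() / 1000` records the time the client parsed the response, not the time the server issued the token, which is what the MAC nonce age in MacAuthorizationScheme.generateNonce is later derived from; a comment saying so would help: `// no issued_at from the server: approximate it with the client's receive time (seconds)`. The enclosing method starts and ends outside the hunk.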
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java?rev=1365332&r1=1365331&r2=1365332&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java Tue Jul 24 22:55:49 2012
@@ -29,6 +29,9 @@ public abstract class AccessToken {
private String tokenKey;
private String tokenType;
private String refreshToken;
+ private long expiresIn = -1;
+ private long issuedAt = -1;
+
private Map<String, String> parameters = new LinkedHashMap<String, String>();
@@ -36,6 +39,14 @@ public abstract class AccessToken {
this.tokenType = tokenType;
this.tokenKey = tokenKey;
}
+
+ protected AccessToken(String tokenType, String tokenKey,
+ long expiresIn, long issuedAt) {
+ this.tokenType = tokenType;
+ this.tokenKey = tokenKey;
+ this.expiresIn = expiresIn;
+ this.issuedAt = issuedAt;
+ }
/**
* Returns the token type such as bearer, mac, etc
@@ -72,14 +83,6 @@ public abstract class AccessToken {
}
/**
- * Sets token parameters
- * @param parameters the token parameters
- */
- public void setParameters(Map<String, String> parameters) {
- this.parameters = parameters;
- }
-
- /**
* Gets token parameters
* @return
*/
@@ -87,4 +90,33 @@ public abstract class AccessToken {
return parameters;
}
+ /**
+ * The token lifetime
+ * @return the lifetime, -1 means no 'expires_in' parameter was returned
+ */
+ public long getExpiresIn() {
+ return expiresIn;
+ }
+
+ public void setExpiresIn(long expiresIn) {
+ this.expiresIn = expiresIn;
+ }
+
+ public long getIssuedAt() {
+ return issuedAt;
+ }
+
+ // Can be set at the server or at the moment
+ // the token is deserialized on the client
+ public void setIssuedAt(long issuedAt) {
+ this.issuedAt = issuedAt;
+ }
+
+ /**
+ * Sets additional token parameters
+ * @param parameters the token parameters
+ */
+ public void setParameters(Map<String, String> parameters) {
+ this.parameters = parameters;
+ }
}
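Review bot: `getIssuedAt` and `setIssuedAt` are the only new accessors without Javadoc, and neither the unit nor the -1 default is stated anywhere in the class even though `getExpiresIn` documents its own sentinel. Suggested Javadoc for the getter: `/** Returns the time (in seconds since the epoch) this token was issued at; -1 means it has not been set */`, and the existing `// Can be set at the server or at the moment the token is deserialized on the client` lines read better as the setter's Javadoc. The seconds unit is inferred from the client-side fallback `System.currentTimeMillis() / 1000` in OAuthClientUtils in this same commit, so confirm it matches what the server side stores. `setParameters` keeps the caller's map by reference rather than copying it; that is pre-existing behaviour moved down here, but since `getParameters` hands the same map back, a caller passing a shared map gets aliased state.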
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java?rev=1365332&r1=1365331&r2=1365332&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java Tue Jul 24 22:55:49 2012
@@ -29,8 +29,7 @@ package org.apache.cxf.rs.security.oauth
public class ClientAccessToken extends AccessToken {
private String scope;
- private long expiresIn = -1;
-
+
public ClientAccessToken(String tokenType, String tokenKey) {
super(tokenType, tokenKey);
}
@@ -53,18 +52,4 @@ public class ClientAccessToken extends A
return scope;
}
-
-
- /**
- * The token lifetime
- * @return the lifetime, -1 means no 'expires_in' parameter was returned
- */
- public long getExpiresIn() {
- return expiresIn;
- }
-
- public void setExpiresIn(long expiresIn) {
- this.expiresIn = expiresIn;
- }
-
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java?rev=1365332&r1=1365331&r2=1365332&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java Tue Jul 24 22:55:49 2012
@@ -26,8 +26,6 @@ import java.util.List;
*/
public abstract class ServerAccessToken extends AccessToken {
private String grantType;
- private long issuedAt;
- private long lifetime;
private Client client;
private List<OAuthPermission> scopes = Collections.emptyList();
private UserSubject subject;
@@ -35,12 +33,10 @@ public abstract class ServerAccessToken
protected ServerAccessToken(Client client,
String tokenType,
String tokenKey,
- long lifetime,
+ long expiresIn,
long issuedAt) {
- super(tokenType, tokenKey);
+ super(tokenType, tokenKey, expiresIn, issuedAt);
this.client = client;
- this.lifetime = lifetime;
- this.issuedAt = issuedAt;
}
/**
@@ -51,20 +47,13 @@ public abstract class ServerAccessToken
return client;
}
- /**
- * Returns the time (in seconds) when this token was issued at
- * @return the seconds
- */
- public long getIssuedAt() {
- return issuedAt;
- }
-
+ @Deprecated
/**
* Returns the number of seconds this token can be valid after it was issued
* @return the seconds
*/
public long getLifetime() {
- return lifetime;
+ return getExpiresIn();
}
/**
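Review bot: The `@Deprecated` annotation on `getLifetime` is placed before the method's Javadoc instead of after it, so the doc comment no longer immediately precedes the declaration it belongs to and javadoc tooling will not attach it; the comment also lacks a `@deprecated` tag naming the replacement. Move the annotation below the comment and add the tag: `* @deprecated use {@link #getExpiresIn()}` inside the comment, then `@Deprecated` directly above `public long getLifetime() {`. The method now delegates to `getExpiresIn()`, so the "number of seconds" wording still holds.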
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java?rev=1365332&r1=1365331&r2=1365332&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java Tue Jul 24 22:55:49 2012
@@ -110,7 +110,7 @@ public class AccessTokenService extends
serverToken.getTokenKey());
clientToken.setRefreshToken(serverToken.getRefreshToken());
if (writeOptionalParameters) {
- clientToken.setExpiresIn(serverToken.getLifetime());
+ clientToken.setExpiresIn(serverToken.getExpiresIn());
List<OAuthPermission> perms = serverToken.getScopes();
if (!perms.isEmpty()) {
clientToken.setApprovedScope(OAuthUtils.convertPermissionsToScope(perms));
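Review bot: The hunk copies `expires_in` to the client token but nothing in this commit writes the new `issued_at` parameter that OAuthClientUtils now reads (`OAuthConstants.ACCESS_TOKEN_ISSUED_AT`), so clients of this server will always fall back to their own receive time for the MAC nonce age. If the server is meant to emit it, and assuming the token's parameters map is what gets serialized into the response, this branch could add `clientToken.setIssuedAt(serverToken.getIssuedAt());` and `clientToken.getParameters().put(OAuthConstants.ACCESS_TOKEN_ISSUED_AT, Long.toString(serverToken.getIssuedAt()));`. If the parameter is deliberately left for a follow-up, a comment here saying so would stop the next reader from chasing it. The enclosing method starts and ends outside the hunk.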
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAuthorizationScheme.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAuthorizationScheme.java?rev=1365332&r1=1365331&r2=1365332&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAuthorizationScheme.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/MacAuthorizationScheme.java Tue Jul 24 22:55:49 2012
@@ -40,14 +40,14 @@ public class MacAuthorizationScheme {
this.props = props;
this.macKey = token.getTokenKey();
this.timestamp = Long.toString(System.currentTimeMillis());
- this.nonce = generateNonce();
+ this.nonce = generateNonce(token.getIssuedAt());
}
public MacAuthorizationScheme(HttpRequestProperties props,
Map<String, String> schemeParams) {
this.props = props;
- this.macKey = schemeParams.get(OAuthConstants.MAC_TOKEN_KEY);
- this.timestamp = schemeParams.get(OAuthConstants.MAC_TOKEN_TIMESTAMP);
+ this.macKey = schemeParams.get(OAuthConstants.MAC_TOKEN_ID);
+ this.timestamp = schemeParams.get(OAuthConstants.MAC_TOKEN_EXTENSION);
this.nonce = schemeParams.get(OAuthConstants.MAC_TOKEN_NONCE);
}
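Review bot: The `schemeParams` constructor reads `id`, `ext` and `nonce` with plain `Map.get` and stores the results without checking for absence, so an Authorization header missing any of them leaves a null field that is later concatenated into the normalized request string as the literal text "null" (see getNormalizedRequestString further down in this file) and presumably fed into signature verification like any other value. Unless the caller validates the header before constructing this object (not visible here), reject missing required attributes up front, e.g. `this.macKey = Objects.requireNonNull(schemeParams.get(OAuthConstants.MAC_TOKEN_ID), "id");` and the same for the nonce. Storing the `ext` attribute directly in a field named `timestamp` also deserves a comment, since `ext` is an opaque extension value in the MAC draft and this class is the only place that gives it timestamp meaning: `// CXF convention: the ext attribute carries the request timestamp`.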
@@ -70,10 +70,12 @@ public class MacAuthorizationScheme {
StringBuilder sb = new StringBuilder();
sb.append(OAuthConstants.MAC_AUTHORIZATION_SCHEME).append(" ");
- addParameter(sb, OAuthConstants.MAC_TOKEN_KEY, macKey, false);
- addParameter(sb, OAuthConstants.MAC_TOKEN_TIMESTAMP, timestamp, false);
+ addParameter(sb, OAuthConstants.MAC_TOKEN_ID, macKey, false);
addParameter(sb, OAuthConstants.MAC_TOKEN_NONCE, nonce, false);
- addParameter(sb, OAuthConstants.MAC_TOKEN_SIGNATURE, signature, true);
+ addParameter(sb, OAuthConstants.MAC_TOKEN_SIGNATURE, signature, false);
+ // lets pass a timestamp via an extension parameter
+ addParameter(sb, OAuthConstants.MAC_TOKEN_EXTENSION, timestamp, false);
+
return sb.toString();
}
@@ -87,20 +89,20 @@ public class MacAuthorizationScheme {
}
public String getNormalizedRequestString() {
+ String requestURI = props.getRequestPath();
+ if (!StringUtils.isEmpty(props.getRequestQuery())) {
+ requestURI += "?" + normalizeQuery(props.getRequestQuery());
+ }
+
- String value = macKey + SEPARATOR
- + timestamp + SEPARATOR
- + nonce + SEPARATOR
- + props.getHttpMethod().toUpperCase() + SEPARATOR
+ String value = nonce + SEPARATOR
+ + props.getHttpMethod().toUpperCase() + SEPARATOR
+ + requestURI + SEPARATOR
+ props.getHostName() + SEPARATOR
+ props.getPort() + SEPARATOR
- + props.getRequestPath() + SEPARATOR;
+ + "" + SEPARATOR
+ + timestamp + SEPARATOR;
- if (!StringUtils.isEmpty(props.getRequestQuery())) {
- value += normalizeQuery(props.getRequestQuery()) + SEPARATOR;
- }
-
- value += SEPARATOR;
return value;
}
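Review bot: The normalized request string now has seven elements: after the port it appends an empty string and then `timestamp`, while the Authorization header built earlier in this file sends `timestamp` as the `ext` attribute. In the MAC draft this commit appears to track (draft-ietf-oauth-v2-http-mac-01 uses the same `age:random` nonce and the `id`/`ext`/`mac` attribute names), the sixth and last element is the `ext` value itself, or an empty string when absent, with no further element. Both CXF ends use this class and so agree with each other, but a third-party MAC implementation would compute a different string; if interoperability is the goal, replace the last two lines with `+ timestamp + SEPARATOR;` since `timestamp` is the value actually sent as `ext`. If the seven-element form is intentional, a comment noting the deviation from the draft would save the next reader the comparison.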
@@ -108,10 +110,16 @@ public class MacAuthorizationScheme {
return query;
}
- private static String generateNonce() {
+ private static String generateNonce(long issuedAt) {
+ long ageInSecs = System.currentTimeMillis() / 1000 - issuedAt;
+ if (ageInSecs == 0) {
+ ageInSecs = 1;
+ }
byte[] randomBytes = new byte[20];
new SecureRandom().nextBytes(randomBytes);
- return Base64Utility.encode(randomBytes);
+ String random = Base64Utility.encode(randomBytes);
+
+ return Long.toString(ageInSecs) + ":" + random;
}
}
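Review bot: `generateNonce` only corrects `ageInSecs == 0`; a negative result, which occurs when `issuedAt` is ahead of the local clock (skew between server and client), is emitted as-is, and the AccessToken default of `-1` for an unset `issuedAt` yields an age of roughly the current epoch time plus one. Widen the guard to `if (ageInSecs <= 0) { ageInSecs = 1; }` and consider treating `issuedAt < 0` the same way, since an unset value is otherwise indistinguishable from a very old token. A short Javadoc would also help: `/** Builds the MAC nonce as "age:random", age being seconds elapsed since issuedAt (minimum 1) */`. Creating a new `SecureRandom` per nonce is pre-existing but could be a `private static final` field.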
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java?rev=1365332&r1=1365331&r2=1365332&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java Tue Jul 24 22:55:49 2012
@@ -56,10 +56,10 @@ public final class OAuthConstants {
public static final String MAC_TOKEN_ALGO_HMAC_SHA_256 = "hmac-sha-256";
// Set in Authorization header
- public static final String MAC_TOKEN_KEY = "token";
- public static final String MAC_TOKEN_TIMESTAMP = "timestamp";
+ public static final String MAC_TOKEN_ID = "id";
+ public static final String MAC_TOKEN_EXTENSION = "ext";
public static final String MAC_TOKEN_NONCE = "nonce";
- public static final String MAC_TOKEN_SIGNATURE = "signature";
+ public static final String MAC_TOKEN_SIGNATURE = "mac";
// Token Authorization schemes
public static final String BEARER_AUTHORIZATION_SCHEME = "Bearer";
@@ -97,6 +97,12 @@ public final class OAuthConstants {
public static final String INVALID_SCOPE = "invalid_scope";
public static final String ACCESS_DENIED = "access_denied";
+ // CXF-Specific parameters
+ public static final String ACCESS_TOKEN_ISSUED_AT = "issued_at";
+ // End Of CXF-Specific
+
+
+
private OAuthConstants() {
}
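Review bot: `ACCESS_TOKEN_ISSUED_AT` is added with only a "CXF-Specific parameters" banner, so neither its meaning nor its unit is recorded next to the constant, and the three blank lines after the banner look accidental. A one-line comment on the constant would do: `// time the access token was issued, in seconds since the epoch; not part of the OAuth2 spec`, the seconds unit being what OAuthClientUtils assumes when it falls back to `System.currentTimeMillis() / 1000` in this same commit. The first hunk of this file renames the public constants `MAC_TOKEN_KEY` and `MAC_TOKEN_TIMESTAMP` rather than deprecating them, which breaks any external code referencing the old names; that may be acceptable for a draft-tracking API but is worth a line in the commit log.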