Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/14 15:17:08 UTC
[2/2] cxf git commit: Require a nonce for the implicit flow
Require a nonce for the implicit flow
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2d3592e6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2d3592e6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2d3592e6
Branch: refs/heads/3.1.x-fixes
Commit: 2d3592e667e0ed5c2345b8fe1ae248a6b0fb1b43
Parents: ad1822e
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 14 14:11:43 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 14 14:14:54 2015 +0000
----------------------------------------------------------------------
.../oauth2/common/OAuthAuthorizationData.java | 8 --------
.../rs/security/oidc/idp/OidcImplicitService.java | 18 ++++++++++++++++++
2 files changed, 18 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2d3592e6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 8a29946..383cd3b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,7 +39,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
private String endUserName;
private String authenticityToken;
private String replyTo;
- private String responseType;
private String applicationName;
private String applicationWebUri;
@@ -203,11 +202,4 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
this.implicitFlow = implicitFlow;
}
- public String getResponseType() {
- return responseType;
- }
-
- public void setResponseType(String responseType) {
- this.responseType = responseType;
- }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2d3592e6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 908d141..edf8e98 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -22,10 +22,17 @@ import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+
import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
public class OidcImplicitService extends ImplicitGrantService {
@@ -48,6 +55,17 @@ public class OidcImplicitService extends ImplicitGrantService {
}
@Override
+ protected Response startAuthorization(MultivaluedMap<String, String> params,
+ UserSubject userSubject,
+ Client client) {
+ // Validate the nonce, it must be present for the Implicit flow
+ if (params.getFirst(OAuthConstants.NONCE) == null) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+ return super.startAuthorization(params, userSubject, client);
+ }
+
+ @Override
protected boolean canAuthorizationBeSkipped(Client client,
List<String> requestedScope,
List<OAuthPermission> permissions) {
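Review bot: The added check `params.getFirst(OAuthConstants.NONCE) == null` rejects only an absent parameter; a request carrying `nonce=` with an empty value passes through, and an empty nonce gives the relying party nothing to bind the ID token to, which is the replay protection OpenID Connect relies on the nonce for in the implicit flow. Store the value and reject blanks as well: `String nonce = params.getFirst(OAuthConstants.NONCE);` followed by `if (nonce == null || nonce.isEmpty()) {`. Throwing OAuthServiceException here presumably surfaces as a direct error response rather than an error redirect carrying invalid_request to the already-validated client; if the superclass offers an error-redirect helper, consider using it, though how the exception is mapped cannot be confirmed from this hunk. The override should also carry a short Javadoc such as `/** OpenID Connect requires a nonce on implicit-flow authorization requests; reject requests without one. */`. The trailing context lines are the signature of canAuthorizationBeSkipped, whose body continues outside the hunk.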