Posted to commits@cxf.apache.org by se...@apache.org on 2013/12/20 14:45:31 UTC
svn commit: r1552667 -
/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/
Author: sergeyb
Date: Fri Dec 20 13:45:30 2013
New Revision: 1552667
URL: http://svn.apache.org/r1552667
Log:
[CXF-5472] Making a digest-based code verifier check optional as per the latest draft
Added:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractAuthorizationCodeDataProvider.java (with props)
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/CodeVerifierTransformer.java (with props)
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DigestCodeVerifier.java (with props)
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractAuthorizationCodeDataProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractAuthorizationCodeDataProvider.java?rev=1552667&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractAuthorizationCodeDataProvider.java (added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractAuthorizationCodeDataProvider.java Fri Dec 20 13:45:30 2013
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.grants.code;
+
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+
+
+/**
+ * Abstract AuthorizationCodeDataProvider implementation
+ */
+public abstract class AbstractAuthorizationCodeDataProvider implements AuthorizationCodeDataProvider {
+
+ private long grantLifetime;
+
+ public ServerAuthorizationCodeGrant createCodeGrant(AuthorizationCodeRegistration reg)
+ throws OAuthServiceException {
+ ServerAuthorizationCodeGrant grant =
+ new ServerAuthorizationCodeGrant(reg.getClient(), getCode(reg), getGrantLifetime(), getIssuedAt());
+ grant.setApprovedScopes(getApprovedScopes(reg));
+ grant.setAudience(reg.getAudience());
+ grant.setClientCodeVerifier(reg.getClientCodeVerifier());
+ grant.setSubject(reg.getSubject());
+ grant.setRedirectUri(reg.getRedirectUri());
+ return grant;
+ }
+
+ protected List<String> getApprovedScopes(AuthorizationCodeRegistration reg) {
+ return reg.getApprovedScope();
+ }
+
+ protected String getCode(AuthorizationCodeRegistration reg) {
+ return OAuthUtils.generateRandomTokenKey();
+ }
+
+ public long getGrantLifetime() {
+ return grantLifetime;
+ }
+
+ public void setGrantLifetime(long lifetime) {
+ this.grantLifetime = lifetime;
+ }
+
+ protected long getIssuedAt() {
+ return OAuthUtils.getIssuedAt();
+ }
+}
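Review bot: `grantLifetime` is never initialised or validated, so a subclass or configuration that does not call `setGrantLifetime` passes 0 to the `ServerAuthorizationCodeGrant` constructor in `createCodeGrant`. How the grant interprets a lifetime of 0 is not visible in this file; if it is read as "no expiry", authorization codes would remain redeemable far longer than intended, and if it is read as "already expired", every code exchange would fail. I would give the field an explicit short default and reject non-positive values in the setter, e.g. `if (lifetime <= 0) { throw new IllegalArgumentException("grantLifetime must be positive"); }`. The unit (seconds or milliseconds) should also be stated in Javadoc on `getGrantLifetime`, since `getIssuedAt` comes from `OAuthUtils` and its unit is not shown here.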
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractAuthorizationCodeDataProvider.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractAuthorizationCodeDataProvider.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1552667&r1=1552666&r2=1552667&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java Fri Dec 20 13:45:30 2013
@@ -19,17 +19,12 @@
package org.apache.cxf.rs.security.oauth2.grants.code;
-import java.io.StringWriter;
-
import javax.ws.rs.core.MultivaluedMap;
-import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-import org.apache.cxf.rs.security.oauth2.utils.MessageDigestGenerator;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
@@ -39,6 +34,8 @@ import org.apache.cxf.rs.security.oauth2
*/
public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
+ private CodeVerifierTransformer codeVerifierTransformer;
+
public AuthorizationCodeGrantHandler() {
super(OAuthConstants.AUTHORIZATION_CODE_GRANT);
}
@@ -92,18 +89,13 @@ public class AuthorizationCodeGrantHandl
if (clientCodeChallenge == null) {
return false;
}
- MessageDigestGenerator mdg = new MessageDigestGenerator();
- byte[] digest = mdg.createDigest(clientCodeVerifier, "SHA-256");
- int length = digest.length > 128 / 8 ? 128 / 8 : digest.length;
-
- StringWriter stringWriter = new StringWriter();
- try {
- Base64UrlUtility.encode(digest, 0, length, stringWriter);
- } catch (Base64Exception e) {
- throw new OAuthServiceException("server_error", e);
- }
- String expectedHash = stringWriter.toString();
- return clientCodeChallenge.equals(expectedHash);
+ String transformedCodeVerifier = codeVerifierTransformer == null
+ ? clientCodeVerifier : codeVerifierTransformer.transformCodeVerifier(clientCodeVerifier);
+ return clientCodeChallenge.equals(transformedCodeVerifier);
}
+
+ public void setCodeVerifierTransformer(CodeVerifierTransformer codeVerifier) {
+ this.codeVerifierTransformer = codeVerifier;
+ }
}
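Review bot: The final comparison uses `clientCodeChallenge.equals(transformedCodeVerifier)`, which returns at the first differing character, and with no transformer configured it compares the stored challenge to the raw verifier from the token request. A constant-time comparison is the safer form here: encode both strings as UTF-8 and use `return MessageDigest.isEqual(challengeBytes, verifierBytes);`, after rejecting a null `transformedCodeVerifier`. The plain-comparison default is also a silent change from the previous always-hashed behaviour, so `setCodeVerifierTransformer` deserves a Javadoc line such as `/** When unset, the code verifier must equal the code challenge verbatim; set a DigestCodeVerifier to require a hashed challenge. */`. The enclosing method starts above this hunk, so whether `clientCodeVerifier` is null-checked before `transformCodeVerifier` is called cannot be seen from here.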
Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/CodeVerifierTransformer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/CodeVerifierTransformer.java?rev=1552667&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/CodeVerifierTransformer.java (added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/CodeVerifierTransformer.java Fri Dec 20 13:45:30 2013
@@ -0,0 +1,23 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.grants.code;
+
+public interface CodeVerifierTransformer {
+ String transformCodeVerifier(String codeVerifier);
+}
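Review bot: `CodeVerifierTransformer` and `transformCodeVerifier` carry no Javadoc, yet the grant handler relies on an unstated contract: the returned string is compared for equality with the code challenge stored with the authorization code. An implementation therefore has to be deterministic and has to apply exactly the transformation the client used when it built the challenge. I would add a type-level comment saying so and a method comment such as `/** Returns the value to compare with the registered code challenge; must be deterministic for a given verifier. */`. It is also worth stating whether `codeVerifier` may be null, since no null check is visible in the hunks of this commit.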
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/CodeVerifierTransformer.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/CodeVerifierTransformer.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DigestCodeVerifier.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DigestCodeVerifier.java?rev=1552667&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DigestCodeVerifier.java (added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DigestCodeVerifier.java Fri Dec 20 13:45:30 2013
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.grants.code;
+
+import java.io.StringWriter;
+
+import org.apache.cxf.common.util.Base64Exception;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.MessageDigestGenerator;
+
+public class DigestCodeVerifier implements CodeVerifierTransformer {
+
+ public String transformCodeVerifier(String codeVerifier) {
+ MessageDigestGenerator mdg = new MessageDigestGenerator();
+ byte[] digest = mdg.createDigest(codeVerifier, "SHA-256");
+ int length = digest.length > 128 / 8 ? 128 / 8 : digest.length;
+
+ StringWriter stringWriter = new StringWriter();
+ try {
+ Base64UrlUtility.encode(digest, 0, length, stringWriter);
+ } catch (Base64Exception e) {
+ throw new OAuthServiceException("server_error", e);
+ }
+ return stringWriter.toString();
+ }
+
+
+
+}
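Review bot: The truncation in `transformCodeVerifier` keeps only the first `128 / 8` bytes of the SHA-256 digest before base64url encoding, and nothing in the class says why or which draft revision that follows. A client that sends the full base64url-encoded SHA-256 digest as its challenge, as the S256 method of RFC 7636 later specified, will never match this transformer, so the truncation needs to be documented as part of the wire contract. I would add class-level Javadoc describing the exact transformation and name the constant, e.g. `private static final int TRUNCATED_DIGEST_BYTES = 128 / 8;` with `int length = Math.min(digest.length, TRUNCATED_DIGEST_BYTES);`. The character encoding `MessageDigestGenerator.createDigest` applies to `codeVerifier` is not visible here and should be stated too, because client and server must hash identical bytes.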
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DigestCodeVerifier.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DigestCodeVerifier.java
------------------------------------------------------------------------------
svn:keywords = Rev Date