Posted to commits@cxf.apache.org by se...@apache.org on 2016/07/28 18:28:08 UTC
cxf-fediz git commit: [FEDIZ-172] Enforcing the oidc scope at the
Fediz data provider level
Repository: cxf-fediz
Updated Branches:
refs/heads/master 167455bbe -> 86f7a5eb6
[FEDIZ-172] Enforcing the oidc scope at the Fediz data provider level
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/86f7a5eb
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/86f7a5eb
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/86f7a5eb
Branch: refs/heads/master
Commit: 86f7a5eb68d56363ee919235ba94c52ca1e5fdaf
Parents: 167455b
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Thu Jul 28 21:27:32 2016 +0300
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Thu Jul 28 21:27:32 2016 +0300
----------------------------------------------------------------------
.../service/oidc/OAuthDataProviderImpl.java | 23 +++++++++++++++++---
.../src/main/webapp/WEB-INF/data-manager.xml | 2 --
2 files changed, 20 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/86f7a5eb/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
index 7c37cc2..ff34955 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataProviderImpl.java
@@ -19,10 +19,15 @@
package org.apache.cxf.fediz.service.oidc;
import java.security.Principal;
+import java.util.Collections;
+import java.util.List;
import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
@@ -30,10 +35,12 @@ public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
@Override
public Client getClient(String clientId) {
+ //TODO: push most of this code into the abstract class
Client client = super.getClient(clientId);
if (client != null || checkOnlyRegisteredClients) {
return client;
}
+
String grantType = (String)getMessageContext().get(OAuthConstants.GRANT_TYPE);
if (OAuthConstants.CLIENT_CREDENTIALS_GRANT.equals(grantType)) {
// Pre-registering the OAuth2 Client representations for
@@ -46,15 +53,25 @@ public class OAuthDataProviderImpl extends DefaultEHCacheCodeDataProvider {
} else {
Principal p = super.getMessageContext().getSecurityContext().getUserPrincipal();
if (clientId.equals(p.getName())) {
- // Client was already authenticated with Servlet Security
- // or CXF (JAAS/etc) filters
- return new Client(clientId, null, true);
+ Client c = new Client(clientId, null, true);
+ c.setAllowedGrantTypes(Collections.singletonList(OAuthConstants.CLIENT_CREDENTIALS_GRANT));
+ return c;
}
}
}
return null;
}
+ @Override
+ public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
+ //TODO: push this code into the abstract class
+ if (!client.getAllowedGrantTypes().contains(OAuthConstants.CLIENT_CREDENTIALS_GRANT)
+ && !requestedScopes.contains(OidcUtils.OPENID_SCOPE)) {
+ throw new OAuthServiceException("Required scopes are missing");
+ }
+ return super.convertScopeToPermissions(client, requestedScopes);
+ }
+
protected Client authenticateClient(String clientId, String clientSecret) {
// If the authentication is successful:
// return new Client(clientId, clientSecret, true)
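Review bot: The openid-scope requirement in convertScopeToPermissions is skipped for any client whose allowed grant types merely include client_credentials, not only for requests actually using that grant: a client registered for both the authorization code and client credentials grants could obtain a code-flow token without `openid`. Consider keying the exemption on the grant actually in use, e.g. the `OAuthConstants.GRANT_TYPE` value that getClient already reads from the message context, if it is populated at the point this method runs (it may not be for the authorization endpoint, so this needs confirming). The condition also dereferences `client.getAllowedGrantTypes()` and `requestedScopes` without a null guard; if the superclass can pass a null scope list, `requestedScopes == null || !requestedScopes.contains(OidcUtils.OPENID_SCOPE)` is the safer form. The two `//TODO: push ... into the abstract class` comments (here and in the hunk at @@ -30,10 +35,12 @@) would read better naming the target class, e.g. `//TODO: move this check into DefaultEHCacheCodeDataProvider (or its abstract parent) so every provider enforces it`.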
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/86f7a5eb/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index 5640443..0fd539a 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -60,8 +60,6 @@
init-method="init" destroy-method="close">
<!-- List of accepted scopes -->
<property name="supportedScopes" ref="supportedScopes"/>
- <!-- List of required scopes -->
- <property name="requiredScopes" ref="coreScopes"/>
<!--
List of scopes that the consent/authorization form should make
selected by default. For example, asking a user to do an extra click