Posted to commits@cxf.apache.org by se...@apache.org on 2014/02/13 14:26:04 UTC
svn commit: r1567916 - in /cxf/branches/2.7.x-fixes: ./
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/
rt/rs/secur...
Author: sergeyb
Date: Thu Feb 13 13:26:03 2014
New Revision: 1567916
URL: http://svn.apache.org/r1567916
Log:
Merged revisions 1567907-1567908,1567911 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1567907 | sergeyb | 2014-02-13 12:38:36 +0000 (Thu, 13 Feb 2014) | 1 line
[CXF-5561] Updating AccessTokenValidatorService to ensure an authenticated Principal is available
........
r1567908 | sergeyb | 2014-02-13 12:44:54 +0000 (Thu, 13 Feb 2014) | 1 line
[CXF-5561] More updates
........
r1567911 | sergeyb | 2014-02-13 13:02:14 +0000 (Thu, 13 Feb 2014) | 1 line
[CXF-5561] Introducing constants
........
Modified:
cxf/branches/2.7.x-fixes/ (props changed)
cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java
cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestInterceptor.java
cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
Propchange: cxf/branches/2.7.x-fixes/
------------------------------------------------------------------------------
Merged /cxf/trunk:r1567907-1567911
Propchange: cxf/branches/2.7.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java?rev=1567916&r1=1567915&r2=1567916&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java (original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenValidatorClient.java Thu Feb 13 13:26:03 2014
@@ -21,7 +21,7 @@ package org.apache.cxf.rs.security.oauth
import java.util.Collections;
import java.util.List;
-import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Form;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.ext.MessageContext;
@@ -43,8 +43,9 @@ public class AccessTokenValidatorClient
String authSchemeData)
throws OAuthServiceException {
WebClient client = WebClient.fromClient(tokenValidatorClient, true);
- client.header(HttpHeaders.AUTHORIZATION, authScheme + " " + authSchemeData);
- return client.get(AccessTokenValidation.class);
+ Form form = new Form().param(OAuthConstants.AUTHORIZATION_SCHEME_TYPE, authScheme)
+ .param(OAuthConstants.AUTHORIZATION_SCHEME_DATA, authSchemeData);
+ return client.post(form, AccessTokenValidation.class);
}
public void setTokenValidatorClient(WebClient tokenValidatorClient) {
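Review bot: This method no longer sets an Authorization header, so the validation request is authenticated only by whatever `tokenValidatorClient` was configured with, and nothing here documents that requirement. The service side of this commit rejects callers that have no Principal, so a client injected without credentials will presumably fail on every call. A comment on `setTokenValidatorClient` would make the contract explicit, e.g. `// The injected client must carry its own credentials; the token being validated is sent in the form body, not in the Authorization header`. The method signature starts outside the hunk.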
Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1567916&r1=1567915&r2=1567916&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java (original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java Thu Feb 13 13:26:03 2014
@@ -40,6 +40,7 @@ import org.apache.cxf.rs.security.oauth2
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator;
+import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
@@ -63,8 +64,15 @@ public class OAuthRequestFilter extends
return;
}
+ // Get the scheme and its data, Bearer only is supported by default
+ // WWW-Authenticate with the list of supported schemes will be sent back
+ // if the scheme is not accepted
+ String[] authParts = getAuthorizationParts(m);
+ String authScheme = authParts[0];
+ String authSchemeData = authParts[1];
+
// Get the access token
- AccessTokenValidation accessTokenV = getAccessTokenValidation();
+ AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData);
// Find the scopes which match the current request
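Review bot: `authParts[0]` and `authParts[1]` are read without checking the array returned by `getAuthorizationParts(m)`, which this commit turns into a per-subclass override point. An override that returns null or a one-element array would surface as an unchecked exception rather than an authentication failure. A guard before the indexing keeps the failure mode consistent: `if (authParts == null || authParts.length < 2) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); }`. The enclosing method starts and ends outside the hunk, so whether an outer handler already maps such exceptions is not visible here.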
@@ -188,4 +196,7 @@ public class OAuthRequestFilter extends
this.audienceIsEndpointAddress = audienceIsEndpointAddress;
}
+ protected String[] getAuthorizationParts(Message m) {
+ return AuthorizationUtils.getAuthorizationParts(getMessageContext(), supportedSchemes);
+ }
}
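Review bot: `getAuthorizationParts(Message m)` never uses `m`; it reads the request through `getMessageContext()`, and that should be stated in a Javadoc now that the method is the override point for subclasses. Suggested text: `/** Returns a two-element array {scheme, scheme data} for the current request; this default ignores m and uses the MessageContext. */`.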
Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestInterceptor.java?rev=1567916&r1=1567915&r2=1567916&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestInterceptor.java (original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestInterceptor.java Thu Feb 13 13:26:03 2014
@@ -34,6 +34,16 @@ public class OAuthRequestInterceptor ext
validateRequest(message);
}
+ protected String[] getAuthorizationParts(Message message) {
+ return super.getAuthorizationParts(message);
+
+// You can customise it, extract the token from the message, example, get
+// WS-Security Binary token put on the message by WSS4JInInterceptor
+//
+// String token = getTokenFromCurrentMessage(mc);
+// return new String[] {"Bearer", token};
+ }
+
public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
return null;
}
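Review bot: The new override only delegates to `super.getAuthorizationParts(message)`, and the customisation example sits as commented-out code after the `return`, where it still refers to `mc`, a variable this method does not have. Either drop the override and keep the example in the class Javadoc, or move it above the method using the real parameter, e.g. `// Override to take the token from the message (for example a WS-Security binary token set by WSS4JInInterceptor) and return new String[] {"Bearer", token}`. An override of this kind becomes the only source of the credential, so the comment should also say that the token must come from a part of the message an earlier interceptor has already verified.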
@@ -57,14 +67,4 @@ public class OAuthRequestInterceptor ext
public void handleFault(Message message) {
}
-// protected String[] getAuthorizationParts() {
-// // the current message is wrapped in MessageContext
-// MessageContext mc = getMessageContext();
-//
-// // extract the token from the message, example, get
-// // WS-Security Binary token put on the message by WSS4JInInterceptor
-//
-// String token = getTokenFromCurrentMessage(mc);
-// return new String[] {"Bearer", token};
-// }
}
Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java?rev=1567916&r1=1567915&r2=1567916&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java (original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java Thu Feb 13 13:26:03 2014
@@ -43,16 +43,14 @@ public abstract class AbstractAccessToke
private static final String DEFAULT_AUTH_SCHEME = OAuthConstants.BEARER_AUTHORIZATION_SCHEME;
+
+ protected Set<String> supportedSchemes = new HashSet<String>();
+ protected String realm;
private MessageContext mc;
-
private List<AccessTokenValidator> tokenHandlers = Collections.emptyList();
private List<String> audiences = new LinkedList<String>();
-
- private Set<String> supportedSchemes = new HashSet<String>();
-
private OAuthDataProvider dataProvider;
- private String realm;
public void setTokenValidator(AccessTokenValidator validator) {
setTokenValidators(Collections.singletonList(validator));
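Review bot: `supportedSchemes` and `realm` change from private to protected fields, which lets any subclass replace or mutate the set of accepted authorization schemes directly. The subclasses touched in this commit only read them, so private fields with protected read accessors would give the same access without the write path, e.g. `protected Set<String> getSupportedSchemes() { return Collections.unmodifiableSet(supportedSchemes); }`. The class body continues outside the hunk, so the existing setters are not visible here.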
@@ -92,19 +90,12 @@ public abstract class AbstractAccessToke
/**
* Get the access token
*/
- protected AccessTokenValidation getAccessTokenValidation() {
+ protected AccessTokenValidation getAccessTokenValidation(String authScheme, String authSchemeData) {
AccessTokenValidation accessTokenV = null;
if (dataProvider == null && tokenHandlers.isEmpty()) {
throw ExceptionUtils.toInternalServerErrorException(null, null);
}
- // Get the scheme and its data, Bearer only is supported by default
- // WWW-Authenticate with the list of supported schemes will be sent back
- // if the scheme is not accepted
- String[] authParts = getAuthorizationParts();
- String authScheme = authParts[0];
- String authSchemeData = authParts[1];
-
// Get the registered handler capable of processing the token
AccessTokenValidator handler = findTokenValidator(authScheme);
if (handler != null) {
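Review bot: The Javadoc above `getAccessTokenValidation` still reads "Get the access token", although the method now receives the scheme and its data from the caller instead of reading the request itself. It should describe both parameters and say who validates them, for example `@param authScheme authorization scheme, e.g. Bearer` and `@param authSchemeData scheme-specific data such as the token value; callers must reject missing values`. No null check on either argument is visible before `findTokenValidator(authScheme)`. The method body continues outside the hunk.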
@@ -164,9 +155,4 @@ public abstract class AbstractAccessToke
public void setAudiences(List<String> audiences) {
this.audiences = audiences;
}
-
- protected String[] getAuthorizationParts() {
- return AuthorizationUtils.getAuthorizationParts(getMessageContext(), supportedSchemes);
- }
-
}
Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java?rev=1567916&r1=1567915&r2=1567916&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java (original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java Thu Feb 13 13:26:03 2014
@@ -18,18 +18,29 @@
*/
package org.apache.cxf.rs.security.oauth2.services;
-import javax.ws.rs.GET;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.Encoded;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
+import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
@Path("validate")
public class AccessTokenValidatorService extends AbstractAccessTokenValidator {
- @GET
+ @POST
@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- public AccessTokenValidation getTokenValidationInfo() {
- return super.getAccessTokenValidation();
+ @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+ public AccessTokenValidation getTokenValidationInfo(
+ @FormParam(OAuthConstants.AUTHORIZATION_SCHEME_TYPE) String authScheme,
+ @Encoded @FormParam(OAuthConstants.AUTHORIZATION_SCHEME_DATA) String authSchemeData) {
+ if (getMessageContext().getSecurityContext().getUserPrincipal() == null) {
+ AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+ }
+ return super.getAccessTokenValidation(authScheme, authSchemeData);
}
}
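Review bot: `authScheme` and `authSchemeData` come straight from the form body and are passed to `super.getAccessTokenValidation` unchecked, so a POST that omits either field hands null to the validator lookup. Reject such requests first, e.g. `if (authScheme == null || authSchemeData == null) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); }`, or return a client-error response if the project has a helper for that. Separately, `@Encoded` leaves `authSchemeData` percent-encoded, so if the client's `Form` encodes reserved characters the token handlers would presumably receive the encoded text; a comment should say whether that is intended. The `getUserPrincipal() == null` test accepts any authenticated caller, so if only resource servers should be able to query token state, a role or client check belongs next to it.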
Modified: cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java?rev=1567916&r1=1567915&r2=1567916&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java (original)
+++ cxf/branches/2.7.x-fixes/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java Thu Feb 13 13:26:03 2014
@@ -106,7 +106,10 @@ public final class OAuthConstants {
public static final String INVALID_SCOPE = "invalid_scope";
public static final String ACCESS_DENIED = "access_denied";
-
+ // Authorization scheme constants, used internally by AccessTokenValidation client and service
+ public static final String AUTHORIZATION_SCHEME_TYPE = "authScheme";
+ public static final String AUTHORIZATION_SCHEME_DATA = "authSchemeData";
+
private OAuthConstants() {
}