You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by se...@apache.org on 2013/08/28 19:12:27 UTC
svn commit: r1518287 - in /cxf/trunk:
rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/
rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/
rt/rs/security...
Author: sergeyb
Date: Wed Aug 28 17:12:27 2013
New Revision: 1518287
URL: http://svn.apache.org/r1518287
Log:
[CXF-5239] Support for transient client secrets in auth code flow
Added:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java
- copied, changed from r1517477, cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/Base64UrlUtility.java
Removed:
cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/Base64UrlUtility.java
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthOutInterceptor.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/AbstractSaml2BearerGrant.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/JAXRSOAuth2Test.java
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthHandler.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthHandler.java Wed Aug 28 17:12:27 2013
@@ -36,9 +36,9 @@ import org.apache.cxf.jaxrs.utils.FormUt
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
-import org.apache.cxf.rs.security.oauth2.saml.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.saml.Constants;
import org.apache.cxf.rs.security.oauth2.saml.SamlOAuthValidator;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.saml.AbstractSamlInHandler;
import org.apache.cxf.rs.security.saml.SAMLUtils;
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthOutInterceptor.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthOutInterceptor.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/auth/saml/Saml2BearerAuthOutInterceptor.java Wed Aug 28 17:12:27 2013
@@ -21,8 +21,8 @@ package org.apache.cxf.rs.security.oauth
import javax.ws.rs.core.Form;
import org.apache.cxf.common.util.Base64Exception;
-import org.apache.cxf.rs.security.oauth2.saml.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.saml.Constants;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
import org.apache.cxf.rs.security.saml.SamlFormOutInterceptor;
public class Saml2BearerAuthOutInterceptor extends SamlFormOutInterceptor {
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/AbstractSaml2BearerGrant.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/AbstractSaml2BearerGrant.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/AbstractSaml2BearerGrant.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/AbstractSaml2BearerGrant.java Wed Aug 28 17:12:27 2013
@@ -23,7 +23,7 @@ import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.saml.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
public abstract class AbstractSaml2BearerGrant implements AccessTokenGrant {
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java Wed Aug 28 17:12:27 2013
@@ -47,9 +47,9 @@ import org.apache.cxf.rs.security.oauth2
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.saml.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.saml.Constants;
import org.apache.cxf.rs.security.oauth2.saml.SamlOAuthValidator;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.saml.authorization.JAXRSSAMLSecurityContext;
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java Wed Aug 28 17:12:27 2013
@@ -19,12 +19,17 @@
package org.apache.cxf.rs.security.oauth2.grants.code;
+import java.io.StringWriter;
+
import javax.ws.rs.core.MultivaluedMap;
+import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.MessageDigestGenerator;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
@@ -68,11 +73,37 @@ public class AuthorizationCodeGrantHandl
|| !client.getRedirectUris().contains(expectedRedirectUri))) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
+
+ String tempClientSecretHash = grant.getTempClientSecretHash();
+ if (tempClientSecretHash != null) {
+ String tempClientSecret = params.getFirst(OAuthConstants.TEMP_CLIENT_SECRET);
+ if (!compareTcshWithTch(tempClientSecretHash, tempClientSecret)) {
+ throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+ }
+ }
+
return doCreateAccessToken(client,
grant.getSubject(),
grant.getApprovedScopes(),
grant.getAudience());
}
-
+ private boolean compareTcshWithTch(String tempClientSecretHash, String tempClientSecret) {
+ if (tempClientSecret == null) {
+ return false;
+ }
+ MessageDigestGenerator mdg = new MessageDigestGenerator();
+ byte[] digest = mdg.createDigest(tempClientSecret, "SHA-256");
+ int length = digest.length > 128 / 8 ? 128 / 8 : digest.length;
+
+ StringWriter stringWriter = new StringWriter();
+ try {
+ Base64UrlUtility.encode(digest, 0, length, stringWriter);
+ } catch (Base64Exception e) {
+ throw new OAuthServiceException("server_error", e);
+ }
+ String expectedHash = stringWriter.toString();
+ return tempClientSecretHash.equals(expectedHash);
+
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java Wed Aug 28 17:12:27 2013
@@ -35,6 +35,7 @@ public class AuthorizationCodeRegistrati
private String redirectUri;
private UserSubject subject;
private String audience;
+ private String tempClientSecretHash;
/**
* Sets the {@link Client} reference
@@ -119,4 +120,10 @@ public class AuthorizationCodeRegistrati
public void setAudience(String audience) {
this.audience = audience;
}
+ public String getTempClientSecretHash() {
+ return tempClientSecretHash;
+ }
+ public void setTempClientSecretHash(String tempClientSecretHash) {
+ this.tempClientSecretHash = tempClientSecretHash;
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java Wed Aug 28 17:12:27 2013
@@ -39,6 +39,7 @@ public class ServerAuthorizationCodeGran
private List<String> approvedScopes = Collections.emptyList();
private UserSubject subject;
private String audience;
+ private String tempClientSecretHash;
public ServerAuthorizationCodeGrant(Client client,
long lifetime) {
@@ -123,4 +124,12 @@ public class ServerAuthorizationCodeGran
public void setAudience(String audience) {
this.audience = audience;
}
+
+ public String getTempClientSecretHash() {
+ return tempClientSecretHash;
+ }
+
+ public void setTempClientSecretHash(String tempClientSecretHash) {
+ this.tempClientSecretHash = tempClientSecretHash;
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java Wed Aug 28 17:12:27 2013
@@ -72,6 +72,7 @@ public class AuthorizationCodeGrantServi
codeReg.setApprovedScope(approvedScope);
codeReg.setSubject(userSubject);
codeReg.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+ codeReg.setTempClientSecretHash(params.getFirst(OAuthConstants.TEMP_CLIENT_SECRET_HASH));
ServerAuthorizationCodeGrant grant = null;
try {
Copied: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java (from r1517477, cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/Base64UrlUtility.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java?p2=cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java&p1=cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/Base64UrlUtility.java&r1=1517477&r2=1518287&rev=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/saml/Base64UrlUtility.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java Wed Aug 28 17:12:27 2013
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.cxf.rs.security.oauth2.saml;
+package org.apache.cxf.rs.security.oauth2.utils;
/**
* Base64 URL Encoding/Decoding utility (character 62 is '-', 63 - '_')
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/MessageDigestGenerator.java Wed Aug 28 17:12:27 2013
@@ -18,6 +18,7 @@
*/
package org.apache.cxf.rs.security.oauth2.utils;
+import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
@@ -36,10 +37,7 @@ public class MessageDigestGenerator {
}
try {
- MessageDigest md = MessageDigest.getInstance(algorithm);
- md.reset();
- md.update(input);
- byte[] messageDigest = md.digest();
+ byte[] messageDigest = createDigest(input, algorithm);
StringBuffer hexString = new StringBuffer();
for (int i = 0; i < messageDigest.length; i++) {
hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
@@ -51,6 +49,23 @@ public class MessageDigestGenerator {
}
}
+ public byte[] createDigest(String input, String algo) {
+ try {
+ return createDigest(input.getBytes("UTF-8"), algo);
+ } catch (UnsupportedEncodingException e) {
+ throw new OAuthServiceException("server_error", e);
+ } catch (NoSuchAlgorithmException e) {
+ throw new OAuthServiceException("server_error", e);
+ }
+ }
+
+ public byte[] createDigest(byte[] input, String algo) throws NoSuchAlgorithmException {
+ MessageDigest md = MessageDigest.getInstance(algo);
+ md.reset();
+ md.update(input);
+ return md.digest();
+ }
+
public void setAlgorithm(String algo) {
this.algorithm = algo;
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java Wed Aug 28 17:12:27 2013
@@ -26,7 +26,10 @@ public final class OAuthConstants {
// Common OAuth2 constants
public static final String CLIENT_ID = "client_id";
public static final String CLIENT_SECRET = "client_secret";
+ public static final String TEMP_CLIENT_SECRET = "tcs";
+ public static final String TEMP_CLIENT_SECRET_HASH = "tcsh";
public static final String CLIENT_AUDIENCE = "audience";
+
public static final String REDIRECT_URI = "redirect_uri";
public static final String SCOPE = "scope";
public static final String STATE = "state";
Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/JAXRSOAuth2Test.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/JAXRSOAuth2Test.java?rev=1518287&r1=1518286&r2=1518287&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/JAXRSOAuth2Test.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/JAXRSOAuth2Test.java Wed Aug 28 17:12:27 2013
@@ -37,8 +37,8 @@ import org.apache.cxf.rs.security.oauth2
import org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrant;
-import org.apache.cxf.rs.security.oauth2.saml.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.saml.Constants;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.saml.SAMLUtils;
import org.apache.cxf.rs.security.saml.SAMLUtils.SelfSignInfo;