Posted to commits@cxf.apache.org by se...@apache.org on 2015/12/08 18:16:05 UTC
cxf-fediz git commit: Simplifying ODataManager a bit
Repository: cxf-fediz
Updated Branches:
refs/heads/master 56a360597 -> a5bafcdfd
Simplifying ODataManager a bit
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a5bafcdf
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a5bafcdf
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a5bafcdf
Branch: refs/heads/master
Commit: a5bafcdfdf4595dd78a4316ed878cecc833a4b48
Parents: 56a3605
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Tue Dec 8 17:15:38 2015 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Tue Dec 8 17:15:38 2015 +0000
----------------------------------------------------------------------
.../fediz/service/oidc/OAuthDataManager.java | 100 +++++--------------
.../src/main/webapp/WEB-INF/data-manager.xml | 2 +-
2 files changed, 25 insertions(+), 77 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a5bafcdf/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
index a48a865..9bb58eb 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
@@ -19,16 +19,10 @@
package org.apache.cxf.fediz.service.oidc;
import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.cxf.fediz.core.FedizPrincipal;
-import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
@@ -39,38 +33,14 @@ import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvi
import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
-
- private static final OAuthPermission OPENID_PERMISSION;
- private static final OAuthPermission REFRESH_TOKEN_PERMISSION;
-
- static {
- OPENID_PERMISSION = new OAuthPermission(OidcUtils.OPENID_SCOPE,
- "Access the authentication claims");
- OPENID_PERMISSION.setDefault(true);
- REFRESH_TOKEN_PERMISSION = new OAuthPermission(OAuthConstants.REFRESH_TOKEN_SCOPE,
- "Refresh access tokens");
- REFRESH_TOKEN_PERMISSION.setInvisibleToClient(true);
- }
-
- private Map<String, OAuthPermission> permissionMap = new HashMap<String, OAuthPermission>();
- private MessageContext messageContext;
private SamlTokenConverter tokenConverter = new LocalSamlTokenConverter();
- private boolean signIdTokenWithClientSecret;
-
public OAuthDataManager() {
- permissionMap.put(OPENID_PERMISSION.getPermission(), OPENID_PERMISSION);
- permissionMap.put(REFRESH_TOKEN_PERMISSION.getPermission(), REFRESH_TOKEN_PERMISSION);
- }
-
- public OAuthDataManager(Map<String, OAuthPermission> permissionMap) {
- this.permissionMap = permissionMap;
}
@Override
@@ -100,40 +70,14 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
return token;
}
- // Scope to Permission conversion
@Override
- public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> scopes)
- throws OAuthServiceException {
- List<OAuthPermission> list = new ArrayList<OAuthPermission>();
- for (String scope : scopes) {
- OAuthPermission permission = permissionMap.get(scope);
- if (permission == null) {
- throw new OAuthServiceException("Unexpected scope: " + scope);
- }
- list.add(permission);
- }
- if (!list.contains(OPENID_PERMISSION)) {
- throw new OAuthServiceException("Required scope is missing");
- }
- return list;
- }
-
- public void setMessageContext(MessageContext messageContext) {
- this.messageContext = messageContext;
- }
-
- public void setScopes(Map<String, String> scopes) {
- for (Map.Entry<String, String> entry : scopes.entrySet()) {
- OAuthPermission permission = new OAuthPermission(entry.getKey(), entry.getValue());
- if (OidcUtils.OPENID_SCOPE.equals(entry.getKey())) {
- permission.setDefault(true);
- } else if (OAuthConstants.REFRESH_TOKEN_SCOPE.equals(entry.getKey())) {
- permission.setInvisibleToClient(true);
- }
- permissionMap.put(entry.getKey(), permission);
+ public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScopes) {
+ if (!requestedScopes.contains(OidcUtils.OPENID_SCOPE)) {
+ throw new OAuthServiceException("Required scope is missing");
}
+ return super.convertScopeToPermissions(client, requestedScopes);
}
-
+
protected OidcUserSubject createOidcSubject(Client client, UserSubject subject, String nonce) {
IdToken idToken = getIdToken(client, nonce);
if (idToken != null) {
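Review bot: The override at `convertScopeToPermissions` no longer rejects scopes that are not in the permission map itself; the removed loop threw `"Unexpected scope: " + scope` for any unknown value, and the new code relies entirely on `super.convertScopeToPermissions` for that. Whether the superclass still fails on an unknown scope rather than dropping or accepting it is not visible here, so that behaviour should be confirmed before treating the override as equivalent, since an OIDC authorization request that smuggles in an unregistered scope must not be granted silently. The new signature also dropped the `throws OAuthServiceException` clause and the `// Scope to Permission conversion` comment; a Javadoc such as `/** Requires the mandatory {@code openid} scope, then delegates scope-to-permission mapping (and rejection of unknown scopes) to the parent provider. */` would state the contract. A null `requestedScopes` still produces a NullPointerException on `contains`, as it did with the old `for` loop, which would surface as a 500 rather than an OAuth error; consider `if (requestedScopes == null || !requestedScopes.contains(OidcUtils.OPENID_SCOPE))`.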
@@ -143,13 +87,9 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
}
return null;
}
- protected String getJoseIdToken(Client client, IdToken idToken) {
- JwsJwtCompactProducer p = new JwsJwtCompactProducer(idToken);
- return p.signWith(getJwsSignatureProvider(client));
- // the JWS compact output may also need to be encrypted
- }
+
protected IdToken getIdToken(Client client, String nonce) {
- Principal principal = messageContext.getSecurityContext().getUserPrincipal();
+ Principal principal = getMessageContext().getSecurityContext().getUserPrincipal();
if (principal instanceof FedizPrincipal) {
FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
@@ -162,17 +102,25 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
return null;
}
- protected JwsSignatureProvider getJwsSignatureProvider(Client client) {
- if (signIdTokenWithClientSecret && client.isConfidential()) {
- return OAuthUtils.getClientSecretSignatureProvider(client.getClientSecret());
- }
- return JwsUtils.loadSignatureProvider(true);
-
- }
-
public void setTokenConverter(SamlTokenConverter tokenConverter) {
this.tokenConverter = tokenConverter;
}
-
+ @Override
+ public void init() {
+ super.init();
+ Map<String, OAuthPermission> perms = super.getPermissionMap();
+ if (!perms.containsKey(OidcUtils.OPENID_SCOPE)) {
+ perms.put(OidcUtils.OPENID_SCOPE,
+ new OAuthPermission(OidcUtils.OPENID_SCOPE, "Access the authentication claims"));
+ }
+ perms.get(OidcUtils.OPENID_SCOPE).setDefault(true);
+
+ if (!perms.containsKey(OAuthConstants.REFRESH_TOKEN_SCOPE)) {
+ perms.put(OAuthConstants.REFRESH_TOKEN_SCOPE,
+ new OAuthPermission(OAuthConstants.REFRESH_TOKEN_SCOPE, "Refresh access tokens"));
+ }
+ perms.get(OAuthConstants.REFRESH_TOKEN_SCOPE).setInvisibleToClient(true);
+
+ }
}
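Review bot: The new `init()` is the only place the mandatory `openid` permission is registered and marked default, and the `refresh_token` permission marked invisible, so the bean now silently loses both if a deployment's XML omits the `init-method="init"` that the second file of this commit adds; a comment above the method should record that dependency, e.g. `// Must be invoked as the Spring init-method (see data-manager.xml): registers the mandatory openid scope and the refresh_token scope if the configured scopes did not.` Note also that `setDefault(true)` and `setInvisibleToClient(true)` are applied unconditionally, overriding those flags on any `openid` or `refresh_token` permission supplied through the configured scopes map, which is presumably intended but is worth stating in the same comment. Whether `super.getPermissionMap()` returns the live map (so the `put` calls take effect) or a copy is not visible here and should be confirmed, as the code has no guard for an unmodifiable or detached map.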
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a5bafcdf/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index 38ba86e..33789ee 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -30,7 +30,7 @@
<property name="issuer" value="accounts.fediz.com"/>
</bean>
<bean id="oauthProvider" class="org.apache.cxf.fediz.service.oidc.OAuthDataManager"
- destroy-method="close">
+ init-method="init" destroy-method="close">
<!--
<property name="scopes">
<map>