Posted to commits@cxf.apache.org by se...@apache.org on 2016/01/25 18:17:39 UTC
cxf git commit: Prototyong the code for better supporting
pre-authorized tokens
Repository: cxf
Updated Branches:
refs/heads/master 96b9016d8 -> 5638cae66
Prototyping the code for better supporting pre-authorized tokens
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5638cae6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5638cae6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5638cae6
Branch: refs/heads/master
Commit: 5638cae66ca25c603af6113a539e590c035ee33a
Parents: 96b9016
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Mon Jan 25 17:17:23 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Mon Jan 25 17:17:23 2016 +0000
----------------------------------------------------------------------
.../oauth2/grants/AbstractGrantHandler.java | 1 +
.../grants/code/AbstractCodeDataProvider.java | 1 +
.../code/AuthorizationCodeGrantHandler.java | 5 +++
.../code/AuthorizationCodeRegistration.java | 8 ++++-
.../code/ServerAuthorizationCodeGrant.java | 9 +++++
.../provider/AbstractOAuthDataProvider.java | 36 ++++++++++++++++++--
.../services/AuthorizationCodeGrantService.java | 2 +-
7 files changed, 57 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index 1c552cb..3df087b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -164,6 +164,7 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
// Get a pre-authorized token if available
return dataProvider.getPreauthorizedToken(
client, requestedScopes, subject, requestedGrant);
+
}
public boolean isPartialMatchScopeValidation() {
http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index de61bb8..12fd14e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -54,6 +54,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(), lifetime);
grant.setRedirectUri(reg.getRedirectUri());
grant.setSubject(reg.getSubject());
+ grant.setPreauthorizedTokenAvailable(reg.isPreauthorizedTokenAvailable());
grant.setRequestedScopes(reg.getRequestedScope());
grant.setApprovedScopes(reg.getApprovedScope());
grant.setAudience(reg.getAudience());
http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index a490812..4a01328 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -111,6 +111,11 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
getAudiences(client, grant.getAudience()));
if (token != null) {
return token;
+ } else if (grant.isPreauthorizedTokenAvailable()) {
+ // the grant was issued based on the authorization time check confirming the
+ // token was available but it has expired by now or been removed then
+ // creating a completely new token can be wrong - though this needs to be reviewed
+ throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
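Review bot: The new `else if (grant.isPreauthorizedTokenAvailable())` branch leaves a prototype marker ("though this needs to be reviewed") in its comment, while the behaviour it guards — failing closed with INVALID_GRANT instead of minting a fresh token when the token the code was issued against has since expired or been revoked — is the conservative choice and deserves a definitive comment. I would replace the three comment lines with `// Fail closed: the code was issued because a pre-authorized token existed at authorization time; if that token has since expired or been revoked, silently issuing a new one would extend the earlier consent without a fresh check.`. Note that with the AbstractOAuthDataProvider change in this same commit the base provider never returns a non-null pre-authorized token, so this branch appears reachable only for providers that override getPreauthorizedToken (see the note on that hunk). The enclosing method starts and ends outside the hunk.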
// Delegate to the data provider to create the one
http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
index 1319cad..a3185b7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
@@ -37,7 +37,7 @@ public class AuthorizationCodeRegistration {
private String audience;
private String nonce;
private String clientCodeChallenge;
-
+ private boolean preauthorizedTokenAvailable;
/**
* Sets the {@link Client} reference
* @param client the client
@@ -133,4 +133,10 @@ public class AuthorizationCodeRegistration {
public void setNonce(String nonce) {
this.nonce = nonce;
}
+ public boolean isPreauthorizedTokenAvailable() {
+ return preauthorizedTokenAvailable;
+ }
+ public void setPreauthorizedTokenAvailable(boolean preauthorizedTokenAvailable) {
+ this.preauthorizedTokenAvailable = preauthorizedTokenAvailable;
+ }
}
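Review bot: The new `isPreauthorizedTokenAvailable`/`setPreauthorizedTokenAvailable` accessors have no Javadoc, although the other setters in this class are documented (the `/** Sets the {@link Client} reference ... */` block just before the first hunk). Judging from the AuthorizationCodeGrantService hunk, the flag records whether a pre-authorized token was found when the registration was created, so I would add `/** Indicates whether a pre-authorized token was found for the client and subject when this registration was created. */` on the getter and `/** Sets whether a pre-authorized token was available when this registration was created. */` on the setter. The same accessors added to ServerAuthorizationCodeGrant in the next file section lack documentation in the same way.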
http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index 026a835..119cc59 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -41,6 +41,7 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
private String audience;
private String clientCodeChallenge;
private String nonce;
+ private boolean preauthorizedTokenAvailable;
public ServerAuthorizationCodeGrant() {
@@ -165,4 +166,12 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
public void setNonce(String nonce) {
this.nonce = nonce;
}
+
+ public boolean isPreauthorizedTokenAvailable() {
+ return preauthorizedTokenAvailable;
+ }
+
+ public void setPreauthorizedTokenAvailable(boolean preauthorizedTokenAvailable) {
+ this.preauthorizedTokenAvailable = preauthorizedTokenAvailable;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 5183385..6ac6922 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -44,6 +44,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
private List<String> defaultScopes;
private List<String> requiredScopes;
private List<String> invisibleToClientScopes;
+ private boolean supportPreauthorizedTokens;
protected AbstractOAuthDataProvider() {
@@ -175,10 +176,31 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
}
@Override
- public ServerAccessToken getPreauthorizedToken(Client client, List<String> requestedScopes,
- UserSubject subject, String grantType)
- throws OAuthServiceException {
+ public ServerAccessToken getPreauthorizedToken(Client client,
+ List<String> requestedScopes,
+ UserSubject sub,
+ String grantType) throws OAuthServiceException {
+ if (!supportPreauthorizedTokens) {
+ return null;
+ }
+
+ ServerAccessToken token = null;
+ for (ServerAccessToken at : getAccessTokens(client, sub)) {
+ if (at.getClient().getClientId().equals(client.getClientId())
+ && at.getGrantType().equals(grantType)
+ && (sub == null || at.getSubject().getLogin().equals(sub.getLogin()))
+ && OAuthUtils.convertPermissionsToScopeList(
+ at.getScopes()).containsAll(requestedScopes)) {
+ token = at;
+ break;
+ }
+ }
+ if (token != null
+ && OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn())) {
+ revokeToken(client, token.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
+ }
return null;
+
}
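Review bot: The rewritten `getPreauthorizedToken` still ends in an unconditional `return null;`, so a matching, unexpired token found by the loop is discarded and only the expired case (revocation) has any effect; as a consequence AuthorizationCodeGrantService in the last hunk will always record `preauthorizedTokenAvailable = false` with this provider. Unless that is intentional for the prototype, the expired branch should end with `return null;` after the `revokeToken(...)` call and the final statement should be `return token;`. The loop predicate also needs null guards: `at.getSubject()` (and possibly `at.getGrantType()`) may be null for tokens that were issued to the client without a user, which would throw NullPointerException rather than skip the token, and when `sub == null` the predicate accepts a token that was issued to a user subject, so `(sub == null ? at.getSubject() == null : at.getSubject() != null && at.getSubject().getLogin().equals(sub.getLogin()))` would keep subject-less requests from being served a user's token. Whether `getAccessTokens(client, null)` already restricts the result to subject-less tokens is not visible here.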
protected boolean isRefreshTokenSupported(List<String> theScopes) {
@@ -323,4 +345,12 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
this.invisibleToClientScopes = invisibleToClientScopes;
}
+ public void setSupportPreauthorizedTokens(boolean supportPreauthorizedTokens) {
+ // This property can be enabled by default as it is generally a good thing to check
+ // if a token for a given client (+ user) pair exists but doing the queries on every
+ // authorization request for all the client-user combinations might be not cheap,
+ // hence this property is currently disabled by default
+ this.supportPreauthorizedTokens = supportPreauthorizedTokens;
+ }
+
}
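Review bot: The rationale for the default being off sits inside the body of `setSupportPreauthorizedTokens`, where users configuring the provider and subclasses will not see it; I would move it into Javadoc on the setter, e.g. `/** Enables the lookup performed by getPreauthorizedToken. Off by default because querying the access tokens of every client/user pair on each authorization request may be expensive. */`. There is also no getter for the new field, so a subclass overriding `getPreauthorizedToken` cannot honour the same switch; a `public boolean isSupportPreauthorizedTokens()` returning the field would allow that.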
http://git-wip-us.apache.org/repos/asf/cxf/blob/5638cae6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 36615e7..9a8609a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -103,7 +103,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
// in this flow the code is still created, the preauthorized token
// will be retrieved by the authorization code grant handler
AuthorizationCodeRegistration codeReg = new AuthorizationCodeRegistration();
-
+ codeReg.setPreauthorizedTokenAvailable(preauthorizedToken != null);
codeReg.setClient(client);
codeReg.setRedirectUri(state.getRedirectUri());
codeReg.setRequestedScope(requestedScope);