Posted to commits@cxf.apache.org by se...@apache.org on 2012/07/23 16:23:35 UTC
svn commit: r1364642 - in /cxf/branches/2.5.x-fixes: ./
rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/
rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/
rt/rs/security/...
Author: sergeyb
Date: Mon Jul 23 14:23:35 2012
New Revision: 1364642
URL: http://svn.apache.org/viewvc?rev=1364642&view=rev
Log:
Merged revisions 1362118 via svnmerge from
https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes
................
r1362118 | sergeyb | 2012-07-16 17:25:59 +0100 (Mon, 16 Jul 2012) | 9 lines
Merged revisions 1362114 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1362114 | sergeyb | 2012-07-16 17:20:32 +0100 (Mon, 16 Jul 2012) | 1 line
[CXF-4225] Reusing default validator instance between requests, making it possible to customize the validation
........
................
Modified:
cxf/branches/2.5.x-fixes/ (props changed)
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenService.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (added)
+++ svn:mergeinfo Mon Jul 23 14:23:35 2012
@@ -0,0 +1,2 @@
+/cxf/branches/2.6.x-fixes:1362118
+/cxf/trunk:1362114
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java Mon Jul 23 14:23:35 2012
@@ -35,6 +35,7 @@ import javax.servlet.http.HttpServletReq
import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
+import net.oauth.OAuthValidator;
import net.oauth.server.OAuthServlet;
import org.apache.cxf.common.logging.LogUtils;
@@ -47,6 +48,7 @@ import org.apache.cxf.rs.security.oauth.
import org.apache.cxf.rs.security.oauth.data.OAuthContext;
import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
import org.apache.cxf.rs.security.oauth.data.UserSubject;
+import org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator;
import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
@@ -77,7 +79,8 @@ public class AbstractAuthFilter {
private boolean useUserSubject;
private OAuthDataProvider dataProvider;
-
+ private OAuthValidator validator = new DefaultOAuthValidator();
+
protected AbstractAuthFilter() {
}
@@ -130,7 +133,8 @@ public class AbstractAuthFilter {
}
client = accessToken.getClient();
- OAuthUtils.validateMessage(oAuthMessage, client, accessToken, dataProvider);
+ OAuthUtils.validateMessage(oAuthMessage, client, accessToken,
+ dataProvider, validator);
} else {
String consumerKey = null;
String consumerSecret = null;
@@ -161,7 +165,8 @@ public class AbstractAuthFilter {
LOG.warning("Client secret is invalid");
throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
} else {
- OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider);
+ OAuthUtils.validateMessage(oAuthMessage, client, null,
+ dataProvider, validator);
}
accessToken = client.getPreAuthorizedToken();
if (accessToken == null || !accessToken.isPreAuthorized()) {
@@ -265,6 +270,10 @@ public class AbstractAuthFilter {
return new OAuthContext(subject, info.getMatchedPermissions());
}
+ public void setValidator(OAuthValidator validator) {
+ this.validator = validator;
+ }
+
private static class CustomHttpServletWrapper extends HttpServletRequestWrapper {
public CustomHttpServletWrapper(HttpServletRequest req) {
super(req);
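Review bot: `setValidator` stores whatever it is given, so a null from a misconfigured bean silently replaces the default `DefaultOAuthValidator`. The resulting NullPointerException would be raised inside the `try` in `OAuthUtils.validateMessage`, whose `catch (Exception ex)` in this same commit does not rethrow when `token` is null, so the request would pass unvalidated. Reject null at the setter, e.g. `if (validator == null) { throw new IllegalArgumentException("validator must not be null"); }`. The same applies to `AbstractOAuthService.setValidator`. The enclosing class continues outside this hunk.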
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java Mon Jul 23 14:23:35 2012
@@ -48,6 +48,7 @@ public class OAuthServletFilter extends
public void init(FilterConfig filterConfig) throws ServletException {
ServletContext servletContext = filterConfig.getServletContext();
super.setDataProvider(OAuthUtils.getOAuthDataProvider(servletContext));
+ super.setValidator(OAuthUtils.getOAuthValidator(servletContext));
super.setUseUserSubject(MessageUtils.isTrue(servletContext.getInitParameter(USE_USER_SUBJECT)));
}
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AbstractOAuthService.java Mon Jul 23 14:23:35 2012
@@ -20,7 +20,10 @@ package org.apache.cxf.rs.security.oauth
import javax.ws.rs.core.Context;
+import net.oauth.OAuthValidator;
+
import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator;
import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
@@ -31,6 +34,7 @@ public abstract class AbstractOAuthServi
private MessageContext mc;
private OAuthDataProvider dataProvider;
+ private OAuthValidator validator = new DefaultOAuthValidator();
@Context
public void setMessageContext(MessageContext context) {
@@ -48,6 +52,14 @@ public abstract class AbstractOAuthServi
protected OAuthDataProvider getDataProvider() {
return OAuthUtils.getOAuthDataProvider(dataProvider, mc.getServletContext());
}
+
+ public OAuthValidator getValidator() {
+ return validator;
+ }
+
+ public void setValidator(OAuthValidator validator) {
+ this.validator = validator;
+ }
}
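Review bot: `getValidator()` returns the field directly, whereas `getDataProvider()` just above it falls back to the servlet context through `OAuthUtils.getOAuthDataProvider(dataProvider, mc.getServletContext())`. A validator configured with the `oauth.data.validator-class` context parameter is therefore picked up by `OAuthServletFilter.init` but not by the token services unless it is also injected with `setValidator`, and each service otherwise keeps its own `DefaultOAuthValidator`. If the validator holds per-instance state such as already-seen nonces (not visible on this page), that state is not shared between the endpoints. Consider resolving the validator the same way as the data provider, or add a Javadoc line on `getValidator()` stating that the services must be wired explicitly.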
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java Mon Jul 23 14:23:35 2012
@@ -29,6 +29,7 @@ import javax.ws.rs.core.Response;
import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
+import net.oauth.OAuthValidator;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
@@ -54,7 +55,9 @@ public class AccessTokenHandler {
OAuth.OAUTH_NONCE
};
- public Response handle(MessageContext mc, OAuthDataProvider dataProvider) {
+ public Response handle(MessageContext mc,
+ OAuthDataProvider dataProvider,
+ OAuthValidator validator) {
try {
OAuthMessage oAuthMessage =
OAuthUtils.getOAuthMessage(mc, mc.getHttpServletRequest(), REQUIRED_PARAMETERS);
@@ -75,8 +78,11 @@ public class AccessTokenHandler {
throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
}
- OAuthUtils.validateMessage(oAuthMessage, requestToken.getClient(), requestToken,
- dataProvider);
+ OAuthUtils.validateMessage(oAuthMessage,
+ requestToken.getClient(),
+ requestToken,
+ dataProvider,
+ validator);
AccessTokenRegistration reg = new AccessTokenRegistration();
reg.setRequestToken(requestToken);
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenService.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenService.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenService.java Mon Jul 23 14:23:35 2012
@@ -49,6 +49,8 @@ public class AccessTokenService extends
@POST
@Produces("application/x-www-form-urlencoded")
public Response getAccessToken() {
- return handler.handle(getMessageContext(), getDataProvider());
+ return handler.handle(getMessageContext(),
+ getDataProvider(),
+ getValidator());
}
}
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java Mon Jul 23 14:23:35 2012
@@ -30,6 +30,7 @@ import javax.ws.rs.core.Response;
import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
+import net.oauth.OAuthValidator;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
@@ -57,7 +58,9 @@ public class RequestTokenHandler {
private long tokenLifetime = 3600L;
private String defaultScope;
- public Response handle(MessageContext mc, OAuthDataProvider dataProvider) {
+ public Response handle(MessageContext mc,
+ OAuthDataProvider dataProvider,
+ OAuthValidator validator) {
try {
OAuthMessage oAuthMessage =
OAuthUtils.getOAuthMessage(mc, mc.getHttpServletRequest(), REQUIRED_PARAMETERS);
@@ -69,7 +72,8 @@ public class RequestTokenHandler {
throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
}
- OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider);
+ OAuthUtils.validateMessage(oAuthMessage, client, null,
+ dataProvider, validator);
String callback = oAuthMessage.getParameter(OAuth.OAUTH_CALLBACK);
validateCallbackURL(client, callback);
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenService.java Mon Jul 23 14:23:35 2012
@@ -48,6 +48,8 @@ public class RequestTokenService extends
@POST
@Produces("application/x-www-form-urlencoded")
public Response getRequestToken() {
- return handler.handle(getMessageContext(), getDataProvider());
+ return handler.handle(getMessageContext(),
+ getDataProvider(),
+ getValidator());
}
}
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthConstants.java Mon Jul 23 14:23:35 2012
@@ -25,8 +25,9 @@ package org.apache.cxf.rs.security.oauth
public final class OAuthConstants {
public static final String OAUTH_DATA_PROVIDER_CLASS = "oauth.data.provider-class";
- public static final String OAUTH_DATA_VALIDATOR_CLASS = "oauth.data.validator-class";
+ public static final String OAUTH_VALIDATOR_CLASS = "oauth.data.validator-class";
public static final String OAUTH_DATA_PROVIDER_INSTANCE_KEY = "oauth.data.provider-instance.key";
+ public static final String OAUTH_VALIDATOR_INSTANCE_KEY = "oauth.data.validator-instance.key";
public static final String VERIFIER_INVALID = "verifier_invalid";
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java?rev=1364642&r1=1364641&r2=1364642&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java Mon Jul 23 14:23:35 2012
@@ -41,6 +41,7 @@ import net.oauth.OAuthAccessor;
import net.oauth.OAuthConsumer;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
+import net.oauth.OAuthValidator;
import net.oauth.server.OAuthServlet;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
@@ -85,7 +86,8 @@ public final class OAuthUtils {
public static void validateMessage(OAuthMessage oAuthMessage,
Client client,
Token token,
- OAuthDataProvider provider)
+ OAuthDataProvider provider,
+ OAuthValidator validator)
throws Exception {
OAuthConsumer consumer = new OAuthConsumer(null, client.getConsumerKey(),
client.getSecretKey(), null);
@@ -98,11 +100,16 @@ public final class OAuthUtils {
}
accessor.tokenSecret = token.getTokenSecret();
}
-
- DefaultOAuthValidator validator = new DefaultOAuthValidator();
- validator.validateMessage(oAuthMessage, accessor);
- if (token != null) {
- validator.validateToken(token, provider);
+ try {
+ validator.validateMessage(oAuthMessage, accessor);
+ } catch (Exception ex) {
+ if (token != null) {
+ provider.removeToken(token);
+ throw ex;
+ }
+ }
+ if (token != null && validator instanceof DefaultOAuthValidator) {
+ ((DefaultOAuthValidator)validator).validateToken(token, provider);
}
}
@@ -228,14 +235,6 @@ public final class OAuthUtils {
+ " ] context init param in web.xml");
}
- String oauthValidatorClassName = servletContext
- .getInitParameter(OAuthConstants.OAUTH_DATA_VALIDATOR_CLASS);
-
- if (StringUtils.isEmpty(oauthValidatorClassName)) {
- //if no validator was provided fallback to default validator
- oauthValidatorClassName = DefaultOAuthValidator.class.getName();
- }
-
try {
dataProvider = (OAuthDataProvider) OAuthUtils
.instantiateClass(dataProviderClassName);
@@ -250,4 +249,32 @@ public final class OAuthUtils {
return dataProvider;
}
+
+ public static synchronized OAuthValidator getOAuthValidator(ServletContext servletContext) {
+
+ OAuthValidator dataProvider = (OAuthValidator) servletContext
+ .getAttribute(OAuthConstants.OAUTH_VALIDATOR_INSTANCE_KEY);
+
+ if (dataProvider == null) {
+ String dataProviderClassName = servletContext
+ .getInitParameter(OAuthConstants.OAUTH_VALIDATOR_CLASS);
+
+ if (!StringUtils.isEmpty(dataProviderClassName)) {
+
+ try {
+ dataProvider = (OAuthValidator) OAuthUtils
+ .instantiateClass(dataProviderClassName);
+
+ servletContext
+ .setAttribute(OAuthConstants.OAUTH_VALIDATOR_INSTANCE_KEY, dataProvider);
+ } catch (Exception e) {
+ throw new RuntimeException(
+ "Cannot instantiate OAuthValidator class: " + dataProviderClassName, e);
+ }
+ }
+ }
+
+ return dataProvider == null ? new DefaultOAuthValidator() : dataProvider;
+ }
+
}
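Review bot: When no validator class is configured, `getOAuthValidator` returns `new DefaultOAuthValidator()` without storing it under `OAUTH_VALIDATOR_INSTANCE_KEY`, so every call yields a different default instance and only a configured validator is shared through the servlet context. If one validator per application is the intent, cache the default too, with `servletContext.setAttribute(OAuthConstants.OAUTH_VALIDATOR_INSTANCE_KEY, validator);` before returning. The locals `dataProvider` and `dataProviderClassName` are carried over from the data-provider lookup and would read better as `validator` and `validatorClassName`. A short Javadoc giving the lookup order (context attribute, then init parameter, then default) would also help.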