Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/14 15:11:55 UTC
cxf git commit: Require a nonce for the implicit flow
Repository: cxf
Updated Branches:
refs/heads/master ad149504c -> 9d918465c
Require a nonce for the implicit flow
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9d918465
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9d918465
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9d918465
Branch: refs/heads/master
Commit: 9d918465c9bfbc30cc6a5fe745a15145ef4e7544
Parents: ad14950
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 14 14:11:43 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 14 14:11:43 2015 +0000
----------------------------------------------------------------------
.../oauth2/common/OAuthAuthorizationData.java | 8 --------
.../rs/security/oidc/idp/OidcImplicitService.java | 18 ++++++++++++++++++
2 files changed, 18 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/9d918465/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index d5fe5bc..d0665e9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,7 +39,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
private String endUserName;
private String authenticityToken;
private String replyTo;
- private String responseType;
private String applicationName;
private String applicationWebUri;
@@ -203,11 +202,4 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
this.implicitFlow = implicitFlow;
}
- public String getResponseType() {
- return responseType;
- }
-
- public void setResponseType(String responseType) {
- this.responseType = responseType;
- }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9d918465/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 908d141..edf8e98 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -22,10 +22,17 @@ import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+
import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
public class OidcImplicitService extends ImplicitGrantService {
@@ -48,6 +55,17 @@ public class OidcImplicitService extends ImplicitGrantService {
}
@Override
+ protected Response startAuthorization(MultivaluedMap<String, String> params,
+ UserSubject userSubject,
+ Client client) {
+ // Validate the nonce, it must be present for the Implicit flow
+ if (params.getFirst(OAuthConstants.NONCE) == null) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+ return super.startAuthorization(params, userSubject, client);
+ }
+
+ @Override
protected boolean canAuthorizationBeSkipped(Client client,
List<String> requestedScope,
List<OAuthPermission> permissions) {
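Review bot: The nonce guard in the new startAuthorization override only rejects a missing parameter, so a request carrying `nonce=` (empty string) passes the check while still providing nothing for the ID token to be bound to; I would read it into a local and reject blank values too: `String nonce = params.getFirst(OAuthConstants.NONCE);` followed by `if (nonce == null || nonce.isEmpty()) {`. The comment above the check should also say why the value is mandatory rather than just that it is, e.g. `// OIDC Core 3.2.2.1: nonce is REQUIRED for the implicit flow (it is echoed in the ID token so the client can bind it to its session)`. Rejecting before delegating to super.startAuthorization looks right, since it surfaces an error rather than redirecting to a not-yet-validated redirect_uri, though whether the nonce is actually propagated into the issued ID token is not visible in this hunk and would need confirming. canAuthorizationBeSkipped continues past the end of the hunk.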