Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/14 15:11:55 UTC

cxf git commit: Require a nonce for the implicit flow

Repository: cxf
Updated Branches:
  refs/heads/master ad149504c -> 9d918465c


Require a nonce for the implicit flow


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9d918465
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9d918465
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9d918465

Branch: refs/heads/master
Commit: 9d918465c9bfbc30cc6a5fe745a15145ef4e7544
Parents: ad14950
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Dec 14 14:11:43 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Dec 14 14:11:43 2015 +0000

----------------------------------------------------------------------
 .../oauth2/common/OAuthAuthorizationData.java     |  8 --------
 .../rs/security/oidc/idp/OidcImplicitService.java | 18 ++++++++++++++++++
 2 files changed, 18 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/9d918465/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index d5fe5bc..d0665e9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,7 +39,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
     private String endUserName;
     private String authenticityToken;
     private String replyTo;
-    private String responseType;
     
     private String applicationName;
     private String applicationWebUri;
@@ -203,11 +202,4 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
         this.implicitFlow = implicitFlow;
     }
 
-    public String getResponseType() {
-        return responseType;
-    }
-
-    public void setResponseType(String responseType) {
-        this.responseType = responseType;
-    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9d918465/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 908d141..edf8e98 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -22,10 +22,17 @@ import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 
 public class OidcImplicitService extends ImplicitGrantService {
@@ -48,6 +55,17 @@ public class OidcImplicitService extends ImplicitGrantService {
     }
     
     @Override
+    protected Response startAuthorization(MultivaluedMap<String, String> params, 
+                                          UserSubject userSubject,
+                                          Client client) {    
+        // Validate the nonce, it must be present for the Implicit flow
+        if (params.getFirst(OAuthConstants.NONCE) == null) {
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+        }
+        return super.startAuthorization(params, userSubject, client);
+    }
+    
+    @Override
     protected boolean canAuthorizationBeSkipped(Client client,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions) {
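Review bot: The guard in the new startAuthorization override only rejects an absent nonce, so a request carrying `nonce=` (present but empty) still passes and reaches super.startAuthorization; OpenID Connect requires a usable nonce for the implicit flow, so the empty case should be rejected as well, e.g. `String nonce = params.getFirst(OAuthConstants.NONCE);` followed by `if (nonce == null || nonce.isEmpty()) {` in place of the current null check. The check runs before the superclass has validated the client and redirect URI, which presumably means the INVALID_REQUEST error is returned directly rather than via redirect; that is the safer order, but worth a comment such as `// Checked before client/redirect_uri validation: the error is returned directly, never redirected` so the ordering is not "fixed" later. Lines L89 and L91 carry trailing whitespace. The class continues past the hunk, and canAuthorizationBeSkipped's body is outside it.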