Posted to commits@cxf.apache.org by co...@apache.org on 2020/11/13 10:23:30 UTC
[cxf] 02/02: CXF-8368 - org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit dcf6d7ab478444d26afb97b677cbc2f292ddfbb8
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Nov 13 10:22:50 2020 +0000
CXF-8368 - org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge
---
.../services/AuthorizationCodeGrantService.java | 26 ++-------
.../services/RedirectionBasedGrantService.java | 1 +
.../security/oauth2/grants/PublicClientTest.java | 65 ++++++++++++++++------
...public.xml => grants-server-public-session.xml} | 59 ++++++++++----------
.../oauth2/grants/grants-server-public.xml | 6 --
5 files changed, 84 insertions(+), 73 deletions(-)
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index f4da8b6..d63e85ed 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -28,8 +28,6 @@ import javax.ws.rs.core.UriBuilder;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.FormAuthorizationResponse;
-import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
import org.apache.cxf.rs.security.oauth2.common.OOBAuthorizationResponse;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -61,29 +59,13 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
public AuthorizationCodeGrantService() {
super(OAuthConstants.CODE_RESPONSE_TYPE, OAuthConstants.AUTHORIZATION_CODE_GRANT);
}
- @Override
- protected OAuthAuthorizationData createAuthorizationData(Client client,
- MultivaluedMap<String, String> params,
- String redirectUri,
- UserSubject subject,
- List<OAuthPermission> requestedPerms,
- List<OAuthPermission> alreadyAuthorizedPerms,
- boolean authorizationCanBeSkipped) {
- OAuthAuthorizationData data =
- super.createAuthorizationData(client, params, redirectUri, subject,
- requestedPerms, alreadyAuthorizedPerms, authorizationCanBeSkipped);
- setCodeChallenge(data, params);
- return data;
- }
- protected OAuthRedirectionState recreateRedirectionStateFromParams(
- MultivaluedMap<String, String> params) {
+
+ protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> params) {
OAuthRedirectionState state = super.recreateRedirectionStateFromParams(params);
- setCodeChallenge(state, params);
+ state.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
return state;
}
- private static void setCodeChallenge(OAuthRedirectionState data, MultivaluedMap<String, String> params) {
- data.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
- }
+
protected Response createGrant(OAuthRedirectionState state,
Client client,
List<String> requestedScope,
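Review bot: `recreateRedirectionStateFromParams` at the top of the hunk overrides the superclass method (it calls `super.recreateRedirectionStateFromParams(params)`) yet carries no `@Override`, and the only `@Override` in the neighbourhood was removed together with the `createAuthorizationData` override; add `@Override` so a later signature change in RedirectionBasedGrantService fails at compile time instead of silently leaving the code challenge unset on the rebuilt state. The inlined `state.setClientCodeChallenge(...)` also deserves a why-comment, since the base-class `createAuthorizationData` now sets the same value and a reader may take this line for a leftover: `// state is rebuilt from the request here, not from stored authorization data, so code_challenge must be re-captured from params`. If the state type also carries a `code_challenge_method`, it presumably needs the same treatment; confirm against OAuthRedirectionState. `createGrant`'s signature begins at the end of this hunk and its body lies outside it.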
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index cee3334..63f65a7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -292,6 +292,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
}
secData.setProposedScope(builder.toString().trim());
}
+ secData.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
if (!authorizationCanBeSkipped) {
secData.setPermissions(requestedPerms);
secData.setAlreadyAuthorizedPermissions(alreadyAuthorizedPerms);
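Review bot: The added `secData.setClientCodeChallenge(...)` line says nothing about why the challenge must be captured in the base class at this point, and the commit title is the only hint: setting it in a subclass after `super.createAuthorizationData` returned was evidently too late, which suggests something further down this method (presumably the session authenticity token built from secData, given the new session-token test configuration) already snapshots the state. A why-comment such as `// capture code_challenge before the redirection state is serialized below; setting it after this method returns is too late (CXF-8368)` would stop a future refactor from moving it back into the subclass. The value is stored exactly as the client sent it; if nothing downstream enforces the RFC 7636 code_challenge format (43–128 unreserved characters), rejecting malformed values here, at the authorization endpoint, would be the natural place. The enclosing method begins and ends outside the hunk.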
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
index 4fa89db..dab76fc 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
@@ -38,6 +38,8 @@ import org.apache.cxf.testutil.common.AbstractClientServerTestBase;
import org.apache.cxf.testutil.common.TestUtil;
import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
@@ -47,26 +49,49 @@ import static org.junit.Assert.fail;
/**
* Some tests for public clients.
*/
+@RunWith(value = org.junit.runners.Parameterized.class)
public class PublicClientTest extends AbstractClientServerTestBase {
public static final String JCACHE_PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-jcache-public");
public static final String JCACHE_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-jcache-public");
- // services2 doesn't require basic auth
- private static final String TOKEN_SERVICE_ADDRESS_PLAIN = "https://localhost:" + JCACHE_PORT + "/services2/";
- // services3 doesn't require basic auth
- private static final String TOKEN_SERVICE_ADDRESS_DIGEST = "https://localhost:" + JCACHE_PORT + "/services3/";
+ public static final String JCACHE_PORT_SESSION =
+ TestUtil.getPortNumber("jaxrs-oauth2-grants-jcache-public-session");
+ public static final String JCACHE_PORT_SESSION2 =
+ TestUtil.getPortNumber("jaxrs-oauth2-grants2-jcache-public-session");
+
+ final String port;
+
+ private final String tokenServiceAddressPlain;
+ private final String tokenServiceAddressDigest;
+
+ public PublicClientTest(String port) {
+ this.port = port;
+ // services2 doesn't require basic auth
+ tokenServiceAddressPlain = "https://localhost:" + port + "/services2/";
+ // services3 doesn't require basic auth
+ tokenServiceAddressDigest = "https://localhost:" + port + "/services3/";
+ }
@BeforeClass
public static void startServers() throws Exception {
assertTrue("server did not launch correctly",
- launchServer(BookServerOAuth2GrantsJCache.class, true));
+ launchServer(BookServerOAuth2GrantsJCache.class, true));
+ assertTrue("server did not launch correctly",
+ launchServer(BookServerOAuth2GrantsJCacheSession.class, true));
+ }
+
+ @Parameterized.Parameters(name = "{0}")
+ public static String[] data() {
+ return new String[] {
+ JCACHE_PORT,
+ JCACHE_PORT_SESSION};
}
@org.junit.Test
public void testAuthorizationCodeGrant() throws Exception {
URL busFile = PublicClientTest.class.getResource("publicclient.xml");
- String address = "https://localhost:" + JCACHE_PORT + "/services/";
+ String address = "https://localhost:" + port + "/services/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
"alice", "security", busFile.toString());
// Save the Cookie for the second request...
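Review bot: `@RunWith(value = org.junit.runners.Parameterized.class)` spells out the fully qualified name although the previous hunk adds `import org.junit.runners.Parameterized;`, so `@RunWith(Parameterized.class)` is enough and keeps the import from being flagged as unused. The new `final String port;` field has no access modifier while its siblings `tokenServiceAddressPlain` and `tokenServiceAddressDigest` are `private final`; nothing in the hunk reads it from outside the class, so `private final String port;` is the consistent form. In `startServers` both `launchServer` calls share the message `"server did not launch correctly"`, so a failing run cannot tell which of the two servers did not come up; give the second one a distinct message such as `"session server did not launch correctly"`.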
@@ -78,7 +103,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
assertNotNull(code);
// Now get the access token - note services2 doesn't require basic auth
- String address2 = "https://localhost:" + JCACHE_PORT + "/services2/";
+ String address2 = "https://localhost:" + port + "/services2/";
client = WebClient.create(address2, busFile.toString());
ClientAccessToken accessToken =
@@ -90,7 +115,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
public void testAuthorizationCodeGrantNoRedirectURI() throws Exception {
URL busFile = PublicClientTest.class.getResource("publicclient.xml");
- String address = "https://localhost:" + JCACHE_PORT + "/services/";
+ String address = "https://localhost:" + port + "/services/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
"alice", "security", busFile.toString());
// Save the Cookie for the second request...
@@ -108,38 +133,38 @@ public class PublicClientTest extends AbstractClientServerTestBase {
@org.junit.Test
public void testPKCEPlain() throws Exception {
- testPKCE(new PlainCodeVerifier(), TOKEN_SERVICE_ADDRESS_PLAIN);
+ testPKCE(new PlainCodeVerifier(), tokenServiceAddressPlain);
}
@org.junit.Test
public void testPKCEPlainMissingVerifier() throws Exception {
- testPKCEMissingVerifier(new PlainCodeVerifier(), TOKEN_SERVICE_ADDRESS_PLAIN);
+ testPKCEMissingVerifier(new PlainCodeVerifier(), tokenServiceAddressPlain);
}
@org.junit.Test
public void testPKCEPlainDifferentVerifier() throws Exception {
- testPKCEDifferentVerifier(new PlainCodeVerifier(), TOKEN_SERVICE_ADDRESS_PLAIN);
+ testPKCEDifferentVerifier(new PlainCodeVerifier(), tokenServiceAddressPlain);
}
@org.junit.Test
public void testPKCEDigest() {
- testPKCE(new DigestCodeVerifier(), TOKEN_SERVICE_ADDRESS_DIGEST);
+ testPKCE(new DigestCodeVerifier(), tokenServiceAddressDigest);
}
@org.junit.Test
public void testPKCEDigestMissingVerifier() {
- testPKCEMissingVerifier(new DigestCodeVerifier(), TOKEN_SERVICE_ADDRESS_DIGEST);
+ testPKCEMissingVerifier(new DigestCodeVerifier(), tokenServiceAddressDigest);
}
@org.junit.Test
public void testPKCEDigestDifferentVerifier() {
- testPKCEDifferentVerifier(new DigestCodeVerifier(), TOKEN_SERVICE_ADDRESS_DIGEST);
+ testPKCEDifferentVerifier(new DigestCodeVerifier(), tokenServiceAddressDigest);
}
private void testPKCE(CodeVerifierTransformer transformer, String tokenServiceAddress) {
URL busFile = PublicClientTest.class.getResource("publicclient.xml");
- String address = "https://localhost:" + JCACHE_PORT + "/services/";
+ String address = "https://localhost:" + port + "/services/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
"alice", "security", busFile.toString());
// Save the Cookie for the second request...
@@ -169,7 +194,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
private void testPKCEMissingVerifier(CodeVerifierTransformer transformer, String tokenServiceAddress) {
URL busFile = PublicClientTest.class.getResource("publicclient.xml");
- String address = "https://localhost:" + JCACHE_PORT + "/services/";
+ String address = "https://localhost:" + port + "/services/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
"alice", "security", busFile.toString());
// Save the Cookie for the second request...
@@ -202,7 +227,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
private void testPKCEDifferentVerifier(CodeVerifierTransformer transformer, String tokenServiceAddress) {
URL busFile = PublicClientTest.class.getResource("publicclient.xml");
- String address = "https://localhost:" + JCACHE_PORT + "/services/";
+ String address = "https://localhost:" + port + "/services/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
"alice", "security", busFile.toString());
// Save the Cookie for the second request...
@@ -243,4 +268,10 @@ public class PublicClientTest extends AbstractClientServerTestBase {
}
}
+ public static class BookServerOAuth2GrantsJCacheSession extends AbstractBusTestServerBase {
+ protected void run() {
+ setBus(new SpringBusFactory().createBus(getClass().getResource("grants-server-public-session.xml")));
+ }
+ }
+
}
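Review bot: `run()` in the new nested `BookServerOAuth2GrantsJCacheSession` class overrides the superclass method without `@Override`, so a rename or signature change in AbstractBusTestServerBase would leave a silently dead method and a server that never starts; add the annotation. A one-line comment naming what distinguishes this server from `BookServerOAuth2GrantsJCache` would also help, e.g. `// same grants server, but with a JoseSessionTokenProvider wired in (see grants-server-public-session.xml)`.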
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public-session.xml
similarity index 72%
copy from systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
copy to systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public-session.xml
index e922f21..0b9cd88 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public-session.xml
@@ -48,7 +48,7 @@ under the License.
<bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
<httpj:engine-factory id="tls-config">
- <httpj:engine port="${testutil.ports.jaxrs-oauth2-grants-jcache-public}">
+ <httpj:engine port="${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}">
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/>
@@ -63,15 +63,19 @@ under the License.
</httpj:engine-factory>
<bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.JCacheOAuthDataProviderImpl">
- <constructor-arg><value>${testutil.ports.jaxrs-oauth2-grants2-jcache-public}</value></constructor-arg>
+ <constructor-arg><value>${testutil.ports.jaxrs-oauth2-grants2-jcache-public-session}</value></constructor-arg>
<constructor-arg><value>null</value></constructor-arg>
<constructor-arg><value>false</value></constructor-arg>
<constructor-arg><value>true</value></constructor-arg>
</bean>
-
+
+ <bean id="sessionTokenProvider" class="org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider">
+ </bean>
+
<bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="canSupportPublicClients" value="true"/>
+ <property name="sessionAuthenticityTokenProvider" ref="sessionTokenProvider"/>
</bean>
<bean id="implicitService" class="org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService">
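Review bot: The new `sessionTokenProvider` bean is wired only into `authorizationService`; the `implicitService` bean declared at the end of the hunk is left on the default, so this configuration exercises the session-token path for the authorization code grant alone. If that is intentional (the PublicClientTest changes only cover the code grant), a short XML comment above `implicitService` saying so would prevent a later reader from assuming an omission; if not, it needs the same `sessionAuthenticityTokenProvider` property. The provider bean itself has no properties and evidently relies on the JOSE entries added to the `jaxrs:properties` blocks further down; a comment pointing at that coupling would make the file self-explanatory.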
@@ -106,10 +110,12 @@ under the License.
<bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
<property name="callbackHandler" ref="callbackHandler"/>
</bean>
-
+
+ <bean id="keyPasswordProvider" class="org.apache.cxf.systest.jaxrs.security.jose.jwejws.PrivateKeyPasswordProviderImpl"/>
+
<jaxrs:server
depends-on="tls-config"
- address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public}/services">
+ address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}/services">
<jaxrs:serviceBeans>
<ref bean="authorizationService"/>
<ref bean="implicitService"/>
@@ -118,30 +124,28 @@ under the License.
<ref bean="basicAuthFilter"/>
</jaxrs:providers>
<jaxrs:properties>
- <entry key="security.signature.properties"
- value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
- <entry key="rs.security.keystore.type" value="jks" />
- <entry key="rs.security.keystore.alias" value="alice"/>
- <entry key="rs.security.keystore.password" value="password"/>
- <entry key="rs.security.keystore.file" value="keys/alice.jks" />
- <entry key="rs.security.signature.algorithm" value="RS256" />
+ <entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+ <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+ <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+ <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
</jaxrs:properties>
</jaxrs:server>
<jaxrs:server
depends-on="tls-config"
- address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public}/services2">
+ address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}/services2">
<jaxrs:serviceBeans>
<ref bean="tokenService"/>
</jaxrs:serviceBeans>
<jaxrs:properties>
- <entry key="security.signature.properties"
- value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
- <entry key="rs.security.keystore.type" value="jks" />
- <entry key="rs.security.keystore.alias" value="alice"/>
- <entry key="rs.security.keystore.password" value="password"/>
- <entry key="rs.security.keystore.file" value="keys/alice.jks" />
- <entry key="rs.security.signature.algorithm" value="RS256" />
+ <entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+ <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+ <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+ <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
</jaxrs:properties>
</jaxrs:server>
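Review bot: The six JOSE property entries (`rs.security.signature.out.properties` through `rs.security.decryption.key.password.provider`) are pasted verbatim into the `/services` and `/services2` servers in this hunk and again into `/services3` in the next one, so any future key or property change has to be made three times and can silently drift. If the schema in use allows it, declare the map once as a shared bean and reference it from each server; otherwise an XML comment at the first block noting that the three copies must stay identical is the minimum.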
@@ -163,18 +167,17 @@ under the License.
<jaxrs:server
depends-on="tls-config"
- address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public}/services3">
+ address="https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}/services3">
<jaxrs:serviceBeans>
<ref bean="digestTokenService"/>
</jaxrs:serviceBeans>
<jaxrs:properties>
- <entry key="security.signature.properties"
- value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
- <entry key="rs.security.keystore.type" value="jks" />
- <entry key="rs.security.keystore.alias" value="alice"/>
- <entry key="rs.security.keystore.password" value="password"/>
- <entry key="rs.security.keystore.file" value="keys/alice.jks" />
- <entry key="rs.security.signature.algorithm" value="RS256" />
+ <entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+ <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+ <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+ <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
</jaxrs:properties>
</jaxrs:server>
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
index e922f21..91c8f8f 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
@@ -118,8 +118,6 @@ under the License.
<ref bean="basicAuthFilter"/>
</jaxrs:providers>
<jaxrs:properties>
- <entry key="security.signature.properties"
- value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
<entry key="rs.security.keystore.type" value="jks" />
<entry key="rs.security.keystore.alias" value="alice"/>
<entry key="rs.security.keystore.password" value="password"/>
@@ -135,8 +133,6 @@ under the License.
<ref bean="tokenService"/>
</jaxrs:serviceBeans>
<jaxrs:properties>
- <entry key="security.signature.properties"
- value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
<entry key="rs.security.keystore.type" value="jks" />
<entry key="rs.security.keystore.alias" value="alice"/>
<entry key="rs.security.keystore.password" value="password"/>
@@ -168,8 +164,6 @@ under the License.
<ref bean="digestTokenService"/>
</jaxrs:serviceBeans>
<jaxrs:properties>
- <entry key="security.signature.properties"
- value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
<entry key="rs.security.keystore.type" value="jks" />
<entry key="rs.security.keystore.alias" value="alice"/>
<entry key="rs.security.keystore.password" value="password"/>