Posted to commits@cxf.apache.org by se...@apache.org on 2012/01/30 16:34:22 UTC
svn commit: r1237718 - in /cxf/branches/2.5.x-fixes: ./
rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/
rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/
rt/rs/security/oaut...
Author: sergeyb
Date: Mon Jan 30 15:34:22 2012
New Revision: 1237718
URL: http://svn.apache.org/viewvc?rev=1237718&view=rev
Log:
Merged revisions 1237715 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1237715 | sergeyb | 2012-01-30 15:26:04 +0000 (Mon, 30 Jan 2012) | 1 line
Support for pre-authorized tokens to be used with the so-called 2-way flow
........
Modified:
cxf/branches/2.5.x-fixes/ (props changed)
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon Jan 30 15:34:22 2012
@@ -1 +1 @@
-/cxf/trunk:1236624,1236769,1236849
+/cxf/trunk:1236624,1236769,1236849,1237715
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java Mon Jan 30 15:34:22 2012
@@ -18,8 +18,6 @@
*/
package org.apache.cxf.rs.security.oauth.data;
-import java.util.Collections;
-import java.util.List;
/**
* Represents a registered third-party consumer
*/
@@ -31,7 +29,7 @@ public class Client {
private String loginName;
- private List<OAuthPermission> scopes = Collections.emptyList();
+ private AccessToken preAuthorizedToken;
public Client(String consumerId,
String secretKey,
@@ -115,22 +113,6 @@ public class Client {
this.loginName = name;
}
- /**
- * Returns a list of opaque permissions/scopes
- * @return the scopes
- */
- public List<OAuthPermission> getScopes() {
- return scopes;
- }
-
- /**
- * Sets a list of opaque permissions/scopes
- * @param scopes the scopes
- */
- public void setScopes(List<OAuthPermission> scopes) {
- this.scopes = scopes;
- }
-
@Override
public boolean equals(Object o) {
if (this == o) {
@@ -158,4 +140,12 @@ public class Client {
result = 31 * result + secretKey.hashCode();
return result;
}
+
+ public void setPreAuthorizedToken(AccessToken preAuthorizedToken) {
+ this.preAuthorizedToken = preAuthorizedToken;
+ }
+
+ public AccessToken getPreAuthorizedToken() {
+ return preAuthorizedToken;
+ }
}
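Review bot: `setPreAuthorizedToken`/`getPreAuthorizedToken` are added without Javadoc, and the getter is not a plain bean property: `AbstractAuthFilter` in this same commit substitutes its result for a presented access token whenever the client authenticates with its consumer key alone, so whatever token a data provider stores here effectively becomes a standing credential for that client. Suggested Javadoc on the getter: `/** Returns the access token a data provider has pre-authorized for this client; AbstractAuthFilter uses it in place of a presented token when only the consumer key is supplied, so it must only be set for clients explicitly granted such access. */`, with a matching `@param preAuthorizedToken` line on the setter. The rest of `Client` is outside this hunk.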
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java Mon Jan 30 15:34:22 2012
@@ -25,12 +25,9 @@ import java.util.List;
* Provides the complete information about a given opaque permission.
*/
public class OAuthPermission extends Permission {
- private String subjectName;
private List<String> roles = Collections.emptyList();
-
private List<String> httpVerbs = Collections.emptyList();
private List<String> uris = Collections.emptyList();
- private boolean authorizationKeyRequired = true;
public OAuthPermission(String permission, String description) {
super(permission, description);
@@ -41,14 +38,6 @@ public class OAuthPermission extends Per
this.roles = roles;
}
- public void setSubjectName(String subjectName) {
- this.subjectName = subjectName;
- }
-
- public String getSubjectName() {
- return subjectName;
- }
-
public void setRoles(List<String> roles) {
this.roles = roles;
}
@@ -72,13 +61,5 @@ public class OAuthPermission extends Per
public List<String> getUris() {
return uris;
}
-
- public void setAuthorizationKeyRequired(boolean authorizationKeyRequired) {
- this.authorizationKeyRequired = authorizationKeyRequired;
- }
-
- public boolean isAuthorizationKeyRequired() {
- return authorizationKeyRequired;
- }
}
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java Mon Jan 30 15:34:22 2012
@@ -33,6 +33,7 @@ public abstract class Token {
private Client client;
private List<OAuthPermission> scopes = Collections.emptyList();
private UserSubject subject;
+ private boolean preAuthorized;
protected Token(Client client, String tokenKey,
String tokenSecret, long lifetime, long issuedAt) {
@@ -119,4 +120,12 @@ public abstract class Token {
return subject;
}
+ public void setPreAuthorized(boolean preAuthorized) {
+ this.preAuthorized = preAuthorized;
+ }
+
+ public boolean isPreAuthorized() {
+ return preAuthorized;
+ }
+
}
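Review bot: `setPreAuthorized`/`isPreAuthorized` are added without Javadoc, and the flag has security consequences elsewhere in this commit: `AccessTokenHandler` lets a request token with it set be exchanged without an `oauth_verifier`, and `AbstractAuthFilter` accepts an access token with it set without the token being presented at all. Suggested Javadoc on the setter: `/** Marks this token as pre-authorized by the resource owner out of band. A pre-authorized request token can be exchanged without an oauth_verifier, and a pre-authorized access token can be used by its client without being presented; only a data provider should set this. */`. The rest of `Token` is outside this hunk.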
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.java Mon Jan 30 15:34:22 2012
@@ -166,17 +166,20 @@ public class AbstractAuthFilter {
} else {
OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider);
}
-
+ accessToken = client.getPreAuthorizedToken();
+ if (accessToken == null || !accessToken.isPreAuthorized()) {
+ LOG.warning("Preauthorized access token is unavailable");
+ throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
+ }
}
- List<OAuthPermission> permissions = OAuthUtils.getAllScopes(client, accessToken);
+ List<OAuthPermission> permissions = accessToken.getScopes();
List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
for (OAuthPermission perm : permissions) {
boolean uriOK = checkRequestURI(req, perm.getUris());
boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
- boolean accessOK = checkNoAccessTokenIsAllowed(client, accessToken, perm);
- if (uriOK && verbOK && accessOK) {
+ if (uriOK && verbOK) {
matchingPermissions.add(perm);
}
}
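Review bot: The new pre-authorized branch after `validateMessage` accepts `client.getPreAuthorizedToken()` on a null check and the `isPreAuthorized()` flag alone; a `Token` carries `lifetime` and `issuedAt` (see the `Token` constructor in this commit), but nothing here checks that the pre-authorized token is still within its lifetime, so it is only as revocable as the data provider's `getPreAuthorizedToken()` result. Whatever expiry validation the presented-token path performs earlier in this method (that code is above the hunk, so I cannot confirm what it does) should be applied to the pre-authorized token as well before `accessToken.getScopes()` is trusted; until then a marker such as `// TODO: apply the same lifetime/expiry validation as for a presented access token` next to the flag check would keep the gap visible. The enclosing method starts before this hunk.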
@@ -186,21 +189,7 @@ public class AbstractAuthFilter {
LOG.warning(message);
throw new OAuthProblemException(message);
}
-
- String subjectName = null;
- for (OAuthPermission perm : matchingPermissions) {
- String currentName = perm.getSubjectName();
- if (subjectName != null
- && (currentName == null || !subjectName.equals(currentName))) {
- String message = "Inconsistent subject name";
- LOG.warning(message);
- throw new OAuthProblemException(message);
- }
- subjectName = currentName;
- }
-
-
- return new OAuthInfo(client, accessToken, matchingPermissions);
+ return new OAuthInfo(accessToken, matchingPermissions);
}
@@ -209,16 +198,6 @@ public class AbstractAuthFilter {
return m != null ? (AuthorizationPolicy)m.get(AuthorizationPolicy.class) : null;
}
- protected boolean checkNoAccessTokenIsAllowed(Client client, AccessToken token,
- OAuthPermission perm) {
- if (token == null && perm.isAuthorizationKeyRequired()) {
- String message = "Token is expected";
- LOG.fine(message);
- return false;
- }
- return true;
- }
-
protected boolean checkHttpVerb(HttpServletRequest req, List<String> verbs) {
if (!verbs.isEmpty()
&& !verbs.contains(req.getMethod())) {
@@ -256,22 +235,15 @@ public class AbstractAuthFilter {
// demo shipped in the distribution; needs to be removed.
request.setAttribute("oauth_authorities", info.getRoles());
- UserSubject subject = info.getToken() != null ? info.getToken().getSubject() : null;
- if (subject == null) {
- for (OAuthPermission perm : info.getPermissions()) {
- if (perm.getSubjectName() != null) {
- subject = new UserSubject(perm.getSubjectName(), perm.getRoles());
- }
- break;
- }
- }
+ UserSubject subject = info.getToken().getSubject();
+
final UserSubject theSubject = subject;
return new SecurityContext() {
public Principal getUserPrincipal() {
String login = AbstractAuthFilter.this.useUserSubject
? (theSubject != null ? theSubject.getLogin() : null)
- : info.getClient().getLoginName();
+ : info.getToken().getClient().getLoginName();
return new SimplePrincipal(login);
}
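Review bot: `UserSubject subject = info.getToken().getSubject();` now dereferences the token unconditionally, while `createOAuthContext` in the next hunk still guards with `if (info.getToken() != null)`; since `OAuthInfo` is now only constructed with the token the filter has validated, that guard is presumably dead, and otherwise this line can throw an NPE — the two should agree. Separately, with `useUserSubject` set and a token that has no subject, `getUserPrincipal()` still wraps a null login in `new SimplePrincipal(login)`; consider `if (login == null) { return null; }` before the return, which matches the SecurityContext convention of returning no principal for an unauthenticated caller. The anonymous `SecurityContext` continues past the end of this hunk.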
@@ -293,7 +265,7 @@ public class AbstractAuthFilter {
if (info.getToken() != null) {
subject = info.getToken().getSubject();
}
- return new OAuthContext(subject, info.getPermissions());
+ return new OAuthContext(subject, info.getMatchedPermissions());
}
private static class CustomHttpServletWrapper extends HttpServletRequestWrapper {
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthInfo.java Mon Jan 30 15:34:22 2012
@@ -22,25 +22,18 @@ import java.util.ArrayList;
import java.util.List;
import org.apache.cxf.rs.security.oauth.data.AccessToken;
-import org.apache.cxf.rs.security.oauth.data.Client;
import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
/**
* Captures the information about the current request
*/
public class OAuthInfo {
- private Client client;
private AccessToken token;
private List<OAuthPermission> permissions;
- public OAuthInfo(Client client,
- AccessToken token,
- List<OAuthPermission> permissions) {
- this.client = client;
+ public OAuthInfo(AccessToken token,
+ List<OAuthPermission> matchedPermissions) {
this.token = token;
- this.permissions = permissions;
- }
- public Client getClient() {
- return client;
+ this.permissions = matchedPermissions;
}
public AccessToken getToken() {
return token;
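Review bot: The `OAuthInfo(Client, AccessToken, List)` constructor and `getClient()` are removed from a public class on the 2.5.x-fixes branch, which breaks any filter subclass or application code compiled against 2.5.x that calls them. Since the client is now reachable from the token, a compatible shim is one line, `public Client getClient() { return token.getClient(); }` (keeping the `Client` import this hunk removes), and the old constructor could simply delegate to the new one. The class Javadoc could also state that the permission list is the subset matched against the current request, which is what the new `matchedPermissions` parameter name implies.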
@@ -54,7 +47,7 @@ public class OAuthInfo {
return authorities;
}
- public List<OAuthPermission> getPermissions() {
+ public List<OAuthPermission> getMatchedPermissions() {
return permissions;
}
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AccessTokenHandler.java Mon Jan 30 15:34:22 2012
@@ -50,8 +50,7 @@ public class AccessTokenHandler {
OAuth.OAUTH_SIGNATURE_METHOD,
OAuth.OAUTH_SIGNATURE,
OAuth.OAUTH_TIMESTAMP,
- OAuth.OAUTH_NONCE,
- OAuth.OAUTH_VERIFIER
+ OAuth.OAUTH_NONCE
};
public Response handle(MessageContext mc, OAuthDataProvider dataProvider) {
@@ -63,8 +62,15 @@ public class AccessTokenHandler {
if (requestToken == null) {
throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
}
+
String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
- if (oauthVerifier == null || !oauthVerifier.equals(requestToken.getVerifier())) {
+ if (oauthVerifier == null) {
+ if (requestToken.getSubject() != null && requestToken.isPreAuthorized()) {
+ LOG.fine("Preauthorized request token");
+ } else {
+ throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
+ }
+ } else if (!oauthVerifier.equals(requestToken.getVerifier())) {
throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
}
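Review bot: The new `oauthVerifier == null` branch makes `requestToken.isPreAuthorized()` the only thing standing between a caller and the access token, and it does not check that no verifier was ever issued for that request token; a request token that is flagged pre-authorized but also went through the normal authorization step could then be exchanged without its verifier. Tighten the bypass to `if (requestToken.getSubject() != null && requestToken.isPreAuthorized() && requestToken.getVerifier() == null)`. The `oauthVerifier.equals(requestToken.getVerifier())` check on the else branch is a plain `String.equals` on a secret value, where a constant-time comparison would be preferable, though that predates this change. `LOG.fine("Preauthorized request token")` is the only trace that a verifier-less exchange happened; consider logging it at INFO together with the client identifier so it is auditable.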
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java Mon Jan 30 15:34:22 2012
@@ -156,7 +156,7 @@ public class AuthorizationRequestHandler
secData.setApplicationName(token.getClient().getApplicationName());
secData.setApplicationURI(token.getClient().getApplicationURI());
- secData.setPermissions(OAuthUtils.getAllScopes(token.getClient(), token));
+ secData.setPermissions(token.getScopes());
return secData;
}
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java?rev=1237718&r1=1237717&r2=1237718&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/utils/OAuthUtils.java Mon Jan 30 15:34:22 2012
@@ -23,7 +23,6 @@ import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
-import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
@@ -51,7 +50,6 @@ import org.apache.cxf.jaxrs.impl.Metadat
import org.apache.cxf.jaxrs.model.URITemplate;
import org.apache.cxf.jaxrs.utils.FormUtils;
import org.apache.cxf.rs.security.oauth.data.Client;
-import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
import org.apache.cxf.rs.security.oauth.data.RequestToken;
import org.apache.cxf.rs.security.oauth.data.Token;
import org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator;
@@ -83,15 +81,6 @@ public final class OAuthUtils {
return false;
}
- public static List<OAuthPermission> getAllScopes(Client client, Token token) {
- List<OAuthPermission> scopes = new LinkedList<OAuthPermission>();
- if (token != null) {
- scopes.addAll(token.getScopes());
- }
- scopes.addAll(client.getScopes());
- return scopes;
- }
-
public static void validateMessage(OAuthMessage oAuthMessage,
Client client,
Token token,