Posted to commits@cxf.apache.org by se...@apache.org on 2012/08/28 16:54:00 UTC
svn commit: r1378155 - in
/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services:
AuthorizationRequestHandler.java AuthorizationRequestService.java
OOBAuthorizationResponse.java RequestTokenHandler.java
Author: sergeyb
Date: Tue Aug 28 14:53:59 2012
New Revision: 1378155
URL: http://svn.apache.org/viewvc?rev=1378155&view=rev
Log:
[CXF-4432] Minor updates to the way OOB responses can be presented
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java
cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1378155&r1=1378154&r2=1378155&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java Tue Aug 28 14:53:59 2012
@@ -36,7 +36,7 @@ import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
-import javax.ws.rs.core.MediaType;
+import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
@@ -81,14 +81,22 @@ public class AuthorizationRequestHandler
throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
}
+ String decision = oAuthMessage.getParameter(OAuthConstants.AUTHORIZATION_DECISION_KEY);
+
OAuthAuthorizationData secData = new OAuthAuthorizationData();
if (!compareRequestSessionTokens(request, oAuthMessage)) {
+ if (decision != null) {
+ // this is a user decision request, the session has expired or been possibly hijacked
+ LOG.warning("Session authenticity token is missing or invalid");
+ throw new WebApplicationException(400);
+ }
+ // assume it is an initial authorization request
addAuthenticityTokenToSession(secData, request);
return Response.ok(
addAdditionalParams(secData, dataProvider, token)).build();
}
- String decision = oAuthMessage.getParameter(OAuthConstants.AUTHORIZATION_DECISION_KEY);
+
boolean allow = OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
Map<String, String> queryParams = new HashMap<String, String>();
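Review bot: The new `throw new WebApplicationException(400);` inside the `decision != null` branch uses a bare status literal while the rest of this method reports failures through `OAuthProblemException` (see the TOKEN_REJECTED throw at the top of the hunk); `throw new WebApplicationException(Response.Status.BAD_REQUEST);` at least names the status, and a short comment stating why a problem exception is not used here (the decision form is a browser request, not an OAuth consumer call) would stop the next reader from "fixing" it. The warning text is deliberately generic, which is right for a CSRF-style rejection, but it gives an operator no way to tell a stale session from a forged one; logging the request path or session id presence (never the token value itself) would keep it diagnosable. `compareRequestSessionTokens` is outside the hunk, so this cannot be confirmed here, but if it compares the tokens with `String.equals` a constant-time comparison (`MessageDigest.isEqual` on the UTF-8 bytes) is preferable for an authenticity token. The enclosing method begins before and continues after this hunk.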
@@ -142,7 +150,7 @@ public class AuthorizationRequestHandler
String callbackValue = getCallbackValue(token);
if (OAuthConstants.OAUTH_CALLBACK_OOB.equals(callbackValue)) {
OOBAuthorizationResponse bean = convertQueryParamsToOOB(queryParams);
- return Response.ok().type(MediaType.TEXT_HTML).entity(bean).build();
+ return Response.ok().entity(bean).build();
} else {
URI callbackURI = buildCallbackURI(callbackValue, queryParams);
return Response.seeOther(callbackURI).build();
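Review bot: The OOB response built on the `return Response.ok().entity(bean).build();` line carries the verifier in its body but sets no cache directives, and now that the entity is content-negotiated rather than forced to text/html it may be written as XML or JSON that a browser or intermediary will happily store; `return Response.ok().entity(bean).header("Cache-Control", "no-store").header("Pragma", "no-cache").build();` closes that gap. Dropping `MediaType.TEXT_HTML` also means the selected media type is decided by the `@Produces` declarations on the resource method in another file, which is not visible from this handler; a one-line comment such as `// media type is negotiated from the resource method's @Produces list` would record that dependency next to the code that relies on it. The enclosing method begins before this hunk.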
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java?rev=1378155&r1=1378154&r2=1378155&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java Tue Aug 28 14:53:59 2012
@@ -59,6 +59,7 @@ public class AuthorizationRequestService
@GET
@Path("/decision")
+ @Produces({"application/xhtml+xml", "text/html", "application/xml;q=0.9", "application/json;q=0.9" })
public Response authorizeDecision() {
return authorize();
}
@@ -66,6 +67,11 @@ public class AuthorizationRequestService
@POST
@Path("/decision")
@Consumes("application/x-www-form-urlencoded")
+ @Produces({"application/xhtml+xml",
+ "text/html",
+ "application/xml;q=0.9",
+ "application/json;q=0.9",
+ "application/x-www-form-urlencoded" })
public Response authorizeDecisionForm() {
return authorizeDecision();
}
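Review bot: The two `@Produces` lists on `authorizeDecision()` and `authorizeDecisionForm()` repeat the same four media types and differ only in the trailing `"application/x-www-form-urlencoded"` entry and in layout (one line on the GET method, one entry per line on the POST one), so they will drift the next time one of them is edited; declaring each media type once as a `private static final String` constant and building both annotations from those keeps them in step, and a comment explaining why XML and JSON are demoted with `q=0.9` would make the preference for the HTML view explicit. It is also not clear from this hunk which provider writes an `OOBAuthorizationResponse` as `application/x-www-form-urlencoded`; if none is registered, a client that sends that `Accept` value receives an error instead of the OOB bean, so either name the provider in a comment or drop the entry.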
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java?rev=1378155&r1=1378154&r2=1378155&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java Tue Aug 28 14:53:59 2012
@@ -18,6 +18,9 @@
*/
package org.apache.cxf.rs.security.oauth.services;
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement
public class OOBAuthorizationResponse {
private String requestToken;
private String verifier;
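Review bot: Adding `@XmlRootElement` alone leaves JAXB's default property access in force, so every public getter/setter pair on this class is marshalled, including any added later by someone unaware that the bean is now written straight into HTTP responses; the class body continues past the hunk, so the full property set is not visible here. Making the access mode explicit with `@XmlAccessorType(XmlAccessType.PROPERTY)` next to `@XmlRootElement`, plus a class Javadoc noting that this bean is serialized to the end user and must only ever carry the request token and verifier, documents that contract in the place a future maintainer will read it.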
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java?rev=1378155&r1=1378154&r2=1378155&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java Tue Aug 28 14:53:59 2012
@@ -124,14 +124,20 @@ public class RequestTokenHandler {
protected void validateCallbackURL(Client client,
String oauthCallback) throws OAuthProblemException {
// the callback must not be empty or null, and it should either match
- // the pre-registered callback URI or have the common root with the
- // the pre-registered application URI
- if (!StringUtils.isEmpty(oauthCallback)
- && (!StringUtils.isEmpty(client.getCallbackURI())
- && oauthCallback.equals(client.getCallbackURI())
- || !StringUtils.isEmpty(client.getApplicationURI())
- && oauthCallback.startsWith(client.getApplicationURI()))) {
- return;
+ // the registered callback URI or have the common root with the
+ // the registered application URI (but only if no callback was registered)
+ if (!StringUtils.isEmpty(oauthCallback)) {
+ boolean registeredCallbackIsEmpty = StringUtils.isEmpty(client.getCallbackURI());
+ if (!registeredCallbackIsEmpty
+ && oauthCallback.equals(client.getCallbackURI())) {
+ return;
+ }
+ if (registeredCallbackIsEmpty
+ && !StringUtils.isEmpty(client.getApplicationURI())
+ && oauthCallback.startsWith(client.getApplicationURI())) {
+ return;
+ }
+
}
OAuthProblemException problemEx = new OAuthProblemException(
OAuth.Problems.PARAMETER_REJECTED + " - " + OAuth.OAUTH_CALLBACK);
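Review bot: The application-URI branch still accepts a callback on a plain `oauthCallback.startsWith(client.getApplicationURI())` string prefix, so a registered application URI of `https://app.example` (constructed example) also matches a callback whose authority merely begins with that text, such as a longer host name or a URL with userinfo before an `@`; the commit narrows when this branch runs but not what it accepts. Parsing both values with `java.net.URI`, normalizing them, and requiring the same scheme, host and port plus a path prefix restricts the match to the registered origin, which is what the comment above the check already promises. The rewrite below also drops the stray blank line left before the closing brace of the `if`; it needs `java.net.URI` and `java.net.URISyntaxException` imported, and the `throw` of `problemEx` lies outside the hunk.
```java
protected void validateCallbackURL(Client client,
                                   String oauthCallback) throws OAuthProblemException {
    // the callback must not be empty or null, and it should either match
    // the registered callback URI exactly or share scheme, host, port and a
    // path prefix with the registered application URI (only when no callback
    // was registered)
    if (!StringUtils.isEmpty(oauthCallback)) {
        boolean registeredCallbackIsEmpty = StringUtils.isEmpty(client.getCallbackURI());
        if (!registeredCallbackIsEmpty
            && oauthCallback.equals(client.getCallbackURI())) {
            return;
        }
        if (registeredCallbackIsEmpty
            && !StringUtils.isEmpty(client.getApplicationURI())
            && sharesOriginAndPathPrefix(oauthCallback, client.getApplicationURI())) {
            return;
        }
    }
    // … unchanged: problemEx construction …
}

/**
 * Returns true only when both values parse as hierarchical URIs with the same
 * scheme, host and port, the callback carries no userinfo, and the callback
 * path starts with the application path. Unparseable input is rejected.
 */
private static boolean sharesOriginAndPathPrefix(String callback, String applicationUri) {
    try {
        URI cb = new URI(callback).normalize();
        URI app = new URI(applicationUri).normalize();
        return cb.getScheme() != null && cb.getScheme().equalsIgnoreCase(app.getScheme())
            && cb.getHost() != null && cb.getHost().equalsIgnoreCase(app.getHost())
            && cb.getPort() == app.getPort()
            && cb.getUserInfo() == null
            && cb.getPath() != null && app.getPath() != null
            && cb.getPath().startsWith(app.getPath());
    } catch (URISyntaxException ex) {
        return false;
    }
}
```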