Posted to commits@cxf.apache.org by se...@apache.org on 2016/02/09 17:17:17 UTC
cxf git commit: Avoiding linking UserSubject to indiv clients too
early
Repository: cxf
Updated Branches:
refs/heads/master 4298ce8c4 -> 5c72fad58
Avoiding linking UserSubject to individual clients too early
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5c72fad5
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5c72fad5
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5c72fad5
Branch: refs/heads/master
Commit: 5c72fad581d0c8abe3aa035108b11b5336e0dc6f
Parents: 4298ce8
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Tue Feb 9 16:17:00 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Tue Feb 9 16:17:00 2016 +0000
----------------------------------------------------------------------
.../oauth2/provider/DefaultSubjectCreator.java | 2 --
.../rs/security/oauth2/provider/SubjectCreator.java | 3 ---
.../oauth2/services/AbstractImplicitGrantService.java | 6 +++---
.../oauth2/services/DirectAuthorizationService.java | 6 +++---
.../oauth2/services/RedirectionBasedGrantService.java | 14 ++++----------
.../rs/security/oidc/idp/IdTokenResponseFilter.java | 2 ++
.../cxf/rs/security/oidc/idp/OidcImplicitService.java | 4 +++-
7 files changed, 15 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
index 53c1d54..6dc9dd8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
@@ -21,7 +21,6 @@ package org.apache.cxf.rs.security.oauth2.provider;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
@@ -30,7 +29,6 @@ public class DefaultSubjectCreator implements SubjectCreator {
@Override
public UserSubject createUserSubject(MessageContext mc,
- Client client,
MultivaluedMap<String, String> params) throws OAuthServiceException {
return OAuthUtils.createSubject(mc,
(SecurityContext)mc.get(SecurityContext.class.getName()));
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
index 4ddee90..25a14e6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
@@ -22,7 +22,6 @@ package org.apache.cxf.rs.security.oauth2.provider;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
/**
@@ -35,12 +34,10 @@ public interface SubjectCreator {
/**
* Create a {@link UserSubject}
* @param mc the {@link MessageContext} of this request
- * @param client the client
* @param params the request parameters
* @return {@link UserSubject}
* @throws OAuthServiceException
*/
UserSubject createUserSubject(MessageContext mc,
- Client client,
MultivaluedMap<String, String> params) throws OAuthServiceException;
}
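Review bot: The Javadoc on createUserSubject still reads as a generic "Create a UserSubject" and says nothing about the fact that implementations no longer see the requesting client, so an implementor of this public interface who keyed the subject on the client (per-client roles, client-scoped identifiers) has nothing telling them why the parameter is gone. Given the commit message, I would add to the method Javadoc `* The subject is created before it is bound to a specific client, so the returned subject must not carry client-specific state.` Dropping a parameter from a public interface is also source-incompatible for existing implementations, which the Javadoc (or an `@since` note) should mention.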
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 6c9349d..f3c466b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -108,16 +108,16 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
processRefreshToken(sb, token.getRefreshToken());
}
- return finalizeResponse(sb, client, state);
+ return finalizeResponse(sb, state);
}
- protected Response finalizeResponse(StringBuilder sb, Client client, OAuthRedirectionState state) {
+ protected Response finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
if (state.getState() != null) {
sb.append("&");
sb.append(OAuthConstants.STATE).append("=").append(state.getState());
}
if (reportClientId) {
- sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId());
+ sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(state.getClientId());
}
return Response.seeOther(URI.create(sb.toString())).build();
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
index e8b5e16..a9fa8be 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
@@ -53,7 +53,7 @@ public class DirectAuthorizationService extends AbstractOAuthService {
SecurityContext sc = getAndValidateSecurityContext(params);
Client client = getClient(params);
// Create a UserSubject representing the end user
- UserSubject userSubject = createUserSubject(sc, client, params);
+ UserSubject userSubject = createUserSubject(sc, params);
AccessTokenRegistration reg = new AccessTokenRegistration();
@@ -83,11 +83,11 @@ public class DirectAuthorizationService extends AbstractOAuthService {
checkTransportSecurity();
return securityContext;
}
- protected UserSubject createUserSubject(SecurityContext securityContext, Client client,
+ protected UserSubject createUserSubject(SecurityContext securityContext,
MultivaluedMap<String, String> params) {
UserSubject subject = null;
if (subjectCreator != null) {
- subject = subjectCreator.createUserSubject(getMessageContext(), client, params);
+ subject = subjectCreator.createUserSubject(getMessageContext(), params);
if (subject != null) {
return subject;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index ab4bba8..094c5af 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -120,7 +120,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
SecurityContext sc = getAndValidateSecurityContext(params);
Client client = getClient(params);
// Create a UserSubject representing the end user
- UserSubject userSubject = createUserSubject(sc, client, params);
+ UserSubject userSubject = createUserSubject(sc, params);
return startAuthorization(params, userSubject, client);
}
@@ -274,9 +274,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
state = sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(),
sessionToken,
subject);
- if (!state.getClientId().equals(params.getFirst(OAuthConstants.CLIENT_ID))) {
- throw ExceptionUtils.toBadRequestException(null, null);
- }
}
if (state == null) {
state = new OAuthRedirectionState();
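Review bot: With the deleted comparison gone, an authorization-form submission whose client_id parameter differs from the client recorded in the session state is no longer rejected; since completeAuthorization now resolves the client from state.getClientId(), the posted value appears to be ignored silently rather than treated as an error. If the form still sends client_id (the comment removed from completeAuthorization in this same commit said it had to), a mismatch indicates a tampered or cross-wired form and is cheaper to reject here than to investigate after the fact; I would keep the check, or at minimum record the decision, e.g. `// the session state, not the form parameter, is the authoritative source of the client id`. The enclosing method starts and ends outside the hunk, so I cannot tell from here whether the client id is validated elsewhere once a fresh state is created.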
@@ -312,11 +309,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
protected Response completeAuthorization(MultivaluedMap<String, String> params) {
// Make sure the end user has authenticated, check if HTTPS is used
SecurityContext securityContext = getAndValidateSecurityContext(params);
- // Client id may also be preserved in a session but it must be set
- // as a authorization form parameter
- Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID));
- UserSubject userSubject = createUserSubject(securityContext, client, params);
+ UserSubject userSubject = createUserSubject(securityContext, params);
// Make sure the session is valid
String sessionTokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
@@ -330,6 +324,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
OAuthRedirectionState state =
recreateRedirectionStateFromSession(userSubject, params, sessionToken);
+
+ Client client = getClient(state.getClientId());
String redirectUri = validateRedirectUri(client, state.getRedirectUri());
// Get the end user decision value
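Review bot: The new `Client client = getClient(state.getClientId());` now trusts the state object for the client id; when recreateRedirectionStateFromSession falls back to `new OAuthRedirectionState()` (earlier hunk), the id must have been populated from the request before this line, which happens outside the visible hunk. If it can be null here, `getClient(null)` is reached without a guard — presumably getClient rejects an unknown or null id, but that is worth confirming and, if so, worth a one-line comment such as `// getClient rejects a missing or unknown client id` so the next reader does not re-derive it. completeAuthorization continues outside the hunk.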
@@ -375,12 +371,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
}
protected UserSubject createUserSubject(SecurityContext securityContext,
- Client client,
MultivaluedMap<String, String> params) {
UserSubject subject = null;
if (subjectCreator != null) {
subject = subjectCreator.createUserSubject(getMessageContext(),
- client,
params);
if (subject != null) {
return subject;
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 7051090..6e7bb92 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -59,6 +59,8 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
} else if (st.getSubject() instanceof OidcUserSubject) {
OidcUserSubject sub = (OidcUserSubject)st.getSubject();
IdToken idToken = new IdToken(sub.getIdToken());
+ idToken.setAudience(st.getClient().getClientId());
+ idToken.setAuthorizedParty(st.getClient().getClientId());
// if this token was refreshed then the cloned IDToken might need to have its
// issuedAt and expiry time properties adjusted if it proves to be necessary
setAtHashAndNonce(idToken, st);
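Review bot: The two added setAudience/setAuthorizedParty calls overwrite whatever audience the cloned ID token already carried from the stored OidcUserSubject, and `st.getClient()` is dereferenced without a null check, so an access token without a client reference would throw NullPointerException inside the response filter. Setting azp equal to the single audience is permitted by OIDC Core, but the intent should be stated, e.g. `// bind the cloned ID token to the client that obtained this access token (aud + azp)`. The same two lines are added in OidcImplicitService in this commit (using state.getClientId()); a small helper on IdToken or a shared utility would keep the two call sites in sync. setAudience presumably replaces rather than appends — confirm against IdToken.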
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 40f29ea4..60b638d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -101,7 +101,7 @@ public class OidcImplicitService extends ImplicitGrantService {
if (idToken != null) {
sb.append(OidcUtils.ID_TOKEN).append("=").append(idToken);
}
- return finalizeResponse(sb, client, state);
+ return finalizeResponse(sb, state);
}
private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject) {
@@ -110,6 +110,8 @@ public class OidcImplicitService extends ImplicitGrantService {
} else if (subject instanceof OidcUserSubject) {
OidcUserSubject sub = (OidcUserSubject)subject;
IdToken idToken = new IdToken(sub.getIdToken());
+ idToken.setAudience(state.getClientId());
+ idToken.setAuthorizedParty(state.getClientId());
idToken.setNonce(state.getNonce());
JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() : idTokenHandler;
return processor.processJwt(new JwtToken(idToken));