Posted to commits@shindig.apache.org by rb...@apache.org on 2014/05/13 16:18:57 UTC
svn commit: r1594233 - in /shindig/trunk: config/
java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/
java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/
java/social-api/src/main/java/org/apache/shindig/social/core/o...
Author: rbaxter85
Date: Tue May 13 14:18:57 2014
New Revision: 1594233
URL: http://svn.apache.org/r1594233
Log:
Shindig must use "POST" method to make access token request with client credential grant type
SHINDIG-1976
Committed For Yun Zhi Lin
Modified:
shindig/trunk/config/oauth2.json
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandler.java
shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandlerTest.java
shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth2/OAuth2Servlet.java
shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2AuthCodeFlowTest.java
shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java
Modified: shindig/trunk/config/oauth2.json
URL: http://svn.apache.org/viewvc/shindig/trunk/config/oauth2.json?rev=1594233&r1=1594232&r2=1594233&view=diff
==============================================================================
--- shindig/trunk/config/oauth2.json (original)
+++ shindig/trunk/config/oauth2.json Tue May 13 14:18:57 2014
@@ -126,7 +126,7 @@
"shindig_client2" : {
"providerName" : "shindigOAuth2Provider",
"type" : "confidential",
- "grant_type" : "code",
+ "grant_type" : "client_credentials",
"client_id" : "testClientCredentialsClient",
"client_secret" : "clientCredentialsClient_secret"
},
Modified: shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandler.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandler.java?rev=1594233&r1=1594232&r2=1594233&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandler.java (original)
+++ shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandler.java Tue May 13 14:18:57 2014
@@ -103,7 +103,7 @@ public class ClientCredentialsGrantTypeH
}
final HttpRequest request = new HttpRequest(Uri.parse(completeAuthorizationUrl));
- request.setMethod("GET");
+ request.setMethod("POST");
request.setHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
request.setSecurityToken(new AnonymousSecurityToken("", 0L, accessor.getGadgetUri()));
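Review bot: Switching to `request.setMethod("POST")` does not by itself take the client credentials out of the URI: the request is still built from `completeAuthorizationUrl`, and nothing in the hunk sets a request body even though the form-urlencoded Content-Type on the following line implies one. If, as the variable name suggests, that URL carries client_id, client_secret and grant_type as query parameters (it is assembled above the hunk, out of view), the secret still travels in the request line and lands in proxy and server access logs, which RFC 6749 §2.3.1 forbids for token requests. The token parameters should be written into the POST body — e.g. `request.setPostBody(formParams.getBytes("UTF-8"))`, or whichever body setter Shindig's HttpRequest exposes — with the URL reduced to the bare token endpoint. The enclosing method begins before the hunk, so the URL construction could not be verified here.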
Modified: shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandlerTest.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandlerTest.java?rev=1594233&r1=1594232&r2=1594233&view=diff
==============================================================================
--- shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandlerTest.java (original)
+++ shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/oauth2/handler/ClientCredentialsGrantTypeHandlerTest.java Tue May 13 14:18:57 2014
@@ -103,6 +103,7 @@ public class ClientCredentialsGrantTypeH
Assert.assertNotNull( result.getSecurityToken() );
Assert.assertTrue( result.getSecurityToken().isAnonymous() );
Assert.assertEquals( accessor.getGadgetUri(), result.getSecurityToken().getAppUrl() );
+ Assert.assertEquals("POST", result.getMethod());
}
@Test(expected = OAuth2RequestException.class)
Modified: shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth2/OAuth2Servlet.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth2/OAuth2Servlet.java?rev=1594233&r1=1594232&r2=1594233&view=diff
==============================================================================
--- shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth2/OAuth2Servlet.java (original)
+++ shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth2/OAuth2Servlet.java Tue May 13 14:18:57 2014
@@ -42,6 +42,8 @@ import com.google.inject.Inject;
*/
public class OAuth2Servlet extends InjectedServlet {
+ private static final String AUTHORIZE = "authorize";
+ private static final String TOKEN = "token";
private static final long serialVersionUID = -4257719224664564922L;
private static OAuth2AuthorizationHandler authorizationHandler;
private static OAuth2TokenHandler tokenHandler;
@@ -66,10 +68,12 @@ public class OAuth2Servlet extends Injec
throws ServletException, IOException {
HttpUtil.setNoCache(response);
String path = request.getPathInfo();
- if (path.endsWith("authorize")) {
+ if (path.endsWith(AUTHORIZE)) {
sendOAuth2Response(response, authorizationHandler.handle(request, response));
- } else if (path.endsWith("token")) {
- sendOAuth2Response(response, tokenHandler.handle(request, response));
+ } else if (path.endsWith(TOKEN)) {
+ //token endpoint must use POST method
+ response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "The client MUST use the HTTP \"POST\" method " +
+ "when making access token requests.");
} else {
response.sendError(HttpServletResponse.SC_NOT_FOUND, "Unknown URL");
}
@@ -78,7 +82,14 @@ public class OAuth2Servlet extends Injec
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
- doGet(request, response);
+ String path = request.getPathInfo();
+ if(path.endsWith(TOKEN)){
+ HttpUtil.setNoCache(response);
+ sendOAuth2Response(response, tokenHandler.handle(request, response));
+ }else{
+ // authorization endpoint must support GET method and may support POST as well
+ doGet(request, response);
+ }
}
/**
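Review bot: `path.endsWith(TOKEN)` on the line after `String path = request.getPathInfo();` will throw a NullPointerException when the servlet is mapped on an exact URL pattern, because `HttpServletRequest.getPathInfo()` returns null in that case; the result is a 500 for every POST rather than the intended 404/405. Guard it, for example `String path = request.getPathInfo() == null ? "" : request.getPathInfo();` (doGet has the same pre-existing exposure, so the guard belongs in both). The duplicated path dispatch between doGet and doPost also suggests a single `service()` override that resolves the endpoint once and then checks the method, which would keep the "token requires POST" rule in one place.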
Modified: shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2AuthCodeFlowTest.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2AuthCodeFlowTest.java?rev=1594233&r1=1594232&r2=1594233&view=diff
==============================================================================
--- shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2AuthCodeFlowTest.java (original)
+++ shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2AuthCodeFlowTest.java Tue May 13 14:18:57 2014
@@ -75,7 +75,7 @@ public class OAuth2AuthCodeFlowTest exte
+ "&grant_type=authorization_code&redirect_uri="
+ URLEncoder.encode(PUBLIC_REDIRECT_URI, "UTF-8") + "&code="
+ PUBLIC_AUTH_CODE, "UTF-8");
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -332,7 +332,7 @@ public class OAuth2AuthCodeFlowTest exte
+ "&grant_type=authorization_code&redirect_uri="
+ URLEncoder.encode(REDIRECT_URI, "UTF-8") + "&code=" + code
+ "&client_secret=" + CONF_CLIENT_SECRET);
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
resp = mock(HttpServletResponse.class);
@@ -367,7 +367,7 @@ public class OAuth2AuthCodeFlowTest exte
+ "&grant_type=authorization_code&redirect_uri="
+ URLEncoder.encode(REDIRECT_URI, "UTF-8") + "&code="
+ CONF_AUTH_CODE + "&client_secret=" + CONF_CLIENT_SECRET);
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -407,7 +407,7 @@ public class OAuth2AuthCodeFlowTest exte
+ Base64
.encodeBase64String((CONF_CLIENT_ID + ":" + CONF_CLIENT_SECRET)
.getBytes("UTF-8")));
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -446,7 +446,7 @@ public class OAuth2AuthCodeFlowTest exte
"Basic "
+ Base64.encodeBase64String(("BAD_ID:" + CONF_CLIENT_SECRET)
.getBytes("UTF-8")));
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -477,7 +477,7 @@ public class OAuth2AuthCodeFlowTest exte
+ "&grant_type=authorization_code&redirect_uri="
+ URLEncoder.encode(REDIRECT_URI, "UTF-8") + "&code="
+ CONF_AUTH_CODE + "&client_secret=BAD_SECRET", "UTF-8");
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -509,7 +509,7 @@ public class OAuth2AuthCodeFlowTest exte
"client_id=BAD_CLIENT&grant_type=authorization_code&redirect_uri="
+ URLEncoder.encode(REDIRECT_URI, "UTF-8") + "&code="
+ PUBLIC_AUTH_CODE);
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -541,7 +541,7 @@ public class OAuth2AuthCodeFlowTest exte
+ "&grant_type=BAD_GRANT&redirect_uri="
+ URLEncoder.encode(REDIRECT_URI, "UTF-8") + "&code="
+ PUBLIC_AUTH_CODE);
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -572,7 +572,7 @@ public class OAuth2AuthCodeFlowTest exte
"http://localhost:8080", "/oauth2", "client_id=" + PUBLIC_CLIENT_ID
+ "&grant_type=authorization_code&redirect_uri="
+ URLEncoder.encode(REDIRECT_URI, "UTF-8") + "&code=BAD-CODE-OMG");
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -626,7 +626,7 @@ public class OAuth2AuthCodeFlowTest exte
// use authorization code to get access token
req = new FakeHttpServletRequest("http://localhost:8080","/oauth2", "client_id=" + CONF_CLIENT_ID + "&grant_type=authorization_code&redirect_uri=" + URLEncoder.encode(REDIRECT_URI,"UTF-8") + "&code=" + code + "&client_secret=" + CONF_CLIENT_SECRET);
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
resp = mock(HttpServletResponse.class);
@@ -659,7 +659,7 @@ public class OAuth2AuthCodeFlowTest exte
// attempt to re-use authorization code to get new access token
req = new FakeHttpServletRequest("http://localhost:8080","/oauth2", "client_id=" + CONF_CLIENT_ID + "&grant_type=authorization_code&redirect_uri=" + URLEncoder.encode(REDIRECT_URI,"UTF-8") + "&code=" + code + "&client_secret=" + CONF_CLIENT_SECRET);
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
resp = mock(HttpServletResponse.class);
@@ -687,4 +687,31 @@ public class OAuth2AuthCodeFlowTest exte
fail("Should have thrown InvalidAuthenticationException");
}
+ /**
+ * Test attempting to get access token via GET request
+ */
+ @Test
+ public void testGetAccessTokenBadMethodType() throws Exception {
+ FakeHttpServletRequest req = new FakeHttpServletRequest(
+ "http://localhost:8080/oauth2");
+ req.setContentType("application/x-www-form-urlencoded");
+ req.setPostData(
+ "client_id=" + PUBLIC_CLIENT_ID
+ + "&grant_type=authorization_code&redirect_uri="
+ + URLEncoder.encode(PUBLIC_REDIRECT_URI, "UTF-8") + "&code="
+ + PUBLIC_AUTH_CODE, "UTF-8");
+ req.setMethod("GET");
+ req.setServletPath("/oauth2");
+ req.setPathInfo("/access_token");
+
+ HttpServletResponse resp = mock(HttpServletResponse.class);
+ resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "The client MUST use the HTTP \"POST\" method " +
+ "when making access token requests.");
+
+ replay();
+ servlet.service(req, resp);
+
+ verify();
+ }
+
}
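Review bot: The new testGetAccessTokenBadMethodType expects the servlet's full error text verbatim in `resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "The client MUST use ...")`, so any rewording of that message in OAuth2Servlet breaks this test (and the identical copy in OAuth2ClientCredentialFlowTest) without any security-relevant regression. The contract worth pinning is the status code; match the message loosely, e.g. `resp.sendError(eq(HttpServletResponse.SC_METHOD_NOT_ALLOWED), anyString());`, or expose the text as a constant on the servlet and reference it from both tests. A short Javadoc on the test such as "GET to the token endpoint must be rejected with 405 regardless of grant parameters" would also make the intent clearer than the current one-liner.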
Modified: shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java
URL: http://svn.apache.org/viewvc/shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java?rev=1594233&r1=1594232&r2=1594233&view=diff
==============================================================================
--- shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java (original)
+++ shindig/trunk/java/social-api/src/test/java/org/apache/shindig/social/core/oauth/OAuth2ClientCredentialFlowTest.java Tue May 13 14:18:57 2014
@@ -30,6 +30,7 @@ import org.junit.Test;
import javax.servlet.http.HttpServletResponse;
import java.io.PrintWriter;
+import java.net.URLEncoder;
public class OAuth2ClientCredentialFlowTest extends AbstractLargeRestfulTests {
@@ -56,7 +57,7 @@ public class OAuth2ClientCredentialFlowT
FakeHttpServletRequest req = new FakeHttpServletRequest(
"http://localhost:8080", "/oauth2", "grant_type=client_credentials");
req.setHeader("Authorization", "Basic *^%#");
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -89,7 +90,7 @@ public class OAuth2ClientCredentialFlowT
"Basic "
+ Base64.encodeBase64String((CLIENT_CRED_CLIENT + ":badsecret")
.getBytes("UTF-8")));
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -123,7 +124,7 @@ public class OAuth2ClientCredentialFlowT
+ Base64
.encodeBase64String((CLIENT_CRED_CLIENT + ":" + CLIENT_CRED_SECRET)
.getBytes("UTF-8")));
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
@@ -156,7 +157,7 @@ public class OAuth2ClientCredentialFlowT
"http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT
+ "&grant_type=client_credentials&client_secret="
+ CLIENT_CRED_SECRET);
- req.setMethod("GET");
+ req.setMethod("POST");
req.setServletPath("/oauth2");
req.setPathInfo("/access_token");
HttpServletResponse resp = mock(HttpServletResponse.class);
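Review bot: This test now POSTs, but if the third constructor argument of FakeHttpServletRequest is the query string (as the `"client_id=" + CLIENT_CRED_CLIENT + "&grant_type=client_credentials&client_secret=" + CLIENT_CRED_SECRET` form suggests), the client secret is still being sent in the URI and the server still accepts it. RFC 6749 §2.3.1 requires clients to send form-encoded credentials only in the request body, and an authorization server that honours query-string secrets keeps them in access logs; the commit's stated goal of forcing POST is only half met while this remains accepted. Consider moving the parameters into `req.setPostData(...)` here and adding a negative test that a POST carrying `client_secret` in the query string is rejected, with a `// credentials must be in the body, never in the query (RFC 6749 §2.3.1)` comment. Whether the third argument is indeed the query string could not be confirmed from this hunk.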
@@ -178,4 +179,27 @@ public class OAuth2ClientCredentialFlowT
verify();
}
+ /**
+ * Test attempting to get access token via GET request
+ */
+ @Test
+ public void testGetAccessTokenBadMethodType() throws Exception {
+ FakeHttpServletRequest req = new FakeHttpServletRequest(
+ "http://localhost:8080", "/oauth2", "client_id=" + CLIENT_CRED_CLIENT
+ + "&grant_type=client_credentials&client_secret="
+ + CLIENT_CRED_SECRET);
+ req.setMethod("GET");
+ req.setServletPath("/oauth2");
+ req.setPathInfo("/access_token");
+
+ HttpServletResponse resp = mock(HttpServletResponse.class);
+ resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "The client MUST use the HTTP \"POST\" method " +
+ "when making access token requests.");
+
+ replay();
+ servlet.service(req, resp);
+
+ verify();
+ }
+
}