Posted to commits@cxf.apache.org by se...@apache.org on 2016/02/08 14:55:28 UTC
cxf-fediz git commit: Moving OidcUserSubject creation to an earlier
stage with a custom SubjectCreator
Repository: cxf-fediz
Updated Branches:
refs/heads/master d87c3c0ca -> 4d9c688e1
Moving OidcUserSubject creation to an earlier stage with a custom SubjectCreator
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4d9c688e
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4d9c688e
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4d9c688e
Branch: refs/heads/master
Commit: 4d9c688e177d6aeae34ca8dbcf95e09a6a086596
Parents: d87c3c0
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Mon Feb 8 13:55:13 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Mon Feb 8 13:55:13 2016 +0000
----------------------------------------------------------------------
.../fediz/service/oidc/FedizSubjectCreator.java | 66 ++++++++++++++++++++
.../fediz/service/oidc/OAuthDataManager.java | 59 -----------------
.../main/webapp/WEB-INF/applicationContext.xml | 2 +
.../src/main/webapp/WEB-INF/data-manager.xml | 10 ++-
4 files changed, 75 insertions(+), 62 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
new file mode 100644
index 0000000..f030f06
--- /dev/null
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.oidc;
+
+import java.security.Principal;
+
+import org.apache.cxf.fediz.core.FedizPrincipal;
+import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
+
+public class FedizSubjectCreator implements SubjectCreator {
+
+ private SamlTokenConverter tokenConverter = new SamlTokenConverter();
+
+
+ @Override
+ public UserSubject createUserSubject(MessageContext mc, Client client) throws OAuthServiceException {
+ Principal principal = mc.getSecurityContext().getUserPrincipal();
+
+ if (!(principal instanceof FedizPrincipal)) {
+ throw new OAuthServiceException("Unsupported Principal");
+ }
+ FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
+
+ // In the future FedizPrincipal will likely have JWT claims already prepared,
+ // with IdToken being initialized here from those claims + client id
+
+ IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(),
+ fedizPrincipal.getName(),
+ fedizPrincipal.getClaims(),
+ client.getClientId());
+
+ OidcUserSubject oidcSub = new OidcUserSubject();
+ oidcSub.setLogin(fedizPrincipal.getName());
+ oidcSub.setIdToken(idToken);
+ // UserInfo can be populated and set on OidcUserSubject too.
+
+ return oidcSub;
+ }
+
+ public void setTokenConverter(SamlTokenConverter tokenConverter) {
+ this.tokenConverter = tokenConverter;
+ }
+
+}
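Review bot: `createUserSubject` dereferences `mc.getSecurityContext()` on its first line without a null check, so a request that reaches the service with no security context established fails with a NullPointerException instead of the `OAuthServiceException` the method otherwise raises for an unusable principal; a guard such as `if (mc.getSecurityContext() == null) { throw new OAuthServiceException("Unsupported Principal"); }` before the `getUserPrincipal()` call keeps the failure mode uniform (a null principal is already covered, since `null instanceof FedizPrincipal` is false). The subject assembled at the `new OidcUserSubject()` line now carries only the login and the IdToken, whereas the removed `createOidcSubject` in OAuthDataManager wrapped the framework-created subject via `new OidcUserSubject(subject)`, which presumably also carried over its roles and properties; if any downstream authorization relies on roles from the subject they now have to be populated here, which is worth confirming. The class also has no Javadoc; suggest `/** Builds an OidcUserSubject whose IdToken is derived from the authenticated FedizPrincipal's login token and claims for the requesting client. */`.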
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
index 3f9b955..c822223 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
@@ -18,70 +18,11 @@
*/
package org.apache.cxf.fediz.service.oidc;
-import java.security.Principal;
-
-import org.apache.cxf.fediz.core.FedizPrincipal;
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
-import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
-import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
- private SamlTokenConverter tokenConverter = new SamlTokenConverter();
public OAuthDataManager() {
}
- @Override
- protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg)
- throws OAuthServiceException {
- ServerAuthorizationCodeGrant grant = super.doCreateCodeGrant(reg);
- OidcUserSubject oidcSub = createOidcSubject(grant.getClient(),
- grant.getSubject());
- grant.setSubject(oidcSub);
- return grant;
- }
-
- @Override
- protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration reg)
- throws OAuthServiceException {
- ServerAccessToken token = super.doCreateAccessToken(reg);
- if (OAuthConstants.IMPLICIT_GRANT.equals(reg.getGrantType())) {
- OidcUserSubject oidcSub = createOidcSubject(token.getClient(),
- token.getSubject());
- token.setSubject(oidcSub);
- }
- return token;
- }
-
- protected OidcUserSubject createOidcSubject(Client client, UserSubject subject) {
- Principal principal = getMessageContext().getSecurityContext().getUserPrincipal();
-
- if (!(principal instanceof FedizPrincipal)) {
- throw new OAuthServiceException("Unsupported Principal");
- }
- FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
- IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(),
- fedizPrincipal.getName(),
- fedizPrincipal.getClaims(),
- client.getClientId());
-
- OidcUserSubject oidcSub = new OidcUserSubject(subject);
- oidcSub.setIdToken(idToken);
- // UserInfo can be populated and set on OidcUserSubject too.
-
-
- return oidcSub;
- }
-
- public void setTokenConverter(SamlTokenConverter tokenConverter) {
- this.tokenConverter = tokenConverter;
- }
}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index 8f9340f..4ff8856 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -42,6 +42,7 @@
<bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
<property name="dataProvider" ref="oauthProvider"/>
+ <property name="subjectCreator" ref="subjectCreator"/>
<property name="skipAuthorizationWithOidcScope" value="true"/>
<!--
<property name="useAllClientScopes" value="true"/>
@@ -50,6 +51,7 @@
</bean>
<bean id="oidcImplicitService" class="org.apache.cxf.rs.security.oidc.idp.OidcImplicitService">
<property name="dataProvider" ref="oauthProvider"/>
+ <property name="subjectCreator" ref="subjectCreator"/>
<property name="skipAuthorizationWithOidcScope" value="true"/>
<property name="responseFilter" ref="idTokenFilter"/>
</bean>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index d496731..d6e06af 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -29,9 +29,6 @@
<bean id="applicationContextProvider" class="org.apache.cxf.fediz.service.oidc.ApplicationContextProvider"/>
- <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter">
- <property name="issuer" value="accounts.fediz.com"/>
- </bean>
<util:map id="supportedScopes">
<entry key="openid" value="Access the authentication claims" />
<entry key="refreshToken" value="Refresh access tokens" />
@@ -54,6 +51,13 @@
<!--
<property name="accessTokenLifetime" value="3600"/>
-->
+ </bean>
+
+ <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter">
+ <property name="issuer" value="accounts.fediz.com"/>
+ </bean>
+
+ <bean id="subjectCreator" class="org.apache.cxf.fediz.service.oidc.FedizSubjectCreator">
<property name="tokenConverter" ref="samlTokenConverter"/>
</bean>
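Review bot: The `samlTokenConverter` bean moved to this position still carries the literal issuer `accounts.fediz.com`, and with this change it presumably feeds the `iss` claim of every IdToken that `FedizSubjectCreator` builds for both the authorization-code and implicit services; relying parties validate `iss` against the issuer they were configured with, so a deployment that leaves the sample host in place will either fail token validation or trust tokens under a name it does not own. Consider a comment beside the property, `<!-- Must match the issuer identifier relying parties are configured to trust -->`, or externalising the value as a property placeholder if the webapp already uses one.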