Posted to commits@cxf.apache.org by se...@apache.org on 2015/04/07 18:45:53 UTC
cxf git commit: Adding some initial OAuth2 client filter support
Repository: cxf
Updated Branches:
refs/heads/master 2fd810353 -> e49894be6
Adding some initial OAuth2 client filter support
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e49894be
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e49894be
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e49894be
Branch: refs/heads/master
Commit: e49894be6a817844066e517903f6c4aea7ce0a0c
Parents: 2fd8103
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Tue Apr 7 17:45:36 2015 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Tue Apr 7 17:45:36 2015 +0100
----------------------------------------------------------------------
.../oauth2/client/AbstractAuthSupplier.java | 37 ++++++
.../oauth2/client/BearerAuthSupplier.java | 130 +++++++++++++++++++
.../oauth2/client/BearerClientFilter.java | 43 ++++++
.../oauth2/common/ClientAccessToken.java | 4 +
4 files changed, 214 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
new file mode 100644
index 0000000..5932f28
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AbstractAuthSupplier.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+
+public abstract class AbstractAuthSupplier {
+ protected ClientAccessToken clientAccessToken = new ClientAccessToken();
+ protected AbstractAuthSupplier(String type) {
+ clientAccessToken = new ClientAccessToken();
+ clientAccessToken.setTokenType(type);
+ }
+ public void setAccessToken(String accessToken) {
+ clientAccessToken.setTokenKey(accessToken);
+ }
+ protected String createAuthorizationHeader() {
+ return clientAccessToken.getTokenType() + " " + clientAccessToken.getTokenKey();
+ }
+
+}
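Review bot: `createAuthorizationHeader()` concatenates the scheme and `getTokenKey()` without a null check, so a supplier whose token was never set produces the literal header value `Bearer null`. BearerAuthSupplier checks the key before calling it, but BearerClientFilter.filter (third file in this commit) does not. Consider failing fast, e.g. `if (clientAccessToken.getTokenKey() == null) { throw new IllegalStateException("access token is not set"); }`, or returning null and letting callers skip the header. The field initialiser `new ClientAccessToken()` is also redundant, because the constructor reassigns the field immediately. Since `clientAccessToken` is a mutable protected field with no visible synchronization, a comment such as `// current token; replaced on refresh, not synchronized` would tell subclass authors what to expect.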
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
new file mode 100644
index 0000000..557a825
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerAuthSupplier.java
@@ -0,0 +1,130 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.net.URI;
+import java.util.Collections;
+
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.transport.http.auth.HttpAuthSupplier;
+
+public class BearerAuthSupplier extends AbstractAuthSupplier implements HttpAuthSupplier {
+ private Consumer consumer;
+ private String accessTokenServiceUri;
+ private boolean refreshEarly;
+ public BearerAuthSupplier() {
+ super(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
+ }
+
+ public boolean requiresRequestCaching() {
+ return true;
+ }
+
+ public String getAuthorization(AuthorizationPolicy authPolicy,
+ URI currentURI,
+ Message message,
+ String fullHeader) {
+ if (clientAccessToken.getTokenKey() == null) {
+ return null;
+ }
+
+
+ if (fullHeader == null) {
+ // regular authorization
+ if (refreshEarly) {
+ refreshAccessTokenIfExpired(authPolicy);
+ }
+ return createAuthorizationHeader();
+ }
+ // the last call resulted in 401, trying to refresh the token(s)
+ if (refreshAccessToken(authPolicy)) {
+ return createAuthorizationHeader();
+ } else {
+ return null;
+
+ }
+ }
+ private void refreshAccessTokenIfExpired(AuthorizationPolicy authPolicy) {
+ if (clientAccessToken.getExpiresIn() != -1
+ && OAuthUtils.isExpired(clientAccessToken.getIssuedAt(),
+ clientAccessToken.getExpiresIn())) {
+ refreshAccessToken(authPolicy);
+ }
+
+ }
+
+
+ private boolean refreshAccessToken(AuthorizationPolicy authPolicy) {
+ if (clientAccessToken.getRefreshToken() == null) {
+ return false;
+ }
+ // Client id and secret are needed to refresh the tokens
+ // AuthorizationPolicy can hold them by default, Consumer can also be injected into this supplier
+ // and checked if the policy is null.
+ // Client TLS authentication is also fine as an alternative authentication mechanism,
+ // how can we check here that a 2-way TLS has been set up ?
+ Consumer theConsumer = consumer;
+ if (theConsumer == null
+ && authPolicy != null && authPolicy.getUserName() != null && authPolicy.getPassword() != null) {
+ theConsumer = new Consumer(authPolicy.getUserName(), authPolicy.getPassword());
+ return false;
+ }
+ if (theConsumer == null) {
+ return false;
+ }
+ // Can WebCient be safely constructed at HttpConduit initialization time ?
+ // If yes then createAccessTokenServiceClient() can be called inside
+ // setAccessTokenServiceUri, though given that the token refreshment would
+ // not be done on every request the current approach is quite reasonable
+
+ WebClient accessTokenService = createAccessTokenServiceClient();
+ clientAccessToken = OAuthClientUtils.refreshAccessToken(accessTokenService, theConsumer, clientAccessToken);
+ return true;
+ }
+
+ private WebClient createAccessTokenServiceClient() {
+ return WebClient.create(accessTokenServiceUri, Collections.singletonList(new OAuthJSONProvider()));
+ }
+
+ public void setRefreshToken(String refreshToken) {
+ clientAccessToken.setRefreshToken(refreshToken);
+ }
+
+ public void setAccessTokenServiceUri(String uri) {
+ this.accessTokenServiceUri = uri;
+ }
+
+ public Consumer getConsumer() {
+ return consumer;
+ }
+ public void setConsumer(Consumer consumer) {
+ this.consumer = consumer;
+ }
+
+ public void setRefreshEarly(boolean refreshEarly) {
+ this.refreshEarly = refreshEarly;
+ }
+
+}
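Review bot: In `refreshAccessToken`, the branch that builds a `Consumer` from `authPolicy.getUserName()` and `getPassword()` ends with `return false;`, so credentials from the AuthorizationPolicy are never used and a refresh can only succeed when a Consumer was injected. That contradicts the comment above it and looks like a leftover; drop the `return false;` inside that `if`. `accessTokenServiceUri` is passed to `WebClient.create` without a null check, and because this call carries the client secret and refresh token, `setAccessTokenServiceUri` would be a good place to reject a missing or non-https URI. The field is then replaced wholesale by the result of `OAuthClientUtils.refreshAccessToken`; if the token endpoint omits a new refresh token the old one may be lost, which is worth confirming against that helper.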
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
new file mode 100644
index 0000000..30a7eeb
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/BearerClientFilter.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.io.IOException;
+
+import javax.ws.rs.client.ClientRequestContext;
+import javax.ws.rs.client.ClientRequestFilter;
+import javax.ws.rs.core.HttpHeaders;
+
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+public class BearerClientFilter extends AbstractAuthSupplier implements ClientRequestFilter {
+
+ public BearerClientFilter() {
+ super(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
+ }
+
+ @Override
+ public void filter(ClientRequestContext requestContext) throws IOException {
+ requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION,
+ createAuthorizationHeader());
+
+ }
+
+}
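Review bot: `filter` sets the Authorization header on every outgoing request whatever the target, so the bearer token is also sent when `requestContext.getUri()` has a plain `http` scheme. A bearer token can be used by anyone who observes it, and RFC 6750 requires TLS for that reason, so consider refusing to add the header (or failing the request) unless the scheme is `https`, with an explicit opt-out for test setups. A short class Javadoc would also help, stating that the token must be supplied through `setAccessToken` before the filter is registered and that this filter, unlike BearerAuthSupplier, makes no refresh attempt.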
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49894be/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
index 745339a..e59075d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java
@@ -31,6 +31,10 @@ public class ClientAccessToken extends AccessToken {
private static final long serialVersionUID = 831870452726298523L;
private String scope;
+ public ClientAccessToken() {
+
+ }
+
public ClientAccessToken(String tokenType, String tokenKey) {
super(tokenType, tokenKey);
}