Posted to commits@cxf.apache.org by co...@apache.org on 2019/11/04 15:55:57 UTC
[cxf-fediz] 01/02: Picking up some changes from the recent CXF
releases
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 08db044d9b5bbdfaf2bbc0eb3336e59220c357b0
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Nov 4 12:36:31 2019 +0000
Picking up some changes from the recent CXF releases
---
.../service/oidc/FedizAccessTokenService.java | 95 ++++++++++++++++++++++
.../service/oidc/FedizTokenRevocationService.java | 95 ++++++++++++++++++++++
.../src/main/webapp/WEB-INF/applicationContext.xml | 4 +-
.../src/test/resources/oidc/applicationContext.xml | 4 +-
.../resources/oidc/spring/applicationContext.xml | 4 +-
5 files changed, 196 insertions(+), 6 deletions(-)
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizAccessTokenService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizAccessTokenService.java
new file mode 100644
index 0000000..3e58ad3
--- /dev/null
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizAccessTokenService.java
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.oidc;
+
+import java.security.Principal;
+
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.SecurityContext;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.services.AccessTokenService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+
+/**
+ * Override the default CXF class to pick up the fix that was made in 3.2.11/3.3.4 in the AbstractTokenService
+ */
+public class FedizAccessTokenService extends AccessTokenService {
+
+ @Override
+ protected Client authenticateClientIfNeeded(MultivaluedMap<String, String> params) {
+ Client client = null;
+ SecurityContext sc = getMessageContext().getSecurityContext();
+ Principal principal = sc.getUserPrincipal();
+
+ String clientId = retrieveClientId(params);
+ if (principal == null) {
+ if (clientId != null) {
+ String clientSecret = params.getFirst(OAuthConstants.CLIENT_SECRET);
+ if (clientSecret != null) {
+ client = getAndValidateClientFromIdAndSecret(clientId, clientSecret, params);
+ validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_POST);
+ } else if (OAuthUtils.isMutualTls(sc, getTlsSessionInfo())) {
+ client = getClient(clientId, params);
+ checkCertificateBinding(client, getTlsSessionInfo());
+ validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
+ } else if (isCanSupportPublicClients()) {
+ client = getValidClient(clientId, params);
+ if (!isValidPublicClient(client, clientId)) {
+ client = null;
+ } else {
+ validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_NONE);
+ }
+ }
+ }
+ } else {
+ if (clientId != null) {
+ if (!clientId.equals(principal.getName())) {
+ reportInvalidClient();
+ }
+
+ client = (Client)getMessageContext().get(Client.class.getName());
+ if (client == null) {
+ client = getClient(clientId, params);
+ }
+ } else if (principal.getName() != null) {
+ client = getClient(principal.getName(), params);
+ }
+ }
+ if (client == null) {
+ client = getClientFromTLSCertificates(sc, getTlsSessionInfo(), params);
+ if (client == null) {
+ // Basic Authentication is expected by default
+ client = getClientFromBasicAuthScheme(params);
+ }
+ }
+ if (client == null) {
+ reportInvalidClient();
+ }
+ return client;
+ }
+
+ private TLSSessionInfo getTlsSessionInfo() {
+
+ return (TLSSessionInfo)getMessageContext().get(TLSSessionInfo.class.getName());
+ }
+
+}
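Review bot: The class Javadoc on FedizAccessTokenService says only that it picks up an AbstractTokenService fix from CXF 3.2.11/3.3.4; it names neither the behaviour that differs from the inherited authenticateClientIfNeeded nor the condition under which the override can be dropped, so whoever later bumps the CXF dependency has no cue that this class and the three applicationContext.xml bean swaps are a temporary backport. I would extend the Javadoc to something like `Backport of AbstractTokenService#authenticateClientIfNeeded from CXF 3.2.11/3.3.4 (<CXF issue id>). Delete this class and point the accessTokenService bean back at org.apache.cxf.rs.security.oauth2.services.AccessTokenService once the CXF dependency is at or above that version.` The same applies to FedizTokenRevocationService in the next hunk, whose override body is byte-identical to this one; because the two classes extend different CXF bases and the body calls protected AbstractTokenService methods, the duplication is hard to factor out, so each Javadoc should cross-reference the other and state that the two bodies must be kept in sync. A short comment on the `principal != null` branch noting that a client id which does not match the already-authenticated principal is rejected before any lookup would also help a reader follow the credential precedence.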
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizTokenRevocationService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizTokenRevocationService.java
new file mode 100644
index 0000000..e999f27
--- /dev/null
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizTokenRevocationService.java
@@ -0,0 +1,95 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.oidc;
+
+import java.security.Principal;
+
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.SecurityContext;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.services.TokenRevocationService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+
+/**
+ * Override the default CXF class to pick up the fix that was made in 3.2.11/3.3.4 in the AbstractTokenService
+ */
+public class FedizTokenRevocationService extends TokenRevocationService {
+
+ @Override
+ protected Client authenticateClientIfNeeded(MultivaluedMap<String, String> params) {
+ Client client = null;
+ SecurityContext sc = getMessageContext().getSecurityContext();
+ Principal principal = sc.getUserPrincipal();
+
+ String clientId = retrieveClientId(params);
+ if (principal == null) {
+ if (clientId != null) {
+ String clientSecret = params.getFirst(OAuthConstants.CLIENT_SECRET);
+ if (clientSecret != null) {
+ client = getAndValidateClientFromIdAndSecret(clientId, clientSecret, params);
+ validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_POST);
+ } else if (OAuthUtils.isMutualTls(sc, getTlsSessionInfo())) {
+ client = getClient(clientId, params);
+ checkCertificateBinding(client, getTlsSessionInfo());
+ validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
+ } else if (isCanSupportPublicClients()) {
+ client = getValidClient(clientId, params);
+ if (!isValidPublicClient(client, clientId)) {
+ client = null;
+ } else {
+ validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_NONE);
+ }
+ }
+ }
+ } else {
+ if (clientId != null) {
+ if (!clientId.equals(principal.getName())) {
+ reportInvalidClient();
+ }
+
+ client = (Client)getMessageContext().get(Client.class.getName());
+ if (client == null) {
+ client = getClient(clientId, params);
+ }
+ } else if (principal.getName() != null) {
+ client = getClient(principal.getName(), params);
+ }
+ }
+ if (client == null) {
+ client = getClientFromTLSCertificates(sc, getTlsSessionInfo(), params);
+ if (client == null) {
+ // Basic Authentication is expected by default
+ client = getClientFromBasicAuthScheme(params);
+ }
+ }
+ if (client == null) {
+ reportInvalidClient();
+ }
+ return client;
+ }
+
+ private TLSSessionInfo getTlsSessionInfo() {
+
+ return (TLSSessionInfo)getMessageContext().get(TLSSessionInfo.class.getName());
+ }
+
+}
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index b2ee2fe..d99dba5 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -212,14 +212,14 @@
<!-- Add more custom grant handlers as needed -->
</util:list>
<!-- Access Token service -->
- <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <bean id="accessTokenService" class="org.apache.cxf.fediz.service.oidc.FedizAccessTokenService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="responseFilter" ref="idTokenFilter"/>
<property name="grantHandlers" ref="grantHandlers"/>
<property name="canSupportPublicClients" value="true"/>
</bean>
<!-- Access Token Revocation service -->
- <bean id="accessTokenRevocationService" class="org.apache.cxf.rs.security.oauth2.services.TokenRevocationService">
+ <bean id="accessTokenRevocationService" class="org.apache.cxf.fediz.service.oidc.FedizTokenRevocationService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<!-- Access Token Introspection service -->
diff --git a/systests/oidc/src/test/resources/oidc/applicationContext.xml b/systests/oidc/src/test/resources/oidc/applicationContext.xml
index 9d6935a..81c2cec 100644
--- a/systests/oidc/src/test/resources/oidc/applicationContext.xml
+++ b/systests/oidc/src/test/resources/oidc/applicationContext.xml
@@ -231,14 +231,14 @@
<ref bean="clientCredsHandler"/>
</util:list>
<!-- Access Token service -->
- <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <bean id="accessTokenService" class="org.apache.cxf.fediz.service.oidc.FedizAccessTokenService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="responseFilter" ref="idTokenFilter"/>
<property name="grantHandlers" ref="grantHandlers"/>
<property name="canSupportPublicClients" value="true"/>
</bean>
<!-- Access Token Revocation service -->
- <bean id="accessTokenRevocationService" class="org.apache.cxf.rs.security.oauth2.services.TokenRevocationService">
+ <bean id="accessTokenRevocationService" class="org.apache.cxf.fediz.service.oidc.FedizTokenRevocationService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<!-- Access Token Introspection service -->
diff --git a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
index e3b5a21..47eba34 100644
--- a/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
+++ b/systests/oidc/src/test/resources/oidc/spring/applicationContext.xml
@@ -299,14 +299,14 @@
<ref bean="clientCredsHandler"/>
</util:list>
<!-- Access Token service -->
- <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <bean id="accessTokenService" class="org.apache.cxf.fediz.service.oidc.FedizAccessTokenService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="responseFilter" ref="idTokenFilter"/>
<property name="grantHandlers" ref="grantHandlers"/>
<property name="canSupportPublicClients" value="true"/>
</bean>
<!-- Access Token Revocation service -->
- <bean id="accessTokenRevocationService" class="org.apache.cxf.rs.security.oauth2.services.TokenRevocationService">
+ <bean id="accessTokenRevocationService" class="org.apache.cxf.fediz.service.oidc.FedizTokenRevocationService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<!-- Access Token Introspection service -->