Posted to commits@cxf.apache.org by se...@apache.org on 2013/08/15 12:30:41 UTC
svn commit: r1514227 - in
/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2:
common/ filters/ services/ utils/
Author: sergeyb
Date: Thu Aug 15 10:30:40 2013
New Revision: 1514227
URL: http://svn.apache.org/r1514227
Log:
[CXF-5209] Support for OAuth2 audience parameter
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java Thu Aug 15 10:30:40 2013
@@ -44,6 +44,7 @@ public class AccessTokenValidation {
private long tokenLifetime;
private UserSubject tokenSubject;
private List<OAuthPermission> tokenScopes = new LinkedList<OAuthPermission>();
+ private String audience;
public AccessTokenValidation() {
@@ -60,7 +61,8 @@ public class AccessTokenValidation {
this.tokenLifetime = token.getExpiresIn();
this.tokenSubject = token.getSubject();
- this.tokenScopes = token.getScopes();
+ this.tokenScopes = token.getScopes();
+ this.audience = token.getAudience();
}
public String getClientId() {
@@ -119,5 +121,13 @@ public class AccessTokenValidation {
public void setTokenType(String tokenType) {
this.tokenType = tokenType;
}
+
+ public String getAudience() {
+ return audience;
+ }
+
+ public void setAudience(String audience) {
+ this.audience = audience;
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java Thu Aug 15 10:30:40 2013
@@ -34,6 +34,7 @@ public class OAuthContext {
private String tokenGrantType;
private String clientId;
private String tokenKey;
+ private String tokenAudience;
public OAuthContext(UserSubject resourceOwnerSubject,
UserSubject clientSubject,
@@ -109,4 +110,12 @@ public class OAuthContext {
public void setTokenKey(String tokenKey) {
this.tokenKey = tokenKey;
}
+
+ public String getTokenAudience() {
+ return tokenAudience;
+ }
+
+ public void setTokenAudience(String tokenAudience) {
+ this.tokenAudience = tokenAudience;
+ }
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java Thu Aug 15 10:30:40 2013
@@ -29,6 +29,7 @@ public abstract class ServerAccessToken
private Client client;
private List<OAuthPermission> scopes = new LinkedList<OAuthPermission>();
private UserSubject subject;
+ private String audience;
protected ServerAccessToken(Client client,
String tokenType,
@@ -108,4 +109,12 @@ public abstract class ServerAccessToken
return grantType;
}
+ public String getAudience() {
+ return audience;
+ }
+
+ public void setAudience(String audience) {
+ this.audience = audience;
+ }
+
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java Thu Aug 15 10:30:40 2013
@@ -95,6 +95,7 @@ public class OAuthRequestFilter extends
oauthContext.setClientId(accessTokenV.getClientId());
oauthContext.setTokenKey(accessTokenV.getTokenKey());
+ oauthContext.setTokenAudience(accessTokenV.getAudience());
m.setContent(OAuthContext.class, oauthContext);
}
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java Thu Aug 15 10:30:40 2013
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth
import java.util.Collections;
import java.util.HashSet;
+import java.util.LinkedList;
import java.util.List;
import java.util.Set;
@@ -44,7 +45,10 @@ public abstract class AbstractAccessToke
private MessageContext mc;
private List<AccessTokenValidator> tokenHandlers = Collections.emptyList();
+ private List<String> audiences = new LinkedList<String>();
+
private Set<String> supportedSchemes = new HashSet<String>();
+
private OAuthDataProvider dataProvider;
private String realm;
@@ -134,12 +138,28 @@ public abstract class AbstractAccessToke
}
AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
}
+
+ // Check audiences
+ if (accessTokenV.getAudience() != null
+ && !audiences.isEmpty()
+ && !audiences.contains(accessTokenV.getAudience())) {
+ AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+ }
+
return accessTokenV;
}
public void setRealm(String realm) {
this.realm = realm;
}
+
+ public List<String> getAudiences() {
+ return audiences;
+ }
+
+ public void setAudiences(List<String> audiences) {
+ this.audiences = audiences;
+ }
}
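Review bot: The audience check added at the top of this hunk lets a token that carries no audience through even when the validator has been configured with one, because the first condition `accessTokenV.getAudience() != null` short-circuits the whole test; if the intent is that an audience-restricted resource server only accepts tokens bound to it, the condition should read `if (!audiences.isEmpty() && !audiences.contains(accessTokenV.getAudience()))`, and if accepting audience-less tokens is deliberate (tokens issued before audience support) that deserves a comment such as `// tokens without an audience are accepted for compatibility`. The enclosing method, which produces accessTokenV, starts outside the hunk. Separately, `setAudiences` stores the caller's reference as-is, so `setAudiences(null)` makes `audiences.isEmpty()` throw a NullPointerException on the next request; `this.audiences = audiences == null ? Collections.<String>emptyList() : audiences;` covers that, and the same applies to the identical setter added in AccessTokenService.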
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java Thu Aug 15 10:30:40 2013
@@ -19,6 +19,8 @@
package org.apache.cxf.rs.security.oauth2.services;
+import java.net.MalformedURLException;
+import java.net.URL;
import java.util.LinkedList;
import java.util.List;
@@ -32,6 +34,7 @@ import javax.ws.rs.core.Response;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
@@ -47,6 +50,7 @@ import org.apache.cxf.rs.security.oauth2
@Path("/token")
public class AccessTokenService extends AbstractTokenService {
private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
+ private List<String> audiences = new LinkedList<String>();
/**
* Sets the list of optional grant handlers
@@ -83,6 +87,11 @@ public class AccessTokenService extends
return createErrorResponse(params, OAuthConstants.UNAUTHORIZED_CLIENT);
}
+ try {
+ checkAudience(params);
+ } catch (OAuthServiceException ex) {
+ return super.createErrorResponseFromBean(ex.getError());
+ }
// Find the grant handler
AccessTokenGrantHandler handler = findGrantHandler(params);
@@ -121,6 +130,28 @@ public class AccessTokenService extends
.build();
}
+ protected void checkAudience(MultivaluedMap<String, String> params) {
+ if (audiences.isEmpty()) {
+ return;
+ }
+
+ String audienceParam = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
+ if (audienceParam == null) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+ // must be URL
+ try {
+ new URL(audienceParam);
+ } catch (MalformedURLException ex) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
+ }
+
+ if (!audiences.contains(audienceParam)) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.ACCESS_DENIED));
+ }
+
+ }
+
/**
* Find the matching grant handler
*/
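Review bot: The audience accepted in checkAudience is never recorded on the token that is created afterwards: `ServerAccessToken.setAudience` is added in this commit but no caller of it appears anywhere in the diff, so unless a grant handler or data provider is updated elsewhere, AbstractAccessTokenValidator will see `getAudience() == null` on every token and its new audience check will never take effect. If the propagation is meant to happen inside the handlers, a Javadoc on checkAudience stating that the caller is responsible for setting the validated audience on the issued token would make the contract visible; otherwise the value should be set on the token after the grant handler returns it, which happens outside this hunk. A smaller point on the `// must be URL` check: `new URL(audienceParam)` only proves that the string has a protocol handler known to this JVM, and since the following `audiences.contains(audienceParam)` is an exact string comparison against the configured list, the check adds little; `java.net.URI` performs the same syntactic validation without the handler lookup, or the check could be dropped with a comment explaining that matching is by exact string.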
@@ -146,4 +177,12 @@ public class AccessTokenService extends
return null;
}
+
+ public List<String> getAudiences() {
+ return audiences;
+ }
+
+ public void setAudiences(List<String> audiences) {
+ this.audiences = audiences;
+ }
}
\ No newline at end of file
Modified: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java?rev=1514227&r1=1514226&r2=1514227&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java (original)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java Thu Aug 15 10:30:40 2013
@@ -26,6 +26,7 @@ public final class OAuthConstants {
// Common OAuth2 constants
public static final String CLIENT_ID = "client_id";
public static final String CLIENT_SECRET = "client_secret";
+ public static final String CLIENT_AUDIENCE = "audience";
public static final String REDIRECT_URI = "redirect_uri";
public static final String SCOPE = "scope";
public static final String STATE = "state";