Posted to commits@cxf.apache.org by se...@apache.org on 2016/01/22 15:01:55 UTC

[2/2] cxf git commit: Trying to finalize the current token introspection/audience code

Trying to finalize the current token introspection/audience code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4604ca12
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4604ca12
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4604ca12

Branch: refs/heads/3.1.x-fixes
Commit: 4604ca122a129ee311bbbfc041fbd48777f5354f
Parents: 5705d3d
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Fri Jan 22 13:45:34 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Fri Jan 22 14:01:33 2016 +0000

----------------------------------------------------------------------
 .../rs/security/oauth2/common/AccessToken.java  |  9 +++++
 .../oauth2/common/AccessTokenValidation.java    | 11 +++++-
 .../rs/security/oauth2/common/OAuthContext.java | 19 ++++++++---
 .../filters/AccessTokenIntrospectionClient.java | 20 +++++++----
 .../oauth2/filters/OAuthRequestFilter.java      | 35 +++++++++++++-------
 .../oauth2/provider/OAuthJSONProvider.java      | 18 +++++++---
 .../services/TokenIntrospectionService.java     |  9 ++++-
 7 files changed, 92 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
index e31ae7c..dd0415f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessToken.java
@@ -34,6 +34,7 @@ public abstract class AccessToken implements Serializable {
     private String refreshToken;
     private long expiresIn = -1;
     private long issuedAt = -1;
+    private String issuer;
     
     
     private Map<String, String> parameters = new LinkedHashMap<String, String>();
@@ -140,4 +141,12 @@ public abstract class AccessToken implements Serializable {
     public void setParameters(Map<String, String> parameters) {
         this.parameters = parameters;
     }
+
+    public String getIssuer() {
+        return issuer;
+    }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
index 6a33e2b..f7b945d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
@@ -53,6 +53,7 @@ public class AccessTokenValidation {
     private String tokenGrantType;
     private long tokenIssuedAt;
     private long tokenLifetime;
+    private String tokenIssuer;
     private UserSubject tokenSubject;
     private List<OAuthPermission> tokenScopes = new LinkedList<OAuthPermission>();
     private List<String> audiences = new LinkedList<String>();
@@ -73,7 +74,7 @@ public class AccessTokenValidation {
         this.tokenGrantType = token.getGrantType();
         this.tokenIssuedAt = token.getIssuedAt();
         this.tokenLifetime = token.getExpiresIn();
-        
+        this.tokenIssuer = token.getIssuer();
         this.tokenSubject = token.getSubject();
         this.tokenScopes = token.getScopes();
         this.setAudiences(token.getAudiences());
@@ -183,5 +184,13 @@ public class AccessTokenValidation {
     public void setAudiences(List<String> audiences) {
         this.audiences = audiences;
     }
+
+    public String getTokenIssuer() {
+        return tokenIssuer;
+    }
+
+    public void setTokenIssuer(String tokenIssuer) {
+        this.tokenIssuer = tokenIssuer;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
index 6e83e08..74d7fc2 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
@@ -35,7 +35,8 @@ public class OAuthContext {
     private String clientId;
     private boolean isClientConfidential;
     private String tokenKey;
-    private List<String> tokenAudiences;
+    private String tokenAudience;
+    private String tokenIssuer;
     private String[] tokenRequestParts;
     
     public OAuthContext(UserSubject resourceOwnerSubject,
@@ -113,12 +114,12 @@ public class OAuthContext {
         this.tokenKey = tokenKey;
     }
 
-    public List<String> getTokenAudiences() {
-        return tokenAudiences;
+    public String getTokenAudience() {
+        return tokenAudience;
     }
 
-    public void setTokenAudiences(List<String> audiences) {
-        this.tokenAudiences = audiences;
+    public void setTokenAudience(String audience) {
+        this.tokenAudience = audience;
     }
     
     public String[] getTokenRequestParts() {
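Review bot: Replacing `getTokenAudiences()`/`setTokenAudiences(List)` with the single-valued `getTokenAudience()`/`setTokenAudience(String)` is a source- and binary-incompatible change to a public class, and this lands on the 3.1.x-fixes maintenance branch, so any downstream code that reads the audience list from `OAuthContext` stops compiling. If the list form has external users, keep a `@Deprecated List<String> getTokenAudiences()` alongside the new accessor that returns `tokenAudience == null ? Collections.<String>emptyList() : Collections.singletonList(tokenAudience)`. The `List` import at the top of the file may now be unused; that line is outside the hunk.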
@@ -134,4 +135,12 @@ public class OAuthContext {
     public void setClientConfidential(boolean isConfidential) {
         this.isClientConfidential = isConfidential;
     }
+
+    public String getTokenIssuer() {
+        return tokenIssuer;
+    }
+
+    public void setTokenIssuer(String tokenIssuer) {
+        this.tokenIssuer = tokenIssuer;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
index 0b1a267..778b732 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
@@ -62,13 +62,21 @@ public class AccessTokenIntrospectionClient implements AccessTokenValidator {
     private AccessTokenValidation convertIntrospectionToValidation(TokenIntrospection response) {
         AccessTokenValidation atv = new AccessTokenValidation();
         atv.setInitialValidationSuccessful(response.isActive());
-        if (!response.isActive()) {
-            return atv;
+        if (response.getClientId() != null) {
+            atv.setClientId(response.getClientId());
+        }
+        if (response.getIat() != null) {
+            atv.setTokenIssuedAt(response.getIat());
+        }
+        if (response.getExp() != null) {
+            atv.setTokenLifetime(response.getExp() - response.getIat());
+        }
+        if (!StringUtils.isEmpty(response.getAud())) {
+            atv.setAudiences(response.getAud());
+        }
+        if (response.getIss() != null) {
+            atv.setTokenIssuer(response.getIss());
         }
-        atv.setClientId(response.getClientId());
-        atv.setTokenIssuedAt(response.getIat());
-        atv.setTokenLifetime(response.getExp() - response.getIat());
-        atv.setAudiences(response.getAud());
         if (response.getScope() != null) {
             String[] scopes = response.getScope().split(" ");
             List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
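Review bot: The lifetime computation `atv.setTokenLifetime(response.getExp() - response.getIat())` is guarded only on `getExp()`, so an introspection response that carries `exp` but omits `iat` unboxes a null `Long` and throws NullPointerException, turning a malformed response into a 500 instead of a rejected token; guard both, `if (response.getExp() != null && response.getIat() != null)`. Note also that the early `return atv` for inactive tokens was dropped, so client id, audiences and issuer are now copied from a response the server declared inactive; that is harmless only as long as every caller checks `isInitialValidationSuccessful()` before using the rest, which the filter in this commit does. When `exp` is absent the lifetime keeps its default value, which the consuming code presumably treats as a non-expiring token; a comment here stating that intent would help.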

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index 40f4a41..5fb6108 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -70,6 +70,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     
     private boolean useUserSubject;
     private String audience;
+    private String issuer;
     private boolean completeAudienceMatch;
     private boolean audienceIsEndpointAddress = true;
     private boolean checkFormData;
@@ -99,10 +100,13 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         // Get the access token
         AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData, null); 
         if (!accessTokenV.isInitialValidationSuccessful()) {
-            throw ExceptionUtils.toNotAuthorizedException(null, null);
+            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         }
         // Check audiences
-        if (!validateAudiences(accessTokenV.getAudiences())) {
+        String validAudience = validateAudiences(accessTokenV.getAudiences());
+        
+        // Check if token was issued by the supported issuer
+        if (issuer != null && issuer.equals(accessTokenV.getTokenIssuer())) {
             AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         }
         // Find the scopes which match the current request
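Review bot: The issuer check `if (issuer != null && issuer.equals(accessTokenV.getTokenIssuer()))` is inverted: it throws the authorization failure when the token's issuer matches the configured one and lets through every token whose issuer differs or is absent, which is the opposite of the comment above it and defeats the purpose of configuring an issuer. It should read `if (issuer != null && !issuer.equals(accessTokenV.getTokenIssuer())) {`. With that form a token that carries no issuer is also rejected whenever an issuer is configured, which is the safe default; if the filter is meant to accept issuer-less tokens that should be an explicit decision, not a side effect. The enclosing filter method continues outside the hunk.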
@@ -162,7 +166,8 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         oauthContext.setClientId(accessTokenV.getClientId());
         oauthContext.setClientConfidential(accessTokenV.isClientConfidential());
         oauthContext.setTokenKey(accessTokenV.getTokenKey());
-        oauthContext.setTokenAudiences(accessTokenV.getAudiences());
+        oauthContext.setTokenAudience(validAudience);
+        oauthContext.setTokenIssuer(accessTokenV.getTokenIssuer());
         oauthContext.setTokenRequestParts(authParts);
         m.setContent(OAuthContext.class, oauthContext);
     }
@@ -241,26 +246,28 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
         return MessageUtils.isTrue(m.get("local_preflight"));
     }
 
-    protected boolean validateAudiences(List<String> audiences) {
+    protected String validateAudiences(List<String> audiences) {
         if (StringUtils.isEmpty(audiences) && audience == null) {
-            return true;
+            return null;
         }
         if (audience != null) {
-            return audiences.contains(audience);
+            if (audiences.contains(audience)) {
+                return audience;
+            }
+            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
         } 
         if (!audienceIsEndpointAddress) {
-            return true;
+            return null;
         }
-        boolean matched = false;
         String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
         for (String s : audiences) {
-            matched = completeAudienceMatch ? requestPath.equals(s) : requestPath.startsWith(s);
+            boolean matched = completeAudienceMatch ? requestPath.equals(s) : requestPath.startsWith(s);
             if (matched) {
-                break;
+                return s;
             }
         }
-        return matched;
-        
+        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+        return null;
     }
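Review bot: `validateAudiences` now has three outcomes — it returns the matched audience, returns null when no audience check applies, or throws via `AuthorizationUtils.throwAuthorizationFailure` — and nothing documents that callers must read null as "not checked" rather than "failed"; since the method is protected and overridable, a Javadoc stating that contract is needed. The `if (audience != null)` branch still calls `audiences.contains(audience)` without a null guard, so a validation result with a null audience list and a configured audience raises NullPointerException (a 500) instead of a 401; use `if (audiences != null && audiences.contains(audience))`. After the `throwAuthorizationFailure` call in that branch the code relies on the helper always throwing to avoid falling into the endpoint-address logic below; an explicit `return null;` right after it would make that intent visible.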
     
     public void setCheckFormData(boolean checkFormData) {
@@ -331,5 +338,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
     public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) {
         this.audienceIsEndpointAddress = audienceIsEndpointAddress;
     }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
     
 }
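Review bot: `setIssuer` is a security-relevant configuration property with no Javadoc, so a deployer cannot tell from the API that leaving it unset disables the issuer check entirely. Add above it: `/** Sets the expected token issuer; when non-null, tokens whose issuer (introspection "iss") does not equal this value are rejected. Default null: no issuer check is performed. */`.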

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
index 1a3283b..01b7d5a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
@@ -99,8 +99,8 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
                 if (obj.getAud().size() == 1) {
                     appendJsonPair(sb, "aud", obj.getAud().get(0));
                 } else {
-                    sb.append("[");
                     StringBuilder arr = new StringBuilder();
+                    arr.append("[");
                     List<String> auds = obj.getAud();
                     for (int i = 0; i < auds.size(); i++) {
                         if (i > 0) {
@@ -108,15 +108,21 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
                         }
                         arr.append("\"").append(auds.get(i)).append("\"");
                     }
-                    sb.append("]");
+                    arr.append("]");
                     appendJsonPair(sb, "aud", arr.toString(), false);
                     
                 }
             }
+            if (obj.getIss() != null) {
+                sb.append(",");
+                appendJsonPair(sb, "iss", obj.getExp(), false);
+            }
             sb.append(",");
             appendJsonPair(sb, "iat", obj.getIat(), false);
-            sb.append(",");
-            appendJsonPair(sb, "exp", obj.getExp(), false);
+            if (obj.getExp() != null) {
+                sb.append(",");
+                appendJsonPair(sb, "exp", obj.getExp(), false);
+            }
         }
         sb.append("}");
         String result = sb.toString();
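Review bot: The new `iss` pair is written with the wrong value and the wrong quoting: `appendJsonPair(sb, "iss", obj.getExp(), false)` emits the expiry timestamp under the `iss` key, unquoted, so the issuer is never transmitted and a consumer reading `iss` (the `params.get("iss")` branch added further down in this file) gets a number where it expects a string. It should be `appendJsonPair(sb, "iss", obj.getIss());`, presumably the quoting form already used for the single-valued `aud` near the top of this file section. Since an issuer is typically a URL, it should receive the same string handling as `aud`; neither value is JSON-escaped here, which is acceptable only while issuers and audiences come from trusted server configuration.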
@@ -250,6 +256,10 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
                     resp.setAud(Collections.singletonList(aud));
                 }
             }
+            String iss = params.get("iss");
+            if (iss != null) {
+                resp.setIss(iss);
+            }
             String iat = params.get("iat");
             if (iat != null) {
                 resp.setIat(Long.valueOf(iat));

http://git-wip-us.apache.org/repos/asf/cxf/blob/4604ca12/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index 9dc4bf8..65c1af6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -73,8 +73,15 @@ public class TokenIntrospectionService {
         if (!StringUtils.isEmpty(at.getAudiences())) {
             response.setAud(at.getAudiences());
         }
+        if (at.getIssuer() != null) {
+            response.setIss(at.getIssuer());
+        }
+        
         response.setIat(at.getIssuedAt());
-        response.setExp(at.getIssuedAt() + at.getExpiresIn());
+        if (at.getExpiresIn() > 0) {
+            response.setExp(at.getIssuedAt() + at.getExpiresIn());
+        }
+        
         response.setTokenType(at.getTokenType());
         return response;
     }
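Review bot: The new `if (at.getExpiresIn() > 0)` guard silently drops `exp` for tokens with a zero or negative lifetime but leaves no explanation, so a reader cannot tell whether a missing `exp` means "never expires" or "unknown"; `AccessToken` in this same commit defaults `expiresIn` to -1, which suggests the former. Add above the guard: `// expiresIn <= 0 means no expiry (AccessToken defaults it to -1), so exp is omitted rather than emitting issuedAt plus a negative lifetime`. `response.setIat(at.getIssuedAt())` remains unconditional, so a token still carrying the -1 default for `issuedAt` would report `iat` of -1; if that can occur it deserves the same guard.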