Posted to commits@cxf.apache.org by se...@apache.org on 2014/12/15 16:02:31 UTC
cxf git commit: making it simpler to use refresh tokens as oAuth2
client ids and avoiding using UUID to generate tokens
Repository: cxf
Updated Branches:
refs/heads/master 6b1b576d6 -> fb6867e0f
Make it simpler to use refresh tokens as OAuth2 client ids, and stop using UUID to generate tokens
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fb6867e0
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fb6867e0
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fb6867e0
Branch: refs/heads/master
Commit: fb6867e0f5affd2f386e787e722c17fd086d3600
Parents: 6b1b576
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Mon Dec 15 15:02:15 2014 +0000
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Mon Dec 15 15:02:15 2014 +0000
----------------------------------------------------------------------
.../org/apache/cxf/common/util/StringUtils.java | 8 +++++++
.../common/util/crypto/MessageDigestUtils.java | 11 ++++-----
.../oauth2/services/AbstractTokenService.java | 17 +++++++------
.../services/RedirectionBasedGrantService.java | 3 +--
.../rs/security/oauth2/utils/OAuthUtils.java | 25 +++++++-------------
5 files changed, 32 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb6867e0/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
index 40e45a5..7df3d52 100644
--- a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
@@ -216,4 +216,12 @@ public final class StringUtils {
public static byte[] toBytes(String str, String enc) throws UnsupportedEncodingException {
return str.getBytes(enc);
}
+
+ public static String toHexString(byte[] bytes) {
+ StringBuilder hexString = new StringBuilder();
+ for (int i = 0; i < bytes.length; i++) {
+ hexString.append(Integer.toHexString(0xFF & bytes[i]));
+ }
+ return hexString.toString();
+ }
}
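Review bot: `Integer.toHexString(0xFF & bytes[i])` at L42 emits a single digit for byte values below 0x10, so the output is neither fixed-width nor injective — `{0x01, 0x23}` and `{0x12, 0x03}` both encode to `"123"` — which makes the string undecodable and, for random token material or a digest, maps distinct inputs to the same string. Pad every byte to two digits, e.g. `int v = bytes[i] & 0xFF; if (v < 0x10) { hexString.append('0'); } hexString.append(Integer.toHexString(v));`. The same encoder is reused by `MessageDigestUtils.generate` (L76) and `OAuthUtils.generateRandomTokenKey` (L178) in this commit, so fixing it here covers both, though it changes the output of digests callers may have persisted under the old one-digit form. A Javadoc stating the lowercase two-digits-per-byte contract and that a null argument throws would also help, since this is a new public utility.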
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb6867e0/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java b/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
index 24b096b..b8e84e2 100644
--- a/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/util/crypto/MessageDigestUtils.java
@@ -22,6 +22,8 @@ import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
+import org.apache.cxf.common.util.StringUtils;
+
/**
* The utility Message Digest generator which can be used for generating
* random values
@@ -37,18 +39,13 @@ public final class MessageDigestUtils {
}
public static String generate(byte[] input) {
- return generate(input, ALGO_MD5);
+ return generate(input, ALGO_SHA_256);
}
public static String generate(byte[] input, String algo) {
try {
byte[] messageDigest = createDigest(input, algo);
- StringBuilder hexString = new StringBuilder();
- for (int i = 0; i < messageDigest.length; i++) {
- hexString.append(Integer.toHexString(0xFF & messageDigest[i]));
- }
-
- return hexString.toString();
+ return StringUtils.toHexString(messageDigest);
} catch (NoSuchAlgorithmException e) {
throw new SecurityException(e);
}
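Review bot: The default algorithm of `generate(byte[])` at L65 changes from MD5 to SHA-256 with no note on the method, so any caller comparing against digests persisted before this commit will silently stop matching; a Javadoc such as `/** Returns the lowercase hex SHA-256 digest of {@code input} (MD5 before this change); pass the algorithm explicitly when comparing against stored values. */` would make the break visible. The class Javadoc at L59-L60 still says the class is "for generating random values", but `generate` is a deterministic digest of its input, and now that `OAuthUtils` no longer derives tokens from it that description points callers in the wrong direction; reword it to describe hex-encoded message digests. The body of `generate(byte[], String)` runs to the end of the hunk and `createDigest` is outside it.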
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb6867e0/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index f7feec8..23d8053 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -107,24 +107,27 @@ public class AbstractTokenService extends AbstractOAuthService {
}
// Get the Client and check the id and secret
- protected Client getAndValidateClientFromIdAndSecret(String clientId, String clientSecret) {
+ protected Client getAndValidateClientFromIdAndSecret(String clientId, String providedClientSecret) {
Client client = getClient(clientId);
if (!client.getClientId().equals(clientId)) {
throw ExceptionUtils.toNotAuthorizedException(null, null);
}
- if (isValidPublicClient(client, clientId, clientSecret)) {
+ if (isValidPublicClient(client, clientId, providedClientSecret)) {
return client;
}
if (!client.isConfidential()
- || clientSecret == null || client.getClientSecret() == null
- || !isClientSecretValid(client, clientSecret)) {
+ || !isConfidenatialClientSecretValid(client, providedClientSecret)) {
throw ExceptionUtils.toNotAuthorizedException(null, null);
}
return client;
}
- protected boolean isClientSecretValid(Client client, String clientSecret) {
- return clientSecretVerifier != null ? clientSecretVerifier.validateClientSecret(client, clientSecret)
- : client.getClientSecret().equals(clientSecret);
+ protected boolean isConfidenatialClientSecretValid(Client client, String providedClientSecret) {
+ if (clientSecretVerifier != null) {
+ return clientSecretVerifier.validateClientSecret(client, providedClientSecret);
+ } else {
+ return client.getClientSecret() != null
+ && providedClientSecret != null && client.getClientSecret().equals(providedClientSecret);
+ }
}
protected boolean isValidPublicClient(Client client, String clientId, String clientSecret) {
return canSupportPublicClients
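Review bot: `isConfidenatialClientSecretValid` at L111-L112 now invokes `clientSecretVerifier` even when `providedClientSecret` is null, which the removed guard at L100 used to prevent for both paths; a verifier implementation that does not expect null can now fail with an NPE (turning the 401 into a 500) or, depending on how it is written, accept the request. The fallback comparison at L115 uses `String.equals`, which returns early on the first differing character, so a remote party can probe the client secret's length and prefix through response timing; `MessageDigest.isEqual` on the UTF-8 bytes (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`) avoids that. The new protected method name also carries a typo that every subclass override will have to reproduce; renaming it to `isConfidentialClientSecretValid` (and the call at L102) before it ships as API is cheaper now than later. If the verifier is meant to handle clients without a stored plaintext secret, keep only the `providedClientSecret == null` part of the guard ahead of the delegation.
```java
    protected boolean isConfidenatialClientSecretValid(Client client, String providedClientSecret) {
        // Reject a missing secret before delegating, as the previous guard did for both paths.
        if (providedClientSecret == null || client.getClientSecret() == null) {
            return false;
        }
        if (clientSecretVerifier != null) {
            return clientSecretVerifier.validateClientSecret(client, providedClientSecret);
        }
        // Constant-time comparison so a mismatch does not leak the secret's length or prefix.
        return MessageDigest.isEqual(client.getClientSecret().getBytes(StandardCharsets.UTF_8),
                                     providedClientSecret.getBytes(StandardCharsets.UTF_8));
    }
```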
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb6867e0/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 3168f75..9450a8a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -23,7 +23,6 @@ import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
-import java.util.UUID;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
@@ -347,7 +346,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
subject);
} else {
HttpSession session = getMessageContext().getHttpServletRequest().getSession();
- sessionToken = UUID.randomUUID().toString();
+ sessionToken = OAuthUtils.generateRandomTokenKey();
session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
}
secData.setAuthenticityToken(sessionToken);
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb6867e0/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 83716b1..1d4088f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -24,12 +24,11 @@ import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
-import java.util.UUID;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.common.util.crypto.MessageDigestUtils;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.model.URITemplate;
import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -48,7 +47,7 @@ public final class OAuthUtils {
private OAuthUtils() {
}
-
+
public static UserSubject createSubject(SecurityContext securityContext) {
List<String> roleNames = Collections.emptyList();
if (securityContext instanceof LoginSecurityContext) {
@@ -105,25 +104,19 @@ public final class OAuthUtils {
}
public static String generateRandomTokenKey() throws OAuthServiceException {
- return generateRandomTokenKey(null);
+ return generateRandomTokenKey(16);
+ }
+ public static String generateRandomTokenKey(int byteSize) {
+ if (byteSize < 16) {
+ throw new OAuthServiceException();
+ }
+ return StringUtils.toHexString(CryptoUtils.generateSecureRandomBytes(byteSize));
}
public static long getIssuedAt() {
return System.currentTimeMillis() / 1000;
}
- public static String generateRandomTokenKey(String digestAlgo) throws OAuthServiceException {
- try {
- byte[] bytes = UUID.randomUUID().toString().getBytes("UTF-8");
- if (digestAlgo == null) {
- digestAlgo = MessageDigestUtils.ALGO_MD5;
- }
- return MessageDigestUtils.generate(bytes, digestAlgo);
- } catch (Exception ex) {
- throw new OAuthServiceException(OAuthConstants.SERVER_ERROR, ex);
- }
- }
-
public static boolean isExpired(Long issuedAt, Long lifetime) {
return lifetime != -1
&& issuedAt + lifetime < System.currentTimeMillis() / 1000;
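Review bot: `generateRandomTokenKey(int)` at L175-L177 throws a bare `OAuthServiceException()` when `byteSize < 16`, so a misconfigured caller gets no indication of what was rejected; attach a message naming the value, for example using the `(String, Throwable)` form the removed code used at L191: `throw new OAuthServiceException(OAuthConstants.SERVER_ERROR, new IllegalArgumentException("byteSize must be at least 16, was " + byteSize));`. The two overloads are also inconsistent — the no-arg one at L170 still declares `throws OAuthServiceException` while the new one does not — and the public `generateRandomTokenKey(String)` overload removed at L183-L193 is API that downstream callers may use; if it is dropped deliberately, say so in the commit message or deprecate it for one release first. A Javadoc on the new method should state that the result is the hex encoding of `byteSize` bytes from `CryptoUtils.generateSecureRandomBytes` (presumably `SecureRandom`-backed — confirm, since the token is used as a session authenticity token elsewhere in this commit) and that the minimum of 16 bytes is a 128-bit entropy floor.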