Repository: cxf Updated Branches: refs/heads/master a1bd8bd7f -> 133f53e74
Minor updates to AccessTokenValidatorService Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/133f53e7 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/133f53e7 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/133f53e7 Branch: refs/heads/master Commit: 133f53e7498da0a9a71cfb17937ac6f004d23139 Parents: a1bd8bd Author: Sergey Beryozkin <[email protected]> Authored: Mon Nov 2 13:21:33 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Mon Nov 2 13:21:33 2015 +0000 ---------------------------------------------------------------------- .../services/AccessTokenValidatorService.java | 37 ++++++++++++++++++-- 1 file changed, 34 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/133f53e7/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
index 6cb4a4b..67609fa 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidatorService.java
@@ -18,6 +18,8 @@
 */
 package org.apache.cxf.rs.security.oauth2.services;
 
+import java.util.logging.Logger;
+
 import javax.ws.rs.Consumes;
 import javax.ws.rs.Encoded;
 import javax.ws.rs.POST;
@@ -25,22 +27,51 @@ import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.SecurityContext;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
 import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 @Path("validate")
 public class AccessTokenValidatorService extends AbstractAccessTokenValidator {
+ private static final Logger LOG = LogUtils.getL7dLogger(AccessTokenValidatorService.class);
+ private boolean blockUnsecureRequests;
+ private boolean blockUnauthorizedRequests = true;
 @POST
 @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
 public AccessTokenValidation getTokenValidationInfo(@Encoded MultivaluedMap<String, String> params) {
- if (getMessageContext().getSecurityContext().getUserPrincipal() == null) {
- AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
- }
+ checkSecurityContext();
 String authScheme = params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_TYPE);
 String authSchemeData = params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_DATA);
 return super.getAccessTokenValidation(authScheme, authSchemeData, params);
 }
+
+ private void checkSecurityContext() {
+ SecurityContext sc = getMessageContext().getSecurityContext();
+ if (!sc.isSecure() && blockUnsecureRequests) {
+ LOG.warning("Unsecure HTTP, Transport Layer Security is recommended");
+ AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+ }
+ if (sc.getUserPrincipal() == null && blockUnauthorizedRequests) {
+ //TODO: check client certificates
+ LOG.warning("Authenticated Principal is not available");
+ AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+ }
+
+ }
+
+ public void setBlockUnsecureRequests(boolean blockUnsecureRequests) {
+ this.blockUnsecureRequests = blockUnsecureRequests;
+ }
+
+ public boolean isBlockUnauthorizedRequests() {
+ return blockUnauthorizedRequests;
+ }
+
+ public void setBlockUnauthorizedRequests(boolean blockUnauthorizedRequests) {
+ this.blockUnauthorizedRequests = blockUnauthorizedRequests;
+ }
 }
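Review bot: With the default `blockUnsecureRequests = false`, the `!sc.isSecure()` branch in `checkSecurityContext()` is never entered, so a validation request that carries the token over plain HTTP is neither rejected nor logged — the "Transport Layer Security is recommended" warning only fires in the configuration that already rejects the request. Logging the warning whenever the transport is insecure and keeping only the rejection conditional preserves the permissive default while giving operators a signal; the rewrite is below. The new `setBlockUnsecureRequests` also has no matching `isBlockUnsecureRequests()` getter, unlike `blockUnauthorizedRequests`. Both setters would benefit from a one-line Javadoc stating the default, e.g. `/** Reject requests that did not arrive over a secure transport; defaults to false. */`.
```java
private void checkSecurityContext() {
    SecurityContext sc = getMessageContext().getSecurityContext();
    if (!sc.isSecure()) {
        LOG.warning("Unsecure HTTP, Transport Layer Security is recommended");
        if (blockUnsecureRequests) {
            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
        }
    }
    // … unchanged: principal check …
}
```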
