Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 04300f6e3 -> 814dafbb8
Updating SubjectCreator to accept Client too as it may be needed to create UserSubject correctly
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/814dafbb
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/814dafbb
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/814dafbb
Branch: refs/heads/3.1.x-fixes
Commit: 814dafbb8d0b6124b3a7efe5ead768f731a9ff66
Parents: 04300f6
Author: Sergey Beryozkin <[email protected]>
Authored: Mon Feb 8 13:23:31 2016 +0000
Committer: Sergey Beryozkin <[email protected]>
Committed: Mon Feb 8 13:24:26 2016 +0000
----------------------------------------------------------------------
 .../oauth2/common/OAuthAuthorizationData.java | 17 +++++++++++++++
 .../oauth2/common/OAuthRedirectionState.java | 17 ---------------
 .../oauth2/provider/DefaultSubjectCreator.java | 3 ++-
 .../provider/JoseSessionTokenProvider.java | 22 ++++++++------------
 .../oauth2/provider/SubjectCreator.java | 4 +++-
 .../services/AbstractImplicitGrantService.java | 6 +++---
 .../services/DirectAuthorizationService.java | 9 ++++----
 .../services/RedirectionBasedGrantService.java | 14 ++++++-------
 .../security/oidc/idp/OidcImplicitService.java | 2 +-
 9 files changed, 47 insertions(+), 47 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 27cb511..8cf1102 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,6 +39,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 public class OAuthAuthorizationData extends OAuthRedirectionState implements Serializable {
 private static final long serialVersionUID = -7755998413495017637L;
+ private String clientId;
 private String endUserName;
 private String authenticityToken;
 private String replyTo;
@@ -59,6 +60,22 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 }
 /**
+ * Sets the client id which needs to be retained in a hidden form field
+ * @param clientId the client id
+ */
+ public void setClientId(String clientId) {
+ this.clientId = clientId;
+ }
+
+ /**
+ * Gets the client id which needs to be retained in a hidden form field
+ * @return the client id
+ */
+ public String getClientId() {
+ return clientId;
+ }
+
+ /**
 * Get the client application name
 * @return application name
 */
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
index 0ff4d47..761d41f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
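Review bot: Moving `getClientId`/`setClientId` from `OAuthRedirectionState` down to `OAuthAuthorizationData` is a public-API change on the 3.1.x-fixes branch: any custom `SessionAuthenticityTokenProvider` that serialised `state.getClientId()` (as `JoseSessionTokenProvider` did before this commit) stops compiling, and nothing in the class Javadoc says that the client id is no longer part of the session-persisted redirection state. A class-level note on `OAuthAuthorizationData` such as `* The client id is carried only by this form-data object (hidden form field); it is not part of the OAuthRedirectionState persisted in the session.` plus a release-note entry would make the move discoverable. The copied accessor Javadoc is otherwise accurate for this class.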
@@ -23,7 +23,6 @@ import java.io.Serializable;
 public class OAuthRedirectionState implements Serializable {
 private static final long serialVersionUID = -661649302262699347L;
- private String clientId;
 private String redirectUri;
 private String state;
 private String proposedScope;
@@ -37,22 +36,6 @@ public class OAuthRedirectionState implements Serializable {
 /**
- * Sets the client id which needs to be retained in a hidden form field
- * @param clientId the client id
- */
- public void setClientId(String clientId) {
- this.clientId = clientId;
- }
-
- /**
- * Gets the client id which needs to be retained in a hidden form field
- * @return the client id
- */
- public String getClientId() {
- return clientId;
- }
-
- /**
 * Sets the redirect uri which needs to be retained in a hidden form field
 * @param redirectUri the redirect uri
 */
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
index ae870fb..36afd1b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
@@ -19,6 +19,7 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
@@ -26,7 +27,7 @@ import org.apache.cxf.security.SecurityContext;
 public class DefaultSubjectCreator implements SubjectCreator {
 @Override
- public UserSubject createUserSubject(MessageContext mc) throws OAuthServiceException {
+ public UserSubject createUserSubject(MessageContext mc, Client client) throws OAuthServiceException {
 return OAuthUtils.createSubject(mc, (SecurityContext)mc.get(SecurityContext.class.getName()));
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
index 1948c0f..9722e16 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
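Review bot: The new `client` parameter is not used by `DefaultSubjectCreator.createUserSubject`, which is fine for the default implementation but should be stated so a reader does not expect the returned subject to be client-specific, e.g. `// client is intentionally unused: the default subject is derived from the SecurityContext alone`. The method still hands whatever `mc.get(SecurityContext.class.getName())` returns straight to `OAuthUtils.createSubject`; whether a missing context is handled there is not visible from this hunk, so a one-line Javadoc noting the expected precondition on the message context would help implementors of custom creators.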
@@ -147,36 +147,32 @@ public class JoseSessionTokenProvider implements SessionAuthenticityTokenProvide
 private OAuthRedirectionState convertStateStringToState(String stateString) {
 String[] parts = ModelEncryptionSupport.getParts(stateString);
 OAuthRedirectionState state = new OAuthRedirectionState();
- state.setClientId(parts[0]);
+ if (!StringUtils.isEmpty(parts[0])) {
+ state.setAudience(parts[0]);
+ }
 if (!StringUtils.isEmpty(parts[1])) {
- state.setAudience(parts[1]);
+ state.setClientCodeChallenge(parts[1]);
 }
 if (!StringUtils.isEmpty(parts[2])) {
- state.setClientCodeChallenge(parts[2]);
+ state.setState(parts[2]);
 }
 if (!StringUtils.isEmpty(parts[3])) {
- state.setState(parts[3]);
+ state.setProposedScope(parts[3]);
 }
 if (!StringUtils.isEmpty(parts[4])) {
- state.setProposedScope(parts[4]);
+ state.setRedirectUri(parts[4]);
 }
 if (!StringUtils.isEmpty(parts[5])) {
- state.setRedirectUri(parts[5]);
+ state.setNonce(parts[5]);
 }
 if (!StringUtils.isEmpty(parts[6])) {
- state.setNonce(parts[6]);
- }
- if (!StringUtils.isEmpty(parts[7])) {
- state.setResponseType(parts[7]);
+ state.setResponseType(parts[6]);
 }
 return state;
 }
 protected String convertStateToString(OAuthRedirectionState secData) {
 //TODO: make it simpler, convert it to JwtClaims -> JSON
 StringBuilder state = new StringBuilder();
- // 0: client id
- state.append(ModelEncryptionSupport.tokenizeString(secData.getClientId()));
- state.append(ModelEncryptionSupport.SEP);
 // 1: client audience
 state.append(ModelEncryptionSupport.tokenizeString(secData.getAudience()));
 state.append(ModelEncryptionSupport.SEP);
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
----------------------------------------------------------------------
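Review bot: The `// 1: client audience` comment in `convertStateToString` now labels the first serialised field (read back as `parts[0]` in `convertStateStringToState`), and the numbered comments that follow outside the hunk are presumably off by one as well; renumber them or replace the numbers with a single statement of the contract, e.g. `// field order must match convertStateStringToState: audience, code challenge, state, scope, redirect uri, nonce, response type`. The session token's on-the-wire layout also changes here, so a token minted before this deployment is parsed with every field shifted by one; if session tokens can outlive an upgrade, a format marker or an explicit part-count check in `convertStateStringToState` would turn that into a clean rejection rather than a misread state. `convertStateToString` continues past the end of the hunk.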
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
index 74f9486..e21b4d6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 /**
@@ -32,8 +33,9 @@ public interface SubjectCreator {
 /**
 * Create a {@link UserSubject}
 * @param mc the {@link MessageContext} of this request
+ * @param client the client
 * @return {@link UserSubject}
 * @throws OAuthServiceException
 */
- UserSubject createUserSubject(MessageContext mc) throws OAuthServiceException;
+ UserSubject createUserSubject(MessageContext mc, Client client) throws OAuthServiceException;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index f3c466b..6c9349d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
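Review bot: `@param client the client` adds nothing beyond the type, and this is the interface implementors code against, so the Javadoc should say what the client means here and whether it can be null, e.g. `* @param client the {@link Client} on whose behalf the end user is being authenticated; implementations may use its properties to build a client-specific subject`. Every caller in this commit obtains it through `getClient(...)` before calling, so documenting it as never null looks right, but that is inferred from the callers rather than visible in this hunk. The added parameter is also a source-incompatible change for existing `SubjectCreator` implementations on a fixes branch and deserves a release-note mention.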
@@ -108,16 +108,16 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
 processRefreshToken(sb, token.getRefreshToken());
 }
- return finalizeResponse(sb, state);
+ return finalizeResponse(sb, client, state);
 }
- protected Response finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
+ protected Response finalizeResponse(StringBuilder sb, Client client, OAuthRedirectionState state) {
 if (state.getState() != null) {
 sb.append("&");
 sb.append(OAuthConstants.STATE).append("=").append(state.getState());
 }
 if (reportClientId) {
- sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(state.getClientId());
+ sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId());
 }
 return Response.seeOther(URI.create(sb.toString())).build();
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
index f88a85a..c39badb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
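Review bot: `finalizeResponse` is protected and its signature changes on a maintenance branch, so a subclass that overrides the old `(StringBuilder, OAuthRedirectionState)` form either stops compiling (with `@Override`) or silently stops being called (without it); `OidcImplicitService` is adjusted in this commit, but out-of-tree subclasses are not. The new method also dereferences `client.getClientId()` unconditionally whenever `reportClientId` is set, so it needs a Javadoc stating that `client` must not be null, e.g. `/** Appends state and, when reportClientId is set, client_id to the redirect URI being built; client must not be null. */`. The method's closing brace lies outside the hunk.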
@@ -51,9 +51,10 @@ public class DirectAuthorizationService extends AbstractOAuthService {
 @Produces("text/html")
 public Response authorize(MultivaluedMap<String, String> params) {
 SecurityContext sc = getAndValidateSecurityContext(params);
- // Create a UserSubject representing the end user
- UserSubject userSubject = createUserSubject(sc);
 Client client = getClient(params);
+ // Create a UserSubject representing the end user
+ UserSubject userSubject = createUserSubject(sc, client);
+
 AccessTokenRegistration reg = new AccessTokenRegistration();
 reg.setClient(client);
@@ -82,10 +83,10 @@ public class DirectAuthorizationService extends AbstractOAuthService {
 checkTransportSecurity();
 return securityContext;
 }
- protected UserSubject createUserSubject(SecurityContext securityContext) {
+ protected UserSubject createUserSubject(SecurityContext securityContext, Client client) {
 UserSubject subject = null;
 if (subjectCreator != null) {
- subject = subjectCreator.createUserSubject(getMessageContext());
+ subject = subjectCreator.createUserSubject(getMessageContext(), client);
 if (subject != null) {
 return subject;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index cb833c9..12b6f2a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
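Review bot: `createUserSubject(SecurityContext, Client)` in the `@@ -82` hunk is now line-for-line identical to the one in `RedirectionBasedGrantService` (its `@@ -370` hunk), and both read a `subjectCreator` field of their own; as both classes extend `AbstractOAuthService`, the field and the method could presumably live there once instead of being kept in sync by hand, which is exactly what this commit had to do. Until that refactoring a pointer to the twin, `// keep in sync with RedirectionBasedGrantService.createUserSubject`, would at least flag the duplication for the next change. Both method bodies run past the end of their hunks.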
@@ -118,9 +118,9 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 protected Response startAuthorization(MultivaluedMap<String, String> params) {
 // Make sure the end user has authenticated, check if HTTPS is used
 SecurityContext sc = getAndValidateSecurityContext(params);
- // Create a UserSubject representing the end user
- UserSubject userSubject = createUserSubject(sc);
 Client client = getClient(params);
+ // Create a UserSubject representing the end user
+ UserSubject userSubject = createUserSubject(sc, client);
 return startAuthorization(params, userSubject, client);
 }
@@ -277,7 +277,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 }
 if (state == null) {
 state = new OAuthRedirectionState();
- state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
 state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
 state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
 // or if no audience parameter is available, set the list of client
@@ -311,7 +310,9 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 protected Response completeAuthorization(MultivaluedMap<String, String> params) {
 // Make sure the end user has authenticated, check if HTTPS is used
 SecurityContext securityContext = getAndValidateSecurityContext(params);
- UserSubject userSubject = createUserSubject(securityContext);
+ Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID));
+
+ UserSubject userSubject = createUserSubject(securityContext, client);
 // Make sure the session is valid
 String sessionTokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
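Review bot: In the `@@ -311` hunk `completeAuthorization` now resolves the client from the request's `client_id` parameter, whereas before this commit it came from `state.getClientId()` recovered from the session token (the line removed in the `@@ -325` hunk that follows), so the client is no longer tied to the session the end user actually approved: a completion request carrying a valid session token together with a different registered client's id would have its redirect URI and scopes validated against that other client unless `recreateRedirectionStateFromSession` (outside the hunk) re-establishes the binding. Because the commit keeps the client id in a hidden form field on `OAuthAuthorizationData`, it would be consistent to keep it in the session-bound state as well and reject the request when the two disagree, for example by having `recreateRedirectionStateFromSession` compare the recovered client id with `client.getClientId()` and fail through the existing invalid-request handling. If the session token is already keyed to the client somewhere else, a comment at the `getClient` call saying so would spare the next reader the same question. `completeAuthorization` continues beyond this hunk.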
@@ -325,7 +326,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 OAuthRedirectionState state = recreateRedirectionStateFromSession(userSubject, params, sessionToken);
- Client client = getClient(state.getClientId());
 String redirectUri = validateRedirectUri(client, state.getRedirectUri());
 // Get the end user decision value
@@ -370,10 +370,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 this.subjectCreator = creator;
 }
- protected UserSubject createUserSubject(SecurityContext securityContext) {
+ protected UserSubject createUserSubject(SecurityContext securityContext, Client client) {
 UserSubject subject = null;
 if (subjectCreator != null) {
- subject = subjectCreator.createUserSubject(getMessageContext());
+ subject = subjectCreator.createUserSubject(getMessageContext(), client);
 if (subject != null) {
 return subject;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/814dafbb/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index f8a72ab..1bbc391 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -105,7 +105,7 @@ public class OidcImplicitService extends ImplicitGrantService {
 sb.append("&");
 sb.append(OAuthConstants.STATE).append("=").append(state.getState());
 }
- return finalizeResponse(sb, state);
+ return finalizeResponse(sb, client, state);
 }
 private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject) {
