Repository: cxf Updated Branches: refs/heads/master 3be9aac26 -> a2557360f
Aligning OAuth2 Client Id check with the new mutual TLS auth draft: if client_id is avail then use it Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a2557360 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a2557360 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a2557360 Branch: refs/heads/master Commit: a2557360f4828164661a36c68b3efaff8e11e901 Parents: 3be9aac Author: Sergey Beryozkin <[email protected]> Authored: Fri Nov 11 17:15:20 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Fri Nov 11 17:15:20 2016 +0000 ---------------------------------------------------------------------- .../oauth2/services/AbstractTokenService.java | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a2557360/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index 05fdefb..d763b5b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -62,9 +62,14 @@ public class AbstractTokenService extends AbstractOAuthService {
 if (principal == null) {
 String clientId = retrieveClientId(params);
 if (clientId != null) {
- client = getAndValidateClientFromIdAndSecret(clientId,
- params.getFirst(OAuthConstants.CLIENT_SECRET),
- params);
+ if (!isMutualTls(sc, getTlsSessionInfo())) {
+ client = getAndValidateClientFromIdAndSecret(clientId,
+ params.getFirst(OAuthConstants.CLIENT_SECRET),
+ params);
+ } else {
+ client = getClient(clientId, params);
+ // Certificates will be compared below
+ }
 }
 } else {
 String clientId = retrieveClientId(params);
@@ -152,8 +157,7 @@ public class AbstractTokenService extends AbstractOAuthService {
 TLSSessionInfo tlsSessionInfo,
 MultivaluedMap<String, String> params) {
 Client client = null;
- if (tlsSessionInfo != null && StringUtils.isEmpty(sc.getAuthenticationScheme())) {
- // Pure 2-way TLS authentication
+ if (isMutualTls(sc, tlsSessionInfo)) {
 String clientId = getClientIdFromTLSCertificates(sc, tlsSessionInfo);
 if (!StringUtils.isEmpty(clientId)) {
 client = getClient(clientId, params);
@@ -161,6 +165,10 @@ public class AbstractTokenService extends AbstractOAuthService {
 }
 return client;
 }
+ protected boolean isMutualTls(SecurityContext sc, TLSSessionInfo tlsSessionInfo) {
+ // Pure 2-way TLS authentication
+ return tlsSessionInfo != null && StringUtils.isEmpty(sc.getAuthenticationScheme());
+ }
 protected String getClientIdFromTLSCertificates(SecurityContext sc, TLSSessionInfo tlsInfo) {
 Certificate[] clientCerts = tlsInfo.getPeerCertificates();
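Review bot: In the first hunk the `client_secret` check is skipped whenever `isMutualTls(sc, getTlsSessionInfo())` is true, but `isMutualTls` as added in the third hunk only tests that a TLS session exists and that no HTTP authentication scheme was set; it never checks that the peer actually presented a certificate, so a `client_id` sent over plain one-way TLS with no Authorization header takes the certificate branch and bypasses the secret check. The security of that branch then rests entirely on the comparison that the `// Certificates will be compared below` comment refers to, which lies outside this hunk and must fail closed (reject rather than fall through) when `getPeerCertificates()` is null or empty. Tightening the helper to `Certificate[] certs = tlsSessionInfo == null ? null : tlsSessionInfo.getPeerCertificates(); return certs != null && certs.length > 0 && StringUtils.isEmpty(sc.getAuthenticationScheme());` makes the name match what is checked and covers both call sites at once. The new protected method also needs Javadoc stating that it only detects a client certificate with no other authentication scheme and does not itself match that certificate to a registered client. The method enclosing the first hunk starts and ends outside it, and whether `getTlsSessionInfo()` can return null is not visible here, so the null guard above is kept.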
