cxf git commit: Makaing sure the code filter can catch all code response errors
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 0f4c8989c -> 4ff4cf5f2 Makaing sure the code filter can catch all code response errors Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4ff4cf5f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4ff4cf5f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4ff4cf5f Branch: refs/heads/3.1.x-fixes Commit: 4ff4cf5f28b22bc85cc107a9d31545c53c04845a Parents: 0f4c898 Author: Sergey BeryozkinAuthored: Fri Nov 13 10:56:58 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 10:58:34 2015 + -- .../cxf/rs/security/oauth2/client/AccessDeniedResponse.java | 8 +++- .../rs/security/oauth2/client/ClientCodeRequestFilter.java | 4 ++-- .../oauth2/provider/AbstractOAuthJoseJwtProducer.java| 5 +++-- 3 files changed, 12 insertions(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/4ff4cf5f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java index 9ec28ab..16a87bf 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java @@ -19,5 +19,11 @@ package org.apache.cxf.rs.security.oauth2.client; public class AccessDeniedResponse { - +private String error; +public AccessDeniedResponse(String error) { +this.error = error; +} +public String getError() { +return error; +} } http://git-wip-us.apache.org/repos/asf/cxf/blob/4ff4cf5f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java -- 
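Review bot: Adding `AccessDeniedResponse(String error)` removes the implicit no-arg constructor, which is a source-incompatible change on a fixes branch. It also matters if the entity is ever instantiated or bound reflectively by a provider, which is not visible here. Consider keeping `public AccessDeniedResponse() { }` next to the new constructor. The class and `getError()` have no Javadoc; it should say that `error` is the raw `error` request parameter from the authorization redirect and has not been validated or encoded.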
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java index 3e312a3..18285a6 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java @@ -115,10 +115,10 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { if (sc == null || sc.getUserPrincipal() == null) { if (codeParam == null && requestParams.containsKey(OAuthConstants.ERROR_KEY) -&& OAuthConstants.ACCESS_DENIED.equals(requestParams.getFirst(OAuthConstants.ERROR_KEY)) && !faultAccessDeniedResponses) { if (!applicationCanHandleAccessDenied) { -rc.abortWith(Response.ok(new AccessDeniedResponse()).build()); +String error = requestParams.getFirst(OAuthConstants.ERROR_KEY); +rc.abortWith(Response.ok(new AccessDeniedResponse(error)).build()); } } else { throw ExceptionUtils.toNotAuthorizedException(null, null); http://git-wip-us.apache.org/repos/asf/cxf/blob/4ff4cf5f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java index b0a7414..fec38bc 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java 
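Review bot: With the `OAuthConstants.ACCESS_DENIED` comparison removed, the string passed to `new AccessDeniedResponse(error)` is whatever the caller supplied as the `error` request parameter. Any unauthenticated request with an `error` value and no `code` now gets a 200 response carrying that string instead of the `NotAuthorized` path. Whatever writes or renders the entity must treat `getError()` as untrusted text and encode it for its output format. It would be safer to accept only the error codes defined in RFC 6749 section 4.1.2.1 before calling `rc.abortWith(...)` and to fall through to `ExceptionUtils.toNotAuthorizedException(null, null)` otherwise. The names `faultAccessDeniedResponses` and `applicationCanHandleAccessDenied` now cover every error code, which deserves a comment at the condition; the enclosing method starts and ends outside the hunk.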
@@ -22,6 +22,7 @@ import java.util.Properties; import javax.crypto.SecretKey; +import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils; import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm; import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; @@ -44,7 +45,7 @@ public abstract class
cxf git commit: Making sure an empty/null secret is not used for getting tokens for public clients
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 4ff4cf5f2 -> e80086821 Making sure an empty/null secret is not used for getting tokens for public clients Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e8008682 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e8008682 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e8008682 Branch: refs/heads/3.1.x-fixes Commit: e80086821a1f4020247d97bbd62dd8cad81d4ae1 Parents: 4ff4cf5 Author: Sergey BeryozkinAuthored: Fri Nov 13 11:35:16 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 11:36:03 2015 + -- .../cxf/rs/security/oauth2/client/OAuthClientUtils.java | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/e8008682/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java index 971b481..17471f8 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java @@ -33,6 +33,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import org.apache.cxf.common.util.Base64Utility; +import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.jaxrs.client.WebClient; import org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant; import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; 
@@ -281,7 +282,8 @@ public final class OAuthClientUtils {
 }
 }
 if (consumer != null) {
-if (setAuthorizationHeader) {
+boolean secretAvailable = !StringUtils.isEmpty(consumer.getSecret());
+if (setAuthorizationHeader && secretAvailable) {
 StringBuilder sb = new StringBuilder();
 sb.append("Basic ");
 try {
@@ -293,7 +295,7 @@ public final class OAuthClientUtils {
 accessTokenService.replaceHeader("Authorization", sb.toString());
 } else {
 form.param(OAuthConstants.CLIENT_ID, consumer.getKey());
-if (consumer.getSecret() != null) {
+if (secretAvailable) {
 form.param(OAuthConstants.CLIENT_SECRET, consumer.getSecret());
 }
 }
@@ -315,7 +317,7 @@ public final class OAuthClientUtils {
 } else {
 return token;
 }
-} else if (400 == response.getStatus() && map.containsKey(OAuthConstants.ERROR_KEY)) {
+} else if (response.getStatus() >= 400 && map.containsKey(OAuthConstants.ERROR_KEY)) {
 OAuthError error = new OAuthError(map.get(OAuthConstants.ERROR_KEY),
 map.get(OAuthConstants.ERROR_DESCRIPTION_KEY));
 error.setErrorUri(map.get(OAuthConstants.ERROR_URI_KEY));
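Review bot: When `setAuthorizationHeader` is true but `consumer.getSecret()` is null or empty, the request now silently takes the `else` branch and sends only `client_id` in the form. A confidential client whose secret failed to load is therefore sent as a public-client request with nothing to show for it. At minimum the `secretAvailable` line should carry a comment such as `// public clients have no secret: skip Basic auth and send client_id only`. A log entry for the case `setAuthorizationHeader && !secretAvailable` would make a misconfiguration visible. The second hunk (`if (secretAvailable)`) depends on the same flag, and the identical change appears again in the master commit 0b8ac3e0 further down this page; the enclosing method starts and ends outside the hunks.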
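Review bot: The widened test `response.getStatus() >= 400` now builds an `OAuthError` from the body of any 4xx or 5xx reply that contains an `error` key, including replies that may come from a proxy or gateway rather than the token endpoint. The `error`, `error_description` and `error_uri` strings are copied through unchanged, so callers that log or display the resulting error should treat them as untrusted input. A comment here should say so, for example `// values come from the remote response body; do not render or log them unescaped`. A reply with status 400 or above but no `error` key still falls through to code outside this hunk, and it is not visible here whether that path reports the HTTP status.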
cxf git commit: Making sure an empty/null secret is not used for getting tokens for public clients
Repository: cxf Updated Branches: refs/heads/master 144ee70dc -> 0b8ac3e0e Making sure an empty/null secret is not used for getting tokens for public clients Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0b8ac3e0 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0b8ac3e0 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0b8ac3e0 Branch: refs/heads/master Commit: 0b8ac3e0e2488b015f52d178a33da943ce81ce0e Parents: 144ee70 Author: Sergey BeryozkinAuthored: Fri Nov 13 11:35:16 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 11:35:16 2015 + -- .../cxf/rs/security/oauth2/client/OAuthClientUtils.java | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/0b8ac3e0/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java index 971b481..17471f8 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java @@ -33,6 +33,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import org.apache.cxf.common.util.Base64Utility; +import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.jaxrs.client.WebClient; import org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant; import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; 
@@ -281,7 +282,8 @@ public final class OAuthClientUtils {
 }
 }
 if (consumer != null) {
-if (setAuthorizationHeader) {
+boolean secretAvailable = !StringUtils.isEmpty(consumer.getSecret());
+if (setAuthorizationHeader && secretAvailable) {
 StringBuilder sb = new StringBuilder();
 sb.append("Basic ");
 try {
@@ -293,7 +295,7 @@ public final class OAuthClientUtils {
 accessTokenService.replaceHeader("Authorization", sb.toString());
 } else {
 form.param(OAuthConstants.CLIENT_ID, consumer.getKey());
-if (consumer.getSecret() != null) {
+if (secretAvailable) {
 form.param(OAuthConstants.CLIENT_SECRET, consumer.getSecret());
 }
 }
@@ -315,7 +317,7 @@ public final class OAuthClientUtils {
 } else {
 return token;
 }
-} else if (400 == response.getStatus() && map.containsKey(OAuthConstants.ERROR_KEY)) {
+} else if (response.getStatus() >= 400 && map.containsKey(OAuthConstants.ERROR_KEY)) {
 OAuthError error = new OAuthError(map.get(OAuthConstants.ERROR_KEY),
 map.get(OAuthConstants.ERROR_DESCRIPTION_KEY));
 error.setErrorUri(map.get(OAuthConstants.ERROR_URI_KEY));
cxf-fediz git commit: [FEDIZ-131] Completing the cxf plugin demo
Repository: cxf-fediz Updated Branches: refs/heads/master 9f05f8969 -> a9ac5873d [FEDIZ-131] Completing the cxf plugin demo Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/a9ac5873 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/a9ac5873 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/a9ac5873 Branch: refs/heads/master Commit: a9ac5873d4fb1c11d623b219c20555adb37f4c7d Parents: 9f05f89 Author: Sergey BeryozkinAuthored: Fri Nov 13 15:16:29 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 15:16:29 2015 + -- .../apache/cxf/fediz/example/FederationService.java| 13 ++--- examples/pom.xml | 1 + 2 files changed, 11 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a9ac5873/examples/jaxrsCxfPluginWebapp/src/main/java/org/apache/cxf/fediz/example/FederationService.java -- diff --git a/examples/jaxrsCxfPluginWebapp/src/main/java/org/apache/cxf/fediz/example/FederationService.java b/examples/jaxrsCxfPluginWebapp/src/main/java/org/apache/cxf/fediz/example/FederationService.java index fa31a87..471b8bf 100644 --- a/examples/jaxrsCxfPluginWebapp/src/main/java/org/apache/cxf/fediz/example/FederationService.java +++ b/examples/jaxrsCxfPluginWebapp/src/main/java/org/apache/cxf/fediz/example/FederationService.java @@ -25,6 +25,7 @@ import java.util.Arrays; import java.util.List; import javax.ws.rs.GET; +import javax.ws.rs.POST; import javax.ws.rs.Path; import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; 
@@ -49,10 +50,16 @@ import org.apache.cxf.fediz.core.SecurityTokenThreadLocal; @Path("/") public class FederationService { - +@Context +private UriInfo uriInfo; +@Context +private SecurityContext securityContext; +@POST +public Response getTokenInfoFromPost() { +return getTokenInfo(); +} @GET -public Response get(@Context UriInfo uriInfo, -@Context SecurityContext securityContext) { +public Response getTokenInfo() { ResponseBuilder rb = Response.ok().type("text/html"); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/a9ac5873/examples/pom.xml -- diff --git a/examples/pom.xml b/examples/pom.xml index e6c6490..d77b8d6 100644 --- a/examples/pom.xml +++ b/examples/pom.xml @@ -39,6 +39,7 @@ springPreauthWebapp jaxrsSimpleWebapp jaxrsSpringSecurityWebapp +jaxrsCxfPluginWebapp
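Review bot: `getTokenInfoFromPost()` has no comment explaining why the demo resource accepts POST. Presumably the sign-in response is posted back to this URL; if so, say it, e.g. `// the sign-in response is POSTed to this URL, so POST returns the same page as GET`. Moving `UriInfo` and `SecurityContext` from method parameters to `@Context` fields relies on the runtime injecting per-request views into the fields. That is worth a one-line comment, because the resource's lifecycle (singleton or per-request) is not visible in this hunk. The body of `getTokenInfo()` continues outside the hunk.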
cxf git commit: Adding JWTValidator
Repository: cxf Updated Branches: refs/heads/master 67ac0ab27 -> c8905fd54 Adding JWTValidator Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c8905fd5 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c8905fd5 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c8905fd5 Branch: refs/heads/master Commit: c8905fd544457546be73f8887e154bb72dee7c7e Parents: 67ac0ab Author: Colm O hEigeartaighAuthored: Fri Nov 13 16:28:07 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 16:28:07 2015 + -- .../apache/cxf/sts/request/ReceivedToken.java | 7 +- .../token/validator/jwt/JWTTokenValidator.java | 207 .../token/validator/JWTTokenValidatorTest.java | 246 +++ 3 files changed, 459 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/c8905fd5/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java -- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java index c2e1aee..252ec60 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java @@ -33,7 +33,7 @@ import org.apache.cxf.ws.security.sts.provider.STSException; /** * This class contains values that have been extracted from a received Token. The Token can be a - * JAXB UsernameTokenType/BinarySecurityTokenType or a DOM Element. + * JAXB UsernameTokenType/BinarySecurityTokenType, a DOM Element or a String. */ public class ReceivedToken { 
@@ -74,6 +74,11 @@ public class ReceivedToken { } this.token = receivedToken; isDOMElement = true; +} else if (receivedToken instanceof String) { +if (LOG.isLoggable(Level.FINE)) { +LOG.fine("Found ValidateTarget String"); +} +this.token = receivedToken; } else { LOG.fine("Found ValidateTarget object of unknown type"); throw new STSException( http://git-wip-us.apache.org/repos/asf/cxf/blob/c8905fd5/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java -- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java new file mode 100644 index 000..837c3c1 --- /dev/null +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java 
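Review bot: The new `instanceof String` branch accepts any string, including an empty one, as a ValidateTarget. It stores the value without setting a flag comparable to `isDOMElement`, so later code cannot tell from the flags what kind of token it holds. Rejecting empty input at this point keeps obviously invalid tokens away from the validators: `} else if (receivedToken instanceof String && !((String)receivedToken).isEmpty()) {`. The `LOG.isLoggable(Level.FINE)` guard around a constant message adds nothing, and the `else` branch just below logs without it. The constructor starts and ends outside the hunk.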
@@ -0,0 +1,207 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.sts.token.validator.jwt; + +import java.security.KeyStore; +import java.security.Principal; +import java.util.Properties; +import java.util.logging.Level; +import java.util.logging.Logger; + +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.common.security.SimplePrincipal; +import org.apache.cxf.rs.security.jose.common.JoseConstants; +import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; +import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer; +import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; +import org.apache.cxf.rs.security.jose.jws.JwsUtils; +import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.jose.jwt.JwtUtils; +import org.apache.cxf.sts.STSPropertiesMBean; +import org.apache.cxf.sts.request.ReceivedToken; +import org.apache.cxf.sts.request.ReceivedToken.STATE; +import org.apache.cxf.sts.token.validator.TokenValidator; +import org.apache.cxf.sts.token.validator.TokenValidatorParameters; +import
cxf git commit: Introducing a dedicated property for checking client secret algorithms
Repository: cxf Updated Branches: refs/heads/master c8905fd54 -> 92b8fbba1 Introducing a dedicated property for checking client secret algorithms Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/92b8fbba Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/92b8fbba Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/92b8fbba Branch: refs/heads/master Commit: 92b8fbba1f1c192a26aa77e6c0bb42e7ae1d63c1 Parents: c8905fd Author: Sergey BeryozkinAuthored: Fri Nov 13 16:46:39 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 16:46:39 2015 + -- .../oauth2/provider/AbstractOAuthJoseJwtConsumer.java | 9 +++-- .../oauth2/provider/AbstractOAuthJoseJwtProducer.java | 9 +++-- .../apache/cxf/rs/security/oauth2/utils/OAuthConstants.java | 5 + 3 files changed, 19 insertions(+), 4 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/92b8fbba/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java index 5d2fa3b..175346e 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java 
@@ -31,6 +31,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer; import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; import org.apache.cxf.rt.security.crypto.CryptoUtils; public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer { @@ -47,7 +48,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) { if (verifyWithClientSecret) { Properties props = JwsUtils.loadSignatureInProperties(false); -SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256); +SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm( + props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM)); +sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256; if (AlgorithmUtils.isHmacSign(sigAlgo)) { return JwsUtils.getHmacSignatureVerifier(clientSecret, sigAlgo); } @@ -59,7 +62,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum if (decryptWithClientSecret) { SecretKey key = CryptoUtils.decodeSecretKey(clientSecret); Properties props = JweUtils.loadEncryptionInProperties(false); -ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM); +ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm( + props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM)); +ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM; theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo); } return theDecryptionProvider; http://git-wip-us.apache.org/repos/asf/cxf/blob/92b8fbba/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java -- 
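Review bot: `props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM)` dereferences the result of `JwsUtils.loadSignatureInProperties(false)` directly. If that call can return null when nothing is configured (the `false` argument suggests the properties are optional), this line throws a NullPointerException instead of falling back to `SignatureAlgorithm.HS256`. The decryption hunk below has the same shape with `JweUtils.loadEncryptionInProperties(false)` and `OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM`. A guard keeps the default reachable: `String algo = props == null ? null : props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM);`. A comment should also state that a configured non-HMAC value makes `AlgorithmUtils.isHmacSign(sigAlgo)` false, so the client secret is not used for verification; what happens after that is outside the hunk.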
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java index fec38bc..5e1c870 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java @@ -32,6 +32,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer; import
cxf-fediz git commit: [FEDIZ-135] Letting the sign in request to proceed
Repository: cxf-fediz Updated Branches: refs/heads/master 890e2277b -> 9f05f8969 [FEDIZ-135] Letting the sign in request to proceed Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9f05f896 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9f05f896 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9f05f896 Branch: refs/heads/master Commit: 9f05f8969e9afc62d46d7be0480854a771290124 Parents: 890e227 Author: Sergey BeryozkinAuthored: Fri Nov 13 15:13:42 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 15:13:42 2015 + -- .../cxf/plugin/FedizRedirectBindingFilter.java | 252 +++ .../src/main/webapp/WEB-INF/cxf-service.xml | 1 + 2 files changed, 149 insertions(+), 104 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9f05f896/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java -- diff --git a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java index 1f1e3c8..731b24a 100644 --- a/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java +++ b/plugins/cxf/src/main/java/org/apache/cxf/fediz/cxf/plugin/FedizRedirectBindingFilter.java @@ -18,6 +18,7 @@ */ package org.apache.cxf.fediz.cxf.plugin; +import java.io.IOException; import java.io.InputStream; import java.net.URI; import java.security.cert.X509Certificate; @@ -32,6 +33,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.ws.rs.HttpMethod; import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.container.ContainerResponseContext; +import javax.ws.rs.container.ContainerResponseFilter; import javax.ws.rs.core.Context; import javax.ws.rs.core.Cookie; import javax.ws.rs.core.HttpHeaders; 
@@ -40,6 +43,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.ResponseBuilder; import org.w3c.dom.Document; + import org.apache.cxf.fediz.core.FederationConstants; import org.apache.cxf.fediz.core.RequestState; import org.apache.cxf.fediz.core.SAMLSSOConstants; @@ -65,12 +69,15 @@ import org.apache.wss4j.common.util.DOM2Writer; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter { +public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter +implements ContainerResponseFilter { private static final Logger LOG = LoggerFactory.getLogger(FedizRedirectBindingFilter.class); @Context private MessageContext messageContext; + +private boolean redirectOnInitialSignIn; public void filter(ContainerRequestContext context) { Message m = JAXRSUtils.getCurrentMessage(); 
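Review bot: The new `redirectOnInitialSignIn` field has no comment and no visible setter in this hunk, and its default of `false` appears to change what an unauthenticated request does. Judging by the commit title, with the default the request is allowed to proceed and the redirect is issued later from the `ContainerResponseFilter` side. If that is right, resource code can run before a principal exists, and the field needs an explicit comment, e.g. `// false (default): the unauthenticated request reaches the resource and the redirect is issued from the response filter`. The hunk that uses the field is cut off on this page, so this reading is inferred and should be checked against the full change.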
@@ -107,127 +114,146 @@ public class FedizRedirectBindingFilter extends AbstractServiceProviderFilter { return; } else { if (isSignInRequired(fedConfig, params)) { -// Unauthenticated -> redirect -FedizProcessor processor = - FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol()); - -HttpServletRequest request = messageContext.getHttpServletRequest(); -try { -RedirectionResponse redirectionResponse = -processor.createSignInRequest(request, fedConfig); -String redirectURL = redirectionResponse.getRedirectionURL(); -if (redirectURL != null) { -ResponseBuilder response = Response.seeOther(new URI(redirectURL)); -Map headers = redirectionResponse.getHeaders(); -if (!headers.isEmpty()) { -for (String headerName : headers.keySet()) { -response.header(headerName, headers.get(headerName)); -} -} - -// Save the RequestState -RequestState requestState = redirectionResponse.getRequestState(); -if (requestState != null && requestState.getState() != null) { - getStateManager().setRequestState(requestState.getState(), requestState); - -String contextCookie = - CookieUtils.createCookie(SECURITY_CONTEXT_STATE, -
cxf git commit: Fix checkstyle
Repository: cxf Updated Branches: refs/heads/master 92b8fbba1 -> 16feba3f0 Fix checkstyle Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/16feba3f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/16feba3f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/16feba3f Branch: refs/heads/master Commit: 16feba3f058d19458e4da4da0bf8dc65fe4bade0 Parents: 92b8fbb Author: Daniel KulpAuthored: Fri Nov 13 12:20:34 2015 -0500 Committer: Daniel Kulp Committed: Fri Nov 13 12:20:50 2015 -0500 -- .../atmosphere/DefaultProtocolInterceptor.java | 93 +++- 1 file changed, 52 insertions(+), 41 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/16feba3f/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java -- diff --git a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java index 54431ce..3dde4b5 100644 --- a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java +++ b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java 
@@ -298,49 +298,60 @@ public class DefaultProtocolInterceptor extends AtmosphereInterceptorAdapter { @Override public ServletOutputStream getOutputStream() throws IOException { if (sout == null) { -sout = new ServletOutputStream() { -CachedOutputStream out = new CachedOutputStream(); -OutputStream getOut() { -if (out == null) { -out = new CachedOutputStream(); -} -return out; -} -void send(boolean complete) throws IOException { -if (out == null) { -return; -} -if (response.getStatus() >= 400) { -int i = response.getStatus(); -response.setStatus(200); -response.addIntHeader(WebSocketUtils.SC_KEY, i); -} -out.flush(); -out.lockOutputStream(); -out.writeCacheTo(delegate); -delegate.flush(); -out.close(); -out = null; -} -public void write(int i) throws IOException { -getOut().write(i); -} -public void close() throws IOException { -send(true); -delegate.close(); -} -public void flush() throws IOException { -send(false); -} -public void write(byte[] b, int off, int len) throws IOException { -getOut().write(b, off, len); -} -public void write(byte[] b) throws IOException { -getOut().write(b); -} -}; +sout = new BufferedServletOutputStream(); } return sout; } + +private final class BufferedServletOutputStream extends ServletOutputStream { +CachedOutputStream out = new CachedOutputStream(); + +OutputStream getOut() { +if (out == null) { +out = new CachedOutputStream(); +} +return out; +} + +void send(boolean complete) throws IOException { +if (out == null) { +return; +} +if (response.getStatus() >= 400) { +int i = response.getStatus(); +response.setStatus(200); +response.addIntHeader(WebSocketUtils.SC_KEY, i); +} +out.flush(); +out.lockOutputStream(); +out.writeCacheTo(delegate); +delegate.flush(); +out.close(); +out = null; +} + +public void write(int i) throws IOException { +getOut().write(i); +} + +public void close() throws IOException { +
cxf-fediz git commit: FEDIZ-134: avoiding a possible comflict between algo properties
Repository: cxf-fediz Updated Branches: refs/heads/master a9ac5873d -> 1c4d2f580 FEDIZ-134: avoiding a possible comflict between algo properties Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/1c4d2f58 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/1c4d2f58 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/1c4d2f58 Branch: refs/heads/master Commit: 1c4d2f580e8dd9ee456510aaac48cd7e6efca015 Parents: a9ac587 Author: Sergey BeryozkinAuthored: Fri Nov 13 16:52:39 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 16:52:39 2015 + -- .../org/apache/cxf/fediz/service/oidc/OAuthDataManager.java| 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/1c4d2f58/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java -- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java index b1e632e..c498161 100644 --- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java +++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java 
@@ -111,9 +111,9 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
 protected JwsSignatureProvider getJwsSignatureProvider(Client client) {
 if (signIdTokenWithClientSecret && client.isConfidential() && client.getClientSecret() != null) {
 Properties sigProps = JwsUtils.loadSignatureOutProperties(false);
-// HS256, HS384, HS512
-SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(sigProps,
-SignatureAlgorithm.HS256);
+SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm(
+ sigProps.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM));
+sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;
 if (AlgorithmUtils.isHmacSign(sigAlgo)) {
 return JwsUtils.getHmacSignatureProvider(client.getClientSecret(), sigAlgo);
 }
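Review bot: The removed `// HS256, HS384, HS512` comment was the only statement of which values are acceptable here, and the new lookup of `OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM` does not replace it. A comment such as `// dedicated client-secret property; expected to be HS256, HS384 or HS512, defaults to HS256` would keep that visible. It should also note that a non-HMAC value makes `AlgorithmUtils.isHmacSign(sigAlgo)` false, so the client secret is then not used to sign the id token. `sigProps.getProperty(...)` further assumes that `JwsUtils.loadSignatureOutProperties(false)` never returns null, which this hunk does not show. The method continues outside the hunk.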
cxf git commit: Fix checkstyle
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 4744117f9 -> efac3c9e5 Fix checkstyle Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/efac3c9e Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/efac3c9e Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/efac3c9e Branch: refs/heads/3.1.x-fixes Commit: efac3c9e56559370e2d8c8733f7886f83662b4e4 Parents: 4744117 Author: Daniel KulpAuthored: Fri Nov 13 12:20:34 2015 -0500 Committer: Daniel Kulp Committed: Fri Nov 13 12:21:07 2015 -0500 -- .../atmosphere/DefaultProtocolInterceptor.java | 93 +++- 1 file changed, 52 insertions(+), 41 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/efac3c9e/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java -- diff --git a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java index 54431ce..3dde4b5 100644 --- a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java +++ b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java 
@@ -298,49 +298,60 @@ public class DefaultProtocolInterceptor extends AtmosphereInterceptorAdapter { @Override public ServletOutputStream getOutputStream() throws IOException { if (sout == null) { -sout = new ServletOutputStream() { -CachedOutputStream out = new CachedOutputStream(); -OutputStream getOut() { -if (out == null) { -out = new CachedOutputStream(); -} -return out; -} -void send(boolean complete) throws IOException { -if (out == null) { -return; -} -if (response.getStatus() >= 400) { -int i = response.getStatus(); -response.setStatus(200); -response.addIntHeader(WebSocketUtils.SC_KEY, i); -} -out.flush(); -out.lockOutputStream(); -out.writeCacheTo(delegate); -delegate.flush(); -out.close(); -out = null; -} -public void write(int i) throws IOException { -getOut().write(i); -} -public void close() throws IOException { -send(true); -delegate.close(); -} -public void flush() throws IOException { -send(false); -} -public void write(byte[] b, int off, int len) throws IOException { -getOut().write(b, off, len); -} -public void write(byte[] b) throws IOException { -getOut().write(b); -} -}; +sout = new BufferedServletOutputStream(); } return sout; } + +private final class BufferedServletOutputStream extends ServletOutputStream { +CachedOutputStream out = new CachedOutputStream(); + +OutputStream getOut() { +if (out == null) { +out = new CachedOutputStream(); +} +return out; +} + +void send(boolean complete) throws IOException { +if (out == null) { +return; +} +if (response.getStatus() >= 400) { +int i = response.getStatus(); +response.setStatus(200); +response.addIntHeader(WebSocketUtils.SC_KEY, i); +} +out.flush(); +out.lockOutputStream(); +out.writeCacheTo(delegate); +delegate.flush(); +out.close(); +out = null; +} + +public void write(int i) throws IOException { +getOut().write(i); +} + +public void close() throws IOException { +
cxf git commit: Introducing a dedicated property for checking client secret algorithms
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 5e8334b2d -> 4744117f9 Introducing a dedicated property for checking client secret algorithms Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4744117f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4744117f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4744117f Branch: refs/heads/3.1.x-fixes Commit: 4744117f9228e8f25cc2cba2255f6e6a516e2d2a Parents: 5e8334b Author: Sergey BeryozkinAuthored: Fri Nov 13 16:46:39 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 16:48:30 2015 + -- .../oauth2/provider/AbstractOAuthJoseJwtConsumer.java | 9 +++-- .../oauth2/provider/AbstractOAuthJoseJwtProducer.java | 9 +++-- .../apache/cxf/rs/security/oauth2/utils/OAuthConstants.java | 5 + 3 files changed, 19 insertions(+), 4 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/4744117f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java index 5d2fa3b..175346e 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java 
@@ -31,6 +31,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer; import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; import org.apache.cxf.rt.security.crypto.CryptoUtils; public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer { @@ -47,7 +48,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) { if (verifyWithClientSecret) { Properties props = JwsUtils.loadSignatureInProperties(false); -SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256); +SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm( + props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM)); +sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256; if (AlgorithmUtils.isHmacSign(sigAlgo)) { return JwsUtils.getHmacSignatureVerifier(clientSecret, sigAlgo); } @@ -59,7 +62,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum if (decryptWithClientSecret) { SecretKey key = CryptoUtils.decodeSecretKey(clientSecret); Properties props = JweUtils.loadEncryptionInProperties(false); -ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM); +ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm( + props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM)); +ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM; theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo); } return theDecryptionProvider; http://git-wip-us.apache.org/repos/asf/cxf/blob/4744117f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java -- 
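Review bot: In the `decryptWithClientSecret` hunk the key is decoded from the client secret before the content algorithm is read from `CLIENT_SECRET_ENCRYPTION_ALGORITHM`, and nothing visible checks that the key length fits the configured algorithm. Now that the algorithm is configurable, a secret sized for the A128GCM default paired with a larger configured algorithm would presumably fail only inside `getDirectKeyJweDecryption` or at decryption time. A comment such as `// the decoded client secret must match ctAlgo's key size (16 bytes for A128GCM)` together with an early length check would make that failure explicit. Whether `CryptoUtils.decodeSecretKey` or `JweUtils.getDirectKeyJweDecryption` already validates this is not visible in the hunk.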
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java index fec38bc..5e1c870 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java @@ -32,6 +32,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 5704f28b5 -> a90a0b216 Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a90a0b21 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a90a0b21 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a90a0b21 Branch: refs/heads/3.0.x-fixes Commit: a90a0b216d05be1892d6713679e8faf6fcdafd91 Parents: 5704f28 Author: Colm O hEigeartaighAuthored: Fri Nov 13 16:46:30 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 16:46:30 2015 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/a90a0b21/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index 25b1b2f..bec5c84 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -194,6 +194,7 @@ B 5bc8c0c41e3cef645ee6c7a1587d19e844fc7e4c B 5c678face89e4d38b2879bc4679ce3b92ac3aeb0 B 5d387616bc1787f3ae50dbe2a185c6abb0e9955b B 5e06ba0c4970700477484bd2409a226aa9ec7f0a +B 5e8334b2d62fa5ae453ba12becffc7db154d71cb B 5f94e273e7e8d99915eeda1189824f13488eb013 B 5faf182264c64bd3c0abc0addc9746b64492c864 B 5fbd407bac5af5e55bb280125405d75b7add872b
cxf git commit: Fixing some failing tests
Repository: cxf Updated Branches: refs/heads/master 79f590ee8 -> 67ac0ab27 Fixing some failing tests Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/67ac0ab2 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/67ac0ab2 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/67ac0ab2 Branch: refs/heads/master Commit: 67ac0ab2732b4b974824796cf13d0ed42712b879 Parents: 79f590e Author: Colm O hEigeartaighAuthored: Fri Nov 13 15:06:55 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 15:06:55 2015 + -- .../apache/cxf/sts/token/provider/JWTTokenProviderTest.java| 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/67ac0ab2/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java -- diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java index 51ef210..c81f746 100644 --- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java +++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java @@ -387,11 +387,7 @@ public class JWTTokenProviderTest extends org.junit.Assert { "org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin" ); properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "stsspass"); -if (unrestrictedPoliciesInstalled) { -properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "stsstore.jks"); -} else { -properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "restricted/stsstore.jks"); -} +properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "stsstore.jks"); return properties; }
cxf git commit: Fixing some failing tests
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 2e8802825 -> 22d0c244d Fixing some failing tests Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/22d0c244 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/22d0c244 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/22d0c244 Branch: refs/heads/3.1.x-fixes Commit: 22d0c244d3b60aafbd3c070e9599012019de486c Parents: 2e88028 Author: Colm O hEigeartaighAuthored: Fri Nov 13 15:06:55 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 15:07:32 2015 + -- .../apache/cxf/sts/token/provider/JWTTokenProviderTest.java| 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/22d0c244/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java -- diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java index 51ef210..c81f746 100644 --- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java +++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTTokenProviderTest.java @@ -387,11 +387,7 @@ public class JWTTokenProviderTest extends org.junit.Assert { "org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin" ); properties.put("org.apache.wss4j.crypto.merlin.keystore.password", "stsspass"); -if (unrestrictedPoliciesInstalled) { -properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "stsstore.jks"); -} else { -properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "restricted/stsstore.jks"); -} +properties.put("org.apache.wss4j.crypto.merlin.keystore.file", "stsstore.jks"); return properties; }
cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 1c4ffc8ee -> 5704f28b5 Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5704f28b Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5704f28b Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5704f28b Branch: refs/heads/3.0.x-fixes Commit: 5704f28b5cd7344f62acee838a26a3d22fc38344 Parents: 1c4ffc8 Author: Colm O hEigeartaighAuthored: Fri Nov 13 15:09:01 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 15:09:01 2015 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/5704f28b/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index 6b9c226..25b1b2f 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -58,6 +58,7 @@ B 2004b1021ce0d0975eb49cae36416863bd8c59bb B 20467ecea3cb0778bd02e60029d4d4ec7a8a2483 B 20539c0278472689722204f0c08e68a86597aae1 B 222137cb2ee577e6582a644b7ae73bbc0a75d4d1 +B 22d0c244d3b60aafbd3c070e9599012019de486c B 2302aa5820661975bb04857fa6d48bb68bebb4f7 B 2345b6e4ff4adf48e9adf5e0b9245da3f7afa011 B 237ace40ea2c204f68848309b9483c322499b524
cxf git commit: Adding JWTValidator
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 22d0c244d -> 5e8334b2d Adding JWTValidator Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5e8334b2 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5e8334b2 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5e8334b2 Branch: refs/heads/3.1.x-fixes Commit: 5e8334b2d62fa5ae453ba12becffc7db154d71cb Parents: 22d0c24 Author: Colm O hEigeartaighAuthored: Fri Nov 13 16:28:07 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 16:35:02 2015 + -- .../apache/cxf/sts/request/ReceivedToken.java | 7 +- .../token/validator/jwt/JWTTokenValidator.java | 207 .../token/validator/JWTTokenValidatorTest.java | 246 +++ 3 files changed, 459 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/5e8334b2/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java -- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java index c2e1aee..252ec60 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedToken.java @@ -33,7 +33,7 @@ import org.apache.cxf.ws.security.sts.provider.STSException; /** * This class contains values that have been extracted from a received Token. The Token can be a - * JAXB UsernameTokenType/BinarySecurityTokenType or a DOM Element. + * JAXB UsernameTokenType/BinarySecurityTokenType, a DOM Element or a String. */ public class ReceivedToken { 
@@ -74,6 +74,11 @@ public class ReceivedToken { } this.token = receivedToken; isDOMElement = true; +} else if (receivedToken instanceof String) { +if (LOG.isLoggable(Level.FINE)) { +LOG.fine("Found ValidateTarget String"); +} +this.token = receivedToken; } else { LOG.fine("Found ValidateTarget object of unknown type"); throw new STSException( http://git-wip-us.apache.org/repos/asf/cxf/blob/5e8334b2/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java -- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java new file mode 100644 index 000..837c3c1 --- /dev/null +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.java 
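Review bot: The new `receivedToken instanceof String` branch stores any string as the token, including an empty one, so rejecting unusable input is left entirely to whichever validator reads the token later. An early check, for example `} else if (receivedToken instanceof String && !((String)receivedToken).isEmpty()) {`, would send an empty value to the existing unknown-type error path instead of handing it on. The DOM branch above records its type with `isDOMElement = true`, while the String branch sets no flag, so consumers presumably have to type-test the stored token themselves; a comment saying so would help. The constructor starts and ends outside the hunk.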
@@ -0,0 +1,207 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.sts.token.validator.jwt; + +import java.security.KeyStore; +import java.security.Principal; +import java.util.Properties; +import java.util.logging.Level; +import java.util.logging.Logger; + +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.common.security.SimplePrincipal; +import org.apache.cxf.rs.security.jose.common.JoseConstants; +import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; +import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer; +import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; +import org.apache.cxf.rs.security.jose.jws.JwsUtils; +import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.jose.jwt.JwtUtils; +import org.apache.cxf.sts.STSPropertiesMBean; +import org.apache.cxf.sts.request.ReceivedToken; +import org.apache.cxf.sts.request.ReceivedToken.STATE; +import org.apache.cxf.sts.token.validator.TokenValidator; +import org.apache.cxf.sts.token.validator.TokenValidatorParameters; +import
svn commit: r972319 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2015-5253.txt.asc security-advisories.html
Author: buildbot Date: Fri Nov 13 17:47:39 2015 New Revision: 972319 Log: Production update by buildbot for cxf Added: websites/production/cxf/content/security-advisories.data/CVE-2015-5253.txt.asc Modified: websites/production/cxf/content/cache/main.pageCache websites/production/cxf/content/security-advisories.html Modified: websites/production/cxf/content/cache/main.pageCache == Binary files - no diff available. Added: websites/production/cxf/content/security-advisories.data/CVE-2015-5253.txt.asc == --- websites/production/cxf/content/security-advisories.data/CVE-2015-5253.txt.asc (added) +++ websites/production/cxf/content/security-advisories.data/CVE-2015-5253.txt.asc Fri Nov 13 17:47:39 2015 
@@ -0,0 +1,43 @@ +-BEGIN PGP SIGNED MESSAGE- +Hash: SHA1 + + +CVE-2015-5253: Apache CXF SAML SSO processing is vulnerable to a wrapping attack + +Severity: Major + +Vendor: The Apache Software Foundation + +Versions Affected: + +This vulnerability affects all versions of Apache CXF prior to 3.1.3, 3.0.7 and 2.7.18. + +Description: + +Apache CXF offers a module that adds support for SAML SSO to a JAX-RS endpoint. +It is possible to construct a SAML Response by means of a wrapping attack, that +allows a malicious user to log in instead of the principal extracted from +the signed SAML assertion. + +This has been fixed in revision: + +https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=845eccb6484b43ba02875c71e824db23ae4f20c0 + +Migration: + +CXF 2.7.x users should upgrade to 2.7.18 or later as soon as possible. +CXF 3.0.x users should upgrade to 3.0.7 or later as soon as possible. +CXF 3.1.x users should upgrade to 3.1.3 or later as soon as possible. + +References: http://cxf.apache.org/security-advisories.html +-BEGIN PGP SIGNATURE- +Version: GnuPG v1 + +iQEcBAEBAgAGBQJWQy+4AAoJEGe/gLEK1TmDRiUIALQIwSJBJU7c+p4hqlgbYfSK +Kn0wnTw91xSQmXZzn7JnB76EECZXOubEBtpvszSjawetRvHHIhjkgowEzKFbKDXQ +xHiy7v2SwTmbSyAUcJQ069velrW86aEUaQlUPB4pHWjTvCvFgDiZLncLKG9wGya5 +A3jdRldZmKOJ3Niv2D2NZsZqzDVDo1OyS/RtBOgeW+KcovIgcUeIgo8SWakuPf6v +gk3ZtRa8wMKcgAjY7S1Tm+aQVBh4m2cNT+obn48C1Sq2g7mQXEGuvP3VaF7Gbo+m +zvrbbz++GxC5PPXv3qjBZH2o2Q/IdsiSAtRe+6vVUVQniFJzXkZHor2biUZVnFs= +=b3bL +-END PGP SIGNATURE- Modified: websites/production/cxf/content/security-advisories.html == --- websites/production/cxf/content/security-advisories.html (original) +++ websites/production/cxf/content/security-advisories.html Fri Nov 13 17:47:39 2015 
@@ -99,7 +99,7 @@ Apache CXF -- Security Advisories -2015CVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks2014CVE-2014-3577: Apache CXF SSL hostname verification bypassNote on CVE-2014-3566: SSL 3.0 support in Apache CXF, aka the "POODLE" attack.CVE-2014-3623: Apache CXF does not properly enforce the security semantics of SAML SubjectConfirmation methods when used with the TransportBindingCVE-2014-3584: Apache CXF JAX-RS SAML handling is vulnerable to a Denial of Service (DoS) attackCVE-2014-0109: HTML content posted to SOAP endpoint could cause OOM errorsCVE-2014-0110: Large invalid content co uld cause temporary space to fillCVE-2014-0034: The SecurityTokenService accepts certain invalid SAML Tokens as validCVE-2014-0035: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy2013CVE-2013-2160 - Denial of Service Attacks on Apache CXFNote on CVE-2012-5575 - XML Encryption backwards compatibility attack on Apache CXF.CVE-2013-0239 - Authentication bypass in the case of WS-SecurityPolicy enable d plaintext UsernameTokens.2012CVE-2012-5633 - WSS4JInInterceptor always allows HTTP Get requests from browser.Note on CVE-2011-2487 - Bleichenbacher attack against distributed symmetric key in WS-Security.CVE-2012-3451 - Apache CXF is vulnerable to SOAP Action spoofing attacks on Document Literal web services.CVE-2012-2379 - Apache CXF does not verify that elements were signed or encrypted by a particular Supporting Token.CVE-2012-2378 - Apache CXF does not pick up some child policies of WS-SecurityPolicy 1.1 SupportingToken policy assertions on the client side.Note on CVE-2011-1096 - XML Encrypt ion flaw / Character pattern encoding attack.CVE-2012-0803 - Apache CXF does not validate UsernameToken policies correctly.2010http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf;>CVE-2010-2076 - DTD based XML attacks. 
+2015CVE-2015-5253: Apache CXF SAML SSO processing is vulnerable to a wrapping attackCVE-2015-5175: Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks2014CVE-2014-3577: Apache CXF SSL hostname verification bypassNote on CVE-2014-3566: SSL 3.0
[2/2] cxf git commit: Fix pmd error
Fix pmd error Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f831e9f5 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f831e9f5 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f831e9f5 Branch: refs/heads/3.1.x-fixes Commit: f831e9f5ee56bff9e4472782300f9558ba234f80 Parents: efac3c9 Author: Daniel KulpAuthored: Fri Nov 13 12:42:45 2015 -0500 Committer: Daniel Kulp Committed: Fri Nov 13 12:44:44 2015 -0500 -- .../websocket/atmosphere/DefaultProtocolInterceptor.java| 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/f831e9f5/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java -- diff --git a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java index 3dde4b5..1a2cd9a 100644 --- a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java +++ b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java 
@@ -286,25 +286,28 @@ public class DefaultProtocolInterceptor extends AtmosphereInterceptorAdapter { // a workaround to flush the header data upon close when no write operation occurs private class WrappedAtmosphereResponse extends AtmosphereResponse { final AtmosphereResponse response; -final ServletOutputStream delegate; ServletOutputStream sout; WrappedAtmosphereResponse(AtmosphereResponse resp, AtmosphereRequest req) throws IOException { super((HttpServletResponse)resp.getResponse(), null, req, resp.isDestroyable()); response = resp; response.request(req); -delegate = super.getOutputStream(); } @Override public ServletOutputStream getOutputStream() throws IOException { if (sout == null) { -sout = new BufferedServletOutputStream(); +sout = new BufferedServletOutputStream(super.getOutputStream()); } return sout; } private final class BufferedServletOutputStream extends ServletOutputStream { +final ServletOutputStream delegate; CachedOutputStream out = new CachedOutputStream(); + +BufferedServletOutputStream(ServletOutputStream d) { +delegate = d; +} OutputStream getOut() { if (out == null) {
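Review bot: Moving `super.getOutputStream()` out of the WrappedAtmosphereResponse constructor changes when the underlying stream is obtained: it is now fetched on the first `getOutputStream()` call instead of at construction, which is more than the PMD cleanup the commit message describes. If nothing relied on the eager call this is harmless, but a comment at the lazy creation, e.g. `// delegate is obtained lazily, on first use`, would record it. The constructor still declares `throws IOException`, and whether anything left in it can throw is not visible here. The new constructor parameter `d` would read better as `delegate`, assigned with `this.delegate = delegate;`. The same change is applied on master in commit 4ced4ae4 lower on this page, and BufferedServletOutputStream continues past the end of the hunk.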
[1/2] cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes efac3c9e5 -> dd3c8f9d0 Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dd3c8f9d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dd3c8f9d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dd3c8f9d Branch: refs/heads/3.1.x-fixes Commit: dd3c8f9d05b549d7aeb3804476bdc3fb344cf2d8 Parents: f831e9f Author: Daniel KulpAuthored: Fri Nov 13 12:44:44 2015 -0500 Committer: Daniel Kulp Committed: Fri Nov 13 12:44:44 2015 -0500 -- .gitmergeinfo | 2 ++ 1 file changed, 2 insertions(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/dd3c8f9d/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index 8bd298f..f2766bb 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -4,6 +4,8 @@ B 39851b83af116611ce0efe70c4b9a32ee8491523 B 59b8615053ddcad353fbebcd9a5b1109ae0897a1 B 65e1e07fdb810ec9de135530ca3e3d23821836a3 B 7fc957efa3a193a5f2ae178b8a608717ce4c5b26 +B a261507ebd3104b1a00298801ec9815ed1e7a728 B ced98c6e937bd93f92dac9043fa0406c696bfd84 +B f0e08b7bea2660542e18294d490e68c7b14aaa4b B f1b56150d6520e73d2ade2296c3b2f13839e63e5 B fb30f8bffc85fcc3208fcc0e1eda4b54a89b5d37
cxf git commit: Fix pmd error
Repository: cxf Updated Branches: refs/heads/master 16feba3f0 -> 4ced4ae4f Fix pmd error Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4ced4ae4 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4ced4ae4 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4ced4ae4 Branch: refs/heads/master Commit: 4ced4ae4f31f34ac5e2f98e52ab91b3aee701f43 Parents: 16feba3 Author: Daniel KulpAuthored: Fri Nov 13 12:42:45 2015 -0500 Committer: Daniel Kulp Committed: Fri Nov 13 12:42:45 2015 -0500 -- .../websocket/atmosphere/DefaultProtocolInterceptor.java| 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/4ced4ae4/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java -- diff --git a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java index 3dde4b5..1a2cd9a 100644 --- a/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java +++ b/rt/transports/websocket/src/main/java/org/apache/cxf/transport/websocket/atmosphere/DefaultProtocolInterceptor.java 
@@ -286,25 +286,28 @@ public class DefaultProtocolInterceptor extends AtmosphereInterceptorAdapter { // a workaround to flush the header data upon close when no write operation occurs private class WrappedAtmosphereResponse extends AtmosphereResponse { final AtmosphereResponse response; -final ServletOutputStream delegate; ServletOutputStream sout; WrappedAtmosphereResponse(AtmosphereResponse resp, AtmosphereRequest req) throws IOException { super((HttpServletResponse)resp.getResponse(), null, req, resp.isDestroyable()); response = resp; response.request(req); -delegate = super.getOutputStream(); } @Override public ServletOutputStream getOutputStream() throws IOException { if (sout == null) { -sout = new BufferedServletOutputStream(); +sout = new BufferedServletOutputStream(super.getOutputStream()); } return sout; } private final class BufferedServletOutputStream extends ServletOutputStream { +final ServletOutputStream delegate; CachedOutputStream out = new CachedOutputStream(); + +BufferedServletOutputStream(ServletOutputStream d) { +delegate = d; +} OutputStream getOut() { if (out == null) {
cxf git commit: Makaing sure the code filter can catch all code response errors
Repository: cxf Updated Branches: refs/heads/master bf52c1759 -> 144ee70dc Makaing sure the code filter can catch all code response errors Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/144ee70d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/144ee70d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/144ee70d Branch: refs/heads/master Commit: 144ee70dc163a1dbcfbfa891a3fed0b98b7edf21 Parents: bf52c17 Author: Sergey BeryozkinAuthored: Fri Nov 13 10:56:58 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 10:56:58 2015 + -- .../cxf/rs/security/oauth2/client/AccessDeniedResponse.java | 8 +++- .../rs/security/oauth2/client/ClientCodeRequestFilter.java | 4 ++-- .../oauth2/provider/AbstractOAuthJoseJwtProducer.java| 5 +++-- 3 files changed, 12 insertions(+), 5 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/144ee70d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java index 9ec28ab..16a87bf 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/AccessDeniedResponse.java @@ -19,5 +19,11 @@ package org.apache.cxf.rs.security.oauth2.client; public class AccessDeniedResponse { - +private String error; +public AccessDeniedResponse(String error) { +this.error = error; +} +public String getError() { +return error; +} } http://git-wip-us.apache.org/repos/asf/cxf/blob/144ee70d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java -- 
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java index 3e312a3..18285a6 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java @@ -115,10 +115,10 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { if (sc == null || sc.getUserPrincipal() == null) { if (codeParam == null && requestParams.containsKey(OAuthConstants.ERROR_KEY) -&& OAuthConstants.ACCESS_DENIED.equals(requestParams.getFirst(OAuthConstants.ERROR_KEY)) && !faultAccessDeniedResponses) { if (!applicationCanHandleAccessDenied) { -rc.abortWith(Response.ok(new AccessDeniedResponse()).build()); +String error = requestParams.getFirst(OAuthConstants.ERROR_KEY); +rc.abortWith(Response.ok(new AccessDeniedResponse(error)).build()); } } else { throw ExceptionUtils.toNotAuthorizedException(null, null); http://git-wip-us.apache.org/repos/asf/cxf/blob/144ee70d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java index b0a7414..fec38bc 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java 
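Review bot: With the `ACCESS_DENIED` comparison removed, the raw `error` request parameter is copied into `AccessDeniedResponse` and returned in a 200 response, with no validation in this hunk. The value comes from the redirect query and is caller-controlled, so if a provider outside this hunk renders the entity into HTML it should be escaped, or the value restricted first to the error codes OAuth 2.0 defines for the authorization response. A comment on the new line, e.g. `// error is untrusted request input; validate or escape before rendering`, would record that. The class name AccessDeniedResponse also no longer matches what it carries once other error codes pass through. The filter method starts and ends outside the hunk.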
@@ -22,6 +22,7 @@ import java.util.Properties; import javax.crypto.SecretKey; +import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils; import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm; import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; @@ -44,7 +45,7 @@ public abstract class
[2/2] cxf git commit: NPE fix
NPE fix Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c5413a80 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c5413a80 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c5413a80 Branch: refs/heads/master Commit: c5413a80e67b9b9a319ab8e3112486f093892528 Parents: 0b8ac3e Author: Colm O hEigeartaighAuthored: Fri Nov 13 11:15:30 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 12:39:30 2015 + -- .../rs/security/oauth2/services/RedirectionBasedGrantService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/c5413a80/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java index 51ea97e..667de92 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java @@ -271,7 +271,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService sessionTokenParamName = OAuthConstants.SESSION_AUTHENTICITY_TOKEN; } String sessionToken = params.getFirst(sessionTokenParamName); -if (!compareRequestAndSessionTokens(sessionToken, params, userSubject)) { +if (sessionToken == null || !compareRequestAndSessionTokens(sessionToken, params, userSubject)) { throw ExceptionUtils.toBadRequestException(null, null); }
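Review bot: The added `sessionToken == null` test rejects a missing authenticity token but still passes an empty string to `compareRequestAndSessionTokens`, whose handling of that case is not visible here. If an empty value should be treated like a missing one, the condition could read `if (sessionToken == null || sessionToken.isEmpty() || !compareRequestAndSessionTokens(sessionToken, params, userSubject)) {`. A short comment such as `// no authenticity token in the request: fail the CSRF check with 400` would also record why the guard is there. The enclosing method starts and ends outside the hunk; the same hunk is repeated in the 3.1.x-fixes and 3.0.x-fixes commits further down.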
[1/2] cxf git commit: Use client id instead of principal name if it's available
Repository: cxf Updated Branches: refs/heads/master 0b8ac3e0e -> 79f590ee8 Use client id instead of principal name if it's available Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/79f590ee Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/79f590ee Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/79f590ee Branch: refs/heads/master Commit: 79f590ee8f51943aa95a9e6e245f906be85d6fbb Parents: c5413a8 Author: Colm O hEigeartaighAuthored: Fri Nov 13 12:25:57 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 12:39:30 2015 + -- .../cxf/rs/security/oauth2/services/AbstractTokenService.java| 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/79f590ee/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java index 29eadcb..61e3165 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java @@ -65,12 +65,12 @@ public class AbstractTokenService extends AbstractOAuthService { client = getAndValidateClientFromIdAndSecret(clientId, params.getFirst(OAuthConstants.CLIENT_SECRET)); } -} else if (principal.getName() != null) { -client = getClient(principal.getName()); } else { String clientId = retrieveClientId(params); if (clientId != null) { client = getClient(clientId); +} else if (principal.getName() != null) { +client = getClient(principal.getName()); } } if (client == null) {
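Review bot: After this reordering, a client identifier returned by `retrieveClientId(params)` takes precedence over `principal.getName()`, so when a principal is present the `Client` is chosen from request data rather than from the authenticated identity. The hunk does not show any later check that the resolved client belongs to that principal; if none exists, the branch should verify the binding and reject a mismatch before continuing, and at minimum carry a comment such as `// client_id is request-supplied; the authenticated principal must still be matched against the resolved client`. How `retrieveClientId` obtains its value is outside the hunk, so this is inferred from the `params` argument. The enclosing method starts and ends outside the hunk, and the same hunk is repeated in the 3.0.x-fixes and 3.1.x-fixes commits further down.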
[1/2] cxf git commit: NPE fix
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes e80086821 -> 2e8802825 NPE fix Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/13521bd1 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/13521bd1 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/13521bd1 Branch: refs/heads/3.1.x-fixes Commit: 13521bd10962d41f16f699f42876874b53a448f3 Parents: e800868 Author: Colm O hEigeartaighAuthored: Fri Nov 13 11:15:30 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 13:37:00 2015 + -- .../rs/security/oauth2/services/RedirectionBasedGrantService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/13521bd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java index 51ea97e..667de92 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java @@ -271,7 +271,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService sessionTokenParamName = OAuthConstants.SESSION_AUTHENTICITY_TOKEN; } String sessionToken = params.getFirst(sessionTokenParamName); -if (!compareRequestAndSessionTokens(sessionToken, params, userSubject)) { +if (sessionToken == null || !compareRequestAndSessionTokens(sessionToken, params, userSubject)) { throw ExceptionUtils.toBadRequestException(null, null); }
[3/3] cxf git commit: Recording .gitmergeinfo Changes
Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1c4ffc8e Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1c4ffc8e Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1c4ffc8e Branch: refs/heads/3.0.x-fixes Commit: 1c4ffc8ee75fc2dcc21913b7ca35fd8f9eb4615b Parents: 2a0142e Author: Colm O hEigeartaighAuthored: Fri Nov 13 13:39:00 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 13:39:00 2015 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/1c4ffc8e/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index 33fd585..6b9c226 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -562,6 +562,7 @@ M 0f7b744eb8e4ad8c4eee2ffd10bdaa1da1364deb M 10a8386fcef4b7f2220ceceaa6aedca60846f6d1 M 10b043faa0652a6a06f5f020173162edef7fb0ca M 12d070f4392316cdfff03eb41abe22531ed64ee9 +M 13521bd10962d41f16f699f42876874b53a448f3 M 16ffa0f10dac874cd5727d312ac56a78b13e5ca9 M 1701e6c8d4e794f25d69781e3f69357723ad7fcf M 174bd11dcfeae47998723757542abe56c792cc76
[1/3] cxf git commit: NPE fix
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 3f240045b -> 1c4ffc8ee NPE fix Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1da85e32 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1da85e32 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1da85e32 Branch: refs/heads/3.0.x-fixes Commit: 1da85e324276d380836fb7dcbff2d83526b3946f Parents: 3f24004 Author: Colm O hEigeartaighAuthored: Fri Nov 13 11:15:30 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 13:38:59 2015 + -- .../rs/security/oauth2/services/RedirectionBasedGrantService.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/1da85e32/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java index a6260bd..e260bbc 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java @@ -229,7 +229,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService sessionTokenParamName = OAuthConstants.SESSION_AUTHENTICITY_TOKEN; } String sessionToken = params.getFirst(sessionTokenParamName); -if (!compareRequestAndSessionTokens(sessionToken, params, userSubject)) { +if (sessionToken == null || !compareRequestAndSessionTokens(sessionToken, params, userSubject)) { throw ExceptionUtils.toBadRequestException(null, null); } //TODO: additionally we can check that the Principal that got authenticated
[2/3] cxf git commit: Use client id instead of principal name if it's available
Use client id instead of principal name if it's available Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2a0142e8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2a0142e8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2a0142e8 Branch: refs/heads/3.0.x-fixes Commit: 2a0142e89c960095a7bb723803251e7e6ff4cae5 Parents: 1da85e3 Author: Colm O hEigeartaighAuthored: Fri Nov 13 12:25:57 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 13:39:00 2015 + -- .../cxf/rs/security/oauth2/services/AbstractTokenService.java| 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/2a0142e8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java index 29eadcb..61e3165 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java @@ -65,12 +65,12 @@ public class AbstractTokenService extends AbstractOAuthService { client = getAndValidateClientFromIdAndSecret(clientId, params.getFirst(OAuthConstants.CLIENT_SECRET)); } -} else if (principal.getName() != null) { -client = getClient(principal.getName()); } else { String clientId = retrieveClientId(params); if (clientId != null) { client = getClient(clientId); +} else if (principal.getName() != null) { +client = getClient(principal.getName()); } } if (client == null) {
cxf-fediz git commit: [FEDIZ-134] Supporting public clients
Repository: cxf-fediz Updated Branches: refs/heads/master 799d27485 -> 890e2277b [FEDIZ-134] Supporting public clients Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/890e2277 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/890e2277 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/890e2277 Branch: refs/heads/master Commit: 890e2277be2e80a0077fb1ce36e5dfb57c8e1e0e Parents: 799d274 Author: Sergey BeryozkinAuthored: Fri Nov 13 14:10:59 2015 + Committer: Sergey Beryozkin Committed: Fri Nov 13 14:10:59 2015 + -- services/oidc/src/main/webapp/WEB-INF/applicationContext.xml | 2 ++ 1 file changed, 2 insertions(+) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/890e2277/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml -- diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml index 4520c21..2ab43d9 100644 --- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml +++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml @@ -31,6 +31,7 @@ + @@ -67,6 +68,7 @@ +
[2/2] cxf git commit: Use client id instead of principal name if it's available
Use client id instead of principal name if it's available Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e880282 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e880282 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e880282 Branch: refs/heads/3.1.x-fixes Commit: 2e88028254a89e6ecea2bf607b50f60d66aaeaae Parents: 13521bd Author: Colm O hEigeartaighAuthored: Fri Nov 13 12:25:57 2015 + Committer: Colm O hEigeartaigh Committed: Fri Nov 13 13:37:01 2015 + -- .../cxf/rs/security/oauth2/services/AbstractTokenService.java| 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/2e880282/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java index 29eadcb..61e3165 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java @@ -65,12 +65,12 @@ public class AbstractTokenService extends AbstractOAuthService { client = getAndValidateClientFromIdAndSecret(clientId, params.getFirst(OAuthConstants.CLIENT_SECRET)); } -} else if (principal.getName() != null) { -client = getClient(principal.getName()); } else { String clientId = retrieveClientId(params); if (clientId != null) { client = getClient(clientId); +} else if (principal.getName() != null) { +client = getClient(principal.getName()); } } if (client == null) {