cxf git commit: Making sure OIDC RP validation errors can be caught by OAuthServiceException mappers, a specialized exception subclass might need to be introduced

Repository: cxf
Updated Branches:
  refs/heads/master 3fb5e2464 -> dd76961dc


Making sure OIDC RP validation errors can be caught by OAuthServiceException 
mappers; a specialized exception subclass might need to be introduced


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dd76961d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dd76961d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dd76961d

Branch: refs/heads/master
Commit: dd76961dcd50dfb07dd95d37ecf9a2f457db18bf
Parents: 3fb5e24
Author: Sergey Beryozkin 
Authored: Tue Dec 15 17:43:58 2015 +
Committer: Sergey Beryozkin 
Committed: Tue Dec 15 17:43:58 2015 +

--
 .../oidc/rp/AbstractTokenValidator.java | 34 ++--
 .../cxf/rs/security/oidc/rp/UserInfoClient.java |  3 +-
 .../cxf/rs/security/oidc/utils/OidcUtils.java   |  5 +--
 3 files changed, 30 insertions(+), 12 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/dd76961d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
--
diff --git 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 0db3541..9e305e3 100644
--- 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -29,9 +29,11 @@ import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 
 public abstract class AbstractTokenValidator extends 
AbstractOAuthJoseJwtConsumer {
 private static final String SELF_ISSUED_ISSUER = "https://self-issued.me;;
@@ -54,44 +56,58 @@ public abstract class AbstractTokenValidator extends 
AbstractOAuthJoseJwtConsume
 // validate the issuer
 String issuer = claims.getIssuer();
 if (issuer == null && validateClaimsAlways) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
 }
 if (supportSelfIssuedProvider && issuerId == null 
 && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
-//TODO: self-issued provider token validation
+validateSelfIssuedProvider(claims, clientId, validateClaimsAlways);
 } else {
 if (issuer != null && !issuer.equals(issuerId)) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
 }
 // validate subject
 if (claims.getSubject() == null) {
-throw new SecurityException("Invalid subject");
+throw new OAuthServiceException("Invalid subject");
 }
 // validate audience
 List audiences = claims.getAudiences();
 if (StringUtils.isEmpty(audiences) && validateClaimsAlways 
 || !StringUtils.isEmpty(audiences) && 
!audiences.contains(clientId)) {
-throw new SecurityException("Invalid audience");
+throw new OAuthServiceException("Invalid audience");
 }
 
 // If strict time validation: if no issuedTime claim is set then 
an expiresAt claim must be set
 // Otherwise: validate only if expiresAt claim is set
 boolean expiredRequired = 
 validateClaimsAlways || strictTimeValidation && 
claims.getIssuedAt() == null;
-JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
+try {
+JwtUtils.validateJwtExpiry(claims, clockOffset, 
expiredRequired);
+} catch (JwtException ex) {
+throw new OAuthServiceException("ID Token has expired", ex);
+}
 
 // If strict time validation: If no expiresAt claim is set then an 
issuedAt claim must be set
 // Otherwise: validate only if issuedAt claim is set
 boolean issuedAtRequired = 
 validateClaimsAlways || 

cxf git commit: Making sure OIDC RP validation errors can be caught by OAuthServiceException mappers, a specialized exception subclass might need to be introduced

Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 9f746c97a -> 015d7a6dd


Making sure OIDC RP validation errors can be caught by OAuthServiceException 
mappers; a specialized exception subclass might need to be introduced


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/015d7a6d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/015d7a6d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/015d7a6d

Branch: refs/heads/3.1.x-fixes
Commit: 015d7a6dde4e201aaf8eaa90343b6ca9a20f6856
Parents: 9f746c9
Author: Sergey Beryozkin 
Authored: Tue Dec 15 17:43:58 2015 +
Committer: Sergey Beryozkin 
Committed: Tue Dec 15 17:44:56 2015 +

--
 .../oidc/rp/AbstractTokenValidator.java | 34 ++--
 .../cxf/rs/security/oidc/rp/UserInfoClient.java |  3 +-
 .../cxf/rs/security/oidc/utils/OidcUtils.java   |  5 +--
 3 files changed, 30 insertions(+), 12 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/015d7a6d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
--
diff --git 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 0db3541..9e305e3 100644
--- 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -29,9 +29,11 @@ import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 
 public abstract class AbstractTokenValidator extends 
AbstractOAuthJoseJwtConsumer {
 private static final String SELF_ISSUED_ISSUER = "https://self-issued.me;;
@@ -54,44 +56,58 @@ public abstract class AbstractTokenValidator extends 
AbstractOAuthJoseJwtConsume
 // validate the issuer
 String issuer = claims.getIssuer();
 if (issuer == null && validateClaimsAlways) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
 }
 if (supportSelfIssuedProvider && issuerId == null 
 && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
-//TODO: self-issued provider token validation
+validateSelfIssuedProvider(claims, clientId, validateClaimsAlways);
 } else {
 if (issuer != null && !issuer.equals(issuerId)) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
 }
 // validate subject
 if (claims.getSubject() == null) {
-throw new SecurityException("Invalid subject");
+throw new OAuthServiceException("Invalid subject");
 }
 // validate audience
 List audiences = claims.getAudiences();
 if (StringUtils.isEmpty(audiences) && validateClaimsAlways 
 || !StringUtils.isEmpty(audiences) && 
!audiences.contains(clientId)) {
-throw new SecurityException("Invalid audience");
+throw new OAuthServiceException("Invalid audience");
 }
 
 // If strict time validation: if no issuedTime claim is set then 
an expiresAt claim must be set
 // Otherwise: validate only if expiresAt claim is set
 boolean expiredRequired = 
 validateClaimsAlways || strictTimeValidation && 
claims.getIssuedAt() == null;
-JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
+try {
+JwtUtils.validateJwtExpiry(claims, clockOffset, 
expiredRequired);
+} catch (JwtException ex) {
+throw new OAuthServiceException("ID Token has expired", ex);
+}
 
 // If strict time validation: If no expiresAt claim is set then an 
issuedAt claim must be set
 // Otherwise: validate only if issuedAt claim is set
 boolean issuedAtRequired = 
 validateClaimsAlways ||