This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-whiteboard.git
The following commit(s) were added to refs/heads/master by this push: new 7d129f35 oidc-rp: don't allow anonymous access to the OIDC entry point 7d129f35 is described below commit 7d129f351f69d83bb5194ac9102a52ef929972a2 Author: Robert Munteanu <romb...@apache.org> AuthorDate: Wed Jul 5 16:25:45 2023 +0300 oidc-rp: don't allow anonymous access to the OIDC entry point --- org.apache.sling.servlets.oidc-rp/README.md | 1 - org.apache.sling.servlets.oidc-rp/pom.xml | 6 ++++++ .../org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java | 5 ++++- .../apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java | 5 ++++- 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/org.apache.sling.servlets.oidc-rp/README.md b/org.apache.sling.servlets.oidc-rp/README.md
index 8c4c36ad..341aba99 100644
--- a/org.apache.sling.servlets.oidc-rp/README.md
+++ b/org.apache.sling.servlets.oidc-rp/README.md
@@ -19,7 +19,6 @@ objective is to simplify access to user and access tokens in a secure manner.
 - provide a sample content package and instructions how to use
 - review to see if we can use more of the Nimbus SDK, e.g. enpodints discovery, token parsing
 - review security best practices
-- do not start the OIDC process if the user can't write to their home directory ( anonymous )
 
 ## Prerequisites
 
diff --git a/org.apache.sling.servlets.oidc-rp/pom.xml b/org.apache.sling.servlets.oidc-rp/pom.xml
index 9d092515..ea542db1 100644
--- a/org.apache.sling.servlets.oidc-rp/pom.xml
+++ b/org.apache.sling.servlets.oidc-rp/pom.xml
@@ -266,6 +266,12 @@
 <version>2.0.8</version>
 <scope>provided</scope>
 </dependency>
+ <dependency>
+ <groupId>org.apache.sling</groupId>
+ <artifactId>org.apache.sling.auth.core</artifactId>
+ <version>1.2.0</version>
+ <scope>provided</scope>
+ </dependency>
 <dependency>
 <groupId>com.nimbusds</groupId>
 <artifactId>oauth2-oidc-sdk</artifactId>
diff --git a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
index 94fa0777..769d6414 100644
--- a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
+++ b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
@@ -37,6 +37,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.servlets.SlingAllMethodsServlet;
+import org.apache.sling.auth.core.AuthConstants;
 import org.apache.sling.servlets.annotations.SlingServletPaths;
 import org.apache.sling.servlets.oidc_rp.OidcConnection;
 import org.osgi.service.component.annotations.Activate;
@@ -59,7 +60,9 @@ import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
 import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 
-@Component(service = { Servlet.class })
+@Component(service = { Servlet.class },
+ property = { AuthConstants.AUTH_REQUIREMENTS +"=" + OidcCallbackServlet.PATH }
+)
 @SlingServletPaths(OidcCallbackServlet.PATH)
 public class OidcCallbackServlet extends SlingAllMethodsServlet {
 
diff --git a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java
index 8b67aaf9..40645c3b 100644
--- a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java
+++ b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java
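Review bot: The new `sling.auth.requirements` property on the `@Component` annotation is the only thing keeping anonymous sessions out of OidcCallbackServlet; the request handlers themselves lie outside this hunk and do not check the caller, and the identical change to OidcEntryPointServlet in the next file has the same gap. That property is honoured by the Sling authenticator alone, so a deployment that disables it, or registers a later `-`-prefixed requirement for the same path, would let the callback run for an anonymous session — which, going by the README item this commit removes, is exactly the case where the tokens cannot be persisted under the user's home. A defence-in-depth guard at the top of the handler, e.g. `if (request.getResourceResolver().getUserID() == null) { response.sendError(HttpServletResponse.SC_FORBIDDEN); return; }` (extended to also reject the deployment's configured anonymous user id, since Sling normally resolves anonymous requests to a named user rather than null), keeps the invariant independent of authenticator configuration. A short comment above `property`, such as `// authenticated users only: obtained tokens are stored under the user's home, which anonymous cannot write`, would record why the requirement exists.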
@@ -35,6 +35,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.servlets.SlingAllMethodsServlet;
+import org.apache.sling.auth.core.AuthConstants;
 import org.apache.sling.servlets.annotations.SlingServletPaths;
 import org.apache.sling.servlets.oidc_rp.OidcConnection;
 import org.osgi.service.component.annotations.Activate;
@@ -51,7 +52,9 @@ import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
 import com.nimbusds.openid.connect.sdk.Nonce;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 
-@Component(service = { Servlet.class })
+@Component(service = { Servlet.class },
+ property = { AuthConstants.AUTH_REQUIREMENTS +"=" + OidcEntryPointServlet.PATH }
+)
 @SlingServletPaths(OidcEntryPointServlet.PATH)
 public class OidcEntryPointServlet extends SlingAllMethodsServlet {
 private static final long serialVersionUID = 1L;