This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sling-whiteboard.git


The following commit(s) were added to refs/heads/master by this push:
     new 7d129f35 oidc-rp: don't allow anonymous access to the OIDC entry point
7d129f35 is described below

commit 7d129f351f69d83bb5194ac9102a52ef929972a2
Author: Robert Munteanu <romb...@apache.org>
AuthorDate: Wed Jul 5 16:25:45 2023 +0300

    oidc-rp: don't allow anonymous access to the OIDC entry point
---
 org.apache.sling.servlets.oidc-rp/README.md                         | 1 -
 org.apache.sling.servlets.oidc-rp/pom.xml                           | 6 ++++++
 .../org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java | 5 ++++-
 .../apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java   | 5 ++++-
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/org.apache.sling.servlets.oidc-rp/README.md 
b/org.apache.sling.servlets.oidc-rp/README.md
index 8c4c36ad..341aba99 100644
--- a/org.apache.sling.servlets.oidc-rp/README.md
+++ b/org.apache.sling.servlets.oidc-rp/README.md
@@ -19,7 +19,6 @@ objective is to simplify access to user and access tokens in 
a secure manner.
 - provide a sample content package and instructions how to use
 - review to see if we can use more of the Nimbus SDK, e.g. enpodints 
discovery, token parsing
 - review security best practices
-- do not start the OIDC process if the user can't write to their home 
directory ( anonymous )
 
 ## Prerequisites
 
diff --git a/org.apache.sling.servlets.oidc-rp/pom.xml 
b/org.apache.sling.servlets.oidc-rp/pom.xml
index 9d092515..ea542db1 100644
--- a/org.apache.sling.servlets.oidc-rp/pom.xml
+++ b/org.apache.sling.servlets.oidc-rp/pom.xml
@@ -266,6 +266,12 @@
             <version>2.0.8</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.apache.sling</groupId>
+            <artifactId>org.apache.sling.auth.core</artifactId>
+            <version>1.2.0</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>com.nimbusds</groupId>
             <artifactId>oauth2-oidc-sdk</artifactId>
diff --git 
a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
 
b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
index 94fa0777..769d6414 100644
--- 
a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
+++ 
b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
@@ -37,6 +37,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.servlets.SlingAllMethodsServlet;
+import org.apache.sling.auth.core.AuthConstants;
 import org.apache.sling.servlets.annotations.SlingServletPaths;
 import org.apache.sling.servlets.oidc_rp.OidcConnection;
 import org.osgi.service.component.annotations.Activate;
@@ -59,7 +60,9 @@ import 
com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
 import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 
-@Component(service = { Servlet.class })
+@Component(service = { Servlet.class },
+    property = { AuthConstants.AUTH_REQUIREMENTS +"=" + 
OidcCallbackServlet.PATH }
+)
 @SlingServletPaths(OidcCallbackServlet.PATH)
 public class OidcCallbackServlet extends SlingAllMethodsServlet {
 
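Review bot: The new `property = { AuthConstants.AUTH_REQUIREMENTS + "=" + OidcCallbackServlet.PATH }` entry has a non-obvious consequence that the hunk leaves undocumented: the provider's redirect back to `PATH` is only processed when the browser already carries an authenticated Sling session, and an anonymous callback is handed to the login handler so the authorization response is lost. A one-line comment above the `property` entry would make this explicit, e.g. `// require an authenticated Sling user: the callback presumably runs as the user whose home receives the tokens`. As far as I recall, Sling's authenticator applies `sling.auth.requirements` entries as path prefixes, so anything below `PATH` is gated too; if the servlet serves sub-resources that is worth noting as well. The same construct appears in the `OidcEntryPointServlet` hunk. The class body continues outside the hunk.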
diff --git 
a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java
 
b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java
index 8b67aaf9..40645c3b 100644
--- 
a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java
+++ 
b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcEntryPointServlet.java
@@ -35,6 +35,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.sling.api.SlingHttpServletRequest;
 import org.apache.sling.api.SlingHttpServletResponse;
 import org.apache.sling.api.servlets.SlingAllMethodsServlet;
+import org.apache.sling.auth.core.AuthConstants;
 import org.apache.sling.servlets.annotations.SlingServletPaths;
 import org.apache.sling.servlets.oidc_rp.OidcConnection;
 import org.osgi.service.component.annotations.Activate;
@@ -51,7 +52,9 @@ import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
 import com.nimbusds.openid.connect.sdk.Nonce;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 
-@Component(service = { Servlet.class })
+@Component(service = { Servlet.class },
+    property = { AuthConstants.AUTH_REQUIREMENTS +"=" + 
OidcEntryPointServlet.PATH }
+)
 @SlingServletPaths(OidcEntryPointServlet.PATH)
 public class OidcEntryPointServlet extends SlingAllMethodsServlet {
     private static final long serialVersionUID = 1L;
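Review bot: Requiring an authenticated user is only a proxy for the README item this commit removes ("do not start the OIDC process if the user can't write to their home directory"): a non-anonymous principal without a writable home (a service user, for instance) is still sent to the provider and presumably fails later, after the round trip. If that case matters, the request handler (outside this hunk) should resolve the user's home and check write access before building the `AuthenticationRequest`. Minor style point on the added line: the spacing around `+` is uneven; `AuthConstants.AUTH_REQUIREMENTS + "=" + OidcEntryPointServlet.PATH` reads cleaner, and the same applies in `OidcCallbackServlet`.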
