Author: lindner
Date: Thu Jan 15 06:16:43 2009
New Revision: 734717
URL: http://svn.apache.org/viewvc?rev=734717&view=rev
Log:
SHINDIG-580 | Patch from Louis Ryan | Authentication filter doesn't distinguish
between no authentication and invalid authentication
Modified:
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
Modified:
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
---
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
(original)
+++
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
Thu Jan 15 06:16:43 2009
@@ -17,6 +17,8 @@
*/
package org.apache.shindig.auth;
+import java.util.Map;
+
import javax.servlet.http.HttpServletRequest;
/**
@@ -49,4 +51,43 @@
* @return Header value for a WWW-Authenticate Header
*/
String getWWWAuthenticateHeader(String realm);
+
+ /**
+ * An exception thrown by an AuthenticationHandler in the situation where
+ * a malformed credential or token is passed. A handler which throws this
exception
+ * is required to include the appropriate error state in the servlet response
+ */
+ public static final class InvalidAuthenticationException extends
RuntimeException {
+
+ private Map<String,String> additionalHeaders;
+ private String redirect;
+
+ /**
+ * @param message Message to output in error response
+ * @param cause Underlying exception
+ */
+ public InvalidAuthenticationException(String message, Throwable cause) {
+ this(message, cause, null, null);
+ }
+
+ /**
+ * @param message Message to output in error response
+ * @param additionalHeaders Headers to add to error response
+ * @param cause Underlying exception
+ */
+ public InvalidAuthenticationException(String message, Throwable cause,
+ Map<String,String> additionalHeaders, String redirect) {
+ super(message, cause);
+ this.additionalHeaders = additionalHeaders;
+ this.redirect = redirect;
+ }
+
+ public Map<String, String> getAdditionalHeaders() {
+ return additionalHeaders;
+ }
+
+ public String getRedirect() {
+ return redirect;
+ }
+ }
}
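Review bot: The Javadoc for the four-argument constructor omits `redirect`, and neither constructor says how AuthenticationServletFilter consumes these values in this same commit: the message is written into the client-visible 401 body via `sendError` and `redirect` is handed straight to `sendRedirect`, so handlers must keep request-derived values (such as a submitted token) out of the message and only supply server-chosen redirect targets. Add `@param redirect Location to send the client to instead of a 401 response; must not be derived from request input` and one sentence on the message being echoed to the client. Both fields are assigned only in the constructor, so they can be `private final Map<String,String> additionalHeaders;` and `private final String redirect;`. Since the map is returned as-is from `getAdditionalHeaders()`, the doc should also say callers must not modify it.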
Modified:
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
---
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
(original)
+++
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
Thu Jan 15 06:16:43 2009
@@ -23,6 +23,9 @@
import java.io.IOException;
import java.util.List;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
@@ -30,6 +33,7 @@
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponse;
/**
* Filter that attempts to authenticate an incoming HTTP request. It uses the
guice injected
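Review bot: The added `import javax.servlet.http.HttpServletResponse;` duplicates the identical import on the line directly above it. The compiler tolerates a repeated single-type import of the same type, but the second line is noise and should be dropped.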
@@ -47,6 +51,9 @@
private List<AuthenticationHandler> handlers;
+ private static final Logger logger = Logger.getLogger(
+ AuthenticationServletFilter.class.getName());
+
@Inject
public void setAuthenticationHandlers(List<AuthenticationHandler> handlers) {
this.handlers = handlers;
@@ -63,20 +70,36 @@
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
- for (AuthenticationHandler handler : handlers) {
- SecurityToken token = handler.getSecurityTokenFromRequest(req);
- if (token != null) {
- new
AuthInfo(req).setAuthType(handler.getName()).setSecurityToken(token);
- chain.doFilter(req, response);
- return;
- } else {
+
+ try {
+ for (AuthenticationHandler handler : handlers) {
+ SecurityToken token = handler.getSecurityTokenFromRequest(req);
+ if (token != null) {
+ new
AuthInfo(req).setAuthType(handler.getName()).setSecurityToken(token);
+ chain.doFilter(req, response);
+ return;
+ } else {
String authHeader = handler.getWWWAuthenticateHeader(realm);
if (authHeader != null) {
resp.addHeader("WWW-Authenticate", authHeader);
}
+ }
+ }
+
+ // We did not find a security token so we will just pass null
+ chain.doFilter(req, response);
+ } catch (AuthenticationHandler.InvalidAuthenticationException iae) {
+ logger.log(Level.INFO, iae.getMessage(), iae.getCause());
+ if (iae.getAdditionalHeaders() != null) {
+ for (Map.Entry<String,String> entry :
iae.getAdditionalHeaders().entrySet()) {
+ resp.addHeader(entry.getKey(), entry.getValue());
+ }
+ }
+ if (iae.getRedirect() != null) {
+ resp.sendRedirect(iae.getRedirect());
+ } else {
+ resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, iae.getMessage());
}
}
- // We did not find a security token so we will just pass null
- chain.doFilter(req, response);
}
}
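Review bot: The new try block also encloses both `chain.doFilter` calls, so an InvalidAuthenticationException thrown anywhere downstream is converted into a 401 here, and if the downstream code has already committed the response the `sendError`/`sendRedirect` in the catch will fail with IllegalStateException. Narrowing the try to the `getSecurityTokenFromRequest` call and returning from the catch keeps the handling next to the handler that rejected the credential. Separately, `resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, iae.getMessage())` puts the handler's message into the response body, and UrlParameterAuthenticationHandler in this commit builds that message from the submitted token value, so the client-visible text should be a fixed string with the detail kept in the log entry; whether a container HTML-escapes a sendError message varies, which is a further reason not to echo request data there. The enclosing doFilter method starts before this hunk.
```java
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    for (AuthenticationHandler handler : handlers) {
      SecurityToken token;
      try {
        token = handler.getSecurityTokenFromRequest(req);
      } catch (AuthenticationHandler.InvalidAuthenticationException iae) {
        logger.log(Level.INFO, iae.getMessage(), iae.getCause());
        // … unchanged: copy iae.getAdditionalHeaders() onto resp …
        if (iae.getRedirect() != null) {
          resp.sendRedirect(iae.getRedirect());
        } else {
          // Fixed text for the client; the handler's detail stays in the log entry above.
          resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid authentication credentials");
        }
        return;
      }
      if (token != null) {
        new AuthInfo(req).setAuthType(handler.getName()).setSecurityToken(token);
        chain.doFilter(req, response);
        return;
      }
      // … unchanged: add this handler's WWW-Authenticate header …
    }

    // We did not find a security token so we will just pass null
    chain.doFilter(req, response);
```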
Modified:
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
---
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
(original)
+++
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
Thu Jan 15 06:16:43 2009
@@ -19,8 +19,6 @@
import java.util.Collections;
import java.util.Map;
-import java.util.logging.Level;
-import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
@@ -31,17 +29,12 @@
*/
public class UrlParameterAuthenticationHandler implements
AuthenticationHandler {
public static final String AUTH_URL_PARAMETER = "SecurityTokenUrlParameter";
-
private static final String TOKEN_PARAM = "st";
- private static final Logger logger = Logger
- .getLogger(UrlParameterAuthenticationHandler.class.getName());
-
private final SecurityTokenDecoder securityTokenDecoder;
@Inject
- public UrlParameterAuthenticationHandler(
- SecurityTokenDecoder securityTokenDecoder) {
+ public UrlParameterAuthenticationHandler(SecurityTokenDecoder
securityTokenDecoder) {
this.securityTokenDecoder = securityTokenDecoder;
}
@@ -50,15 +43,14 @@
}
public SecurityToken getSecurityTokenFromRequest(HttpServletRequest request)
{
+ Map<String, String> parameters = getMappedParameters(request);
try {
- Map<String, String> parameters = getMappedParameters(request);
if (parameters.get(SecurityTokenDecoder.SECURITY_TOKEN_NAME) == null) {
return null;
}
return securityTokenDecoder.createToken(parameters);
} catch (SecurityTokenException e) {
- logger.log(Level.INFO, "Valid security token not found.", e);
- return null;
+ throw new InvalidAuthenticationException("Malformed security token " +
parameters.get(SecurityTokenDecoder.SECURITY_TOKEN_NAME), e);
}
}
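Review bot: The new exception message concatenates the raw security-token parameter value, and AuthenticationServletFilter in this commit both logs that message at INFO and echoes it to the client through `sendError`, so a client-supplied credential string lands in server logs and in the error body. Prefer a message without the value, `throw new InvalidAuthenticationException("Malformed security token", e);`, and leave the detail in the SecurityTokenException cause, which the filter already logs separately. Hoisting `getMappedParameters` out of the try is fine, since only SecurityTokenException is caught there.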
Modified:
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
---
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
(original)
+++
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
Thu Jan 15 06:16:43 2009
@@ -23,12 +23,13 @@
import com.google.inject.Inject;
+import org.apache.commons.lang.StringUtils;
+
import net.oauth.OAuth;
+import net.oauth.OAuthException;
import net.oauth.OAuthMessage;
import net.oauth.server.OAuthServlet;
-import org.apache.commons.lang.StringUtils;
-
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
@@ -64,10 +65,14 @@
return null;
}
- if (service.thirdPartyHasAccessToUser(requestMessage, containerKey,
userId)) {
- return service.getSecurityToken(containerKey, userId);
- } else {
- return null;
+ try {
+ if (service.thirdPartyHasAccessToUser(requestMessage, containerKey,
userId)) {
+ return service.getSecurityToken(containerKey, userId);
+ } else {
+ return null;
+ }
+ } catch (OAuthException oae) {
+ throw new InvalidAuthenticationException(oae.getMessage(), oae);
}
}
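Review bot: `oae.getMessage()` becomes the client-visible 401 text through the filter's `sendError`, and for the exceptions that SampleContainerOAuthLookupService now creates with `new OAuthException(e)` that message, if OAuthException follows the standard Exception(Throwable) form, is the wrapped IOException or URISyntaxException's toString, which exposes internal exception text to the caller. A fixed message keeps that out of the response while the cause still carries the detail for the log: `throw new InvalidAuthenticationException("OAuth request could not be validated", oae);`. The enclosing getSecurityTokenFromRequest method starts before this hunk.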
Modified:
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
---
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
(original)
+++
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
Thu Jan 15 06:16:43 2009
@@ -22,12 +22,13 @@
import com.google.inject.ImplementedBy;
+import net.oauth.OAuthException;
import net.oauth.OAuthMessage;
@ImplementedBy(SampleContainerOAuthLookupService.class)
public interface OAuthLookupService {
boolean thirdPartyHasAccessToUser(OAuthMessage message, String appUrl,
- String userId);
+ String userId) throws OAuthException;
SecurityToken getSecurityToken(String appUrl, String userId);
}
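Review bot: The interface now has two failure modes, returning false and throwing OAuthException, but nothing documents which condition maps to which, and the caller in this commit treats them very differently (false yields a null token and an unauthenticated pass-through, the exception yields a 401). Add Javadoc to thirdPartyHasAccessToUser along the lines of `@return true if the consumer identified by appUrl may act on behalf of userId, false if it may not` and `@throws OAuthException if the OAuth message cannot be validated (malformed or unverifiable request)`, so implementors do not turn an authorization denial into an exception or vice versa.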
Modified:
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
---
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
(original)
+++
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
Thu Jan 15 06:16:43 2009
@@ -57,13 +57,15 @@
"8355", "SocialActivitiesWorldSharedSecret"
);
- public boolean thirdPartyHasAccessToUser(OAuthMessage message, String
appUrl, String userId) {
+ public boolean thirdPartyHasAccessToUser(OAuthMessage message, String
appUrl, String userId)
+ throws OAuthException {
String appId = getAppId(appUrl);
return hasValidSignature(message, appUrl, appId)
&& userHasAppInstalled(userId, appId);
}
- private boolean hasValidSignature(OAuthMessage message, String appUrl,
String appId) {
+ private boolean hasValidSignature(OAuthMessage message, String appUrl,
String appId)
+ throws OAuthException {
String sharedSecret = sampleContainerSharedSecrets.get(appId);
if (sharedSecret == null) {
return false;
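Review bot: The public thirdPartyHasAccessToUser now declares `throws OAuthException` but has no Javadoc saying when that happens versus returning false; from the second hunk of this file, validation failures and I/O or URI errors now propagate while an unknown app (no shared secret) still returns false. Add a comment such as `/** @throws OAuthException if the message fails OAuth validation or an I/O or URI error occurs while validating it; returns false when no shared secret is registered for the app. */` on the public method, and the same `@throws` on the private hasValidSignature.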
@@ -76,12 +78,10 @@
SimpleOAuthValidator validator = new SimpleOAuthValidator();
try {
validator.validateMessage(message, accessor);
- } catch (OAuthException e) {
- return false;
} catch (IOException e) {
- return false;
+ throw new OAuthException(e);
} catch (URISyntaxException e) {
- return false;
+ throw new OAuthException(e);
}
return true;