Author: lindner
Date: Thu Jan 15 06:16:43 2009
New Revision: 734717

URL: http://svn.apache.org/viewvc?rev=734717&view=rev
Log:
SHINDIG-580 | Patch from Louis Ryan | Authentication filter doesn't distinguish 
between no authentication and invalid authentication

Modified:
    
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
    
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
    
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java

Modified: 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
 (original)
+++ 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationHandler.java
 Thu Jan 15 06:16:43 2009
@@ -17,6 +17,8 @@
  */
 package org.apache.shindig.auth;
 
+import java.util.Map;
+
 import javax.servlet.http.HttpServletRequest;
 
 /**
@@ -49,4 +51,43 @@
      * @return Header value for a WWW-Authenticate Header
      */
   String getWWWAuthenticateHeader(String realm);
+ 
+  /**
+   * An exception thrown by an AuthenticationHandler in the situation where
+   * a malformed credential or token is passed. A handler which throws this 
exception
+   * is required to include the appropriate error state in the servlet response
+   */
+  public static final class InvalidAuthenticationException extends 
RuntimeException {
+ 
+     private Map<String,String> additionalHeaders;
+     private String redirect;
+ 
+     /**
+      * @param message Message to output in error response
+      * @param cause Underlying exception
+      */
+     public InvalidAuthenticationException(String message, Throwable cause) {
+       this(message, cause, null, null);
+     }
+ 
+     /**
+      * @param message Message to output in error response
+      * @param additionalHeaders Headers to add to error response
+      * @param cause Underlying exception
+      */
+     public InvalidAuthenticationException(String message, Throwable cause,
+         Map<String,String> additionalHeaders, String redirect) {
+       super(message, cause);
+       this.additionalHeaders = additionalHeaders;
+       this.redirect = redirect;
+     }
+ 
+     public Map<String, String> getAdditionalHeaders() {
+       return additionalHeaders;
+     }
+ 
+     public String getRedirect() {
+       return redirect;
+     }
+   }
 }
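Review bot: The Javadoc of the four-argument constructor documents `message`, `additionalHeaders` and `cause` but not `redirect`, which the filter acts on by passing it to `sendRedirect`; add `@param redirect Location to send the client to instead of a 401 response, or null`. `additionalHeaders` and `redirect` are assigned only in the constructor and should be `private final`. The class comment says a throwing handler "is required to include the appropriate error state in the servlet response", but the filter builds that response itself from the exception's message, headers and redirect, so the sentence reads better as the handler supplying the error state through this exception. `getAdditionalHeaders()` hands back the map it was constructed with; returning it read-only (`Collections.unmodifiableMap`, which would need a `java.util.Collections` import) keeps the filter and other callers from mutating a handler's map.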

Modified: 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
 (original)
+++ 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/AuthenticationServletFilter.java
 Thu Jan 15 06:16:43 2009
@@ -23,6 +23,9 @@
 
 import java.io.IOException;
 import java.util.List;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -30,6 +33,7 @@
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpServletResponse;
 
 /**
  * Filter that attempts to authenticate an incoming HTTP request. It uses the 
guice injected
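Review bot: The added `import javax.servlet.http.HttpServletResponse;` duplicates the identical import on the line directly above it. javac ignores a repeated single-type import of the same type, so this compiles, but the new line should be dropped rather than left as noise in the import block.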
@@ -47,6 +51,9 @@
 
   private List<AuthenticationHandler> handlers;
 
+  private static final Logger logger = Logger.getLogger(
+      AuthenticationServletFilter.class.getName());
+
   @Inject
   public void setAuthenticationHandlers(List<AuthenticationHandler> handlers) {
     this.handlers = handlers;
@@ -63,20 +70,36 @@
 
     HttpServletRequest req = (HttpServletRequest) request;
     HttpServletResponse resp = (HttpServletResponse) response;
-    for (AuthenticationHandler handler : handlers) {
-      SecurityToken token = handler.getSecurityTokenFromRequest(req);
-      if (token != null) {
-        new 
AuthInfo(req).setAuthType(handler.getName()).setSecurityToken(token);
-        chain.doFilter(req, response);
-        return;
-      } else {
+
+    try {
+      for (AuthenticationHandler handler : handlers) {
+        SecurityToken token = handler.getSecurityTokenFromRequest(req);
+        if (token != null) {
+          new 
AuthInfo(req).setAuthType(handler.getName()).setSecurityToken(token);
+          chain.doFilter(req, response);
+          return;
+        } else {
           String authHeader = handler.getWWWAuthenticateHeader(realm);
           if (authHeader != null) {
               resp.addHeader("WWW-Authenticate", authHeader);
           }
+        }
+      }
+
+      // We did not find a security token so we will just pass null
+      chain.doFilter(req, response);
+    } catch (AuthenticationHandler.InvalidAuthenticationException iae) {
+      logger.log(Level.INFO, iae.getMessage(), iae.getCause());
+      if (iae.getAdditionalHeaders() != null) {
+        for (Map.Entry<String,String> entry : 
iae.getAdditionalHeaders().entrySet()) {
+          resp.addHeader(entry.getKey(), entry.getValue());
+        }
+      }
+      if (iae.getRedirect() != null) {
+        resp.sendRedirect(iae.getRedirect());
+      } else {
+        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, iae.getMessage());
       }
     }
-    // We did not find a security token so we will just pass null
-    chain.doFilter(req, response);
   }
 }
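Review bot: The new try block also encloses both `chain.doFilter(req, response)` calls, so an InvalidAuthenticationException raised anywhere downstream, not only by a handler's `getSecurityTokenFromRequest`, is caught here and answered with `sendError`/`sendRedirect` on a response the chain may already have committed, which fails with IllegalStateException; guarding only the handler call keeps the 401 path to credential parsing. Separately, `iae.getMessage()` is logged at INFO and echoed to the client through `sendError`, and with UrlParameterAuthenticationHandler now embedding the raw `st` value in that message the submitted token ends up in the log and, depending on how the container renders the sendError message, in the response body; a fixed client-facing message with the detail kept at a debug level avoids both. No handler in this commit sets a redirect, so the `sendRedirect` branch is unexercised; if a handler ever derives the target from request data it will need checking against relative or same-host locations before use.
```java
    for (AuthenticationHandler handler : handlers) {
      SecurityToken token;
      try {
        // Only credential parsing is guarded: a failure inside the filter chain
        // must not become a 401 written onto a possibly committed response.
        token = handler.getSecurityTokenFromRequest(req);
      } catch (AuthenticationHandler.InvalidAuthenticationException iae) {
        logger.log(Level.FINE, "Invalid credentials for handler " + handler.getName(),
            iae.getCause());
        // … unchanged: copy of iae.getAdditionalHeaders() into resp …
        if (iae.getRedirect() != null) {
          resp.sendRedirect(iae.getRedirect());
        } else {
          resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid authentication");
        }
        return;
      }
      if (token != null) {
        // … unchanged: AuthInfo setup, chain.doFilter, return …
      }
      // … unchanged: WWW-Authenticate header for this handler …
    }
    // We did not find a security token so we will just pass null
    chain.doFilter(req, response);
```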

Modified: 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
 (original)
+++ 
incubator/shindig/trunk/java/common/src/main/java/org/apache/shindig/auth/UrlParameterAuthenticationHandler.java
 Thu Jan 15 06:16:43 2009
@@ -19,8 +19,6 @@
 
 import java.util.Collections;
 import java.util.Map;
-import java.util.logging.Level;
-import java.util.logging.Logger;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -31,17 +29,12 @@
  */
 public class UrlParameterAuthenticationHandler implements 
AuthenticationHandler {
   public static final String AUTH_URL_PARAMETER = "SecurityTokenUrlParameter";
-
   private static final String TOKEN_PARAM = "st";
 
-  private static final Logger logger = Logger
-      .getLogger(UrlParameterAuthenticationHandler.class.getName());
-
   private final SecurityTokenDecoder securityTokenDecoder;
 
   @Inject
-  public UrlParameterAuthenticationHandler(
-      SecurityTokenDecoder securityTokenDecoder) {
+  public UrlParameterAuthenticationHandler(SecurityTokenDecoder 
securityTokenDecoder) {
     this.securityTokenDecoder = securityTokenDecoder;
   }
 
@@ -50,15 +43,14 @@
   }
 
   public SecurityToken getSecurityTokenFromRequest(HttpServletRequest request) 
{
+    Map<String, String> parameters = getMappedParameters(request);
     try {
-      Map<String, String> parameters = getMappedParameters(request);
       if (parameters.get(SecurityTokenDecoder.SECURITY_TOKEN_NAME) == null) {
         return null;
       }
       return securityTokenDecoder.createToken(parameters);
     } catch (SecurityTokenException e) {
-      logger.log(Level.INFO, "Valid security token not found.", e);
-      return null;
+      throw new InvalidAuthenticationException("Malformed security token " + 
parameters.get(SecurityTokenDecoder.SECURITY_TOKEN_NAME), e);
     }
   }
 
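Review bot: The new exception message concatenates the raw `st` parameter value (`parameters.get(SecurityTokenDecoder.SECURITY_TOKEN_NAME)`) into text that the filter logs at INFO and passes to `sendError`, so a submitted token is written to the log and echoed in the 401 body; before this change the value was neither logged nor returned. A fixed message, `throw new InvalidAuthenticationException("Malformed security token", e);`, keeps the credential out of both, and the decoder exception `e` is already attached as the cause for diagnosis. Hoisting `getMappedParameters(request)` above the try is fine as long as it cannot itself throw SecurityTokenException, which cannot be confirmed from this hunk.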

Modified: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
 (original)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
 Thu Jan 15 06:16:43 2009
@@ -23,12 +23,13 @@
 
 import com.google.inject.Inject;
 
+import org.apache.commons.lang.StringUtils;
+
 import net.oauth.OAuth;
+import net.oauth.OAuthException;
 import net.oauth.OAuthMessage;
 import net.oauth.server.OAuthServlet;
 
-import org.apache.commons.lang.StringUtils;
-
 import java.io.IOException;
 
 import javax.servlet.http.HttpServletRequest;
@@ -64,10 +65,14 @@
       return null;
     }
 
-    if (service.thirdPartyHasAccessToUser(requestMessage, containerKey, 
userId)) {
-      return service.getSecurityToken(containerKey, userId);
-    } else {
-      return null;
+    try {
+      if (service.thirdPartyHasAccessToUser(requestMessage, containerKey, 
userId)) {
+        return service.getSecurityToken(containerKey, userId);
+      } else {
+        return null;
+      }
+    } catch (OAuthException oae) {
+      throw new InvalidAuthenticationException(oae.getMessage(), oae);
     }
   }
 
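Review bot: `oae.getMessage()` becomes the text of the 401 response, and since SampleContainerOAuthLookupService now wraps IOException and URISyntaxException with `new OAuthException(e)`, that text is presumably the wrapped exception's `toString()`, i.e. an internal class name and, for URISyntaxException, the offending URL fragment. A fixed message, `throw new InvalidAuthenticationException("Invalid OAuth request", oae);`, keeps the cause available for logging without exposing it to the client. The if/else can also collapse to `return service.thirdPartyHasAccessToUser(requestMessage, containerKey, userId) ? service.getSecurityToken(containerKey, userId) : null;`. The enclosing method starts before the hunk.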

Modified: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
 (original)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
 Thu Jan 15 06:16:43 2009
@@ -22,12 +22,13 @@
 
 import com.google.inject.ImplementedBy;
 
+import net.oauth.OAuthException;
 import net.oauth.OAuthMessage;
 
 @ImplementedBy(SampleContainerOAuthLookupService.class)
 
 public interface OAuthLookupService {
   boolean thirdPartyHasAccessToUser(OAuthMessage message, String appUrl,
-      String userId);
+      String userId) throws OAuthException;
   SecurityToken getSecurityToken(String appUrl, String userId);
 }
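Review bot: The new `throws OAuthException` clause on `thirdPartyHasAccessToUser` is undocumented, yet the distinction between throwing and returning false is what the filter turns into a 401 versus an anonymous request. Add a method Javadoc with `@return true if the signed request grants the third party access to the user, false if the request is well-formed but access is not granted` and `@throws OAuthException if the message is malformed or its signature cannot be verified`, so implementations agree on which failures are credential errors.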

Modified: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java?rev=734717&r1=734716&r2=734717&view=diff
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
 (original)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
 Thu Jan 15 06:16:43 2009
@@ -57,13 +57,15 @@
       "8355", "SocialActivitiesWorldSharedSecret"
   );
 
-  public boolean thirdPartyHasAccessToUser(OAuthMessage message, String 
appUrl, String userId) {
+  public boolean thirdPartyHasAccessToUser(OAuthMessage message, String 
appUrl, String userId)
+    throws OAuthException {
     String appId = getAppId(appUrl);
     return hasValidSignature(message, appUrl, appId)
         && userHasAppInstalled(userId, appId);
   }
 
-  private boolean hasValidSignature(OAuthMessage message, String appUrl, 
String appId) {
+  private boolean hasValidSignature(OAuthMessage message, String appUrl, 
String appId)
+      throws OAuthException {
     String sharedSecret = sampleContainerSharedSecrets.get(appId);
     if (sharedSecret == null) {
       return false;
@@ -76,12 +78,10 @@
     SimpleOAuthValidator validator = new SimpleOAuthValidator();
     try {
       validator.validateMessage(message, accessor);
-    } catch (OAuthException e) {
-      return false;
     } catch (IOException e) {
-      return false;
+      throw new OAuthException(e);
     } catch (URISyntaxException e) {
-      return false;
+      throw new OAuthException(e);
     }
 
     return true;
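Review bot: Removing the `catch (OAuthException e) { return false; }` arm lets signature-validation failures from `validator.validateMessage` propagate, which is the intent, but the IOException and URISyntaxException arms now surface as OAuthException too and so become a 401 from the filter, although an IOException while the validator reads the request is a server-side failure rather than an invalid credential. Because `new OAuthException(e)` presumably adopts the wrapped exception's `toString()` as its message, that internal detail is also what reaches the client via the exception chain. Consider keeping IOException on a separate path, e.g. wrapping it in an unchecked exception so it reaches the container's error handling instead of the authentication-failure branch, and giving the URISyntaxException wrap an explicit message such as `new OAuthException("Invalid request URI")` with the cause attached. The enclosing method `hasValidSignature` starts before the hunk.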

