Author: sergeyb
Date: Tue Aug 28 16:28:19 2012
New Revision: 1378210
URL: http://svn.apache.org/viewvc?rev=1378210&view=rev
Log:
Merged revisions 1378155 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1378155 | sergeyb | 2012-08-28 15:53:59 +0100 (Tue, 28 Aug 2012) | 1 line
[CXF-4432] Minor updates to the way OOB responses can be presented
........
Modified:
cxf/branches/2.6.x-fixes/ (props changed)
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
svn:mergeinfo = /cxf/trunk:1378155
Propchange: cxf/branches/2.6.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified:
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java?rev=1378210&r1=1378209&r2=1378210&view=diff
==============================================================================
---
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
(original)
+++
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestHandler.java
Tue Aug 28 16:28:19 2012
@@ -36,7 +36,7 @@ import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
-import javax.ws.rs.core.MediaType;
+import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
@@ -81,14 +81,22 @@ public class AuthorizationRequestHandler
throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
}
+ String decision =
oAuthMessage.getParameter(OAuthConstants.AUTHORIZATION_DECISION_KEY);
+
OAuthAuthorizationData secData = new OAuthAuthorizationData();
if (!compareRequestSessionTokens(request, oAuthMessage)) {
+ if (decision != null) {
+ // this is a user decision request, the session has
expired or been possibly hijacked
+ LOG.warning("Session authenticity token is missing or
invalid");
+ throw new WebApplicationException(400);
+ }
+ // assume it is an initial authorization request
addAuthenticityTokenToSession(secData, request);
return Response.ok(
addAdditionalParams(secData, dataProvider,
token)).build();
}
- String decision =
oAuthMessage.getParameter(OAuthConstants.AUTHORIZATION_DECISION_KEY);
+
boolean allow =
OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
Map<String, String> queryParams = new HashMap<String, String>();
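Review bot: The new mismatch branch throws a bare `WebApplicationException(400)` while the rejection at the top of this hunk uses `OAuthProblemException(OAuth.Problems.TOKEN_REJECTED)`, so the two failure paths of one method report in different styles and the 400 carries no entity a client can act on; either reuse the problem exception or attach a reason, e.g. `throw new WebApplicationException(Response.status(400).entity("Session authenticity token is missing or invalid").build());`. The warning logged just before it carries no request-identifying context, so repeated failures cannot be correlated in logs; adding the request token's identifier (presumably available from `token`, never the session authenticity value itself) would help detection of forged decision submissions. The comment could state the defensive intent more precisely, e.g. `// decision submitted without a matching session token: stale session or a forged (CSRF) decision request - reject rather than silently re-issue a token`. The enclosing method starts before and continues after this hunk.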
@@ -142,7 +150,7 @@ public class AuthorizationRequestHandler
String callbackValue = getCallbackValue(token);
if (OAuthConstants.OAUTH_CALLBACK_OOB.equals(callbackValue)) {
OOBAuthorizationResponse bean =
convertQueryParamsToOOB(queryParams);
- return
Response.ok().type(MediaType.TEXT_HTML).entity(bean).build();
+ return Response.ok().entity(bean).build();
} else {
URI callbackURI = buildCallbackURI(callbackValue, queryParams);
return Response.seeOther(callbackURI).build();
Modified:
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java?rev=1378210&r1=1378209&r2=1378210&view=diff
==============================================================================
---
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
(original)
+++
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java
Tue Aug 28 16:28:19 2012
@@ -59,6 +59,7 @@ public class AuthorizationRequestService
@GET
@Path("/decision")
+ @Produces({"application/xhtml+xml", "text/html", "application/xml;q=0.9",
"application/json;q=0.9" })
public Response authorizeDecision() {
return authorize();
}
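Review bot: The media-type arrays added to `authorizeDecision()` here and to `authorizeDecisionForm()` in the next hunk are duplicated literals that already differ (the form variant also lists `application/x-www-form-urlencoded`, a request-body type that is unusual in `@Produces` unless a provider is meant to render the OOB bean as form data); extracting each type into a compile-time `private static final String` constant (annotation values cannot reference a `String[]` field) would keep the two resource methods from drifting. The `q=0.9` parameters on the XML and JSON entries read like client-side Accept weights; JAX-RS 2.0 expresses server-side preference with `qs`, so please confirm CXF 2.6 honours `q` inside `@Produces`, otherwise all entries carry equal weight and a client sending `Accept: */*` may receive an unexpected representation. Since `OOBAuthorizationResponse` is now served in negotiated formats, a short Javadoc on `authorizeDecision()` naming the representations in which the OOB verifier may be rendered would document the widened surface.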
@@ -66,6 +67,11 @@ public class AuthorizationRequestService
@POST
@Path("/decision")
@Consumes("application/x-www-form-urlencoded")
+ @Produces({"application/xhtml+xml",
+ "text/html",
+ "application/xml;q=0.9",
+ "application/json;q=0.9",
+ "application/x-www-form-urlencoded" })
public Response authorizeDecisionForm() {
return authorizeDecision();
}
Modified:
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java?rev=1378210&r1=1378209&r2=1378210&view=diff
==============================================================================
---
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java
(original)
+++
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java
Tue Aug 28 16:28:19 2012
@@ -18,6 +18,9 @@
*/
package org.apache.cxf.rs.security.oauth.services;
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement
public class OOBAuthorizationResponse {
private String requestToken;
private String verifier;
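Review bot: `OOBAuthorizationResponse` gains `@XmlRootElement` with no class Javadoc, so nothing records that this bean is the out-of-band payload shown to the end user and that its properties (including `verifier`) now form a wire format in every negotiated representation. A Javadoc such as `/** Out-of-band authorization response presented to the resource owner when the client registered an 'oob' callback; property names are serialized as XML/JSON element names and are part of the public format. */` would capture that. Because no `name` is given, the root element name is derived from the class name by JAXB's own rule, which is easy to misread for an all-caps prefix like `OOB`; `@XmlRootElement(name = "<element-name>")` with an explicit value pins it. The class body continues past this hunk.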
Modified:
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java?rev=1378210&r1=1378209&r2=1378210&view=diff
==============================================================================
---
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
(original)
+++
cxf/branches/2.6.x-fixes/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/RequestTokenHandler.java
Tue Aug 28 16:28:19 2012
@@ -124,14 +124,20 @@ public class RequestTokenHandler {
protected void validateCallbackURL(Client client,
String oauthCallback) throws
OAuthProblemException {
// the callback must not be empty or null, and it should either match
- // the pre-registered callback URI or have the common root with the
- // the pre-registered application URI
- if (!StringUtils.isEmpty(oauthCallback)
- && (!StringUtils.isEmpty(client.getCallbackURI())
- && oauthCallback.equals(client.getCallbackURI())
- || !StringUtils.isEmpty(client.getApplicationURI())
- && oauthCallback.startsWith(client.getApplicationURI()))) {
- return;
+ // the registered callback URI or have the common root with the
+ // the registered application URI (but only if no callback was
registered)
+ if (!StringUtils.isEmpty(oauthCallback)) {
+ boolean registeredCallbackIsEmpty =
StringUtils.isEmpty(client.getCallbackURI());
+ if (!registeredCallbackIsEmpty
+ && oauthCallback.equals(client.getCallbackURI())) {
+ return;
+ }
+ if (registeredCallbackIsEmpty
+ && !StringUtils.isEmpty(client.getApplicationURI())
+ && oauthCallback.startsWith(client.getApplicationURI())) {
+ return;
+ }
+
}
OAuthProblemException problemEx = new OAuthProblemException(
OAuth.Problems.PARAMETER_REJECTED + " - " + OAuth.OAUTH_CALLBACK);
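Review bot: The fallback branch accepts any `oauthCallback` that merely `startsWith(client.getApplicationURI())`, so when the registered application URI is stored without a trailing slash (constructed sample: `https://app.example`) a callback on a different host whose name only begins with that string, or one that appends a query string, passes the check and is treated as trusted. Comparing parsed URIs - same scheme, host and port, with the callback path extending the application path at a segment boundary - closes that gap while keeping the intended behaviour; the rewrite below factors the comparison into a small helper. The rewritten comment also still repeats `the the` before `registered application URI`. `validateCallbackURL` continues past the end of the hunk.
```java
            if (registeredCallbackIsEmpty
                && !StringUtils.isEmpty(client.getApplicationURI())
                && sharesRegisteredRoot(oauthCallback, client.getApplicationURI())) {
                return;
            }
        // … unchanged: rest of validateCallbackURL (problem exception construction) …

    /**
     * True when {@code callback} and the registered application URI agree on
     * scheme, host and port and the callback path extends the application path
     * at a segment boundary. Unparsable input is rejected.
     */
    private static boolean sharesRegisteredRoot(String callback, String applicationUri) {
        try {
            java.net.URI cb = new java.net.URI(callback).normalize();
            java.net.URI app = new java.net.URI(applicationUri).normalize();
            if (cb.getScheme() == null || app.getScheme() == null
                || !cb.getScheme().equalsIgnoreCase(app.getScheme())
                || cb.getHost() == null || app.getHost() == null
                || !cb.getHost().equalsIgnoreCase(app.getHost())
                || cb.getPort() != app.getPort()) {
                return false;
            }
            String appPath = app.getPath().isEmpty() ? "/" : app.getPath();
            String cbPath = cb.getPath().isEmpty() ? "/" : cb.getPath();
            return cbPath.equals(appPath)
                || cbPath.startsWith(appPath.endsWith("/") ? appPath : appPath + "/");
        } catch (java.net.URISyntaxException ex) {
            return false;
        }
    }
```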