Author: sergeyb
Date: Thu Oct 11 11:27:08 2012
New Revision: 1396988
URL: http://svn.apache.org/viewvc?rev=1396988&view=rev
Log:
[CXF-4548,CXF-4549] Enabling the use of customized session providers, adding
more information to OAuthContext, patches applied with thanks to Thorsten Hoeger
Added:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
(with props)
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java?rev=1396988&r1=1396987&r2=1396988&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
(original)
+++
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
Thu Oct 11 11:27:08 2012
@@ -31,6 +31,8 @@ public class OAuthContext {
private UserSubject subject;
private List<OAuthPermission> permissions;
private String tokenGrantType;
+ private String clientId;
+ private String tokenKey;
public OAuthContext(UserSubject subject,
List<OAuthPermission> perms,
@@ -66,5 +68,35 @@ public class OAuthContext {
return tokenGrantType;
}
-
+ /**
+ * Returns the client which obtained the access token
+ * @return the client id
+ */
+ public String getClientId() {
+ return clientId;
+ }
+
+ /**
+ * Sets the client which obtained the access token
+ * @param clientId
+ */
+ public void setClientId(String clientId) {
+ this.clientId = clientId;
+ }
+
+ /**
+ * Returns the access token the client is using now during the current
request
+ * @return the token
+ */
+ public String getTokenKey() {
+ return tokenKey;
+ }
+
+ /**
+ * Sets the access token the client is using now during the current request
+ * @param tokenKey
+ */
+ public void setTokenKey(String tokenKey) {
+ this.tokenKey = tokenKey;
+ }
}
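Review bot: The `@param clientId` and `@param tokenKey` tags on the two new setters carry no description, so the generated Javadoc shows empty parameter entries; `@param clientId the id of the client which obtained the access token` and `@param tokenKey the key of the access token used in the current request` would complete them. Since `getTokenKey()` hands out the credential the client is presenting, its Javadoc should also state what the value is meant for on the server side (looking the token up or revoking it) so that callers do not treat it as a display value. The new fields are plain mutable properties, so an accessor-level comment that the context is populated once by the request filter would clarify ownership.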
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java?rev=1396988&r1=1396987&r2=1396988&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
(original)
+++
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
Thu Oct 11 11:27:08 2012
@@ -79,9 +79,14 @@ public class OAuthRequestFilter extends
m.put(SecurityContext.class, sc);
// Also set the OAuthContext
- m.setContent(OAuthContext.class, new
OAuthContext(accessTokenV.getTokenSubject(),
- matchingPermissions,
-
accessTokenV.getTokenGrantType()));
+ OAuthContext oauthContext = new
OAuthContext(accessTokenV.getTokenSubject(),
+ matchingPermissions,
+
accessTokenV.getTokenGrantType());
+
+ oauthContext.setClientId(accessTokenV.getClientId());
+ oauthContext.setTokenKey(accessTokenV.getTokenKey());
+
+ m.setContent(OAuthContext.class, oauthContext);
return null;
}
Added:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java?rev=1396988&view=auto
==============================================================================
---
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
(added)
+++
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
Thu Oct 11 11:27:08 2012
@@ -0,0 +1,53 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import org.apache.cxf.jaxrs.ext.MessageContext;
+
+/**
+ * SessionAuthenticityTokenProvider responsible for storing and retrieving
tokens
+ * to validate the authenticity of request sessions
+ */
+public interface SessionAuthenticityTokenProvider {
+
+ /**
+ * Creates a new session token and stores it
+ *
+ * @param mc the {@link MessageContext} of this request
+ * @return the created session token
+ */
+ String createSessionToken(MessageContext mc);
+
+ /**
+ * Retrieves the stored session token
+ *
+ * @param mc the {@link MessageContext} of this request
+ * @return the stored token
+ */
+ String getSessionToken(MessageContext mc);
+
+ /**
+ * Removes the stored session token
+ *
+ * @param mc the {@link MessageContext} of this request
+ */
+ String removeSessionToken(MessageContext mc);
+
+}
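Review bot: `removeSessionToken` returns a `String` but its Javadoc has no `@return`, and the wording "Removes the stored session token" does not say that the removed value must be returned; `RedirectionBasedGrantService.compareRequestAndSessionTokens` in this same commit uses that return value as the session token to compare against, so an implementation returning `null` would fail every authorization request. Add `@return the token that was stored, or null if none was stored` and say explicitly that the call must both remove and return it. The interface should also state the contract the default implementation satisfies: `createSessionToken` must return a fresh, unpredictable value per request (the built-in path uses `UUID.randomUUID()`) and the token is single-use, since it is consumed by `removeSessionToken` on verification. `getSessionToken` is not called by any of the changed code in this commit, so its intended use would be worth a sentence as well.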
Propchange:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SessionAuthenticityTokenProvider.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified:
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java?rev=1396988&r1=1396987&r2=1396988&view=diff
==============================================================================
---
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
(original)
+++
cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
Thu Oct 11 11:27:08 2012
@@ -41,6 +41,7 @@ import org.apache.cxf.rs.security.oauth2
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import
org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
@@ -53,6 +54,8 @@ public abstract class RedirectionBasedGr
private String supportedResponseType;
private String supportedGrantType;
private boolean isClientConfidential;
+ private SessionAuthenticityTokenProvider sessionAuthenticityTokenProvider;
+
protected RedirectionBasedGrantService(String supportedResponseType,
String supportedGrantType,
boolean isConfidential) {
@@ -234,6 +237,10 @@ public abstract class RedirectionBasedGr
}
+ public void
setSessionAuthenticityTokenProvider(SessionAuthenticityTokenProvider
sessionAuthenticityTokenProvider) {
+ this.sessionAuthenticityTokenProvider =
sessionAuthenticityTokenProvider;
+ }
+
private UserSubject createUserSubject(SecurityContext securityContext) {
return OAuthUtils.createSubject(securityContext);
}
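Review bot: `setSessionAuthenticityTokenProvider` is the public extension point this commit introduces, yet it has no Javadoc. A short comment such as `Sets the provider used to create and verify the session authenticity token; when not set the token is kept as an attribute of the HttpSession` would tell integrators what the default behaviour is, which is otherwise only visible inside the private methods further down the file.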
@@ -279,22 +286,33 @@ public abstract class RedirectionBasedGr
}
private void addAuthenticityTokenToSession(OAuthAuthorizationData secData)
{
- HttpSession session =
getMessageContext().getHttpServletRequest().getSession();
- String value = UUID.randomUUID().toString();
- secData.setAuthenticityToken(value);
- session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, value);
+ final String sessionToken;
+ if (this.sessionAuthenticityTokenProvider != null) {
+ sessionToken =
this.sessionAuthenticityTokenProvider.createSessionToken(getMessageContext());
+ } else {
+ HttpSession session =
getMessageContext().getHttpServletRequest().getSession();
+ sessionToken = UUID.randomUUID().toString();
+ session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN,
sessionToken);
+ }
+ secData.setAuthenticityToken(sessionToken);
}
private boolean compareRequestAndSessionTokens(String requestToken) {
- HttpSession session =
getMessageContext().getHttpServletRequest().getSession();
- String sessionToken =
(String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
-
+ final String sessionToken;
+ if (this.sessionAuthenticityTokenProvider != null) {
+ sessionToken =
sessionAuthenticityTokenProvider.removeSessionToken(getMessageContext());
+ } else {
+ HttpSession session =
getMessageContext().getHttpServletRequest().getSession();
+ sessionToken =
(String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ if (sessionToken != null) {
+
session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ }
+ }
if (StringUtils.isEmpty(sessionToken)) {
return false;
+ } else {
+ return requestToken.equals(sessionToken);
}
-
- session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
- return requestToken.equals(sessionToken);
}
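Review bot: In `compareRequestAndSessionTokens` the rewritten `return requestToken.equals(sessionToken);` dereferences `requestToken`, which at this point has not been null-checked; whether the caller guarantees a non-null value cannot be seen from this hunk, so the safer form is `return sessionToken.equals(requestToken);`, which is already known to be non-empty by the preceding `StringUtils.isEmpty` guard. Comparing the two tokens with `MessageDigest.isEqual` on their UTF-8 bytes would additionally make the check independent of where the strings first differ. As a point of style, the provider call is written `this.sessionAuthenticityTokenProvider.createSessionToken(...)` in `addAuthenticityTokenToSession` but `sessionAuthenticityTokenProvider.removeSessionToken(...)` without `this.` in `compareRequestAndSessionTokens`; the two branches would read better with the same form. The `if`/`else` around the final return can also be flattened, since the `if` branch returns.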
}