Repository: cxf Updated Branches: refs/heads/master ffb10f12d -> 8c8c99834
Adding OAuth2 Consumers bean helper, and prototyping checking the authentication method of the resource owner Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8c8c9983 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8c8c9983 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8c8c9983 Branch: refs/heads/master Commit: 8c8c99834cfda285f511b02ae73d7cd5c50f31a2 Parents: ffb10f1 Author: Sergey Beryozkin <[email protected]> Authored: Fri May 1 13:32:25 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Fri May 1 13:32:25 2015 +0100 ---------------------------------------------------------------------- .../cxf/rs/security/oauth2/client/Consumer.java | 17 +++++- .../rs/security/oauth2/client/Consumers.java | 35 ++++++++++++ .../oauth2/common/AuthenticationMethod.java | 25 +++++++++ .../cxf/rs/security/oauth2/common/Client.java | 56 ++++++++++++++------ .../rs/security/oauth2/common/UserSubject.java | 10 +++- .../oauth2/filters/OAuthRequestFilter.java | 13 ++++- .../rs/security/oauth2/utils/OAuthUtils.java | 11 +++- 7 files changed, 146 insertions(+), 21 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8c9983/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumer.java index 96aaf11..caa456d 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumer.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumer.java 
@@ -22,6 +22,7 @@ public class Consumer { private String key; private String secret; + private String description; public Consumer() { @@ -42,7 +43,19 @@ public class Consumer { public void setSecret(String secret) { this.secret = secret; } - - + public String getDescription() { + return description; + } + public void setDescription(String description) { + this.description = description; + } + @Override + public int hashCode() { + return key.hashCode(); + } + @Override + public boolean equals(Object o) { + return o instanceof Consumer && key.equals(((Consumer)o).key); + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8c9983/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java new file mode 100644 index 0000000..0fe73f6 --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/Consumers.java 
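Review bot: `hashCode()` and `equals()` in the second hunk dereference `key` unconditionally, so a `Consumer` created through the no-arg constructor shown in the first hunk throws `NullPointerException` the moment it is added to a `HashSet` such as the one `Consumers` keeps. Use the null-safe helpers: `return Objects.hashCode(key);` and `return o instanceof Consumer && Objects.equals(key, ((Consumer) o).key);` (with `import java.util.Objects;`). A one-line Javadoc on `equals` stating that identity is the key alone would also help, because two consumers with the same key but different secrets collapse to a single set entry and the set silently keeps whichever was added first.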
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.client;
+
+import java.util.HashSet;
+import java.util.Set;
+
+public class Consumers {
+
+ private Set<Consumer> consumers = new HashSet<Consumer>();
+
+ public Consumers(Consumers consumers) {
+ this.consumers = consumers.getConsumers();
+ }
+
+ public Set<Consumer> getConsumers() {
+ return consumers;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8c9983/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java
new file mode 100644
index 0000000..2036ab4
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AuthenticationMethod.java
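Review bot: The only constructor takes another `Consumers`, so there is no way to create the first instance: a bean container cannot instantiate this class with a no-arg constructor or a `Set<Consumer>` property, which appears to be the purpose of a "bean helper", and the `new HashSet<Consumer>()` initializer is always overwritten. The copy constructor also aliases the other instance's set instead of copying it, and `getConsumers()` hands out the mutable set, so any caller can add or remove registered consumers; if no caller relies on mutating through the getter, returning `Collections.unmodifiableSet(consumers)` would close that. I would add a no-arg constructor and a copying `Set<Consumer>` constructor and keep `Consumers(Consumers)` delegating to it for compatibility.
```java
public class Consumers {

    private Set<Consumer> consumers = new HashSet<Consumer>();

    public Consumers() {
    }

    /** Copies the given consumers; later changes to the argument are not reflected. */
    public Consumers(Set<Consumer> consumers) {
        this.consumers = new HashSet<Consumer>(consumers);
    }

    public Consumers(Consumers consumers) {
        this(consumers.getConsumers());
    }

    // … unchanged: getConsumers() and closing brace …
```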
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.common;
+
+public enum AuthenticationMethod {
+ PASSWORD,
+ TWO_FACTOR
+ //etc
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8c9983/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
index 494a00d..4f1b395 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
@@ -49,6 +49,7 @@ public class Client implements Serializable { private Map<String, String> properties = new HashMap<String, String>(); private UserSubject subject; + private UserSubject resourceOwnerSubject; public Client() {
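Review bot: `AuthenticationMethod` has no Javadoc and ends with a bare `//etc`, yet it is the value `OAuthRequestFilter` compares with `equals` to decide whether a token is accepted, so its meaning needs to be pinned down for anyone who records or requires it. I would add a class-level Javadoc such as `/** The method the resource owner used to authenticate when the token was authorized; recorded on the {@link UserSubject} and optionally required by OAuthRequestFilter. */`, and replace `//etc` with `// TODO: further methods to be added` so the open-ended list reads as intentional. A one-line comment on each constant saying what it is expected to cover would also help, since nothing in the code constrains what `TWO_FACTOR` means.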
@@ -96,7 +97,7 @@ public class Client implements Serializable { } /** - * Gets the name of the third-party application + * Get the name of the third-party application * this client represents * @return the application name */ @@ -105,7 +106,7 @@ public class Client implements Serializable { } /** - * Sets the name of the third-party application + * Set the name of the third-party application * this client represents * @param applicationName the name */ @@ -114,7 +115,7 @@ public class Client implements Serializable { } /** - * Gets the public URI of the third-party application. + * Get the public URI of the third-party application. * @return the application URI */ public String getApplicationWebUri() { @@ -122,7 +123,7 @@ public class Client implements Serializable { } /** - * Sets the public URI of the third-party application. + * Set the public URI of the third-party application. * @param applicationWebUri the application URI */ public void setApplicationWebUri(String applicationWebUri) { @@ -130,7 +131,7 @@ public class Client implements Serializable { } /** - * Sets the description of the third-party application. + * Set the description of the third-party application. * @param applicationDescription the description */ public void setApplicationDescription(String applicationDescription) { @@ -138,7 +139,7 @@ public class Client implements Serializable { } /** - * Gets the description of the third-party application. + * Get the description of the third-party application. * @return the application description */ public String getApplicationDescription() { @@ -146,7 +147,7 @@ public class Client implements Serializable { } /** - * Sets the URI pointing to a logo image of the client application + * Set the URI pointing to a logo image of the client application * @param logoPath the logo URI */ public void setApplicationLogoUri(String logoPath) { 
@@ -162,7 +163,7 @@ public class Client implements Serializable { } /** - * Sets the confidentiality status of this client application. + * Set the confidentiality status of this client application. * This can be used to restrict which OAuth2 flows this client * can participate in. * @@ -173,7 +174,7 @@ public class Client implements Serializable { } /** - * Gets the confidentiality status of this client application. + * Get the confidentiality status of this client application. * @return the confidentiality status */ public boolean isConfidential() { @@ -190,7 +191,7 @@ public class Client implements Serializable { } /** - * Gets a list of URIs the AuthorizationService + * Get a list of URIs the AuthorizationService * may return the authorization code to * @return the redirect uris */ @@ -199,7 +200,7 @@ public class Client implements Serializable { } /** - * Sets the list of access token grant types this client + * Set the list of access token grant types this client * can use to obtain the access tokens. * @param allowedGrantTypes the list of grant types */ @@ -208,7 +209,7 @@ public class Client implements Serializable { } /** - * Gets the list of access token grant types this client + * Get the list of access token grant types this client * can use to obtain the access tokens. * @return the list of grant types */ @@ -217,8 +218,11 @@ public class Client implements Serializable { } /** - * Sets the {@link UserSubject} representing this Client - * authentication, may be setup during the registration. + * Set the {@link UserSubject} representing this Client + * authentication. This property may be set during the registration + * in cases where a 3rd party client needs to authenticate first before + * registering as OAuth2 client. This property may also wrap a clientId + * in cases where a client credentials flow is used * * @param subject the user subject */ 
@@ -227,13 +231,35 @@ public class Client implements Serializable { } /** - * Gets the {@link UserSubject} representing this Client + * Get the {@link UserSubject} representing this Client * authentication * @return the user subject */ public UserSubject getSubject() { return subject; } + + /** + * Set the {@link UserSubject} representing the resource owner + * who has registered this client. This property may be set in cases where + * each account (resource) owner registers account specific Clients + * + * @param subject the resource owner user subject + */ + + public void setResourceOwnerSubject(UserSubject resourceOwnerSubject) { + this.resourceOwnerSubject = resourceOwnerSubject; + } + + + /** + * Get the {@link UserSubject} representing the resource owner + * who has registered this client + * @return the resource owner user subject + */ + public UserSubject getResourceOwnerSubject() { + return resourceOwnerSubject; + } /** * Get the list of additional client properties http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8c9983/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java index 43502b2..6972220 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java @@ -39,7 +39,7 @@ public class UserSubject implements Serializable { private String id; private List<String> roles = new LinkedList<String>(); private Map<String, String> properties = new HashMap<String, String>(); - + private AuthenticationMethod am; public UserSubject() { } 
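Review bot: The Javadoc above `setResourceOwnerSubject` documents `@param subject` while the parameter is named `resourceOwnerSubject`, and the blank line between the comment and the method signature detaches the comment from the method for javadoc tools. Change the tag to `@param resourceOwnerSubject the resource owner user subject` and remove that blank line, along with the double blank line before the getter's Javadoc. Storing a second `UserSubject` on a `Serializable` `Client` is fine, as `UserSubject` is itself `Serializable` per the next file's hunk.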
@@ -129,5 +129,13 @@ public class UserSubject implements Serializable { public void setId(String id) { this.id = id; } + + public AuthenticationMethod getAuthenticationMethod() { + return am; + } + + public void setAthenticationMethod(AuthenticationMethod method) { + this.am = method; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8c9983/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java index 22af72c..c11cbc2 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java @@ -46,6 +46,7 @@ import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.PhaseInterceptorChain; import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation; +import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod; import org.apache.cxf.rs.security.oauth2.common.OAuthContext; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; import org.apache.cxf.rs.security.oauth2.common.UserSubject; @@ -72,7 +73,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator private List<String> requiredScopes = Collections.emptyList(); private boolean allPermissionsMatch; private boolean blockPublicClients; - + private AuthenticationMethod am; public void filter(ContainerRequestContext context) { validateRequest(JAXRSUtils.getCurrentMessage()); } 
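Review bot: The new setter is spelled `setAthenticationMethod` while the getter is `getAuthenticationMethod`, so the pair does not form a JavaBean property and the typo becomes public API that the `OAuthUtils` hunk at the end of this diff already calls. Rename it to `public void setAuthenticationMethod(AuthenticationMethod method)` and update that caller in the same commit. A short Javadoc on both accessors noting that the value records how this subject authenticated and is what `OAuthRequestFilter` compares against would help, and the field name `am`, also introduced in the `OAuthRequestFilter` hunk below, would be clearer as `authenticationMethod`.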
@@ -128,6 +129,13 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator LOG.warning(message); throw ExceptionUtils.toForbiddenException(null, null); } + if (am != null && !am.equals(accessTokenV.getTokenSubject().getAuthenticationMethod())) { + String message = "The token has been authorized by the resource owner " + + "using an unsupported authentication method"; + LOG.warning(message); + throw ExceptionUtils.toForbiddenException(null, null); + + } // Create the security context and make it available on the message SecurityContext sc = createSecurityContext(req, accessTokenV); @@ -283,5 +291,8 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator public void setBlockPublicClients(boolean blockPublicClients) { this.blockPublicClients = blockPublicClients; } + public void setTokenSubjectAuthenticationMethod(AuthenticationMethod method) { + this.am = method; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8c8c9983/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java index 9752974..e989ba8 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java 
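Review bot: The new check calls `accessTokenV.getTokenSubject().getAuthenticationMethod()` without guarding the subject; if a validated token carries no subject (plausible for a client-credentials grant, though this hunk does not show it) and `am` is configured, the filter throws a `NullPointerException` instead of the intended 403. Read the subject into a local and treat a missing one as a mismatch, which keeps the check fail-closed: `UserSubject tokenSubject = accessTokenV.getTokenSubject();` / `if (am != null && (tokenSubject == null || !am.equals(tokenSubject.getAuthenticationMethod()))) {`. Rejecting tokens whose subject has no recorded method when `am` is set is the right default and should be stated on the setter added in the second hunk, e.g. `/** Require that the resource owner who authorized the token authenticated with this method; tokens with no recorded method are rejected. */`. The enclosing method starts and ends outside the hunk, and the stray blank line before the closing brace can go.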
@@ -32,6 +32,9 @@ import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.jaxrs.ext.MessageContext; import org.apache.cxf.jaxrs.impl.MetadataMap; import org.apache.cxf.jaxrs.model.URITemplate; +import org.apache.cxf.jaxrs.utils.JAXRSUtils; +import org.apache.cxf.message.Message; +import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod; import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; @@ -85,8 +88,12 @@ public final class OAuthUtils { roleNames.add(p.getName()); } } - return - new UserSubject(securityContext.getUserPrincipal().getName(), roleNames); + UserSubject subject = new UserSubject(securityContext.getUserPrincipal().getName(), roleNames); + Message m = JAXRSUtils.getCurrentMessage(); + if (m != null && m.get(AuthenticationMethod.class) != null) { + subject.setAthenticationMethod(m.get(AuthenticationMethod.class)); + } + return subject; } public static String convertPermissionsToScope(List<OAuthPermission> perms) {
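Review bot: `m.get(AuthenticationMethod.class)` is looked up twice in the new code; read it once into a local and set it only when present: `AuthenticationMethod method = m == null ? null : m.get(AuthenticationMethod.class);` / `if (method != null) { subject.setAthenticationMethod(method); }`. The value is taken from whatever earlier component stored it on the current `Message`, and nothing in this diff writes it, so a comment such as `// the authenticating filter is expected to record the method on the message; absent it, the subject keeps a null method` would tell maintainers where it comes from. The enclosing method begins outside the hunk.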
