Repository: cxf Updated Branches: refs/heads/master b6aaae80c -> 9a3dd438d
[CXF-5607] Very basic prototyping of the incremental authorization case Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9a3dd438 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9a3dd438 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9a3dd438 Branch: refs/heads/master Commit: 9a3dd438dc52e2c957fc6c98e2db5426884c1a5c Parents: b6aaae8 Author: Sergey Beryozkin <[email protected]> Authored: Mon Jun 22 18:25:51 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Mon Jun 22 18:25:51 2015 +0100 ---------------------------------------------------------------------- .../oidc/rp/OidcClientCodeRequestFilter.java | 2 +- .../oidc/rp/OidcRpAuthenticationFilter.java | 87 ++++++++++++++++++++ .../oidc/rp/OidcRpAuthenticationService.java | 42 ++++++++++ .../rs/security/oidc/rp/OidcRpStateManager.java | 32 +++++++ 4 files changed, 162 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java index 4475aff..088f826 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java @@ -52,7 +52,7 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { @Override protected void checkSecurityContextStart(ContainerRequestContext rc) { SecurityContext sc = rc.getSecurityContext(); - if (sc != null && sc.getUserPrincipal() != null) { + if (sc != null && !(sc instanceof OidcSecurityContext)) { throw ExceptionUtils.toNotAuthorizedException(null, null); } } http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java new file mode 100644 index 0000000..c589161 --- /dev/null +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java @@ -0,0 +1,87 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.oidc.rp; + +import java.util.Map; + +import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.container.ContainerRequestFilter; +import javax.ws.rs.core.Cookie; +import javax.ws.rs.core.HttpHeaders; +import javax.ws.rs.core.MediaType; +import javax.ws.rs.core.MultivaluedMap; +import javax.ws.rs.core.Response; +import javax.ws.rs.core.UriBuilder; + +import org.apache.cxf.jaxrs.impl.MetadataMap; +import org.apache.cxf.jaxrs.utils.FormUtils; +import org.apache.cxf.jaxrs.utils.JAXRSUtils; +import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils; + +public class OidcRpAuthenticationFilter implements ContainerRequestFilter { + + private OidcRpStateManager stateManager; + private String rpServiceAddress; + + public void filter(ContainerRequestContext rc) { + if (checkSecurityContext(rc)) { + return; + } else { + String token = OAuthUtils.generateRandomTokenKey(); + MultivaluedMap<String, String> state = toRequestState(rc); + stateManager.setRequestState(token, state); + UriBuilder ub = UriBuilder.fromUri(rpServiceAddress); + ub.queryParam("state", token); + rc.abortWith(Response.seeOther(ub.build()) + .header(HttpHeaders.CACHE_CONTROL, "no-cache, no-store") + .header("Pragma", "no-cache") + .build()); + } + } + protected boolean checkSecurityContext(ContainerRequestContext rc) { + Map<String, Cookie> cookies = rc.getCookies(); + + Cookie securityContextCookie = cookies.get("org.apache.cxf.websso.context"); + if (securityContextCookie == null) { + return false; + } + String contextKey = securityContextCookie.getValue(); + + OidcClientTokenContext tokenContext = stateManager.getTokenContext(contextKey); + + if (tokenContext == null) { + return false; + } + rc.setSecurityContext(new OidcSecurityContext(tokenContext)); + return true; + } + private MultivaluedMap<String, String> toRequestState(ContainerRequestContext rc) { + MultivaluedMap<String, String> requestState = new MetadataMap<String, String>(); + requestState.putAll(rc.getUriInfo().getQueryParameters(true)); + if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(rc.getMediaType())) { + String body = FormUtils.readBody(rc.getEntityStream(), "UTF-8"); + FormUtils.populateMapFromString(requestState, JAXRSUtils.getCurrentMessage(), body, + "UTF-8", true); + } + return requestState; + } + public void setRpServiceAddress(String rpServiceAddress) { + this.rpServiceAddress = rpServiceAddress; + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java new file mode 100644 index 0000000..5541e80 --- /dev/null +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java @@ -0,0 +1,42 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.oidc.rp; + +import java.net.URI; + +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.Response; + +import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils; + +@Path("rp") +public class OidcRpAuthenticationService { + private OidcRpStateManager stateManager; + + @GET + @Path("complete") + public Response completeAuthentication(@Context OidcClientTokenContext context) { + String key = OAuthUtils.generateRandomTokenKey(); + stateManager.setTokenContext(key, context); + URI uri = URI.create(context.getState().getFirst("location")); + return Response.seeOther(uri).header("SetCookie", "contextKey=" + key).build(); + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/9a3dd438/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java new file mode 100644 index 0000000..564e53e --- /dev/null +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpStateManager.java @@ -0,0 +1,32 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.oidc.rp; + +import java.io.Closeable; + +import javax.ws.rs.core.MultivaluedMap; + +public interface OidcRpStateManager extends Closeable { + void setRequestState(String token, MultivaluedMap<String, String> state); + MultivaluedMap<String, String> removeRequestState(String token); + + void setTokenContext(String contextKey, OidcClientTokenContext state); + OidcClientTokenContext getTokenContext(String contextKey); + OidcClientTokenContext removeTokenContext(String contextKey); +}
