Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 448fdcf01 -> d0e42861b
Restoring the option to store client id in a session Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d0e42861 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d0e42861 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d0e42861 Branch: refs/heads/3.1.x-fixes Commit: d0e42861b5df45cf24985d956372f75bf04800f3 Parents: 448fdcf Author: Sergey Beryozkin <[email protected]> Authored: Tue Feb 9 13:00:41 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Feb 9 13:01:22 2016 +0000
----------------------------------------------------------------------
.../oauth2/common/OAuthAuthorizationData.java | 17 ----------------- .../oauth2/common/OAuthRedirectionState.java | 19 +++++++++++++++++++ .../provider/JoseSessionTokenProvider.java | 20 +++++++++++++------- .../services/RedirectionBasedGrantService.java | 8 ++++++-- 4 files changed, 38 insertions(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 8cf1102..27cb511 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,7 +39,6 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 public class OAuthAuthorizationData extends OAuthRedirectionState implements Serializable {
 private static final long serialVersionUID = -7755998413495017637L;
- private String clientId;
 private String endUserName;
 private String authenticityToken;
 private String replyTo;
@@ -60,22 +59,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 }
 /**
- * Sets the client id which needs to be retained in a hidden form field
- * @param clientId the client id
- */
- public void setClientId(String clientId) {
- this.clientId = clientId;
- }
-
- /**
- * Gets the client id which needs to be retained in a hidden form field
- * @return the client id
- */
- public String getClientId() {
- return clientId;
- }
-
- /**
 * Get the client application name
 * @return application name
 */
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
index 761d41f..4a413a0 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
@@ -23,6 +23,8 @@ import java.io.Serializable;
 public class OAuthRedirectionState implements Serializable {
 private static final long serialVersionUID = -661649302262699347L;
+
+ private String clientId;
 private String redirectUri;
 private String state;
 private String proposedScope;
@@ -34,6 +36,21 @@ public class OAuthRedirectionState implements Serializable {
 public OAuthRedirectionState() {
 }
+ /**
+ * Sets the client id which needs to be retained in a hidden form field
+ * @param clientId the client id
+ */
+ public void setClientId(String clientId) {
+ this.clientId = clientId;
+ }
+
+ /**
+ * Gets the client id which needs to be retained in a hidden form field
+ * @return the client id
+ */
+ public String getClientId() {
+ return clientId;
+ }
 /**
 * Sets the redirect uri which needs to be retained in a hidden form field
@@ -117,4 +134,6 @@ public class OAuthRedirectionState implements Serializable {
 public void setResponseType(String responseType) {
 this.responseType = responseType;
 }
+
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
index 9722e16..0c23db1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
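Review bot: The Javadoc on the added setClientId/getClientId pair still says the client id "needs to be retained in a hidden form field", but on OAuthRedirectionState the value is now also what JoseSessionTokenProvider serializes into the session token and what RedirectionBasedGrantService compares against the client_id request parameter, so a reader of this class alone cannot tell the field is part of the session-bound state. I would reword both summaries, e.g. `Sets the client id which needs to be retained in a hidden form field or in the session state` and the matching `Gets ...`. There is also no blank line between getClientId's closing brace and the following Javadoc, unlike the other accessor pairs in this class, and the two blank lines added before the class's closing brace in the second hunk look unintended.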
@@ -148,31 +148,37 @@ public class JoseSessionTokenProvider implements SessionAuthenticityTokenProvide
 String[] parts = ModelEncryptionSupport.getParts(stateString);
 OAuthRedirectionState state = new OAuthRedirectionState();
 if (!StringUtils.isEmpty(parts[0])) {
- state.setAudience(parts[0]);
+ state.setClientId(parts[0]);
 }
 if (!StringUtils.isEmpty(parts[1])) {
- state.setClientCodeChallenge(parts[1]);
+ state.setAudience(parts[1]);
 }
 if (!StringUtils.isEmpty(parts[2])) {
- state.setState(parts[2]);
+ state.setClientCodeChallenge(parts[2]);
 }
 if (!StringUtils.isEmpty(parts[3])) {
- state.setProposedScope(parts[3]);
+ state.setState(parts[3]);
 }
 if (!StringUtils.isEmpty(parts[4])) {
- state.setRedirectUri(parts[4]);
+ state.setProposedScope(parts[4]);
 }
 if (!StringUtils.isEmpty(parts[5])) {
- state.setNonce(parts[5]);
+ state.setRedirectUri(parts[5]);
 }
 if (!StringUtils.isEmpty(parts[6])) {
- state.setResponseType(parts[6]);
+ state.setNonce(parts[6]);
+ }
+ if (!StringUtils.isEmpty(parts[7])) {
+ state.setResponseType(parts[7]);
 }
 return state;
 }
 protected String convertStateToString(OAuthRedirectionState secData) {
 //TODO: make it simpler, convert it to JwtClaims -> JSON
 StringBuilder state = new StringBuilder();
+ // 0: client id
+ state.append(ModelEncryptionSupport.tokenizeString(secData.getClientId()));
+ state.append(ModelEncryptionSupport.SEP);
 // 1: client audience
 state.append(ModelEncryptionSupport.tokenizeString(secData.getAudience()));
 state.append(ModelEncryptionSupport.SEP);
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0e42861/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
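Review bot: The decoder now reads parts[7] without checking how many parts ModelEncryptionSupport.getParts returned, and the serialized layout carries no version marker, so a session token written by the previous seven-field layout (or any token that does not split into exactly eight fields) is reinterpreted positionally: its audience lands in clientId, its code challenge in audience, and so on, and if getParts yields fewer than eight elements the new parts[7] read throws ArrayIndexOutOfBoundsException. Because this state is later trusted by the server, I would fail closed before the positional reads, e.g. `if (parts.length != 8) { throw new OAuthServiceException("Unexpected session state format"); }`, so a stale or altered token is rejected rather than decoded into a different field assignment; whether getParts can return a short array I cannot tell from the hunk. The encoder in convertStateToString should use the same count as the decoder, so a shared constant for the number of fields would keep the two in step. The decoding method's signature is above the hunk and convertStateToString continues below it.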
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index d7cd724..ab4bba8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -274,13 +274,15 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 state = sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(), sessionToken, subject);
+ if (!state.getClientId().equals(params.getFirst(OAuthConstants.CLIENT_ID))) {
+ throw ExceptionUtils.toBadRequestException(null, null);
+ }
 }
 if (state == null) {
 state = new OAuthRedirectionState();
+ state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
 state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
 state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
- // or if no audience parameter is available, set the list of client
- // audiences for the users to see ?
 state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
 state.setState(params.getFirst(OAuthConstants.STATE));
 state.setNonce(params.getFirst(OAuthConstants.NONCE));
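Review bot: The new guard calls state.getClientId().equals(...) with no null check, so a session state whose client id was never set — JoseSessionTokenProvider leaves it null when the decoded part is empty, and other SessionAuthenticityTokenProvider implementations may not populate it at all — produces a NullPointerException instead of the intended bad request. Binding the restored session state to the requested client_id is the right check; I would just drive the comparison from the request value and reject null explicitly: `String requestedClientId = params.getFirst(OAuthConstants.CLIENT_ID);` followed by `if (requestedClientId == null || !requestedClientId.equals(state.getClientId())) {` with the existing throw. The `if (state == null)` fallback just below is not affected. The enclosing method starts and ends outside the hunk.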
@@ -310,6 +312,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 protected Response completeAuthorization(MultivaluedMap<String, String> params) {
 // Make sure the end user has authenticated, check if HTTPS is used
 SecurityContext securityContext = getAndValidateSecurityContext(params);
+ // Client id may also be preserved in a session but it must be set
+ // as a authorization form parameter
 Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID));
 UserSubject userSubject = createUserSubject(securityContext, client, params);
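Review bot: The added comment reads `as a authorization form parameter`; it should be `as an authorization form parameter`. It would also help to state what "must be set" means for this method, e.g. `// Client id may also be preserved in a session, but the authorization form must still submit it; the form value is what getClient resolves here`. The rest of completeAuthorization continues below the hunk.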
