Make it possible to set a roleClaim on the OIDC filters so that we can implement authorization
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/689632b8
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/689632b8
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/689632b8
Branch: refs/heads/master-jaxrs-2.1
Commit: 689632b877f8aefcfd72211845f8e89d547e8592
Parents: 2ed93ca
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Jul 20 14:36:02 2016 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Jul 20 14:41:45 2016 +0100
----------------------------------------------------------------------
.../oidc/rp/OidcClientCodeRequestFilter.java | 9 ++++++++-
.../security/oidc/rp/OidcIdTokenRequestFilter.java | 10 +++++++++-
.../cxf/rs/security/oidc/rp/OidcSecurityContext.java | 15 +++++++++++++++
3 files changed, 32 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/689632b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index 015be15..d9e75d9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -52,6 +52,7 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
 private Long maxAgeOffset;
 private String claims;
 private String claimsLocales;
+ private String roleClaim;
 
 public OidcClientCodeRequestFilter() {
 super();
@@ -87,7 +88,9 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { ctx.getIdToken(), getConsumer())); } - rc.setSecurityContext(new OidcSecurityContext(ctx)); + OidcSecurityContext oidcSecCtx = new OidcSecurityContext(ctx); + oidcSecCtx.setRoleClaim(roleClaim); + rc.setSecurityContext(oidcSecCtx); } return ctx; @@ -193,4 +196,8 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { public void setClaimsLocales(String claimsLocales) { this.claimsLocales = claimsLocales; } + + public void setRoleClaim(String roleClaim) { + this.roleClaim = roleClaim; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/689632b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java index 1babee7..fa9d850 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java @@ -39,6 +39,7 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter { private String tokenFormParameter = "id_token"; private IdTokenReader idTokenReader; private Consumer consumer; + private String roleClaim; @Override public void filter(ContainerRequestContext requestContext) throws IOException { 
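Review bot: The new `setRoleClaim` setter in the `@@ -193,4 +196,8 @@` hunk configures an authorization decision but carries no Javadoc, unlike the one added on OidcSecurityContext; suggest `/** Name of the IdToken claim whose value is compared against the role in OidcSecurityContext.isUserInRole; when unset, isUserInRole always returns false. */` above it. The same setter added to OidcIdTokenRequestFilter in hunk `@@ -74,4 +78,8 @@` needs the same comment. The enclosing method of the `@@ -87,7 +88,9 @@` hunk starts outside the hunk, so the surrounding control flow that reaches `rc.setSecurityContext` cannot be reviewed here.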
@@ -51,9 +52,12 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter { IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer); JAXRSUtils.getCurrentMessage().setContent(IdToken.class, idToken); - requestContext.setSecurityContext(new OidcSecurityContext(idToken)); + OidcSecurityContext oidcSecCtx = new OidcSecurityContext(idToken); + oidcSecCtx.setRoleClaim(roleClaim); + requestContext.setSecurityContext(oidcSecCtx); } + private MultivaluedMap<String, String> toFormData(ContainerRequestContext rc) { MultivaluedMap<String, String> requestState = new MetadataMap<String, String>(); if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(rc.getMediaType())) { @@ -74,4 +78,8 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter { public void setConsumer(Consumer consumer) { this.consumer = consumer; } + + public void setRoleClaim(String roleClaim) { + this.roleClaim = roleClaim; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/689632b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java index f84ca1c..552a6a1 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java @@ -28,6 +28,7 @@ import org.apache.cxf.rs.security.oidc.common.IdToken; public class OidcSecurityContext extends SimpleSecurityContext implements SecurityContext { private OidcClientTokenContext oidcContext; + private String roleClaim; public OidcSecurityContext(IdToken token) { this(new OidcClientTokenContextImpl(token)); 
@@ -82,4 +83,18 @@ public class OidcSecurityContext extends SimpleSecurityContext implements Securi
 public String getAuthenticationScheme() {
 return "OIDC";
 }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ return roleClaim != null && role != null && oidcContext.getIdToken() != null
+ && oidcContext.getIdToken().containsProperty(roleClaim)
+ && role.equals(oidcContext.getIdToken().getProperty(roleClaim));
+ }
+
+ /**
+ * Set the claim name that corresponds to the "role" of the Subject of the IdToken.
+ */
+ public void setRoleClaim(String roleClaim) {
+ this.roleClaim = roleClaim;
+ }
 }
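Review bot: `isUserInRole` compares `role` with `getProperty(roleClaim)` via `String.equals`, so a multi-valued role claim (a JSON array, which the JSON reader presumably surfaces as a `List`) can never match and any user carrying more than one role is denied; the value should be type-checked and matched with `contains` when it is a list. The `containsProperty` call is redundant once the property value is null-checked, and the override deserves a Javadoc stating that it returns false whenever no roleClaim is configured, so the default is fail-closed. The sketch below needs `java.util.List` imported at the top of the file.
```java
/**
 * Returns true only if a role claim is configured and the IdToken carries that claim with a
 * value equal to (or, for a multi-valued claim, containing) the requested role.
 */
@Override
public boolean isUserInRole(String role) {
    if (roleClaim == null || role == null || oidcContext.getIdToken() == null) {
        return false;
    }
    Object value = oidcContext.getIdToken().getProperty(roleClaim);
    if (value instanceof List) {
        return ((List<?>) value).contains(role);
    }
    return role.equals(value);
}
// … unchanged: setRoleClaim …
```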
