This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 4c5cf7e31db3937fd746964add5cee343070a673
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Mon Sep 16 13:12:46 2019 +0100
Adding OAuth token introspection systests + requiring a client register a redirect URI for authz code + implicit grants
---
 .../services/DynamicRegistrationService.java | 43 +++-
 .../oauth2/common/CallbackHandlerImpl.java | 16 ++
 .../oauth2/grants/DynamicRegistrationTest.java | 222 +++++++++++++++++++++
 .../grants/dynamic-reg-server-jcache-jwt.xml | 142 +++++++++++++
 .../oauth2/grants/dynamic-reg-server-jcache.xml | 131 ++++++++++++
 .../oauth2/grants/dynamic-reg-server-jpa.xml | 144 +++++++++++++
 6 files changed, 689 insertions(+), 9 deletions(-)
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
index 56cff1f..12155d9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
@@ -31,7 +31,9 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.core.UriBuilder;
 
@@ -39,7 +41,9 @@ import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
 import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
@@ -81,13 +85,13 @@ public class DynamicRegistrationService {
 }
 }
-
+
 protected void checkSecurityContext() {
 SecurityContext sc = mc.getSecurityContext();
 if (sc.getUserPrincipal() == null) {
 throw ExceptionUtils.toNotAuthorizedException(null, null);
- }
+ }
 if (userRole != null && !sc.isUserInRole(userRole)) {
 throw ExceptionUtils.toForbiddenException(null, null);
 }
@@ -198,7 +202,7 @@ public class DynamicRegistrationService {
 }
 }
 }
-
+
 return reg;
 }
@@ -236,10 +240,10 @@ public class DynamicRegistrationService {
 if (grantTypes == null) {
 grantTypes = Collections.singletonList(OAuthConstants.AUTHORIZATION_CODE_GRANT);
 }
-
+
 String tokenEndpointAuthMethod = request.getTokenEndpointAuthMethod();
 //TODO: default is expected to be set to OAuthConstants.TOKEN_ENDPOINT_AUTH_BASIC
-
+
 boolean passwordRequired = isPasswordRequired(grantTypes, tokenEndpointAuthMethod);
 // Application Type
@@ -255,7 +259,7 @@ public class DynamicRegistrationService {
 // Client Secret
 String clientSecret = passwordRequired ? generateClientSecret(request) : null;
-
+
 Client newClient = new Client(clientId, clientSecret, isConfidential, clientName);
 newClient.setAllowedGrantTypes(grantTypes);
 
@@ -272,7 +276,7 @@ public class DynamicRegistrationService {
 }
 }
 // Client Registration Time
- newClient.setRegisteredAt(System.currentTimeMillis() / 1000);
+ newClient.setRegisteredAt(System.currentTimeMillis() / 1000L);
 // Client Redirect URIs
 List<String> redirectUris = request.getRedirectUris();
@@ -283,6 +287,15 @@ public class DynamicRegistrationService {
 }
 newClient.setRedirectUris(redirectUris);
 }
+ if (newClient.getRedirectUris().isEmpty()
+ && (grantTypes.contains(OAuthConstants.AUTHORIZATION_CODE_GRANT)
+ || grantTypes.contains(OAuthConstants.IMPLICIT_GRANT))) {
+ // Throw an error as we need a redirect URI for these grants.
+ OAuthError error =
+ new OAuthError(OAuthConstants.INVALID_REQUEST, "A Redirection URI is required");
+ reportInvalidRequestError(error);
+ }
+
 // Client Resource Audience URIs
 List<String> resourceUris = request.getResourceUris();
 if (resourceUris != null) {
@@ -314,7 +327,7 @@ public class DynamicRegistrationService {
 UserSubject subject = new UserSubject(sc.getUserPrincipal().getName());
 newClient.setResourceOwnerSubject(subject);
 }
-
+
 newClient.setRegisteredDynamically(true);
 return newClient;
 }
@@ -326,7 +339,7 @@ public class DynamicRegistrationService {
 if (tokenEndpointAuthMethod == null) {
 return true;
 }
-
+
 return !OAuthConstants.TOKEN_ENDPOINT_AUTH_NONE.equals(tokenEndpointAuthMethod)
 && (OAuthConstants.TOKEN_ENDPOINT_AUTH_BASIC.equals(tokenEndpointAuthMethod)
 || OAuthConstants.TOKEN_ENDPOINT_AUTH_POST.equals(tokenEndpointAuthMethod));
 
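Review bot: The new guard in the `@@ -283` hunk only checks that the redirect URI list is non-empty; nothing validates the entries, so a relative URI, one carrying a fragment, or a non-http(s) scheme such as `javascript:` is accepted at registration and later used as a redirect target by the authorization endpoint. RFC 6749 section 3.1.2 requires each redirection URI to be absolute and fragment-free, and RFC 7591 section 2 carries that requirement into registration, so I would validate every entry immediately after the emptiness check as sketched below (`java.net.URI`/`URISyntaxException` would need importing; an http/https scheme allow-list is a policy choice I would add on top). RFC 7591 section 3.2.2 defines `invalid_redirect_uri` and `invalid_client_metadata` as the registration error codes, whereas `OAuthConstants.INVALID_REQUEST` is the RFC 6749 token-endpoint code, so `new OAuthError("invalid_redirect_uri", "A Redirection URI is required")` would be the spec-conformant choice unless a matching constant already exists. Whether `newClient.getRedirectUris()` can return null when the request carried no list is not visible here; if `Client` does not default it, the `isEmpty()` call needs a null guard. The enclosing method starts and ends outside this hunk.
```java
        if (newClient.getRedirectUris().isEmpty()
            && (grantTypes.contains(OAuthConstants.AUTHORIZATION_CODE_GRANT)
                || grantTypes.contains(OAuthConstants.IMPLICIT_GRANT))) {
            // … unchanged: "A Redirection URI is required" error …
        }
        // RFC 6749 s3.1.2: a registered redirect URI must be absolute and must not carry a fragment.
        for (String redirectUri : newClient.getRedirectUris()) {
            boolean valid;
            try {
                URI parsed = new URI(redirectUri);
                valid = parsed.isAbsolute() && parsed.getFragment() == null;
            } catch (URISyntaxException ex) {
                valid = false;
            }
            if (!valid) {
                reportInvalidRequestError(
                    new OAuthError(OAuthConstants.INVALID_REQUEST, "Invalid Redirection URI"));
            }
        }
```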
@@ -388,4 +401,16 @@ public class DynamicRegistrationService {
 public void setUserRole(String userRole) {
 this.userRole = userRole;
 }
+
+ private void reportInvalidRequestError(OAuthError entity) {
+ reportInvalidRequestError(entity, MediaType.APPLICATION_JSON_TYPE);
+ }
+
+ private void reportInvalidRequestError(OAuthError entity, MediaType mt) {
+ ResponseBuilder rb = JAXRSUtils.toResponseBuilder(400);
+ if (mt != null) {
+ rb.type(mt);
+ }
+ throw ExceptionUtils.toBadRequestException(null, rb.entity(entity).build());
+ }
 }
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/CallbackHandlerImpl.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/CallbackHandlerImpl.java
index c8ce14d..ba0e884 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/CallbackHandlerImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/CallbackHandlerImpl.java
@@ -24,10 +24,14 @@ import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 public class CallbackHandlerImpl implements CallbackHandler {
+ private OAuthDataProvider dataProvider;
+
 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
 for (int i = 0; i < callbacks.length; i++) {
 
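Review bot: In the two-argument `reportInvalidRequestError`, the `if (mt != null)` guard is dead as far as this file shows: its only caller is the one-argument overload, which always passes `MediaType.APPLICATION_JSON_TYPE`, so either fold the pair into one method or drop the guard. Neither helper carries a doc comment; I would add `/** Aborts the request with a 400 whose body is the given OAuthError serialized as JSON (RFC 7591 section 3.2.2). */` on the entry point. Serialising the `OAuthError` entity relies on a JSON provider being registered for the endpoint — presumably the case wherever this service is deployed, but worth stating in that comment.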
@@ -46,8 +50,20 @@ public class CallbackHandlerImpl implements CallbackHandler {
 } else if ("service".equals(pc.getIdentifier())) {
 pc.setPassword("service-pass");
 break;
+ } else if (dataProvider != null) {
+ Client client = dataProvider.getClient(pc.getIdentifier());
+ pc.setPassword(client.getClientSecret());
+ break;
 }
 }
 }
 }
+
+ public OAuthDataProvider getDataProvider() {
+ return dataProvider;
+ }
+
+ public void setDataProvider(OAuthDataProvider dataProvider) {
+ this.dataProvider = dataProvider;
+ }
 }
\ No newline at end of file
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/DynamicRegistrationTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/DynamicRegistrationTest.java
new file mode 100644
index 0000000..8f65497
--- /dev/null
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/DynamicRegistrationTest.java
 
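Review bot: `Client client = dataProvider.getClient(pc.getIdentifier())` is dereferenced on the next line without a null check, so an unknown identifier presented as a Basic-auth username ends in a NullPointerException (or whatever the provider raises for unknown clients) inside the auth filter rather than a clean 401, and a public client whose secret is null would be handed a null password. I would write `if (client != null && client.getClientSecret() != null) { pc.setPassword(client.getClientSecret()); }` before the `break`. Since this branch is reached for any identifier other than the hard-coded test users, every dynamically registered client's id/secret now becomes a valid Basic credential for whatever endpoints this handler fronts, which deserves a comment if intended. `handle` starts outside this hunk.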
@@ -0,0 +1,222 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.jaxrs.security.oauth2.grants; + +import java.net.URL; +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; + +import javax.ws.rs.core.Response; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.jaxrs.client.WebClient; +import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; +import org.apache.cxf.rs.security.oauth2.services.ClientRegistration; +import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationResponse; +import org.apache.cxf.systest.jaxrs.security.SecurityTestUtil; +import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.testutil.common.AbstractBusTestServerBase; +import org.apache.cxf.testutil.common.TestUtil; + +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized.Parameters; + +import static org.junit.Assert.assertEquals; +import static 
org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +/** + * Some unit tests for the dynamic registration service in CXF. The tests are run multiple times with different + * OAuthDataProvider implementations: + * a) JCACHE_PORT - JCache + * b) JWT_JCACHE_PORT - JCache with useJwtFormatForAccessTokens enabled + * c) JPA_PORT - JPA provider + */ +@RunWith(value = org.junit.runners.Parameterized.class) +public class DynamicRegistrationTest extends AbstractBusClientServerTestBase { + + public static final String JCACHE_PORT = TestUtil.getPortNumber("jaxrs-oauth2-dynamic-reg-jcache"); + public static final String JCACHE_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-dynamic-reg2-jcache"); + public static final String JWT_JCACHE_PORT = TestUtil.getPortNumber("jaxrs-oauth2-dynamic-reg-jcache-jwt"); + public static final String JWT_JCACHE_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-dynamic-reg2-jcache-jwt"); + public static final String JPA_PORT = TestUtil.getPortNumber("jaxrs-oauth2-dynamic-reg-jpa"); + public static final String JPA_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-dynamic-reg2-jpa"); + + final String port; + + public DynamicRegistrationTest(String port) { + this.port = port; + } + + @BeforeClass + public static void startServers() throws Exception { + assertTrue("server did not launch correctly", + launchServer(BookServerOAuth2DynamicRegistrationJCache.class, true)); + assertTrue("server did not launch correctly", + launchServer(BookServerOAuth2DynamicRegistrationJCacheJWT.class, true)); + assertTrue("server did not launch correctly", + launchServer(BookServerOAuth2DynamicRegistrationJPA.class, true)); + } + + @AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + } + + @Parameters(name = "{0}") + public static Collection<String> data() { + + return Arrays.asList(JCACHE_PORT, JWT_JCACHE_PORT, JPA_PORT); + } + + @org.junit.Test + public void testDynamicRegistration() throws Exception { + URL 
busFile = DynamicRegistrationTest.class.getResource("client.xml"); + + String address = "https://localhost:" + port + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + + // 1. Register a client + client.accept("application/json").type("application/json"); + client.path("register/"); + + ClientRegistration registration = new ClientRegistration(); + registration.setClientName("new client"); + registration.setRedirectUris(Collections.singletonList("http://www.blah.apache.org")); + + Response response = client.post(registration); + + ClientRegistrationResponse registrationResponse = response.readEntity(ClientRegistrationResponse.class); + assertNotNull(registrationResponse.getClientId()); + assertNotNull(registrationResponse.getClientSecret()); + assertNotNull(registrationResponse.getRegistrationClientUri()); + assertNotNull(registrationResponse.getRegistrationAccessToken()); + + // 2. Get Authorization Code + client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + String code = OAuth2TestUtils.getAuthorizationCode(client, null, registrationResponse.getClientId()); + assertNotNull(code); + + // 3. Now get the access token + client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + registrationResponse.getClientId(), registrationResponse.getClientSecret(), + busFile.toString()); + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, registrationResponse.getClientId(), null); + assertNotNull(accessToken.getTokenKey()); + } + + @org.junit.Test + public void testRedirectURIIsRequired() throws Exception { + URL busFile = DynamicRegistrationTest.class.getResource("client.xml"); + + String address = "https://localhost:" + port + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + + // 1. Register a client + client.accept("application/json").type("application/json"); + client.path("register/"); + + ClientRegistration registration = new ClientRegistration(); + registration.setClientName("new client"); + registration.setScope("newscope"); + + Response response = client.post(registration); + assertEquals(400, response.getStatus()); + } + + // + // Server implementations + // + + public static class BookServerOAuth2DynamicRegistrationJCache extends AbstractBusTestServerBase { + private static final URL SERVER_CONFIG_FILE = + BookServerOAuth2DynamicRegistrationJCache.class.getResource("dynamic-reg-server-jcache.xml"); + + protected void run() { + SpringBusFactory bf = new SpringBusFactory(); + Bus springBus = bf.createBus(SERVER_CONFIG_FILE); + BusFactory.setDefaultBus(springBus); + setBus(springBus); + + try { + new BookServerOAuth2DynamicRegistrationJCache(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + } + + public static class BookServerOAuth2DynamicRegistrationJCacheJWT extends AbstractBusTestServerBase { + private static final URL SERVER_CONFIG_FILE = + BookServerOAuth2DynamicRegistrationJCacheJWT.class.getResource("dynamic-reg-server-jcache-jwt.xml"); + + protected void run() { + SpringBusFactory bf = new SpringBusFactory(); + Bus springBus = 
bf.createBus(SERVER_CONFIG_FILE); + BusFactory.setDefaultBus(springBus); + setBus(springBus); + + try { + new BookServerOAuth2DynamicRegistrationJCacheJWT(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + } + + public static class BookServerOAuth2DynamicRegistrationJPA extends AbstractBusTestServerBase { + private static final URL SERVER_CONFIG_FILE = + BookServerOAuth2DynamicRegistrationJPA.class.getResource("dynamic-reg-server-jpa.xml"); + + protected void run() { + SpringBusFactory bf = new SpringBusFactory(); + Bus springBus = bf.createBus(SERVER_CONFIG_FILE); + BusFactory.setDefaultBus(springBus); + setBus(springBus); + + try { + new BookServerOAuth2DynamicRegistrationJPA(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + } + + +} diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jcache-jwt.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jcache-jwt.xml new file mode 100644 index 0000000..cfcb5b3 --- /dev/null +++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jcache-jwt.xml 
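Review bot: `testRedirectURIIsRequired` asserts only `400`, so it cannot distinguish the new redirect-URI guard from any other bad-request path; it should also read the body and check the code, e.g. `OAuthError error = response.readEntity(OAuthError.class); assertEquals(OAuthConstants.INVALID_REQUEST, error.getError());`, assuming the client's JSON provider can deserialise `OAuthError`. The implicit-grant half of the rule is not exercised at all; a second registration that sets `grant_types` to `implicit` (via the matching `ClientRegistration` setter, if one exists) with no redirect URI should likewise expect `400`. In `testDynamicRegistration` the registration response is deserialised before `response.getStatus()` is checked, so a server-side failure surfaces as a deserialisation error instead of a clear assertion — add an `assertEquals(<expected>, response.getStatus())` with whichever status the service returns before the `readEntity` call. Although the commit message mentions token-introspection systests, nothing in this class calls the introspection endpoint wired into the new server configs.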
@@ -0,0 +1,142 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" + xmlns:sec="http://cxf.apache.org/configuration/security" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:jaxrs="http://cxf.apache.org/jaxrs" + xmlns:util="http://www.springframework.org/schema/util" + xsi:schemaLocation="http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd + http://cxf.apache.org/configuration/security 
http://cxf.apache.org/schemas/configuration/security.xsd"> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + <cxf:properties> + <entry key="org.apache.cxf.jaxrs.bus.providers" value-ref="busProviders"/> + </cxf:properties> + </cxf:bus> + <!-- providers --> + <util:list id="busProviders"> + <ref bean="oauthJson"/> + </util:list> + <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/> + + <httpj:engine-factory id="tls-config"> + <httpj:engine port="${testutil.ports.jaxrs-oauth2-dynamic-reg-jcache-jwt}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="JKS" password="password" resource="keys/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="true"/> + </httpj:tlsServerParameters> + <httpj:sessionSupport>true</httpj:sessionSupport> + </httpj:engine> + </httpj:engine-factory> + + <bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.JCacheOAuthDataProviderImpl"> + <constructor-arg><value>${testutil.ports.jaxrs-oauth2-dynamic-reg2-jcache-jwt}</value></constructor-arg> + <property name="useJwtFormatForAccessTokens" value="true"/> + </bean> + + <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="refreshGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="callbackHandlerLoginHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.CallbackHandlerLoginHandler"> + <property name="callbackHandler" ref="callbackHandler"/> + </bean> + + 
<bean id="passwordGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="loginHandler" ref="callbackHandlerLoginHandler"/> + </bean> + + <bean id="clientCredsGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="grantHandlers"> + <list> + <ref bean="refreshGrantHandler"/> + <ref bean="passwordGrantHandler"/> + <ref bean="clientCredsGrantHandler"/> + </list> + </property> + </bean> + + <bean id="dynamicRegistrationService" class="org.apache.cxf.rs.security.oauth2.services.DynamicRegistrationService"> + <property name="clientProvider" ref="oauthProvider"/> + </bean> + <bean id="tokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter"> + <property name="callbackHandler" ref="callbackHandler"/> + </bean> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.jaxrs-oauth2-dynamic-reg-jcache-jwt}/services"> + <jaxrs:serviceBeans> + <ref bean="authorizationService"/> + <ref bean="tokenService"/> + <ref bean="dynamicRegistrationService"/> + <ref bean="tokenIntrospectionService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <ref bean="basicAuthFilter"/> + <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/> + </jaxrs:providers> + 
<jaxrs:properties> + <entry key="security.signature.properties" + value="org/apache/cxf/systest/jaxrs/security/bob.properties"/> + <entry key="rs.security.keystore.type" value="jks" /> + <entry key="rs.security.keystore.alias" value="alice"/> + <entry key="rs.security.keystore.password" value="password"/> + <entry key="rs.security.key.password" value="password"/> + <entry key="rs.security.keystore.file" value="keys/alice.jks" /> + <entry key="rs.security.signature.algorithm" value="RS256" /> + </jaxrs:properties> + </jaxrs:server> + + +</beans> diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jcache.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jcache.xml new file mode 100644 index 0000000..7f85b27 --- /dev/null +++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jcache.xml 
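Review bot: `dynamicRegistrationService` is wired without a `userRole`, and the `basicAuthFilter` protecting the whole `jaxrs:server` uses a `callbackHandler` that now resolves any unknown username through `oauthProvider`; read together, a dynamically registered client can authenticate to `/register` with its own client_id/secret and create further clients. That may be acceptable for a systest, but if so say it in an XML comment, and otherwise add `<property name="userRole" value="..."/>` (a role the test users carry) to the registration bean or scope the filter to the token and introspection endpoints. The keystore and key passwords are the literal `password`; fine for a fixture but worth a `<!-- test-only keystore credentials -->` comment so they are not copied into a real deployment.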
@@ -0,0 +1,131 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" + xmlns:sec="http://cxf.apache.org/configuration/security" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:jaxrs="http://cxf.apache.org/jaxrs" + xmlns:util="http://www.springframework.org/schema/util" + xsi:schemaLocation="http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd + http://cxf.apache.org/configuration/security 
http://cxf.apache.org/schemas/configuration/security.xsd"> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + <cxf:properties> + <entry key="org.apache.cxf.jaxrs.bus.providers" value-ref="busProviders"/> + </cxf:properties> + </cxf:bus> + <!-- providers --> + <util:list id="busProviders"> + <ref bean="oauthJson"/> + </util:list> + <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/> + + <httpj:engine-factory id="tls-config"> + <httpj:engine port="${testutil.ports.jaxrs-oauth2-dynamic-reg-jcache}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="JKS" password="password" resource="keys/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="true"/> + </httpj:tlsServerParameters> + <httpj:sessionSupport>true</httpj:sessionSupport> + </httpj:engine> + </httpj:engine-factory> + + <bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.JCacheOAuthDataProviderImpl"> + <constructor-arg><value>${testutil.ports.jaxrs-oauth2-dynamic-reg2-jcache}</value></constructor-arg> + </bean> + + <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="refreshGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="callbackHandlerLoginHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.CallbackHandlerLoginHandler"> + <property name="callbackHandler" ref="callbackHandler"/> + </bean> + + <bean id="passwordGrantHandler" 
class="org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="loginHandler" ref="callbackHandlerLoginHandler"/> + </bean> + + <bean id="clientCredsGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="grantHandlers"> + <list> + <ref bean="refreshGrantHandler"/> + <ref bean="passwordGrantHandler"/> + <ref bean="clientCredsGrantHandler"/> + </list> + </property> + </bean> + + <bean id="dynamicRegistrationService" class="org.apache.cxf.rs.security.oauth2.services.DynamicRegistrationService"> + <property name="clientProvider" ref="oauthProvider"/> + </bean> + <bean id="tokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter"> + <property name="callbackHandler" ref="callbackHandler"/> + </bean> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.jaxrs-oauth2-dynamic-reg-jcache}/services"> + <jaxrs:serviceBeans> + <ref bean="authorizationService"/> + <ref bean="tokenService"/> + <ref bean="dynamicRegistrationService"/> + <ref bean="tokenIntrospectionService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <ref bean="basicAuthFilter"/> + <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/> + </jaxrs:providers> + </jaxrs:server> + + +</beans> 
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jpa.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jpa.xml new file mode 100644 index 0000000..096a14c --- /dev/null +++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/dynamic-reg-server-jpa.xml 
@@ -0,0 +1,144 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
+ http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd
+ http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+ http://cxf.apache.org/configuration/security 
http://cxf.apache.org/schemas/configuration/security.xsd">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ <cxf:properties>
+ <entry key="org.apache.cxf.jaxrs.bus.providers" value-ref="busProviders"/>
+ </cxf:properties>
+ </cxf:bus>
+ <!-- providers -->
+ <util:list id="busProviders">
+ <ref bean="oauthJson"/>
+ </util:list>
+ <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+
+ <httpj:engine-factory id="tls-config">
+ <httpj:engine port="${testutil.ports.jaxrs-oauth2-dynamic-reg-jpa}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="JKS" password="password" resource="keys/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:clientAuthentication want="true" required="true"/>
+ </httpj:tlsServerParameters>
+ <httpj:sessionSupport>true</httpj:sessionSupport>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <bean id="entityManagerFactory"
+ class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
+ <property name="persistenceUnitName"
+ value="test-hibernate-cxf-systests-rs-security" />
+ <property name="jpaPropertyMap">
+ <map>
+ <entry key="hibernate.jdbc.fetch_size" value="400" />
+ <entry key="hibernate.jdbc.batch_size" value="100" />
+ </map>
+ </property>
+ </bean>
+
+ <bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.JPAOAuthDataProviderImpl">
+ <constructor-arg><value>${testutil.ports.jaxrs-oauth2-dynamic-reg2-jpa}</value></constructor-arg>
+ <constructor-arg ref="entityManagerFactory"/>
+ </bean>
+
+ <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean 
id="refreshGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="callbackHandlerLoginHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.CallbackHandlerLoginHandler">
+ <property name="callbackHandler" ref="callbackHandler"/>
+ </bean>
+
+ <bean id="passwordGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="loginHandler" ref="callbackHandlerLoginHandler"/>
+ </bean>
+
+ <bean id="clientCredsGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ <property name="grantHandlers">
+ <list>
+ <ref bean="refreshGrantHandler"/>
+ <ref bean="passwordGrantHandler"/>
+ <ref bean="clientCredsGrantHandler"/>
+ </list>
+ </property>
+ </bean>
+
+ <bean id="dynamicRegistrationService" class="org.apache.cxf.rs.security.oauth2.services.DynamicRegistrationService">
+ <property name="clientProvider" ref="oauthProvider"/>
+ </bean>
+ <bean id="tokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+
+ <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl">
+ <property name="dataProvider" ref="oauthProvider"/>
+ </bean>
+ <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
+ <property name="callbackHandler" ref="callbackHandler"/>
+ </bean>
+
+ <jaxrs:server
+ depends-on="tls-config"
+ 
address="https://localhost:${testutil.ports.jaxrs-oauth2-dynamic-reg-jpa}/services">
+ <jaxrs:serviceBeans>
+ <ref bean="authorizationService"/>
+ <ref bean="tokenService"/>
+ <ref bean="dynamicRegistrationService"/>
+ <ref bean="tokenIntrospectionService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="basicAuthFilter"/>
+ <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/>
+ </jaxrs:providers>
+ </jaxrs:server>
+
+
+</beans>
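Review bot: The `oauthProvider` bean's first constructor-arg is `${testutil.ports.jaxrs-oauth2-dynamic-reg2-jpa}`, while the Jetty engine port and the `jaxrs:server` address in the same file use `${testutil.ports.jaxrs-oauth2-dynamic-reg-jpa}`; the `reg2` name looks like a copy-paste leftover. If that property is undefined the default `PropertyPlaceholderConfigurer` fails context startup, and if it resolves to a different port then whatever the data provider derives from it (presumably the pre-registered test clients' redirect URIs, which this commit now requires clients to register) points at an endpoint that is not this server. Suggest `<constructor-arg><value>${testutil.ports.jaxrs-oauth2-dynamic-reg-jpa}</value></constructor-arg>`. Separately, the `tokenService` grant handler list contains no authorization-code handler although `authorizationService` is deployed, so codes issued by `/authorize` cannot be exchanged at this token endpoint; fine if the tests only exercise the authorization step, but a one-line comment saying so would stop the next reader from treating it as a gap.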