Author: kwall
Date: Mon Feb 15 16:13:17 2016
New Revision: 1730559
URL: http://svn.apache.org/viewvc?rev=1730559&view=rev
Log:
QPID-7028: Address review comments from Lorenz Quack <[email protected]>
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/UsernamePasswordInteractiveLogin.java
qpid/java/trunk/broker-plugins/management-http/src/main/java/resources/index.html
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java?rev=1730559&r1=1730558&r2=1730559&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
Mon Feb 15 16:13:17 2016
@@ -74,7 +74,7 @@ public interface OAuth2AuthenticationPro
String getIdentityResolverType();
@ManagedAttribute( description = "Redirect URI used when the user leaves
the Web Management Console. If not specified, an internal page is used
instead.")
- URI getLogoutURI();
+ URI getPostLogoutURI();
@ManagedAttribute( description = "Client ID to identify qpid to the OAuth
endpoints", mandatory = true )
String getClientId();
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java?rev=1730559&r1=1730558&r2=1730559&view=diff
==============================================================================
---
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
(original)
+++
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
Mon Feb 15 16:13:17 2016
@@ -81,7 +81,7 @@ public class OAuth2AuthenticationProvide
private boolean _tokenEndpointNeedsAuth;
@ManagedAttributeField
- private URI _logoutURI;
+ private URI _postLogoutURI;
@ManagedAttributeField
private String _clientId;
@@ -125,6 +125,7 @@ public class OAuth2AuthenticationProvide
super.validateChange(proxyForValidation, changedAttributes);
validateResolver((OAuth2AuthenticationProvider<?>)proxyForValidation);
validateSecureEndpoints((OAuth2AuthenticationProvider<?>)proxyForValidation);
+ validatePostLogoutURI(this);
}
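Review bot: The new validatePostLogoutURI call in validateChange checks `this` rather than the proposed configuration, while the two sibling checks directly above it pass `proxyForValidation`; as written, a change that sets an invalid postLogoutURI is validated against the already-accepted value and goes through, and the new value is only caught later if onValidate re-runs. Replace the added line with `validatePostLogoutURI((OAuth2AuthenticationProvider<?>)proxyForValidation);` so it matches validateResolver and validateSecureEndpoints. The validateChange signature is outside the hunk.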
@@ -134,6 +135,7 @@ public class OAuth2AuthenticationProvide
super.onValidate();
validateResolver(this);
validateSecureEndpoints(this);
+ validatePostLogoutURI(this);
}
private void validateSecureEndpoints(final OAuth2AuthenticationProvider<?>
provider)
@@ -152,6 +154,17 @@ public class OAuth2AuthenticationProvide
}
}
+ private void validatePostLogoutURI(final OAuth2AuthenticationProvider<?>
provider)
+ {
+ if (provider.getPostLogoutURI() != null)
+ {
+ String scheme = provider.getPostLogoutURI().getScheme();
+ if (!"https".equals(scheme) && !"http".equals(scheme))
+ {
+ throw new IllegalConfigurationException(String.format("Post
logout URI does not have a http or https scheme: '%s'",
provider.getPostLogoutURI()));
+ }
+ }
+ }
private void validateResolver(final OAuth2AuthenticationProvider<?>
provider)
{
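Review bot: The scheme comparison in validatePostLogoutURI is case-sensitive, so a configured value such as `HTTPS://idp.example.com/done` is rejected even though RFC 3986 defines scheme names as case-insensitive; use `"https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme)`. Only the scheme is inspected, so an opaque or host-less value like `http:foo` passes validation and later ends up verbatim in a Location header; if the attribute is meant to be an absolute web address, also require `provider.getPostLogoutURI().getHost() != null` in the same condition. A relative URI (no scheme) is rejected implicitly because getScheme() returns null, which is worth a one-line comment above the check, e.g. `// getScheme() is null for relative URIs, so those are rejected too.`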
@@ -348,9 +361,9 @@ public class OAuth2AuthenticationProvide
}
@Override
- public URI getLogoutURI()
+ public URI getPostLogoutURI()
{
- return _logoutURI;
+ return _postLogoutURI;
}
@Override
Modified:
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java?rev=1730559&r1=1730558&r2=1730559&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
(original)
+++
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
Mon Feb 15 16:13:17 2016
@@ -20,10 +20,8 @@
package org.apache.qpid.server.management.plugin.auth;
import java.io.IOException;
-import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
-import java.net.URL;
import java.security.AccessControlException;
import java.security.SecureRandom;
import java.util.Collections;
@@ -62,12 +60,12 @@ public class OAuth2InteractiveAuthentica
private static final String ORIGINAL_REQUEST_URI_SESSION_ATTRIBUTE =
"originalRequestURI";
private static final String REDIRECT_URI_SESSION_ATTRIBUTE = "redirectURI";
- /** Authentication Endpoint error responses
https://tools.ietf.org/html/rfc6749#section-4.2.1 */
+ /** Authentication Endpoint error responses
https://tools.ietf.org/html/rfc6749#section-4.2.2.1 */
private static final Map<String, Integer> ERROR_RESPONSES;
static
{
- // Authentication Enpoint
+ // Authentication Endpoint
Map<String, Integer> errorResponses = new HashMap<>();
errorResponses.put("invalid_request", 400);
errorResponses.put("unauthorized_client", 400);
@@ -223,25 +221,17 @@ public class OAuth2InteractiveAuthentica
final OAuth2AuthenticationProvider oauth2Provider =
(OAuth2AuthenticationProvider)
configuration.getAuthenticationProvider(request);
- try
+ if (oauth2Provider.getPostLogoutURI() != null)
{
- if (oauth2Provider.getLogoutURI() != null)
+ final String postLogoutRedirect =
oauth2Provider.getPostLogoutURI().toString();
+ return new LogoutHandler()
{
- final URL logoutUri =
oauth2Provider.getLogoutURI().toURL();
- return new LogoutHandler()
+ @Override
+ public void handleLogout(final HttpServletResponse
response) throws IOException
{
- @Override
- public void handleLogout(final HttpServletResponse
response) throws IOException
- {
- response.sendRedirect(logoutUri.toString());
- }
- };
- }
- }
- catch (MalformedURLException e)
- {
- throw new IllegalStateException(String.format("LogoutURI has
unexpected format '%s'",
-
oauth2Provider.getLogoutURI()), e);
+ response.sendRedirect(postLogoutRedirect);
+ }
+ };
}
}
return null;
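Review bot: getPostLogoutURI() is read twice in the new code, once for the null check and again for toString(), so if the managed attribute is changed to null between the two reads the second call throws NullPointerException instead of falling through to `return null`. Read it once into a local, `final URI postLogoutURI = oauth2Provider.getPostLogoutURI();`, test that, and build `postLogoutRedirect` from it. The handler also snapshots the target as a String when it is constructed rather than at logout time, which is only correct if a handler is built per request; the enclosing method begins outside the hunk, so that cannot be confirmed here and deserves a comment on the local.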
Modified:
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/UsernamePasswordInteractiveLogin.java
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/UsernamePasswordInteractiveLogin.java?rev=1730559&r1=1730558&r2=1730559&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/UsernamePasswordInteractiveLogin.java
(original)
+++
qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/UsernamePasswordInteractiveLogin.java
Mon Feb 15 16:13:17 2016
@@ -35,11 +35,11 @@ import org.apache.qpid.server.security.a
@PluggableService
public class UsernamePasswordInteractiveLogin implements
HttpRequestInteractiveAuthenticator
{
- // TODO: When we refactor web management and adopt a web fragments, move
login.html and login.html
- // to WEB-INF/ and dispatch (forward) to them, rather than client side
redirect.
- // This would keep the login/logout pages private and inaccessible when
using auth providers
+ // TODO: When we refactor web management and adopt web fragments, move
login.html (and logout.html)
+ // to WEB-INF/ and dispatch (forward) to them, rather than using a client
side redirect.
+ // This would keep the login/logout pages private and inaccessible to the
user when using auth providers
// such as Ouath2.
- private static final String DEFAULT_LOGIN_URL = "login.html";
+ private static final String DEFAULT_LOGIN_URL = "/login.html";
private static final AuthenticationHandler REDIRECT_HANDLER = new
AuthenticationHandler()
{
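Review bot: Changing DEFAULT_LOGIN_URL to the root-relative `/login.html` assumes the management plugin is mounted at the servlet context root; under a non-empty context path the browser is redirected outside the application. If REDIRECT_HANDLER (whose body continues past the hunk) issues the redirect with this constant, prefix it with the request's context path, e.g. `response.sendRedirect(request.getContextPath() + DEFAULT_LOGIN_URL);`, or keep the constant context-relative and document the assumption. The retained comment line still spells the provider as "Ouath2".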
Modified:
qpid/java/trunk/broker-plugins/management-http/src/main/java/resources/index.html
URL:
http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/resources/index.html?rev=1730559&r1=1730558&r2=1730559&view=diff
==============================================================================
---
qpid/java/trunk/broker-plugins/management-http/src/main/java/resources/index.html
(original)
+++
qpid/java/trunk/broker-plugins/management-http/src/main/java/resources/index.html
Mon Feb 15 16:13:17 2016
@@ -161,7 +161,7 @@
</div>
<div class="dijitDialogPaneActionBar qpidDialogPaneActionBar">
<input type="button" id="errorDialog.button.cancel"
value="Cancel" label="Cancel" dojoType="dijit.form.Button"
onClick="dijit.byId('errorDialog').hide();"/>
- <input type="button" id="errorDialog.button.relogin"
value="Login" label="Login" dojoType="dijit.form.Button"
onClick="dijit.byId('errorDialog').hide(); window.location='logout';"/>
+ <input type="button" id="errorDialog.button.relogin"
value="Login" label="Login" dojoType="dijit.form.Button"
onClick="dijit.byId('errorDialog').hide(); window.location='/';"/>
</div>
</div>
</div>
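Review bot: The error dialog's Login button now navigates to `/` instead of the `logout` endpoint, so the server-side session is no longer explicitly invalidated before the user tries to log in again; if the dialog can appear while a still-valid session exists, the user lands back in the console under the old identity rather than at a login prompt. If the intent is to force a fresh login, keep going through logout (with the post-logout redirect fixed on the server side) rather than reloading the root. The root-relative `/` also carries the same context-path assumption as the server-side `/login.html` change in this commit.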