Author: ssievers
Date: Tue Feb 26 12:55:30 2013
New Revision: 1450157
URL: http://svn.apache.org/r1450157
Log:
SHINDIG-1907 | OAuth2 allowed domain checks are case sensitive | Patch from
Marshall Shi. Thanks!
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/BasicOAuth2Request.java
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/OAuth2Utils.java
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/CodeAuthorizationResponseHandler.java
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/BasicOAuth2Request.java
URL:
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/BasicOAuth2Request.java?rev=1450157&r1=1450156&r2=1450157&view=diff
==============================================================================
---
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/BasicOAuth2Request.java
(original)
+++
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/BasicOAuth2Request.java
Tue Feb 26 12:55:30 2013
@@ -673,7 +673,7 @@ public class BasicOAuth2Request implemen
}
if (accessToken != null) {
- final boolean isAllowed = isUriAllowed(request.getUri(),
accessor.getAllowedDomains());
+ final boolean isAllowed = OAuth2Utils.isUriAllowed(request.getUri(),
accessor.getAllowedDomains());
if (isAllowed) {
String tokenType = accessToken.getTokenType();
if (tokenType == null || tokenType.length() == 0) {
@@ -913,7 +913,7 @@ public class BasicOAuth2Request implemen
"error generating refresh body", e);
}
- if (!isUriAllowed(request.getUri(), accessor.getAllowedDomains())) {
+ if (!OAuth2Utils.isUriAllowed(request.getUri(),
accessor.getAllowedDomains())) {
ret = new OAuth2HandlerError(OAuth2Error.REFRESH_TOKEN_PROBLEM,
"error fetching refresh token - domain not allowed", null);
}
@@ -1024,27 +1024,6 @@ public class BasicOAuth2Request implemen
return ret;
}
- private static boolean isUriAllowed(final Uri uri, final String[]
allowedDomains) {
- if (allowedDomains == null || allowedDomains.length == 0) {
- // if white list is not specified, allow client to access any domain
- return true;
- }
- String host = uri.getAuthority();
- final int pos = host.indexOf(':');
- if (pos != -1) {
- host = host.substring(0, pos);
- }
- for (String domain : allowedDomains) {
- if (domain != null) {
- domain = domain.trim();
- if (domain.startsWith(".") && host.endsWith(domain) ||
domain.equals(host)) {
- return true;
- }
- }
- }
- return false;
- }
-
private static boolean validateAccessToken(final OAuth2Token accessToken) {
return accessToken != null;
}
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/OAuth2Utils.java
URL:
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/OAuth2Utils.java?rev=1450157&r1=1450156&r2=1450157&view=diff
==============================================================================
---
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/OAuth2Utils.java
(original)
+++
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/OAuth2Utils.java
Tue Feb 26 12:55:30 2013
@@ -187,4 +187,37 @@ public class OAuth2Utils {
}
return secret;
}
+
+ /**
+ * Check if the given Uri is in the allowedDomains array.
+ *
+ * @param uri
+ * The uri
+ * @param allowedDomains
+ * allowed domains
+ *
+ * @return boolean true if uri is allowed
+ */
+ public static boolean isUriAllowed(final Uri uri, final String[]
allowedDomains) {
+ if (allowedDomains == null || allowedDomains.length == 0) {
+ // if white list is not specified, allow client to access any domain
+ return true;
+ }
+ String host = uri.getAuthority();
+ final int pos = host.indexOf(':');
+ if (pos != -1) {
+ host = host.substring(0, pos);
+ }
+ host = host.toLowerCase();
+ for (String domain : allowedDomains) {
+ if (domain != null) {
+ domain = domain.trim();
+ domain = domain.toLowerCase();
+ if (domain.startsWith(".") && host.endsWith(domain) ||
domain.equalsIgnoreCase(host)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
}
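Review bot: `host.toLowerCase()` and `domain.toLowerCase()` use the JVM default locale, so the comparison this commit introduces is still locale-dependent (under a Turkish default locale an upper-case `I` in a configured domain lowercases to a dotless ı and never matches the request host); hostnames are ASCII, so use `host = host.toLowerCase(Locale.ROOT);` and `domain = domain.trim().toLowerCase(Locale.ROOT);`, which needs `java.util.Locale` imported if the file does not already have it. Once both sides are lowercased, `domain.equalsIgnoreCase(host)` is redundant and `domain.equals(host)` states the intent more plainly. Separately, the result of `uri.getAuthority()` is dereferenced without a null check, and the split on the first `':'` presumably mis-parses an authority that carries a userinfo part or a bracketed IPv6 literal — if `Uri` exposes a host accessor it would be safer than hand-splitting the authority; confirm against the `Uri` API. The Javadoc could also spell out the matching rule: an entry beginning with `.` matches any host ending in that suffix, any other entry must equal the host exactly, and a null or empty array allows every domain.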
Modified:
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/CodeAuthorizationResponseHandler.java
URL:
http://svn.apache.org/viewvc/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/CodeAuthorizationResponseHandler.java?rev=1450157&r1=1450156&r2=1450157&view=diff
==============================================================================
---
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/CodeAuthorizationResponseHandler.java
(original)
+++
shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/oauth2/handler/CodeAuthorizationResponseHandler.java
Tue Feb 26 12:55:30 2013
@@ -227,7 +227,7 @@ public class CodeAuthorizationResponseHa
request.setHeader("Content-Type", "application/x-www-form-urlencoded;
charset=utf-8");
request.setSecurityToken(new AnonymousSecurityToken("", 0L,
accessor.getGadgetUri()));
- if (!isUriAllowed(request.getUri(), accessor.getAllowedDomains())) {
+ if (!OAuth2Utils.isUriAllowed(request.getUri(),
accessor.getAllowedDomains())) {
ret = new OAuth2HandlerError(OAuth2Error.AUTHORIZATION_CODE_PROBLEM,
"Exception exchanging authorization code for access_token -
domain not allowed", null);
}
@@ -301,25 +301,4 @@ public class CodeAuthorizationResponseHa
return ret;
}
-
- private static boolean isUriAllowed(final Uri uri, final String[]
allowedDomains) {
- if (allowedDomains == null || allowedDomains.length == 0) {
- // if white list is not specified, allow client to access any domain
- return true;
- }
- String host = uri.getAuthority();
- final int pos = host.indexOf(':');
- if (pos != -1) {
- host = host.substring(0, pos);
- }
- for (String domain : allowedDomains) {
- if (domain != null) {
- domain = domain.trim();
- if (domain.startsWith(".") && host.endsWith(domain) ||
domain.equals(host)) {
- return true;
- }
- }
- }
- return false;
- }
}