cxf git commit: [CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly to a JS client which is used by a huna user to copy tokens to confidential clients
Repository: cxf Updated Branches: refs/heads/master a802b442c - 982bdbc9d [CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly to a JS client which is used by a huna user to copy tokens to confidential clients Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/982bdbc9 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/982bdbc9 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/982bdbc9 Branch: refs/heads/master Commit: 982bdbc9dc2127906d0a1ca06ae181c87c38bbfa Parents: a802b44 Author: Sergey Beryozkin sberyoz...@talend.com Authored: Wed Apr 22 17:15:39 2015 +0100 Committer: Sergey Beryozkin sberyoz...@talend.com Committed: Wed Apr 22 17:15:39 2015 +0100 -- .../oauth2/filters/OAuthRequestFilter.java | 16 +- .../services/AbstractImplicitGrantService.java | 163 +++ .../ImplicitConfidentialGrantService.java | 51 ++ .../oauth2/services/ImplicitGrantService.java | 130 +-- .../services/RedirectionBasedGrantService.java | 4 +- .../security/oauth2/utils/OAuthConstants.java | 4 + 6 files changed, 236 insertions(+), 132 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/982bdbc9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java index fe638be..22af72c 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java 
@@ -28,7 +28,6 @@ import javax.annotation.Priority; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.HttpMethod; import javax.ws.rs.Priorities; -import javax.ws.rs.WebApplicationException; import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.ContainerRequestFilter; import javax.ws.rs.container.PreMatching; @@ -40,6 +39,7 @@ import javax.ws.rs.ext.Provider; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.security.SimplePrincipal; import org.apache.cxf.jaxrs.provider.FormEncodingProvider; +import org.apache.cxf.jaxrs.utils.ExceptionUtils; import org.apache.cxf.jaxrs.utils.FormUtils; import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.message.Message; @@ -71,6 +71,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator private boolean checkFormData; private ListString requiredScopes = Collections.emptyList(); private boolean allPermissionsMatch; +private boolean blockPublicClients; public void filter(ContainerRequestContext context) { validateRequest(JAXRSUtils.getCurrentMessage()); @@ -111,7 +112,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator || !requiredScopes.isEmpty() requiredScopes.size() != matchingPermissions.size()) { String message = Client has no valid permissions; LOG.warning(message); -throw new WebApplicationException(403); +throw ExceptionUtils.toForbiddenException(null, null); } if (accessTokenV.getClientIpAddress() != null) { 
@@ -119,9 +120,14 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator if (remoteAddress == null || accessTokenV.getClientIpAddress().matches(remoteAddress)) { String message = Client IP Address is invalid; LOG.warning(message); -throw new WebApplicationException(403); +throw ExceptionUtils.toForbiddenException(null, null); } } +if (blockPublicClients !accessTokenV.isClientConfidential()) { +String message = Only Confidential Clients are supported; +LOG.warning(message); +throw ExceptionUtils.toForbiddenException(null, null); +} // Create the security context and make it available on the message SecurityContext sc = createSecurityContext(req, accessTokenV); @@ -273,5 +279,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator public void setAllPermissionsMatch(boolean allPermissionsMatch) { this.allPermissionsMatch = allPermissionsMatch; } + +public void setBlockPublicClients(boolean blockPublicClients) { +this.blockPublicClients = blockPublicClients; +}
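Review bot: The new `blockPublicClients` gate in the `@@ -119,9 +120,14` hunk rejects a token whenever `accessTokenV.isClientConfidential()` is false, so a validator that never populates that flag (if it defaults to false) would block every token once the option is on; that fails closed, which is the right direction, but nothing documents it and the new `setBlockPublicClients` setter in the `@@ -273,5 +279,9` hunk has no Javadoc. I would add to the setter `/** When true, tokens issued to public (non-confidential) clients are rejected with 403; defaults to false and relies on the token validator reporting the client's confidentiality. */`. The three identical log-then-throw sequences, `LOG.warning(message); throw ExceptionUtils.toForbiddenException(null, null);`, could be folded into one private helper taking the message so that future checks stay consistent. The same points apply to the 3.0.x-fixes backport of this file below (its `@@ -119,9 +120,14` and `@@ -273,5 +279,9` hunks). The enclosing method (presumably the request-validation method called from `filter`) starts and ends outside the hunk.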
cxf git commit: [CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly to a JS client which is used by a huna user to copy tokens to confidential clients
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 03b7d19c8 - 06b934503 [CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly to a JS client which is used by a huna user to copy tokens to confidential clients Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/06b93450 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/06b93450 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/06b93450 Branch: refs/heads/3.0.x-fixes Commit: 06b9345031e37084fb0ed44b08cb6c6787ac3886 Parents: 03b7d19 Author: Sergey Beryozkin sberyoz...@talend.com Authored: Wed Apr 22 17:15:39 2015 +0100 Committer: Sergey Beryozkin sberyoz...@talend.com Committed: Wed Apr 22 17:32:35 2015 +0100 -- .../oauth2/filters/OAuthRequestFilter.java | 16 +- .../services/AbstractImplicitGrantService.java | 167 +++ .../ImplicitConfidentialGrantService.java | 51 ++ .../oauth2/services/ImplicitGrantService.java | 134 +-- .../services/RedirectionBasedGrantService.java | 4 +- .../security/oauth2/utils/OAuthConstants.java | 4 + 6 files changed, 240 insertions(+), 136 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java index fe638be..22af72c 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java 
@@ -28,7 +28,6 @@ import javax.annotation.Priority; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.HttpMethod; import javax.ws.rs.Priorities; -import javax.ws.rs.WebApplicationException; import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.ContainerRequestFilter; import javax.ws.rs.container.PreMatching; @@ -40,6 +39,7 @@ import javax.ws.rs.ext.Provider; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.security.SimplePrincipal; import org.apache.cxf.jaxrs.provider.FormEncodingProvider; +import org.apache.cxf.jaxrs.utils.ExceptionUtils; import org.apache.cxf.jaxrs.utils.FormUtils; import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.message.Message; @@ -71,6 +71,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator private boolean checkFormData; private ListString requiredScopes = Collections.emptyList(); private boolean allPermissionsMatch; +private boolean blockPublicClients; public void filter(ContainerRequestContext context) { validateRequest(JAXRSUtils.getCurrentMessage()); @@ -111,7 +112,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator || !requiredScopes.isEmpty() requiredScopes.size() != matchingPermissions.size()) { String message = Client has no valid permissions; LOG.warning(message); -throw new WebApplicationException(403); +throw ExceptionUtils.toForbiddenException(null, null); } if (accessTokenV.getClientIpAddress() != null) { 
@@ -119,9 +120,14 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator if (remoteAddress == null || accessTokenV.getClientIpAddress().matches(remoteAddress)) { String message = Client IP Address is invalid; LOG.warning(message); -throw new WebApplicationException(403); +throw ExceptionUtils.toForbiddenException(null, null); } } +if (blockPublicClients !accessTokenV.isClientConfidential()) { +String message = Only Confidential Clients are supported; +LOG.warning(message); +throw ExceptionUtils.toForbiddenException(null, null); +} // Create the security context and make it available on the message SecurityContext sc = createSecurityContext(req, accessTokenV); @@ -273,5 +279,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator public void setAllPermissionsMatch(boolean allPermissionsMatch) { this.allPermissionsMatch = allPermissionsMatch; } + +public void setBlockPublicClients(boolean blockPublicClients) { +this.blockPublicClients = blockPublicClients; +
svn commit: r948748 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html
Author: buildbot Date: Wed Apr 22 13:47:18 2015 New Revision: 948748 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html == --- websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html (original) +++ websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html Wed Apr 22 13:47:18 2015 
@@ -118,11 +118,11 @@ Apache CXF -- Client HTTP Transport (inc !-- Content -- div class=wiki-content div id=ConfluenceContentpstyle type=text/css/*![CDATA[*/ -div.rbtoc1424713584777 {padding: 0px;} -div.rbtoc1424713584777 ul {list-style: disc;margin-left: 0px;} -div.rbtoc1424713584777 li {margin-left: 0px;padding-left: 0px;} +div.rbtoc1429710411705 {padding: 0px;} +div.rbtoc1429710411705 ul {list-style: disc;margin-left: 0px;} +div.rbtoc1429710411705 li {margin-left: 0px;padding-left: 0px;} -/*]]*//style/pdiv class=toc-macro rbtoc1424713584777 +/*]]*//style/pdiv class=toc-macro rbtoc1429710411705 ul class=toc-indentationlia shape=rect href=#ClientHTTPTransport(includingSSLsupport)-AuthenticationAuthentication/a ul class=toc-indentationlia shape=rect href=#ClientHTTPTransport(includingSSLsupport)-BasicAuthenticationBasic Authentication/a/lilia shape=rect href=#ClientHTTPTransport(includingSSLsupport)-DigestAuthenticationDigest Authentication/a/lilia shape=rect href=#ClientHTTPTransport(includingSSLsupport)-SupplyingdynamicauthorizationSupplying dynamic authorization/a/lilia shape=rect href=#ClientHTTPTransport(includingSSLsupport)-SpnegoAuthentication(Kerberos)Spnego Authentication (Kerberos)/a ul class=toc-indentationlia shape=rect href=#ClientHTTPTransport(includingSSLsupport)-CredentialDelegationCredential Delegation/a/li/ul 
@@ -286,7 +286,7 @@ http.setClient(httpClientPolicy); lt;/http-conf:conduitgt; ... ]]/script -/div/divpThe codehttp-conf:conduit/code element has a number of child elements that specify configuration information. They are described below. See also Sun's a shape=rect class=external-link href=http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html; rel=nofollowJSSE Guide/a for more information on configuring SSL./pdiv class=table-wraptable class=confluenceTabletbodytrth colspan=1 rowspan=1 class=confluenceThpElement/p/thth colspan=1 rowspan=1 class=confluenceThpDescription/p/th/trtrtd colspan=1 rowspan=1 class=confluenceTdpcodehttp-conf:client/code/p/tdtd colspan=1 rowspan=1 class=confluenceTdpSpecifies the HTTP connection properties such as timeouts, keep-alive requests, content types, etc./p/td/trtrtd colspan=1 rowspan=1 class=confluenceTdpcodehttp-conf:authorization/code/p/tdtd colspan=1 rowspan=1 class=confluenceTdpSp ecifies the the parameters for configuring the basic authentication method that the endpoint uses preemptively./p/td/trtrtd colspan=1 rowspan=1 class=confluenceTdpcodehttp-conf:proxyAuthorization/code/p/tdtd colspan=1 rowspan=1 class=confluenceTdpSpecifies the parameters for configuring basic authentication against outgoing HTTP proxy servers./p/td/trtrtd colspan=1 rowspan=1 class=confluenceTdpcodehttp-conf:tlsClientParameters/code/p/tdtd colspan=1 rowspan=1 class=confluenceTdpSpecifies the parameters used to configure SSL/TLS./p/td/trtrtd colspan=1 rowspan=1 class=confluenceTdpcodehttp-conf:basicAuthSupplier/code/p/tdtd colspan=1 rowspan=1 class=confluenceTdpSpecifies the bean reference or class name of the object that supplies the the basic authentication information used by the endpoint both preemptively or in response to a 401 HTTP challenge./p/td/trtrtd colspan= 1 rowspan=1 class=confluenceTdpcodehttp-conf:trustDecider/code/p/tdtd colspan=1 rowspan=1 class=confluenceTdpSpecifies the bean reference or class name of the 
object that checks the HTTP(S) URLConnection object in order to establish trust for a connection with an HTTPS service provider before any information is transmitted./p/td/tr/tbody/table/divh3 id=ClientHTTPTransport(includingSSLsupport)-TheclientelementThe codeclient/code element/h3pThe codehttp-conf:client/code element is used to configure the non-security properties of a client's HTTP connection. Its attributes, described below, specify the connection's properties./pdiv class=table-wraptable class=confluenceTabletbodytrth colspan=1 rowspan=1 class=confluenceThpAttribute/p/thth colspan=1 rowspan=1 class=confluenceThpDescription/p/th/trtrtd colspan=1 rowspan=1
buildbot failure in ASF Buildbot on cxf-site-production
The Buildbot has detected a new failure on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/8679 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: BUILD FAILED: failed compile Sincerely, -The Buildbot
buildbot success in ASF Buildbot on cxf-site-production
The Buildbot has detected a restored build on builder cxf-site-production while building ASF Buildbot. Full details are available at: http://ci.apache.org/builders/cxf-site-production/builds/8680 Buildbot URL: http://ci.apache.org/ Buildslave for this Build: bb-cms-slave Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this build Build Source Stamp: [branch cxf/web] HEAD Blamelist: Build succeeded! Sincerely, -The Buildbot
cxf git commit: [CXF-6280] Updating AuthorizationCode service to support returning a code out of band even for confidential clients
Repository: cxf Updated Branches: refs/heads/master 6fd84bc9f - a802b442c [CXF-6280] Updating AuthorizationCode service to support returning a code out of band even for confidential clients Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a802b442 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a802b442 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a802b442 Branch: refs/heads/master Commit: a802b442cdfdd8e4c23fae7de16a11f5de2004dc Parents: 6fd84bc Author: Sergey Beryozkin sberyoz...@talend.com Authored: Wed Apr 22 13:22:03 2015 +0100 Committer: Sergey Beryozkin sberyoz...@talend.com Committed: Wed Apr 22 13:22:03 2015 +0100 -- .../oauth2/services/AuthorizationCodeGrantService.java | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/a802b442/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java index 9b7239a..184d219 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java 
@@ -55,6 +55,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; public class AuthorizationCodeGrantService extends RedirectionBasedGrantService { private static final Integer RECOMMENDED_CODE_EXPIRY_TIME_MINS = 10; private boolean canSupportPublicClients; +private boolean canSupportEmptyRedirectForPrivateClients; private OOBResponseDeliverer oobDeliverer; private AuthorizationCodeRequestFilter codeRequestFilter; private AuthorizationCodeResponseFilter codeResponseFilter; @@ -179,7 +180,10 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService @Override protected boolean canRedirectUriBeEmpty(Client c) { -return canSupportPublicClient(c) c.getRedirectUris().isEmpty(); +// If a redirect URI is empty then the code will be returned out of band, +// typically will be returned directly to a human user +return (c.isConfidential() canSupportEmptyRedirectForPrivateClients || canSupportPublicClient(c)) + c.getRedirectUris().isEmpty(); } public void setCanSupportPublicClients(boolean support) { @@ -193,6 +197,9 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService public void setCodeRequestFilter(AuthorizationCodeRequestFilter codeRequestFilter) { this.codeRequestFilter = codeRequestFilter; } +public void setCanSupportEmptyRedirectForPrivateClients(boolean canSupportEmptyRedirectForPrivateClients) { +this.canSupportEmptyRedirectForPrivateClients = canSupportEmptyRedirectForPrivateClients; +} }
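Review bot: The rewritten `canRedirectUriBeEmpty` in the `@@ -179,7 +180,10` hunk relies on `&&` binding tighter than `||` inside the parenthesised group (the operators are not readable in this rendering, so the grouping is inferred); an inner pair of parentheses, `return ((c.isConfidential() && canSupportEmptyRedirectForPrivateClients) || canSupportPublicClient(c)) && c.getRedirectUris().isEmpty();`, makes the intent explicit and the inline comment would read better as `// An empty redirect URI means the code is returned out of band, typically directly to the human user`. The new `setCanSupportEmptyRedirectForPrivateClients` setter in the `@@ -193,6 +197,9` hunk has no Javadoc; I would add `/** When true, a confidential client with no registered redirect URIs receives its authorization code out of band instead of being rejected; defaults to false. */`. The setter name says "Private" while the check it enables uses `isConfidential()`, so if the name is not yet relied upon, aligning it with the OAuth term avoids a lasting inconsistency. The 3.0.x-fixes backport below carries the same hunks and the same points.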
cxf git commit: [CXF-6280] Updating AuthorizationCode service to support returning a code out of band even for confidential clients
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 312e27e75 - 03b7d19c8 [CXF-6280] Updating AuthorizationCode service to support returning a code out of band even for confidential clients Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/03b7d19c Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/03b7d19c Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/03b7d19c Branch: refs/heads/3.0.x-fixes Commit: 03b7d19c8e934e98040f064bb36843638b428f63 Parents: 312e27e Author: Sergey Beryozkin sberyoz...@talend.com Authored: Wed Apr 22 13:22:03 2015 +0100 Committer: Sergey Beryozkin sberyoz...@talend.com Committed: Wed Apr 22 13:24:11 2015 +0100 -- .../oauth2/services/AuthorizationCodeGrantService.java | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/03b7d19c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java index edbbe51..a4c9d9e 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java 
@@ -54,6 +54,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; public class AuthorizationCodeGrantService extends RedirectionBasedGrantService { private static final Integer RECOMMENDED_CODE_EXPIRY_TIME_MINS = 10; private boolean canSupportPublicClients; +private boolean canSupportEmptyRedirectForPrivateClients; private OOBResponseDeliverer oobDeliverer; private AuthorizationCodeRequestFilter codeRequestFilter; private AuthorizationCodeResponseFilter codeResponseFilter; @@ -171,7 +172,10 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService @Override protected boolean canRedirectUriBeEmpty(Client c) { -return canSupportPublicClient(c) c.getRedirectUris().isEmpty(); +// If a redirect URI is empty then the code will be returned out of band, +// typically will be returned directly to a human user +return (c.isConfidential() canSupportEmptyRedirectForPrivateClients || canSupportPublicClient(c)) + c.getRedirectUris().isEmpty(); } public void setCanSupportPublicClients(boolean support) { @@ -185,6 +189,9 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService public void setCodeRequestFilter(AuthorizationCodeRequestFilter codeRequestFilter) { this.codeRequestFilter = codeRequestFilter; } +public void setCanSupportEmptyRedirectForPrivateClients(boolean canSupportEmptyRedirectForPrivateClients) { +this.canSupportEmptyRedirectForPrivateClients = canSupportEmptyRedirectForPrivateClients; +} }