cxf git commit: [CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly to a JS client which is used by a huna user to copy tokens to confidential clients

2015-04-22 Thread sergeyb
Repository: cxf
Updated Branches:
  refs/heads/master a802b442c - 982bdbc9d


[CXF-6280] Prototyping an Implicit confidential grant service which returns a 
token directly to a JS client which is used by a human user to copy tokens to 
confidential clients


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/982bdbc9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/982bdbc9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/982bdbc9

Branch: refs/heads/master
Commit: 982bdbc9dc2127906d0a1ca06ae181c87c38bbfa
Parents: a802b44
Author: Sergey Beryozkin sberyoz...@talend.com
Authored: Wed Apr 22 17:15:39 2015 +0100
Committer: Sergey Beryozkin sberyoz...@talend.com
Committed: Wed Apr 22 17:15:39 2015 +0100

--
 .../oauth2/filters/OAuthRequestFilter.java  |  16 +-
 .../services/AbstractImplicitGrantService.java  | 163 +++
 .../ImplicitConfidentialGrantService.java   |  51 ++
 .../oauth2/services/ImplicitGrantService.java   | 130 +--
 .../services/RedirectionBasedGrantService.java  |   4 +-
 .../security/oauth2/utils/OAuthConstants.java   |   4 +
 6 files changed, 236 insertions(+), 132 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/982bdbc9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
--
diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index fe638be..22af72c 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -28,7 +28,6 @@ import javax.annotation.Priority;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.Priorities;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -40,6 +39,7 @@ import javax.ws.rs.ext.Provider;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
@@ -71,6 +71,7 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 private boolean checkFormData;
 private ListString requiredScopes = Collections.emptyList();
 private boolean allPermissionsMatch;
+private boolean blockPublicClients;
 
 public void filter(ContainerRequestContext context) {
 validateRequest(JAXRSUtils.getCurrentMessage());
@@ -111,7 +112,7 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 || !requiredScopes.isEmpty()  requiredScopes.size() != 
matchingPermissions.size()) {
 String message = Client has no valid permissions;
 LOG.warning(message);
-throw new WebApplicationException(403);
+throw ExceptionUtils.toForbiddenException(null, null);
 }
   
 if (accessTokenV.getClientIpAddress() != null) {
@@ -119,9 +120,14 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 if (remoteAddress == null || 
accessTokenV.getClientIpAddress().matches(remoteAddress)) {
 String message = Client IP Address is invalid;
 LOG.warning(message);
-throw new WebApplicationException(403);
+throw ExceptionUtils.toForbiddenException(null, null);
 }
 }
+if (blockPublicClients  !accessTokenV.isClientConfidential()) {
+String message = Only Confidential Clients are supported;
+LOG.warning(message);
+throw ExceptionUtils.toForbiddenException(null, null);
+}
 
 // Create the security context and make it available on the message
 SecurityContext sc = createSecurityContext(req, accessTokenV);
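Review bot: The client IP guard kept as context just above the new public-client check reads, as rendered here, `remoteAddress == null || accessTokenV.getClientIpAddress().matches(remoteAddress)`, which rejects the request when the addresses agree and accepts it when they differ; other negations in this diff survived extraction, so this looks like the code rather than the page. `String.matches` also treats its argument as a regular expression, so each `.` in an address matches any character; assuming getClientIpAddress() returns a String, I would write `if (remoteAddress == null || !accessTokenV.getClientIpAddress().equals(remoteAddress)) {`. In the added block, the warning `Only Confidential Clients are supported` names no client, so a 403 from this branch cannot be tied to a registration in the logs; adding the client id, if the validation result exposes it, would fix that. The enclosing method starts and ends outside the hunk, and the same hunk is repeated in the 3.0.x-fixes backport further down the page.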
@@ -273,5 +279,9 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 public void setAllPermissionsMatch(boolean allPermissionsMatch) {
 this.allPermissionsMatch = allPermissionsMatch;
 }
+
+public void setBlockPublicClients(boolean blockPublicClients) {
+this.blockPublicClients = blockPublicClients;
+}
 

cxf git commit: [CXF-6280] Prototyping an Implcit confidenatial grant service which returns a token directly to a JS client which is used by a huna user to copy tokens to confidential clients

2015-04-22 Thread sergeyb
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 03b7d19c8 - 06b934503


[CXF-6280] Prototyping an Implicit confidential grant service which returns a 
token directly to a JS client which is used by a human user to copy tokens to 
confidential clients


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/06b93450
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/06b93450
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/06b93450

Branch: refs/heads/3.0.x-fixes
Commit: 06b9345031e37084fb0ed44b08cb6c6787ac3886
Parents: 03b7d19
Author: Sergey Beryozkin sberyoz...@talend.com
Authored: Wed Apr 22 17:15:39 2015 +0100
Committer: Sergey Beryozkin sberyoz...@talend.com
Committed: Wed Apr 22 17:32:35 2015 +0100

--
 .../oauth2/filters/OAuthRequestFilter.java  |  16 +-
 .../services/AbstractImplicitGrantService.java  | 167 +++
 .../ImplicitConfidentialGrantService.java   |  51 ++
 .../oauth2/services/ImplicitGrantService.java   | 134 +--
 .../services/RedirectionBasedGrantService.java  |   4 +-
 .../security/oauth2/utils/OAuthConstants.java   |   4 +
 6 files changed, 240 insertions(+), 136 deletions(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/06b93450/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
--
diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index fe638be..22af72c 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -28,7 +28,6 @@ import javax.annotation.Priority;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.Priorities;
-import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -40,6 +39,7 @@ import javax.ws.rs.ext.Provider;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
@@ -71,6 +71,7 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 private boolean checkFormData;
 private ListString requiredScopes = Collections.emptyList();
 private boolean allPermissionsMatch;
+private boolean blockPublicClients;
 
 public void filter(ContainerRequestContext context) {
 validateRequest(JAXRSUtils.getCurrentMessage());
@@ -111,7 +112,7 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 || !requiredScopes.isEmpty()  requiredScopes.size() != 
matchingPermissions.size()) {
 String message = Client has no valid permissions;
 LOG.warning(message);
-throw new WebApplicationException(403);
+throw ExceptionUtils.toForbiddenException(null, null);
 }
   
 if (accessTokenV.getClientIpAddress() != null) {
@@ -119,9 +120,14 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 if (remoteAddress == null || 
accessTokenV.getClientIpAddress().matches(remoteAddress)) {
 String message = Client IP Address is invalid;
 LOG.warning(message);
-throw new WebApplicationException(403);
+throw ExceptionUtils.toForbiddenException(null, null);
 }
 }
+if (blockPublicClients  !accessTokenV.isClientConfidential()) {
+String message = Only Confidential Clients are supported;
+LOG.warning(message);
+throw ExceptionUtils.toForbiddenException(null, null);
+}
 
 // Create the security context and make it available on the message
 SecurityContext sc = createSecurityContext(req, accessTokenV);
@@ -273,5 +279,9 @@ public class OAuthRequestFilter extends 
AbstractAccessTokenValidator
 public void setAllPermissionsMatch(boolean allPermissionsMatch) {
 this.allPermissionsMatch = allPermissionsMatch;
 }
+
+public void setBlockPublicClients(boolean blockPublicClients) {
+this.blockPublicClients = blockPublicClients;
+  

svn commit: r948748 - in /websites/production/cxf/content: cache/docs.pageCache docs/client-http-transport-including-ssl-support.html

2015-04-22 Thread buildbot
Author: buildbot
Date: Wed Apr 22 13:47:18 2015
New Revision: 948748

Log:
Production update by buildbot for cxf

Modified:
websites/production/cxf/content/cache/docs.pageCache

websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==
Binary files - no diff available.

Modified: 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
==
--- 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 (original)
+++ 
websites/production/cxf/content/docs/client-http-transport-including-ssl-support.html
 Wed Apr 22 13:47:18 2015
@@ -118,11 +118,11 @@ Apache CXF -- Client HTTP Transport (inc
!-- Content --
div class=wiki-content
 div id=ConfluenceContentpstyle type=text/css/*![CDATA[*/
-div.rbtoc1424713584777 {padding: 0px;}
-div.rbtoc1424713584777 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1424713584777 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1429710411705 {padding: 0px;}
+div.rbtoc1429710411705 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1429710411705 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]*//style/pdiv class=toc-macro rbtoc1424713584777
+/*]]*//style/pdiv class=toc-macro rbtoc1429710411705
 ul class=toc-indentationlia shape=rect 
href=#ClientHTTPTransport(includingSSLsupport)-AuthenticationAuthentication/a
 ul class=toc-indentationlia shape=rect 
href=#ClientHTTPTransport(includingSSLsupport)-BasicAuthenticationBasic 
Authentication/a/lilia shape=rect 
href=#ClientHTTPTransport(includingSSLsupport)-DigestAuthenticationDigest 
Authentication/a/lilia shape=rect 
href=#ClientHTTPTransport(includingSSLsupport)-SupplyingdynamicauthorizationSupplying
 dynamic authorization/a/lilia shape=rect 
href=#ClientHTTPTransport(includingSSLsupport)-SpnegoAuthentication(Kerberos)Spnego
 Authentication (Kerberos)/a
 ul class=toc-indentationlia shape=rect 
href=#ClientHTTPTransport(includingSSLsupport)-CredentialDelegationCredential
 Delegation/a/li/ul
@@ -286,7 +286,7 @@ http.setClient(httpClientPolicy);
   lt;/http-conf:conduitgt;
 ...
 ]]/script
-/div/divpThe codehttp-conf:conduit/code element has a number of 
child elements that specify configuration information. They are described 
below. See also Sun's a shape=rect class=external-link 
href=http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html;
 rel=nofollowJSSE Guide/a for more information on configuring SSL./pdiv 
class=table-wraptable class=confluenceTabletbodytrth colspan=1 
rowspan=1 class=confluenceThpElement/p/thth colspan=1 rowspan=1 
class=confluenceThpDescription/p/th/trtrtd colspan=1 
rowspan=1 class=confluenceTdpcodehttp-conf:client/code/p/tdtd 
colspan=1 rowspan=1 class=confluenceTdpSpecifies the HTTP connection 
properties such as timeouts, keep-alive requests, content types, 
etc./p/td/trtrtd colspan=1 rowspan=1 
class=confluenceTdpcodehttp-conf:authorization/code/p/tdtd 
colspan=1 rowspan=1 class=confluenceTdpSp
 ecifies the the parameters for configuring the basic authentication method 
that the endpoint uses preemptively./p/td/trtrtd colspan=1 
rowspan=1 
class=confluenceTdpcodehttp-conf:proxyAuthorization/code/p/tdtd 
colspan=1 rowspan=1 class=confluenceTdpSpecifies the parameters for 
configuring basic authentication against outgoing HTTP proxy 
servers./p/td/trtrtd colspan=1 rowspan=1 
class=confluenceTdpcodehttp-conf:tlsClientParameters/code/p/tdtd 
colspan=1 rowspan=1 class=confluenceTdpSpecifies the parameters used 
to configure SSL/TLS./p/td/trtrtd colspan=1 rowspan=1 
class=confluenceTdpcodehttp-conf:basicAuthSupplier/code/p/tdtd 
colspan=1 rowspan=1 class=confluenceTdpSpecifies the bean reference or 
class name of the object that supplies the the basic authentication information 
used by the endpoint both preemptively or in response to a 401 HTTP 
challenge./p/td/trtrtd colspan=
 1 rowspan=1 
class=confluenceTdpcodehttp-conf:trustDecider/code/p/tdtd 
colspan=1 rowspan=1 class=confluenceTdpSpecifies the bean reference or 
class name of the object that checks the HTTP(S) URLConnection object in order 
to establish trust for a connection with an HTTPS service provider before any 
information is transmitted./p/td/tr/tbody/table/divh3 
id=ClientHTTPTransport(includingSSLsupport)-TheclientelementThe 
codeclient/code element/h3pThe codehttp-conf:client/code element is 
used to configure the non-security properties of a client's HTTP connection. 
Its attributes, described below, specify the connection's properties./pdiv 
class=table-wraptable class=confluenceTabletbodytrth colspan=1 
rowspan=1 class=confluenceThpAttribute/p/thth colspan=1 
rowspan=1 class=confluenceThpDescription/p/th/trtrtd 
colspan=1 rowspan=1 

buildbot failure in ASF Buildbot on cxf-site-production

2015-04-22 Thread buildbot
The Buildbot has detected a new failure on builder cxf-site-production while 
building ASF Buildbot. Full details are available at:
http://ci.apache.org/builders/cxf-site-production/builds/8679

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

BUILD FAILED: failed compile

Sincerely,
 -The Buildbot





buildbot success in ASF Buildbot on cxf-site-production

2015-04-22 Thread buildbot
The Buildbot has detected a restored build on builder cxf-site-production while 
building ASF Buildbot. Full details are available at:
http://ci.apache.org/builders/cxf-site-production/builds/8680

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-cms-slave

Build Reason: The Nightly scheduler named 'cxf-site-production' triggered this 
build
Build Source Stamp: [branch cxf/web] HEAD
Blamelist: 

Build succeeded!

Sincerely,
 -The Buildbot





cxf git commit: [CXF-6280] Updating AuthorizationCode service to support returning a code out of band even for confidential clients

2015-04-22 Thread sergeyb
Repository: cxf
Updated Branches:
  refs/heads/master 6fd84bc9f - a802b442c


[CXF-6280] Updating AuthorizationCode service to support returning a code out 
of band even for confidential clients


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a802b442
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a802b442
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a802b442

Branch: refs/heads/master
Commit: a802b442cdfdd8e4c23fae7de16a11f5de2004dc
Parents: 6fd84bc
Author: Sergey Beryozkin sberyoz...@talend.com
Authored: Wed Apr 22 13:22:03 2015 +0100
Committer: Sergey Beryozkin sberyoz...@talend.com
Committed: Wed Apr 22 13:22:03 2015 +0100

--
 .../oauth2/services/AuthorizationCodeGrantService.java  | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/a802b442/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
--
diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 9b7239a..184d219 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -55,6 +55,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 public class AuthorizationCodeGrantService extends 
RedirectionBasedGrantService {
 private static final Integer RECOMMENDED_CODE_EXPIRY_TIME_MINS = 10;
 private boolean canSupportPublicClients;
+private boolean canSupportEmptyRedirectForPrivateClients;
 private OOBResponseDeliverer oobDeliverer;
 private AuthorizationCodeRequestFilter codeRequestFilter;
 private AuthorizationCodeResponseFilter codeResponseFilter;
@@ -179,7 +180,10 @@ public class AuthorizationCodeGrantService extends 
RedirectionBasedGrantService
 
 @Override
 protected boolean canRedirectUriBeEmpty(Client c) {
-return canSupportPublicClient(c)  c.getRedirectUris().isEmpty();
+// If a redirect URI is empty then the code will be returned out of 
band, 
+// typically will be returned directly to a human user
+return (c.isConfidential()  canSupportEmptyRedirectForPrivateClients 
|| canSupportPublicClient(c)) 
+ c.getRedirectUris().isEmpty();
 }
 
 public void setCanSupportPublicClients(boolean support) {
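Review bot: The rewritten return in canRedirectUriBeEmpty combines the confidential-client flag and the public-client test without grouping the first pair, so a reader has to apply operator precedence to see that canSupportEmptyRedirectForPrivateClients only counts when c.isConfidential() is true. The operators between the terms are missing from this rendering of the page; assuming they are `&&`, I would hoist the shared condition and group the rest: `if (!c.getRedirectUris().isEmpty()) { return false; }` followed by `return (c.isConfidential() && canSupportEmptyRedirectForPrivateClients) || canSupportPublicClient(c);`. The added comment should also state that a client in this state has no registered redirect URI to validate a request against, so the option should only be enabled where out-of-band delivery is intended. The same hunk appears in the 3.0.x-fixes backport below.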
@@ -193,6 +197,9 @@ public class AuthorizationCodeGrantService extends 
RedirectionBasedGrantService
 public void setCodeRequestFilter(AuthorizationCodeRequestFilter 
codeRequestFilter) {
 this.codeRequestFilter = codeRequestFilter;
 }
+public void setCanSupportEmptyRedirectForPrivateClients(boolean 
canSupportEmptyRedirectForPrivateClients) {
+this.canSupportEmptyRedirectForPrivateClients = 
canSupportEmptyRedirectForPrivateClients;
+}
 
 
 }
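Review bot: setCanSupportEmptyRedirectForPrivateClients is added without Javadoc and without the blank line that separates the neighbouring methods in this class. The field has no initializer, so it defaults to false, and enabling it changes what canRedirectUriBeEmpty accepts for confidential clients; I would document that on the setter: `/** Lets confidential clients registered without a redirect URI receive the authorization code out of band; off by default. */`. The 3.0.x-fixes backport further down adds the same setter.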



cxf git commit: [CXF-6280] Updating AuthorizationCode service to support returning a code out of band even for confidential clients

2015-04-22 Thread sergeyb
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 312e27e75 - 03b7d19c8


[CXF-6280] Updating AuthorizationCode service to support returning a code out 
of band even for confidential clients


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/03b7d19c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/03b7d19c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/03b7d19c

Branch: refs/heads/3.0.x-fixes
Commit: 03b7d19c8e934e98040f064bb36843638b428f63
Parents: 312e27e
Author: Sergey Beryozkin sberyoz...@talend.com
Authored: Wed Apr 22 13:22:03 2015 +0100
Committer: Sergey Beryozkin sberyoz...@talend.com
Committed: Wed Apr 22 13:24:11 2015 +0100

--
 .../oauth2/services/AuthorizationCodeGrantService.java  | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)
--


http://git-wip-us.apache.org/repos/asf/cxf/blob/03b7d19c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
--
diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index edbbe51..a4c9d9e 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -54,6 +54,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 public class AuthorizationCodeGrantService extends 
RedirectionBasedGrantService {
 private static final Integer RECOMMENDED_CODE_EXPIRY_TIME_MINS = 10;
 private boolean canSupportPublicClients;
+private boolean canSupportEmptyRedirectForPrivateClients;
 private OOBResponseDeliverer oobDeliverer;
 private AuthorizationCodeRequestFilter codeRequestFilter;
 private AuthorizationCodeResponseFilter codeResponseFilter;
@@ -171,7 +172,10 @@ public class AuthorizationCodeGrantService extends 
RedirectionBasedGrantService
 
 @Override
 protected boolean canRedirectUriBeEmpty(Client c) {
-return canSupportPublicClient(c)  c.getRedirectUris().isEmpty();
+// If a redirect URI is empty then the code will be returned out of 
band, 
+// typically will be returned directly to a human user
+return (c.isConfidential()  canSupportEmptyRedirectForPrivateClients 
|| canSupportPublicClient(c)) 
+ c.getRedirectUris().isEmpty();
 }
 
 public void setCanSupportPublicClients(boolean support) {
@@ -185,6 +189,9 @@ public class AuthorizationCodeGrantService extends 
RedirectionBasedGrantService
 public void setCodeRequestFilter(AuthorizationCodeRequestFilter 
codeRequestFilter) {
 this.codeRequestFilter = codeRequestFilter;
 }
+public void setCanSupportEmptyRedirectForPrivateClients(boolean 
canSupportEmptyRedirectForPrivateClients) {
+this.canSupportEmptyRedirectForPrivateClients = 
canSupportEmptyRedirectForPrivateClients;
+}
 
 
 }