Author: doll
Date: Thu Aug  7 13:19:12 2008
New Revision: 683698

URL: http://svn.apache.org/viewvc?rev=683698&view=rev
Log:
Added an AuthenticationHandler interface and three implementations. One for the 
basic url parsing, one for two legged oauth and an anonymous handler. 

The two legged oauth case uses an OAuthLookupService that containers will need 
to implement themselves. The sample container has a simple example. 


Added:
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AnonymousAuthenticationHandler.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AuthenticationHandlerProvider.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/UrlParameterAuthenticationHandler.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/AuthenticationHandler.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/
    
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java

Added: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AnonymousAuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AnonymousAuthenticationHandler.java?rev=683698&view=auto
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AnonymousAuthenticationHandler.java
 (added)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AnonymousAuthenticationHandler.java
 Thu Aug  7 13:19:12 2008
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.shindig.social.core.oauth;
+
+import org.apache.shindig.common.SecurityToken;
+import org.apache.shindig.social.opensocial.oauth.AuthenticationHandler;
+
+import com.google.inject.name.Named;
+import com.google.inject.Inject;
+
+import javax.servlet.http.HttpServletRequest;
+
+public class AnonymousAuthenticationHandler implements AuthenticationHandler {
+  public static final String ALLOW_UNAUTHENTICATED = 
"shindig.allowUnauthenticated";
+  public static final String AUTH_UNAUTHENTICATED = "Unauthenticated";
+  private final boolean allowUnauthenticated;
+
+  @Inject
+  public AnonymousAuthenticationHandler(@Named(ALLOW_UNAUTHENTICATED)
+      boolean allowUnauthenticated) {
+    this.allowUnauthenticated = allowUnauthenticated;
+  }
+
+  public String getName() {
+    return AUTH_UNAUTHENTICATED;
+  }
+
+  public SecurityToken getSecurityTokenFromRequest(HttpServletRequest request) 
{
+    if (allowUnauthenticated) {
+      return new AnonymousSecurityToken();
+    }
+    return null;
+  }
+}
\ No newline at end of file
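Review bot: `getSecurityTokenFromRequest` never looks at the request and returns an `AnonymousSecurityToken` whenever `shindig.allowUnauthenticated` is true, but nothing in the class documents that. I would add a class comment such as `/** Fallback handler: when shindig.allowUnauthenticated is true, every request that reaches it gets an anonymous token; register it after all credential-checking handlers. */`. The binding for the named property is outside this diff, so it is worth confirming that it defaults to false unless a deployment opts in.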

Added: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AuthenticationHandlerProvider.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AuthenticationHandlerProvider.java?rev=683698&view=auto
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AuthenticationHandlerProvider.java
 (added)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/AuthenticationHandlerProvider.java
 Thu Aug  7 13:19:12 2008
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.shindig.social.core.oauth;
+
+import org.apache.shindig.social.opensocial.oauth.AuthenticationHandler;
+
+import com.google.common.collect.Lists;
+import com.google.inject.Inject;
+
+import java.util.List;
+
+public class AuthenticationHandlerProvider {
+  protected List<AuthenticationHandler> handlers;
+
+  @Inject
+  public AuthenticationHandlerProvider(UrlParameterAuthenticationHandler 
urlParam,
+      OAuthConsumerRequestAuthenticationHandler twoLeggedOAuth,
+      AnonymousAuthenticationHandler anonymous) {
+    handlers = Lists.newArrayList(urlParam, twoLeggedOAuth, anonymous);
+  }
+
+  public List<AuthenticationHandler> get() {
+    return handlers;
+  }
+}
\ No newline at end of file
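Review bot: The `handlers` field is `protected` and non-final, and `get()` returns the live `ArrayList`, so any caller or subclass can reorder or remove handlers. The list order appears to be the precedence that keeps the anonymous handler last. Suggest `private final List<AuthenticationHandler> handlers;` and `return Collections.unmodifiableList(handlers);` in `get()`, which needs a `java.util.Collections` import. If subclasses are meant to customise the list, a protected constructor taking the list would allow that without exposing the field. A one-line constructor comment stating that order is precedence would also help.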

Added: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java?rev=683698&view=auto
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
 (added)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/OAuthConsumerRequestAuthenticationHandler.java
 Thu Aug  7 13:19:12 2008
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.shindig.social.core.oauth;
+
+import org.apache.shindig.common.SecurityToken;
+import org.apache.shindig.social.opensocial.oauth.AuthenticationHandler;
+import org.apache.shindig.social.opensocial.oauth.OAuthLookupService;
+
+import com.google.inject.Inject;
+import net.oauth.OAuth;
+import net.oauth.OAuthMessage;
+import net.oauth.server.OAuthServlet;
+import org.apache.commons.lang.StringUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * This class only handles "two-legged" OAuth (aka Consumer Request) OAuth 
requests. The request
+ * must include a xoauth_requestor_id parameter, which will be the userId of 
the person the
+ * container is requesting information on behalf of.
+ */
+public class OAuthConsumerRequestAuthenticationHandler implements 
AuthenticationHandler {
+  public static final String AUTH_OAUTH_CONSUMER_REQUEST = 
"OAuth-ConsumerRequest";
+  public static final String REQUESTOR_ID_PARAM = "xoauth_requestor_id";
+  private final OAuthLookupService service;
+
+  @Inject
+  public OAuthConsumerRequestAuthenticationHandler(OAuthLookupService service) 
{
+    this.service = service;
+  }
+
+  public String getName() {
+    return AUTH_OAUTH_CONSUMER_REQUEST;
+  }
+
+  public SecurityToken getSecurityTokenFromRequest(HttpServletRequest request) 
{
+    OAuthMessage requestMessage = OAuthServlet.getMessage(request, null);
+
+    String containerKey = getParameter(requestMessage, 
OAuth.OAUTH_CONSUMER_KEY);
+    String containerSignature = getParameter(requestMessage, 
OAuth.OAUTH_SIGNATURE);
+    String userId = StringUtils.trim(request.getParameter(REQUESTOR_ID_PARAM));
+
+    if (containerKey == null || containerSignature == null || 
StringUtils.isBlank(userId)) {
+      // This isn't a proper OAuth request
+      return null;
+    }
+
+    if (service.thirdPartyHasAccessToUser(requestMessage, containerKey, 
userId)) {
+      return service.getSecurityToken(containerKey, userId);
+    } else {
+      return null;
+    }
+  }
+
+  private String getParameter(OAuthMessage requestMessage, String key) {
+    try {
+      return requestMessage.getParameter(key);
+    } catch (IOException e) {
+      return null;
+    }
+  }
+
+}
\ No newline at end of file
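Review bot: In `getSecurityTokenFromRequest`, a request that carries OAuth parameters but fails `thirdPartyHasAccessToUser` returns null exactly like a request with no OAuth parameters, and `getParameter` turns an `IOException` into the same null without logging. How the caller walks the handler list is not in this diff, but `AnonymousAuthenticationHandler` is registered after this one. A bad signature would therefore presumably degrade to an anonymous token rather than a rejection when `shindig.allowUnauthenticated` is on. I would at least log the rejected attempt with the consumer key, and consider a distinct failure signal for "credentials present but invalid"; `UrlParameterAuthenticationHandler` has the same null-on-failure shape. Separately, `userId` is read from the servlet request and trimmed, so the id placed in the token can differ from the value that was signed; reading it untrimmed from `requestMessage` keeps the two identical.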

Added: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/UrlParameterAuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/UrlParameterAuthenticationHandler.java?rev=683698&view=auto
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/UrlParameterAuthenticationHandler.java
 (added)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/core/oauth/UrlParameterAuthenticationHandler.java
 Thu Aug  7 13:19:12 2008
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.shindig.social.core.oauth;
+
+import org.apache.shindig.common.SecurityToken;
+import org.apache.shindig.common.SecurityTokenDecoder;
+import org.apache.shindig.common.SecurityTokenException;
+import org.apache.shindig.common.servlet.ParameterFetcher;
+import org.apache.shindig.social.opensocial.oauth.AuthenticationHandler;
+
+import com.google.inject.Inject;
+import com.google.inject.name.Named;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class UrlParameterAuthenticationHandler implements 
AuthenticationHandler {
+  public static final String AUTH_URL_PARAMETER = "SecurityTokenUrlParameter";
+
+  private static final Logger logger = Logger.getLogger(
+      UrlParameterAuthenticationHandler.class.getName());
+
+  private final SecurityTokenDecoder securityTokenDecoder;
+  private final ParameterFetcher parameterFetcher;
+
+  @Inject
+  public UrlParameterAuthenticationHandler(SecurityTokenDecoder 
securityTokenDecoder,
+      @Named("DataServiceServlet")ParameterFetcher parameterFetcher) {
+    this.securityTokenDecoder = securityTokenDecoder;
+    this.parameterFetcher = parameterFetcher;
+  }
+
+  public String getName() {
+    return AUTH_URL_PARAMETER;
+  }
+
+  public SecurityToken getSecurityTokenFromRequest(HttpServletRequest request) 
{
+    try {
+      return securityTokenDecoder.createToken(parameterFetcher.fetch(request));
+    } catch (SecurityTokenException e) {
+      logger.log(Level.INFO, "Valid security token not found.", e);
+      return null;
+    }
+  }
+}
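Review bot: The catch block in `getSecurityTokenFromRequest` logs the full `SecurityTokenException` with its stack trace at INFO. This handler is first in `AuthenticationHandlerProvider`'s list, so it presumably runs for every request, including OAuth and anonymous ones that carry no token. If `createToken` throws for an absent token (not visible here), that is one stack trace per such request. Whether the exception message echoes the raw token is also not visible; if it does, token material would land in the logs. Suggest `logger.log(Level.FINE, "Valid security token not found.", e);`, or keep INFO but log only the exception class name.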

Added: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/AuthenticationHandler.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/AuthenticationHandler.java?rev=683698&view=auto
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/AuthenticationHandler.java
 (added)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/AuthenticationHandler.java
 Thu Aug  7 13:19:12 2008
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.shindig.social.opensocial.oauth;
+
+import org.apache.shindig.common.SecurityToken;
+
+import javax.servlet.http.HttpServletRequest;
+
+public interface AuthenticationHandler {
+  String getName();
+  SecurityToken getSecurityTokenFromRequest(HttpServletRequest request);
+}
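Review bot: The interface has no Javadoc, so the null return that all three implementations in this commit rely on is an unwritten contract. I would document `getSecurityTokenFromRequest` with something like `@return the token for the authenticated request, or null if this handler found no credentials it could accept`. The Javadoc should also state whether null covers "credentials present but invalid", because callers cannot tell the two apart from the return value. A sentence on what the `getName` value is used for would complete it.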

Added: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java?rev=683698&view=auto
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
 (added)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/opensocial/oauth/OAuthLookupService.java
 Thu Aug  7 13:19:12 2008
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.shindig.social.opensocial.oauth;
+
+import org.apache.shindig.common.SecurityToken;
+import 
org.apache.shindig.social.sample.oauth.SampleContainerOAuthLookupService;
+
+import com.google.inject.ImplementedBy;
+import net.oauth.OAuthMessage;
+
[EMAIL PROTECTED](SampleContainerOAuthLookupService.class)
+
+public interface OAuthLookupService {
+  boolean thirdPartyHasAccessToUser(OAuthMessage message, String appUrl,
+      String userId);
+  SecurityToken getSecurityToken(String appUrl, String userId);
+}
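Review bot: Nothing on `thirdPartyHasAccessToUser` says the implementation must verify the OAuth signature, yet `OAuthConsumerRequestAuthenticationHandler` does no verification of its own and trusts this boolean. A container that reads the name as a pure access check would accept unsigned requests, so the Javadoc should say something like `Implementations MUST validate the message signature against the consumer's secret before returning true`. The parameter is named `appUrl` while the handler passes the `oauth_consumer_key` value; renaming it or documenting the equivalence would avoid confusion. The annotation line is mangled by the mail archive, but given the `ImplementedBy` import it appears to default-bind the sample implementation with its hard-coded secrets. Consider dropping that default so a missing container binding fails at injection time instead of silently running on the sample secrets.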

Added: 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java?rev=683698&view=auto
==============================================================================
--- 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
 (added)
+++ 
incubator/shindig/trunk/java/social-api/src/main/java/org/apache/shindig/social/sample/oauth/SampleContainerOAuthLookupService.java
 Thu Aug  7 13:19:12 2008
@@ -0,0 +1,110 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.apache.shindig.social.sample.oauth;
+
+import org.apache.shindig.common.SecurityToken;
+import org.apache.shindig.social.opensocial.oauth.OAuthLookupService;
+import org.apache.shindig.social.core.oauth.OAuthSecurityToken;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import net.oauth.OAuthAccessor;
+import net.oauth.OAuthConsumer;
+import net.oauth.OAuthException;
+import net.oauth.OAuthMessage;
+import net.oauth.OAuthServiceProvider;
+import net.oauth.SimpleOAuthValidator;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+public class SampleContainerOAuthLookupService implements OAuthLookupService {
+  // If we were a real social network this would probably be a function
+  private static Map<String, String> sampleContainerUrlToAppIdMap = 
Maps.immutableMap(
+      
"http://localhost:8080/gadgets/files/samplecontainer/examples/SocialHelloWorld.xml";,
+      "7810",
+      
"http://localhost:8080/gadgets/files/samplecontainer/examples/SocialActivitiesWorld.xml";,
+      "8355"
+  );
+
+  // If we were a real social network we would probably be keeping track of 
this in a db somewhere
+  private static Map<String, ArrayList<String>> sampleContainerAppInstalls = 
Maps.immutableMap(
+      "john.doe", Lists.newArrayList( "7810", "8355")
+  );
+
+  // If we were a real social network we would establish shared secrets with 
each of our gadgets
+  private static Map<String, String> sampleContainerSharedSecrets = 
Maps.immutableMap(
+      "7810", "SocialHelloWorldSharedSecret",
+      "8355", "SocialActivitiesWorldSharedSecret"
+  );
+
+  public boolean thirdPartyHasAccessToUser(OAuthMessage message, String 
appUrl, String userId) {
+    String appId = getAppId(appUrl);
+    return hasValidSignature(message, appUrl, appId)
+        && userHasAppInstalled(userId, appId);
+  }
+
+  private boolean hasValidSignature(OAuthMessage message, String appUrl, 
String appId) {
+    String sharedSecret = sampleContainerSharedSecrets.get(appId);
+    if (sharedSecret == null) {
+      return false;
+    }
+
+    OAuthServiceProvider provider = new OAuthServiceProvider(null, null, null);
+    OAuthConsumer consumer = new OAuthConsumer(null, appUrl, sharedSecret, 
provider);
+    OAuthAccessor accessor = new OAuthAccessor(consumer);
+
+    SimpleOAuthValidator validator = new SimpleOAuthValidator();
+    try {
+      validator.validateMessage(message, accessor);
+    } catch (OAuthException e) {
+      return false;
+    } catch (IOException e) {
+      return false;
+    } catch (URISyntaxException e) {
+      return false;
+    }
+
+    return true;
+  }
+
+  private boolean userHasAppInstalled(String userId, String appId) {
+    List<String> appInstalls = sampleContainerAppInstalls.get(userId);
+    if (appInstalls != null) {
+      for (String appInstall : appInstalls) {
+        if (appInstall.equals(appId)) {
+          return true;
+        }
+      }
+    }
+
+    return false;
+  }
+
+  public SecurityToken getSecurityToken(String appUrl, String userId) {
+    return new OAuthSecurityToken(userId, appUrl, getAppId(appUrl), 
"samplecontainer");
+  }
+
+  private String getAppId(String appUrl) {
+    return sampleContainerUrlToAppIdMap.get(appUrl);
+  }
+
+}
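Review bot: `getAppId` returns null for any consumer key not in `sampleContainerUrlToAppIdMap`, and `hasValidSignature` then calls `sampleContainerSharedSecrets.get(null)`. Depending on the map implementation, that is either a null result or a NullPointerException on request-supplied input. An explicit `if (appId == null) { return false; }` at the top of `thirdPartyHasAccessToUser` makes the rejection deliberate. `getSecurityToken` is public and builds a token for any `appUrl`/`userId` without rechecking, so it depends on callers always calling `thirdPartyHasAccessToUser` first; a comment saying so would help implementers who copy this sample. The three maps should also be `private static final`, and the `ArrayList` values stay mutable inside the otherwise immutable map.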

