[CXF-5561] Updating AccessTokenValidatorService to ensure an authenticated Principal is available

git-svn-id: https://svn.apache.org/repos/asf/cxf/trunk@1567907 13f79535-47bb-0310-9956-ffa450edef68
Sergey Beryozkin committed Feb 13, 2014
1 parent 2e0e4aa commit 1e7c47d8d989d0f0206c8d4c1b11ef8638d5c3d6
Showing 4 changed files with 35 additions and 31 deletions.
@@ -41,6 +41,7 @@
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;

@@ -65,8 +66,15 @@ protected void validateRequest(Message m) {
return;
}

// Get the scheme and its data, Bearer only is supported by default
// WWW-Authenticate with the list of supported schemes will be sent back
// if the scheme is not accepted
String[] authParts = getAuthorizationParts(m);
String authScheme = authParts[0];
String authSchemeData = authParts[1];

// Get the access token
AccessTokenValidation accessTokenV = getAccessTokenValidation();
AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData);

// Find the scopes which match the current request

@@ -190,4 +198,7 @@ public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) {
this.audienceIsEndpointAddress = audienceIsEndpointAddress;
}

protected String[] getAuthorizationParts(Message m) {
return AuthorizationUtils.getAuthorizationParts(getMessageContext(), supportedSchemes);
}
}
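Review bot: `getAuthorizationParts(Message m)` in the last hunk never reads its `m` parameter; the parts are taken from `getMessageContext()` instead, so an overrider cannot tell whether the argument or the context is the intended source. Either use the argument or say so in a comment on the method: `// m is accepted for overriders; the default implementation reads the current MessageContext`. In the second hunk `validateRequest` (its body starts and ends outside this hunk) indexes `authParts[0]` and `authParts[1]` without a length check, relying on `getAuthorizationParts` always returning two elements; stating that contract in a Javadoc on `getAuthorizationParts` would protect subclasses that return their own array.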
@@ -34,6 +34,16 @@ public void handleMessage(Message message) throws Fault {
validateRequest(message);
}

protected String[] getAuthorizationParts(Message message) {
return super.getAuthorizationParts(message);

// You can customise it, extract the token from the message, example, get
// WS-Security Binary token put on the message by WSS4JInInterceptor
//
// String token = getTokenFromCurrentMessage(mc);
// return new String[] {"Bearer", token};
}

public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
return null;
}
@@ -57,14 +67,4 @@ public String getPhase() {
public void handleFault(Message message) {
}

// protected String[] getAuthorizationParts() {
// // the current message is wrapped in MessageContext
// MessageContext mc = getMessageContext();
//
// // extract the token from the message, example, get
// // WS-Security Binary token put on the message by WSS4JInInterceptor
//
// String token = getTokenFromCurrentMessage(mc);
// return new String[] {"Bearer", token};
// }
}
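Review bot: The new `getAuthorizationParts(Message message)` override in the first hunk is missing `@Override`, and the sample code after its `return` still refers to `mc`, which is not declared in this method now that the message is passed in, so the example would not compile if uncommented. Suggest adding `@Override` and changing the sample to `// String token = getTokenFromCurrentMessage(message);`. Since the override only delegates to `super`, a one-line Javadoc saying it is a customisation hook for extracting the scheme and token from the message would make its purpose explicit rather than leaving that to the commented-out example.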
@@ -43,16 +43,14 @@ public abstract class AbstractAccessTokenValidator {

private static final String DEFAULT_AUTH_SCHEME = OAuthConstants.BEARER_AUTHORIZATION_SCHEME;


protected Set<String> supportedSchemes = new HashSet<String>();
protected String realm;

private MessageContext mc;

private List<AccessTokenValidator> tokenHandlers = Collections.emptyList();
private List<String> audiences = new LinkedList<String>();

private Set<String> supportedSchemes = new HashSet<String>();

private OAuthDataProvider dataProvider;
private String realm;

public void setTokenValidator(AccessTokenValidator validator) {
setTokenValidators(Collections.singletonList(validator));
@@ -92,19 +90,12 @@ protected AccessTokenValidator findTokenValidator(String authScheme) {
/**
* Get the access token
*/
protected AccessTokenValidation getAccessTokenValidation() {
protected AccessTokenValidation getAccessTokenValidation(String authScheme, String authSchemeData) {
AccessTokenValidation accessTokenV = null;
if (dataProvider == null && tokenHandlers.isEmpty()) {
throw ExceptionUtils.toInternalServerErrorException(null, null);
}

// Get the scheme and its data, Bearer only is supported by default
// WWW-Authenticate with the list of supported schemes will be sent back
// if the scheme is not accepted
String[] authParts = getAuthorizationParts();
String authScheme = authParts[0];
String authSchemeData = authParts[1];

// Get the registered handler capable of processing the token
AccessTokenValidator handler = findTokenValidator(authScheme);
if (handler != null) {
@@ -164,9 +155,4 @@ public List<String> getAudiences() {
public void setAudiences(List<String> audiences) {
this.audiences = audiences;
}

protected String[] getAuthorizationParts() {
return AuthorizationUtils.getAuthorizationParts(getMessageContext(), supportedSchemes);
}

}
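Review bot: The Javadoc on `getAccessTokenValidation` in the second hunk still reads `Get the access token` although the method now takes `authScheme` and `authSchemeData` from the caller instead of reading them from the Authorization header, and the removed comment about answering an unaccepted scheme with WWW-Authenticate was not carried over, so that check no longer happens in this method. Suggest `@param authScheme the authorization scheme presented by the caller, expected to be one of supportedSchemes` and `@param authSchemeData the scheme-specific data, for Bearer the token itself`, plus a sentence on what happens when `findTokenValidator` returns null; that branch continues below the hunk, so I cannot confirm it here. In the first hunk `supportedSchemes` and `realm` changed from private to protected mutable fields; protected getters would give subclasses read access without letting them reassign the collection, and the doubled blank line above `supportedSchemes` is a nit.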
@@ -18,18 +18,25 @@
*/
package org.apache.cxf.rs.security.oauth2.services;

import javax.ws.rs.Encoded;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;

@Path("validate")
public class AccessTokenValidatorService extends AbstractAccessTokenValidator {
@GET
@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public AccessTokenValidation getTokenValidationInfo() {
return super.getAccessTokenValidation();
public AccessTokenValidation getTokenValidationInfo(@FormParam("authScheme") String authScheme,
@Encoded @FormParam("authScheme") String authSchemeData) {
if (getMessageContext().getSecurityContext().getUserPrincipal() == null) {
AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
}
return super.getAccessTokenValidation(authScheme, authSchemeData);
}
}
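Review bot: Both parameters of `getTokenValidationInfo` are bound to `@FormParam("authScheme")`, so `authSchemeData` receives the scheme value and the token data the caller sent is never read; the second annotation almost certainly meant `@Encoded @FormParam("authSchemeData") String authSchemeData`. The method is also annotated `@GET` while reading `@FormParam` values, which come from a form-encoded request entity that a GET normally does not carry; unless the runtime also populates form params from the query string, this should probably be `@POST`. The added principal check is the right gate for this endpoint, but `authScheme` is then handed to `super.getAccessTokenValidation` without being compared against `supportedSchemes`, so a Javadoc on the method stating which schemes the validation service accepts and that an unsupported one is rejected by the superclass (if that is the case; the superclass branch is not visible here) would help callers.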
