
CFID-36: tidy up and add some docs

1 parent 277e180 commit e578bc0235e12851d49e4babdb9deb7351d13b4e @dsyer dsyer committed Nov 9, 2011
16 README.md
@@ -79,8 +79,14 @@ an access token submitted by an OAuth2 client.
4. SCIM user provisioning endpoints (todo)
-5. OpenID connect endpoints to support authentication (todo). Authentication is currently
-performed by submitting credentials directly to the /authorize endpoint (as described in UAA-API doc).
+5. OpenID connect endpoints to support authentication
+(todo). Implemented roughly enough to get it working (so /app
+authenticates here), but not to meet the spec.
+
+Authentication can be performed by command line clients by submitting
+credentials directly to the /authorize endpoint (as described in
+UAA-API doc). There is an `ImplicitAccessTokenProvider` in Spring
+Security OAuth that can do the heavy lifting.
## The API Application
@@ -93,9 +99,9 @@ the application on port 9080.
## The App Application
This is a user interface (primarily aimed at browser) app that uses
-OpenID for authentication (i.e. SSO) and OAuth2 for access grants. It
-authenticates with the Auth service, and then accesses resources in
-the API service.
+OpenId Connect for authentication (i.e. SSO) and OAuth2 for access
+grants. It authenticates with the Auth service, and then accesses
+resources in the API service.
### Use Cases
2 ...entity/openid/user/CustomUserDetails.java → ...y/identity/app/web/CustomUserDetails.java
@@ -10,7 +10,7 @@
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
-package org.cloudfoundry.identity.openid.user;
+package org.cloudfoundry.identity.app.web;
import java.util.Collection;
16 ...dry/identity/app/web/LoginController.java → ...ndry/identity/app/web/HomeController.java
@@ -19,21 +19,7 @@
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
-public class LoginController {
-
- private String openidProviderUrl;
-
- public void setOpenidProviderUrl(String openidProviderUrl) {
- this.openidProviderUrl = openidProviderUrl;
- }
-
- @RequestMapping("/openid")
- public String login(Model model) {
- model.addAttribute("action", "verify");
- model.addAttribute("openid_identifier", openidProviderUrl);
- model.addAttribute("_spring_security_remember_me", "true");
- return "redirect:j_spring_openid_security_check";
- }
+public class HomeController {
@RequestMapping("/home")
public String home(Model model, Principal principal) {
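Review bot: `HomeController` arrives without any class-level Javadoc even though the commit is titled as adding docs, while `OpenIdClientFilter` in the same commit gets one; a one-liner such as `/** Serves the /home landing page, apparently for the authenticated principal. */` above the `@Controller` annotation would keep the two consistent. The `home(Model, Principal)` method begins on the hunk's last line and its body lies outside the hunk, so how the `Principal` is used cannot be reviewed here.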
34 app/src/main/java/org/cloudfoundry/identity/app/web/OpenIdClientFilter.java
@@ -1,3 +1,15 @@
+/*
+ * Copyright 2006-2010 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
package org.cloudfoundry.identity.app.web;
import java.io.IOException;
@@ -9,7 +21,6 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import org.cloudfoundry.identity.openid.user.CustomUserDetails;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
@@ -18,16 +29,32 @@
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.web.client.RestOperations;
+/**
+ * A filter that can authenticate with a remote OpenId Connect provider.
+ *
+ * @author Dave Syer
+ *
+ */
public class OpenIdClientFilter extends AbstractAuthenticationProcessingFilter {
public RestOperations restTemplate;
private String userInfoUrl;
+ /**
+ * A rest template to be used to contact the remote user info endpoint.
+ *
+ * @param restTemplate a rest template
+ */
public void setRestTemplate(RestOperations restTemplate) {
this.restTemplate = restTemplate;
}
+ /**
+ * The remote URL of the OpenId Connect /userinfo endpoint.
+ *
+ * @param userInfoUrl
+ */
public void setUserInfoUrl(String userInfoUrl) {
this.userInfoUrl = userInfoUrl;
}
@@ -43,13 +70,16 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
Map<String, String> map = restTemplate.getForObject(userInfoUrl, Map.class);
String userName = map.get("user_name");
List<GrantedAuthority> authorities = Arrays.<GrantedAuthority> asList(new SimpleGrantedAuthority("ROLE_USER"));
- return new UsernamePasswordAuthenticationToken(new CustomUserDetails(userName,authorities), null,
+ CustomUserDetails user = new CustomUserDetails(userName,authorities);
+ user.setEmail(map.get("user_email"));
+ return new UsernamePasswordAuthenticationToken(user, null,
authorities);
}
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) throws IOException, ServletException {
+ // Need to force a redirect via the OAuth2 client filter, so rethrow here
throw failed;
}
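Review bot: `map.get("user_name")` on the new side is used unchecked, so a userinfo response without that claim yields a `CustomUserDetails` with a null username that is then wrapped in an authenticated `UsernamePasswordAuthenticationToken`; a missing or blank name should fail authentication instead, e.g. `if (userName == null || userName.trim().length() == 0) { throw new BadCredentialsException("userinfo response has no user_name"); }` directly after the `getForObject` call (plus the matching `org.springframework.security.authentication.BadCredentialsException` import), which the rethrow in `unsuccessfulAuthentication` will then route back through the OAuth2 client filter as the comment intends. The `Map<String, String>` assignment from `getForObject(userInfoUrl, Map.class)` is an unchecked cast, so a non-string `user_name` or `user_email` value from the provider surfaces as a `ClassCastException` rather than an authentication failure; reading the values as `Object` and checking `instanceof String` would be safer. The `restTemplate` field declared `public` in the earlier hunk should be `private`, since a setter already exists, and the `@param userInfoUrl` tag on `setUserInfoUrl` has no description. `attemptAuthentication` starts before this hunk, so its request handling is not visible here.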
107 app/src/main/java/org/cloudfoundry/identity/openid/user/CustomUserDetailsService.java
@@ -1,107 +0,0 @@
-package org.cloudfoundry.identity.openid.user;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.core.userdetails.UsernameNotFoundException;
-import org.springframework.security.openid.OpenIDAttribute;
-import org.springframework.security.openid.OpenIDAuthenticationToken;
-
-/**
- * Custom UserDetailsService which accepts any OpenID user, "registering" new users in a map so they can be welcomed
- * back to the site on subsequent logins.
- *
- * @author Luke Taylor
- * @since 3.1
- */
-public class CustomUserDetailsService implements UserDetailsService, AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
-
- private final Map<String, CustomUserDetails> registeredUsers = new HashMap<String, CustomUserDetails>();
-
- private static final List<GrantedAuthority> DEFAULT_AUTHORITIES = AuthorityUtils.createAuthorityList("ROLE_USER");
-
- /**
- * Implementation of {@code UserDetailsService}. We only need this to satisfy the {@code RememberMeServices}
- * requirements.
- */
- public UserDetails loadUserByUsername(String id) throws UsernameNotFoundException {
- UserDetails user = registeredUsers.get(id);
-
- if (user == null) {
- throw new UsernameNotFoundException(id);
- }
-
- return user;
- }
-
- /**
- * Implementation of {@code AuthenticationUserDetailsService} which allows full access to the submitted
- * {@code Authentication} object. Used by the OpenIDAuthenticationProvider.
- */
- public UserDetails loadUserDetails(OpenIDAuthenticationToken token) {
- String id = token.getIdentityUrl();
-
- CustomUserDetails user = registeredUsers.get(id);
-
- if (user != null) {
- return user;
- }
-
- String email = null;
- String firstName = null;
- String lastName = null;
- String fullName = null;
-
- List<OpenIDAttribute> attributes = token.getAttributes();
-
- for (OpenIDAttribute attribute : attributes) {
- if (attribute.getName().equals("email")) {
- email = attribute.getValues().get(0);
- }
-
- if (attribute.getName().equals("firstname")) {
- firstName = attribute.getValues().get(0);
- }
-
- if (attribute.getName().equals("lastname")) {
- lastName = attribute.getValues().get(0);
- }
-
- if (attribute.getName().equals("fullname")) {
- fullName = attribute.getValues().get(0);
- }
- }
-
- if (fullName == null) {
- StringBuilder fullNameBldr = new StringBuilder();
-
- if (firstName != null) {
- fullNameBldr.append(firstName);
- }
-
- if (lastName != null) {
- fullNameBldr.append(" ").append(lastName);
- }
- fullName = fullNameBldr.toString();
- }
-
- user = new CustomUserDetails(id, DEFAULT_AUTHORITIES);
- user.setEmail(email);
- user.setName(fullName);
-
- registeredUsers.put(id, user);
-
- user = new CustomUserDetails(id, DEFAULT_AUTHORITIES);
- user.setEmail(email);
- user.setName(fullName);
- user.setNewUser(true);
-
- return user;
- }
-}
2 app/src/main/resources/application-cloud.properties
@@ -1,4 +1,4 @@
-openidProviderUrl=http://dsyerauth.cloudfoundry.com/openid
+userInfoUri=http://dsyerauth.cloudfoundry.com/userinfo
accessTokenUri=http://dsyerauth.cloudfoundry.com/oauth/token
userAuthorizationUri=http://dsyerauth.cloudfoundry.com/oauth/authorize
treeUrlPattern=http://dsyerapi.cloudfoundry.com/{type}
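Review bot: The new `userInfoUri` uses plain `http://`, as do the token and authorization endpoints on the following lines, so the bearer token presented to `/userinfo` (and the client secret sent to `/oauth/token`, per the `<oauth:resource>` wiring elsewhere in this commit) would travel in clear text on this cloud profile; the endpoints should be `https://` if the deployment is reachable over the network. How the filter's `RestOperations` attaches the token to the userinfo call is not visible in this file, so that part is inferred from the OAuth2 client configuration rather than read directly.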
2 app/src/main/resources/application.properties
@@ -1,5 +1,3 @@
-# openidProviderUrl=http://localhost:8080/cloudfoundry-identity-uaa/openid
-openidProviderUrl=https://www.google.com/accounts/o8/id
accessTokenUri=http://localhost:8080/cloudfoundry-identity-uaa/oauth/token
userAuthorizationUri=http://localhost:8080/cloudfoundry-identity-uaa/oauth/authorize
userInfoUri=http://localhost:8080/cloudfoundry-identity-uaa/userinfo
8 app/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -43,8 +43,6 @@
<bean id="oauth2TokenServices" class="org.springframework.security.oauth2.client.token.service.InMemoryOAuth2ClientTokenServices" />
- <bean id="registeringUserService" class="org.cloudfoundry.identity.openid.user.CustomUserDetailsService" />
-
<mvc:resources location="/resources/" mapping="/resources/**" />
<mvc:annotation-driven />
@@ -75,10 +73,6 @@
</property>
</bean>
- <bean id="loginController" class="org.cloudfoundry.identity.app.web.LoginController">
- <property name="openidProviderUrl" value="${openidProviderUrl}" />
- </bean>
-
<bean id="treeController" class="org.cloudfoundry.identity.app.web.TreeController">
<property name="restTemplate">
<bean class="org.springframework.security.oauth2.client.OAuth2RestTemplate">
@@ -88,6 +82,8 @@
<property name="treeUrlPattern" value="${treeUrlPattern}" />
</bean>
+ <bean id="homeController" class="org.cloudfoundry.identity.app.web.HomeController"/>
+
<!--define an oauth 2 resource for api access -->
<oauth:resource id="api" type="authorization_code" client-id="app" client-secret="appclientsecret"
access-token-uri="${accessTokenUri}" user-authorization-uri="${userAuthorizationUri}" scope="read,openid" />
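Review bot: The `client-secret="appclientsecret"` in the `<oauth:resource>` element just below the new `homeController` bean is a literal in the servlet config while the neighbouring `access-token-uri` and `user-authorization-uri` are externalized as `${...}` placeholders; it is unchanged context rather than new code, but since this commit is already reworking this file, moving it to a `client-secret="${clientSecret}"` property kept out of the committed properties files would be consistent with the rest of the element. The `homeController` bean itself is a straight replacement for the removed `loginController` and needs no properties.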

