
SECOAUTH-18, SECOAUTH-19

1 parent 6714c81 commit 1ffd25fa25fad0133ade3123017faa998d4bab1a @stoicflame stoicflame committed Nov 23, 2010
File renamed without changes.
File renamed without changes.
@@ -55,6 +55,7 @@
<groupId>org.mortbay.jetty</groupId>
<artifactId>maven-jetty-plugin</artifactId>
<configuration>
+ <contextPath>/sparklr</contextPath>
<scanIntervalSeconds>10</scanIntervalSeconds>
<stopKey>sparklr</stopKey>
<stopPort>9999</stopPort>
@@ -26,7 +26,7 @@
<h2>Home</h2>
<p>This is a great site to store and view your photos. Unfortunately, we don't have any services
- for printing your photos. For that, you'll have to go to <a href="http://localhost:8888/tonr2/">Tonr.com</a>.</p>
+ for printing your photos. For that, you'll have to go to <a href="http://localhost:8888/tonr/">Tonr.com</a>.</p>
<authz:authorize ifNotGranted="ROLE_USER">
<h2>Login</h2>
@@ -31,7 +31,7 @@ public void testHappyDay() throws Exception {
formData.add("client_id", "my-trusted-client");
formData.add("username", "marissa");
formData.add("password", "koala");
- ClientResponse response = client.resource("http://localhost:" + port + "/sparklr2/oauth/authorize")
+ ClientResponse response = client.resource("http://localhost:" + port + "/sparklr/oauth/authorize")
.type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
.post(ClientResponse.class, formData);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
@@ -43,11 +43,11 @@ public void testHappyDay() throws Exception {
//now try and use the token to access a protected resource.
//first make sure the resource is actually protected.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos").get(ClientResponse.class);
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos").get(ClientResponse.class);
assertFalse(200 == response.getClientResponseStatus().getStatusCode());
//now make sure an authorized request is valid.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos")
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos")
.header("Authorization", String.format("OAuth %s", accessToken.getValue()))
.get(ClientResponse.class);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
@@ -66,7 +66,7 @@ public void testInvalidGrantType() throws Exception {
formData.add("client_id", "my-trusted-client");
formData.add("username", "marissa");
formData.add("password", "koala");
- ClientResponse response = client.resource("http://localhost:" + port + "/sparklr2/oauth/authorize")
+ ClientResponse response = client.resource("http://localhost:" + port + "/sparklr/oauth/authorize")
.type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
.post(ClientResponse.class, formData);
assertEquals(400, response.getClientResponseStatus().getStatusCode());
@@ -28,7 +28,7 @@ public void testHappyDay() throws Exception {
formData.add("client_id", "my-trusted-client");
formData.add("username", "marissa");
formData.add("password", "koala");
- ClientResponse response = client.resource("http://localhost:" + port + "/sparklr2/oauth/authorize")
+ ClientResponse response = client.resource("http://localhost:" + port + "/sparklr/oauth/authorize")
.type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
.post(ClientResponse.class, formData);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
@@ -40,11 +40,11 @@ public void testHappyDay() throws Exception {
//now try and use the token to access a protected resource.
//first make sure the resource is actually protected.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos").get(ClientResponse.class);
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos").get(ClientResponse.class);
assertFalse(200 == response.getClientResponseStatus().getStatusCode());
//now make sure an authorized request is valid.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos")
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos")
.header("Authorization", String.format("OAuth %s", accessToken.getValue()))
.get(ClientResponse.class);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
@@ -55,7 +55,7 @@ public void testHappyDay() throws Exception {
formData.add("grant_type", "refresh_token");
formData.add("client_id", "my-trusted-client");
formData.add("refresh_token", accessToken.getRefreshToken().getValue());
- response = client.resource("http://localhost:" + port + "/sparklr2/oauth/authorize")
+ response = client.resource("http://localhost:" + port + "/sparklr/oauth/authorize")
.type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
.post(ClientResponse.class, formData);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
@@ -64,13 +64,13 @@ public void testHappyDay() throws Exception {
assertFalse(newAccessToken.getValue().equals(accessToken.getValue()));
//make sure the new access token can be used.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos")
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos")
.header("Authorization", String.format("OAuth %s", newAccessToken.getValue()))
.get(ClientResponse.class);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
//make sure the old access token isn't valid anymore.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos")
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos")
.header("Authorization", String.format("OAuth %s", accessToken.getValue()))
.get(ClientResponse.class);
assertEquals(401, response.getClientResponseStatus().getStatusCode());
@@ -37,7 +37,7 @@ public void testBasicWebServerProfile() throws Exception {
WebClient userAgent = new WebClient(BrowserVersion.FIREFOX_3);
userAgent.setRedirectEnabled(false);
- UriBuilder uriBuilder = UriBuilder.fromUri("http://localhost:" + port + "/sparklr2/oauth/user/authorize")
+ UriBuilder uriBuilder = UriBuilder.fromUri("http://localhost:" + port + "/sparklr/oauth/user/authorize")
.queryParam("response_type", "code")
.queryParam("state", "mystateid")
.queryParam("client_id", "my-less-trusted-client")
@@ -113,7 +113,7 @@ else if ("state".equals(token)) {
formData.add("client_id", "my-less-trusted-client");
formData.add("redirect_uri", "http://anywhere");
formData.add("code", code);
- ClientResponse response = client.resource("http://localhost:" + port + "/sparklr2/oauth/authorize")
+ ClientResponse response = client.resource("http://localhost:" + port + "/sparklr/oauth/authorize")
.type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
.post(ClientResponse.class, formData);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
@@ -123,7 +123,7 @@ else if ("state".equals(token)) {
OAuth2AccessToken accessToken = serializationService.deserializeJsonAccessToken(response.getEntityInputStream());
//let's try that request again and make sure we can't re-use the verification code...
- response = client.resource("http://localhost:" + port + "/sparklr2/oauth/authorize")
+ response = client.resource("http://localhost:" + port + "/sparklr/oauth/authorize")
.type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
.post(ClientResponse.class, formData);
assertEquals(401, response.getClientResponseStatus().getStatusCode());
@@ -138,14 +138,14 @@ else if ("state".equals(token)) {
//now try and use the token to access a protected resource.
//first make sure the resource is actually protected.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos").get(ClientResponse.class);
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos").get(ClientResponse.class);
assertFalse(200 == response.getClientResponseStatus().getStatusCode());
String authHeader = response.getHeaders().getFirst("WWW-Authenticate");
assertNotNull(authHeader);
assertTrue(authHeader.startsWith("OAuth"));
//now make sure an authorized request is valid.
- response = client.resource("http://localhost:" + port + "/sparklr2/json/photos")
+ response = client.resource("http://localhost:" + port + "/sparklr/json/photos")
.header("Authorization", String.format("OAuth %s", accessToken.getValue()))
.get(ClientResponse.class);
assertEquals(200, response.getClientResponseStatus().getStatusCode());
@@ -159,7 +159,7 @@ public void testFailureIfSomeParametersAreMissing() throws Exception {
WebClient userAgent = new WebClient(BrowserVersion.FIREFOX_3);
userAgent.setRedirectEnabled(false);
- UriBuilder uriBuilder = UriBuilder.fromUri("http://localhost:" + port + "/sparklr2/oauth/user/authorize")
+ UriBuilder uriBuilder = UriBuilder.fromUri("http://localhost:" + port + "/sparklr/oauth/user/authorize")
.queryParam("response_type", "code")
.queryParam("state", "mystateid")
.queryParam("client_id", "my-less-trusted-client")
@@ -231,7 +231,7 @@ public void testFailureIfSomeParametersAreMissing() throws Exception {
formData.add("client_id", "my-less-trusted-client");
formData.add("redirect_uri", "http://nowhere");
formData.add("code", code);
- ClientResponse response = client.resource("http://localhost:" + port + "/sparklr2/oauth/authorize")
+ ClientResponse response = client.resource("http://localhost:" + port + "/sparklr/oauth/authorize")
.type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
.post(ClientResponse.class, formData);
assertEquals(401, response.getClientResponseStatus().getStatusCode());
@@ -254,7 +254,7 @@ public void testUserFailsToAuthorize() throws Exception {
WebClient userAgent = new WebClient(BrowserVersion.FIREFOX_3);
userAgent.setRedirectEnabled(false);
- UriBuilder uriBuilder = UriBuilder.fromUri("http://localhost:" + port + "/sparklr2/oauth/user/authorize")
+ UriBuilder uriBuilder = UriBuilder.fromUri("http://localhost:" + port + "/sparklr/oauth/user/authorize")
.queryParam("response_type", "code")
.queryParam("state", "mystateid")
.queryParam("client_id", "my-less-trusted-client")
@@ -1,6 +0,0 @@
-1. Change the pom to point to the new version.
-2. mvn deploy
-3. mvn clean
-4. mvn site:site
-5. rsync -av target/site/ /home/heatonra/mnt/spring-security-oauth/web
-6. svn ci
@@ -163,7 +163,9 @@ else if ("false".equals(lowercaseComparisons)) {
}
}
- consumerAccessFilterBean.addPropertyValue("objectDefinitionSource", new DefaultFilterInvocationSecurityMetadataSource(matcher, invocationDefinitionMap));
+ DefaultFilterInvocationSecurityMetadataSource source = new DefaultFilterInvocationSecurityMetadataSource(matcher, invocationDefinitionMap);
+ source.setStripQueryStringFromUrls(true); //see https://jira.springsource.org/browse/SECOAUTH-18
+ consumerAccessFilterBean.addPropertyValue("objectDefinitionSource", source);
parserContext.getRegistry().registerBeanDefinition("oauthConsumerFilter", consumerAccessFilterBean.getBeanDefinition());
filterChain.add(filterChain.size(), new RuntimeBeanReference("oauthConsumerFilter"));
}
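Review bot: The comment on the new `source.setStripQueryStringFromUrls(true)` line only links the ticket; it should state what the flag changes for this filter, presumably that a request URL carrying a query string is matched against the configured intercept-url patterns by path alone, e.g. `// SECOAUTH-18: match on the request path only, so a URL with a query string still hits its intercept-url rule`. The same three lines are added verbatim in the following hunk (the `consumerFilterBean` parser); if the two parsers share a base class, a small protected helper that builds the metadata source with this flag set would keep the two in step rather than relying on a copied comment. The enclosing method starts outside the hunk.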
@@ -163,7 +163,9 @@ else if ("false".equals(lowercaseComparisons)) {
}
}
- consumerFilterBean.addPropertyValue("objectDefinitionSource", new DefaultFilterInvocationSecurityMetadataSource(matcher, invocationDefinitionMap));
+ DefaultFilterInvocationSecurityMetadataSource source = new DefaultFilterInvocationSecurityMetadataSource(matcher, invocationDefinitionMap);
+ source.setStripQueryStringFromUrls(true); //see https://jira.springsource.org/browse/SECOAUTH-18
+ consumerFilterBean.addPropertyValue("objectDefinitionSource", source);
consumerFilterBean.addPropertyReference("resourceDetailsService", resourceDetailsServiceRef);
parserContext.getRegistry().registerBeanDefinition("oauth2ClientSecurityFilter", consumerFilterBean.getBeanDefinition());
filterChain.add(filterIndex++, new RuntimeBeanReference("oauth2ClientSecurityFilter"));
@@ -61,8 +61,7 @@ cd tonr
mvn jetty:run
+---
- Tonr should be started on port 8888. Browse to {{http://localhost:8888/tonr}} for OAuth 1.0 or {{http://localhost:8888/tonr2}} for OAuth2.
- Note Tonr's home page.
+ Tonr should be started on port 8888. Browse to {{http://localhost:8888/tonr}}. Note Tonr's home page.
Observe...
@@ -19,6 +19,7 @@
<groupId>org.mortbay.jetty</groupId>
<artifactId>maven-jetty-plugin</artifactId>
<configuration>
+ <contextPath>/tonr</contextPath>
<connectors>
<connector implementation="org.mortbay.jetty.nio.SelectChannelConnector">
<port>8888</port>
@@ -37,11 +37,11 @@
<!--define an oauth 2 resource for sparklr-->
<oauth:resource id="sparklr" type="authorization_code" clientId="tonr"
- accessTokenUri="http://localhost:8080/sparklr2/oauth/authorize"
- userAuthorizationUri="http://localhost:8080/sparklr2/oauth/user/authorize"/>
+ accessTokenUri="http://localhost:8080/sparklr/oauth/authorize"
+ userAuthorizationUri="http://localhost:8080/sparklr/oauth/user/authorize"/>
<!--define an oauth 2 resource for facebook. according to the facebook docs, the 'clientId' is the App ID, and the 'clientSecret' is the App Secret -->
- <oauth:resource id="facebook" type="authorization_code" clientId="135473799835937" clientSecret="6057dfad781c88dd2f09723dd3641773"
+ <oauth:resource id="facebook" type="authorization_code" clientId="162646850439461" clientSecret="560ad91d992d60298ae6c7f717c8fc93"
bearerTokenMethod="query" bearerTokenName="access_token"
accessTokenUri="https://graph.facebook.com/oauth/access_token"
userAuthorizationUri="https://graph.facebook.com/oauth/authorize"/>
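Review bot: The new `clientSecret` on the `facebook` resource commits a real-looking application secret to source control, and the replaced value stays in history with it, so both should be treated as exposed and rotated on the Facebook side. The configuration would be safer as `clientSecret="${facebook.clientSecret}"` resolved through a property placeholder or environment variable, with the actual value kept out of the repository. If this is intentionally a throwaway sample credential, a comment on the element saying so would stop the next reader from flagging it again.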
@@ -15,7 +15,7 @@
<li><a href="<c:url value="/login.jsp"/>">login</a></li>
</authz:authorize>
<li><a href="<c:url value="/sparklr/photos.jsp"/>">sparklr pics</a></li>
- <li><a href="<c:url value="/facebook/info.jsp"/>" class="selected">facebook stuff</a></li>
+ <li><a href="<c:url value="/facebook/info.jsp"/>" class="selected">facebook friends</a></li>
</ul>
<div id="content">
@@ -15,7 +15,7 @@
<li><a href="<c:url value="/login.jsp"/>">login</a></li>
</authz:authorize>
<li><a href="<c:url value="/sparklr/photos.jsp"/>" class="selected">sparklr pics</a></li>
- <li><a href="<c:url value="/facebook/info.jsp"/>">facebook stuff</a></li>
+ <li><a href="<c:url value="/facebook/info.jsp"/>">facebook friends</a></li>
</ul>
<div id="content">
@@ -1,2 +1,2 @@
-sparklrPhotoListURL=http://localhost:8080/sparklr2/rest/photos
-sparklrPhotoURLPattern=http://localhost:8080/sparklr2/rest/jpg/photo/%s
+sparklrPhotoListURL=http://localhost:8080/sparklr/rest/photos
+sparklrPhotoURLPattern=http://localhost:8080/sparklr/rest/jpg/photo/%s
@@ -15,13 +15,13 @@
<li><a href="<c:url value="/login.jsp"/>">login</a></li>
</authz:authorize>
<li><a href="<c:url value="/sparklr/photos.jsp"/>">sparklr pics</a></li>
- <li><a href="<c:url value="/facebook/info.jsp"/>">facebook stuff</a></li>
+ <li><a href="<c:url value="/facebook/info.jsp"/>">facebook friends</a></li>
</ul>
<div id="content">
<h1>Welcome to Tonr.com!</h1>
- <p>This is a website that will allow you to print your photos that you've uploaded to <a href="http://localhost:8080/sparklr2/">sparklr.com</a>!
+ <p>This is a website that will allow you to print your photos that you've uploaded to <a href="http://localhost:8080/sparklr/">sparklr.com</a>!
And since this site uses <a href="http://oauth.net">OAuth</a> to access your photos, we will never ask you
for your Sparklr credentials.</p>
@@ -18,7 +18,7 @@
<li><a href="<c:url value="/index.jsp"/>">home</a></li>
<li><a href="<c:url value="/login.jsp"/>" class="selected">login</a></li>
<li><a href="<c:url value="/sparklr/photos.jsp"/>">sparklr pics</a></li>
- <li><a href="<c:url value="/facebook/info.jsp"/>">facebook stuff</a></li>
+ <li><a href="<c:url value="/facebook/info.jsp"/>">facebook friends</a></li>
</ul>
<div id="content">
@@ -19,7 +19,7 @@
<li><a href="<c:url value="/login.jsp"/>">login</a></li>
</authz:authorize>
<li><a href="<c:url value="/sparklr/photos.jsp"/>">sparklr pics</a></li>
- <li><a href="<c:url value="/facebook/info.jsp"/>">facebook stuff</a></li>
+ <li><a href="<c:url value="/facebook/info.jsp"/>">facebook friends</a></li>
</ul>
<div id="content">
