SECOAUTH-372: use authentication key for comparison instead of complete authentication
commit 5161576ac58ad8edd110282ebf0f4f2490e92440 1 parent b997487
@dsyer dsyer authored
7 ...security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/InMemoryTokenStore.java
@@ -112,9 +112,10 @@ public int getExpiryTokenCount() {
}
public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
- OAuth2AccessToken accessToken = authenticationToAccessTokenStore.get(authenticationKeyGenerator
- .extractKey(authentication));
- if (accessToken != null && !authentication.equals(readAuthentication(accessToken.getValue()))) {
+ String key = authenticationKeyGenerator.extractKey(authentication);
+ OAuth2AccessToken accessToken = authenticationToAccessTokenStore.get(key);
+ if (accessToken != null
+ && !key.equals(authenticationKeyGenerator.extractKey(readAuthentication(accessToken.getValue())))) {
// Keep the stores consistent (maybe the same user is represented by this authentication but the details
// have changed)
storeAccessToken(accessToken, authentication);
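Review bot: On the new condition (the `+` lines ending in `readAuthentication(accessToken.getValue())))`), `readAuthentication` can return null when the key-to-token entry exists but the token-to-authentication entry does not, and that null now flows into `authenticationKeyGenerator.extractKey(...)`; the replaced `authentication.equals(null)` simply evaluated to false, so unless the key generator is null-tolerant (its implementation is not in this diff) this is a new NullPointerException path for a store with a stale mapping. Read the stored authentication into a local and treat null as a mismatch: `OAuth2Authentication stored = readAuthentication(accessToken.getValue());` then `if (accessToken != null && (stored == null || !key.equals(authenticationKeyGenerator.extractKey(stored)))) {`. The same pattern appears in the `getAccessToken` hunk of JdbcTokenStore (`@@ -100,23 +100,26 @@`). A one-line comment stating why the key rather than the full authentication is compared — so that a lookup carrying different request details (for example an unapproved request) cannot overwrite the persisted authentication — would help the next reader, because the existing comment still describes the overwrite case. The body of getAccessToken continues past the end of this hunk.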
38 spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/JdbcTokenStore.java
@@ -100,23 +100,26 @@ public void setAuthenticationKeyGenerator(AuthenticationKeyGenerator authenticat
public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
OAuth2AccessToken accessToken = null;
+ String key = authenticationKeyGenerator.extractKey(authentication);
try {
accessToken = jdbcTemplate.queryForObject(selectAccessTokenFromAuthenticationSql,
new RowMapper<OAuth2AccessToken>() {
public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
return deserializeAccessToken(rs.getBytes(2));
}
- }, authenticationKeyGenerator.extractKey(authentication));
+ }, key);
}
catch (EmptyResultDataAccessException e) {
if (LOG.isInfoEnabled()) {
LOG.debug("Failed to find access token for authentication " + authentication);
}
- } catch (IllegalArgumentException e) {
+ }
+ catch (IllegalArgumentException e) {
LOG.error("Could not extract access token for authentication " + authentication);
}
- if (accessToken != null && !authentication.equals(readAuthentication(accessToken.getValue()))) {
+ if (accessToken != null
+ && !key.equals(authenticationKeyGenerator.extractKey(readAuthentication(accessToken.getValue())))) {
removeAccessToken(accessToken.getValue());
// Keep the store consistent (maybe the same user is represented by this authentication but the details have
// changed)
@@ -135,8 +138,8 @@ public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authe
new SqlLobValue(serializeAccessToken(token)), authenticationKeyGenerator.extractKey(authentication),
authentication.isClientOnly() ? null : authentication.getName(),
authentication.getAuthorizationRequest().getClientId(),
- new SqlLobValue(serializeAuthentication(authentication)), extractTokenKey(refreshToken) }, new int[] { Types.VARCHAR,
- Types.BLOB, Types.VARCHAR, Types.VARCHAR, Types.VARCHAR, Types.BLOB, Types.VARCHAR });
+ new SqlLobValue(serializeAuthentication(authentication)), extractTokenKey(refreshToken) }, new int[] {
+ Types.VARCHAR, Types.BLOB, Types.VARCHAR, Types.VARCHAR, Types.VARCHAR, Types.BLOB, Types.VARCHAR });
}
public OAuth2AccessToken readAccessToken(String tokenValue) {
@@ -153,7 +156,8 @@ public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
if (LOG.isInfoEnabled()) {
LOG.info("Failed to find access token for token " + tokenValue);
}
- } catch (IllegalArgumentException e) {
+ }
+ catch (IllegalArgumentException e) {
LOG.warn("Failed to deserialize access token for " + tokenValue);
removeAccessToken(tokenValue);
}
@@ -188,7 +192,8 @@ public OAuth2Authentication mapRow(ResultSet rs, int rowNum) throws SQLException
if (LOG.isInfoEnabled()) {
LOG.info("Failed to find access token for token " + token);
}
- } catch (IllegalArgumentException e) {
+ }
+ catch (IllegalArgumentException e) {
LOG.warn("Failed to deserialize authentication for " + token);
removeAccessToken(token);
}
@@ -217,7 +222,8 @@ public OAuth2RefreshToken mapRow(ResultSet rs, int rowNum) throws SQLException {
if (LOG.isInfoEnabled()) {
LOG.info("Failed to find refresh token for token " + token);
}
- } catch (IllegalArgumentException e) {
+ }
+ catch (IllegalArgumentException e) {
LOG.warn("Failed to deserialize refresh token for token " + token);
removeRefreshToken(token);
}
@@ -252,7 +258,8 @@ public OAuth2Authentication mapRow(ResultSet rs, int rowNum) throws SQLException
if (LOG.isInfoEnabled()) {
LOG.info("Failed to find access token for token " + value);
}
- } catch (IllegalArgumentException e) {
+ }
+ catch (IllegalArgumentException e) {
LOG.warn("Failed to deserialize access token for " + value);
removeRefreshToken(value);
}
@@ -273,7 +280,8 @@ public void removeAccessTokenUsingRefreshToken(String refreshToken) {
List<OAuth2AccessToken> accessTokens = new ArrayList<OAuth2AccessToken>();
try {
- accessTokens = jdbcTemplate.query(selectAccessTokensFromClientIdSql, new SafeAccessTokenRowMapper(), clientId);
+ accessTokens = jdbcTemplate.query(selectAccessTokensFromClientIdSql, new SafeAccessTokenRowMapper(),
+ clientId);
}
catch (EmptyResultDataAccessException e) {
if (LOG.isInfoEnabled()) {
@@ -289,7 +297,8 @@ public void removeAccessTokenUsingRefreshToken(String refreshToken) {
List<OAuth2AccessToken> accessTokens = new ArrayList<OAuth2AccessToken>();
try {
- accessTokens = jdbcTemplate.query(selectAccessTokensFromUserNameSql, new SafeAccessTokenRowMapper(), userName);
+ accessTokens = jdbcTemplate.query(selectAccessTokensFromUserNameSql, new SafeAccessTokenRowMapper(),
+ userName);
}
catch (EmptyResultDataAccessException e) {
if (LOG.isInfoEnabled()) {
@@ -304,7 +313,7 @@ public void removeAccessTokenUsingRefreshToken(String refreshToken) {
private List<OAuth2AccessToken> removeNulls(List<OAuth2AccessToken> accessTokens) {
List<OAuth2AccessToken> tokens = new ArrayList<OAuth2AccessToken>();
for (OAuth2AccessToken token : accessTokens) {
- if (token!=null) {
+ if (token != null) {
tokens.add(token);
}
}
@@ -312,7 +321,7 @@ public void removeAccessTokenUsingRefreshToken(String refreshToken) {
}
protected String extractTokenKey(String value) {
- if (value==null) {
+ if (value == null) {
return null;
}
MessageDigest digest;
@@ -336,7 +345,8 @@ protected String extractTokenKey(String value) {
public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
try {
return deserializeAccessToken(rs.getBytes(2));
- } catch (IllegalArgumentException e) {
+ }
+ catch (IllegalArgumentException e) {
String token = rs.getString(1);
jdbcTemplate.update(deleteAccessTokenSql, token);
return null;
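Review bot: In the `getAccessToken` hunk (`@@ -100,23 +100,26 @@`) the commit re-wraps `catch (IllegalArgumentException e)` but its body still logs without the cause, `LOG.error("Could not extract access token for authentication " + authentication);`, so the reason for a deserialization failure is lost; pass the exception through: `LOG.error("Could not extract access token for authentication " + authentication, e);`. The guard just above it checks `LOG.isInfoEnabled()` but then calls `LOG.debug(...)`, so that message is gated at the wrong level; use `LOG.isDebugEnabled()` or `LOG.info` consistently with the other catch blocks in this file. Hoisting `String key = authenticationKeyGenerator.extractKey(authentication);` above the `try` also moves that call out of the `IllegalArgumentException` handler that previously enclosed it, which is probably intended but deserves a comment since the catch now only covers the query and token deserialization. getAccessToken's body ends after the hunk.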
32 ...security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/TestTokenStoreBase.java
@@ -13,6 +13,7 @@
package org.springframework.security.oauth2.provider.token;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
@@ -58,17 +59,26 @@ public void testStoreAccessToken() {
@Test
public void testRetrieveAccessToken() {
- OAuth2Authentication expectedAuthentication = new OAuth2Authentication(new DefaultAuthorizationRequest("id", null), new TestAuthentication("test2", false));
+ DefaultAuthorizationRequest authorizationRequest = new DefaultAuthorizationRequest("id", null);
+ authorizationRequest.setApproved(true); // normally the case for a persisted token
+ OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest, new TestAuthentication("test2", true));
OAuth2AccessToken expectedOAuth2AccessToken = new DefaultOAuth2AccessToken("testToken");
- getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
+ getTokenStore().storeAccessToken(expectedOAuth2AccessToken, authentication);
- OAuth2AccessToken actualOAuth2AccessToken = getTokenStore().getAccessToken(expectedAuthentication);
+ authorizationRequest = new DefaultAuthorizationRequest("id", null);
+ authorizationRequest.setApproved(false);
+ authentication = new OAuth2Authentication(authorizationRequest, new TestAuthentication("test2", true));
+ OAuth2AccessToken actualOAuth2AccessToken = getTokenStore().getAccessToken(authentication);
+ assertEquals(expectedOAuth2AccessToken, actualOAuth2AccessToken);
+ assertEquals(authentication.getUserAuthentication(), getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()).getUserAuthentication());
+ // The authorizationRequest does not match because it is unapproved, but the token was granted to an approved request
+ assertFalse(authorizationRequest.equals(getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()).getAuthorizationRequest()));
+ actualOAuth2AccessToken = getTokenStore().getAccessToken(authentication);
assertEquals(expectedOAuth2AccessToken, actualOAuth2AccessToken);
- assertEquals(expectedAuthentication, getTokenStore().readAuthentication(expectedOAuth2AccessToken));
getTokenStore().removeAccessToken(expectedOAuth2AccessToken);
assertNull(getTokenStore().readAccessToken("testToken"));
assertNull(getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()));
- assertNull(getTokenStore().getAccessToken(expectedAuthentication));
+ assertNull(getTokenStore().getAccessToken(authentication));
}
@Test
@@ -131,17 +141,23 @@ public void testReadingRefreshTokenForTokenThatDoesNotExist() {
@Test
public void testGetAccessTokenForDeletedUser() throws Exception {
- OAuth2Authentication expectedAuthentication = new OAuth2Authentication(new DefaultAuthorizationRequest("id", null), new TestAuthentication("test", false));
+ DefaultAuthorizationRequest authorizationRequest = new DefaultAuthorizationRequest("id", null);
+ authorizationRequest.setApproved(true); // normally the case for a token being persisted
+ OAuth2Authentication expectedAuthentication = new OAuth2Authentication(authorizationRequest, new TestAuthentication("test", true));
OAuth2AccessToken expectedOAuth2AccessToken = new DefaultOAuth2AccessToken("testToken");
getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication);
assertEquals(expectedOAuth2AccessToken, getTokenStore().getAccessToken(expectedAuthentication));
assertEquals(expectedAuthentication, getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()));
- OAuth2Authentication anotherAuthentication = new OAuth2Authentication(new DefaultAuthorizationRequest("id", null), new TestAuthentication("test", true));
+ authorizationRequest = new DefaultAuthorizationRequest("id", null);
+ authorizationRequest.setApproved(false); // normally the case for a token being checked for approval
+ OAuth2Authentication anotherAuthentication = new OAuth2Authentication(authorizationRequest, new TestAuthentication("test", true));
assertEquals(expectedOAuth2AccessToken, getTokenStore().getAccessToken(anotherAuthentication));
// The generated key for the authentication is the same as before, but the two auths are not equal. This could
// happen if there are 2 users in a system with the same username, or (more likely), if a user account was
// deleted and re-created.
- assertEquals(anotherAuthentication, getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()));
+ assertEquals(anotherAuthentication.getUserAuthentication(), getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()).getUserAuthentication());
+ // The authorizationRequest does not match because it is unapproved, but the token was granted to an approved request
+ assertFalse(authorizationRequest.equals(getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()).getAuthorizationRequest()));
}
@Test
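Review bot: `testRetrieveAccessToken` and `testGetAccessTokenForDeletedUser` only assert that the stored authorization request is not equal to the unapproved one (`assertFalse(authorizationRequest.equals(...))`), which does not pin the property the change protects — that a lookup with an unapproved request leaves the persisted, approved request intact. Add a positive check, assuming the accessor paired with the `setApproved` used here: `assertTrue(getTokenStore().readAuthentication(expectedOAuth2AccessToken.getValue()).getAuthorizationRequest().isApproved());` (with the matching static import). In `testRetrieveAccessToken` the `getAccessToken`/`assertEquals` pair after the `assertFalse` repeats the one four lines earlier; if it is meant to show the lookup is stable after the first call, say so in a comment, otherwise drop it. Both tests build the same approved/unapproved pair of authentications by hand; a small helper such as `authentication(String user, boolean approved)` would keep them in step.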