authorRoberto E. Escobar2014-08-05 02:16:50 +0000
committerRoberto E. Escobar2014-09-29 22:55:08 +0000
commit56d079ef0a6cfb38b3c6082275ef59e21ae053f7 (patch)
tree5571abe3da93a9830c5d05caba04718fa046e46d
parent0fa894259f74e53cc5be5229dcd0f91b5f373a0f (diff)
downloadorg.eclipse.osee-56d079ef0a6cfb38b3c6082275ef59e21ae053f7.tar.gz
org.eclipse.osee-56d079ef0a6cfb38b3c6082275ef59e21ae053f7.tar.xz
org.eclipse.osee-56d079ef0a6cfb38b3c6082275ef59e21ae053f7.zip
feature[ats_ATS64258]: Add OAuth2 storage model
Add OAuth2 storage model to avoid coupling with CXF. Move all subject and session management to a single SubjectProvider class to support session storage and retrieval. Refine JaxRsOAuthStorage interface. Separate OAuth client storage from token and code storage. Change-Id: I20835553ab70feb033a0c1a39bba8d3f818afdcf
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/OSGI-INF/jaxrs.security.oauth2.provider.server.xml (renamed from plugins/org.eclipse.osee.jaxrs.server/OSGI-INF/jaxrs.security.oauth2.provider.xml)2
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/OAuthUtil.java27
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/ClientProvider.java (renamed from plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientDataProvider.java)6
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/CxfOAuthDataProvider.java234
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Configuration.java12
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2DataProvider.java313
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2RequestFilter.java52
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2ServerProvider.java (renamed from plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Provider.java)52
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/SubjectProvider.java (renamed from plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/CxfSubjectCreator.java)26
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AccessToken.java57
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AuthorizationCode.java49
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/CxfSessionAuthenticityTokenProvider.java48
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/OAuthEncryption.java61
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/RefreshOAuthToken.java57
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/SubjectProviderImpl.java180
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientRegistrationService.java5
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsOAuthStorage.java22
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsSessionProvider.java8
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthCodeGrant.java40
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthToken.java40
-rw-r--r--plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthTokenType.java61
21 files changed, 959 insertions, 393 deletions
diff --git a/plugins/org.eclipse.osee.jaxrs.server/OSGI-INF/jaxrs.security.oauth2.provider.xml b/plugins/org.eclipse.osee.jaxrs.server/OSGI-INF/jaxrs.security.oauth2.provider.server.xml
index 03bc15e599c..fddf8df53bc 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/OSGI-INF/jaxrs.security.oauth2.provider.xml
+++ b/plugins/org.eclipse.osee.jaxrs.server/OSGI-INF/jaxrs.security.oauth2.provider.server.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<scr:component xmlns:scr="http://www.osgi.org/xmlns/scr/v1.1.0" activate="start" configuration-policy="require" deactivate="stop" modified="update">
- <implementation class="org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.OAuth2Provider" />
+ <implementation class="org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.OAuth2ServerProvider" />
<reference bind="setLogger" cardinality="1..1" interface="org.eclipse.osee.logger.Log" name="Log" policy="static"/>
<reference bind="setJaxRsApplicationRegistry" cardinality="1..1" interface="org.eclipse.osee.jaxrs.server.internal.applications.JaxRsApplicationRegistry" name="JaxRsApplicationRegistry" policy="static"/>
<reference bind="setJaxRsAuthenticator" cardinality="1..1" interface="org.eclipse.osee.jaxrs.server.security.JaxRsAuthenticator" name="JaxRsAuthenticator" policy="static"/>
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/OAuthUtil.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/OAuthUtil.java
index 278821a898e..72f42cbf522 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/OAuthUtil.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/OAuthUtil.java
@@ -169,11 +169,27 @@ public final class OAuthUtil {
}
public static OseePrincipal newOseePrincipal(UserSubject subject) {
- String value = subject.getId();
- Long id = Strings.isNumeric(value) ? Long.parseLong(value) : -1L;
+ Long id = getUserSubjectUuid(subject);
return new UserSubjectWrapper(id, subject);
}
+ public static Long getUserSubjectUuid(UserSubject subject) {
+ String value = subject.getId();
+ return Strings.isNumeric(value) ? Long.parseLong(value) : -1L;
+ }
+
+ public static String getDisplayName(UserSubject subject) {
+ return getProperty(subject.getProperties(), SUBJECT_DISPLAY_NAME, subject.getLogin());
+ }
+
+ public static String getProperty(Map<String, String> props, String key, String defaultValue) {
+ String toReturn = props.get(key);
+ if (toReturn == null) {
+ toReturn = defaultValue;
+ }
+ return toReturn;
+ }
+
private static final class UserSubjectWrapper extends BaseIdentity<Long> implements OseePrincipal {
private final UserSubject subject;
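Review bot: The new `getUserSubjectUuid` (and `newOseePrincipal` through it) can throw `NumberFormatException` if `Strings.isNumeric` accepts digit strings longer than a `long` fits, because `Long.parseLong(value)` is called unguarded; if that helper only checks for digits, wrap the parse and fall back to `-1L` so an odd subject id degrades to the sentinel instead of failing the request. The three new public helpers also carry no Javadoc; I'd add `/** Returns the subject id as a long, or -1 when the id is not numeric. */` on `getUserSubjectUuid` and a one-liner on `getDisplayName` noting the fall-back to `subject.getLogin()`. `getProperty` dereferences `props` without a null check, so confirm `UserSubject.getProperties()` never returns null or guard it. The `UserSubjectWrapper` class that starts at the end of this hunk continues outside it.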
@@ -229,11 +245,8 @@ public final class OAuthUtil {
}
private String get(String key, String defaultValue) {
- String toReturn = subject.getProperties().get(key);
- if (toReturn == null) {
- toReturn = defaultValue;
- }
- return toReturn;
+ return getProperty(getProperties(), key, defaultValue);
}
}
+
}
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientDataProvider.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/ClientProvider.java
index 189e7aaf25f..297af4e7ab2 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientDataProvider.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/ClientProvider.java
@@ -8,17 +8,19 @@
* Contributors:
* Boeing - initial API and implementation
*******************************************************************************/
-package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.endpoints;
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider;
import org.apache.cxf.rs.security.oauth2.common.Client;
/**
* @author Roberto E. Escobar
*/
-public interface ClientDataProvider {
+public interface ClientProvider {
Client getClient(String clientId);
Client createClient();
+ long getClientId(Client client);
+
} \ No newline at end of file
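Review bot: The new `long getClientId(Client client)` has no Javadoc stating what it returns for a client the provider does not know, yet `OAuth2DataProvider` in this commit uses the value as the storage key for every token and code grant it creates. I'd add `/** Returns the persistent id under which this client's tokens and grants are stored. */` and a second sentence stating whether an unregistered client yields a sentinel or an exception, whichever the implementation actually does. The file also still ends without a trailing newline.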
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/CxfOAuthDataProvider.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/CxfOAuthDataProvider.java
deleted file mode 100644
index 6f137536f43..00000000000
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/CxfOAuthDataProvider.java
+++ /dev/null
@@ -1,234 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Boeing.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-v10.html
- *
- * Contributors:
- * Boeing - initial API and implementation
- *******************************************************************************/
-package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider;
-
-import java.util.Collections;
-import java.util.List;
-import javax.crypto.SecretKey;
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.OAuthError;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
-import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
-import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
-import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.ModelEncryptionSupport;
-import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.endpoints.ClientDataProvider;
-import org.eclipse.osee.jaxrs.server.security.JaxRsOAuthStorage;
-
-/**
- * @author Roberto E. Escobar
- */
-public class CxfOAuthDataProvider implements AuthorizationCodeDataProvider, ClientDataProvider {
-
- private final JaxRsOAuthStorage storage;
-
- private boolean isRefreshTokenAllowed;
- private long accessTokenExpiration;
- private long refreshTokenExpiration;
- private long codeGrantExpiration;
- private SecretKey secretKey;
-
- public CxfOAuthDataProvider(JaxRsOAuthStorage storage) {
- super();
- this.storage = storage;
- }
-
- public SecretKey getSecretKey() {
- return secretKey;
- }
-
- public void setSecretKey(SecretKey secretKey) {
- this.secretKey = secretKey;
- }
-
- public boolean isRefreshTokenAllowed() {
- return isRefreshTokenAllowed;
- }
-
- public long getAccessTokenExpiration() {
- return accessTokenExpiration;
- }
-
- public long getRefreshTokenExpiration() {
- return refreshTokenExpiration;
- }
-
- public long getCodeGrantExpiration() {
- return codeGrantExpiration;
- }
-
- public void setRefreshTokenAllowed(boolean isRefreshTokenAllowed) {
- this.isRefreshTokenAllowed = isRefreshTokenAllowed;
- }
-
- public void setAccessTokenExpiration(long accessTokenExpiration) {
- this.accessTokenExpiration = accessTokenExpiration;
- }
-
- public void setRefreshTokenExpiration(long refreshTokenExpiration) {
- this.refreshTokenExpiration = refreshTokenExpiration;
- }
-
- public void setCodeGrantExpiration(long codeGrantExpiration) {
- this.codeGrantExpiration = codeGrantExpiration;
- }
-
- @Override
- public Client createClient() {
- return null;
- }
-
- @Override
- public Client getClient(String clientId) {
- return storage.getClient(clientId);
- }
-
- @Override
- public ServerAuthorizationCodeGrant createCodeGrant(AuthorizationCodeRegistration reg) {
- long expiresIn = getCodeGrantExpiration();
-
- ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(), expiresIn);
- grant.setAudience(reg.getAudience());
- grant.setRedirectUri(reg.getRedirectUri());
- grant.setClientCodeVerifier(reg.getClientCodeVerifier());
- grant.setSubject(reg.getSubject());
- grant.setApprovedScopes(getApprovedScopes(reg.getRequestedScope(), reg.getApprovedScope()));
- grant.setClientCodeVerifier(reg.getClientCodeVerifier());
-
- String encrypted = ModelEncryptionSupport.encryptCodeGrant(grant, getSecretKey());
- grant.setCode(encrypted);
-
- storage.storeCodeGrant(encrypted);
- return grant;
- }
-
- @Override
- public ServerAuthorizationCodeGrant removeCodeGrant(String code) {
- String codeGrant = storage.getCodeGrant(code);
- ServerAuthorizationCodeGrant grant = null;
- if (codeGrant != null) {
- storage.removeCodeGrant(codeGrant);
- grant = ModelEncryptionSupport.decryptCodeGrant(this, codeGrant, getSecretKey());
- }
- return grant;
- }
-
- @Override
- public ServerAccessToken createAccessToken(AccessTokenRegistration reg) {
- Client client = reg.getClient();
- List<String> approvedScopes = getApprovedScopes(reg.getRequestedScope(), reg.getApprovedScope());
- List<OAuthPermission> permissions = convertScopeToPermissions(client, approvedScopes);
-
- BearerAccessToken token = new BearerAccessToken(client, getAccessTokenExpiration());
- token.setSubject(reg.getSubject());
-
- token.setAudience(reg.getAudience());
- token.setGrantType(reg.getGrantType());
- token.setParameters(Collections.singletonMap("param", "value"));
- token.setScopes(permissions);
-
- String encryptedRefreshToken = null;
- if (isRefreshTokenAllowed()) {
- RefreshToken refreshToken = new RefreshToken(client, getRefreshTokenExpiration());
- encryptedRefreshToken = ModelEncryptionSupport.encryptRefreshToken(refreshToken, getSecretKey());
- token.setRefreshToken(encryptedRefreshToken);
- }
-
- String encryptedAccessToken = ModelEncryptionSupport.encryptAccessToken(token, getSecretKey());
- token.setTokenKey(encryptedAccessToken);
-
- storage.storeAccessToken(encryptedAccessToken);
- if (encryptedRefreshToken != null) {
- storage.storeRefreshToken(encryptedRefreshToken, encryptedAccessToken);
- }
- return token;
- }
-
- @Override
- public ServerAccessToken getAccessToken(String accessToken) {
- return ModelEncryptionSupport.decryptAccessToken(this, accessToken, getSecretKey());
- }
-
- @Override
- public ServerAccessToken refreshAccessToken(Client client, String refreshToken, List<String> requestedScopes) {
- if (!isRefreshTokenAllowed()) {
- OAuthError error = new OAuthError(OAuthConstants.INVALID_REQUEST, "Refresh tokens are not allowed.");
- throw new OAuthServiceException(error);
- }
- SecretKey secretKey = getSecretKey();
-
- String encryptedAccessToken = storage.getAccessTokenByRefreshToken(refreshToken);
- if (encryptedAccessToken != null) {
- storage.removeRefreshToken(refreshToken);
- }
-
- ServerAccessToken token = ModelEncryptionSupport.decryptAccessToken(this, encryptedAccessToken, secretKey);
- storage.removeAccessToken(token.getTokenKey());
-
- RefreshToken newRefreshToken = new RefreshToken(token.getClient(), getRefreshTokenExpiration());
- String newEncryptedRefreshToken = ModelEncryptionSupport.encryptRefreshToken(newRefreshToken, secretKey);
- token.setRefreshToken(newEncryptedRefreshToken);
-
- String newEncryptedAccessToken = ModelEncryptionSupport.encryptAccessToken(token, secretKey);
- storage.storeAccessToken(newEncryptedAccessToken);
- storage.storeRefreshToken(newEncryptedRefreshToken, newEncryptedAccessToken);
- token.setTokenKey(newEncryptedAccessToken);
- return token;
- }
-
- @Override
- public void removeAccessToken(ServerAccessToken accessToken) {
- storage.removeAccessToken(accessToken.getTokenKey());
- }
-
- @Override
- public void revokeToken(Client client, String token, String tokenTypeHint) {
- // the fast way: if it is the refresh token then there will be a matching value for it
- String accessToken = storage.getAccessTokenByRefreshToken(token);
- if (accessToken != null) {
- storage.removeRefreshToken(token);
- }
- // if no matching value then the token parameter is access token key
- storage.removeAccessToken(accessToken == null ? token : accessToken);
- }
-
- @Override
- public ServerAccessToken getPreauthorizedToken(Client client, List<String> requestedScopes, UserSubject subject, String grantType) {
- // This is an optimization useful in cases where a client requests an authorization code:
- // if a user has already provided a given client with a pre-authorized token then challenging
- // a user with yet another form asking for the authorization is redundant
- String clientId = client.getClientId();
- String subjectId = subject.getId();
- String encryptedToken = storage.getPreauthorizedToken(clientId, subjectId, grantType);
- ServerAccessToken token = null;
- if (encryptedToken != null) {
- token = ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, getSecretKey());
- }
- return token;
- }
-
- @Override
- public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScope) {
- return Collections.emptyList();
- }
-
- private List<String> getApprovedScopes(List<String> requestedScopes, List<String> approvedScopes) {
- return approvedScopes.isEmpty() ? requestedScopes : approvedScopes;
- }
-
-} \ No newline at end of file
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Configuration.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Configuration.java
index fe496d2678a..c92fcd77d00 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Configuration.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Configuration.java
@@ -51,6 +51,9 @@ public class OAuth2Configuration {
public static final String OAUTH2_PROVIDER__USE_USER_SUBJECT = qualify("use.user.subject");
public static final String OAUTH2_PROVIDER__WRITE_CUSTOM_ERRORS = qualify("write.custom.errors");
public static final String OAUTH2_PROVIDER__WRITE_OPTIONAL_PARAMETERS = qualify("write.optional.parameters");
+
+ public static final String OAUTH2_PROVIDER__SECRET_KEY_ALGORITHM = qualify("secret.key.algorithm");
+ public static final String OAUTH2_PROVIDER__ENCODED_SECRET_KEY = qualify("secret.key");
//@formatter:on
public static final boolean DEFAULT_OAUTH2_PROVIDER__SERVICE_ENABLED = false;
@@ -74,6 +77,8 @@ public class OAuth2Configuration {
public static final boolean DEFAULT_OAUTH2_PROVIDER__USE_USER_SUBJECT = false;
public static final boolean DEFAULT_OAUTH2_PROVIDER__WRITE_CUSTOM_ERRORS = true;
public static final boolean DEFAULT_OAUTH2_PROVIDER__WRITE_OPTIONAL_PARAMETERS = true;
+ public static final String DEFAULT_OAUTH2_PROVIDER__SECRET_KEY_ALGORITHM = null;
+ public static final String DEFAULT_OAUTH2_PROVIDER__ENCODED_SECRET_KEY = null;
public static OAuth2Configuration fromProperties(Map<String, Object> props) {
OAuth2Configuration config = new OAuth2Configuration(props);
@@ -191,4 +196,11 @@ public class OAuth2Configuration {
DEFAULT_OAUTH2_PROVIDER__WRITE_OPTIONAL_PARAMETERS);
}
+ public String getSecretKeyAlgorithm() {
+ return get(props, OAUTH2_PROVIDER__SECRET_KEY_ALGORITHM, DEFAULT_OAUTH2_PROVIDER__SECRET_KEY_ALGORITHM);
+ }
+
+ public String getEncodedSecretKey() {
+ return get(props, OAUTH2_PROVIDER__ENCODED_SECRET_KEY, DEFAULT_OAUTH2_PROVIDER__ENCODED_SECRET_KEY);
+ }
} \ No newline at end of file
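Review bot: `getEncodedSecretKey()` and `getSecretKeyAlgorithm()` both default to `null` and nothing here documents that they are required when the OAuth2 provider is enabled; `OAuth2DataProvider.getSecretKey()` in this commit hands these values straight to `decodeSecretKey`, so a missing `secret.key` property presumably surfaces only as a failure at the first token or grant operation. I'd add Javadoc on both getters, e.g. `/** Encoded key material used to encrypt tokens and code grants; required when the provider is enabled and must never be logged. */`, and consider validating in `fromProperties` that both are present when the service-enabled property is true so a misconfiguration fails at activation rather than at runtime. Also note that the new constants in the first hunk sit above the `//@formatter:on` marker, so they are outside the formatter-off region unlike the keys above them.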
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2DataProvider.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2DataProvider.java
new file mode 100644
index 00000000000..40fdf644e3d
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2DataProvider.java
@@ -0,0 +1,313 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider;
+
+import java.util.Collections;
+import java.util.List;
+import javax.crypto.SecretKey;
+import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthError;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
+import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.eclipse.osee.framework.jdk.core.util.Lib;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.AccessToken;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.AuthorizationCode;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.OAuthEncryption;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.RefreshOAuthToken;
+import org.eclipse.osee.jaxrs.server.security.JaxRsOAuthStorage;
+import org.eclipse.osee.jaxrs.server.security.OAuthCodeGrant;
+import org.eclipse.osee.jaxrs.server.security.OAuthToken;
+import org.eclipse.osee.jaxrs.server.security.OAuthTokenType;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public class OAuth2DataProvider implements AuthorizationCodeDataProvider {
+
+ private final OAuthEncryption serializer;
+ private final JaxRsOAuthStorage storage;
+ private final ClientProvider clientProvider;
+ private final SubjectProvider subjectProvider;
+
+ private boolean isRefreshTokenAllowed;
+ private long accessTokenExpiration;
+ private long refreshTokenExpiration;
+ private long codeGrantExpiration;
+
+ private String secretKeyEncoded;
+ private String secretKeyAlgorithm;
+
+ private volatile SecretKey secretKey;
+
+ public OAuth2DataProvider(ClientProvider clientProvider, SubjectProvider subjectProvider, OAuthEncryption serializer, JaxRsOAuthStorage storage) {
+ super();
+ this.clientProvider = clientProvider;
+ this.subjectProvider = subjectProvider;
+ this.serializer = serializer;
+ this.storage = storage;
+ }
+
+ public void setSecretKeyEncoded(String secretKeyEncoded) {
+ this.secretKeyEncoded = secretKeyEncoded;
+ }
+
+ public void setSecretKeyAlgorithm(String secretKeyAlgorithm) {
+ this.secretKeyAlgorithm = secretKeyAlgorithm;
+ }
+
+ public void setRefreshTokenAllowed(boolean isRefreshTokenAllowed) {
+ this.isRefreshTokenAllowed = isRefreshTokenAllowed;
+ }
+
+ public void setAccessTokenExpiration(long accessTokenExpiration) {
+ this.accessTokenExpiration = accessTokenExpiration;
+ }
+
+ public void setRefreshTokenExpiration(long refreshTokenExpiration) {
+ this.refreshTokenExpiration = refreshTokenExpiration;
+ }
+
+ public void setCodeGrantExpiration(long codeGrantExpiration) {
+ this.codeGrantExpiration = codeGrantExpiration;
+ }
+
+ public boolean isRefreshTokenAllowed() {
+ return isRefreshTokenAllowed;
+ }
+
+ public long getAccessTokenExpiration() {
+ return accessTokenExpiration;
+ }
+
+ public long getRefreshTokenExpiration() {
+ return refreshTokenExpiration;
+ }
+
+ public long getCodeGrantExpiration() {
+ return codeGrantExpiration;
+ }
+
+ private SecretKey getSecretKey() {
+ if (secretKey == null) {
+ secretKey = serializer.decodeSecretKey(secretKeyEncoded, secretKeyAlgorithm);
+ }
+ return secretKey;
+ }
+
+ private long getClientId(Client client) {
+ return clientProvider.getClientId(client);
+ }
+
+ private long getSubjectId(UserSubject subject) {
+ return subjectProvider.getSubjectId(subject);
+ }
+
+ @Override
+ public Client getClient(String clientId) {
+ return clientProvider.getClient(clientId);
+ }
+
+ @Override
+ public ServerAuthorizationCodeGrant createCodeGrant(AuthorizationCodeRegistration reg) {
+ long expiresIn = getCodeGrantExpiration();
+
+ long uuid = Lib.generateUuid();
+ long clientId = getClientId(reg.getClient());
+ long subjectId = getSubjectId(reg.getSubject());
+
+ AuthorizationCode grant = new AuthorizationCode(uuid, clientId, subjectId);
+ grant.setCode(OAuthUtils.generateRandomTokenKey());
+ grant.setIssuedAt(OAuthUtils.getIssuedAt());
+ grant.setExpiresIn(expiresIn);
+ grant.setClient(reg.getClient());
+ grant.setSubject(reg.getSubject());
+
+ grant.setAudience(reg.getAudience());
+ grant.setRedirectUri(reg.getRedirectUri());
+ grant.setClientCodeVerifier(reg.getClientCodeVerifier());
+ grant.setApprovedScopes(getApprovedScopes(reg.getRequestedScope(), reg.getApprovedScope()));
+ grant.setClientCodeVerifier(reg.getClientCodeVerifier());
+
+ String encrypted = serializer.encryptCodeGrant(grant, getSecretKey());
+ grant.setCode(encrypted);
+
+ storage.storeCodeGrant(grant);
+ return grant;
+ }
+
+ @Override
+ public ServerAuthorizationCodeGrant removeCodeGrant(String code) {
+ OAuthCodeGrant codeGrant = storage.getCodeGrant(code);
+ ServerAuthorizationCodeGrant toReturn = null;
+ if (codeGrant != null) {
+ String encryptedCode = codeGrant.getCode();
+ toReturn = serializer.decryptCodeGrant(this, encryptedCode, getSecretKey());
+ storage.removeCodeGrant(codeGrant);
+ }
+ return toReturn;
+ }
+
+ @Override
+ public ServerAccessToken createAccessToken(AccessTokenRegistration reg) {
+ Client client = reg.getClient();
+ List<String> approvedScopes = getApprovedScopes(reg.getRequestedScope(), reg.getApprovedScope());
+ List<OAuthPermission> permissions = convertScopeToPermissions(client, approvedScopes);
+
+ long uuid = Lib.generateUuid();
+ long clientId = getClientId(reg.getClient());
+ long subjectId = getSubjectId(reg.getSubject());
+
+ OAuthTokenType type = OAuthTokenType.BEARER_TOKEN;
+
+ AccessToken accessToken = new AccessToken(uuid, clientId, subjectId, type);
+ accessToken.setTokenKey(OAuthUtils.generateRandomTokenKey());
+ accessToken.setIssuedAt(OAuthUtils.getIssuedAt());
+ accessToken.setExpiresIn(getAccessTokenExpiration());
+ accessToken.setClient(client);
+ accessToken.setSubject(reg.getSubject());
+
+ accessToken.setTokenType(type.getType());
+ accessToken.setAudience(reg.getAudience());
+ accessToken.setGrantType(reg.getGrantType());
+ accessToken.setScopes(permissions);
+
+ RefreshOAuthToken refreshToken = null;
+ if (isRefreshTokenAllowed()) {
+ refreshToken = newRefreshToken(accessToken, clientId, subjectId, getSecretKey());
+ accessToken.setRefreshToken(refreshToken.getTokenKey());
+ }
+
+ String encryptedAccessToken = serializer.encryptAccessToken(accessToken, getSecretKey());
+ accessToken.setTokenKey(encryptedAccessToken);
+
+ if (refreshToken != null) {
+ storage.storeToken(accessToken, refreshToken);
+ storage.relateTokens(refreshToken, accessToken);
+ } else {
+ storage.storeToken(accessToken);
+ }
+ return accessToken;
+ }
+
+ @Override
+ public ServerAccessToken getAccessToken(String accessToken) {
+ return serializer.decryptAccessToken(this, accessToken, getSecretKey());
+ }
+
+ @Override
+ public ServerAccessToken refreshAccessToken(Client client, String refreshToken, List<String> requestedScopes) {
+ if (!isRefreshTokenAllowed()) {
+ OAuthError error = new OAuthError(OAuthConstants.INVALID_REQUEST, "Refresh tokens are not allowed.");
+ throw new OAuthServiceException(error);
+ }
+ SecretKey secretKey = getSecretKey();
+
+ RefreshToken oldRefreshToken = serializer.decryptRefreshToken(this, refreshToken, secretKey);
+
+ Iterable<OAuthToken> tokens = storage.getAccessTokensByRefreshToken(refreshToken);
+ storage.removeToken(tokens);
+ storage.removeTokenByKey(refreshToken);
+
+ long uuid = Lib.generateUuid();
+ long clientId = getClientId(oldRefreshToken.getClient());
+ long subjectId = getSubjectId(oldRefreshToken.getSubject());
+
+ OAuthTokenType type = OAuthTokenType.BEARER_TOKEN;
+
+ AccessToken newAccessToken = new AccessToken(uuid, clientId, subjectId, type);
+ newAccessToken.setTokenKey(OAuthUtils.generateRandomTokenKey());
+ newAccessToken.setIssuedAt(OAuthUtils.getIssuedAt());
+ newAccessToken.setExpiresIn(getAccessTokenExpiration());
+ newAccessToken.setClient(oldRefreshToken.getClient());
+ newAccessToken.setSubject(oldRefreshToken.getSubject());
+
+ newAccessToken.setTokenType(type.getType());
+ newAccessToken.setAudience(oldRefreshToken.getAudience());
+ newAccessToken.setGrantType(oldRefreshToken.getGrantType());
+ newAccessToken.setScopes(oldRefreshToken.getScopes());
+
+ RefreshOAuthToken newRefreshToken = newRefreshToken(newAccessToken, clientId, subjectId, getSecretKey());
+ newAccessToken.setRefreshToken(newRefreshToken.getTokenKey());
+
+ String newEncryptedAccessToken = serializer.encryptAccessToken(newAccessToken, secretKey);
+ newAccessToken.setTokenKey(newEncryptedAccessToken);
+
+ storage.storeToken(newAccessToken, newRefreshToken);
+ storage.relateTokens(newRefreshToken, newAccessToken);
+ return newAccessToken;
+ }
+
+ private RefreshOAuthToken newRefreshToken(AccessToken token, long clientId, long subjectId, SecretKey secretKey) {
+ long refreshUuid = Lib.generateUuid();
+
+ RefreshOAuthToken toReturn = new RefreshOAuthToken(refreshUuid, clientId, subjectId);
+ toReturn.setTokenKey(OAuthUtils.generateRandomTokenKey());
+ toReturn.setIssuedAt(OAuthUtils.getIssuedAt());
+ toReturn.setExpiresIn(getRefreshTokenExpiration());
+ toReturn.setClient(token.getClient());
+ toReturn.setSubject(token.getSubject());
+
+ toReturn.setAudience(token.getAudience());
+ toReturn.setGrantType(token.getGrantType());
+ toReturn.setScopes(token.getScopes());
+
+ String encryptedRefreshToken = serializer.encryptRefreshToken(toReturn, secretKey);
+ toReturn.setTokenKey(encryptedRefreshToken);
+ return toReturn;
+ }
+
+ @Override
+ public void removeAccessToken(ServerAccessToken accessToken) {
+ storage.removeTokenByKey(accessToken.getTokenKey());
+ }
+
+ @Override
+ public void revokeToken(Client client, String tokenKey, String tokenTypeHint) {
+ Iterable<OAuthToken> tokens = storage.getAccessTokensByRefreshToken(tokenKey);
+ storage.removeToken(tokens);
+ storage.removeTokenByKey(tokenKey);
+ }
+
+ @Override
+ public ServerAccessToken getPreauthorizedToken(Client client, List<String> requestedScopes, UserSubject subject, String grantType) {
+ // This is an optimization useful in cases where a client requests an authorization code:
+ // if a user has already provided a given client with a pre-authorized token then challenging
+ // a user with yet another form asking for the authorization is redundant
+ long clientId = getClientId(client);
+ long subjectId = getSubjectId(subject);
+ OAuthToken accessToken = storage.getPreauthorizedToken(clientId, subjectId, grantType);
+
+ ServerAccessToken token = null;
+ if (accessToken != null) {
+ token = serializer.decryptAccessToken(this, accessToken.getTokenKey(), getSecretKey());
+ }
+ return token;
+ }
+
+ @Override
+ public List<OAuthPermission> convertScopeToPermissions(Client client, List<String> requestedScope) {
+ return Collections.emptyList();
+ }
+
+ private List<String> getApprovedScopes(List<String> requestedScopes, List<String> approvedScopes) {
+ return approvedScopes.isEmpty() ? requestedScopes : approvedScopes;
+ }
+
+} \ No newline at end of file
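Review bot: `refreshAccessToken` never checks that the decrypted `oldRefreshToken` belongs to the `client` parameter, nor that it is still unexpired, before it deletes the old tokens and issues a new bearer token; the `client` argument is otherwise unused, so a refresh token presented by a different authenticated client, or a stale one, is honored. Add the ownership and expiry checks right after the decrypt and before the storage mutation, as below. Separately, `getAccessToken(String)` returns `serializer.decryptAccessToken(...)` without consulting `storage`, so unless the serializer performs that lookup itself, tokens removed by `removeAccessToken` or `revokeToken` keep validating until they expire; gating the decrypt on a storage lookup by token key would make revocation effective. `revokeToken` likewise ignores `client`, and `createCodeGrant` calls `grant.setClientCodeVerifier(...)` twice (second call is redundant).
```java
RefreshToken oldRefreshToken = serializer.decryptRefreshToken(this, refreshToken, secretKey);
if (oldRefreshToken == null || oldRefreshToken.getClient() == null
   || !oldRefreshToken.getClient().getClientId().equals(client.getClientId())) {
   throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT, "Refresh token does not belong to the requesting client."));
}
if (OAuthUtils.isExpired(oldRefreshToken.getIssuedAt(), oldRefreshToken.getExpiresIn())) {
   throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT, "Refresh token has expired."));
}
// … unchanged: remove old tokens, build and store newAccessToken / newRefreshToken …
```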
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2RequestFilter.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2RequestFilter.java
index feb163260af..5a89bfa6d57 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2RequestFilter.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2RequestFilter.java
@@ -11,29 +11,24 @@
package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider;
import static org.eclipse.osee.jaxrs.server.internal.security.oauth2.OAuthUtil.newAuthorizationRequiredResponse;
-import static org.eclipse.osee.jaxrs.server.internal.security.oauth2.OAuthUtil.newUserSubject;
import java.net.URI;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.PreMatching;
-import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
+import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
-import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.security.SecurityContext;
import org.eclipse.osee.framework.jdk.core.util.Strings;
import org.eclipse.osee.jaxrs.server.internal.security.oauth2.OAuthUtil;
-import org.eclipse.osee.jaxrs.server.security.JaxRsAuthenticator;
-import org.eclipse.osee.jaxrs.server.security.JaxRsAuthenticator.Subject;
-import org.eclipse.osee.jaxrs.server.security.JaxRsSessionProvider;
import org.eclipse.osee.logger.Log;
/**
@@ -46,20 +41,18 @@ import org.eclipse.osee.logger.Log;
*/
@PreMatching
@Priority(Priorities.AUTHENTICATION)
-public class OAuth2RequestFilter extends OAuthRequestFilter implements ResourceOwnerLoginHandler {
+public class OAuth2RequestFilter extends OAuthRequestFilter {
private final Log logger;
- private final JaxRsAuthenticator authenticator;
- private final JaxRsSessionProvider sessionProvider;
+ private final SubjectProvider sessionProvider;
private volatile boolean useUserSubject;
private volatile URI redirectURI;
private volatile boolean ignoreBasePath;
- public OAuth2RequestFilter(Log logger, JaxRsAuthenticator authenticator, JaxRsSessionProvider sessionProvider) {
+ public OAuth2RequestFilter(Log logger, SubjectProvider sessionProvider) {
super();
this.logger = logger;
- this.authenticator = authenticator;
this.sessionProvider = sessionProvider;
}
@@ -77,9 +70,6 @@ public class OAuth2RequestFilter extends OAuthRequestFilter implements ResourceO
this.ignoreBasePath = ignoreBasePath;
}
- private @Context
- HttpServletRequest request;
-
@Override
public void filter(ContainerRequestContext context) {
if (isResourceOwnerRequest(context)) {
@@ -100,15 +90,16 @@ public class OAuth2RequestFilter extends OAuthRequestFilter implements ResourceO
private void handleResourceOwnerRequest(ContainerRequestContext context) {
Message msg = JAXRSUtils.getCurrentMessage();
- String authorizationHeader = context.getHeaderString(HttpHeaders.AUTHORIZATION);
- Object sc = sessionProvider.getFromSession(request);
- if (sc != null) {
- msg.put(SecurityContext.class, (SecurityContext) sc);
- } else {
+ MessageContext mc = getMessageContext();
+
+ SecurityContext sc = sessionProvider.getSecurityContextFromSession(mc);
+ if (sc == null) {
+ String authorizationHeader = context.getHeaderString(HttpHeaders.AUTHORIZATION);
+
Response jaxRsResponse = null;
if (isAuthenticationSchemeSupported(authorizationHeader)) {
try {
- doBasicAuthentication(context, msg, authorizationHeader);
+ doBasicAuthentication(mc, authorizationHeader);
} catch (Exception ex) {
jaxRsResponse = getAuthenticationException(ex, msg);
}
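Review bot: In handleResourceOwnerRequest an established session now short-circuits credential handling: `sessionProvider.getSecurityContextFromSession(mc)` is consulted first and the Authorization header is only read when it returns null, so Basic credentials presented alongside a live session are silently ignored. That precedence is reasonable but non-obvious, and deserves a comment at the top of the block, e.g. `// An authenticated session takes precedence over credentials in the Authorization header; Basic auth is attempted only when no session context exists.` The method body continues past the end of the hunk.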
@@ -132,29 +123,12 @@ public class OAuth2RequestFilter extends OAuthRequestFilter implements ResourceO
return newAuthorizationRequiredResponse(redirectURI, ignoreBasePath, realm, msg);
}
- private void doBasicAuthentication(ContainerRequestContext context, Message msg, String header) {
+ private void doBasicAuthentication(MessageContext mc, String header) {
logger.debug("doBasicAuthentication called");
String[] basicAuthParts = OAuthUtil.decodeCredentials(header);
String username = basicAuthParts[0];
String password = basicAuthParts[1];
- authenticate(context, OAuthConstants.BASIC_SCHEME, username, password, msg);
- }
-
- private void authenticate(ContainerRequestContext context, String scheme, String username, String password, Message msg) {
- UserSubject subject = authenticate(scheme, username, password);
- SecurityContext sc = OAuthUtil.newSecurityContext(subject);
- sessionProvider.createSession(request, scheme, sc);
- msg.put(SecurityContext.class, sc);
- }
-
- private UserSubject authenticate(String scheme, String username, String password) {
- Subject user = authenticator.authenticate(scheme, username, password);
- return newUserSubject(user);
- }
-
- @Override
- public UserSubject createSubject(String username, String password) {
- return authenticate(OAuthConstants.BASIC_SCHEME, username, password);
+ sessionProvider.authenticate(mc, OAuthConstants.BASIC_SCHEME, username, password);
}
@Override
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Provider.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2ServerProvider.java
index 2a0a497e451..e7eda3ca552 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2Provider.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/OAuth2ServerProvider.java
@@ -17,7 +17,6 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
-import javax.crypto.SecretKey;
import javax.ws.rs.core.Application;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
import org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler;
@@ -29,11 +28,7 @@ import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler;
import org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenValidator;
-import org.apache.cxf.rs.security.oauth2.provider.DefaultResourceOwnerNameProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
-import org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider;
-import org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
-import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
import org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.services.AbstractOAuthService;
import org.apache.cxf.rs.security.oauth2.services.AbstractTokenService;
@@ -47,12 +42,11 @@ import org.apache.cxf.rs.security.oauth2.tokens.hawk.HawkAccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.tokens.hawk.NonceStore;
import org.apache.cxf.rs.security.oauth2.tokens.hawk.NonceVerifier;
import org.apache.cxf.rs.security.oauth2.tokens.hawk.NonceVerifierImpl;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
import org.eclipse.osee.jaxrs.server.internal.JaxRsConstants;
import org.eclipse.osee.jaxrs.server.internal.applications.JaxRsApplicationRegistry;
import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.CxfAuthorizationCodeService;
-import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.CxfSubjectCreator;
-import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.endpoints.ClientDataProvider;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.OAuthEncryption;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters.SubjectProviderImpl;
import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.endpoints.ClientRegistrationService;
import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.writers.AuthorizationDataHtmlWriter;
import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.writers.OOBAuthorizationResponseHtmlWriter;
@@ -67,13 +61,13 @@ import org.osgi.framework.BundleContext;
/**
* @author Roberto E. Escobar
*/
-public class OAuth2Provider {
+public class OAuth2ServerProvider {
private static final String OAUTH2_APPLICATION_COMPONENT_NAME = qualify("application");
private final Set<String> registeredProviders = new HashSet<String>();
private List<String> audiences;
- private CxfOAuthDataProvider dataProvider;
+ private OAuth2DataProvider dataProvider;
private NonceVerifier nonceVerifier;
private OAuth2RequestFilter filter;
@@ -137,18 +131,15 @@ public class OAuth2Provider {
}
private void initialize(OAuth2Configuration config) {
- SecretKey secretKey = CryptoUtils.getSecretKey("AES");
-
- SubjectCreator subjectCreator = new CxfSubjectCreator(logger);
- ResourceOwnerNameProvider nameProvider = new DefaultResourceOwnerNameProvider();
- SessionAuthenticityTokenProvider tokenSessionProvider = null; //new CxfSessionAuthenticityTokenProvider(logger);
+ ClientProvider clientProvider = null;
+ SubjectProvider subjectProvider = new SubjectProviderImpl(logger, sessionProvider, authenticator);
audiences = Collections.emptyList();
- dataProvider = new CxfOAuthDataProvider(storage);
- dataProvider.setSecretKey(secretKey);
+ OAuthEncryption serializer = new OAuthEncryption();
+ dataProvider = new OAuth2DataProvider(clientProvider, subjectProvider, serializer, storage);
- filter = new OAuth2RequestFilter(logger, authenticator, sessionProvider);
+ filter = new OAuth2RequestFilter(logger, subjectProvider);
bind(filter, dataProvider);
endpoints = new HashSet<Object>();
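Review bot: `clientProvider` is assigned null in initialize and then handed to both the `OAuth2DataProvider` constructor and `ClientRegistrationService`; unless those tolerate a null provider, the first client lookup during a grant will fail with a NullPointerException at request time rather than at startup. If the implementation is intentionally deferred, make that explicit, e.g. `ClientProvider clientProvider = null; // TODO: wire ClientProvider implementation; client lookups are unavailable until then`, or fail fast in initialize so a server without client storage is rejected when it starts instead of when the first token request arrives.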
@@ -156,12 +147,12 @@ public class OAuth2Provider {
endpoints.add(bind(new TokenRevocationService(), dataProvider));
//@formatter:off
- endpoints.add(bind(new CxfAuthorizationCodeService(), dataProvider, subjectCreator, nameProvider, tokenSessionProvider));
- endpoints.add(bind(new ImplicitGrantService(), dataProvider, subjectCreator, nameProvider, tokenSessionProvider));
+ endpoints.add(bind(new CxfAuthorizationCodeService(), dataProvider, subjectProvider));
+ endpoints.add(bind(new ImplicitGrantService(), dataProvider, subjectProvider));
//@formatter:on
endpoints.add(bind(new AccessTokenValidatorService(), dataProvider));
- endpoints.add(bind(new ClientRegistrationService(), dataProvider));
+ endpoints.add(bind(new ClientRegistrationService(), clientProvider));
// Add OAuth2 application local Writers
endpoints.add(new AuthorizationDataHtmlWriter());
@@ -172,7 +163,7 @@ public class OAuth2Provider {
grantHandlers = new ArrayList<AccessTokenGrantHandler>();
grantHandlers.add(bind(new AuthorizationCodeGrantHandler(), dataProvider, new DigestCodeVerifier()));
grantHandlers.add(bind(new ClientCredentialsGrantHandler(), dataProvider));
- grantHandlers.add(bind(new ResourceOwnerGrantHandler(), dataProvider, filter));
+ grantHandlers.add(bind(new ResourceOwnerGrantHandler(), dataProvider, subjectProvider));
grantHandlers.add(bind(new RefreshTokenGrantHandler(), dataProvider));
tokenValidators = new ArrayList<AccessTokenValidator>();
@@ -238,11 +229,15 @@ public class OAuth2Provider {
}
}
- private void configure(OAuth2Configuration config, CxfOAuthDataProvider provider) {
+ private void configure(OAuth2Configuration config, OAuth2DataProvider provider) {
provider.setRefreshTokenAllowed(config.isRefreshTokenAllowed());
provider.setCodeGrantExpiration(config.getCodeGrantExpiration());
provider.setAccessTokenExpiration(config.getAccessTokenExpiration());
provider.setRefreshTokenExpiration(config.getRefreshTokenExpiration());
+
+ provider.setSecretKeyAlgorithm(config.getSecretKeyAlgorithm());
+ provider.setSecretKeyEncoded(config.getEncodedSecretKey());
+
configureObject(config, provider);
}
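Review bot: The token-encryption key is now sourced from configuration, but configure performs no check that `config.getEncodedSecretKey()` is present before calling `provider.setSecretKeyEncoded(...)`. I can't tell from this hunk how `OAuth2DataProvider` treats an empty value; if it only fails when the first code grant or token is encrypted, validating here and rejecting the configuration would surface a misconfigured server at startup. It is also worth confirming that `configureObject` does not echo the encoded key into logs, since it is a secret rather than an ordinary setting.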
@@ -319,10 +314,9 @@ public class OAuth2Provider {
accessTokenService.setAudiences(audiences);
accessTokenService.setGrantHandlers(grantHandlers);
}
-
}
- private static ClientRegistrationService bind(ClientRegistrationService object, ClientDataProvider dataProvider) {
+ private static ClientRegistrationService bind(ClientRegistrationService object, ClientProvider dataProvider) {
object.setDataProvider(dataProvider);
return object;
}
@@ -332,10 +326,10 @@ public class OAuth2Provider {
return object;
}
- private static AbstractOAuthService bind(RedirectionBasedGrantService object, OAuthDataProvider dataProvider, SubjectCreator subjectCreator, ResourceOwnerNameProvider nameProvider, SessionAuthenticityTokenProvider sessionProvider) {
- object.setResourceOwnerNameProvider(nameProvider);
- object.setSessionAuthenticityTokenProvider(sessionProvider);
- object.setSubjectCreator(subjectCreator);
+ private static AbstractOAuthService bind(RedirectionBasedGrantService object, OAuthDataProvider dataProvider, SubjectProvider subjectProvider) {
+ object.setResourceOwnerNameProvider(subjectProvider);
+ object.setSessionAuthenticityTokenProvider(subjectProvider);
+ object.setSubjectCreator(subjectProvider);
bind(object, dataProvider);
return object;
}
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/CxfSubjectCreator.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/SubjectProvider.java
index 05d5dc89872..d141b5e2c1c 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/CxfSubjectCreator.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/SubjectProvider.java
@@ -8,29 +8,25 @@
* Contributors:
* Boeing - initial API and implementation
*******************************************************************************/
-package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters;
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler;
+import org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider;
+import org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
-import org.eclipse.osee.logger.Log;
+import org.apache.cxf.security.SecurityContext;
/**
* @author Roberto E. Escobar
*/
-public class CxfSubjectCreator implements SubjectCreator {
- private final Log logger;
+public interface SubjectProvider extends SessionAuthenticityTokenProvider, SubjectCreator, ResourceOwnerNameProvider, ResourceOwnerLoginHandler {
- public CxfSubjectCreator(Log logger) {
- super();
- this.logger = logger;
- }
+ long getSubjectId(UserSubject subject);
- @Override
- public UserSubject createUserSubject(MessageContext mc) throws OAuthServiceException {
- logger.debug("createUserSubject called");
- return null;
- }
+ void authenticate(MessageContext mc, String scheme, String username, String password);
-}
+ SecurityContext getSecurityContextFromSession(MessageContext mc);
+
+} \ No newline at end of file
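Review bot: None of the three new SubjectProvider methods carries Javadoc, and their contracts are not obvious from the signatures: whether `authenticate` throws on bad credentials or fails silently, whether `getSecurityContextFromSession` returns null when no session has been established, and what `getSubjectId` yields for a subject without an id. Suggest a short Javadoc on each, e.g. for the last one `/** Returns the SecurityContext stored for the caller's session, or {@code null} if no authenticated session exists. */`, and an interface-level comment stating that one object now implements session token, subject creation, owner name and owner login for CXF.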
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AccessToken.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AccessToken.java
new file mode 100644
index 00000000000..128097a3f2d
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AccessToken.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters;
+
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.eclipse.osee.jaxrs.server.security.OAuthToken;
+import org.eclipse.osee.jaxrs.server.security.OAuthTokenType;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public class AccessToken extends ServerAccessToken implements OAuthToken {
+
+ private static final long serialVersionUID = 5893901939888969786L;
+
+ private final long uuid;
+ private final long clientId;
+ private final long subjectId;
+ private final OAuthTokenType type;
+
+ public AccessToken(long uuid, long clientId, long subjectId, OAuthTokenType type) {
+ super();
+ this.uuid = uuid;
+ this.clientId = clientId;
+ this.subjectId = subjectId;
+ this.type = type;
+ }
+
+ @Override
+ public long getUuid() {
+ return uuid;
+ }
+
+ @Override
+ public long getSubjectId() {
+ return subjectId;
+ }
+
+ @Override
+ public long getClientId() {
+ return clientId;
+ }
+
+ @Override
+ public OAuthTokenType getType() {
+ return type;
+ }
+
+}
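Review bot: `AccessToken` and `RefreshOAuthToken` declare the identical `serialVersionUID = 5893901939888969786L`; distinct classes do not conflict at runtime, but the duplicate signals a copy-paste and each class should get its own generated value. The fields `uuid`, `clientId` and `subjectId` also have no documentation of what they identify (the storage row, the registered client, the resource owner), which matters because `OAuth2DataProvider` keys lookups on them; a one-line comment per field, e.g. `// storage identifier of the registered client this token was issued to`, would make the mapping to JaxRsOAuthStorage explicit.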
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AuthorizationCode.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AuthorizationCode.java
new file mode 100644
index 00000000000..c5674d4aa11
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/AuthorizationCode.java
@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters;
+
+import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
+import org.eclipse.osee.jaxrs.server.security.OAuthCodeGrant;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public class AuthorizationCode extends ServerAuthorizationCodeGrant implements OAuthCodeGrant {
+
+ private static final long serialVersionUID = 6207464542209610574L;
+
+ private final long uuid;
+ private final long clientId;
+ private final long subjectId;
+
+ public AuthorizationCode(long uuid, long clientId, long subjectId) {
+ super();
+ this.uuid = uuid;
+ this.clientId = clientId;
+ this.subjectId = subjectId;
+ }
+
+ @Override
+ public long getUuid() {
+ return uuid;
+ }
+
+ @Override
+ public long getSubjectId() {
+ return subjectId;
+ }
+
+ @Override
+ public long getClientId() {
+ return clientId;
+ }
+
+}
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/CxfSessionAuthenticityTokenProvider.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/CxfSessionAuthenticityTokenProvider.java
deleted file mode 100644
index fc58be5487a..00000000000
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/CxfSessionAuthenticityTokenProvider.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*******************************************************************************
- * Copyright (c) 2014 Boeing.
- * All rights reserved. This program and the accompanying materials
- * are made available under the terms of the Eclipse Public License v1.0
- * which accompanies this distribution, and is available at
- * http://www.eclipse.org/legal/epl-v10.html
- *
- * Contributors:
- * Boeing - initial API and implementation
- *******************************************************************************/
-package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters;
-
-import javax.ws.rs.core.MultivaluedMap;
-import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.provider.SessionAuthenticityTokenProvider;
-import org.eclipse.osee.logger.Log;
-
-/**
- * @author Roberto E. Escobar
- */
-public class CxfSessionAuthenticityTokenProvider implements SessionAuthenticityTokenProvider {
- private final Log logger;
-
- public CxfSessionAuthenticityTokenProvider(Log logger) {
- super();
- this.logger = logger;
- }
-
- @Override
- public String createSessionToken(MessageContext mc, MultivaluedMap<String, String> params, UserSubject subject) {
- logger.debug("createSessionToken");
- return null;
- }
-
- @Override
- public String getSessionToken(MessageContext mc, MultivaluedMap<String, String> params, UserSubject subject) {
- logger.debug("getSessionToken");
- return null;
- }
-
- @Override
- public String removeSessionToken(MessageContext mc, MultivaluedMap<String, String> params, UserSubject subject) {
- logger.debug("removeSessionToken");
- return null;
- }
-
-}
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/OAuthEncryption.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/OAuthEncryption.java
new file mode 100644
index 00000000000..62a68fe1654
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/OAuthEncryption.java
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters;
+
+import javax.crypto.SecretKey;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
+import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.ModelEncryptionSupport;
+import org.eclipse.osee.framework.jdk.core.util.Strings;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public class OAuthEncryption {
+
+ private static final String AES_CRYPTO_ALGO = "AES";
+
+ public SecretKey decodeSecretKey(String encodedSecretKey, String secretKeyAlgorithm) {
+ String secretKeyAlgorithmToUse = secretKeyAlgorithm;
+ if (!Strings.isValid(secretKeyAlgorithmToUse)) {
+ secretKeyAlgorithmToUse = AES_CRYPTO_ALGO;
+ }
+ return CryptoUtils.decodeSecretKey(encodedSecretKey, secretKeyAlgorithmToUse);
+ }
+
+ public String encryptCodeGrant(AuthorizationCode grant, SecretKey secretKey) {
+ return ModelEncryptionSupport.encryptCodeGrant(grant, secretKey);
+ }
+
+ public String encryptAccessToken(AccessToken token, SecretKey secretKey) {
+ return ModelEncryptionSupport.encryptAccessToken(token, secretKey);
+ }
+
+ public String encryptRefreshToken(RefreshOAuthToken refreshToken, SecretKey secretKey) {
+ return ModelEncryptionSupport.encryptRefreshToken(refreshToken, secretKey);
+ }
+
+ public ServerAuthorizationCodeGrant decryptCodeGrant(OAuthDataProvider provider, String grant, SecretKey secretKey) {
+ return ModelEncryptionSupport.decryptCodeGrant(provider, grant, secretKey);
+ }
+
+ public ServerAccessToken decryptAccessToken(OAuthDataProvider provider, String token, SecretKey secretKey) {
+ ServerAccessToken accessToken = ModelEncryptionSupport.decryptAccessToken(provider, token, secretKey);
+ return accessToken;
+ }
+
+ public RefreshToken decryptRefreshToken(OAuthDataProvider provider, String token, SecretKey secretKey) {
+ return ModelEncryptionSupport.decryptRefreshToken(provider, token, secretKey);
+ }
+} \ No newline at end of file
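Review bot: `decodeSecretKey` defaults a blank algorithm to AES but does not validate `encodedSecretKey`, so an empty or missing configured key surfaces as an exception from inside `CryptoUtils.decodeSecretKey` with no indication of which setting is wrong; a guard such as `if (!Strings.isValid(encodedSecretKey)) { throw new IllegalArgumentException("encodedSecretKey must not be empty"); }` gives a clear failure. In `decryptAccessToken` the local `accessToken` is redundant and can be collapsed to `return ModelEncryptionSupport.decryptAccessToken(provider, token, secretKey);`, matching the sibling methods. The class Javadoc is only an author tag; a sentence stating that this wraps CXF ModelEncryptionSupport and that the SecretKey passed in is the server-side token-encryption key would help the next reader.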
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/RefreshOAuthToken.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/RefreshOAuthToken.java
new file mode 100644
index 00000000000..1d4659a1c4f
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/RefreshOAuthToken.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters;
+
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.eclipse.osee.jaxrs.server.security.OAuthToken;
+import org.eclipse.osee.jaxrs.server.security.OAuthTokenType;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public class RefreshOAuthToken extends org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken implements OAuthToken {
+
+ private static final long serialVersionUID = 5893901939888969786L;
+
+ private final long uuid;
+ private final long clientId;
+ private final long subjectId;
+ private final OAuthTokenType type = OAuthTokenType.REFRESH_TOKEN;
+
+ public RefreshOAuthToken(long uuid, long clientId, long subjectId) {
+ super();
+ this.uuid = uuid;
+ this.clientId = clientId;
+ this.subjectId = subjectId;
+ setTokenType(OAuthConstants.REFRESH_TOKEN_TYPE);
+ }
+
+ @Override
+ public long getUuid() {
+ return uuid;
+ }
+
+ @Override
+ public long getSubjectId() {
+ return subjectId;
+ }
+
+ @Override
+ public long getClientId() {
+ return clientId;
+ }
+
+ @Override
+ public OAuthTokenType getType() {
+ return type;
+ }
+
+}
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/SubjectProviderImpl.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/SubjectProviderImpl.java
new file mode 100644
index 00000000000..493f086cf41
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/adapters/SubjectProviderImpl.java
@@ -0,0 +1,180 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.adapters;
+
+import java.util.UUID;
+import javax.servlet.http.HttpSession;
+import javax.ws.rs.core.MultivaluedMap;
+import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.security.SecurityContext;
+import org.eclipse.osee.framework.jdk.core.util.Strings;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.OAuthUtil;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.SubjectProvider;
+import org.eclipse.osee.jaxrs.server.security.JaxRsAuthenticator;
+import org.eclipse.osee.jaxrs.server.security.JaxRsAuthenticator.Subject;
+import org.eclipse.osee.jaxrs.server.security.JaxRsSessionProvider;
+import org.eclipse.osee.logger.Log;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public class SubjectProviderImpl implements SubjectProvider {
+
+ private static final String SESSION_SECURITY_CONTEXT = "jaxrs.server.session.authentication.object";
+
+ private final Log logger;
+ private final JaxRsAuthenticator authenticator;
+ private final JaxRsSessionProvider sessionDelegate;
+
+ public SubjectProviderImpl(Log logger, JaxRsSessionProvider sessionDelegate, JaxRsAuthenticator authenticator) {
+ super();
+ this.logger = logger;
+ this.sessionDelegate = sessionDelegate;
+ this.authenticator = authenticator;
+ }
+
+ @Override
+ public long getSubjectId(UserSubject subject) {
+ return OAuthUtil.getUserSubjectUuid(subject);
+ }
+
+ @Override
+ public String getName(UserSubject subject) {
+ return OAuthUtil.getDisplayName(subject);
+ }
+
+ @Override
+ public String createSessionToken(MessageContext mc, MultivaluedMap<String, String> params, UserSubject subject) {
+ logger.debug("Create Session Token - subject[%s]", subject);
+
+ String sessionToken = null;
+ if (sessionDelegate != null) {
+ Long subjectId = OAuthUtil.getUserSubjectUuid(subject);
+ sessionToken = sessionDelegate.createSessionToken(subjectId);
+ } else {
+ HttpSession session = mc.getHttpServletRequest().getSession();
+ sessionToken = (String) session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ if (!Strings.isValid(sessionToken)) {
+ sessionToken = UUID.randomUUID().toString();
+ session.setAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN, sessionToken);
+ }
+ }
+ return sessionToken;
+ }
+
+ @Override
+ public String getSessionToken(MessageContext mc, MultivaluedMap<String, String> params, UserSubject subject) {
+ logger.debug("Get Session Token - subject[%s]", subject);
+
+ String sessionToken = null;
+ if (sessionDelegate != null) {
+ Long subjectId = OAuthUtil.getUserSubjectUuid(subject);
+ sessionToken = sessionDelegate.getSessionToken(subjectId);
+ } else {
+ HttpSession session = mc.getHttpServletRequest().getSession();
+ sessionToken = (String) session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ }
+ return sessionToken;
+ }
+
+ @Override
+ public String removeSessionToken(MessageContext mc, MultivaluedMap<String, String> params, UserSubject subject) {
+ logger.debug("Remove Session Token - subject[%s]", subject);
+
+ String sessionToken = null;
+ if (sessionDelegate != null) {
+ Long subjectId = OAuthUtil.getUserSubjectUuid(subject);
+ sessionToken = sessionDelegate.removeSessionToken(subjectId);
+ } else {
+ HttpSession session = mc.getHttpServletRequest().getSession();
+ sessionToken = (String) session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ if (sessionToken != null) {
+ session.removeAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
+ }
+ }
+ return sessionToken;
+ }
+
+ @Override
+ public UserSubject createUserSubject(MessageContext mc) throws OAuthServiceException {
+ UserSubject subject = mc.getContent(UserSubject.class);
+ if (subject == null) {
+ SecurityContext securityContext = getSecurityContext(mc);
+ subject = OAuthUtils.createSubject(securityContext);
+ }
+ return subject;
+ }
+
+ @Override
+ public SecurityContext getSecurityContextFromSession(MessageContext mc) {
+ SecurityContext securityContext = null;
+ if (sessionDelegate != null) {
+ // Long subjectId = OAuthUtil.getUserSubjectUuid(subject);
+ // sessionDelegate.getSecurityContext(subjectId);
+ } else {
+ HttpSession session = mc.getHttpServletRequest().getSession(false);
+ if (session != null) {
+ securityContext = (SecurityContext) session.getAttribute(SESSION_SECURITY_CONTEXT);
+ }
+ }
+ saveSecurityContext(mc, securityContext);
+ return securityContext;
+ }
+
+ @Override
+ public void authenticate(MessageContext mc, String scheme, String username, String password) {
+ UserSubject subject = authenticate(scheme, username, password);
+ SecurityContext securityContext = OAuthUtil.newSecurityContext(subject);
+
+ if (sessionDelegate != null) {
+ // Long subjectId = OAuthUtil.getUserSubjectUuid(subject);
+ // sessionDelegate.storeSecurityContext(subjectId, sc);
+ } else {
+ HttpSession session = mc.getHttpServletRequest().getSession(true);
+ session.setAttribute(SESSION_SECURITY_CONTEXT, securityContext);
+ }
+ saveSecurityContext(mc, securityContext);
+ }
+
+ @Override
+ public UserSubject createSubject(String username, String password) {
+ return authenticate(OAuthConstants.BASIC_SCHEME, username, password);
+ }
+
+ private UserSubject authenticate(String scheme, String username, String password) {
+ logger.debug("Authenticate - scheme[%s] username[%s]", scheme, username);
+
+ Subject user = authenticator.authenticate(scheme, username, password);
+ return OAuthUtil.newUserSubject(user);
+ }
+
+ private SecurityContext getSecurityContext(MessageContext mc) {
+ SecurityContext securityContext = (SecurityContext) mc.get(SecurityContext.class);
+ if (securityContext == null) {
+ securityContext = (SecurityContext) mc.get(SecurityContext.class.getName());
+ }
+ if (securityContext == null) {
+ securityContext = mc.getContent(SecurityContext.class);
+ }
+ return securityContext;
+ }
+
+ private void saveSecurityContext(MessageContext mc, SecurityContext securityContext) {
+ if (securityContext != null) {
+ mc.put(SecurityContext.class, securityContext);
+ mc.put(SecurityContext.class.getName(), securityContext);
+ }
+ }
+} \ No newline at end of file
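Review bot: The `sessionDelegate != null` branches in `getSecurityContextFromSession` and `authenticate` contain only commented-out code, so when a JaxRsSessionProvider is configured the SecurityContext is never persisted and the session lookup always yields null, forcing credentials on every resource-owner request, while `createSessionToken` and `getSessionToken` in the same class do delegate. Either implement the delegate path or replace the dead comments with an explicit marker such as `// TODO: SecurityContext persistence via sessionDelegate not yet implemented; no session caching in this mode` so the gap is not mistaken for intent. Separately, `authenticate` stores the new SecurityContext into whatever session `getSession(true)` returns, including one created before the user authenticated; invalidating the pre-authentication session and creating a fresh one on successful login is the usual mitigation against session fixation. The class Javadoc should also state that the HttpSession path is the fallback used only when no JaxRsSessionProvider is supplied.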
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientRegistrationService.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientRegistrationService.java
index 848e43afcbf..abef6a2608e 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientRegistrationService.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/internal/security/oauth2/provider/endpoints/ClientRegistrationService.java
@@ -15,6 +15,7 @@ import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.eclipse.osee.jaxrs.server.internal.security.oauth2.provider.ClientProvider;
/**
* @author Roberto E. Escobar
@@ -22,9 +23,9 @@ import org.apache.cxf.rs.security.oauth2.common.Client;
@Path("/clients")
public class ClientRegistrationService {
- private ClientDataProvider provider;
+ private ClientProvider provider;
- public void setDataProvider(ClientDataProvider provider) {
+ public void setDataProvider(ClientProvider provider) {
this.provider = provider;
}
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsOAuthStorage.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsOAuthStorage.java
index 10337994b93..b51e2df9f53 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsOAuthStorage.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsOAuthStorage.java
@@ -10,31 +10,27 @@
*******************************************************************************/
package org.eclipse.osee.jaxrs.server.security;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-
/**
* @author Roberto E. Escobar
*/
public interface JaxRsOAuthStorage {
- Client getClient(String clientId);
-
- void storeCodeGrant(String encrypted);
+ OAuthCodeGrant getCodeGrant(String code);
- void removeCodeGrant(String code);
+ void storeCodeGrant(OAuthCodeGrant codeGrant);
- String getAccessTokenByRefreshToken(String refreshToken);
+ void removeCodeGrant(OAuthCodeGrant codeGrant);
- void storeAccessToken(String encryptedToken);
+ Iterable<OAuthToken> getAccessTokensByRefreshToken(String refreshToken);
- void storeRefreshToken(String encryptedRefreshToken, String encryptedAccessToken);
+ OAuthToken getPreauthorizedToken(long clientId, long subjectId, String grantType);
- void removeRefreshToken(String refreshToken);
+ void storeToken(OAuthToken... tokens);
- void removeAccessToken(String tokenKey);
+ void relateTokens(OAuthToken refreshToken, OAuthToken accessToken);
- String getPreauthorizedToken(String clientId, String subjectId, String grantType);
+ void removeToken(Iterable<OAuthToken> tokens);
- String getCodeGrant(String code);
+ void removeTokenByKey(String tokenKey);
} \ No newline at end of file
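Review bot: The reworked JaxRsOAuthStorage has no Javadoc, and replacing `storeCodeGrant(String encrypted)` / `storeAccessToken(String encryptedToken)` with `storeCodeGrant(OAuthCodeGrant)` / `storeToken(OAuthToken...)` drops the only hint in the old signatures that codes and token keys were protected at rest; since `getCode()` and `getTokenKey()` are bearer credentials, the interface should state whether an implementation receives them in plaintext and is expected to hash or encrypt before persisting, or whether the caller has already done so. The lookups `getCodeGrant` and `getPreauthorizedToken` should also say whether a miss returns null or throws, and `removeToken(Iterable)` / `removeTokenByKey` whether removing an unknown token is a no-op. A comment such as `/** Persists the given tokens. Token keys are bearer secrets: implementations must not log them and should persist them hashed or encrypted. */` on `storeToken` would preserve the former contract.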
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsSessionProvider.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsSessionProvider.java
index ab9554957d7..b51a1f7ff08 100644
--- a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsSessionProvider.java
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/JaxRsSessionProvider.java
@@ -10,14 +10,16 @@
*******************************************************************************/
package org.eclipse.osee.jaxrs.server.security;
-import javax.servlet.http.HttpServletRequest;
/**
* @author Roberto E. Escobar
*/
public interface JaxRsSessionProvider {
- void createSession(HttpServletRequest request, String scheme, Object sc);
+ String createSessionToken(Long subjectId);
+
+ String removeSessionToken(Long subjectId);
+
+ String getSessionToken(Long subjectId);
- Object getFromSession(HttpServletRequest request);
} \ No newline at end of file
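Review bot: `createSessionToken(Long subjectId)` and `removeSessionToken(Long subjectId)` both return a String without documenting what it is — presumably the token just created and the token that was removed — nor what `createSessionToken` does when a token already exists for that subject (replace it, or return the existing one). Because the token is keyed only by subject id and stands in for the HttpServletRequest-based session that this hunk removes, the interface should also require it to be unpredictable; a Javadoc such as `/** Creates and stores a new session token for the subject. The token must come from a cryptographically secure random source; any existing token for the subject is replaced. */` would settle both points. The boxed `Long` parameters would also read better as `long` unless a null subject id is meaningful to callers.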
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthCodeGrant.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthCodeGrant.java
new file mode 100644
index 00000000000..9f081b16f12
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthCodeGrant.java
@@ -0,0 +1,40 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.security;
+
+import java.util.List;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public interface OAuthCodeGrant {
+
+ long getUuid();
+
+ long getSubjectId();
+
+ long getClientId();
+
+ long getIssuedAt();
+
+ long getExpiresIn();
+
+ String getCode();
+
+ String getRedirectUri();
+
+ String getClientCodeVerifier();
+
+ String getAudience();
+
+ List<String> getApprovedScopes();
+
+}
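Review bot: `getIssuedAt()` and `getExpiresIn()` return bare longs with no unit, so an implementation counting milliseconds and a caller expecting seconds would silently disagree on when a grant expires; if I recall correctly CXF's own grant and token types express both in seconds, and the interface should say which convention it follows, e.g. `/** Issue time in seconds since the epoch. */` and `/** Lifetime in seconds counted from {@link #getIssuedAt()}; document which value means "does not expire". */`. The same applies to `getIssuedAt()` / `getExpiresIn()` in the new OAuthToken interface. `getClientCodeVerifier()` and `getAudience()` also deserve a line each saying whether they may be null when not supplied, since a grant without a code verifier or audience is presumably the common case.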
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthToken.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthToken.java
new file mode 100644
index 00000000000..432f40ebe2d
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthToken.java
@@ -0,0 +1,40 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.security;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public interface OAuthToken {
+
+ long getUuid();
+
+ long getSubjectId();
+
+ long getClientId();
+
+ long getIssuedAt();
+
+ long getExpiresIn();
+
+ String getTokenKey();
+
+ String getTokenType();
+
+ String getGrantType();
+
+ String getAudience();
+
+ OAuthTokenType getType();
+
+ String getRefreshToken();
+
+}
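Review bot: `getTokenType()` (a String) and `getType()` (an OAuthTokenType) sit next to each other with no Javadoc explaining how they differ, and the enum's own accessor is also named `getType()`, so a reader cannot tell whether `getTokenType()` is the raw `token_type` wire value and `getType()` its classification, or whether one is derived from the other. Consider `/** Raw token_type value as issued to the client. */` on `getTokenType()` and `/** Classification of this token (bearer, refresh or hawk); see OAuthTokenType. */` on `getType()`, or folding one into the other if they are always consistent. `getRefreshToken()` should also say whether it holds the related refresh token's key or its uuid, and what it returns for a token that is itself a refresh token.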
diff --git a/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthTokenType.java b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthTokenType.java
new file mode 100644
index 00000000000..94748ebb5d3
--- /dev/null
+++ b/plugins/org.eclipse.osee.jaxrs.server/src/org/eclipse/osee/jaxrs/server/security/OAuthTokenType.java
@@ -0,0 +1,61 @@
+/*******************************************************************************
+ * Copyright (c) 2014 Boeing.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Boeing - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.osee.jaxrs.server.security;
+
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+/**
+ * @author Roberto E. Escobar
+ */
+public enum OAuthTokenType {
+ UNKNOW_TOKEN("unknown", -1),
+ BEARER_TOKEN(OAuthConstants.BEARER_TOKEN_TYPE, 0),
+ REFRESH_TOKEN(OAuthConstants.REFRESH_TOKEN_TYPE, 1),
+ HAWK_TOKEN(OAuthConstants.HAWK_TOKEN_TYPE, 2);
+
+ private final String tokenType;
+ private final int value;
+
+ private OAuthTokenType(String tokenType, int value) {
+ this.tokenType = tokenType;
+ this.value = value;
+ }
+
+ public int getValue() {
+ return value;
+ }
+
+ public String getType() {
+ return tokenType;
+ }
+
+ public static OAuthTokenType fromValue(int value) {
+ OAuthTokenType toReturn = OAuthTokenType.UNKNOW_TOKEN;
+ for (OAuthTokenType tokenType : OAuthTokenType.values()) {
+ if (tokenType.getValue() == value) {
+ toReturn = tokenType;
+ break;
+ }
+ }
+ return toReturn;
+ }
+
+ public static OAuthTokenType fromType(String tokenType) {
+ OAuthTokenType toReturn = OAuthTokenType.UNKNOW_TOKEN;
+ for (OAuthTokenType type : OAuthTokenType.values()) {
+ if (type.getType().equals(tokenType)) {
+ toReturn = type;
+ break;
+ }
+ }
+ return toReturn;
+ }
+} \ No newline at end of file
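Review bot: `fromType` compares with `equals`, so a `token_type` string differing only in case from the CXF constants falls through to `UNKNOW_TOKEN`; RFC 6749 makes the token_type value case-insensitive, so if this is ever fed a value that originated from a client or from stored data, `if (type.getType().equalsIgnoreCase(tokenType)) {` is the safer comparison (it stays null-safe, as the current call does, because the constant is the receiver). The constant `UNKNOW_TOKEN` is misspelled; it is public API, so it will be hard to rename later. Both lookups fall back to the unknown constant silently, which callers should be told in a Javadoc such as `/** Returns the type whose wire name matches, or UNKNOW_TOKEN if none does. */`. The `private` on the enum constructor is redundant and can be dropped.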
