
Example 1 with AccessToken

Use of org.apache.cxf.rs.security.oauth.data.AccessToken in the cxf project (apache).

Method handle of class AccessTokenHandler.

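/**
 * Exchanges an authorized OAuth 1.0a request token for an access token.
 * <p>
 * The request token named by {@code oauth_token} must exist in {@code dataProvider},
 * and the supplied {@code oauth_verifier} must match the one stored with it. A missing
 * verifier is tolerated only for a pre-authorized request token that already carries a
 * subject. The signed message is then checked by {@code validator}, a new access token
 * is created, and its key and secret are returned form-encoded.
 * @param mc the current message context (also gives access to the servlet request)
 * @param dataProvider store used to look up the request token and create the access token
 * @param validator validator applied to the OAuth message
 * @return 200 with {@code oauth_token} and {@code oauth_token_secret} on success;
 *         otherwise an error response (401 for an unknown consumer key, 400 for other
 *         OAuth problems and service exceptions, 500 for anything unexpected)
 */
public Response handle(MessageContext mc, OAuthDataProvider dataProvider, OAuthValidator validator) {
    try {
        OAuthMessage oAuthMessage = OAuthUtils.getOAuthMessage(mc, mc.getHttpServletRequest(), REQUIRED_PARAMETERS);
        RequestToken requestToken = dataProvider.getRequestToken(oAuthMessage.getToken());
        if (requestToken == null) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
        if (StringUtils.isEmpty(oauthVerifier)) {
            // Only a pre-authorized token bound to a subject may skip the verifier.
            if (requestToken.getSubject() != null && requestToken.isPreAuthorized()) {
                LOG.fine("Preauthorized request token");
            } else {
                throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
            }
        } else if (!constantTimeEquals(oauthVerifier, requestToken.getVerifier())) {
            // The verifier is attacker-controlled; compared without short-circuiting so
            // the response time does not reveal how many leading characters were right.
            throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
        }
        OAuthUtils.validateMessage(oAuthMessage, requestToken.getClient(), requestToken, dataProvider, validator);
        AccessTokenRegistration reg = new AccessTokenRegistration();
        reg.setRequestToken(requestToken);
        AccessToken accessToken = dataProvider.createAccessToken(reg);
        // Build the form-encoded token response.
        Map<String, Object> responseParams = new HashMap<>();
        responseParams.put(OAuth.OAUTH_TOKEN, accessToken.getTokenKey());
        responseParams.put(OAuth.OAUTH_TOKEN_SECRET, accessToken.getTokenSecret());
        String responseString = OAuth.formEncode(responseParams.entrySet());
        return Response.ok(responseString).build();
    } catch (OAuthProblemException e) {
        // fillInStackTrace() rewrites the trace to this catch site, so the logged
        // trace points at the handler rather than the original throw location.
        LOG.log(Level.WARNING, "An OAuth-related problem: {0}", new Object[] { e.fillInStackTrace() });
        int code = e.getHttpStatusCode();
        if (code == HttpServletResponse.SC_OK) {
            // The exception carried no status: unknown consumer -> 401, anything else -> 400.
            code = e.getProblem() == OAuth.Problems.CONSUMER_KEY_UNKNOWN ? 401 : 400;
        }
        return OAuthUtils.handleException(mc, e, code);
    } catch (OAuthServiceException e) {
        return OAuthUtils.handleException(mc, e, HttpServletResponse.SC_BAD_REQUEST);
    } catch (Exception e) {
        LOG.log(Level.SEVERE, "Unexpected internal server exception: {0}", new Object[] { e.fillInStackTrace() });
        return OAuthUtils.handleException(mc, e, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    }
}

/**
 * Compares two strings without stopping at the first mismatch, so the time taken
 * does not depend on how much of {@code expected} the caller guessed correctly.
 * A {@code null} on either side counts as a mismatch, which matches the outcome of
 * {@code actual.equals(null)} when no verifier is stored with the request token.
 * @param actual the value supplied by the caller
 * @param expected the value stored server-side
 * @return {@code true} only if both are non-null and identical
 */
private static boolean constantTimeEquals(String actual, String expected) {
    if (actual == null || expected == null) {
        return false;
    }
    int diff = actual.length() ^ expected.length();
    int len = Math.min(actual.length(), expected.length());
    for (int i = 0; i < len; i++) {
        diff |= actual.charAt(i) ^ expected.charAt(i);
    }
    return diff == 0;
}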

Example 2 with AccessToken

Use of org.apache.cxf.rs.security.oauth.data.AccessToken in the cxf project (apache).

Method createAccessToken of class MemoryOAuthDataProvider.

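/**
 * Issues an access token for the request token carried in {@code reg} and consumes
 * that request token so it cannot be exchanged a second time.
 * <p>
 * The request token is re-read from the in-memory store rather than trusted from
 * {@code reg}; if it is no longer stored (already exchanged, expired or never issued)
 * the exchange is refused instead of failing with a NullPointerException.
 * @param reg registration holding the request token to exchange
 * @return the new access token, valid for 3600 seconds from now and carrying the
 *         request token's scopes
 * @throws OAuthServiceException if the request token is not (or no longer) in the store
 */
public AccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    RequestToken suppliedToken = reg.getRequestToken();
    Client client = suppliedToken.getClient();
    String requestTokenKey = suppliedToken.getTokenKey();
    RequestToken requestToken = getRequestToken(requestTokenKey);
    if (requestToken == null) {
        // Refusing here turns a replayed or forged exchange into a 400 from the
        // handler's OAuthServiceException path instead of an unexpected 500.
        throw new OAuthServiceException("Request token is unavailable");
    }
    String accessTokenString = generateToken();
    String tokenSecretString = generateToken();
    AccessToken accessToken = new AccessToken(client, accessTokenString, tokenSecretString, 3600, System.currentTimeMillis() / 1000);
    accessToken.setScopes(requestToken.getScopes());
    synchronized (oauthTokens) {
        // Swap the request token for the access token under one lock so the
        // request token cannot be exchanged again in between.
        oauthTokens.remove(requestTokenKey);
        oauthTokens.put(accessTokenString, accessToken);
        synchronized (userAuthorizedClients) {
            // NOTE(review): key and value are both the consumer key here — presumably a
            // set-like use of a multi-valued map; confirm against the declared type.
            userAuthorizedClients.add(client.getConsumerKey(), client.getConsumerKey());
        }
    }
    return accessToken;
}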

Example 3 with AccessToken

Use of org.apache.cxf.rs.security.oauth.data.AccessToken in the testcases project (coheigea).

Method createAccessToken of class OAuthDataProviderImpl.

/**
 * Exchanges the request token in {@code reg} for a freshly generated access token.
 * <p>
 * The token key is a random UUID and the secret is 20 random bytes, Base64-encoded.
 * The access token inherits the request token's scopes and subject, lives for
 * five minutes from now, and replaces the request token in the provider's maps.
 * @param reg registration holding the request token being exchanged
 * @return the newly stored access token
 * @throws OAuthServiceException declared by the provider interface; not thrown here
 */
public AccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    RequestToken requestToken = reg.getRequestToken();
    Client owner = requestToken.getClient();

    // Token key and secret. NOTE(review): `random` is declared outside this method;
    // it should be a SecureRandom since the secret is a credential — confirm.
    String tokenKey = UUID.randomUUID().toString();
    byte[] secretBytes = new byte[20];
    random.nextBytes(secretBytes);
    String tokenSecret = Base64.getEncoder().encodeToString(secretBytes);

    long lifetimeSeconds = 60L * 5L;
    long issuedAtSeconds = new Date().getTime() / 1000L;
    AccessToken issued = new AccessToken(owner, tokenKey, tokenSecret, lifetimeSeconds, issuedAtSeconds);
    issued.setScopes(requestToken.getScopes());
    issued.setSubject(requestToken.getSubject());

    // The request token is single-use: drop it, then register the access token.
    requestTokens.remove(requestToken.getTokenKey());
    accessTokens.put(tokenKey, issued);
    return issued;
}

Example 4 with AccessToken

Use of org.apache.cxf.rs.security.oauth.data.AccessToken in the cxf project (apache).

Method handleOAuthRequest of class AbstractAuthFilter.

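/**
 * Authenticates the third-party consumer and returns
 * {@link OAuthInfo} bean capturing the information about the request.
 * <p>
 * Two request shapes are accepted. If {@code oauth_token} is present the request is
 * treated as token-authenticated: the access token is looked up and the signed message
 * is validated against it. Otherwise the consumer is identified by key — from an
 * {@code OAuth} Authorization header or from {@code Basic} credentials — the message is
 * validated for that client, and the client's pre-authorized token is used. In both
 * cases the token's scopes are then matched against the request URI and HTTP verb.
 * @param req http request
 * @return OAuth info holding the access token and the permissions that cover this request
 * @see OAuthInfo
 * @throws OAuthProblemException if the token is unknown, the consumer key or secret is
 *         rejected, no pre-authorized token exists, or none of the token's permissions
 *         match this request
 * @throws Exception propagated from message parsing or validation
 */
protected OAuthInfo handleOAuthRequest(HttpServletRequest req) throws Exception, OAuthProblemException {
    if (LOG.isLoggable(Level.FINE)) {
        LOG.log(Level.FINE, "OAuth security filter for url: {0}", req.getRequestURL());
    }
    AccessToken accessToken = null;
    Client client = null;
    OAuthMessage oAuthMessage = OAuthServlet.getMessage(new CustomHttpServletWrapper(req), OAuthServlet.getRequestURL(req));
    if (oAuthMessage.getParameter(OAuth.OAUTH_TOKEN) != null) {
        // Token-authenticated request: the token must exist and the message must verify against it.
        oAuthMessage.requireParameters(REQUIRED_PARAMETERS);
        accessToken = dataProvider.getAccessToken(oAuthMessage.getToken());
        if (accessToken == null) {
            LOG.warning("Access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        client = accessToken.getClient();
        OAuthUtils.validateMessage(oAuthMessage, client, accessToken, dataProvider, validator);
    } else {
        // Two-legged request: identify the consumer from the Authorization header.
        String consumerKey = null;
        String consumerSecret = null;
        String authHeader = oAuthMessage.getHeader("Authorization");
        if (authHeader != null) {
            if (authHeader.startsWith("OAuth")) {
                consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
                consumerSecret = oAuthMessage.getParameter(OAuthConstants.OAUTH_CONSUMER_SECRET);
            } else if (authHeader.startsWith("Basic")) {
                AuthorizationPolicy policy = getAuthorizationPolicy(authHeader);
                if (policy != null) {
                    consumerKey = policy.getUserName();
                    consumerSecret = policy.getPassword();
                }
            }
        }
        if (consumerKey != null) {
            client = dataProvider.getClient(consumerKey);
        }
        if (client == null) {
            LOG.warning("Client is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        // The secret is only checked when one was supplied; a request without it relies
        // entirely on validateMessage() below. NOTE(review): confirm the validator rejects
        // unsigned messages, otherwise a bare consumer key is enough to reach the token.
        // When present, the secret is compared in constant time so the response time does
        // not reveal how many leading characters of the stored secret were right.
        if (consumerSecret != null && !constantTimeEquals(consumerSecret, client.getSecretKey())) {
            LOG.warning("Client secret is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider, validator);
        accessToken = client.getPreAuthorizedToken();
        if (accessToken == null || !accessToken.isPreAuthorized()) {
            LOG.warning("Preauthorized access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
    }
    // Keep only the permissions whose URI and HTTP verb constraints cover this request.
    List<OAuthPermission> permissions = accessToken.getScopes();
    List<OAuthPermission> matchingPermissions = new ArrayList<>();
    for (OAuthPermission perm : permissions) {
        boolean uriOK = checkRequestURI(req, perm.getUris());
        boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
        if (uriOK && verbOK) {
            matchingPermissions.add(perm);
        }
    }
    // A token with no scopes at all is not restricted by this check; only a token whose
    // scopes all fail to match is rejected.
    if (!permissions.isEmpty() && matchingPermissions.isEmpty()) {
        String message = "Client has no valid permissions";
        LOG.warning(message);
        throw new OAuthProblemException(message);
    }
    return new OAuthInfo(accessToken, matchingPermissions);
}

/**
 * Compares two strings without stopping at the first mismatch, so the time taken
 * does not depend on how much of {@code expected} the caller guessed correctly.
 * A {@code null} on either side counts as a mismatch, which is what
 * {@code actual.equals(expected)} returned when the stored secret was absent.
 * @param actual the value supplied by the caller
 * @param expected the value stored server-side
 * @return {@code true} only if both are non-null and identical
 */
private static boolean constantTimeEquals(String actual, String expected) {
    if (actual == null || expected == null) {
        return false;
    }
    int diff = actual.length() ^ expected.length();
    int len = Math.min(actual.length(), expected.length());
    for (int i = 0; i < len; i++) {
        diff |= actual.charAt(i) ^ expected.charAt(i);
    }
    return diff == 0;
}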

Example 5 with AccessToken

Use of org.apache.cxf.rs.security.oauth.data.AccessToken in the cxf project (apache).

Method createAccessToken of class MemoryOAuthDataProvider (repeated listing).

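/**
 * Issues an access token for the request token carried in {@code reg} and consumes
 * that request token so it cannot be exchanged a second time.
 * <p>
 * The request token is re-read from the in-memory store rather than trusted from
 * {@code reg}; if it is no longer stored (already exchanged, expired or never issued)
 * the exchange is refused instead of failing with a NullPointerException.
 * @param reg registration holding the request token to exchange
 * @return the new access token, valid for 3600 seconds from now and carrying the
 *         request token's scopes
 * @throws OAuthServiceException if the request token is not (or no longer) in the store
 */
public AccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    RequestToken suppliedToken = reg.getRequestToken();
    Client client = suppliedToken.getClient();
    String requestTokenKey = suppliedToken.getTokenKey();
    RequestToken requestToken = getRequestToken(requestTokenKey);
    if (requestToken == null) {
        // Refusing here turns a replayed or forged exchange into a 400 from the
        // handler's OAuthServiceException path instead of an unexpected 500.
        throw new OAuthServiceException("Request token is unavailable");
    }
    String accessTokenString = generateToken();
    String tokenSecretString = generateToken();
    AccessToken accessToken = new AccessToken(client, accessTokenString, tokenSecretString, 3600, System.currentTimeMillis() / 1000);
    accessToken.setScopes(requestToken.getScopes());
    synchronized (oauthTokens) {
        // Swap the request token for the access token under one lock so the
        // request token cannot be exchanged again in between.
        oauthTokens.remove(requestTokenKey);
        oauthTokens.put(accessTokenString, accessToken);
        synchronized (userAuthorizedClients) {
            // NOTE(review): key and value are both the consumer key here — presumably a
            // set-like use of a multi-valued map; confirm against the declared type.
            userAuthorizedClients.add(client.getConsumerKey(), client.getConsumerKey());
        }
    }
    return accessToken;
}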
