use of org.apache.cxf.rs.security.oauth.data.AccessToken in project cxf by apache.
The class AccessTokenHandler, method handle.
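/**
 * Exchanges an authorized request token for an access token (the OAuth 1.0
 * access-token endpoint).
 *
 * The request token named in the message must exist. Unless that token is
 * pre-authorized and already bound to a subject, the supplied
 * {@code oauth_verifier} must match the stored verifier. The message is then
 * validated (signature etc.) via {@link OAuthUtils#validateMessage} before the
 * provider issues the access token, whose key and secret are form-encoded into
 * the response body.
 *
 * @param mc           message context of the current request
 * @param dataProvider provider used to look up the request token and create the access token
 * @param validator    validator handed to {@code OAuthUtils.validateMessage}
 * @return 200 with the form-encoded token pair on success; the mapped OAuth error
 *         status (400, or 401 for an unknown consumer key) for OAuth problems;
 *         400 for service exceptions; 500 for anything unexpected
 */
public Response handle(MessageContext mc, OAuthDataProvider dataProvider, OAuthValidator validator) {
    try {
        OAuthMessage oAuthMessage = OAuthUtils.getOAuthMessage(mc, mc.getHttpServletRequest(), REQUIRED_PARAMETERS);
        RequestToken requestToken = dataProvider.getRequestToken(oAuthMessage.getToken());
        if (requestToken == null) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }

        String oauthVerifier = oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER);
        if (StringUtils.isEmpty(oauthVerifier)) {
            // A missing verifier is only acceptable for a pre-authorized token that
            // already carries a subject.
            if (requestToken.getSubject() != null && requestToken.isPreAuthorized()) {
                LOG.fine("Preauthorized request token");
            } else {
                throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
            }
        } else if (!constantTimeEquals(oauthVerifier, requestToken.getVerifier())) {
            // The verifier is a client-supplied secret: compare without an early exit so
            // response time does not reveal how many leading characters matched.
            throw new OAuthProblemException(OAuthConstants.VERIFIER_INVALID);
        }

        OAuthUtils.validateMessage(oAuthMessage, requestToken.getClient(), requestToken, dataProvider, validator);

        AccessTokenRegistration reg = new AccessTokenRegistration();
        reg.setRequestToken(requestToken);
        AccessToken accessToken = dataProvider.createAccessToken(reg);

        // Response body: oauth_token=...&oauth_token_secret=...
        Map<String, Object> responseParams = new HashMap<>();
        responseParams.put(OAuth.OAUTH_TOKEN, accessToken.getTokenKey());
        responseParams.put(OAuth.OAUTH_TOKEN_SECRET, accessToken.getTokenSecret());
        String responseString = OAuth.formEncode(responseParams.entrySet());
        return Response.ok(responseString).build();
    } catch (OAuthProblemException e) {
        // NOTE(review): fillInStackTrace() here resets the trace to this catch site,
        // discarding where the problem was raised — presumably deliberate; confirm.
        LOG.log(Level.WARNING, "An OAuth-related problem: {0}", new Object[] { e.fillInStackTrace() });
        int code = e.getHttpStatusCode();
        if (code == HttpServletResponse.SC_OK) {
            // The exception carried no specific status: unknown consumer -> 401, otherwise 400.
            code = e.getProblem() == OAuth.Problems.CONSUMER_KEY_UNKNOWN ? 401 : 400;
        }
        return OAuthUtils.handleException(mc, e, code);
    } catch (OAuthServiceException e) {
        return OAuthUtils.handleException(mc, e, HttpServletResponse.SC_BAD_REQUEST);
    } catch (Exception e) {
        LOG.log(Level.SEVERE, "Unexpected internal server exception: {0}", new Object[] { e.fillInStackTrace() });
        return OAuthUtils.handleException(mc, e, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    }
}

/**
 * Compares two strings without short-circuiting on the first mismatch, so the
 * running time depends only on the lengths involved and not on where the
 * strings differ. Either argument being {@code null} yields {@code false}.
 * The lengths themselves are not concealed.
 *
 * @param supplied value received from the client
 * @param expected value held server-side
 * @return {@code true} iff both are non-null and equal
 */
private static boolean constantTimeEquals(String supplied, String expected) {
    if (supplied == null || expected == null) {
        return false;
    }
    int diff = supplied.length() ^ expected.length();
    int common = Math.min(supplied.length(), expected.length());
    for (int i = 0; i < common; i++) {
        diff |= supplied.charAt(i) ^ expected.charAt(i);
    }
    return diff == 0;
}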
use of org.apache.cxf.rs.security.oauth.data.AccessToken in project cxf by apache.
The class MemoryOAuthDataProvider, method createAccessToken.
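/**
 * Issues an access token for the request token carried by {@code reg} and
 * replaces that request token in the in-memory token store.
 *
 * The token key and secret come from {@code generateToken()}; the token is
 * valid for 3600 seconds from the current time and inherits the scopes of
 * the stored request token.
 *
 * @param reg registration holding the authorized request token
 * @return the newly created access token
 * @throws OAuthServiceException if the request token is no longer in the store
 *         (previously this surfaced as a NullPointerException on getScopes())
 */
public AccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    RequestToken requestToken = reg.getRequestToken();
    Client client = requestToken.getClient();

    // Re-read the stored copy so the scopes come from server-side state, not the caller's object.
    requestToken = getRequestToken(requestToken.getTokenKey());
    if (requestToken == null) {
        throw new OAuthServiceException("Request token is unavailable");
    }

    String accessTokenString = generateToken();
    String tokenSecretString = generateToken();
    AccessToken accessToken = new AccessToken(client, accessTokenString, tokenSecretString,
                                              3600, System.currentTimeMillis() / 1000);
    accessToken.setScopes(requestToken.getScopes());

    // Swap request token for access token atomically with respect to other token-store users.
    synchronized (oauthTokens) {
        oauthTokens.remove(requestToken.getTokenKey());
        oauthTokens.put(accessTokenString, accessToken);
        synchronized (userAuthorizedClients) {
            // Records the consumer as authorized; key and value are both the consumer key
            // (the exact meaning of this map is defined outside this snippet).
            userAuthorizedClients.add(client.getConsumerKey(), client.getConsumerKey());
        }
    }
    return accessToken;
}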
use of org.apache.cxf.rs.security.oauth.data.AccessToken in project testcases by coheigea.
The class OAuthDataProviderImpl, method createAccessToken.
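/**
 * Creates an access token for the request token in {@code reg}, removing the
 * request token from {@code requestTokens} and storing the new token in
 * {@code accessTokens}.
 *
 * The token key is a random UUID; the token secret is 20 random bytes (160 bits)
 * base64-encoded. The token is valid for 300 seconds from the current time and
 * carries the request token's scopes and subject.
 *
 * @param reg registration holding the authorized request token
 * @return the newly created access token
 * @throws OAuthServiceException declared by the provider interface; not thrown here
 */
public AccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    RequestToken requestToken = reg.getRequestToken();
    Client client = requestToken.getClient();

    String token = UUID.randomUUID().toString();
    byte[] secret = new byte[20];
    // NOTE(review): 'random' must be a SecureRandom for the secret to be unpredictable — confirm its declaration.
    random.nextBytes(secret);
    String encodedSecret = Base64.getEncoder().encodeToString(secret);

    // Issued-at in epoch seconds; System.currentTimeMillis() replaces the legacy new Date().getTime().
    long issuedAtSeconds = System.currentTimeMillis() / 1000L;
    long lifetimeSeconds = 60L * 5L;
    AccessToken accessToken = new AccessToken(client, token, encodedSecret, lifetimeSeconds, issuedAtSeconds);
    accessToken.setScopes(requestToken.getScopes());
    accessToken.setSubject(requestToken.getSubject());

    // The request token is single-use: retire it as the access token is issued.
    requestTokens.remove(requestToken.getTokenKey());
    accessTokens.put(token, accessToken);
    return accessToken;
}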
use of org.apache.cxf.rs.security.oauth.data.AccessToken in project cxf by apache.
The class AbstractAuthFilter, method handleOAuthRequest.
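/**
 * Authenticates the third-party consumer behind {@code req} and returns an
 * {@link OAuthInfo} describing the access token and the permissions that
 * apply to this request.
 *
 * Two flows are supported. If the message carries {@code oauth_token}, that
 * access token is looked up and the message is validated against it. Otherwise
 * the consumer is identified from the {@code Authorization} header (either
 * {@code OAuth} parameters or HTTP {@code Basic} credentials), the message is
 * validated for that client, and the client's pre-authorized access token is used.
 *
 * @param req http request
 * @return the access token together with the subset of its scopes whose URIs and
 *         HTTP verbs match this request
 * @throws OAuthProblemException if the token is unknown or not pre-authorized, the
 *         client is unknown, the consumer secret does not match, or the token has
 *         scopes but none matches the request
 * @throws Exception propagated from message parsing or validation
 * @see OAuthInfo
 */
protected OAuthInfo handleOAuthRequest(HttpServletRequest req) throws Exception, OAuthProblemException {
    if (LOG.isLoggable(Level.FINE)) {
        LOG.log(Level.FINE, "OAuth security filter for url: {0}", req.getRequestURL());
    }

    OAuthMessage oAuthMessage = OAuthServlet.getMessage(new CustomHttpServletWrapper(req), OAuthServlet.getRequestURL(req));
    AccessToken accessToken;

    if (oAuthMessage.getParameter(OAuth.OAUTH_TOKEN) != null) {
        // Token flow: the access token identifies the client.
        oAuthMessage.requireParameters(REQUIRED_PARAMETERS);
        accessToken = dataProvider.getAccessToken(oAuthMessage.getToken());
        if (accessToken == null) {
            LOG.warning("Access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        OAuthUtils.validateMessage(oAuthMessage, accessToken.getClient(), accessToken, dataProvider, validator);
    } else {
        // Two-legged flow: identify the consumer from the Authorization header.
        String consumerKey = null;
        String consumerSecret = null;
        String authHeader = oAuthMessage.getHeader("Authorization");
        if (authHeader != null) {
            if (authHeader.startsWith("OAuth")) {
                consumerKey = oAuthMessage.getParameter(OAuth.OAUTH_CONSUMER_KEY);
                consumerSecret = oAuthMessage.getParameter(OAuthConstants.OAUTH_CONSUMER_SECRET);
            } else if (authHeader.startsWith("Basic")) {
                AuthorizationPolicy policy = getAuthorizationPolicy(authHeader);
                if (policy != null) {
                    consumerKey = policy.getUserName();
                    consumerSecret = policy.getPassword();
                }
            }
        }

        Client client = consumerKey == null ? null : dataProvider.getClient(consumerKey);
        if (client == null) {
            LOG.warning("Client is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        // When a secret was presented it must match; compared without an early exit so
        // response time does not reveal the position of the first mismatch. A request
        // with no secret relies on validateMessage() below — NOTE(review): confirm that
        // is the intended policy.
        if (consumerSecret != null && !constantTimeEquals(consumerSecret, client.getSecretKey())) {
            LOG.warning("Client secret is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        OAuthUtils.validateMessage(oAuthMessage, client, null, dataProvider, validator);

        accessToken = client.getPreAuthorizedToken();
        if (accessToken == null || !accessToken.isPreAuthorized()) {
            LOG.warning("Preauthorized access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
    }

    // Keep only the permissions whose URI and HTTP verb constraints match this request.
    // NOTE(review): getScopes() is assumed non-null here, as in the original code — confirm.
    List<OAuthPermission> permissions = accessToken.getScopes();
    List<OAuthPermission> matchingPermissions = new ArrayList<>();
    for (OAuthPermission perm : permissions) {
        if (checkRequestURI(req, perm.getUris()) && checkHttpVerb(req, perm.getHttpVerbs())) {
            matchingPermissions.add(perm);
        }
    }
    // An unscoped token is allowed through; a scoped token must match at least one scope.
    if (!permissions.isEmpty() && matchingPermissions.isEmpty()) {
        String message = "Client has no valid permissions";
        LOG.warning(message);
        throw new OAuthProblemException(message);
    }
    return new OAuthInfo(accessToken, matchingPermissions);
}

/**
 * Compares two strings without short-circuiting on the first mismatch, so the
 * running time depends only on the lengths involved and not on where the
 * strings differ. Either argument being {@code null} yields {@code false}.
 * The lengths themselves are not concealed.
 *
 * @param supplied value received from the client
 * @param expected value held server-side
 * @return {@code true} iff both are non-null and equal
 */
private static boolean constantTimeEquals(String supplied, String expected) {
    if (supplied == null || expected == null) {
        return false;
    }
    int diff = supplied.length() ^ expected.length();
    int common = Math.min(supplied.length(), expected.length());
    for (int i = 0; i < common; i++) {
        diff |= supplied.charAt(i) ^ expected.charAt(i);
    }
    return diff == 0;
}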
use of org.apache.cxf.rs.security.oauth.data.AccessToken in project cxf by apache.
The class MemoryOAuthDataProvider, method createAccessToken.
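/**
 * Converts the authorized request token in {@code reg} into an access token,
 * removing the request token from the in-memory store and adding the access
 * token in its place.
 *
 * Key and secret are produced by {@code generateToken()}; the token lives for
 * 3600 seconds from now and copies the stored request token's scopes.
 *
 * @param reg registration holding the authorized request token
 * @return the newly created access token
 * @throws OAuthServiceException if the referenced request token is not in the store
 *         (previously a NullPointerException escaped from getScopes())
 */
public AccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    RequestToken suppliedToken = reg.getRequestToken();
    Client client = suppliedToken.getClient();

    // Work from the stored copy rather than the caller-supplied object.
    RequestToken storedToken = getRequestToken(suppliedToken.getTokenKey());
    if (storedToken == null) {
        throw new OAuthServiceException("Request token is unavailable");
    }

    String tokenKey = generateToken();
    String tokenSecret = generateToken();
    long issuedAtSeconds = System.currentTimeMillis() / 1000;
    AccessToken accessToken = new AccessToken(client, tokenKey, tokenSecret, 3600, issuedAtSeconds);
    accessToken.setScopes(storedToken.getScopes());

    // Replace the request token with the access token under the store's lock.
    synchronized (oauthTokens) {
        oauthTokens.remove(storedToken.getTokenKey());
        oauthTokens.put(tokenKey, accessToken);
        synchronized (userAuthorizedClients) {
            // Both key and value are the consumer key; the map's semantics are defined elsewhere.
            userAuthorizedClients.add(client.getConsumerKey(), client.getConsumerKey());
        }
    }
    return accessToken;
}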