Examples with DefaultOAuthValidator org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator used on opensource projects

Example 1 with DefaultOAuthValidator

use of org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator in project cxf by apache.

the class OAuthUtils method validateMessage.

public static void validateMessage(OAuthMessage oAuthMessage, Client client, Token token, OAuthDataProvider provider, OAuthValidator validator) throws Exception {
    OAuthConsumer consumer = new OAuthConsumer(null, client.getConsumerKey(), client.getSecretKey(), null);
    OAuthAccessor accessor = new OAuthAccessor(consumer);
    if (token != null) {
        if (token instanceof RequestToken) {
            accessor.requestToken = token.getTokenKey();
        } else {
            accessor.accessToken = token.getTokenKey();
        }
        accessor.tokenSecret = token.getTokenSecret();
    }
    try {
        validator.validateMessage(oAuthMessage, accessor);
    } catch (Exception ex) {
        if (token != null) {
            provider.removeToken(token);
        }
        throw ex;
    }
    if (token != null && validator instanceof DefaultOAuthValidator) {
        ((DefaultOAuthValidator) validator).validateToken(token, provider);
    }
}

Example 2 with DefaultOAuthValidator

use of org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator in project cxf by apache.

the class AuthorizationRequestHandler method handle.

public Response handle(MessageContext mc, OAuthDataProvider dataProvider) {
    HttpServletRequest request = mc.getHttpServletRequest();
    try {
        OAuthMessage oAuthMessage = OAuthUtils.getOAuthMessage(mc, request, REQUIRED_PARAMETERS);
        new DefaultOAuthValidator().checkSingleParameter(oAuthMessage);
        RequestToken token = dataProvider.getRequestToken(oAuthMessage.getToken());
        if (token == null) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        String decision = oAuthMessage.getParameter(OAuthConstants.AUTHORIZATION_DECISION_KEY);
        OAuthAuthorizationData secData = new OAuthAuthorizationData();
        if (!compareRequestSessionTokens(request, oAuthMessage)) {
            if (decision != null) {
                // this is a user decision request, the session has expired or been possibly hijacked
                LOG.warning("Session authenticity token is missing or invalid");
                throw ExceptionUtils.toBadRequestException(null, null);
            }
            // assume it is an initial authorization request
            addAuthenticityTokenToSession(secData, request);
            return Response.ok(addAdditionalParams(secData, dataProvider, token)).build();
        }
        boolean allow = OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
        Map<String, String> queryParams = new HashMap<>();
        if (allow) {
            SecurityContext sc = (SecurityContext) mc.get(SecurityContext.class.getName());
            List<String> roleNames = Collections.emptyList();
            if (sc instanceof LoginSecurityContext) {
                roleNames = new ArrayList<>();
                Set<Principal> roles = ((LoginSecurityContext) sc).getUserRoles();
                for (Principal p : roles) {
                    roleNames.add(p.getName());
                }
            }
            token.setSubject(new UserSubject(sc.getUserPrincipal() == null ? null : sc.getUserPrincipal().getName(), roleNames));
            AuthorizationInput input = new AuthorizationInput();
            input.setToken(token);
            Set<OAuthPermission> approvedScopesSet = new HashSet<>();
            List<OAuthPermission> originalScopes = token.getScopes();
            for (OAuthPermission perm : originalScopes) {
                String param = oAuthMessage.getParameter(perm.getPermission() + "_status");
                if (param != null && OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(param)) {
                    approvedScopesSet.add(perm);
                }
            }
            List<OAuthPermission> approvedScopes = new LinkedList<OAuthPermission>(approvedScopesSet);
            if (approvedScopes.isEmpty()) {
                approvedScopes = originalScopes;
            } else if (approvedScopes.size() < originalScopes.size()) {
                for (OAuthPermission perm : originalScopes) {
                    if (perm.isDefault() && !approvedScopes.contains(perm)) {
                        approvedScopes.add(perm);
                    }
                }
            }
            input.setApprovedScopes(approvedScopes);
            String verifier = dataProvider.finalizeAuthorization(input);
            queryParams.put(OAuth.OAUTH_VERIFIER, verifier);
        } else {
            dataProvider.removeToken(token);
        }
        queryParams.put(OAuth.OAUTH_TOKEN, token.getTokenKey());
        if (token.getState() != null) {
            queryParams.put(OAuthConstants.X_OAUTH_STATE, token.getState());
        }
        String callbackValue = getCallbackValue(token);
        if (OAuthConstants.OAUTH_CALLBACK_OOB.equals(callbackValue)) {
            OOBAuthorizationResponse bean = convertQueryParamsToOOB(queryParams);
            return Response.ok().entity(bean).build();
        }
        URI callbackURI = buildCallbackURI(callbackValue, queryParams);
        return Response.seeOther(callbackURI).build();
    } catch (OAuthProblemException e) {
        LOG.log(Level.WARNING, "An OAuth related problem: {0}", new Object[] { e.fillInStackTrace() });
        int code = e.getHttpStatusCode();
        if (code == HttpServletResponse.SC_OK) {
            code = e.getProblem() == OAuth.Problems.CONSUMER_KEY_UNKNOWN ? 401 : 400;
        }
        return OAuthUtils.handleException(mc, e, code);
    } catch (OAuthServiceException e) {
        return OAuthUtils.handleException(mc, e, HttpServletResponse.SC_BAD_REQUEST);
    } catch (Exception e) {
        LOG.log(Level.SEVERE, "Unexpected internal server exception: {0}", new Object[] { e.fillInStackTrace() });
        return OAuthUtils.handleException(mc, e, HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    }
}

Example 3 with DefaultOAuthValidator

use of org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator in project cxf by apache.

the class OAuthUtils method getOAuthValidator.

public static synchronized OAuthValidator getOAuthValidator(ServletContext servletContext) {
    OAuthValidator dataProvider = (OAuthValidator) servletContext.getAttribute(OAuthConstants.OAUTH_VALIDATOR_INSTANCE_KEY);
    if (dataProvider == null) {
        String dataProviderClassName = servletContext.getInitParameter(OAuthConstants.OAUTH_VALIDATOR_CLASS);
        if (!StringUtils.isEmpty(dataProviderClassName)) {
            try {
                dataProvider = (OAuthValidator) OAuthUtils.instantiateClass(dataProviderClassName);
                servletContext.setAttribute(OAuthConstants.OAUTH_VALIDATOR_INSTANCE_KEY, dataProvider);
            } catch (Exception e) {
                throw new RuntimeException("Cannot instantiate OAuthValidator class: " + dataProviderClassName, e);
            }
        }
    }
    return dataProvider == null ? new DefaultOAuthValidator() : dataProvider;
}