
Example 1 with AccessTokenValidation

use of org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation in project cxf by apache.

From class AccessTokenIntrospectionClient, method convertIntrospectionToValidation.

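/**
 * Maps a token-introspection response (RFC 7662) onto the local
 * {@link AccessTokenValidation} model used by the resource-server filter.
 *
 * <p>Only the fields present in the response are copied; the rest keep the
 * defaults of a freshly constructed {@code AccessTokenValidation}. The
 * {@code active} flag becomes {@code initialValidationSuccessful}.
 *
 * @param response the introspection response returned by the authorization server
 * @return the validation object describing the introspected token
 */
private AccessTokenValidation convertIntrospectionToValidation(TokenIntrospection response) {
    AccessTokenValidation atv = new AccessTokenValidation();
    atv.setInitialValidationSuccessful(response.isActive());
    if (response.getClientId() != null) {
        atv.setClientId(response.getClientId());
    }
    // RFC 7662 defines "iat" and "exp" as seconds since the epoch. When the server
    // omits "iat", the fallback must be in the same unit; a millisecond value here
    // would make the lifetime derived from "exp" below wrong by a factor of 1000.
    if (response.getIat() != null) {
        atv.setTokenIssuedAt(response.getIat());
    } else {
        atv.setTokenIssuedAt(Instant.now().getEpochSecond());
    }
    if (response.getExp() != null) {
        // Lifetime is expressed relative to the issued-at value recorded just above
        atv.setTokenLifetime(response.getExp() - atv.getTokenIssuedAt());
    }
    if (!StringUtils.isEmpty(response.getAud())) {
        atv.setAudiences(response.getAud());
    }
    if (response.getIss() != null) {
        atv.setTokenIssuer(response.getIss());
    }
    if (response.getScope() != null) {
        // "scope" is a space-separated list; blank fragments from repeated spaces are skipped
        List<OAuthPermission> perms = new LinkedList<>();
        for (String scope : response.getScope().split(" ")) {
            if (!StringUtils.isEmpty(scope)) {
                perms.add(new OAuthPermission(scope.trim()));
            }
        }
        atv.setTokenScopes(perms);
    }
    if (response.getUsername() != null) {
        atv.setTokenSubject(new UserSubject(response.getUsername()));
    }
    // Any non-standard introspection members are carried along as extra properties
    if (response.getExtensions() != null) {
        atv.getExtraProps().putAll(response.getExtensions());
    }
    return atv;
}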

Example 2 with AccessTokenValidation

use of org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation in project cxf by apache.

From class AccessTokenValidatorClient, method validateAccessToken.

/**
 * Validates the token by delegating to the remote validator service.
 *
 * <p>The scheme type, the scheme data (the raw token value) and any extra
 * properties are POSTed as a form to {@code tokenValidatorClient} and the
 * reply is unmarshalled into an {@link AccessTokenValidation}. Because the
 * raw token travels in the request body, the configured client is expected to
 * use a trusted transport.
 *
 * @param mc the current message context (not used by this implementation)
 * @param authScheme the authorization scheme name
 * @param authSchemeData the scheme-specific data, typically the token value
 * @param extraProps optional additional properties; entries with the same keys
 *        as the two scheme parameters override them
 * @return the validation result as reported by the remote service
 * @throws OAuthServiceException if the remote call fails with a JAX-RS error
 */
public AccessTokenValidation validateAccessToken(MessageContext mc, String authScheme, String authSchemeData, MultivaluedMap<String, String> extraProps) throws OAuthServiceException {
    MultivaluedMap<String, String> form = new MetadataMap<String, String>();
    form.putSingle(OAuthConstants.AUTHORIZATION_SCHEME_TYPE, authScheme);
    form.putSingle(OAuthConstants.AUTHORIZATION_SCHEME_DATA, authSchemeData);
    if (extraProps != null) {
        form.putAll(extraProps);
    }
    // A per-call copy of the shared client keeps its configuration while isolating request state
    WebClient wc = WebClient.fromClient(tokenValidatorClient, true);
    try {
        return wc.post(form, AccessTokenValidation.class);
    } catch (WebApplicationException ex) {
        throw new OAuthServiceException(ex);
    }
}

Example 3 with AccessTokenValidation

use of org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation in project cxf by apache.

From class OAuthRequestFilter, method createSecurityContext.

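/**
 * Builds the CXF {@link SecurityContext} representing the party the request
 * was authorized for.
 *
 * <p>The backing subject depends on {@code useUserSubject}: the resource owner
 * ({@code getTokenSubject()}) when it is {@code true}, otherwise the client
 * application ({@code getClientSubject()}). When the selected subject is
 * absent the context has no principal and grants no roles.
 *
 * @param request the current servlet request (not used by this implementation)
 * @param accessTokenV the validated token the request was authorized with
 * @return a security context backed by the selected subject
 */
protected SecurityContext createSecurityContext(HttpServletRequest request, AccessTokenValidation accessTokenV) {
    final UserSubject theSubject = useUserSubject
        ? accessTokenV.getTokenSubject() : accessTokenV.getClientSubject();
    return new SecurityContext() {

        @Override
        public Principal getUserPrincipal() {
            return theSubject == null ? null : new SimplePrincipal(theSubject.getLogin());
        }

        @Override
        public boolean isUserInRole(String role) {
            if (theSubject == null) {
                return false;
            }
            // A subject without a role list grants no roles rather than failing the check
            return theSubject.getRoles() != null && theSubject.getRoles().contains(role);
        }
    };
}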

Example 4 with AccessTokenValidation

use of org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation in project cxf by apache.

From class AbstractAccessTokenValidator, method getAccessTokenValidation.

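/**
 * Resolves the validation state of the access token carried in the HTTP
 * {@code Authorization} header.
 *
 * <p>Resolution order: the local validation cache (only when
 * {@code maxValidationDataCacheSize > 0}), then the {@link AccessTokenValidator}
 * registered for {@code authScheme}, then, for the default scheme only, a direct
 * {@code dataProvider} lookup. The result is always re-checked for expiry, and an
 * expired token is evicted from the provider or the cache before being rejected.
 * Rejections are raised through {@code AuthorizationUtils.throwAuthorizationFailure}
 * (an authorization failure for the caller); a missing provider and validator
 * configuration is reported as an internal server error instead.
 *
 * <p>Note that the cache is keyed by the raw {@code authSchemeData} (the token
 * value itself) and is cleared wholesale once it reaches its size limit.
 *
 * @param authScheme the authorization scheme name; may be absent from the request
 * @param authSchemeData the scheme-specific data, i.e. the raw token value
 * @param extraProps additional request properties forwarded to the validator
 * @return the validation result for the token; never {@code null}
 */
protected AccessTokenValidation getAccessTokenValidation(String authScheme, String authSchemeData, MultivaluedMap<String, String> extraProps) {
    if (dataProvider == null && tokenHandlers.isEmpty()) {
        // Misconfiguration rather than a client error: nothing is able to validate tokens
        throw ExceptionUtils.toInternalServerErrorException(null, null);
    }
    final boolean cacheEnabled = maxValidationDataCacheSize > 0;
    AccessTokenValidation accessTokenV = cacheEnabled ? accessTokenValidations.get(authSchemeData) : null;
    ServerAccessToken localAccessToken = null;
    if (accessTokenV == null) {
        // Get the registered handler capable of processing the token
        AccessTokenValidator handler = findTokenValidator(authScheme);
        if (handler != null) {
            try {
                // Convert the HTTP Authorization scheme data into a token
                accessTokenV = handler.validateAccessToken(getMessageContext(), authScheme, authSchemeData, extraProps);
            } catch (OAuthServiceException ex) {
                AuthorizationUtils.throwAuthorizationFailure(Collections.singleton(authScheme), realm);
            } catch (RuntimeException ex) {
                // Any validator failure is surfaced as an authorization failure, not as a server error
                AuthorizationUtils.throwAuthorizationFailure(Collections.singleton(authScheme), realm);
            }
        }
        // Default processing if no registered providers available.
        // Constant-first equals: authScheme may be null when the request carried no scheme.
        if (accessTokenV == null && dataProvider != null && DEFAULT_AUTH_SCHEME.equals(authScheme)) {
            try {
                localAccessToken = dataProvider.getAccessToken(authSchemeData);
            } catch (OAuthServiceException ex) {
                // best effort: a provider failure leaves localAccessToken null and is rejected just below
            }
            if (localAccessToken == null) {
                AuthorizationUtils.throwAuthorizationFailure(Collections.singleton(authScheme), realm);
            }
            accessTokenV = new AccessTokenValidation(localAccessToken);
        }
    }
    if (accessTokenV == null) {
        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
    }
    // Check if token is still valid; this also applies to cache hits
    if (OAuthUtils.isExpired(accessTokenV.getTokenIssuedAt(), accessTokenV.getTokenLifetime())) {
        if (localAccessToken != null) {
            removeAccessToken(localAccessToken);
        } else if (cacheEnabled) {
            accessTokenValidations.remove(authSchemeData);
        }
        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
    }
    if (cacheEnabled) {
        if (accessTokenValidations.size() >= maxValidationDataCacheSize) {
            // Simplest bound: drop everything (alternatively evict the entries expiring soonest)
            accessTokenValidations.clear();
        }
        accessTokenValidations.put(authSchemeData, accessTokenV);
    }
    return accessTokenV;
}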

Example 5 with AccessTokenValidation

use of org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation in project cxf by apache.

From class AccessTokenValidatorService, method getTokenValidationInfo.

/**
 * Form endpoint that reports the validation state of a token on behalf of a
 * remote resource server.
 *
 * <p>The caller is authenticated first via {@code checkSecurityContext()}. The
 * scheme type and scheme data are read from the posted form and passed to the
 * base validation; if that validation rejects the token, the rejection is
 * translated into a response whose {@code initialValidationSuccessful} flag is
 * {@code false} instead of propagating the authorization error to the caller.
 *
 * @param params the posted form, still URL-encoded
 * @return the validation result, or a "not validated" result if the token was rejected
 */
@POST
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public AccessTokenValidation getTokenValidationInfo(@Encoded MultivaluedMap<String, String> params) {
    checkSecurityContext();
    final String scheme = params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_TYPE);
    final String schemeData = params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_DATA);
    AccessTokenValidation result;
    try {
        result = super.getAccessTokenValidation(scheme, schemeData, params);
    } catch (NotAuthorizedException ex) {
        // A rejection here means the local or chained token validation failed,
        // not that the calling resource server failed to authenticate
        result = new AccessTokenValidation();
        result.setInitialValidationSuccessful(false);
    }
    return result;
}
