
Example 1 with OAuthContext

Use of org.apache.cxf.rs.security.oauth2.common.OAuthContext in the project cxf by apache.

The method checkScopes of the class OAuthScopesFilter.

/**
 * Enforces the scopes configured for the invoked resource method against the
 * permissions carried by the current OAuth2 context.
 *
 * <p>If no scopes are registered for {@code m} nothing is enforced. Otherwise the
 * per-method "match all" flag decides the policy: either every configured scope
 * must be present among the granted permissions, or a single matching permission
 * is enough.
 *
 * @param m the resource method about to be invoked
 * @throws javax.ws.rs.WebApplicationException (Forbidden) when the granted
 *         permissions do not satisfy the configured scopes
 */
protected void checkScopes(Method m) {
    final String methodName = m.getName();
    final List<String> expectedScopes = scopesMap.get(methodName);
    if (expectedScopes == null) {
        // No scope requirement registered for this method: nothing to enforce.
        return;
    }
    // NOTE(review): auto-unboxing — assumes scopesMatchAllMap always has an entry
    // whenever scopesMap does; otherwise this line throws NullPointerException.
    final boolean requireAll = scopesMatchAllMap.get(methodName);
    final OAuthContext context = OAuthContextUtils.getContext(mc);

    final List<String> grantedScopes = new LinkedList<String>();
    for (OAuthPermission granted : context.getPermissions()) {
        final String scope = granted.getPermission();
        if (requireAll) {
            grantedScopes.add(scope);
        } else if (expectedScopes.contains(scope)) {
            // "Any" policy: one matching permission is sufficient.
            return;
        }
    }
    // "All" policy: every expected scope must have been granted. Under the "any"
    // policy grantedScopes is empty, so this only passes when nothing was expected.
    if (grantedScopes.containsAll(expectedScopes)) {
        return;
    }
    LOG.warning("Scopes do not match");
    throw ExceptionUtils.toForbiddenException(null, null);
}
Also used : OAuthPermission(org.apache.cxf.rs.security.oauth2.common.OAuthPermission) OAuthContext(org.apache.cxf.rs.security.oauth2.common.OAuthContext) LinkedList(java.util.LinkedList)

Example 2 with OAuthContext

Use of org.apache.cxf.rs.security.oauth2.common.OAuthContext in the project cxf by apache.

The method getUserInfo of the class UserInfoService.

/**
 * Serves the OpenID Connect UserInfo for the subject behind the current access token.
 *
 * <p>A configured {@code userInfoProvider} takes precedence; otherwise the UserInfo is
 * taken from the {@link OidcUserSubject} (falling back to the subject's ID token). When
 * signing or encryption is required the result is returned as a JWT, otherwise as JSON.
 *
 * @return 200 with the UserInfo entity, or 500 when no UserInfo could be resolved
 */
@GET
@Produces({ "application/json", "application/jwt" })
public Response getUserInfo() {
    final OAuthContext oauth = OAuthContextUtils.getContext(mc);

    UserInfo userInfo = null;
    if (userInfoProvider != null) {
        // An explicit provider wins over whatever the subject already carries.
        userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(),
            OAuthUtils.convertPermissionsToScopeList(oauth.getPermissions()));
    } else if (oauth.getSubject() instanceof OidcUserSubject) {
        final OidcUserSubject oidcSubject = (OidcUserSubject) oauth.getSubject();
        final UserInfo fromSubject = oidcSubject.getUserInfo();
        userInfo = fromSubject != null ? fromSubject : createFromIdToken(oidcSubject.getIdToken());
    }
    if (userInfo == null) {
        // Consider customizing the error code in case of UserInfo being not available
        return Response.serverError().build();
    }

    final boolean jwtRequired = super.isJwsRequired() || super.isJweRequired();
    if (!jwtRequired) {
        // UserInfo may be returned in a clear form as JSON
        return Response.ok(convertUserInfoToResponseEntity(userInfo)).build();
    }
    // The client record (when a data provider is available) drives per-client JWS/JWE settings.
    final Client client = oauthDataProvider == null ? null : oauthDataProvider.getClient(oauth.getClientId());
    return Response.ok(super.processJwt(new JwtToken(userInfo), client)).build();
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) OAuthContext(org.apache.cxf.rs.security.oauth2.common.OAuthContext) UserInfo(org.apache.cxf.rs.security.oidc.common.UserInfo) Client(org.apache.cxf.rs.security.oauth2.common.Client) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET)

Example 3 with OAuthContext

Use of org.apache.cxf.rs.security.oauth2.common.OAuthContext in the project cxf by apache.

The method validateRequest of the class OAuthRequestFilter.

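/**
 * Validates the OAuth2 credentials on the incoming request and, on success, publishes a
 * {@link SecurityContext} and an {@link OAuthContext} on the message.
 *
 * <p>Checks run in this order: authorization header shape, token validation, audience,
 * issuer, scope/URI/verb matching, client IP binding, confidential-client policy,
 * authentication method and finally the optional certificate-bound token check. Any
 * failure aborts the request with a 401 or 403 response.
 *
 * @param m the inbound message being filtered
 * @throws javax.ws.rs.WebApplicationException (Forbidden or NotAuthorized) when the token is
 *         missing, invalid, or does not satisfy the configured constraints
 */
protected void validateRequest(Message m) {
    if (isCorsRequest(m)) {
        return;
    }
    // Get the scheme and its data, Bearer only is supported by default
    // WWW-Authenticate with the list of supported schemes will be sent back
    // if the scheme is not accepted
    final String[] authParts = getAuthorizationParts(m);
    if (authParts.length < 2) {
        throw ExceptionUtils.toForbiddenException(null, null);
    }
    final String authScheme = authParts[0];
    final String authSchemeData = authParts[1];
    // Get the access token
    final AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData, null);
    if (!accessTokenV.isInitialValidationSuccessful()) {
        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
    }
    // Check audiences
    final String validAudience = validateAudiences(accessTokenV.getAudiences());
    // Check if token was issued by the supported issuer
    if (issuer != null && !issuer.equals(accessTokenV.getTokenIssuer())) {
        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
    }
    // Find the scopes which match the current request
    final List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
    final HttpServletRequest req = getMessageContext().getHttpServletRequest();
    final List<OAuthPermission> matchingPermissions = findMatchingPermissions(req, permissions);
    // Reject when the token carries scopes but none fits this request, when every scope
    // must fit and some do not, or when a fixed set of required scopes is configured and
    // the number of matching scopes differs from it. Named booleans replace the original
    // unparenthesized && / || chain so the grouping is explicit.
    final boolean noneMatch = !permissions.isEmpty() && matchingPermissions.isEmpty();
    final boolean notAllMatch = allPermissionsMatch && matchingPermissions.size() != permissions.size();
    final boolean requiredCountMismatch = !requiredScopes.isEmpty()
        && requiredScopes.size() != matchingPermissions.size();
    if (noneMatch || notAllMatch || requiredCountMismatch) {
        LOG.warning("Client has no valid permissions");
        throw ExceptionUtils.toForbiddenException(null, null);
    }
    // Token bound to a client IP address: the caller must come from exactly that address.
    // The comparison must be negated — testing for equality here (as the original code did)
    // rejects the legitimate bound client and lets every other address through.
    final String boundIpAddress = accessTokenV.getClientIpAddress();
    if (boundIpAddress != null) {
        final String remoteAddress = getMessageContext().getHttpServletRequest().getRemoteAddr();
        if (remoteAddress == null || !boundIpAddress.equals(remoteAddress)) {
            LOG.warning("Client IP Address is invalid");
            throw ExceptionUtils.toForbiddenException(null, null);
        }
    }
    if (blockPublicClients && !accessTokenV.isClientConfidential()) {
        LOG.warning("Only Confidential Clients are supported");
        throw ExceptionUtils.toForbiddenException(null, null);
    }
    if (am != null && !am.equals(accessTokenV.getTokenSubject().getAuthenticationMethod())) {
        LOG.warning("The token has been authorized by the resource owner "
            + "using an unsupported authentication method");
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    // Check Client Certificate Binding if any
    verifyCertificateBinding(accessTokenV);
    // Create the security context and make it available on the message
    final SecurityContext sc = createSecurityContext(req, accessTokenV);
    m.put(SecurityContext.class, sc);
    // Also set the OAuthContext
    m.setContent(OAuthContext.class,
        buildOAuthContext(accessTokenV, matchingPermissions, validAudience, authParts));
}

/**
 * Selects the token permissions whose URI, HTTP verb and scope property all fit {@code req}.
 * All three checks are evaluated for every permission (no short-circuit), as before.
 *
 * @param req the current HTTP request
 * @param permissions the scopes carried by the validated token
 * @return the permissions applicable to this request, possibly empty, never {@code null}
 */
private List<OAuthPermission> findMatchingPermissions(HttpServletRequest req, List<OAuthPermission> permissions) {
    final List<OAuthPermission> matching = new ArrayList<>();
    for (OAuthPermission perm : permissions) {
        final boolean uriOK = checkRequestURI(req, perm.getUris());
        final boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
        final boolean scopeOk = checkScopeProperty(perm.getPermission());
        if (uriOK && verbOK && scopeOk) {
            matching.add(perm);
        }
    }
    return matching;
}

/**
 * Enforces certificate-bound access tokens: when the token carries an X.509 SHA-256
 * thumbprint, the TLS client certificate of the current connection must match it.
 *
 * @param accessTokenV the validated token
 * @throws javax.ws.rs.WebApplicationException (NotAuthorized) when the token is bound to a
 *         certificate but no matching TLS client certificate is present
 */
private void verifyCertificateBinding(AccessTokenValidation accessTokenV) {
    final String certThumbprint = accessTokenV.getExtraProps().get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
    if (certThumbprint == null) {
        return;
    }
    final TLSSessionInfo tlsInfo = getTlsSessionInfo();
    final X509Certificate cert = tlsInfo == null ? null : OAuthUtils.getRootTLSCertificate(tlsInfo);
    if (cert == null || !OAuthUtils.compareCertificateThumbprints(cert, certThumbprint)) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
}

/**
 * Assembles the {@link OAuthContext} exposed to downstream filters and resources.
 *
 * @param accessTokenV the validated token
 * @param matchingPermissions the permissions that apply to this request
 * @param validAudience the audience accepted by {@code validateAudiences}
 * @param authParts the scheme and scheme data of the Authorization header
 * @return the populated context
 */
private OAuthContext buildOAuthContext(AccessTokenValidation accessTokenV,
                                       List<OAuthPermission> matchingPermissions,
                                       String validAudience,
                                       String[] authParts) {
    final OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
        accessTokenV.getClientSubject(), matchingPermissions, accessTokenV.getTokenGrantType());
    oauthContext.setClientId(accessTokenV.getClientId());
    oauthContext.setClientConfidential(accessTokenV.isClientConfidential());
    oauthContext.setTokenKey(accessTokenV.getTokenKey());
    oauthContext.setTokenAudience(validAudience);
    oauthContext.setTokenIssuer(accessTokenV.getTokenIssuer());
    oauthContext.setTokenRequestParts(authParts);
    oauthContext.setTokenExtraProperties(accessTokenV.getExtraProps());
    return oauthContext;
}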
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) OAuthPermission(org.apache.cxf.rs.security.oauth2.common.OAuthPermission) ArrayList(java.util.ArrayList) SecurityContext(org.apache.cxf.security.SecurityContext) OAuthContext(org.apache.cxf.rs.security.oauth2.common.OAuthContext) AccessTokenValidation(org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) X509Certificate(java.security.cert.X509Certificate)

Aggregations

OAuthContext (org.apache.cxf.rs.security.oauth2.common.OAuthContext)3 OAuthPermission (org.apache.cxf.rs.security.oauth2.common.OAuthPermission)2 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 LinkedList (java.util.LinkedList)1 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 GET (javax.ws.rs.GET)1 Produces (javax.ws.rs.Produces)1 JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)1 AccessTokenValidation (org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation)1 Client (org.apache.cxf.rs.security.oauth2.common.Client)1 UserInfo (org.apache.cxf.rs.security.oidc.common.UserInfo)1 SecurityContext (org.apache.cxf.security.SecurityContext)1 TLSSessionInfo (org.apache.cxf.security.transport.TLSSessionInfo)1