use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project meecrowave by apache.
the class OAuth2Configurer method preCompute.
// TODO: still some missing configuration for jwt etc to add/wire from OAuth2Options
@PostConstruct
private void preCompute() {
configuration = builder.getExtension(OAuth2Options.class);
AbstractOAuthDataProvider provider;
switch(configuration.getProvider().toLowerCase(ENGLISH)) {
case "jpa":
{
if (!configuration.isAuthorizationCodeSupport()) {
// else use code impl
final JPAOAuthDataProvider jpaProvider = new JPAOAuthDataProvider();
jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
provider = jpaProvider;
break;
}
}
case "jpa-code":
{
final JPACodeDataProvider jpaProvider = new JPACodeDataProvider();
jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
provider = jpaProvider;
break;
}
case "jcache":
if (!configuration.isAuthorizationCodeSupport()) {
// else use code impl
jCacheConfigurer.doSetup(configuration);
try {
provider = new JCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus, configuration.isJcacheStoreJwtKeyOnly());
} catch (final Exception e) {
throw new IllegalStateException(e);
}
break;
}
case "jcache-code":
jCacheConfigurer.doSetup(configuration);
try {
provider = new JCacheCodeDataProvider(configuration, bus);
} catch (final Exception e) {
throw new IllegalStateException(e);
}
break;
case // not sure it makes sense since we have jcache but this one is cheap to support
"ehcache":
provider = new DefaultEHCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus);
break;
case "encrypted":
if (!configuration.isAuthorizationCodeSupport()) {
// else use code impl
provider = new DefaultEncryptingOAuthDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo()));
break;
}
case "encrypted-code":
provider = new DefaultEncryptingCodeDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo()));
break;
default:
throw new IllegalArgumentException("Unsupported oauth2 provider: " + configuration.getProvider());
}
final RefreshTokenGrantHandler refreshTokenGrantHandler = new RefreshTokenGrantHandler();
refreshTokenGrantHandler.setDataProvider(provider);
refreshTokenGrantHandler.setUseAllClientScopes(configuration.isUseAllClientScopes());
refreshTokenGrantHandler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
final ResourceOwnerLoginHandler loginHandler = configuration.isJaas() ? new JAASResourceOwnerLoginHandler() : (client, name, password) -> {
try {
request.login(name, password);
try {
final Principal pcp = request.getUserPrincipal();
final List<String> roles = GenericPrincipal.class.isInstance(pcp) ? new ArrayList<>(asList(GenericPrincipal.class.cast(pcp).getRoles())) : Collections.<String>emptyList();
final UserSubject userSubject = new UserSubject(name, roles);
userSubject.setAuthenticationMethod(PASSWORD);
return userSubject;
} finally {
request.logout();
}
} catch (final ServletException e) {
throw new AuthenticationException(e.getMessage());
}
};
final List<AccessTokenGrantHandler> handlers = new ArrayList<>();
handlers.add(refreshTokenGrantHandler);
handlers.add(new ClientCredentialsGrantHandler());
handlers.add(new ResourceOwnerGrantHandler() {
{
setLoginHandler(loginHandler);
}
});
handlers.add(new AuthorizationCodeGrantHandler());
handlers.add(new JwtBearerGrantHandler());
provider.setUseJwtFormatForAccessTokens(configuration.isUseJwtFormatForAccessTokens());
provider.setAccessTokenLifetime(configuration.getAccessTokenLifetime());
provider.setRefreshTokenLifetime(configuration.getRefreshTokenLifetime());
provider.setRecycleRefreshTokens(configuration.isRecycleRefreshTokens());
provider.setSupportPreauthorizedTokens(configuration.isSupportPreauthorizedTokens());
ofNullable(configuration.getRequiredScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setRequiredScopes);
ofNullable(configuration.getDefaultScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setDefaultScopes);
ofNullable(configuration.getInvisibleToClientScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setInvisibleToClientScopes);
ofNullable(configuration.getJwtAccessTokenClaimMap()).map(s -> new Properties() {
{
try {
load(new StringReader(s));
} catch (IOException e) {
throw new IllegalArgumentException("Bad claim map configuration, use properties syntax");
}
}
}).ifPresent(m -> provider.setJwtAccessTokenClaimMap(new HashMap<>(Map.class.cast(m))));
final OAuthDataProvider dataProvider;
if (configuration.isRefreshToken()) {
dataProvider = new RefreshTokenEnabledProvider(provider);
if (provider.getInvisibleToClientScopes() == null) {
provider.setInvisibleToClientScopes(new ArrayList<>());
}
provider.getInvisibleToClientScopes().add(OAuthConstants.REFRESH_TOKEN_SCOPE);
} else {
dataProvider = provider;
}
handlers.stream().filter(AbstractGrantHandler.class::isInstance).forEach(h -> {
final AbstractGrantHandler handler = AbstractGrantHandler.class.cast(h);
handler.setDataProvider(dataProvider);
handler.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
handler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
});
abstractTokenServiceConsumer = s -> {
// this is used @RequestScoped so ensure it is not slow for no reason
s.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
s.setWriteCustomErrors(configuration.isWriteCustomErrors());
s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
s.setDataProvider(dataProvider);
};
tokenServiceConsumer = s -> {
// this is used @RequestScoped so ensure it is not slow for no reason
abstractTokenServiceConsumer.accept(s);
s.setGrantHandlers(handlers);
};
final List<String> noConsentScopes = ofNullable(configuration.getScopesRequiringNoConsent()).map(s -> asList(s.split(","))).orElse(null);
// we prefix them oauth2.cxf. but otherwise it is the plain cxf config
final Map<String, String> contextualProperties = ofNullable(builder.getProperties()).map(Properties::stringPropertyNames).orElse(emptySet()).stream().filter(s -> s.startsWith("oauth2.cxf.rs.security.")).collect(toMap(s -> s.substring("oauth2.cxf.".length()), s -> builder.getProperties().getProperty(s)));
final JoseSessionTokenProvider sessionAuthenticityTokenProvider = new JoseSessionTokenProvider() {
private int maxDefaultSessionInterval;
private boolean jweRequired;
private JweEncryptionProvider jweEncryptor;
// workaround a NPE of 3.2.0 - https://issues.apache.org/jira/browse/CXF-7504
@Override
public String createSessionToken(final MessageContext mc, final MultivaluedMap<String, String> params, final UserSubject subject, final OAuthRedirectionState secData) {
String stateString = convertStateToString(secData);
final JwsSignatureProvider jws = getInitializedSigProvider();
final JweEncryptionProvider jwe = jweEncryptor == null ? JweUtils.loadEncryptionProvider(new JweHeaders(), jweRequired) : jweEncryptor;
if (jws == null && jwe == null) {
throw new OAuthServiceException("Session token can not be created");
}
if (jws != null) {
stateString = JwsUtils.sign(jws, stateString, null);
}
if (jwe != null) {
stateString = jwe.encrypt(StringUtils.toBytesUTF8(stateString), null);
}
return OAuthUtils.setSessionToken(mc, stateString, maxDefaultSessionInterval);
}
public void setJweEncryptor(final JweEncryptionProvider jweEncryptor) {
super.setJweEncryptor(jweEncryptor);
this.jweEncryptor = jweEncryptor;
}
@Override
public void setJweRequired(final boolean jweRequired) {
super.setJweRequired(jweRequired);
this.jweRequired = jweRequired;
}
@Override
public void setMaxDefaultSessionInterval(final int maxDefaultSessionInterval) {
super.setMaxDefaultSessionInterval(maxDefaultSessionInterval);
this.maxDefaultSessionInterval = maxDefaultSessionInterval;
}
};
sessionAuthenticityTokenProvider.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
// TODO: other configs
redirectionBasedGrantServiceConsumer = s -> {
s.setDataProvider(dataProvider);
s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
s.setUseAllClientScopes(configuration.isUseAllClientScopes());
s.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
s.setUseRegisteredRedirectUriIfPossible(configuration.isUseRegisteredRedirectUriIfPossible());
s.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
s.setMatchRedirectUriWithApplicationUri(configuration.isMatchRedirectUriWithApplicationUri());
s.setScopesRequiringNoConsent(noConsentScopes);
s.setSessionAuthenticityTokenProvider(sessionAuthenticityTokenProvider);
// TODO: make it even more contextual, client based?
final Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
contextualProperties.forEach(currentMessage::put);
};
}
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class Saml2BearerGrantHandler method createAccessToken.
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params) throws OAuthServiceException {
String assertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
if (assertion == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
try {
InputStream tokenStream = decodeAssertion(assertion);
Element token = readToken(tokenStream);
SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(token);
Message message = PhaseInterceptorChain.getCurrentMessage();
validateToken(message, assertionWrapper);
UserSubject grantSubject = getGrantSubject(message, assertionWrapper);
return doCreateAccessToken(client, grantSubject, Constants.SAML2_BEARER_GRANT, OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
} catch (OAuthServiceException ex) {
throw ex;
} catch (Exception ex) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
}
}
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class Saml2BearerGrantHandler method getGrantSubject.
protected UserSubject getGrantSubject(Message message, SamlAssertionWrapper wrapper) {
SecurityContext sc = scProvider.getSecurityContext(message, wrapper);
if (sc instanceof SAMLSecurityContext) {
SAMLSecurityContext jaxrsSc = (SAMLSecurityContext) sc;
Set<Principal> rolesP = jaxrsSc.getUserRoles();
List<String> roles = new ArrayList<>();
if (roles != null) {
for (Principal p : rolesP) {
roles.add(p.getName());
}
}
return new SamlUserSubject(jaxrsSc.getUserPrincipal().getName(), roles, jaxrsSc.getClaims());
}
return new UserSubject(sc.getUserPrincipal().getName());
}
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class JwtAccessTokenValidator method convertClaimsToValidation.
private AccessTokenValidation convertClaimsToValidation(JwtClaims claims) {
AccessTokenValidation atv = new AccessTokenValidation();
atv.setInitialValidationSuccessful(true);
String clientId = claims.getStringProperty(OAuthConstants.CLIENT_ID);
if (clientId != null) {
atv.setClientId(clientId);
}
if (claims.getIssuedAt() != null) {
atv.setTokenIssuedAt(claims.getIssuedAt());
} else {
Instant now = Instant.now();
atv.setTokenIssuedAt(now.toEpochMilli());
}
if (claims.getExpiryTime() != null) {
atv.setTokenLifetime(claims.getExpiryTime() - atv.getTokenIssuedAt());
}
List<String> audiences = claims.getAudiences();
if (audiences != null && !audiences.isEmpty()) {
atv.setAudiences(claims.getAudiences());
}
if (claims.getIssuer() != null) {
atv.setTokenIssuer(claims.getIssuer());
}
Object scope = claims.getClaim(OAuthConstants.SCOPE);
if (scope != null) {
String[] scopes = scope instanceof String ? scope.toString().split(" ") : CastUtils.cast((List<?>) scope).toArray(new String[] {});
List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
for (String s : scopes) {
if (!StringUtils.isEmpty(s)) {
perms.add(new OAuthPermission(s.trim()));
}
}
atv.setTokenScopes(perms);
}
String usernameClaimName = JwtTokenUtils.getClaimName(USERNAME_PROP, USERNAME_PROP, jwtAccessTokenClaimMap);
String username = claims.getStringProperty(usernameClaimName);
if (username != null) {
UserSubject userSubject = new UserSubject(username);
if (claims.getSubject() != null) {
userSubject.setId(claims.getSubject());
}
atv.setTokenSubject(userSubject);
} else if (claims.getSubject() != null) {
atv.setTokenSubject(new UserSubject(claims.getSubject()));
}
Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>) claims.getClaim("extra_properties"));
if (extraProperties != null) {
atv.getExtraProps().putAll(extraProperties);
}
Map<String, Object> cnfClaim = CastUtils.cast((Map<?, ?>) claims.getClaim(JwtConstants.CLAIM_CONFIRMATION));
if (cnfClaim != null) {
Object certCnf = cnfClaim.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
if (certCnf != null) {
atv.getExtraProps().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf.toString());
}
}
return atv;
}
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class JCacheOAuthDataProviderTest method testAddGetDeleteClients.
@Test
public void testAddGetDeleteClients() {
Client c = addClient("12345", "alice");
Client c2 = addClient("56789", "alice");
Client c3 = addClient("09876", "bob");
List<Client> aliceClients = provider.getClients(new UserSubject("alice"));
assertNotNull(aliceClients);
assertEquals(2, aliceClients.size());
compareClients(c, aliceClients.get(0).getClientId().equals("12345") ? aliceClients.get(0) : aliceClients.get(1));
compareClients(c2, aliceClients.get(0).getClientId().equals("56789") ? aliceClients.get(0) : aliceClients.get(1));
List<Client> bobClients = provider.getClients(new UserSubject("bob"));
assertNotNull(bobClients);
assertEquals(1, bobClients.size());
Client bobClient = bobClients.get(0);
compareClients(c3, bobClient);
List<Client> allClients = provider.getClients(null);
assertNotNull(allClients);
assertEquals(3, allClients.size());
provider.removeClient(c.getClientId());
provider.removeClient(c2.getClientId());
provider.removeClient(c3.getClientId());
allClients = provider.getClients(null);
assertNotNull(allClients);
assertEquals(0, allClients.size());
}
Aggregations