Package org.apache.cxf.rs.security.oauth2.common

Examples of org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation


        if (isCorsRequest(m)) {
            return;
        }
       
        // Get the access token
        AccessTokenValidation accessTokenV = getAccessTokenValidation();
       
        // Find the scopes which match the current request
       
        List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
        List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
       
        HttpServletRequest req = getMessageContext().getHttpServletRequest();
        for (OAuthPermission perm : permissions) {
            boolean uriOK = checkRequestURI(req, perm.getUris());
            boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
            if (uriOK && verbOK) {
                matchingPermissions.add(perm);
            }
        }
       
        if (permissions.size() > 0 && matchingPermissions.isEmpty()) {
            String message = "Client has no valid permissions";
            LOG.warning(message);
            throw new WebApplicationException(403);
        }
     
        // Create the security context and make it available on the message
        SecurityContext sc = createSecurityContext(req, accessTokenV);
        m.put(SecurityContext.class, sc);
       
        // Also set the OAuthContext
        OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
                                                     accessTokenV.getClientSubject(),
                                                     matchingPermissions,
                                                     accessTokenV.getTokenGrantType());
       
        oauthContext.setClientId(accessTokenV.getClientId());
        oauthContext.setTokenKey(accessTokenV.getTokenKey());
        oauthContext.setTokenAudience(accessTokenV.getAudience());
       
        m.setContent(OAuthContext.class, oauthContext);
    }
View Full Code Here


   
    /**
     * Get the access token
     */
    protected AccessTokenValidation getAccessTokenValidation() {
        AccessTokenValidation accessTokenV = null;
        if (dataProvider == null && tokenHandlers.isEmpty()) {
            throw new WebApplicationException(500);
        }
       
        // Get the scheme and its data, Bearer only is supported by default
        // WWW-Authenticate with the list of supported schemes will be sent back
        // if the scheme is not accepted
        String[] authParts = AuthorizationUtils.getAuthorizationParts(mc, supportedSchemes);
        String authScheme = authParts[0];
        String authSchemeData = authParts[1];
       
        // Get the registered handler capable of processing the token
        AccessTokenValidator handler = findTokenValidator(authScheme);
        if (handler != null) {
            try {
                // Convert the HTTP Authorization scheme data into a token
                accessTokenV = handler.validateAccessToken(authScheme, authSchemeData);
            } catch (OAuthServiceException ex) {
                AuthorizationUtils.throwAuthorizationFailure(
                    Collections.singleton(authScheme));
            }
        }
        // Default processing if no registered providers available
        ServerAccessToken localAccessToken = null;
        if (accessTokenV == null && dataProvider != null && authScheme.equals(DEFAULT_AUTH_SCHEME)) {
            try {
                localAccessToken = dataProvider.getAccessToken(authSchemeData);
            } catch (OAuthServiceException ex) {
                // to be handled next
            }
            if (localAccessToken == null) {
                AuthorizationUtils.throwAuthorizationFailure(
                    Collections.singleton(authScheme));
            }
            accessTokenV = new AccessTokenValidation(localAccessToken);
        }
        if (accessTokenV == null) {
            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
        }
        // Check if token is still valid
        if (OAuthUtils.isExpired(accessTokenV.getTokenIssuedAt(), accessTokenV.getTokenLifetime())) {
            if (localAccessToken != null) {
                dataProvider.removeAccessToken(localAccessToken);
            }
            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
        }
View Full Code Here

        MacAuthorizationScheme macAuthInfo = new MacAuthorizationScheme(httpProps, schemeParams);
       
        MacAccessToken macAccessToken = validateSchemeData(macAuthInfo,
                                                           schemeParams.get(OAuthConstants.MAC_TOKEN_SIGNATURE));
        validateTimestampNonce(macAccessToken, macAuthInfo.getTimestamp(), macAuthInfo.getNonce());
        return new AccessTokenValidation(macAccessToken);
    }
View Full Code Here

        EasyMock.expect(messageContext.getHttpServletRequest()).andReturn(httpRequest);
        EasyMock.expect(messageContext.getUriInfo()).andReturn(uriInfo);
        EasyMock.replay(dataProvider, messageContext, httpRequest, uriInfo);
   
        String authData = getClientAuthHeader(macAccessToken);
        AccessTokenValidation tokenValidation = validator
            .validateAccessToken(messageContext,
                                 OAuthConstants.MAC_AUTHORIZATION_SCHEME,
                                 authData.split(" ")[1]);
        assertNotNull(tokenValidation);
        EasyMock.verify(dataProvider, messageContext, httpRequest);
View Full Code Here

        EasyMock.expect(messageContext.getHttpServletRequest()).andReturn(httpRequest);
        EasyMock.expect(messageContext.getUriInfo()).andReturn(uriInfo);
        EasyMock.replay(dataProvider, messageContext, httpRequest, uriInfo);
   
        String authData = getClientAuthHeader(macAccessToken);
        AccessTokenValidation tokenValidation = validator
            .validateAccessToken(messageContext,
                                 OAuthConstants.MAC_AUTHORIZATION_SCHEME,
                                 authData.split(" ")[1]);
        assertNotNull(tokenValidation);
        EasyMock.verify(dataProvider, messageContext, httpRequest);
View Full Code Here

        if (isCorsRequest(m)) {
            return null;
        }
       
        // Get the access token
        AccessTokenValidation accessTokenV = getAccessTokenValidation();
       
        // Find the scopes which match the current request
       
        List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
        List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
       
        HttpServletRequest req = getMessageContext().getHttpServletRequest();
        for (OAuthPermission perm : permissions) {
            boolean uriOK = checkRequestURI(req, perm.getUris());
            boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
            if (uriOK && verbOK) {
                matchingPermissions.add(perm);
            }
        }
       
        if (permissions.size() > 0 && matchingPermissions.isEmpty()) {
            String message = "Client has no valid permissions";
            LOG.warning(message);
            throw new WebApplicationException(403);
        }
     
        // Create the security context and make it available on the message
        SecurityContext sc = createSecurityContext(req, accessTokenV);
        m.put(SecurityContext.class, sc);
       
        // Also set the OAuthContext
        OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
                                                     accessTokenV.getClientSubject(),
                                                     matchingPermissions,
                                                     accessTokenV.getTokenGrantType());
       
        oauthContext.setClientId(accessTokenV.getClientId());
        oauthContext.setTokenKey(accessTokenV.getTokenKey());
       
        m.setContent(OAuthContext.class, oauthContext);
       
        return null;
    }
View Full Code Here

        String[] authParts = getAuthorizationParts(m);
        String authScheme = authParts[0];
        String authSchemeData = authParts[1];
       
        // Get the access token
        AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData);
       
        // Find the scopes which match the current request
       
        List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
        List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
       
        HttpServletRequest req = getMessageContext().getHttpServletRequest();
        for (OAuthPermission perm : permissions) {
            boolean uriOK = checkRequestURI(req, perm.getUris());
            boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
            if (uriOK && verbOK) {
                matchingPermissions.add(perm);
            }
        }
       
        if (permissions.size() > 0 && matchingPermissions.isEmpty()) {
            String message = "Client has no valid permissions";
            LOG.warning(message);
            throw new WebApplicationException(403);
        }
     
        // Create the security context and make it available on the message
        SecurityContext sc = createSecurityContext(req, accessTokenV);
        m.put(SecurityContext.class, sc);
       
        // Also set the OAuthContext
        OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
                                                     accessTokenV.getClientSubject(),
                                                     matchingPermissions,
                                                     accessTokenV.getTokenGrantType());
       
        oauthContext.setClientId(accessTokenV.getClientId());
        oauthContext.setTokenKey(accessTokenV.getTokenKey());
        oauthContext.setTokenAudience(accessTokenV.getAudience());
       
        m.setContent(OAuthContext.class, oauthContext);
    }
View Full Code Here

        String[] authParts = getAuthorizationParts(m);
        String authScheme = authParts[0];
        String authSchemeData = authParts[1];
       
        // Get the access token
        AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData);
       
        // Find the scopes which match the current request
       
        List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
        List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
       
        HttpServletRequest req = getMessageContext().getHttpServletRequest();
        for (OAuthPermission perm : permissions) {
            boolean uriOK = checkRequestURI(req, perm.getUris());
            boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
            if (uriOK && verbOK) {
                matchingPermissions.add(perm);
            }
        }
       
        if (permissions.size() > 0 && matchingPermissions.isEmpty()) {
            String message = "Client has no valid permissions";
            LOG.warning(message);
            throw new WebApplicationException(403);
        }
     
        // Create the security context and make it available on the message
        SecurityContext sc = createSecurityContext(req, accessTokenV);
        m.put(SecurityContext.class, sc);
       
        // Also set the OAuthContext
        OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(),
                                                     accessTokenV.getClientSubject(),
                                                     matchingPermissions,
                                                     accessTokenV.getTokenGrantType());
       
        oauthContext.setClientId(accessTokenV.getClientId());
        oauthContext.setTokenKey(accessTokenV.getTokenKey());
        oauthContext.setTokenAudience(accessTokenV.getAudience());
       
        m.setContent(OAuthContext.class, oauthContext);
    }
View Full Code Here

        HawkAuthorizationScheme macAuthInfo = new HawkAuthorizationScheme(httpProps, schemeParams);
       
        HawkAccessToken macAccessToken = validateSchemeData(macAuthInfo,
                                                           schemeParams.get(OAuthConstants.HAWK_TOKEN_SIGNATURE));
        validateTimestampNonce(macAccessToken, macAuthInfo.getTimestamp(), macAuthInfo.getNonce());
        return new AccessTokenValidation(macAccessToken);
    }
View Full Code Here

   
    /**
     * Get the access token
     */
    protected AccessTokenValidation getAccessTokenValidation() {
        AccessTokenValidation accessTokenV = null;
        if (dataProvider == null && tokenHandlers.isEmpty()) {
            throw new InternalServerErrorException();
        }
       
        // Get the scheme and its data, Bearer only is supported by default
        // WWW-Authenticate with the list of supported schemes will be sent back
        // if the scheme is not accepted
        String[] authParts = AuthorizationUtils.getAuthorizationParts(mc, supportedSchemes);
        String authScheme = authParts[0];
        String authSchemeData = authParts[1];
       
        // Get the registered handler capable of processing the token
        AccessTokenValidator handler = findTokenValidator(authScheme);
        if (handler != null) {
            try {
                // Convert the HTTP Authorization scheme data into a token
                accessTokenV = handler.validateAccessToken(mc, authScheme, authSchemeData);
            } catch (OAuthServiceException ex) {
                AuthorizationUtils.throwAuthorizationFailure(
                    Collections.singleton(authScheme));
            }
        }
        // Default processing if no registered providers available
        ServerAccessToken localAccessToken = null;
        if (accessTokenV == null && dataProvider != null && authScheme.equals(DEFAULT_AUTH_SCHEME)) {
            try {
                localAccessToken = dataProvider.getAccessToken(authSchemeData);
            } catch (OAuthServiceException ex) {
                // to be handled next
            }
            if (localAccessToken == null) {
                AuthorizationUtils.throwAuthorizationFailure(
                    Collections.singleton(authScheme));
            }
            accessTokenV = new AccessTokenValidation(localAccessToken);
        }
        if (accessTokenV == null) {
            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
        }
        // Check if token is still valid
        if (OAuthUtils.isExpired(accessTokenV.getTokenIssuedAt(), accessTokenV.getTokenLifetime())) {
            if (localAccessToken != null) {
                dataProvider.removeAccessToken(localAccessToken);
            }
            AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
        }
View Full Code Here

TOP

Related Classes of org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.