From 786728b49b978dd82021e828f49f7010f554082f Mon Sep 17 00:00:00 2001 From: Kamidu Sachith Date: Thu, 8 Oct 2015 17:54:49 +0530 Subject: [PATCH] Recomended Changes to Enabling OAuth Authentication for BackEnd Services --- .../backend-oauth-authenticator/pom.xml | 48 +++++++++++-------- .../backend/oauth/AuthenticatorException.java | 2 +- .../backend/oauth/OauthAuthenticator.java | 45 +++++++---------- .../validator/OAuthValidationRespond.java | 1 + .../validator/OAuthValidatorFactory.java | 20 +++----- .../impl/ExternalOAuthValidator.java | 21 ++------ .../validator/impl/LocalOAuthValidator.java | 9 ---- 7 files changed, 58 insertions(+), 88 deletions(-) diff --git a/components/identity-extensions/backend-oauth-authenticator/pom.xml b/components/identity-extensions/backend-oauth-authenticator/pom.xml index ac4bc382e5..37cc5274f6 100644 --- a/components/identity-extensions/backend-oauth-authenticator/pom.xml +++ b/components/identity-extensions/backend-oauth-authenticator/pom.xml @@ -1,4 +1,21 @@ + @@ -16,48 +33,39 @@ org.wso2.carbon org.wso2.carbon.utils - ${carbon.kernel.version} - + org.wso2.carbon.identity org.wso2.carbon.identity.base - ${carbon.identity.version} - + org.wso2.carbon.identity org.wso2.carbon.identity.core - ${carbon.identity.version} - + org.wso2.carbon org.wso2.carbon.core - ${carbon.kernel.version} - + org.wso2.carbon org.wso2.carbon.logging - ${carbon.kernel.version} - + org.wso2.carbon.identity org.wso2.carbon.identity.application.authentication.framework - ${carbon.identity.version} - + org.wso2.carbon org.wso2.carbon.core.services - ${carbon.kernel.version} - + org.wso2.carbon.identity org.wso2.carbon.identity.oauth - ${carbon.identity.version} - + org.wso2.carbon.identity org.wso2.carbon.identity.application.common - ${carbon.identity.version} - + org.wso2.carbon.identity org.wso2.carbon.identity.oauth.stub @@ -98,11 +106,9 @@ org.wso2.carbon.identity.authenticator.backend.oauth.*; - * - + - \ No newline at end of file diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/AuthenticatorException.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/AuthenticatorException.java index 05bc3d69f7..42eafd7888 100755 --- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/AuthenticatorException.java +++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/AuthenticatorException.java @@ -18,7 +18,7 @@ package org.wso2.carbon.identity.authenticator.backend.oauth; /** - *Custom exception for backend OAuth authentication + * Custom exception for backend OAuth authentication */ @SuppressWarnings("unused") public class AuthenticatorException extends Exception { diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/OauthAuthenticator.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/OauthAuthenticator.java index 43877ba832..adfcf71214 100755 --- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/OauthAuthenticator.java +++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/OauthAuthenticator.java @@ -41,18 +41,24 @@ public class OauthAuthenticator implements CarbonServerAuthenticator { private static final Log log = LogFactory.getLog(OauthAuthenticator.class); private static final int PRIORITY = 5; private static final int ACCESS_TOKEN_INDEX = 1; + private OAuth2TokenValidator tokenValidator; - private static String hostUrl = ""; - private static boolean isRemote = false; - - static { + public OauthAuthenticator() { AuthenticatorsConfiguration authenticatorsConfiguration = AuthenticatorsConfiguration.getInstance(); - AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration.getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME); - + AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration. + getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME); + boolean isRemote; + String hostUrl; if (authenticatorConfig != null) { isRemote = Boolean.parseBoolean(authenticatorConfig.getParameters().get("isRemote")); hostUrl = authenticatorConfig.getParameters().get("hostURL"); - + }else{ + throw new IllegalArgumentException("Configuration parameters need to be defined in Authenticators.xml"); + } + try { + tokenValidator = OAuthValidatorFactory.getValidator(isRemote, hostUrl); + } catch (IllegalArgumentException e) { + log.error("Failed to initialise Authenticator",e); } } @@ -65,10 +71,8 @@ public class OauthAuthenticator implements CarbonServerAuthenticator { public boolean isHandle(MessageContext messageContext) { HttpServletRequest httpServletRequest = getHttpRequest(messageContext); String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION); - if (headerValue != null && !headerValue.trim().isEmpty()) { String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR); - if (OauthAuthenticatorConstants.AUTHORIZATION_HEADER_PREFIX_BEARER.equals(headerPart[0])) { return true; } @@ -88,38 +92,25 @@ public class OauthAuthenticator implements CarbonServerAuthenticator { public boolean isAuthenticated(MessageContext messageContext) { HttpServletRequest httpServletRequest = getHttpRequest(messageContext); String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION); - //split the header value to separate the identity type and the token. String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR); String accessToken = headerPart[ACCESS_TOKEN_INDEX]; - OAuth2TokenValidator tokenValidator = OAuthValidatorFactory.getValidator(isRemote,hostUrl); - - if (tokenValidator == null) { - log.error("OAuthValidationFactory failed to return a validator", - new AuthenticatorException("OAuthValidatorFactory Failed to determine the validator")); - return false; - } - - OAuthValidationRespond respond = null; + OAuthValidationRespond response = null; try { - respond = tokenValidator.validateToken(accessToken); + response = tokenValidator.validateToken(accessToken); } catch (RemoteException e) { log.error("Failed to validate the OAuth token provided.", e); } - - if (respond != null && respond.isValid()) { + if (response != null && response.isValid()) { HttpSession session; - if ((session = httpServletRequest.getSession(false)) != null) { - session.setAttribute(MultitenantConstants.TENANT_DOMAIN, respond.getTenantDomain()); - session.setAttribute(ServerConstants.USER_LOGGED_IN, respond.getUserName()); - + session.setAttribute(MultitenantConstants.TENANT_DOMAIN, response.getTenantDomain()); + session.setAttribute(ServerConstants.USER_LOGGED_IN, response.getUserName()); if (log.isDebugEnabled()) { log.debug("Authentication successful for " + session.getAttribute(ServerConstants.USER_LOGGED_IN)); } } return true; } - if (log.isDebugEnabled()) { log.debug("Authentication failed.Illegal attempt from session " + httpServletRequest.getSession().getId()); } diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidationRespond.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidationRespond.java index 1e45aa5923..346ac2ac30 100755 --- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidationRespond.java +++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidationRespond.java @@ -20,6 +20,7 @@ package org.wso2.carbon.identity.authenticator.backend.oauth.validator; /** * This class hold the validation information which can be retrieve by both remote and in house IDPs */ +@SuppressWarnings("unused") public class OAuthValidationRespond { private String userName; private String tenantDomain; diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidatorFactory.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidatorFactory.java index e3dab669c6..bb88d98f7e 100755 --- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidatorFactory.java +++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidatorFactory.java @@ -17,34 +17,28 @@ */ package org.wso2.carbon.identity.authenticator.backend.oauth.validator; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; import org.wso2.carbon.identity.authenticator.backend.oauth.AuthenticatorException; import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants; import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.ExternalOAuthValidator; import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.LocalOAuthValidator; /** - * the class validate the configurations and provide the most suitable implementation according to the configuration. + * The class validate the configurations and provide the most suitable implementation according to the configuration. * Factory class for OAuthValidator. */ public class OAuthValidatorFactory { - private static Log log = LogFactory.getLog(OAuthValidatorFactory.class); /** - * the method check the configuration and provide the appropriate implementation for OAuth2TokenValidator - * + * The method check the configuration and provide the appropriate implementation for OAuth2TokenValidator * @return OAuth2TokenValidator */ - public static OAuth2TokenValidator getValidator(boolean isRemote ,String hostURL) { - if(isRemote){ - if(!(hostURL == null || hostURL.trim().isEmpty())){ + public static OAuth2TokenValidator getValidator(boolean isRemote, String hostURL) throws IllegalArgumentException { + if (isRemote) { + if (!(hostURL == null || hostURL.trim().isEmpty())) { hostURL = hostURL + OauthAuthenticatorConstants.OAUTH_ENDPOINT_POSTFIX; return new ExternalOAuthValidator(hostURL); - }else { - log.error("IDP Configuration error", - new AuthenticatorException("Remote server name and ip both can't be empty")); - return null; + } else { + throw new IllegalArgumentException("Remote server name and ip both can't be empty"); } } return new LocalOAuthValidator(); diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java index 4a337e9a9c..0c0836165e 100755 --- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java +++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java @@ -21,15 +21,14 @@ import org.apache.axis2.client.Options; import org.apache.axis2.client.ServiceClient; import org.apache.axis2.transport.http.HTTPConstants; import org.apache.commons.httpclient.Header; +import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants; +import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator; +import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond; import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub; import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2ClientApplicationDTO; import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO; import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken; -import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_TokenValidationContextParam; import org.wso2.carbon.utils.multitenancy.MultitenantUtils; -import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants; -import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator; -import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond; import java.rmi.RemoteException; import java.util.ArrayList; @@ -37,8 +36,7 @@ import java.util.List; /** * Handles the Authentication form external IDP servers. - * Currently only supports WSO2 IS. - * External IDP support is planned for future. + * Currently only supports WSO@ IS */ public class ExternalOAuthValidator implements OAuth2TokenValidator{ protected String hostURL ; @@ -54,20 +52,11 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{ * @return OAuthValidationRespond with the validated results. */ public OAuthValidationRespond validateToken(String token) throws RemoteException { - - // create an OAuth token validating request DTO OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO(); - - // create access token object to validate and populate it OAuth2TokenValidationRequestDTO_OAuth2AccessToken accessToken = new OAuth2TokenValidationRequestDTO_OAuth2AccessToken(); accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE); accessToken.setIdentifier(token); - OAuth2TokenValidationRequestDTO_TokenValidationContextParam tokenValidationContextParam[] = - new OAuth2TokenValidationRequestDTO_TokenValidationContextParam[1]; - validationRequest.setContext(tokenValidationContextParam); - - //set the token to the validation request validationRequest.setAccessToken(accessToken); OAuth2TokenValidationServiceStub validationService = new OAuth2TokenValidationServiceStub(hostURL); @@ -85,14 +74,12 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{ boolean isValid = respond.getAccessTokenValidationResponse().getValid(); String userName = null; String tenantDomain = null; - if(isValid){ userName = MultitenantUtils.getTenantAwareUsername( respond.getAccessTokenValidationResponse().getAuthorizedUser()); tenantDomain = MultitenantUtils.getTenantDomain(respond.getAccessTokenValidationResponse().getAuthorizedUser()); } - return new OAuthValidationRespond(userName,tenantDomain,isValid); } } diff --git a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java index d81e7f3531..ea7edf1d13 100755 --- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java +++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java @@ -1,4 +1,3 @@ - /* * Copyright (c) 2015 WSO2 Inc. (http://www.wso2.org) All Rights Reserved. * @@ -38,19 +37,11 @@ public class LocalOAuthValidator implements OAuth2TokenValidator { * @return OAuthValidationRespond with the validated results. */ public OAuthValidationRespond validateToken(String token) { - // create an OAuth token validating request DTO OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO(); - // create access token object to validate and populate it OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken = validationRequest.new OAuth2AccessToken(); accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE); accessToken.setIdentifier(token); - //the workaround till the version is upgraded in both is and EMM to be the same. - OAuth2TokenValidationRequestDTO.TokenValidationContextParam tokenValidationContextParam[] = - new OAuth2TokenValidationRequestDTO.TokenValidationContextParam[1]; - //== - validationRequest.setContext(tokenValidationContextParam); - //set the token to the validation request validationRequest.setAccessToken(accessToken); OAuth2TokenValidationService validationService = new OAuth2TokenValidationService(); OAuth2ClientApplicationDTO respond = validationService.