mirror of
https://repository.entgra.net/community/device-mgt-core.git
synced 2025-10-06 02:01:45 +00:00
Recomended Changes to Enabling OAuth Authentication for BackEnd Services
This commit is contained in:
Kamidu Sachith
parent
97df36842d
commit
786728b49b
@ -1,4 +1,21 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
~ Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
~
|
||||
~ WSO2 Inc. licenses this file to you under the Apache License,
|
||||
~ Version 2.0 (the "License"); you may not use this file except
|
||||
~ in compliance with the License.
|
||||
~ you may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing,
|
||||
~ software distributed under the License is distributed on an
|
||||
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
~ KIND, either express or implied. See the License for the
|
||||
~ specific language governing permissions and limitations
|
||||
~ under the License.
|
||||
-->
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
@ -16,48 +33,39 @@
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon</groupId>
|
||||
<artifactId>org.wso2.carbon.utils</artifactId>
|
||||
<version>${carbon.kernel.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon.identity</groupId>
|
||||
<artifactId>org.wso2.carbon.identity.base</artifactId>
|
||||
<version>${carbon.identity.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon.identity</groupId>
|
||||
<artifactId>org.wso2.carbon.identity.core</artifactId>
|
||||
<version>${carbon.identity.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon</groupId>
|
||||
<artifactId>org.wso2.carbon.core</artifactId>
|
||||
<version>${carbon.kernel.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon</groupId>
|
||||
<artifactId>org.wso2.carbon.logging</artifactId>
|
||||
<version>${carbon.kernel.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon.identity</groupId>
|
||||
<artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
|
||||
<version>${carbon.identity.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon</groupId>
|
||||
<artifactId>org.wso2.carbon.core.services</artifactId>
|
||||
<version>${carbon.kernel.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon.identity</groupId>
|
||||
<artifactId>org.wso2.carbon.identity.oauth</artifactId>
|
||||
<version>${carbon.identity.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon.identity</groupId>
|
||||
<artifactId>org.wso2.carbon.identity.application.common</artifactId>
|
||||
<version>${carbon.identity.version}</version>
|
||||
</dependency>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.wso2.carbon.identity</groupId>
|
||||
<artifactId>org.wso2.carbon.identity.oauth.stub</artifactId>
|
||||
@ -98,11 +106,9 @@
|
||||
<Export-Package>
|
||||
org.wso2.carbon.identity.authenticator.backend.oauth.*;
|
||||
</Export-Package>
|
||||
<DynamicImport-Package>*</DynamicImport-Package>
|
||||
</instructions>
|
||||
</instructions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
|
||||
</project>
|
||||
@ -18,7 +18,7 @@
|
||||
package org.wso2.carbon.identity.authenticator.backend.oauth;
|
||||
|
||||
/**
|
||||
*Custom exception for backend OAuth authentication
|
||||
* Custom exception for backend OAuth authentication
|
||||
*/
|
||||
@SuppressWarnings("unused")
|
||||
public class AuthenticatorException extends Exception {
|
||||
|
||||
@ -41,18 +41,24 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
|
||||
private static final Log log = LogFactory.getLog(OauthAuthenticator.class);
|
||||
private static final int PRIORITY = 5;
|
||||
private static final int ACCESS_TOKEN_INDEX = 1;
|
||||
private OAuth2TokenValidator tokenValidator;
|
||||
|
||||
private static String hostUrl = "";
|
||||
private static boolean isRemote = false;
|
||||
|
||||
static {
|
||||
public OauthAuthenticator() {
|
||||
AuthenticatorsConfiguration authenticatorsConfiguration = AuthenticatorsConfiguration.getInstance();
|
||||
AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration.getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME);
|
||||
|
||||
AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration.
|
||||
getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME);
|
||||
boolean isRemote;
|
||||
String hostUrl;
|
||||
if (authenticatorConfig != null) {
|
||||
isRemote = Boolean.parseBoolean(authenticatorConfig.getParameters().get("isRemote"));
|
||||
hostUrl = authenticatorConfig.getParameters().get("hostURL");
|
||||
|
||||
}else{
|
||||
throw new IllegalArgumentException("Configuration parameters need to be defined in Authenticators.xml");
|
||||
}
|
||||
try {
|
||||
tokenValidator = OAuthValidatorFactory.getValidator(isRemote, hostUrl);
|
||||
} catch (IllegalArgumentException e) {
|
||||
log.error("Failed to initialise Authenticator",e);
|
||||
}
|
||||
}
|
||||
|
||||
@ -65,10 +71,8 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
|
||||
public boolean isHandle(MessageContext messageContext) {
|
||||
HttpServletRequest httpServletRequest = getHttpRequest(messageContext);
|
||||
String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
|
||||
|
||||
if (headerValue != null && !headerValue.trim().isEmpty()) {
|
||||
String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR);
|
||||
|
||||
if (OauthAuthenticatorConstants.AUTHORIZATION_HEADER_PREFIX_BEARER.equals(headerPart[0])) {
|
||||
return true;
|
||||
}
|
||||
@ -88,38 +92,25 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
|
||||
public boolean isAuthenticated(MessageContext messageContext) {
|
||||
HttpServletRequest httpServletRequest = getHttpRequest(messageContext);
|
||||
String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
|
||||
//split the header value to separate the identity type and the token.
|
||||
String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR);
|
||||
String accessToken = headerPart[ACCESS_TOKEN_INDEX];
|
||||
OAuth2TokenValidator tokenValidator = OAuthValidatorFactory.getValidator(isRemote,hostUrl);
|
||||
|
||||
if (tokenValidator == null) {
|
||||
log.error("OAuthValidationFactory failed to return a validator",
|
||||
new AuthenticatorException("OAuthValidatorFactory Failed to determine the validator"));
|
||||
return false;
|
||||
}
|
||||
|
||||
OAuthValidationRespond respond = null;
|
||||
OAuthValidationRespond response = null;
|
||||
try {
|
||||
respond = tokenValidator.validateToken(accessToken);
|
||||
response = tokenValidator.validateToken(accessToken);
|
||||
} catch (RemoteException e) {
|
||||
log.error("Failed to validate the OAuth token provided.", e);
|
||||
}
|
||||
|
||||
if (respond != null && respond.isValid()) {
|
||||
if (response != null && response.isValid()) {
|
||||
HttpSession session;
|
||||
|
||||
if ((session = httpServletRequest.getSession(false)) != null) {
|
||||
session.setAttribute(MultitenantConstants.TENANT_DOMAIN, respond.getTenantDomain());
|
||||
session.setAttribute(ServerConstants.USER_LOGGED_IN, respond.getUserName());
|
||||
|
||||
session.setAttribute(MultitenantConstants.TENANT_DOMAIN, response.getTenantDomain());
|
||||
session.setAttribute(ServerConstants.USER_LOGGED_IN, response.getUserName());
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Authentication successful for " + session.getAttribute(ServerConstants.USER_LOGGED_IN));
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
if (log.isDebugEnabled()) {
|
||||
log.debug("Authentication failed.Illegal attempt from session " + httpServletRequest.getSession().getId());
|
||||
}
|
||||
|
||||
@ -20,6 +20,7 @@ package org.wso2.carbon.identity.authenticator.backend.oauth.validator;
|
||||
/**
|
||||
* This class hold the validation information which can be retrieve by both remote and in house IDPs
|
||||
*/
|
||||
@SuppressWarnings("unused")
|
||||
public class OAuthValidationRespond {
|
||||
private String userName;
|
||||
private String tenantDomain;
|
||||
|
||||
@ -17,34 +17,28 @@
|
||||
*/
|
||||
package org.wso2.carbon.identity.authenticator.backend.oauth.validator;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.AuthenticatorException;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.ExternalOAuthValidator;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.LocalOAuthValidator;
|
||||
|
||||
/**
|
||||
* the class validate the configurations and provide the most suitable implementation according to the configuration.
|
||||
* The class validate the configurations and provide the most suitable implementation according to the configuration.
|
||||
* Factory class for OAuthValidator.
|
||||
*/
|
||||
public class OAuthValidatorFactory {
|
||||
private static Log log = LogFactory.getLog(OAuthValidatorFactory.class);
|
||||
|
||||
/**
|
||||
* the method check the configuration and provide the appropriate implementation for OAuth2TokenValidator
|
||||
*
|
||||
* The method check the configuration and provide the appropriate implementation for OAuth2TokenValidator
|
||||
* @return OAuth2TokenValidator
|
||||
*/
|
||||
public static OAuth2TokenValidator getValidator(boolean isRemote ,String hostURL) {
|
||||
if(isRemote){
|
||||
if(!(hostURL == null || hostURL.trim().isEmpty())){
|
||||
public static OAuth2TokenValidator getValidator(boolean isRemote, String hostURL) throws IllegalArgumentException {
|
||||
if (isRemote) {
|
||||
if (!(hostURL == null || hostURL.trim().isEmpty())) {
|
||||
hostURL = hostURL + OauthAuthenticatorConstants.OAUTH_ENDPOINT_POSTFIX;
|
||||
return new ExternalOAuthValidator(hostURL);
|
||||
}else {
|
||||
log.error("IDP Configuration error",
|
||||
new AuthenticatorException("Remote server name and ip both can't be empty"));
|
||||
return null;
|
||||
} else {
|
||||
throw new IllegalArgumentException("Remote server name and ip both can't be empty");
|
||||
}
|
||||
}
|
||||
return new LocalOAuthValidator();
|
||||
|
||||
@ -21,15 +21,14 @@ import org.apache.axis2.client.Options;
|
||||
import org.apache.axis2.client.ServiceClient;
|
||||
import org.apache.axis2.transport.http.HTTPConstants;
|
||||
import org.apache.commons.httpclient.Header;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond;
|
||||
import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
|
||||
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2ClientApplicationDTO;
|
||||
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
|
||||
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
|
||||
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_TokenValidationContextParam;
|
||||
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
|
||||
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond;
|
||||
|
||||
import java.rmi.RemoteException;
|
||||
import java.util.ArrayList;
|
||||
@ -37,8 +36,7 @@ import java.util.List;
|
||||
|
||||
/**
|
||||
* Handles the Authentication form external IDP servers.
|
||||
* Currently only supports WSO2 IS.
|
||||
* External IDP support is planned for future.
|
||||
* Currently only supports WSO@ IS
|
||||
*/
|
||||
public class ExternalOAuthValidator implements OAuth2TokenValidator{
|
||||
protected String hostURL ;
|
||||
@ -54,20 +52,11 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{
|
||||
* @return OAuthValidationRespond with the validated results.
|
||||
*/
|
||||
public OAuthValidationRespond validateToken(String token) throws RemoteException {
|
||||
|
||||
// create an OAuth token validating request DTO
|
||||
OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO();
|
||||
|
||||
// create access token object to validate and populate it
|
||||
OAuth2TokenValidationRequestDTO_OAuth2AccessToken accessToken =
|
||||
new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
|
||||
accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE);
|
||||
accessToken.setIdentifier(token);
|
||||
OAuth2TokenValidationRequestDTO_TokenValidationContextParam tokenValidationContextParam[] =
|
||||
new OAuth2TokenValidationRequestDTO_TokenValidationContextParam[1];
|
||||
validationRequest.setContext(tokenValidationContextParam);
|
||||
|
||||
//set the token to the validation request
|
||||
validationRequest.setAccessToken(accessToken);
|
||||
OAuth2TokenValidationServiceStub validationService =
|
||||
new OAuth2TokenValidationServiceStub(hostURL);
|
||||
@ -85,14 +74,12 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{
|
||||
boolean isValid = respond.getAccessTokenValidationResponse().getValid();
|
||||
String userName = null;
|
||||
String tenantDomain = null;
|
||||
|
||||
if(isValid){
|
||||
userName = MultitenantUtils.getTenantAwareUsername(
|
||||
respond.getAccessTokenValidationResponse().getAuthorizedUser());
|
||||
tenantDomain =
|
||||
MultitenantUtils.getTenantDomain(respond.getAccessTokenValidationResponse().getAuthorizedUser());
|
||||
}
|
||||
|
||||
return new OAuthValidationRespond(userName,tenantDomain,isValid);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,4 +1,3 @@
|
||||
|
||||
/*
|
||||
* Copyright (c) 2015 WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
*
|
||||
@ -38,19 +37,11 @@ public class LocalOAuthValidator implements OAuth2TokenValidator {
|
||||
* @return OAuthValidationRespond with the validated results.
|
||||
*/
|
||||
public OAuthValidationRespond validateToken(String token) {
|
||||
// create an OAuth token validating request DTO
|
||||
OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO();
|
||||
// create access token object to validate and populate it
|
||||
OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken =
|
||||
validationRequest.new OAuth2AccessToken();
|
||||
accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE);
|
||||
accessToken.setIdentifier(token);
|
||||
//the workaround till the version is upgraded in both is and EMM to be the same.
|
||||
OAuth2TokenValidationRequestDTO.TokenValidationContextParam tokenValidationContextParam[] =
|
||||
new OAuth2TokenValidationRequestDTO.TokenValidationContextParam[1];
|
||||
//==
|
||||
validationRequest.setContext(tokenValidationContextParam);
|
||||
//set the token to the validation request
|
||||
validationRequest.setAccessToken(accessToken);
|
||||
OAuth2TokenValidationService validationService = new OAuth2TokenValidationService();
|
||||
OAuth2ClientApplicationDTO respond = validationService.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user