roles granted by introspection token services are now configurable (and extendable) via service, addresses #386

pull/419/merge
Justin Richer 2013-07-16 16:59:43 -04:00
parent 35d1e1b6d4
commit 67fd5fa7e9
4 changed files with 73 additions and 2 deletions


@ -23,7 +23,6 @@ import java.util.Map;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -50,6 +49,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
private String clientId;
private String clientSecret;
private IntrospectionUrlProvider introspectionUrlProvider;
private IntrospectionAuthorityGranter introspectionAuthorityGranter = new SimpleIntrospectionAuthorityGranter();
// Inner class to store in the hash map
private class TokenCacheObject {
@ -117,7 +117,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
// create a default authentication object with authority ROLE_API
private Authentication createAuthentication(JsonObject token) {
// TODO: make role/authority configurable somehow
return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), null, AuthorityUtils.createAuthorityList("ROLE_API"));
return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
}
private OAuth2AccessToken createAccessToken(final JsonObject token, final String tokenString) {
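Review bot: The new `introspectionAuthorityGranter` field in the second hunk has no setter, so despite the commit title the granter cannot be swapped from bean configuration; the diffstat (73 additions, of which the two new files and the url-provider hunks account for 71) leaves only the field and the changed return line for this class, so I do not think a setter was added in the part of the class outside the hunks. Add `public void setIntrospectionAuthorityGranter(IntrospectionAuthorityGranter granter) { this.introspectionAuthorityGranter = granter; }` alongside the other fields' accessors. The context comments in the third hunk, `// create a default authentication object with authority ROLE_API` and `// TODO: make role/authority configurable somehow`, now describe the old behaviour and should be replaced with one line such as `// build the authentication from the introspection response; the configured granter decides the authorities`. Note also that the replaced return line now stores the whole introspection response as the token's credentials where `null` was passed before, so anything that logs or serializes the `Authentication` will carry that JSON; if that is not intended, keep passing `null` there.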


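--- /dev/null
+++ b/org/mitre/oauth2/introspectingfilter/IntrospectionAuthorityGranter.java
@@ -0,0 +1,20 @@
+/**
+ *
+ */
+package org.mitre.oauth2.introspectingfilter;
+import java.util.List;
+import org.springframework.security.core.GrantedAuthority;
+import com.google.gson.JsonObject;
+/**
+ * @author jricher
+ *
+ */
+public interface IntrospectionAuthorityGranter {
+public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse);
+}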
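Review bot: `getAuthorities` in the new interface carries no contract, so implementors cannot tell whether `null` is an acceptable return or whether the caller may mutate the list; since `IntrospectingTokenService` hands the result straight to an authentication token, I would pin this down in Javadoc. Suggested text: `/** Decides which authorities to grant for a successfully introspected token. @param introspectionResponse the parsed JSON introspection response, never null @return the authorities to grant; must not be null (return an empty list to grant none) */`. The empty `/** */` block above the package declaration should either get the header text it was meant for or be dropped.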


@ -4,6 +4,8 @@
package org.mitre.oauth2.introspectingfilter;
import java.text.ParseException;
import java.util.HashSet;
import java.util.Set;
import org.mitre.openid.connect.client.service.ServerConfigurationService;
import org.mitre.openid.connect.config.ServerConfiguration;
@ -50,6 +52,9 @@ public class JWTParsingIntrospectionUrlProvider implements IntrospectionUrlProvi
String issuer = jwt.getJWTClaimsSet().getIssuer();
if (!Strings.isNullOrEmpty(issuer)) {
ServerConfiguration server = serverConfigurationService.getServerConfiguration(issuer);
if (server != null) {
if (!Strings.isNullOrEmpty(server.getIntrospectionEndpointUri())) {
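Review bot: The `issuer` value at the top of this hunk is read from the claims of a JWT that, as far as the hunk shows, has only been parsed and not verified, so it is caller-supplied input used to select a `ServerConfiguration`; that is safe only if `serverConfigurationService` resolves a fixed set of already-trusted issuers rather than fetching configuration for whatever issuer the token names, and the method should say so. I would add above the lookup `// issuer comes from an unverified token: the service must only return configurations for issuers we already trust`. The `HashSet`/`Set` imports added in the first hunk have no visible use in the shown lines; if the usage sits in the part of the second hunk that the rendering dropped that is fine, otherwise they are dead imports. The enclosing method starts and ends outside the hunk.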


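--- /dev/null
+++ b/org/mitre/oauth2/introspectingfilter/SimpleIntrospectionAuthorityGranter.java
@@ -0,0 +1,46 @@
+/**
+ *
+ */
+package org.mitre.oauth2.introspectingfilter;
+import java.util.List;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import com.google.gson.JsonObject;
+/**
+ *
+ * Grants the same set of authorities no matter what's passed in.
+ *
+ * @author jricher
+ *
+ */
+public class SimpleIntrospectionAuthorityGranter implements IntrospectionAuthorityGranter {
+private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_API");
+/* (non-Javadoc)
+ * @see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(net.minidev.json.JSONObject)
+ */
+@Override
+public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse) {
+return authorities;
+}
+/**
+ * @return the authorities
+ */
+public List<GrantedAuthority> getAuthorities() {
+return authorities;
+}
+/**
+ * @param authorities the authorities to set
+ */
+public void setAuthorities(List<GrantedAuthority> authorities) {
+this.authorities = authorities;
+}
+}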
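Review bot: The `@see` tag on `getAuthorities(JsonObject)` points at `net.minidev.json.JSONObject`, but the parameter type is `com.google.gson.JsonObject`, so the reference is wrong; change it to `@see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(com.google.gson.JsonObject)`. `setAuthorities` stores the caller's list and both getters hand the same instance back, so the authorities granted to every introspected request can be changed after wiring by anyone still holding that list; a defensive copy, `this.authorities = Collections.unmodifiableList(new ArrayList<GrantedAuthority>(authorities));` (with the two `java.util` imports), makes the granted set fixed once configured. The class Javadoc should also state that the default is the single `ROLE_API` authority, matching what `IntrospectingTokenService` hard-coded before this change.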