roles granted by introspection token services are now configurable (and extendable) via service, addresses #386

2013-07-16 16:59:43 -04:00 · 2013-07-16 16:59:43 -04:00 · 67fd5fa7e9
parent 35d1e1b6d4
commit 67fd5fa7e9
4 changed files with 73 additions and 2 deletions
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
@ -23,7 +23,6 @@ import java.util.Map;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -50,6 +49,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 	private String clientId;
 	private String clientSecret;
 	private IntrospectionUrlProvider introspectionUrlProvider;
+	private IntrospectionAuthorityGranter introspectionAuthorityGranter = new SimpleIntrospectionAuthorityGranter();
 	
 	// Inner class to store in the hash map
 	private class TokenCacheObject {
@ -117,7 +117,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 	// create a default authentication object with authority ROLE_API
 	private Authentication createAuthentication(JsonObject token) {
 		// TODO: make role/authority configurable somehow
-		return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), null, AuthorityUtils.createAuthorityList("ROLE_API"));
+		return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
 	}

 	private OAuth2AccessToken createAccessToken(final JsonObject token, final String tokenString) {
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectionAuthorityGranter.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectionAuthorityGranter.java
@ -0,0 +1,20 @@
+/**
+ * 
+ */
+package org.mitre.oauth2.introspectingfilter;
+
+import java.util.List;
+
+import org.springframework.security.core.GrantedAuthority;
+
+import com.google.gson.JsonObject;
+
+/**
+ * @author jricher
+ *
+ */
+public interface IntrospectionAuthorityGranter {
+
+	public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse);
+	
+}
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/JWTParsingIntrospectionUrlProvider.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/JWTParsingIntrospectionUrlProvider.java
@ -4,6 +4,8 @@
 package org.mitre.oauth2.introspectingfilter;

 import java.text.ParseException;
+import java.util.HashSet;
+import java.util.Set;

 import org.mitre.openid.connect.client.service.ServerConfigurationService;
 import org.mitre.openid.connect.config.ServerConfiguration;
@ -50,6 +52,9 @@ public class JWTParsingIntrospectionUrlProvider implements IntrospectionUrlProvi
 	        
 	        String issuer = jwt.getJWTClaimsSet().getIssuer();
 	        if (!Strings.isNullOrEmpty(issuer)) {
+	        	
+	        	
+	        	
 	        	ServerConfiguration server = serverConfigurationService.getServerConfiguration(issuer);
 	        	if (server != null) {
 	        		if (!Strings.isNullOrEmpty(server.getIntrospectionEndpointUri())) {
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/SimpleIntrospectionAuthorityGranter.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/SimpleIntrospectionAuthorityGranter.java
@ -0,0 +1,46 @@
+/**
+ * 
+ */
+package org.mitre.oauth2.introspectingfilter;
+
+import java.util.List;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+import com.google.gson.JsonObject;
+
+/**
+ * 
+ * Grants the same set of authorities no matter what's passed in.
+ * 
+ * @author jricher
+ *
+ */
+public class SimpleIntrospectionAuthorityGranter implements IntrospectionAuthorityGranter {
+
+	private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_API");
+	
+	/* (non-Javadoc)
+	 * @see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(net.minidev.json.JSONObject)
+	 */
+	@Override
+	public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse) {
+		return authorities;
+	}
+
+	/**
+	 * @return the authorities
+	 */
+	public List<GrantedAuthority> getAuthorities() {
+		return authorities;
+	}
+
+	/**
+	 * @param authorities the authorities to set
+	 */
+	public void setAuthorities(List<GrantedAuthority> authorities) {
+		this.authorities = authorities;
+	}
+
+}