From 7aec0dfe8008621b9831120f97a0ca57ece462d7 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Mon, 10 Sep 2012 16:43:45 -0400
Subject: [PATCH] added randomized view names to lower possibility of conflicting with local views

---
 .../connect/client/JwkViewResolver.java | 42 +++++++++--
 .../client/OIDCSignedRequestFilter.java | 70 +++++++++----------
 2 files changed, 70 insertions(+), 42 deletions(-)

diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/JwkViewResolver.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/JwkViewResolver.java
index d85e6fb72..eeb897aa3 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/JwkViewResolver.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/JwkViewResolver.java
@@ -18,10 +18,12 @@ import org.springframework.web.servlet.ViewResolver;
 */
 public class JwkViewResolver implements ViewResolver, Ordered {
 
- private View x509;
-
+ private String jwkViewName = "jwkKeyList";
 private View jwk;
+ private String x509ViewName = "x509certs";
+ private View x509;
+
 
 private int order = HIGHEST_PRECEDENCE; // highest precedence, most specific -- avoids hitting the catch-all view resolvers
 
 /**
@@ -31,10 +33,10 @@ public class JwkViewResolver implements ViewResolver, Ordered {
 @Override
 public View resolveViewName(String viewName, Locale locale) throws Exception {
 if (viewName != null) {
- if (viewName.equals("jwkKeyList")) {
- return jwk;
- } else if (viewName.equals("x509certs")) {
- return x509;
+ if (viewName.equals(getJwkViewName())) {
+ return getJwk();
+ } else if (viewName.equals(getX509ViewName())) {
+ return getX509();
 } else {
 return null;
 }
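Review bot: The new `jwkViewName`/`x509ViewName` fields keep "jwkKeyList" and "x509certs" as their defaults, and the resolver still runs at HIGHEST_PRECEDENCE, so a JwkViewResolver wired without OIDCSignedRequestFilter overriding both names continues to shadow any local view of those names — the very conflict this commit sets out to remove. A comment on the two fields would make that dependency explicit, e.g. `// placeholder defaults; OIDCSignedRequestFilter replaces them with randomized names at startup`, or the defaults could be dropped (null) so an unconfigured resolver matches nothing in resolveViewName, since `viewName.equals(null)` is simply false. The enclosing class continues outside the hunk.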
@@ -86,4 +88,32 @@ public class JwkViewResolver implements ViewResolver, Ordered {
 this.order = order;
 }
 
+ /**
+ * @return the jwkViewName
+ */
+ public String getJwkViewName() {
+ return jwkViewName;
+ }
+
+ /**
+ * @param jwkViewName the jwkViewName to set
+ */
+ public void setJwkViewName(String jwkViewName) {
+ this.jwkViewName = jwkViewName;
+ }
+
+ /**
+ * @return the x509ViewName
+ */
+ public String getX509ViewName() {
+ return x509ViewName;
+ }
+
+ /**
+ * @param x509ViewName the x509ViewName to set
+ */
+ public void setX509ViewName(String x509ViewName) {
+ this.x509ViewName = x509ViewName;
+ }
+
 }
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java
index 320f12cd9..4fd9ec263 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.UUID;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -42,6 +43,10 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter im
 
 private BeanDefinitionRegistry registry;
 
+ private String jwkViewName = "jwkKeyList";
+
+ private String x509ViewName;
+
 protected OIDCSignedRequestFilter() {
 super();
 
@@ -285,7 +290,7 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter im
 
 // TODO: check if keys are empty, return a 404 here or just an empty list?
 
- return new ModelAndView("jwkKeyList", "signers", signers);
+ return new ModelAndView(jwkViewName, "signers", signers);
 }
 
 /**
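Review bot: `x509ViewName` is declared without an initializer while `jwkViewName` defaults to "jwkKeyList", so the field is null until postProcessBeanFactory assigns it and stays null whenever the x509 publish URL is empty; any ModelAndView built from it further down this file would then carry a null view name (presumably unreachable without the mapping, but nothing at the declaration enforces that). For symmetry with `jwkViewName` and with the defaults in JwkViewResolver, `private String x509ViewName = "x509certs";`. Since both fields are reassigned at startup, a one-line comment above them saying they hold the randomized names handed to the JwkViewResolver would spare readers a search through postProcessBeanFactory.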
@@ -298,7 +303,7 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter im
 
 // TODO: check if keys are empty, return a 404 here or just an empty list?
 
- return new ModelAndView("x509certs", "signers", signers);
+ return new ModelAndView(x509ViewName, "signers", signers);
 }
 
 /**
@@ -306,49 +311,42 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter im
 */
 @Override
 public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
- if (!Strings.isNullOrEmpty(jwkPublishUrl) || !Strings.isNullOrEmpty(getX509PublishUrl())) {
-
- // standard endpoint
- /*
- BeanDefinitionBuilder jwkBuilder = BeanDefinitionBuilder.rootBeanDefinition(JsonWebKeyEndpoint.class);
- jwkBuilder.addPropertyValue("jwtService", signingAndValidationService);
- registry.registerBeanDefinition("jwkEndpointController", jwkBuilder.getBeanDefinition());
- */
-
+ if (!Strings.isNullOrEmpty(getJwkPublishUrl()) || !Strings.isNullOrEmpty(getX509PublishUrl())) {
+
 // add a mapping to this class
 BeanDefinitionBuilder clientKeyMapping = BeanDefinitionBuilder.rootBeanDefinition(ClientKeyPublisherMapping.class);
- if (!Strings.isNullOrEmpty(jwkPublishUrl)) {
- clientKeyMapping.addPropertyValue("jwkPublishUrl", jwkPublishUrl);
+ // custom view resolver
+ BeanDefinitionBuilder viewResolver = BeanDefinitionBuilder.rootBeanDefinition(JwkViewResolver.class);
+
+ if (!Strings.isNullOrEmpty(getJwkPublishUrl())) {
+ clientKeyMapping.addPropertyValue("jwkPublishUrl", getJwkPublishUrl());
+
+ // randomize view name to make sure it doesn't conflict with local views
+ jwkViewName = "jwkKeyList-" + UUID.randomUUID().toString();
+ viewResolver.addPropertyValue("jwkViewName", jwkViewName);
+
+ // view bean
+ BeanDefinitionBuilder jwkView = BeanDefinitionBuilder.rootBeanDefinition(JwkKeyListView.class);
+ registry.registerBeanDefinition("jwkKeyList", jwkView.getBeanDefinition());
+ viewResolver.addPropertyReference("jwk", "jwkKeyList");
 }
+
 if (!Strings.isNullOrEmpty(getX509PublishUrl())) {
 clientKeyMapping.addPropertyValue("x509PublishUrl", getX509PublishUrl());
+
+ // randomize view name to make sure it doesn't conflict with local views
+ x509ViewName = "x509certs-" + UUID.randomUUID().toString();
+
viewResolver.addPropertyValue("x509ViewName", x509ViewName);
+
+ // view bean
+ BeanDefinitionBuilder x509View = BeanDefinitionBuilder.rootBeanDefinition(X509CertificateView.class);
+ registry.registerBeanDefinition("x509certs", x509View.getBeanDefinition());
+ viewResolver.addPropertyReference("x509", "x509certs");
 }
- registry.registerBeanDefinition("clientKeyMapping", clientKeyMapping.getBeanDefinition());
-
- // add views for JWK and x509 formats
- BeanDefinitionBuilder jwkView = BeanDefinitionBuilder.rootBeanDefinition(JwkKeyListView.class);
- registry.registerBeanDefinition("jwkKeyList", jwkView.getBeanDefinition());
- BeanDefinitionBuilder x509View = BeanDefinitionBuilder.rootBeanDefinition(X509CertificateView.class);
- registry.registerBeanDefinition("x509certs", x509View.getBeanDefinition());
-
- // custom view resolver
- BeanDefinitionBuilder viewResolver = BeanDefinitionBuilder.rootBeanDefinition(JwkViewResolver.class);
- viewResolver.addPropertyReference("jwk", "jwkKeyList");
- viewResolver.addPropertyReference("x509", "x509certs");
+ registry.registerBeanDefinition("clientKeyMapping", clientKeyMapping.getBeanDefinition());
 registry.registerBeanDefinition("jwkViewResolver", viewResolver.getBeanDefinition());
- // Bean name view resolver
- /*
- Map resolvers = beanFactory.getBeansOfType(BeanNameViewResolver.class);
- if (resolvers.isEmpty()) {
- logger.info("Creating view resolver");
- BeanDefinitionBuilder viewResolverBuilder = BeanDefinitionBuilder.rootBeanDefinition(BeanNameViewResolver.class);
- viewResolverBuilder.addPropertyValue("order", 1);
- registry.registerBeanDefinition("beanNameViewResolver", viewResolverBuilder.getBeanDefinition());
- }
- */
-
 }
 }
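Review bot: Only the view names are randomized; the bean definition names handed to registry.registerBeanDefinition — "jwkKeyList", "x509certs", "clientKeyMapping", "jwkViewResolver" — remain fixed literals, so an application bean with one of those names is silently overridden (or, where bean-definition overriding is disallowed, startup fails), and the `jwk`/`x509` property references would then point at whichever definition won. Reusing the randomized name for the bean closes that gap: `registry.registerBeanDefinition(jwkViewName, jwkView.getBeanDefinition()); viewResolver.addPropertyReference("jwk", jwkViewName);` and the same pair for x509. The two branches also repeat the same randomize/register-view/add-reference sequence, which a small private helper taking the name prefix, the view class and the resolver property names could share, and `UUID.randomUUID().toString()` can drop the explicit toString() inside string concatenation. The enclosing class continues outside the hunk.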