github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

generate random fake password for private key clients and shared secret crypto clients to avoid accidentally using client secret authentication and bypassing authentication, closes #715

pull/730/head
Justin Richer 2014-10-23 21:37:22 -04:00
parent 9dfac35912
commit a59fe0604e
1 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
View File

@ -16,9 +16,14 @@
******************************************************************************/
package org.mitre.oauth2.service.impl;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
@ -26,8 +31,6 @@ import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.stereotype.Service;
import com.google.common.base.Strings;
@ -42,16 +45,27 @@ import com.google.common.base.Strings;
public class DefaultClientUserDetailsService implements UserDetailsService {
@Autowired
private ClientDetailsService clientDetailsService;
private ClientDetailsEntityService clientDetailsService;
@Override
public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientId);
if (client != null) {
String password = Strings.nullToEmpty(client.getClientSecret());
if (client.getTokenEndpointAuthMethod() != null &&
(client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) ||
client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT))) {
// Issue a random password each time to prevent password auth from being used (or skipped)
// for private key or shared key clients, see #715
password = new BigInteger(512, new SecureRandom()).toString(16);
}
boolean enabled = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
@ -72,11 +86,11 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
}
public ClientDetailsService getClientDetailsService() {
public ClientDetailsEntityService getClientDetailsService() {
return clientDetailsService;
}
public void setClientDetailsService(ClientDetailsService clientDetailsService) {
public void setClientDetailsService(ClientDetailsEntityService clientDetailsService) {
this.clientDetailsService = clientDetailsService;
}