Updated redirect URI validator.
Change-Id: I1545a01247aac05327fd48526134c9d290d2f3d8
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java b/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
index 4f624cf..a55a08c 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
+++ b/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
@@ -1,11 +1,25 @@
package de.ids_mannheim.korap.config;
-import com.nimbusds.jose.*;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.text.ParseException;
+import java.time.ZonedDateTime;
+import java.util.List;
+import java.util.Map;
+
+import org.joda.time.DateTime;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTClaimsSet.Builder;
import com.nimbusds.jwt.SignedJWT;
+
import de.ids_mannheim.korap.exceptions.KustvaktException;
import de.ids_mannheim.korap.exceptions.StatusCodes;
import de.ids_mannheim.korap.security.context.TokenContext;
@@ -13,15 +27,6 @@
import de.ids_mannheim.korap.user.User;
import de.ids_mannheim.korap.user.Userdata;
import de.ids_mannheim.korap.utils.TimeUtils;
-import org.joda.time.DateTime;
-
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.text.ParseException;
-import java.time.ZonedDateTime;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
/**
* @author hanl
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
index 3e757f3..db118f5 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
@@ -35,14 +35,14 @@
public class OpenIdAuthorizationService extends OAuth2AuthorizationService {
@Autowired
- private UrlValidator urlValidator;
+ private UrlValidator redirectURIValidator;
public void checkRedirectUriParam (Map<String, String> map)
throws KustvaktException {
if (map.containsKey("redirect_uri")) {
String redirect_uri = map.get("redirect_uri");
if (redirect_uri != null && !redirect_uri.isEmpty()) {
- if (!urlValidator.isValid(redirect_uri)) {
+ if (!redirectURIValidator.isValid(redirect_uri)) {
throw new KustvaktException(
StatusCodes.INVALID_REDIRECT_URI,
"Invalid redirect URI",
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
index e6c825d..dff46ae 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
@@ -50,9 +50,7 @@
@Autowired
private AdminDao adminDao;
@Autowired
- private UrlValidator urlValidator;
- @Autowired
- private UrlValidator httpsValidator;
+ private UrlValidator redirectURIValidator;
@Autowired
private EncryptionIface encryption;
@Autowired
@@ -60,18 +58,12 @@
public OAuth2ClientDto registerClient (OAuth2ClientJson clientJson,
String registeredBy) throws KustvaktException {
- if (!urlValidator.isValid(clientJson.getUrl())) {
+ if (!redirectURIValidator.isValid(clientJson.getUrl())) {
throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,
clientJson.getUrl() + " is invalid.",
OAuth2Error.INVALID_REQUEST);
}
- if (!httpsValidator.isValid(clientJson.getRedirectURI())) {
- throw new KustvaktException(StatusCodes.HTTPS_REQUIRED,
- clientJson.getRedirectURI()
- + " is invalid. RedirectURI requires https.",
- OAuth2Error.INVALID_REQUEST);
- }
-
+
boolean isNative = isNativeClient(clientJson.getUrl(),
clientJson.getRedirectURI());
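Review bot: Removing the `httpsValidator` check leaves no TLS requirement on the redirect URI for any client type, whereas RFC 6749 §3.1.2.1 says the redirection endpoint SHOULD require TLS when the response carries sensitive credentials — here the authorization code, which a plain-http redirect exposes in transit. The `isNative` result computed on the two lines after the removed block is the natural place to scope the rule instead of dropping it: native clients may keep a plain-http loopback redirect (RFC 8252 §7.3), non-native (web) clients should still be rejected with the existing `StatusCodes.HTTPS_REQUIRED`, and using an `https`-only `UrlValidator` for that keeps null and malformed values rejected the way the removed check did. This assumes `isNativeClient` identifies the public/native case; its definition is outside the hunk. The body of `registerClient` continues past the end of the hunk.
```java
// class-level field, next to the injected redirectURIValidator
private static final UrlValidator HTTPS_REDIRECT_VALIDATOR =
        new UrlValidator(new String[] { "https" }, UrlValidator.NO_FRAGMENTS);

boolean isNative = isNativeClient(clientJson.getUrl(),
        clientJson.getRedirectURI());
// Web (non-native) clients receive the authorization code at the redirect
// URI, so that endpoint must be TLS-protected (RFC 6749 §3.1.2.1); native
// clients may use a plain-http loopback redirect (RFC 8252 §7.3).
if (!isNative
        && !HTTPS_REDIRECT_VALIDATOR.isValid(clientJson.getRedirectURI())) {
    throw new KustvaktException(StatusCodes.HTTPS_REQUIRED,
            clientJson.getRedirectURI()
                    + " is invalid. RedirectURI requires https for non-native clients.",
            OAuth2Error.INVALID_REQUEST);
}
// … unchanged: rest of registerClient …
```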
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
index 2c36ad6..fe2c770 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
@@ -52,21 +52,17 @@
/**
* Registers a client application. Before starting an OAuth
- * process,
- * client applications have to be registered first. Only
- * registered
- * users are allowed to register client applications. After
- * registration,
- * the client will receive a client_id and a client_secret, if the
- * client
- * is confidential (capable of storing the client_secret), that
- * are needed
- * in the authorization process.
+ * process, client applications have to be registered first. Only
+ * registered users are allowed to register client applications.
+ *
+ * After registration, the client receives a client_id and a
+ * client_secret, if the client is confidential (capable of
+ * storing the client_secret), that are needed in the
+ * authorization process.
*
* From RFC 6749:
* The authorization server SHOULD document the size of any
- * identifier
- * it issues.
+ * identifier it issues.
*
* @param context
* @param clientJson
@@ -86,6 +82,7 @@
OAuth2ClientJson clientJson) {
TokenContext context =
(TokenContext) securityContext.getUserPrincipal();
+
try {
return clientService.registerClient(clientJson,
context.getUsername());
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java b/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
index cec1806..2d7afcd 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
@@ -18,7 +18,7 @@
private OAuth2ClientType type;
private String url;
// redirect URI determines where the OAuth 2.0 service will return the user to
- // after they have authorized a client. It must be https.
+ // after they have authorized a client.
private String redirectURI;
private String description;
}
diff --git a/full/src/main/resources/default-config.xml b/full/src/main/resources/default-config.xml
index e06aa8b..5c2a050 100644
--- a/full/src/main/resources/default-config.xml
+++ b/full/src/main/resources/default-config.xml
@@ -177,11 +177,12 @@
</bean>
<!-- URLValidator -->
- <bean id="urlValidator" class="org.apache.commons.validator.routines.UrlValidator">
- <constructor-arg value="http,https" />
- </bean>
- <bean id="httpsValidator" class="org.apache.commons.validator.routines.UrlValidator">
- <constructor-arg value="https" />
+ <bean id="redirectURIValidator" class="org.apache.commons.validator.routines.UrlValidator">
+ <constructor-arg value="http,https" index="0" />
+ <constructor-arg index="1" type="long">
+ <util:constant
+ static-field="org.apache.commons.validator.routines.UrlValidator.NO_FRAGMENTS" />
+ </constructor-arg>
</bean>
<bean id="kustvakt_rewrite" class="de.ids_mannheim.korap.rewrite.FullRewriteHandler">
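Review bot: The new `redirectURIValidator` bean uses `util:constant`, which only resolves if the `util` namespace (`xmlns:util` and its `schemaLocation` entry) is declared on the `<beans>` root; that root is outside the hunk, so please confirm it is present, otherwise the context fails to load at startup. Two things about what this single bean now accepts are worth recording: with schemes `http,https` it no longer enforces TLS for redirect URIs anywhere, and since `OAuth2ClientService` applies the same bean to the client's `url`, `NO_FRAGMENTS` now applies to that field as well, which looks like an unintended behaviour change. If the reason for allowing http is plain-http loopback redirects for native apps, note that `UrlValidator` rejects hostnames without a top-level domain such as `localhost` unless `ALLOW_LOCAL_URLS` is combined into the options (an IP literal like `http://127.0.0.1:…` passes either way), so the intended loopback form should be decided and tested. A one-line comment above the bean, e.g. `<!-- Client URLs and redirect URIs: http or https, fragments rejected (RFC 6749 §3.1.2) -->`, would make the intent explicit for the next reader.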
diff --git a/full/src/main/resources/kustvakt.conf b/full/src/main/resources/kustvakt.conf
index 75a3483..8adf152 100644
--- a/full/src/main/resources/kustvakt.conf
+++ b/full/src/main/resources/kustvakt.conf
@@ -73,7 +73,7 @@
security.validation.stringLength = 150
security.validation.emailLength = 50
security.encryption.algo=BCRYPT
-security.sharedSecret=sharedSecret
+security.sharedSecret=this-is-shared-secret-code-for-JWT-Signing.It-must-contains-minimum-256-bits
security.adminToken=adminToken
## applicable: rewrite, foundry, filter, deny