Updated redirect URI validator.
Change-Id: I1545a01247aac05327fd48526134c9d290d2f3d8
diff --git a/full/pom.xml b/full/pom.xml
index 5b4a093..db4c3e2 100644
--- a/full/pom.xml
+++ b/full/pom.xml
@@ -282,9 +282,18 @@
<dependency>
<groupId>org.apache.oltu.oauth2</groupId>
<artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
- <version>1.0.0</version>
+ <version>1.0.2</version>
</dependency>
-
+ <dependency>
+ <groupId>org.apache.oltu.oauth2</groupId>
+ <artifactId>org.apache.oltu.oauth2.client</artifactId>
+ <version>1.0.2</version>
+ </dependency>
+ <!-- <dependency>
+ <groupId>org.apache.oltu.oauth2</groupId>
+ <artifactId>org.apache.oltu.oauth2.dynamicreg.client</artifactId>
+ <version>1.0.2</version>
+ </dependency> -->
<!-- JWT -->
<dependency>
<groupId>com.nimbusds</groupId>
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java b/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
index 4f624cf..a55a08c 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
+++ b/full/src/main/java/de/ids_mannheim/korap/config/JWTSigner.java
@@ -1,11 +1,25 @@
package de.ids_mannheim.korap.config;
-import com.nimbusds.jose.*;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.text.ParseException;
+import java.time.ZonedDateTime;
+import java.util.List;
+import java.util.Map;
+
+import org.joda.time.DateTime;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTClaimsSet.Builder;
import com.nimbusds.jwt.SignedJWT;
+
import de.ids_mannheim.korap.exceptions.KustvaktException;
import de.ids_mannheim.korap.exceptions.StatusCodes;
import de.ids_mannheim.korap.security.context.TokenContext;
@@ -13,15 +27,6 @@
import de.ids_mannheim.korap.user.User;
import de.ids_mannheim.korap.user.Userdata;
import de.ids_mannheim.korap.utils.TimeUtils;
-import org.joda.time.DateTime;
-
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.text.ParseException;
-import java.time.ZonedDateTime;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
/**
* @author hanl
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
index 3e757f3..db118f5 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
@@ -35,14 +35,14 @@
public class OpenIdAuthorizationService extends OAuth2AuthorizationService {
@Autowired
- private UrlValidator urlValidator;
+ private UrlValidator redirectURIValidator;
public void checkRedirectUriParam (Map<String, String> map)
throws KustvaktException {
if (map.containsKey("redirect_uri")) {
String redirect_uri = map.get("redirect_uri");
if (redirect_uri != null && !redirect_uri.isEmpty()) {
- if (!urlValidator.isValid(redirect_uri)) {
+ if (!redirectURIValidator.isValid(redirect_uri)) {
throw new KustvaktException(
StatusCodes.INVALID_REDIRECT_URI,
"Invalid redirect URI",
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
index e6c825d..dff46ae 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2ClientService.java
@@ -50,9 +50,7 @@
@Autowired
private AdminDao adminDao;
@Autowired
- private UrlValidator urlValidator;
- @Autowired
- private UrlValidator httpsValidator;
+ private UrlValidator redirectURIValidator;
@Autowired
private EncryptionIface encryption;
@Autowired
@@ -60,18 +58,12 @@
public OAuth2ClientDto registerClient (OAuth2ClientJson clientJson,
String registeredBy) throws KustvaktException {
- if (!urlValidator.isValid(clientJson.getUrl())) {
+ if (!redirectURIValidator.isValid(clientJson.getUrl())) {
throw new KustvaktException(StatusCodes.INVALID_ARGUMENT,
clientJson.getUrl() + " is invalid.",
OAuth2Error.INVALID_REQUEST);
}
- if (!httpsValidator.isValid(clientJson.getRedirectURI())) {
- throw new KustvaktException(StatusCodes.HTTPS_REQUIRED,
- clientJson.getRedirectURI()
- + " is invalid. RedirectURI requires https.",
- OAuth2Error.INVALID_REQUEST);
- }
-
+
boolean isNative = isNativeClient(clientJson.getUrl(),
clientJson.getRedirectURI());
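Review bot: With the `httpsValidator` block removed, `clientJson.getRedirectURI()` is no longer validated at all in this hunk — only `clientJson.getUrl()` goes through `redirectURIValidator`, although that bean's name and its `NO_FRAGMENTS` configuration in default-config.xml indicate it was introduced for the redirect URI. Unless `isNativeClient` or code after the hunk checks it, a malformed redirect URI, or one carrying a fragment (forbidden by RFC 6749 §3.1.2), is now accepted at registration and only rejected, if at all, when a client later starts an authorization request. I would add, before the `isNative` assignment: `if (!redirectURIValidator.isValid(clientJson.getRedirectURI())) { throw new KustvaktException(StatusCodes.INVALID_ARGUMENT, clientJson.getRedirectURI() + " is invalid.", OAuth2Error.INVALID_REQUEST); }`. Two things to confirm against the tests when adding it: `UrlValidator.isValid(null)` returns false, so an optional redirectURI needs a null guard, and a `UrlValidator` built without `ALLOW_LOCAL_URLS` rejects `localhost` hosts, which native clients commonly register. `registerClient` continues past the end of the hunk.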
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
index 2c36ad6..fe2c770 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
@@ -52,21 +52,17 @@
/**
* Registers a client application. Before starting an OAuth
- * process,
- * client applications have to be registered first. Only
- * registered
- * users are allowed to register client applications. After
- * registration,
- * the client will receive a client_id and a client_secret, if the
- * client
- * is confidential (capable of storing the client_secret), that
- * are needed
- * in the authorization process.
+ * process, client applications have to be registered first. Only
+ * registered users are allowed to register client applications.
+ *
+ * After registration, the client receives a client_id and a
+ * client_secret, if the client is confidential (capable of
+ * storing the client_secret), that are needed in the
+ * authorization process.
*
* From RFC 6749:
* The authorization server SHOULD document the size of any
- * identifier
- * it issues.
+ * identifier it issues.
*
* @param context
* @param clientJson
@@ -86,6 +82,7 @@
OAuth2ClientJson clientJson) {
TokenContext context =
(TokenContext) securityContext.getUserPrincipal();
+
try {
return clientService.registerClient(clientJson,
context.getUsername());
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java b/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
index cec1806..2d7afcd 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/input/OAuth2ClientJson.java
@@ -18,7 +18,7 @@
private OAuth2ClientType type;
private String url;
// redirect URI determines where the OAuth 2.0 service will return the user to
- // after they have authorized a client. It must be https.
+ // after they have authorized a client.
private String redirectURI;
private String description;
}
diff --git a/full/src/main/resources/default-config.xml b/full/src/main/resources/default-config.xml
index e06aa8b..5c2a050 100644
--- a/full/src/main/resources/default-config.xml
+++ b/full/src/main/resources/default-config.xml
@@ -177,11 +177,12 @@
</bean>
<!-- URLValidator -->
- <bean id="urlValidator" class="org.apache.commons.validator.routines.UrlValidator">
- <constructor-arg value="http,https" />
- </bean>
- <bean id="httpsValidator" class="org.apache.commons.validator.routines.UrlValidator">
- <constructor-arg value="https" />
+ <bean id="redirectURIValidator" class="org.apache.commons.validator.routines.UrlValidator">
+ <constructor-arg value="http,https" index="0" />
+ <constructor-arg index="1" type="long">
+ <util:constant
+ static-field="org.apache.commons.validator.routines.UrlValidator.NO_FRAGMENTS" />
+ </constructor-arg>
</bean>
<bean id="kustvakt_rewrite" class="de.ids_mannheim.korap.rewrite.FullRewriteHandler">
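Review bot: The new `redirectURIValidator` bean accepts both `http` and `https`, and because the https-only `httpsValidator` bean disappears with this change, plain-http redirect URIs are now accepted everywhere the validator is injected (OAuth2ClientService, OpenIdAuthorizationService). RFC 6749 §3.1.2.1 says the redirection endpoint SHOULD require TLS, so the relaxation deserves a recorded rationale next to the bean, e.g. `<!-- http and https accepted so native/loopback clients can register; no https-only check remains for confidential clients -->`, and a follow-up that restores an https requirement for confidential clients if that is still intended. The `NO_FRAGMENTS` option itself is correct, since RFC 6749 §3.1.2 forbids a fragment component in the redirect URI. `util:constant` requires the `util` namespace to be declared on the root `beans` element, which is outside the hunk; the parallel change in test-config.xml also leaves the old `httpsValidator` bean as a commented-out block, which should be deleted rather than kept as dead configuration.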
diff --git a/full/src/main/resources/kustvakt.conf b/full/src/main/resources/kustvakt.conf
index 75a3483..8adf152 100644
--- a/full/src/main/resources/kustvakt.conf
+++ b/full/src/main/resources/kustvakt.conf
@@ -73,7 +73,7 @@
security.validation.stringLength = 150
security.validation.emailLength = 50
security.encryption.algo=BCRYPT
-security.sharedSecret=sharedSecret
+security.sharedSecret=this-is-shared-secret-code-for-JWT-Signing.It-must-contains-minimum-256-bits
security.adminToken=adminToken
## applicable: rewrite, foundry, filter, deny
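Review bot: `security.sharedSecret` is now a fixed, human-readable phrase committed to the repository, and kustvakt-test.conf sets the identical value, so any deployment that keeps the shipped kustvakt.conf signs its JWTs with a key that is public and shared with the test suite. The phrase is 76 ASCII characters, enough to pass a 256-bit HMAC key-length check, but as dictionary words its actual entropy is far below 256 bits. I would replace it with a clearly labelled placeholder plus a comment, e.g. `# REPLACE before deployment: generate with a CSPRNG (>= 32 random bytes, hex or base64); tokens signed with the shipped value can be forged by anyone who has this file`, and have the JWTSigner refuse to start, or at least log a warning, when the configured value equals the shipped default. The test configuration should use its own distinct value so a leaked test secret never matches production.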
diff --git a/full/src/test/resources/kustvakt-test.conf b/full/src/test/resources/kustvakt-test.conf
index 6a6b5c2..b135ca7 100644
--- a/full/src/test/resources/kustvakt-test.conf
+++ b/full/src/test/resources/kustvakt-test.conf
@@ -96,7 +96,7 @@
security.validation.stringLength = 150
security.validation.emailLength = 50
security.encryption.algo=BCRYPT
-security.sharedSecret=testSecretCodeMustContainsMinimum256Bits$87aL2t0sklnf66roGDerNsw2s9
+security.sharedSecret=this-is-shared-secret-code-for-JWT-Signing.It-must-contains-minimum-256-bits
## applicable: rewrite, foundry, filter, deny
security.rewrite.strategies=filter, foundry, rewrite
\ No newline at end of file
diff --git a/full/src/test/resources/test-config.xml b/full/src/test/resources/test-config.xml
index 6094435..180be50 100644
--- a/full/src/test/resources/test-config.xml
+++ b/full/src/test/resources/test-config.xml
@@ -178,12 +178,15 @@
</bean>
<!-- URLValidator -->
- <bean id="urlValidator" class="org.apache.commons.validator.routines.UrlValidator">
- <constructor-arg value="http,https" />
+ <bean id="redirectURIValidator" class="org.apache.commons.validator.routines.UrlValidator">
+ <constructor-arg value="http,https" index="0" />
+ <constructor-arg index="1" type="long">
+ <util:constant
+ static-field="org.apache.commons.validator.routines.UrlValidator.NO_FRAGMENTS" />
+ </constructor-arg>
</bean>
- <bean id="httpsValidator" class="org.apache.commons.validator.routines.UrlValidator">
- <constructor-arg value="https" />
- </bean>
+ <!-- <bean id="httpsValidator" class="org.apache.commons.validator.routines.UrlValidator">
+ <constructor-arg value="https" /> </bean> -->
<bean id="kustvakt_rewrite" class="de.ids_mannheim.korap.rewrite.FullRewriteHandler">
<constructor-arg ref="kustvakt_config" />
@@ -252,10 +255,10 @@
<constructor-arg type="de.ids_mannheim.korap.interfaces.EncryptionIface"
ref="kustvakt_encryption" />
</bean>
-
+
<bean id="oauth2_auth"
class="de.ids_mannheim.korap.authentication.OAuth2Authentication" />
-
+
<util:list id="kustvakt_authproviders"
value-type="de.ids_mannheim.korap.interfaces.AuthenticationIface">