From ab16327315e60f72c57969cbb59d85fcb65feea0 Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Mon, 4 Jul 2022 17:41:19 +1000
Subject: [PATCH] restore ee9 version

Signed-off-by: Lachlan Roberts
---
 .../security/openid/OpenIdConfiguration.java | 64 +++++++------------
 .../DeferredAuthentication.java              | 25 ++++----
 2 files changed, 36 insertions(+), 53 deletions(-)

diff --git a/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdConfiguration.java b/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdConfiguration.java
index 44b7e846a0a..992f5ab6651 100644
--- a/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdConfiguration.java
+++ b/jetty-ee9/jetty-ee9-openid/src/main/java/org/eclipse/jetty/ee9/security/openid/OpenIdConfiguration.java
@@ -11,7 +11,7 @@
 // ========================================================================
 //
 
-package org.eclipse.jetty.security.openid;
+package org.eclipse.jetty.ee9.security.openid;
 
 import java.util.ArrayList;
 import java.util.Collections;
@@ -40,9 +40,6 @@ public class OpenIdConfiguration extends ContainerLifeCycle
 {
     private static final Logger LOG = LoggerFactory.getLogger(OpenIdConfiguration.class);
     private static final String CONFIG_PATH = "/.well-known/openid-configuration";
-    private static final String AUTHORIZATION_ENDPOINT = "authorization_endpoint";
-    private static final String TOKEN_ENDPOINT = "token_endpoint";
-    private static final String ISSUER = "issuer";
 
     private final HttpClient httpClient;
     private final String issuer;
@@ -119,45 +116,35 @@ public class OpenIdConfiguration extends ContainerLifeCycle
 
         if (authEndpoint == null || tokenEndpoint == null)
         {
-            Map discoveryDocument = fetchOpenIdConnectMetadata();
-            processMetadata(discoveryDocument);
+            Map discoveryDocument = fetchOpenIdConnectMetadata(issuer, httpClient);
+
+            authEndpoint = (String)discoveryDocument.get("authorization_endpoint");
+            if (authEndpoint == null)
+                throw new IllegalArgumentException("authorization_endpoint");
+
+            tokenEndpoint = (String)discoveryDocument.get("token_endpoint");
+            if (tokenEndpoint == null)
+                throw new IllegalArgumentException("token_endpoint");
+
+            if (!Objects.equals(discoveryDocument.get("issuer"), issuer))
+                LOG.warn("The issuer in the metadata is not correct.");
         }
     }
 
-    /**
-     * Process the OpenID Connect metadata discovered by {@link #fetchOpenIdConnectMetadata()}.
-     * By default, only the {@link #AUTHORIZATION_ENDPOINT} and {@link #TOKEN_ENDPOINT} claims are extracted.
-     * @see OpenID Connect Discovery 1.0
-     * @throws IllegalStateException if a required field is not present in the metadata.
-     */
-    protected void processMetadata(Map discoveryDocument)
+    private static HttpClient newHttpClient()
     {
-        authEndpoint = (String)discoveryDocument.get(AUTHORIZATION_ENDPOINT);
-        if (authEndpoint == null)
-            throw new IllegalStateException(AUTHORIZATION_ENDPOINT);
-
-        tokenEndpoint = (String)discoveryDocument.get(TOKEN_ENDPOINT);
-        if (tokenEndpoint == null)
-            throw new IllegalStateException(TOKEN_ENDPOINT);
-
-        // We are lenient and not throw here as some major OIDC providers do not conform to this.
-        if (!Objects.equals(discoveryDocument.get(ISSUER), issuer))
-            LOG.warn("The issuer in the metadata is not correct.");
+        ClientConnector connector = new ClientConnector();
+        connector.setSslContextFactory(new SslContextFactory.Client(false));
+        return new HttpClient(new HttpClientTransportOverHTTP(connector));
     }
 
-    /**
-     * Obtain the JSON metadata from OpenID Connect Discovery Configuration Endpoint.
-     * @return a set of Claims about the OpenID Provider's configuration in JSON format.
-     * @throws IllegalStateException if metadata could not be fetched from the OP.
-     */
-    protected Map fetchOpenIdConnectMetadata()
+    private static Map fetchOpenIdConnectMetadata(String provider, HttpClient httpClient)
     {
-        String provider = issuer;
-        if (provider.endsWith("/"))
-            provider = provider.substring(0, provider.length() - 1);
-
         try
         {
+            if (provider.endsWith("/"))
+                provider = provider.substring(0, provider.length() - 1);
+
             Map result;
             String responseBody = httpClient.GET(provider + CONFIG_PATH).getContentAsString();
             Object parsedResult = new JSON().fromJSON(responseBody);
@@ -180,7 +167,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle
         }
         catch (Exception e)
         {
-            throw new IllegalStateException("invalid identity provider " + provider, e);
+            throw new IllegalArgumentException("invalid identity provider " + provider, e);
         }
     }
 
@@ -240,13 +227,6 @@ public class OpenIdConfiguration extends ContainerLifeCycle
         this.authenticateNewUsers = authenticateNewUsers;
     }
 
-    private static HttpClient newHttpClient()
-    {
-        ClientConnector connector = new ClientConnector();
-        connector.setSslContextFactory(new SslContextFactory.Client(false));
-        return new HttpClient(new HttpClientTransportOverHTTP(connector));
-    }
-
     @Override
     public String toString()
     {
diff --git a/jetty-ee9/jetty-ee9-security/src/main/java/org/eclipse/jetty/ee9/security/authentication/DeferredAuthentication.java b/jetty-ee9/jetty-ee9-security/src/main/java/org/eclipse/jetty/ee9/security/authentication/DeferredAuthentication.java
index da5c85777f5..58bbd267e97 100644
--- a/jetty-ee9/jetty-ee9-security/src/main/java/org/eclipse/jetty/ee9/security/authentication/DeferredAuthentication.java
+++ b/jetty-ee9/jetty-ee9-security/src/main/java/org/eclipse/jetty/ee9/security/authentication/DeferredAuthentication.java
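Review bot: The issuer check in the new `if (authEndpoint == null || tokenEndpoint == null)` block only warns when the discovery document's `issuer` differs from the configured one, and the restored code drops the comment that explained why; add it back above the check, e.g. `// Deliberately lenient: some major OIDC providers return a non-conforming issuer, so warn instead of failing.`, so the trade-off is not lost on the next reader. Since a mismatched issuer is a security-relevant signal, the warning should carry both values, e.g. `LOG.warn("issuer in metadata {} does not match configured issuer {}", discoveryDocument.get("issuer"), issuer);`, rather than the fixed message. The `(String)` casts on `authorization_endpoint` and `token_endpoint` will raise ClassCastException instead of the intended IllegalArgumentException if a provider returns a non-string value; an `instanceof String` check before each cast keeps the failure mode consistent. The enclosing method starts above the hunk, so its signature and the other fields it reads are not visible here.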
@@ -11,7 +11,7 @@
 // ========================================================================
 //
 
-package org.eclipse.jetty.security.authentication;
+package org.eclipse.jetty.ee9.security.authentication;
 
 import java.io.IOException;
 import java.io.PrintWriter;
@@ -25,14 +25,14 @@ import jakarta.servlet.ServletResponse;
 import jakarta.servlet.WriteListener;
 import jakarta.servlet.http.Cookie;
 import jakarta.servlet.http.HttpServletResponse;
-import org.eclipse.jetty.security.IdentityService;
-import org.eclipse.jetty.security.LoggedOutAuthentication;
-import org.eclipse.jetty.security.LoginService;
-import org.eclipse.jetty.security.SecurityHandler;
-import org.eclipse.jetty.security.ServerAuthException;
-import org.eclipse.jetty.security.UserAuthentication;
-import org.eclipse.jetty.server.Authentication;
-import org.eclipse.jetty.server.UserIdentity;
+import org.eclipse.jetty.ee9.nested.Authentication;
+import org.eclipse.jetty.ee9.nested.UserIdentity;
+import org.eclipse.jetty.ee9.security.IdentityService;
+import org.eclipse.jetty.ee9.security.LoggedOutAuthentication;
+import org.eclipse.jetty.ee9.security.LoginService;
+import org.eclipse.jetty.ee9.security.SecurityHandler;
+import org.eclipse.jetty.ee9.security.ServerAuthException;
+import org.eclipse.jetty.ee9.security.UserAuthentication;
 import org.eclipse.jetty.util.IO;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -120,8 +120,11 @@ public class DeferredAuthentication implements Authentication.Deferred
         if (security != null)
         {
             security.logout(null);
-            _authenticator.logout(request);
-            return new LoggedOutAuthentication(_authenticator);
+            if (_authenticator instanceof LoginAuthenticator)
+            {
+                ((LoginAuthenticator)_authenticator).logout(request);
+                return new LoggedOutAuthentication((LoginAuthenticator)_authenticator);
+            }
         }
 
         return Authentication.UNAUTHENTICATED;
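Review bot: When `_authenticator` is not a LoginAuthenticator the new branch neither delegates logout to it nor returns a LoggedOutAuthentication, and simply falls through to `Authentication.UNAUTHENTICATED` without any log, so an authenticator of another type silently loses the behaviour the old code gave it. Add an `else` that makes this visible, e.g. `else LOG.debug("logout not delegated: {} is not a LoginAuthenticator", _authenticator);` — the file imports slf4j, so a LOG field presumably exists, but it is outside the hunk. The two casts could be replaced by a single pattern match, `if (_authenticator instanceof LoginAuthenticator loginAuthenticator)`, if the module's Java level permits it. The enclosing logout method's signature is above the hunk.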