SECOAUTH-171: Consolidate TokenGranter logic

Author: Dave Syer

samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/ServerRunning.java

@@ -60,6 +60,7 @@
  * @author Dave Syer
  * 
  */
+@SuppressWarnings("deprecation")
 public class ServerRunning extends TestWatchman {
 
 private static Log logger = LogFactory.getLog(ServerRunning.class);

samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/TestAuthorizationCodeProvider.java

@@ -455,7 +455,7 @@ public void testInvalidScopeProvided() throws Exception {
 
 URI uri = serverRunning.buildUri("/sparklr2/oauth/authorize").queryParam("response_type", "code")
 .queryParam("state", "mystateid").queryParam("client_id", "my-client-with-registered-redirect")
-.queryParam("scope", "read").build();
+.queryParam("scope", "nonexistent").build();
 String location = null;
 try {
 userAgent.getPage(uri.toString());
@@ -514,7 +514,6 @@ else if ("state".equals(token)) {
 MultiValueMap<String, String> formData = new LinkedMultiValueMap<String, String>();
 formData.add("grant_type", "authorization_code");
 formData.add("client_id", "my-client-with-registered-redirect");
-formData.add("scope", "read");
 formData.add("code", code);
 
 ResponseEntity<String> response = serverRunning.postForString("/sparklr2/oauth/token", formData);

samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/TestNativeApplicationProvider.java

@@ -149,8 +149,8 @@ public void testSecretProvidedInHeader() throws Exception {
 public void testInvalidGrantType() throws Exception {
 
 MultiValueMap<String, String> formData = new LinkedMultiValueMap<String, String>();
-formData.add("grant_type", "authorization_code");
-formData.add("client_id", "my-trusted-client");
+formData.add("grant_type", "password");
+formData.add("client_id", "my-untrusted-client-with-registered-redirect");
 formData.add("username", "marissa");
 formData.add("password", "koala");
 ResponseEntity<String> response = serverRunning.postForString("/sparklr2/oauth/token", formData);
@@ -165,7 +165,7 @@ public void testInvalidGrantType() throws Exception {
 try {
 throw serializationService.deserializeJsonError(new ByteArrayInputStream(response.getBody().getBytes()));
 } catch (OAuth2Exception e) {
-assertEquals("invalid_request", e.getOAuth2ErrorCode());
+assertEquals("invalid_grant", e.getOAuth2ErrorCode());
 }
 }
 

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/AuthorizationServerBeanDefinitionParser.java

@@ -48,7 +48,6 @@ protected AbstractBeanDefinition parseEndpointAndReturnFilter(Element element, P
 String clientDetailsRef = element.getAttribute("client-details-service-ref");
 String tokenEndpointUrl = element.getAttribute("token-endpoint-url");
 String authorizationEndpointUrl = element.getAttribute("authorization-endpoint-url");
-String defaultGrantType = element.getAttribute("default-grant-type");
 String tokenGranterRef = element.getAttribute("token-granter-ref");
 String redirectStrategyRef = element.getAttribute("redirect-strategy-ref");
 
@@ -192,9 +191,6 @@ protected AbstractBeanDefinition parseEndpointAndReturnFilter(Element element, P
 
 // configure the token endpoint
 BeanDefinitionBuilder tokenEndpointBean = BeanDefinitionBuilder.rootBeanDefinition(TokenEndpoint.class);
-if (StringUtils.hasText(defaultGrantType)) {
-tokenEndpointBean.addPropertyValue("defaultGrantType", defaultGrantType);
-}
 tokenEndpointBean.addPropertyReference("tokenGranter", tokenGranterRef);
 parserContext.getRegistry().registerBeanDefinition("tokenEndpoint", tokenEndpointBean.getBeanDefinition());
 

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AbstractTokenGranter.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2006-2011 the original author or authors.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.oauth2.provider;
+
+import java.util.Map;
+import java.util.Set;
+
+import org.springframework.security.authentication.encoding.PasswordEncoder;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
+
+/**
+ * @author Dave Syer
+ * 
+ */
+public abstract class AbstractTokenGranter implements TokenGranter {
+
+private final AuthorizationServerTokenServices tokenServices;
+
+private final ClientCredentialsChecker clientCredentialsChecker;
+
+private final String grantType;
+
+protected AbstractTokenGranter(AuthorizationServerTokenServices tokenServices,
+ClientDetailsService clientDetailsService, String grantType) {
+this.grantType = grantType;
+this.clientCredentialsChecker = new ClientCredentialsChecker(clientDetailsService);
+this.tokenServices = tokenServices;
+}
+
+public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
+clientCredentialsChecker.setPasswordEncoder(passwordEncoder);
+}
+
+public OAuth2AccessToken grant(String grantType, Map<String, String> parameters, String clientId,
+String clientSecret, Set<String> scopes) {
+
+if (!this.grantType.equals(grantType)) {
+return null;
+}
+
+ClientToken clientToken = clientCredentialsChecker
+.validateCredentials(grantType, clientId, clientSecret, scopes);
+
+return tokenServices.createAccessToken(getOAuth2Authentication(parameters, clientToken));
+
+}
+
+protected abstract OAuth2Authentication getOAuth2Authentication(Map<String, String> parameters,
+ClientToken clientToken);
+
+}

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientCredentialsChecker.java

@@ -0,0 +1,104 @@
+/*
+ * Copyright 2006-2011 the original author or authors.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.oauth2.provider;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.springframework.security.authentication.encoding.PasswordEncoder;
+import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
+import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
+import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
+
+/**
+ * @author Dave Syer
+ * 
+ */
+public class ClientCredentialsChecker {
+
+private final ClientDetailsService clientDetailsService;
+
+private PasswordEncoder passwordEncoder = new PlaintextPasswordEncoder();
+
+public ClientCredentialsChecker(ClientDetailsService clientDetailsService) {
+this.clientDetailsService = clientDetailsService;
+}
+
+public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
+this.passwordEncoder = passwordEncoder;
+}
+
+public ClientToken validateCredentials(String grantType, String clientId, String clientSecret) {
+return this.validateCredentials(grantType, clientId, clientSecret, null);
+}
+
+public ClientToken validateCredentials(String grantType, String clientId, String clientSecret, Set<String> scopes) {
+
+ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
+validateGrantType(grantType, clientDetails);
+if (scopes != null) {
+validateScope(clientDetails, scopes);
+}
+validateClient(clientDetails, clientSecret);
+
+return new ClientToken(clientId, new HashSet<String>(clientDetails.getResourceIds()), clientSecret, scopes,
+clientDetails.getAuthorities());
+
+}
+
+private void validateClient(ClientDetails clientDetails, String clientSecret) {
+if (clientDetails.isSecretRequired()) {
+String assertedSecret = clientSecret;
+if (assertedSecret == null) {
+throw new UnauthorizedClientException("Client secret is required but not provided.");
+}
+else {
+Object salt = null;
+if (clientDetails instanceof SaltedClientSecret) {
+salt = ((SaltedClientSecret) clientDetails).getSalt();
+}
+
+if (!passwordEncoder.isPasswordValid(clientDetails.getClientSecret(), assertedSecret, salt)) {
+throw new UnauthorizedClientException("Invalid client secret.");
+}
+}
+}
+}
+
+private void validateScope(ClientDetails clientDetails, Set<String> scopes) {
+
+if (clientDetails.isScoped()) {
+if (scopes.isEmpty()) {
+throw new InvalidScopeException("Invalid scope (none)");
+}
+List<String> validScope = clientDetails.getScope();
+for (String scope : scopes) {
+if (!validScope.contains(scope)) {
+throw new InvalidScopeException("Invalid scope: " + scope);
+}
+}
+}
+
+}
+
+private void validateGrantType(String grantType, ClientDetails clientDetails) {
+List<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes();
+if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty()
+&& !authorizedGrantTypes.contains(grantType)) {
+throw new InvalidGrantException("Unauthorized grant type: " + grantType);
+}
+}
+
+}

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java

@@ -16,88 +16,30 @@
 
 package org.springframework.security.oauth2.provider.client;
 
-import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
-import java.util.Set;
 
-import org.springframework.security.authentication.encoding.PasswordEncoder;
-import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
-import org.springframework.security.oauth2.common.OAuth2AccessToken;
-import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
-import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
-import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
-import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.AbstractTokenGranter;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.ClientToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.SaltedClientSecret;
-import org.springframework.security.oauth2.provider.TokenGranter;
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
 
 /**
  * @author Dave Syer
  * 
  */
-public class ClientCredentialsTokenGranter implements TokenGranter {
+public class ClientCredentialsTokenGranter extends AbstractTokenGranter {
 
 private static final String GRANT_TYPE = "client_credentials";
-private final AuthorizationServerTokenServices tokenServices;
-private final ClientDetailsService clientDetailsService;
-private PasswordEncoder passwordEncoder = new PlaintextPasswordEncoder();
 
-public ClientCredentialsTokenGranter(AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService) {
-this.tokenServices = tokenServices;
-this.clientDetailsService = clientDetailsService;
+public ClientCredentialsTokenGranter(AuthorizationServerTokenServices tokenServices,
+ClientDetailsService clientDetailsService) {
+super(tokenServices, clientDetailsService, GRANT_TYPE);
 }
 
-public OAuth2AccessToken grant(String grantType, Map<String, String> parameters, String clientId,
-String clientSecret, Set<String> authorizationScope) {
-
-if (!GRANT_TYPE.equals(grantType)) {
-return null;
-}
-
-// TODO: move this out to a filter?
-ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
-if (clientDetails.isSecretRequired()) {
-String assertedSecret = clientSecret;
-if (assertedSecret == null) {
-throw new UnauthorizedClientException("Client secret is required but not provided.");
-} else {
-Object salt = null;
-if (clientDetails instanceof SaltedClientSecret) {
-salt = ((SaltedClientSecret) clientDetails).getSalt();
-}
-
-if (!passwordEncoder.isPasswordValid(clientDetails.getClientSecret(), assertedSecret, salt)) {
-throw new UnauthorizedClientException("Invalid client secret.");
-}
-}
-}
-
-if (clientDetails.isScoped()) {
-if (authorizationScope.isEmpty()) {
-throw new InvalidScopeException("Invalid scope (none)");
-}
-List<String> validScope = clientDetails.getScope();
-for (String scope : authorizationScope) {
-if (!validScope.contains(scope)) {
-throw new InvalidScopeException("Invalid scope: " + scope);
-}
-}
-}
-
-List<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes();
-if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty()
-&& !authorizedGrantTypes.contains(grantType)) {
-throw new InvalidGrantException("Unauthorized grant type: " + grantType);
-}
-
-ClientToken clientAuth = new ClientToken(clientId, new HashSet<String>(
-clientDetails.getResourceIds()), clientSecret, authorizationScope, clientDetails.getAuthorities());
-return tokenServices.createAccessToken(new OAuth2Authentication(clientAuth, null));
-
+@Override
+protected OAuth2Authentication getOAuth2Authentication(Map<String, String> parameters, ClientToken clientToken) {
+return new OAuth2Authentication(clientToken, null);
 }
 
 }