From 545e2c1a96a6b622a35a6884f56de359f7acabc7 Mon Sep 17 00:00:00 2001
From: MaxKey
Date: Sun, 27 Feb 2022 21:32:36 +0800
Subject: [PATCH] =?UTF-8?q?OIDC=E6=8E=A5=E5=8F=A3=E4=BC=98=E5=8C=96=20#I4V?=
 =?UTF-8?q?FYD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../authn/support/basic/BasicEntryPoint.java | 2 +-
 .../maxkey/util/AuthorizationHeaderUtils.java | 27 ++++++++++--
 .../main/java/org/maxkey/web/WebContext.java | 44 ++++++++++++-------
 .../org/maxkey/web/WebXssRequestFilter.java | 7 +--
 .../TokenEndpointAuthenticationFilter.java | 4 --
 .../userinfo/endpoint/UserInfoEndpoint.java | 20 +++------
 .../endpoint/UserInfoOIDCEndpoint.java | 12 ++---
 .../maxkey/web/endpoint/LoginEndpoint.java | 2 -
 .../Oauth20ApiPermissionAdapter.java | 2 +-
 .../interceptor/RestApiPermissionAdapter.java | 2 +-
 10 files changed, 67 insertions(+), 55 deletions(-)
diff --git a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
index 4727333c0..d5a196f90 100644
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
@@ -85,7 +85,7 @@ public class BasicEntryPoint implements AsyncHandlerInterceptor {
 _logger.info("recreate new session .");
 request.getSession(true);
 }
- String basicCredential =request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+ String basicCredential =request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 _logger.info("getSession.getId : "+ request.getSession().getId());
 _logger.info("Authorization : " + basicCredential);
diff --git a/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java b/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
index ac219e36a..7bbd036f4 100644
--- a/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
+++ b/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
@@ -17,6 +17,8 @@ package org.maxkey.util;
+import javax.servlet.http.HttpServletRequest;
+
 import org.maxkey.crypto.Base64Utils;
 /**
@@ -25,7 +27,14 @@ import org.maxkey.crypto.Base64Utils;
 */
 public class AuthorizationHeaderUtils {
- public static final String AUTHORIZATION_HEADERNAME = "Authorization";
+ /**
+ * first UpperCase
+ */
+ public static final String HEADER_Authorization = "Authorization";
+ /**
+ * first LowerCase
+ */
+ public static final String HEADER_authorization = "authorization";
 public static String createBasic(String username, String password) {
 String authUserPass = username + ":" + password;
@@ -34,7 +43,7 @@ public class AuthorizationHeaderUtils {
 }
 public static AuthorizationHeaderCredential resolve(String authorization) {
- if (isBasic(authorization)) {
+ if (StringUtils.isNotBlank(authorization) && isBasic(authorization)) {
 String decodeUserPass = Base64Utils.decode(authorization.split(" ")[1]);
 String []userPass =decodeUserPass.split(":");
 return new AuthorizationHeaderCredential(userPass[0],userPass[1]);
@@ -56,10 +65,10 @@ public class AuthorizationHeaderUtils {
 }
 public static String resolveBearer(String bearer) {
- if (isBearer(bearer)) {
+ if (StringUtils.isNotBlank(bearer) && isBearer(bearer)) {
 return bearer.split(" ")[1];
 } else {
- return null;
+ return bearer;
 }
 }
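Review bot: The new `isNotBlank` guard in `resolve` still leaves the two index expressions unprotected: a header consisting of just `Basic` makes `authorization.split(" ")[1]` throw `ArrayIndexOutOfBoundsException`, and a decoded value without a `:` does the same at `userPass[1]`, so a malformed credential becomes an uncaught exception in the interceptors rather than a rejection. Splitting with a limit and checking the length keeps the same result for well-formed input, e.g. `String[] parts = authorization.split(" ", 2);` and `String[] userPass = decodeUserPass.split(":", 2);` each followed by a `length < 2` check that falls through to whatever the non-Basic branch returns. Whether `Base64Utils.decode` tolerates malformed input is not visible here. The rest of `resolve` continues outside the hunk.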
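Review bot: `resolveBearer(String)` now returns the raw header value instead of `null` when it is not a `Bearer` credential, so a `Basic …` header (or any other scheme) is handed on as if it were an access token; in the Oauth20ApiPermissionAdapter hunk that value goes straight into `oauth20tokenServices.loadAuthentication` with no format check in between, and in the two userinfo hunks it reaches `StringGenerator.uuidMatches`. If the intent is to keep accepting a bare token sent without the `Bearer ` prefix, return it only when no scheme is present at all, e.g. `return bearer.indexOf(' ') < 0 ? bearer : null;` in the else branch, and state that contract in a Javadoc line such as `@return the token, or null if the header carries a different scheme`. A `@param bearer may be null or blank` line would also document the case the new guard was added for.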
@@ -70,5 +79,15 @@ public class AuthorizationHeaderUtils {
 return false;
 }
 }
+
+ public static String resolveBearer(HttpServletRequest request) {
+ String authorization =
+ StringUtils.isNotBlank(request.getHeader(HEADER_Authorization)) ?
+ request.getHeader(HEADER_Authorization) : request.getHeader(HEADER_authorization);
+ if(StringUtils.isNotBlank(authorization)) {
+ return resolveBearer(authorization);
+ }
+ return null;
+ }
 }
diff --git a/maxkey-core/src/main/java/org/maxkey/web/WebContext.java b/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
index 33838a9bf..bd03e95b1 100644
--- a/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
@@ -56,6 +56,10 @@ import org.springframework.web.servlet.support.RequestContextUtils;
 * @author Crystal.Sea
 * @since 1.5
 */
+/**
+ * @author shimi
+ *
+ */
 public final class WebContext {
 final static Logger _logger = LoggerFactory.getLogger(WebContext.class);
@@ -275,22 +279,32 @@ public final class WebContext {
 }
+ /**
+ * isTraceEnabled print request headers and parameters
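Review bot: The `HEADER_Authorization` / `HEADER_authorization` fallback in the new `resolveBearer(HttpServletRequest)` is redundant, because `HttpServletRequest.getHeader` is specified as case-insensitive, so the second lookup can never return something the first did not; the -25/+27 hunk that introduces the two constants can therefore keep a single `UPPER_SNAKE_CASE` constant. The method also calls `request.getHeader(HEADER_Authorization)` twice; the body reduces to `String authorization = request.getHeader(HEADER_Authorization);` followed by `return StringUtils.isNotBlank(authorization) ? resolveBearer(authorization) : null;`. `StringUtils` is used throughout this file but no import for it appears in the +17 hunk — presumably it is the same-package `org.maxkey.util.StringUtils`; worth confirming it is not the commons-lang3 class the UserInfoEndpoint hunk imports, since the null semantics of the two may differ.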
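Review bot: The added `/** @author shimi */` block sits directly between the existing class Javadoc and `public final class WebContext`, and javadoc attaches only the doc comment immediately preceding the declaration, so the original description with `@author Crystal.Sea` and `@since 1.5` disappears from generated docs. Add ` * @author shimi` as a line inside the existing comment instead and drop the second block.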
+ * see WebInstRequestFilter
+ * @param request
+ */
 public static void printRequest(final HttpServletRequest request) {
- _logger.trace("getRequestURL : "+request.getRequestURL());
- _logger.trace("getMethod : "+request.getMethod());
- Enumeration headerNames = request.getHeaderNames();
- while (headerNames.hasMoreElements()) {
- String key = (String) headerNames.nextElement();
- String value = request.getHeader(key);
- _logger.trace("Header key "+key +" , value " + value);
- }
-
- Enumeration parameterNames = request.getParameterNames();
- while (parameterNames.hasMoreElements()) {
- String key = (String) parameterNames.nextElement();
- String value = request.getParameter(key);
- _logger.trace("Parameter "+key +" , value " + value);
- }
+ if(_logger.isTraceEnabled()) {
+ _logger.trace("getContextPath : {}" , request.getContextPath());
+ _logger.trace("getRequestURL : {} " , request.getRequestURL());
+ _logger.trace("URL : {}" , request.getRequestURI().substring(request.getContextPath().length()));
+ _logger.trace("getMethod : {} " , request.getMethod());
+
+ Enumeration headerNames = request.getHeaderNames();
+ while (headerNames.hasMoreElements()) {
+ String key = (String) headerNames.nextElement();
+ String value = request.getHeader(key);
+ _logger.trace("Header key {} , value {}" , key, value);
+ }
+
+ Enumeration parameterNames = request.getParameterNames();
+ while (parameterNames.hasMoreElements()) {
+ String key = (String) parameterNames.nextElement();
+ String value = request.getParameter(key);
+ _logger.trace("Parameter {} , value {}",key , value);
+ }
+ }
 }
 /**
diff --git a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
index f7beab022..6a425881b 100644
--- a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
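Review bot: `printRequest` logs every header and every parameter verbatim, which at trace level writes `Authorization` bearer tokens, `Cookie` session ids and form parameters such as the login password into the log file; the new `isTraceEnabled` guard only avoids the string work, it does not keep credentials out of a deployment that has trace enabled. Mask the values of credential-bearing headers (and the password parameter, whose name is not visible here) before they are logged. Since Servlet 3.0 `getHeaderNames()` returns `Enumeration<String>`, so the raw `Enumeration` and the `(String)` casts can go at the same time. The Javadoc should also state explicitly what the code now only implies: the method is a no-op unless trace logging is enabled.
```java
    public static void printRequest(final HttpServletRequest request) {
        if(_logger.isTraceEnabled()) {
            // … unchanged: context path / URL / method trace lines …
            Enumeration<String> headerNames = request.getHeaderNames();
            while (headerNames.hasMoreElements()) {
                String key = headerNames.nextElement();
                String value = isCredentialHeader(key) ? "[masked]" : request.getHeader(key);
                _logger.trace("Header key {} , value {}" , key, value);
            }
            // … unchanged: parameter loop; apply the same masking to the password parameter …
        }
    }

    // Headers whose values are credentials and must not be written to the log.
    private static boolean isCredentialHeader(String name) {
        return "authorization".equalsIgnoreCase(name)
                || "proxy-authorization".equalsIgnoreCase(name)
                || "cookie".equalsIgnoreCase(name);
    }
```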
@@ -70,15 +70,10 @@ public class WebXssRequestFilter extends GenericFilterBean {
 public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 _logger.trace("WebXssRequestFilter");
- boolean isWebXss = false;
 HttpServletRequest request= ((HttpServletRequest)servletRequest);
- String requestURI=request.getRequestURI();
- _logger.trace("getContextPath " +request.getContextPath());
- _logger.trace("getRequestURL " + ((HttpServletRequest)request).getRequestURI());
- _logger.trace("URL " +requestURI.substring(request.getContextPath().length()));
- if(skipUrlMap.containsKey(requestURI.substring(request.getContextPath().length()))) {
+ if(skipUrlMap.containsKey(request.getRequestURI().substring(request.getContextPath().length()))) {
 isWebXss = false;
 }else {
 Enumeration parameterNames = request.getParameterNames();
diff --git a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
index 0d0ff4998..af9745238 100644
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
@@ -136,10 +136,6 @@ public class TokenEndpointAuthenticationFilter implements Filter {
 final HttpServletRequest request = (HttpServletRequest) req;
 final HttpServletResponse response = (HttpServletResponse) res;
- if(_logger.isTraceEnabled()) {
- WebContext.printRequest(request);
- }
-
 try {
 String grantType = request.getParameter(OAuth2Constants.PARAMETER.GRANT_TYPE);
 if (grantType != null && grantType.equals(OAuth2Constants.PARAMETER.GRANT_TYPE_PASSWORD)) {
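Review bot: The hunk deletes `boolean isWebXss = false;` but the context line `isWebXss = false;` inside the `if` branch still assigns it, so unless `isWebXss` is declared as a field elsewhere in the class (outside this hunk) `doFilter` no longer compiles. If it is a field, that is a different problem: the filter is a singleton shared by concurrent requests, so a per-request flag held in a field races between them — keep the local declaration, `boolean isWebXss = false;`, right after the `request` cast. The method continues outside the hunk.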
diff --git a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
index 6bf24cf9d..231eeee9c 100644
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
@@ -18,13 +18,13 @@ package org.maxkey.authz.oauth2.provider.userinfo.endpoint;
 import java.lang.reflect.InvocationTargetException;
-import java.util.Enumeration;
 import java.util.HashMap;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.maxkey.authn.SigninPrincipal;
 import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
 import org.maxkey.authz.oauth2.common.OAuth2Constants;
@@ -48,7 +48,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -83,27 +82,18 @@ public class UserInfoEndpoint {
 @RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_USERINFO, method={RequestMethod.POST, RequestMethod.GET})
 public void apiV20UserInfo(
 @RequestParam(value = "access_token", required = false) String access_token,
- @RequestHeader(value = "authorization", required = false) String authorization_bearer,
 HttpServletRequest request,
 HttpServletResponse response) {
- if(access_token == null && authorization_bearer!= null) {
- if(_logger.isTraceEnabled()) {
- _logger.trace("getRequestURL : "+request.getRequestURL());
- Enumeration headerNames = request.getHeaderNames();
- while (headerNames.hasMoreElements()) {
- String key = (String) headerNames.nextElement();
- String value = request.getHeader(key);
- _logger.trace("Header key "+key +" , value " + value);
- }
- }
+ if(StringUtils.isBlank(access_token)) {
 //for header authorization bearer
- access_token = AuthorizationHeaderUtils.resolveBearer(authorization_bearer);
+ access_token = AuthorizationHeaderUtils.resolveBearer(request);
 }
- String principal="";
 if (!StringGenerator.uuidMatches(access_token)) {
 httpResponseAdapter.write(response,JsonUtils.gson2Json(accessTokenFormatError(access_token)),"json");
 }
+
+ String principal="";
 OAuth2Authentication oAuth2Authentication =null;
 try{
 oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
diff --git a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
index aac74a75e..bbb6186a6 100644
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
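Review bot: When `StringGenerator.uuidMatches(access_token)` fails, `apiV20UserInfo` writes the format-error JSON but does not return, so execution continues into `oauth20tokenServices.loadAuthentication(access_token)` with the rejected value — now including `null`, when neither the `access_token` parameter nor the header carried a token — and whatever the rest of the method writes to `response` presumably lands after the error body; add `return;` directly after the `httpResponseAdapter.write(...)` call. How `uuidMatches` behaves on `null` is not visible here, so an explicit `access_token == null ||` in that condition would make the intent clear. The method body continues outside the hunk.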
@@ -42,6 +42,7 @@ import org.maxkey.entity.UserInfo;
 import org.maxkey.entity.apps.oauth2.provider.ClientDetails;
 import org.maxkey.persistence.service.AppsService;
 import org.maxkey.persistence.service.UserInfoService;
+import org.maxkey.util.AuthorizationHeaderUtils;
 import org.maxkey.util.JsonUtils;
 import org.maxkey.util.StringGenerator;
 import org.maxkey.web.HttpResponseAdapter;
@@ -51,7 +52,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -100,15 +100,15 @@ public class UserInfoOIDCEndpoint {
 @Operation(summary = "OIDC 用户信息接口", description = "传递Authorization参数access_token",method="GET")
 @RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_OPENID_CONNECT_USERINFO, method={RequestMethod.POST, RequestMethod.GET})
 @ResponseBody
- public String connect10aUserInfo(
- @RequestHeader(value = "Authorization", required = true) String access_token,
- HttpServletRequest request,
- HttpServletResponse response) {
- String principal="";
+ public String connect10aUserInfo(HttpServletRequest request,
+ HttpServletResponse response) {
+ String access_token = AuthorizationHeaderUtils.resolveBearer(request);
+
 if (!StringGenerator.uuidMatches(access_token)) {
 return JsonUtils.gson2Json(accessTokenFormatError(access_token));
 }
+ String principal="";
 OAuth2Authentication oAuth2Authentication =null;
 try{
 oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
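Review bot: Dropping the `@RequestHeader(required = true)` parameter changes the failure mode for a request without an `Authorization` header: Spring used to reject it before the handler ran, now `access_token` is `null` and goes straight into `StringGenerator.uuidMatches`, whose null handling is not visible here; make it explicit with `if (access_token == null || !StringGenerator.uuidMatches(access_token)) {`. The header has also vanished from the OpenAPI description — `@Operation` still says to pass it, but nothing declares it any more; if the swagger annotations stay in use, a `@Parameter(in = ParameterIn.HEADER, name = "Authorization")` on the method restores that. The method continues outside the hunk.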
diff --git a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
index d468aa463..a43fead7d 100644
--- a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
+++ b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
@@ -99,8 +99,6 @@ public class LoginEndpoint {
 public ModelAndView login(HttpServletRequest request) {
 _logger.debug("LoginController /login.");
- WebContext.printRequest(request);
-
 boolean isAuthenticated= WebContext.isAuthenticated();
 if(isAuthenticated){
diff --git a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
index 97b8cb510..acab22423 100644
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
@@ -61,7 +61,7 @@ public class Oauth20ApiPermissionAdapter implements AsyncHandlerInterceptor {
 @Override
 public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
 _logger.trace("Oauth20ApiPermissionAdapter preHandle");
- String authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+ String authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 String accessToken = AuthorizationHeaderUtils.resolveBearer(authorization);
 OAuth2Authentication authentication = oauth20tokenServices.loadAuthentication(accessToken);
diff --git a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
index f35b87f34..d8c2a266f 100644
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
@@ -65,7 +65,7 @@ public class RestApiPermissionAdapter implements AsyncHandlerInterceptor {
 @Override
 public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
 _logger.trace("RestApiPermissionAdapter preHandle");
- String authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+ String authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 AuthorizationHeaderCredential headerCredential = AuthorizationHeaderUtils.resolve(authorization);
 //判断应用的AppId和Secret