OIDC接口优化 #I4VFYD

2025-12-07 17:38:32 +08:00 · 2022-02-27 21:32:36 +08:00 · 2022-02-27 21:32:36 +08:00 · 545e2c1a96
commit 545e2c1a96
parent 933780d082
10 changed files with 67 additions and 55 deletions
--- a/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
+++ b/maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java
@ -85,7 +85,7 @@ public class BasicEntryPoint implements   AsyncHandlerInterceptor {
 		    _logger.info("recreate new session .");
 			request.getSession(true);
 		 }
-		 String basicCredential =request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+		 String basicCredential =request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 		 _logger.info("getSession.getId : "+ request.getSession().getId());
 		 
 		 _logger.info("Authorization : " + basicCredential);
--- a/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
+++ b/maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java
@ -17,6 +17,8 @@

 package org.maxkey.util;

+import javax.servlet.http.HttpServletRequest;
+
 import org.maxkey.crypto.Base64Utils;

 /**
@ -25,7 +27,14 @@ import org.maxkey.crypto.Base64Utils;
 */
 public class AuthorizationHeaderUtils {

-    public static final String AUTHORIZATION_HEADERNAME = "Authorization";
+	/**
+	 * first UpperCase
+	 */
+    public static final String HEADER_Authorization = "Authorization";
+    /**
+     * first LowerCase
+     */
+    public static final String HEADER_authorization = "authorization";

    public static String createBasic(String username, String password) {
        String authUserPass = username + ":" + password;
@ -34,7 +43,7 @@ public class AuthorizationHeaderUtils {
    }

    public static AuthorizationHeaderCredential resolve(String authorization) {
-        if (isBasic(authorization)) {
+        if (StringUtils.isNotBlank(authorization) && isBasic(authorization)) {
            String decodeUserPass = Base64Utils.decode(authorization.split(" ")[1]);
            String []userPass =decodeUserPass.split(":");
            return new AuthorizationHeaderCredential(userPass[0],userPass[1]);
@ -56,10 +65,10 @@ public class AuthorizationHeaderUtils {
    }

    public static String resolveBearer(String bearer) {
-        if (isBearer(bearer)) {
+        if (StringUtils.isNotBlank(bearer) && isBearer(bearer)) {
            return bearer.split(" ")[1];
        } else {
-            return null;
+            return bearer;
        }
    }
    
@ -71,4 +80,14 @@ public class AuthorizationHeaderUtils {
        }
    }
    
+    public  static String resolveBearer(HttpServletRequest request) {
+    	String authorization = 
+    			StringUtils.isNotBlank(request.getHeader(HEADER_Authorization)) ? 
+    					request.getHeader(HEADER_Authorization) : request.getHeader(HEADER_authorization);
+    	if(StringUtils.isNotBlank(authorization)) {
+    		return resolveBearer(authorization);
+    	}
+    	return null;
+    }
+
 }
--- a/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebContext.java
@ -56,6 +56,10 @@ import org.springframework.web.servlet.support.RequestContextUtils;
 * @author Crystal.Sea
 * @since 1.5
 */
+/**
+ * @author shimi
+ *
+ */
 public final class WebContext {
    
    final static Logger _logger = LoggerFactory.getLogger(WebContext.class);
@ -275,21 +279,31 @@ public final class WebContext {

    }
    
+    /**
+     * isTraceEnabled print request headers and parameters<br>
+     * see WebInstRequestFilter
+     * @param request
+     */
    public static void printRequest(final HttpServletRequest request) {
-    	_logger.trace("getRequestURL : "+request.getRequestURL());
-    	_logger.trace("getMethod : "+request.getMethod());
+    	if(_logger.isTraceEnabled()) {
+    		_logger.trace("getContextPath : {}"  , request.getContextPath());
+	    	_logger.trace("getRequestURL : {} " , request.getRequestURL());
+			_logger.trace("URL : {}" , request.getRequestURI().substring(request.getContextPath().length()));
+	    	_logger.trace("getMethod : {} " , request.getMethod());
+	    	
 	        Enumeration<String> headerNames = request.getHeaderNames();
 	        while (headerNames.hasMoreElements()) {
 	          String key = (String) headerNames.nextElement();
 	          String value = request.getHeader(key);
-          _logger.trace("Header key "+key +" , value " + value);
+	          _logger.trace("Header key {} , value {}" , key, value);
 	        }
 	        
 	        Enumeration<String> parameterNames = request.getParameterNames();
 	        while (parameterNames.hasMoreElements()) {
 	          String key = (String) parameterNames.nextElement();
 	          String value = request.getParameter(key);
-          _logger.trace("Parameter "+key +" , value " + value);
+	          _logger.trace("Parameter {} , value {}",key , value);
+	        }
    	}
    }

--- a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
@ -70,15 +70,10 @@ public class WebXssRequestFilter  extends GenericFilterBean {
 	public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain)
 			throws IOException, ServletException {
 		_logger.trace("WebXssRequestFilter");
-		
 		boolean isWebXss = false;
 		HttpServletRequest request= ((HttpServletRequest)servletRequest);
-		String requestURI=request.getRequestURI();
-		_logger.trace("getContextPath " +request.getContextPath());
-		_logger.trace("getRequestURL " + ((HttpServletRequest)request).getRequestURI());
-		_logger.trace("URL " +requestURI.substring(request.getContextPath().length()));
 		
-		if(skipUrlMap.containsKey(requestURI.substring(request.getContextPath().length()))) {
+		if(skipUrlMap.containsKey(request.getRequestURI().substring(request.getContextPath().length()))) {
 			isWebXss = false;
 		}else {
 	        Enumeration<String> parameterNames = request.getParameterNames();
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java
@ -136,10 +136,6 @@ public class TokenEndpointAuthenticationFilter implements Filter {
 		final HttpServletRequest request = (HttpServletRequest) req;
 		final HttpServletResponse response = (HttpServletResponse) res;

-		if(_logger.isTraceEnabled()) {
-			WebContext.printRequest(request);
-		}
-		
 		try {
 			String grantType = request.getParameter(OAuth2Constants.PARAMETER.GRANT_TYPE);
 			if (grantType != null && grantType.equals(OAuth2Constants.PARAMETER.GRANT_TYPE_PASSWORD)) {
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java
@ -18,13 +18,13 @@
 package org.maxkey.authz.oauth2.provider.userinfo.endpoint;

 import java.lang.reflect.InvocationTargetException;
-import java.util.Enumeration;
 import java.util.HashMap;

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.maxkey.authn.SigninPrincipal;
 import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
 import org.maxkey.authz.oauth2.common.OAuth2Constants;
@ -48,7 +48,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@ -83,27 +82,18 @@ public class UserInfoEndpoint {
 	@RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_USERINFO, method={RequestMethod.POST, RequestMethod.GET}) 
 	public void apiV20UserInfo(
 			@RequestParam(value = "access_token", required = false) String access_token,
-			@RequestHeader(value = "authorization", required = false) String authorization_bearer,
            HttpServletRequest request, 
            HttpServletResponse response) {	        
-	        if(access_token == null && authorization_bearer!= null) {
-	        	if(_logger.isTraceEnabled()) {
-		        	_logger.trace("getRequestURL : "+request.getRequestURL());
-			        Enumeration<String> headerNames = request.getHeaderNames();
-			        while (headerNames.hasMoreElements()) {
-			          String key = (String) headerNames.nextElement();
-			          String value = request.getHeader(key);
-			          _logger.trace("Header key "+key +" , value " + value);
-			        }
-		        }
+	        if(StringUtils.isBlank(access_token)) {
 	        	//for header authorization bearer
-	        	access_token = AuthorizationHeaderUtils.resolveBearer(authorization_bearer);
+	        	access_token = AuthorizationHeaderUtils.resolveBearer(request);
 	        }
 	        
-			String principal="";
 			if (!StringGenerator.uuidMatches(access_token)) {
 				httpResponseAdapter.write(response,JsonUtils.gson2Json(accessTokenFormatError(access_token)),"json"); 
 			}
+			
+			String principal="";
 			OAuth2Authentication oAuth2Authentication =null;
 			try{
 				 oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
--- a/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
+++ b/maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java
@ -42,6 +42,7 @@ import org.maxkey.entity.UserInfo;
 import org.maxkey.entity.apps.oauth2.provider.ClientDetails;
 import org.maxkey.persistence.service.AppsService;
 import org.maxkey.persistence.service.UserInfoService;
+import org.maxkey.util.AuthorizationHeaderUtils;
 import org.maxkey.util.JsonUtils;
 import org.maxkey.util.StringGenerator;
 import org.maxkey.web.HttpResponseAdapter;
@ -51,7 +52,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
@ -100,15 +100,15 @@ public class UserInfoOIDCEndpoint {
    @Operation(summary = "OIDC 用户信息接口", description = "传递Authorization参数access_token",method="GET")
 	@RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_OPENID_CONNECT_USERINFO, method={RequestMethod.POST, RequestMethod.GET})
 	@ResponseBody
-	public String connect10aUserInfo(
-			@RequestHeader(value = "Authorization", required = true) String access_token,
-			HttpServletRequest request, 
+	public String connect10aUserInfo(HttpServletRequest request, 
 									 HttpServletResponse response) {
-		String principal="";
+    	String access_token = AuthorizationHeaderUtils.resolveBearer(request);
+		
 		if (!StringGenerator.uuidMatches(access_token)) {
 			return JsonUtils.gson2Json(accessTokenFormatError(access_token));
 		}
 		
+		String principal="";
 		OAuth2Authentication oAuth2Authentication =null;
 		try{
 			 oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
--- a/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
+++ b/maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java
@ -99,8 +99,6 @@ public class LoginEndpoint {
 	public ModelAndView login(HttpServletRequest request) {
 		_logger.debug("LoginController /login.");
 		
-		WebContext.printRequest(request);
-		
 		boolean isAuthenticated= WebContext.isAuthenticated();
 		
 		if(isAuthenticated){
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java
@ -61,7 +61,7 @@ public class Oauth20ApiPermissionAdapter  implements AsyncHandlerInterceptor  {
 	@Override
 	public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
 		 _logger.trace("Oauth20ApiPermissionAdapter preHandle");
-		String  authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+		String  authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 		 
 		 String accessToken = AuthorizationHeaderUtils.resolveBearer(authorization);
 		 OAuth2Authentication authentication = oauth20tokenServices.loadAuthentication(accessToken);
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java
@ -65,7 +65,7 @@ public class RestApiPermissionAdapter  implements AsyncHandlerInterceptor  {
 	@Override
 	public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
 		 _logger.trace("RestApiPermissionAdapter preHandle");
-		String  authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+		String  authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 		AuthorizationHeaderCredential headerCredential = AuthorizationHeaderUtils.resolve(authorization);
 		 
 		//判断应用的AppId和Secret