DRYD-203: Expect passwords to be base64-encoded on oauth2 password grant requests.
authorRay Lee <rhlee@berkeley.edu>
Sun, 24 Dec 2017 00:00:59 +0000 (16:00 -0800)
committerRay Lee <rhlee@berkeley.edu>
Sun, 24 Dec 2017 00:00:59 +0000 (16:00 -0800)
services/IntegrationTests/src/test/java/org/collectionspace/services/IntegrationTests/test/JsonIntegrationTest.java
services/IntegrationTests/src/test/resources/test-data/xmlreplay/security-oauth/password-grant-admin.txt
services/IntegrationTests/src/test/resources/test-data/xmlreplay/security-oauth/password-grant-bad-password.txt
services/IntegrationTests/src/test/resources/test-data/xmlreplay/security-oauth/password-grant-reader.txt
services/JaxRsServiceProvider/src/main/webapp/WEB-INF/oauth-servlet.xml
services/authorization/service/pom.xml
services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/CSpaceOAuth2RequestFactory.java [new file with mode: 0644]

index 94a5102894d5ab7f86bfc33c719c7b7b2f71fe44..fb14d63087d6a1e13d29dc8378c73a35be8435f6 100644 (file)
@@ -2,6 +2,9 @@ package org.collectionspace.services.IntegrationTests.test;
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+
+import javax.xml.bind.DatatypeConverter;
 
 import static org.testng.Assert.*;
 
@@ -77,9 +80,11 @@ public class JsonIntegrationTest {
     
     @Test
     public void testAuth() throws ClientProtocolException, IOException {
+        String base64EncodedPassword = DatatypeConverter.printBase64Binary(PASSWORD.getBytes(StandardCharsets.UTF_8));
+        
         JsonNode jsonNode;
         
-        jsonNode = postAuthForm("oauth/token", "grant_type=password&username=" + USERNAME + "&password=" + PASSWORD);
+        jsonNode = postAuthForm("oauth/token", "grant_type=password&username=" + USERNAME + "&password=" + base64EncodedPassword);
 
         assertEquals(jsonNode.at("/token_type").asText(), "bearer");
         assertTrue(StringUtils.isNotEmpty(jsonNode.at("/access_token").asText()));
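Review bot: The base64 string built on the first added line is concatenated into the form body unescaped on the new `postAuthForm` line, so any `+` it contains is decoded to a space by standard form parsing and `=` padding is passed through unescaped; the replay fixture in the same commit (`password=QWRtaW5pc3RyYXRvcg%3D%3D`) does URL-encode, so the Java test should too. Change the call to `jsonNode = postAuthForm("oauth/token", "grant_type=password&username=" + USERNAME + "&password=" + URLEncoder.encode(base64EncodedPassword, StandardCharsets.UTF_8.name()));` and add `import java.net.URLEncoder;` in the import hunk (its `UnsupportedEncodingException` is covered by the method's existing `throws IOException`). The import hunk also pulls in `javax.xml.bind.DatatypeConverter`, which is no longer part of the JDK from Java 11 on; `java.util.Base64.getEncoder().encodeToString(PASSWORD.getBytes(StandardCharsets.UTF_8))` is the standard-library equivalent. The body of testAuth continues past the end of this hunk.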
index 0bf30694ec32d1941d68d9d7b3aba8b1796634bb..6c1f1ec063c931fb0bfd6e36510de731fb607b71 100644 (file)
@@ -1 +1 @@
-grant_type=password&username=admin@core.collectionspace.org&password=Administrator
\ No newline at end of file
+grant_type=password&username=admin@core.collectionspace.org&password=QWRtaW5pc3RyYXRvcg%3D%3D
\ No newline at end of file
index 1a5022c1a8748fa464ec250c9a37095152326ca9..40b4a0540ec3cd0e4c81b2709b698af0d3be18cc 100644 (file)
@@ -1 +1 @@
-grant_type=password&username=admin@core.collectionspace.org&password=NotThePassword
\ No newline at end of file
+grant_type=password&username=admin@core.collectionspace.org&password=NotTheBase64EncodedPassword
\ No newline at end of file
index b74be9dc524ed29ebdb0e16ec561bd9bd6738059..d0ed77a65c2b0c2f6d6b59c167a32e4a70ae4e7f 100644 (file)
@@ -1 +1 @@
-grant_type=password&username=reader@core.collectionspace.org&password=reader
\ No newline at end of file
+grant_type=password&username=reader@core.collectionspace.org&password=cmVhZGVy
\ No newline at end of file
index bc408d0664bd4c07683e808b12977646d0229a5c..2f379635369937d544b2382bd6d1d2af6b6aa3f3 100644 (file)
@@ -7,7 +7,11 @@
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
        http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
 
-    <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
+    <oauth:authorization-server
+        client-details-service-ref="clientDetails"
+        token-services-ref="tokenServices"
+        authorization-request-manager-ref="oauthRequestManager"
+    >
         <oauth:refresh-token />
         <oauth:password authentication-manager-ref="userAuthenticationManager" />
     </oauth:authorization-server>
     <mvc:annotation-driven />
 
     <mvc:default-servlet-handler />
-    
+
+    <bean id="oauthRequestManager" class="org.collectionspace.services.authorization.spring.CSpaceOAuth2RequestFactory">
+        <constructor-arg ref="clientDetails" />
+    </bean>
+
     <bean id="viewResolver" class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
         <property name="defaultViews">
             <list>
index 0cb33a980fdd0e83a37bbf6a505da89f569f0588..2f13b965e40648b1f2dcc93733fbe6c795c4862f 100644 (file)
             <version>${spring.security.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.security.oauth</groupId>
+            <artifactId>spring-security-oauth2</artifactId>
+            <version>${spring.security.oauth2.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-context</artifactId>
diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/CSpaceOAuth2RequestFactory.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/CSpaceOAuth2RequestFactory.java
new file mode 100644 (file)
index 0000000..7cd8075
--- /dev/null
@@ -0,0 +1,100 @@
+/**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2009 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *//**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2009 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+package org.collectionspace.services.authorization.spring;
+
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.xml.bind.DatatypeConverter;
+
+import org.springframework.security.oauth2.provider.AuthorizationRequest;
+import org.springframework.security.oauth2.provider.ClientDetails;
+import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.TokenRequest;
+import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
+
+/**
+ * An OAuth2RequestFactory that expects the password to be base64 encoded. This implementation
+ * copies the parameters, decodes the password if present, and passes the result to
+ * DefaultOAuth2RequestFactory.
+ */
+public class CSpaceOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
+    private final String PASSWORD_PARAMETER = "password";
+    
+    public CSpaceOAuth2RequestFactory(ClientDetailsService clientDetailsService) {
+        super(clientDetailsService);
+    }
+
+    @Override
+    public AuthorizationRequest createAuthorizationRequest(
+            Map<String, String> authorizationParameters) {
+        return super.createAuthorizationRequest(decodePassword(authorizationParameters));
+    }
+
+    @Override
+    public TokenRequest createTokenRequest(
+            Map<String, String> requestParameters,
+            ClientDetails authenticatedClient) {
+        return super.createTokenRequest(decodePassword(requestParameters), authenticatedClient);
+    }
+    
+    private Map<String, String> decodePassword(Map<String, String> parameters) {
+        if (parameters.containsKey(PASSWORD_PARAMETER)) {
+            String base64EncodedPassword = parameters.get(PASSWORD_PARAMETER);
+            String password = new String(DatatypeConverter.parseBase64Binary(base64EncodedPassword), StandardCharsets.UTF_8);
+
+            Map<String, String> parametersCopy = new HashMap<String, String>(parameters);
+
+            parametersCopy.put(PASSWORD_PARAMETER, password);
+
+            return parametersCopy;
+        }
+
+        return parameters;
+    }
+}
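Review bot: `decodePassword` relies on `javax.xml.bind.DatatypeConverter.parseBase64Binary`, which is not in the JDK from Java 11 on (a concern in a repository named jakarta-migration) and silently skips characters that are not valid base64, so a malformed `password` parameter still reaches the authentication manager as whatever bytes happen to decode; `java.util.Base64` is the stdlib replacement, but it throws `IllegalArgumentException` on malformed input, so the decoder must catch that and leave the parameter untouched so the grant fails as a bad credential rather than a server error (the `password-grant-bad-password.txt` fixture depends on that). Two smaller points: the license header is pasted twice (the `*//**` at the end of the first copy), and `PASSWORD_PARAMETER` should be `private static final`. The class Javadoc should also state that base64 is an encoding only and offers no confidentiality for the credential on the wire; I would add `Note: base64 is an encoding, not a protection; the password is still transmitted in the clear unless the transport is protected.` The rewrite below replaces the body of `decodePassword` and needs `import java.util.Base64;` in place of the `javax.xml.bind` import.

```java
private static final String PASSWORD_PARAMETER = "password";

// … unchanged: constructor, createAuthorizationRequest, createTokenRequest …

/**
 * Returns a copy of {@code parameters} with the {@code password} value base64-decoded,
 * or {@code parameters} itself when there is no password or it is not valid base64
 * (the undecoded value is left in place so authentication fails normally).
 */
private Map<String, String> decodePassword(Map<String, String> parameters) {
    String encoded = parameters.get(PASSWORD_PARAMETER);
    if (encoded == null) {
        return parameters;
    }

    byte[] raw;
    try {
        raw = Base64.getDecoder().decode(encoded);
    } catch (IllegalArgumentException notBase64) {
        // Not valid base64: leave the parameter as-is so the grant is rejected
        // as a bad credential instead of surfacing as a server error.
        return parameters;
    }

    Map<String, String> parametersCopy = new HashMap<>(parameters);
    parametersCopy.put(PASSWORD_PARAMETER, new String(raw, StandardCharsets.UTF_8));
    return parametersCopy;
}
```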