org.surfnet.oaaas.auth
Class AuthorizationServerFilter

java.lang.Object
  extended by org.surfnet.oaaas.auth.AuthorizationServerFilter
All Implemented Interfaces:
javax.servlet.Filter

public class AuthorizationServerFilter
extends Object
implements javax.servlet.Filter

Filter which can be used to protect all relevant resources by validating the OAuth access token with the Authorization Server. This is an example configuration:

 <filter>
   <filter-name>authorization-server</filter-name>
   <filter-class>org.surfnet.oaaas.auth.AuthorizationServerFilter</filter-class>
   <init-param>
     <param-name>resource-server-key</param-name>
     <param-value>university-foo</param-value>
   </init-param>
   <init-param>
     <param-name>resource-server-secret</param-name>
     <param-value>58b749f7-acb3-44b7-a38c-53d5ad740cf6</param-value>
   </init-param>
   <init-param>
     <param-name>authorization-server-url</param-name>
     <param-value>http://<host-name>/v1/tokeninfo</param-value>
   </init-param>
 </filter>
 <filter-mapping>
   <filter-name>authorization-server</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

The response of the Authorization Server is put on the HttpServletRequest as an attribute with the name VERIFY_TOKEN_RESPONSE.

Of course it might be better to use a properties file that depends on the environment (e.g. OTAP) to obtain the name, secret and URL. This can be achieved simply by providing an apis.application.properties file on the classpath, or by configuring a properties file name as an init-param (to have multiple resource servers in the same Tomcat instance). See init(FilterConfig).

Also note that by default the responses from the Authorization Server are not cached. This is configurable in the properties file used by this Filter; again see init(FilterConfig). The cache behaviour can also be changed by overriding cacheAccessTokens(), and to configure the cache differently override buildCache().
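As an added example (not code from the apis project), a resource servlet mapped behind this filter that reads the verification result from the VERIFY_TOKEN_RESPONSE request attribute and enforces a required scope before serving anything. It assumes VerifyTokenResponse lives in org.surfnet.oaaas.model and exposes getScopes() and getPrincipal().getName(); these getters are assumptions, not documented on this page.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.surfnet.oaaas.auth.AuthorizationServerFilter;
import org.surfnet.oaaas.model.VerifyTokenResponse; // assumed package

/**
 * Resource servlet mapped under the AuthorizationServerFilter's url-pattern.
 * The filter has already called the tokeninfo endpoint and stored its
 * response on the request; this servlet only decides whether the granted
 * scopes are sufficient for this particular resource.
 */
public class ReadProfileServlet extends HttpServlet {

  // Scope this resource requires (constructed example value).
  private static final String REQUIRED_SCOPE = "read";

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    Object attribute = request.getAttribute(AuthorizationServerFilter.VERIFY_TOKEN_RESPONSE);
    if (!(attribute instanceof VerifyTokenResponse)) {
      // The filter is not mapped in front of this servlet or did not run:
      // fail closed instead of serving the resource unauthenticated.
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no token verification result");
      return;
    }
    VerifyTokenResponse tokenInfo = (VerifyTokenResponse) attribute;
    if (!hasScope(tokenInfo.getScopes(), REQUIRED_SCOPE)) { // getScopes() is assumed
      // Token is valid but was not granted for this resource: 403, not 401.
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "scope '" + REQUIRED_SCOPE + "' required");
      return;
    }
    response.setContentType("text/plain");
    // getPrincipal().getName() is assumed to return the resource owner's name.
    response.getWriter().write("profile for " + tokenInfo.getPrincipal().getName());
  }

  /** Null-safe scope check; a missing scope list never grants access. */
  static boolean hasScope(List<String> grantedScopes, String requiredScope) {
    return grantedScopes != null && grantedScopes.contains(requiredScope);
  }
}
```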


Field Summary
static String VERIFY_TOKEN_RESPONSE
           
 
Constructor Summary
AuthorizationServerFilter()
           
 
Method Summary
protected  TokenResponseCache buildCache()
           
protected  boolean cacheAccessTokens()
           
protected  com.sun.jersey.api.client.Client createClient()
           
protected  org.codehaus.jackson.map.ObjectMapper createObjectMapper()
           
 void destroy()
           
 void doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain)
           
protected  String getAccessControlAllowedMethods()
           
protected  String getAccessControlMaxAge()
           
protected  String getAllowedHeaders(String requestHeaders)
           
protected  VerifyTokenResponse getVerifyTokenResponse(String accessToken)
           
protected  boolean handledCorsPreflightRequest(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
           
 void init(javax.servlet.FilterConfig filterConfig)
           
protected  void sendError(javax.servlet.http.HttpServletResponse response, int statusCode, String reason)
           
 void setAuthorizationServerUrl(String authorizationServerUrl)
           
 void setResourceServerKey(String resourceServerKey)
           
 void setResourceServerSecret(String resourceServerSecret)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

VERIFY_TOKEN_RESPONSE

public static final String VERIFY_TOKEN_RESPONSE
See Also:
Constant Field Values
Constructor Detail

AuthorizationServerFilter

public AuthorizationServerFilter()
Method Detail

init

public void init(javax.servlet.FilterConfig filterConfig)
          throws javax.servlet.ServletException
Specified by:
init in interface javax.servlet.Filter
Throws:
javax.servlet.ServletException

createObjectMapper

protected org.codehaus.jackson.map.ObjectMapper createObjectMapper()

createClient

protected com.sun.jersey.api.client.Client createClient()
Returns:
Client

buildCache

protected TokenResponseCache buildCache()

doFilter

public void doFilter(javax.servlet.ServletRequest servletRequest,
                     javax.servlet.ServletResponse servletResponse,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException
Specified by:
doFilter in interface javax.servlet.Filter
Throws:
IOException
javax.servlet.ServletException

getVerifyTokenResponse

protected VerifyTokenResponse getVerifyTokenResponse(String accessToken)

sendError

protected void sendError(javax.servlet.http.HttpServletResponse response,
                         int statusCode,
                         String reason)

cacheAccessTokens

protected boolean cacheAccessTokens()

handledCorsPreflightRequest

protected boolean handledCorsPreflightRequest(javax.servlet.http.HttpServletRequest request,
                                              javax.servlet.http.HttpServletResponse response)
                                       throws IOException
Throws:
IOException

getAllowedHeaders

protected String getAllowedHeaders(String requestHeaders)

getAccessControlMaxAge

protected String getAccessControlMaxAge()

getAccessControlAllowedMethods

protected String getAccessControlAllowedMethods()

destroy

public void destroy()
Specified by:
destroy in interface javax.servlet.Filter

setAuthorizationServerUrl

public void setAuthorizationServerUrl(String authorizationServerUrl)

setResourceServerSecret

public void setResourceServerSecret(String resourceServerSecret)

setResourceServerKey

public void setResourceServerKey(String resourceServerKey)


Copyright © 2012-2013 SURFnet bv, The Netherlands. All Rights Reserved.