AuthorizationServerFilter (API Secure - resource server library 1.2.4 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.surfnet.oaaas.auth
Class AuthorizationServerFilter

java.lang.Object
  org.surfnet.oaaas.auth.AuthorizationServerFilter

All Implemented Interfaces:: javax.servlet.Filter

public class AuthorizationServerFilter
extends Object
implements javax.servlet.Filter
extends Object
implements javax.servlet.Filter

Filter which can be used to protect all relevant resources by validating the oauth access token with the Authorization server. This is an example configuration:

 <filter>
   <filter-name>authorization-server</filter-name>
   <filter-class>org.surfnet.oaaas.auth.AuthorizationServerFilter</filter-class>
   <init-param>
     <param-name>resource-server-key</param-name>
     <param-value>university-foo</param-value>
   </init-param>
   <init-param>
     <param-name>resource-server-secret</param-name>
     <param-value>58b749f7-acb3-44b7-a38c-53d5ad740cf6</param-value>
   </init-param>
   <init-param>
     <param-name>authorization-server-url</param-name>
     <param-value>http://<host-name>/v1/tokeninfo</param-value>
   </init-param>
 </filter>
 <filter-mapping>
   <filter-name>authorization-server</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>

The response of the Authorization Server is put on the HttpServletRequest with the name VERIFY_TOKEN_RESPONSE.

Of course it might be better to use a properties file depending on the environment (e.g. OTAP) to get the name, secret and url. This can be achieved simple to provide an apis.application.properties file on the classpath or configure a properties file name as init-param (to have multiple resource servers in the same tomcat instance). See init(FilterConfig)

Also note that by default the responses from the Authorization Server are not cached. This in configurable in the properties file used by this Filter. Again see init(FilterConfig) The cache behaviour can also be changed if you override cacheAccessTokens() and to configure the cache differently override buildCache()

Field Summary
`static String`	`VERIFY_TOKEN_RESPONSE`

Constructor Summary
`AuthorizationServerFilter()`

Method Summary
`protected TokenResponseCache`	`buildCache()`
`protected boolean`	`cacheAccessTokens()`
`protected com.sun.jersey.api.client.Client`	`createClient()`
`protected org.codehaus.jackson.map.ObjectMapper`	`createObjectMapper()`
`void`	`destroy()`
`void`	`doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain)`
`protected String`	`getAccessControlAllowedMethods()`
`protected String`	`getAccessControlMaxAge()`
`protected String`	`getAllowedHeaders(String requestHeaders)`
`protected VerifyTokenResponse`	`getVerifyTokenResponse(String accessToken)`
`protected boolean`	`handledCorsPreflightRequest(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)`
`void`	`init(javax.servlet.FilterConfig filterConfig)`
`protected void`	`sendError(javax.servlet.http.HttpServletResponse response, int statusCode, String reason)`
`void`	`setAllowCorsRequests(boolean allowCorsRequests)`
`void`	`setAuthorizationServerUrl(String authorizationServerUrl)`
`void`	`setCacheEnabled(boolean cacheEnabled)`
`void`	`setResourceServerKey(String resourceServerKey)`
`void`	`setResourceServerSecret(String resourceServerSecret)`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

VERIFY_TOKEN_RESPONSE

public static final String VERIFY_TOKEN_RESPONSE

See Also:: Constant Field Values

Constructor Detail