public class AuthorizationServerFilter extends Object implements javax.servlet.Filter
Filter which can be used to protect all relevant resources by validating the OAuth access token with the Authorization Server. This is an example configuration:
```xml
<filter>
  <filter-name>authorization-server</filter-name>
  <filter-class>org.surfnet.oaaas.auth.AuthorizationServerFilter</filter-class>
  <init-param>
    <param-name>resource-server-key</param-name>
    <param-value>university-foo</param-value>
  </init-param>
  <init-param>
    <param-name>resource-server-secret</param-name>
    <param-value>58b749f7-acb3-44b7-a38c-53d5ad740cf6</param-value>
  </init-param>
  <init-param>
    <param-name>authorization-server-url</param-name>
    <param-value>http://<host-name>/v1/tokeninfo</param-value>
  </init-param>
  <init-param>
    <param-name>type-information-is-included</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>authorization-server</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
The response of the Authorization Server is put on the
HttpServletRequest with the name
VERIFY_TOKEN_RESPONSE.
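Added example, not code from the apis project: a second servlet filter, mapped after AuthorizationServerFilter, that reads the VERIFY_TOKEN_RESPONSE request attribute and fails closed when the attribute is missing or the token lacks a required scope. The `required-scope` init-param, the import path of VerifyTokenResponse and its `getScopes()` accessor are assumptions.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.surfnet.oaaas.auth.AuthorizationServerFilter;
import org.surfnet.oaaas.model.VerifyTokenResponse; // assumed package of the response type

/**
 * Enforces one OAuth scope on every request it sees. It relies on
 * AuthorizationServerFilter having already validated the bearer token and
 * stored the Authorization Server's answer under VERIFY_TOKEN_RESPONSE.
 */
public class RequireScopeFilter implements Filter {
  private String requiredScope;

  @Override
  public void init(FilterConfig config) throws ServletException {
    // Hypothetical init-param naming the scope this deployment requires.
    requiredScope = config.getInitParameter("required-scope");
    if (requiredScope == null || requiredScope.trim().isEmpty()) {
      throw new ServletException("required-scope init-param is mandatory");
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletResponse response = (HttpServletResponse) res;
    // Fail closed: no attribute means the upstream filter did not validate a token.
    Object attr = req.getAttribute(AuthorizationServerFilter.VERIFY_TOKEN_RESPONSE);
    if (!(attr instanceof VerifyTokenResponse)) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no validated access token");
      return;
    }
    List<String> scopes = ((VerifyTokenResponse) attr).getScopes(); // assumed accessor
    if (scopes == null || !scopes.contains(requiredScope)) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "scope " + requiredScope + " required");
      return;
    }
    chain.doFilter(req, res);
  }

  @Override
  public void destroy() {
  }
}
```

Servlet containers run filters in the order of their filter-mapping elements, so this filter's mapping must appear after the authorization-server mapping in web.xml.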
Of course it might be better to use a properties file depending on the environment (e.g. OTAP) to get the name, secret and URL. This can be achieved simply by providing an apis.application.properties file on the classpath, or by configuring a properties file name as an init-param (to have multiple resource servers in the same Tomcat instance). See init(FilterConfig).
Also note that by default the responses from the Authorization Server are not cached. This is configurable in the properties file used by this Filter. Again, see init(FilterConfig).
The cache behaviour can also be changed by overriding cacheAccessTokens(); to configure the cache differently, override buildCache().

| Modifier and Type | Field and Description |
|---|---|
| static String | VERIFY_TOKEN_RESPONSE |

| Constructor and Description |
|---|
| AuthorizationServerFilter() |

| Modifier and Type | Method and Description |
|---|---|
| protected TokenResponseCache | buildCache() |
| protected boolean | cacheAccessTokens() |
| protected com.sun.jersey.api.client.Client | createClient() |
| protected org.codehaus.jackson.map.ObjectMapper | createObjectMapper(boolean typeInformationIsIncluded) |
| void | destroy() |
| void | doFilter(javax.servlet.ServletRequest servletRequest, javax.servlet.ServletResponse servletResponse, javax.servlet.FilterChain chain) |
| protected String | getAccessControlAllowedMethods() |
| protected String | getAccessControlMaxAge() |
| protected String | getAllowedHeaders(String requestHeaders) |
| protected VerifyTokenResponse | getVerifyTokenResponse(String accessToken) |
| protected boolean | handledCorsPreflightRequest(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) |
| void | init(javax.servlet.FilterConfig filterConfig) |
| protected void | sendError(javax.servlet.http.HttpServletResponse response, int statusCode, String reason) |
| void | setAllowCorsRequests(boolean allowCorsRequests) |
| void | setAuthorizationServerUrl(String authorizationServerUrl) |
| void | setCacheEnabled(boolean cacheEnabled) |
| void | setResourceServerKey(String resourceServerKey) |
| void | setResourceServerSecret(String resourceServerSecret) |
| void | setTypeInformationIsIncluded(boolean typeInformationIsIncluded) |
public static final String VERIFY_TOKEN_RESPONSE

public void init(javax.servlet.FilterConfig filterConfig)
throws javax.servlet.ServletException
Specified by: init in interface javax.servlet.Filter
Throws: javax.servlet.ServletException

protected org.codehaus.jackson.map.ObjectMapper createObjectMapper(boolean typeInformationIsIncluded)

protected com.sun.jersey.api.client.Client createClient()

protected TokenResponseCache buildCache()

public void doFilter(javax.servlet.ServletRequest servletRequest,
javax.servlet.ServletResponse servletResponse,
javax.servlet.FilterChain chain)
throws IOException,
javax.servlet.ServletException
Specified by: doFilter in interface javax.servlet.Filter
Throws: IOException, javax.servlet.ServletException

protected VerifyTokenResponse getVerifyTokenResponse(String accessToken)

protected void sendError(javax.servlet.http.HttpServletResponse response,
int statusCode,
String reason)

protected boolean cacheAccessTokens()

protected boolean handledCorsPreflightRequest(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response)
throws IOException
Throws: IOException

protected String getAccessControlMaxAge()

protected String getAccessControlAllowedMethods()

public void destroy()
Specified by: destroy in interface javax.servlet.Filter

public void setAuthorizationServerUrl(String authorizationServerUrl)

public void setResourceServerSecret(String resourceServerSecret)

public void setResourceServerKey(String resourceServerKey)

public void setCacheEnabled(boolean cacheEnabled)

public void setAllowCorsRequests(boolean allowCorsRequests)

public void setTypeInformationIsIncluded(boolean typeInformationIsIncluded)
Copyright © 2012–2013 SURFnet bv, The Netherlands. All rights reserved.