Merge pull request #1 from SpringSource/master

Merging changes from master Spring security oauth repo

.travis.yml

@@ -1 +1,6 @@
 language: java
+
+install: mvn -U install --quiet -DskipTests=true -P bootstrap
+script: mvn clean test -P bootstrap
+
+

pom.xml

@@ -5,7 +5,7 @@
   <name>OAuth for Spring Security</name>
   <description>Parent Project for OAuth Support for Spring Security</description>
   <packaging>pom</packaging>
-  <version>1.0.1.BUILD-SNAPSHOT</version>
+  <version>1.0.2.BUILD-SNAPSHOT</version>
   <url>http://static.springframework.org/spring-security/oauth</url>
 
   <modules>
@@ -187,6 +187,18 @@
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <artifactId>maven-javadoc-plugin</artifactId>
+        <executions>
+          <execution>
+            <id>javadoc</id>
+            <phase>package</phase>
+            <goals>
+              <goal>jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
       <plugin>
         <groupId>org.codehaus.mojo</groupId>
         <artifactId>animal-sniffer-maven-plugin</artifactId>

samples/oauth/sparklr/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>1.0.1.BUILD-SNAPSHOT</version>
+		<version>1.0.2.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/oauth/tonr/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>1.0.1.BUILD-SNAPSHOT</version>
+		<version>1.0.2.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/oauth2/sparklr/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>1.0.1.BUILD-SNAPSHOT</version>
+		<version>1.0.2.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/oauth2/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml

@@ -34,6 +34,7 @@
 			method="GET" />
 		<intercept-url pattern="/oauth/clients/.*"
 			access="#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.isClient() and #oauth2.hasScope('read')" method="GET" />
+		<intercept-url pattern="/**" access="denyAll()"/>
 		<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<access-denied-handler ref="oauthAccessDeniedHandler" />
 		<expression-handler ref="oauthWebExpressionHandler" />
@@ -77,8 +78,9 @@
 		<property name="realmName" value="sparklr2" />
 	</bean>
 
-	<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
+	<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
 		<property name="realmName" value="sparklr2/client" />
+		<property name="typeName" value="Basic" />
 	</bean>
 
 	<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/TestResourceOwnerPasswordProvider.java

@@ -132,7 +132,7 @@ public void testTokenNotGrantedIfSecretNotProvided() throws Exception {
 			assertEquals(HttpStatus.UNAUTHORIZED, e.getStatusCode());
 			List<String> values = tokenEndpointResponse.getHeaders().get("WWW-Authenticate");
 			assertEquals(1, values.size());
-			assertEquals("Basic realm=\"sparklr2/client\"", values.get(0));
+			assertTrue(values.get(0).contains("Basic realm=\"sparklr2/client\""));
 		}
 	}
 

samples/oauth2/tonr/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>1.0.1.BUILD-SNAPSHOT</version>
+		<version>1.0.2.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.springframework.security.oauth</groupId>
     <artifactId>spring-security-oauth-parent</artifactId>
-    <version>1.0.1.BUILD-SNAPSHOT</version>
+    <version>1.0.2.BUILD-SNAPSHOT</version>
   </parent>
 
   <artifactId>spring-security-oauth-samples</artifactId>

spring-security-oauth/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>1.0.1.BUILD-SNAPSHOT</version>
+		<version>1.0.2.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>spring-security-oauth</artifactId>

spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java

@@ -647,16 +647,17 @@ protected String getSignatureBaseString(Map<String, Set<CharSequence>> oauthPara
     Iterator<Map.Entry<String, TreeSet<String>>> sortedIt = sortedParameters.entrySet().iterator();
     while (sortedIt.hasNext()) {
       Map.Entry<String, TreeSet<String>> sortedParameter = sortedIt.next();
-      for (String parameterValue : sortedParameter.getValue()) {
-        if (parameterValue == null) {
+      for (Iterator<String> sortedParametersIterator = sortedParameter.getValue().iterator(); sortedParametersIterator.hasNext();) {
+		String parameterValue = sortedParametersIterator.next();
+		if (parameterValue == null) {
           parameterValue = "";
         }
 
         queryString.append(sortedParameter.getKey()).append('=').append(parameterValue);
-        if (sortedIt.hasNext()) {
+        if (sortedIt.hasNext() || sortedParametersIterator.hasNext()) {
           queryString.append('&');
         }
-      }
+	}
     }
 
     StringBuilder url = new StringBuilder(requestURL.getProtocol().toLowerCase()).append("://").append(requestURL.getHost().toLowerCase());

spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java

@@ -1,34 +1,57 @@
 package org.springframework.security.oauth.consumer.rememberme;
 
-import org.springframework.security.oauth.consumer.OAuthConsumerToken;
+import java.util.HashMap;
+import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
-import java.util.Map;
+
+import org.springframework.security.oauth.consumer.OAuthConsumerToken;
 
 /**
- * Default implementation of the OAuth2 rememberme services. Just stores everything in the session.
+ * Default implementation of the OAuth2 rememberme services. Just stores everything in the session by default. Storing
+ * access token can be suppressed to reduce long-term expose of these tokens in the underlying HTTP session.
  * 
  * @author Ryan Heaton
+ * @author Alex Rau
  */
 public class HttpSessionOAuthRememberMeServices implements OAuthRememberMeServices {
 
-  public static final String REMEMBERED_TOKENS_KEY = HttpSessionOAuthRememberMeServices.class.getName() + "#REMEMBERED_TOKENS";
-
-  public Map<String, OAuthConsumerToken> loadRememberedTokens(HttpServletRequest request, HttpServletResponse response) {
-    HttpSession session = request.getSession(false);
-    Map<String, OAuthConsumerToken> rememberedTokens = null;
-    if (session != null) {
-      rememberedTokens = (Map<String, OAuthConsumerToken>) session.getAttribute(REMEMBERED_TOKENS_KEY);
-    }
-    return rememberedTokens;
-  }
-
-  public void rememberTokens(Map<String, OAuthConsumerToken> tokens, HttpServletRequest request, HttpServletResponse response) {
-    HttpSession session = request.getSession(false);
-    if (session != null) {
-      session.setAttribute(REMEMBERED_TOKENS_KEY, tokens);
-    }
-  }
+	public static final String REMEMBERED_TOKENS_KEY = HttpSessionOAuthRememberMeServices.class.getName()
+			+ "#REMEMBERED_TOKENS";
+
+	private boolean storeAccessTokens = true;
+
+	@SuppressWarnings("unchecked")
+	public Map<String, OAuthConsumerToken> loadRememberedTokens(HttpServletRequest request, HttpServletResponse response) {
+
+		HttpSession session = request.getSession(false);
+
+		if (session != null) {
+			return (Map<String, OAuthConsumerToken>) session.getAttribute(REMEMBERED_TOKENS_KEY);
+		}
+
+		return null;
+	}
+
+	public void rememberTokens(Map<String, OAuthConsumerToken> tokens, HttpServletRequest request,
+			HttpServletResponse response) {
+
+		HttpSession session = request.getSession(false);
+
+		if (session == null) {
+			return;
+		}
+
+		Map<String, OAuthConsumerToken> requestTokensOnly = new HashMap<String, OAuthConsumerToken>();
+
+		for (Map.Entry<String, OAuthConsumerToken> token : tokens.entrySet()) {
+			if (storeAccessTokens && !token.getValue().isAccessToken())
+				requestTokensOnly.put(token.getKey(), token.getValue());
+
+		}
+
+		session.setAttribute(REMEMBERED_TOKENS_KEY, requestTokensOnly);
+	}
 }

spring-security-oauth/src/test/java/org/springframework/security/oauth/consumer/client/TestCoreOAuthConsumerSupport.java

@@ -38,8 +38,10 @@
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLEncoder;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedHashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
@@ -79,7 +81,8 @@ public void testAfterPropertiesSet() throws Exception {
 		try {
 			new CoreOAuthConsumerSupport().afterPropertiesSet();
 			fail("should required a protected resource details service.");
-		} catch (IllegalArgumentException e) {
+		}
+		catch (IllegalArgumentException e) {
 		}
 	}
 
@@ -146,7 +149,8 @@ public URL configureURLForProtectedAccess(URL url, OAuthConsumerToken accessToke
 				try {
 					return new URL(url.getProtocol(), url.getHost(), url.getPort(), url.getFile(),
 							new StreamHandlerForTestingPurposes(connectionMock));
-				} catch (MalformedURLException e) {
+				}
+				catch (MalformedURLException e) {
 					throw new RuntimeException(e);
 				}
 			}
@@ -165,7 +169,8 @@ public String getOAuthQueryString(ProtectedResourceDetails details, OAuthConsume
 		try {
 			support.readResource(details, url, "POST", token, null, null);
 			fail("shouldn't have been a valid response code.");
-		} catch (OAuthRequestFailedException e) {
+		}
+		catch (OAuthRequestFailedException e) {
 			// fall through...
 		}
 		assertFalse(connectionProps.doOutput);
@@ -181,7 +186,8 @@ public String getOAuthQueryString(ProtectedResourceDetails details, OAuthConsume
 		try {
 			support.readResource(details, url, "POST", token, null, null);
 			fail("shouldn't have been a valid response code.");
-		} catch (OAuthRequestFailedException e) {
+		}
+		catch (OAuthRequestFailedException e) {
 			// fall through...
 		}
 		assertFalse(connectionProps.doOutput);
@@ -198,7 +204,8 @@ public String getOAuthQueryString(ProtectedResourceDetails details, OAuthConsume
 		try {
 			support.readResource(details, url, "POST", token, null, null);
 			fail("shouldn't have been a valid response code.");
-		} catch (InvalidOAuthRealmException e) {
+		}
+		catch (InvalidOAuthRealmException e) {
 			// fall through...
 		}
 		assertFalse(connectionProps.doOutput);
@@ -400,8 +407,8 @@ protected String getSignatureBaseString(Map<String, Set<CharSequence>> oauthPara
 		when(details.getSignatureMethod()).thenReturn(HMAC_SHA1SignatureMethod.SIGNATURE_NAME);
 		SharedConsumerSecret secret = new SharedConsumerSecretImpl("shh!!!");
 		when(details.getSharedSecret()).thenReturn(secret);
-		when(sigFactory.getSignatureMethod(HMAC_SHA1SignatureMethod.SIGNATURE_NAME, secret, null)).thenReturn(
-				sigMethod);
+		when(sigFactory.getSignatureMethod(HMAC_SHA1SignatureMethod.SIGNATURE_NAME, secret, null))
+				.thenReturn(sigMethod);
 		when(sigMethod.sign("MYSIGBASESTRING")).thenReturn("MYSIGNATURE");
 
 		Map<String, Set<CharSequence>> params = support.loadOAuthParameters(details, url, token, "POST", null);
@@ -446,6 +453,33 @@ public void testGetSignatureBaseString() throws Exception {
 				baseString);
 	}
 
+	@Test
+	public void testGetSignatureBaseStringSimple() throws Exception {
+		Map<String, Set<CharSequence>> oauthParams = new HashMap<String, Set<CharSequence>>();
+		oauthParams.put("foo", Collections.singleton((CharSequence) "bar"));
+		oauthParams.put("bar", new LinkedHashSet<CharSequence>(Arrays.<CharSequence> asList("120", "24")));
+
+		CoreOAuthConsumerSupport support = new CoreOAuthConsumerSupport();
+
+		String baseString = support.getSignatureBaseString(oauthParams, new URL("http://photos.example.net/photos"),
+				"get");
+		assertEquals("GET&http%3A%2F%2Fphotos.example.net%2Fphotos&bar%3D120%26bar%3D24%26foo%3Dbar", baseString);
+	}
+
+	// See SECOAUTH-383
+	@Test
+	public void testGetSignatureBaseStringMultivaluedLast() throws Exception {
+		Map<String, Set<CharSequence>> oauthParams = new HashMap<String, Set<CharSequence>>();
+		oauthParams.put("foo", Collections.singleton((CharSequence) "bar"));
+		oauthParams.put("pin", new LinkedHashSet<CharSequence>(Arrays.<CharSequence> asList("2", "1")));
+
+		CoreOAuthConsumerSupport support = new CoreOAuthConsumerSupport();
+
+		String baseString = support.getSignatureBaseString(oauthParams, new URL("http://photos.example.net/photos"),
+				"get");
+		assertEquals("GET&http%3A%2F%2Fphotos.example.net%2Fphotos&foo%3Dbar%26pin%3D1%26pin%3D2", baseString);
+	}
+
 	static class StreamHandlerForTestingPurposes extends Handler {
 
 		private final HttpURLConnectionForTestingPurposes connection;
@@ -469,7 +503,7 @@ static class HttpURLConnectionForTestingPurposes extends HttpURLConnection {
 
 		/**
 		 * Constructor for the HttpURLConnection.
-		 *
+		 * 
 		 * @param u the URL
 		 */
 		public HttpURLConnectionForTestingPurposes(URL u) {
@@ -490,11 +524,17 @@ public void connect() throws IOException {
 	static class ConnectionProps {
 
 		public int responseCode;
+
 		public String responseMessage;
+
 		public String method;
+
 		public Boolean doOutput;
+
 		public Boolean connected;
+
 		public OutputStream outputStream;
+
 		public final Map<String, String> headerFields = new TreeMap<String, String>();
 
 		public void reset() {