
OIDC接口优化 #I4VFYD

MaxKey 3 年之前
545e2c1a96

+ 1 - 1
maxkey-authentications/maxkey-authentication-core/src/main/java/org/maxkey/authn/support/basic/BasicEntryPoint.java

@@ -85,7 +85,7 @@ public class BasicEntryPoint implements   AsyncHandlerInterceptor {
 		    _logger.info("recreate new session .");
 			request.getSession(true);
 		 }
-		 String basicCredential =request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+		 String basicCredential =request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 		 _logger.info("getSession.getId : "+ request.getSession().getId());
 		 
 		 _logger.info("Authorization : " + basicCredential);

+ 23 - 4
maxkey-common/src/main/java/org/maxkey/util/AuthorizationHeaderUtils.java

@@ -17,6 +17,8 @@
 
 package org.maxkey.util;
 
+import javax.servlet.http.HttpServletRequest;
+
 import org.maxkey.crypto.Base64Utils;
 
 /**
@@ -25,7 +27,14 @@ import org.maxkey.crypto.Base64Utils;
  */
 public class AuthorizationHeaderUtils {
 
-    public static final String AUTHORIZATION_HEADERNAME = "Authorization";
+	/**
+	 * first UpperCase
+	 */
+    public static final String HEADER_Authorization = "Authorization";
+    /**
+     * first LowerCase
+     */
+    public static final String HEADER_authorization = "authorization";
 
     public static String createBasic(String username, String password) {
         String authUserPass = username + ":" + password;
@@ -34,7 +43,7 @@ public class AuthorizationHeaderUtils {
     }
 
     public static AuthorizationHeaderCredential resolve(String authorization) {
-        if (isBasic(authorization)) {
+        if (StringUtils.isNotBlank(authorization) && isBasic(authorization)) {
             String decodeUserPass = Base64Utils.decode(authorization.split(" ")[1]);
             String []userPass =decodeUserPass.split(":");
             return new AuthorizationHeaderCredential(userPass[0],userPass[1]);
@@ -56,10 +65,10 @@ public class AuthorizationHeaderUtils {
     }
 
     public static String resolveBearer(String bearer) {
-        if (isBearer(bearer)) {
+        if (StringUtils.isNotBlank(bearer) && isBearer(bearer)) {
             return bearer.split(" ")[1];
         } else {
-            return null;
+            return bearer;
         }
     }
     
@@ -70,5 +79,15 @@ public class AuthorizationHeaderUtils {
             return false;
         }
     }
+    
+    public  static String resolveBearer(HttpServletRequest request) {
+    	String authorization = 
+    			StringUtils.isNotBlank(request.getHeader(HEADER_Authorization)) ? 
+    					request.getHeader(HEADER_Authorization) : request.getHeader(HEADER_authorization);
+    	if(StringUtils.isNotBlank(authorization)) {
+    		return resolveBearer(authorization);
+    	}
+    	return null;
+    }
 
 }
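Review bot: `resolveBearer(String)` now returns the raw header value instead of `null` when the scheme is not Bearer (the `return bearer;` at L69), so an `Authorization` header carrying another scheme such as `Basic …` is handed to callers as if it were an access token, and `Oauth20ApiPermissionAdapter` as well as the two userinfo endpoints pass that value straight on to `loadAuthentication`/`uuidMatches`; keep the scheme check strict and leave the else branch as `return null;`. `StringUtils` is used in `resolve`, `resolveBearer` and the new overload, but the import hunk only adds `HttpServletRequest` — unless it is already imported above line 17, this file will not compile, so add `import org.apache.commons.lang3.StringUtils;`. The `HEADER_authorization` fallback in the new overload appears redundant, since `HttpServletRequest.getHeader` is defined as case-insensitive by the Servlet specification, and the pair `HEADER_Authorization`/`HEADER_authorization` breaks the UPPER_SNAKE_CASE constant convention while differing only by case — a single `HEADER_AUTHORIZATION` (with the old name kept as a deprecated alias for callers outside this commit) would do.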

+ 29 - 15
maxkey-core/src/main/java/org/maxkey/web/WebContext.java

@@ -56,6 +56,10 @@ import org.springframework.web.servlet.support.RequestContextUtils;
  * @author Crystal.Sea
  * @since 1.5
  */
+/**
+ * @author shimi
+ *
+ */
 public final class WebContext {
     
     final static Logger _logger = LoggerFactory.getLogger(WebContext.class);
@@ -275,22 +279,32 @@ public final class WebContext {
 
     }
     
+    /**
+     * isTraceEnabled print request headers and parameters<br>
+     * see WebInstRequestFilter
+     * @param request
+     */
     public static void printRequest(final HttpServletRequest request) {
-    	_logger.trace("getRequestURL : "+request.getRequestURL());
-    	_logger.trace("getMethod : "+request.getMethod());
-        Enumeration<String> headerNames = request.getHeaderNames();
-        while (headerNames.hasMoreElements()) {
-          String key = (String) headerNames.nextElement();
-          String value = request.getHeader(key);
-          _logger.trace("Header key "+key +" , value " + value);
-        }
-        
-        Enumeration<String> parameterNames = request.getParameterNames();
-        while (parameterNames.hasMoreElements()) {
-          String key = (String) parameterNames.nextElement();
-          String value = request.getParameter(key);
-          _logger.trace("Parameter "+key +" , value " + value);
-        }
+    	if(_logger.isTraceEnabled()) {
+    		_logger.trace("getContextPath : {}"  , request.getContextPath());
+	    	_logger.trace("getRequestURL : {} " , request.getRequestURL());
+			_logger.trace("URL : {}" , request.getRequestURI().substring(request.getContextPath().length()));
+	    	_logger.trace("getMethod : {} " , request.getMethod());
+	    	
+	        Enumeration<String> headerNames = request.getHeaderNames();
+	        while (headerNames.hasMoreElements()) {
+	          String key = (String) headerNames.nextElement();
+	          String value = request.getHeader(key);
+	          _logger.trace("Header key {} , value {}" , key, value);
+	        }
+	        
+	        Enumeration<String> parameterNames = request.getParameterNames();
+	        while (parameterNames.hasMoreElements()) {
+	          String key = (String) parameterNames.nextElement();
+	          String value = request.getParameter(key);
+	          _logger.trace("Parameter {} , value {}",key , value);
+	        }
+    	}
     }
 
     /**
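Review bot: `printRequest` logs every header and parameter value verbatim at trace level (L139, L146), which puts `Authorization` headers, cookies and any password parameter into the log file whenever trace is enabled for this class; since the new Javadoc says the method is now driven from a request filter (WebInstRequestFilter, not visible here), consider masking well-known sensitive names before logging, e.g. `String value = SENSITIVE_NAMES.contains(key.toLowerCase(Locale.ROOT)) ? "***" : request.getHeader(key);` with a small static set of header and parameter names, and the same for the parameter loop. The `isTraceEnabled()` guard and the switch to `{}` placeholders are an improvement over the previous string concatenation. Separately, the second `/** @author shimi */` block at L97–L100 directly follows the existing class Javadoc; javadoc attaches only the last comment to the class, so the original description is lost — merge the author tag into the existing comment instead.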

+ 1 - 6
maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java

@@ -70,15 +70,10 @@ public class WebXssRequestFilter  extends GenericFilterBean {
 	public void doFilter(ServletRequest servletRequest, ServletResponse response, FilterChain chain)
 			throws IOException, ServletException {
 		_logger.trace("WebXssRequestFilter");
-		
 		boolean isWebXss = false;
 		HttpServletRequest request= ((HttpServletRequest)servletRequest);
-		String requestURI=request.getRequestURI();
-		_logger.trace("getContextPath " +request.getContextPath());
-		_logger.trace("getRequestURL " + ((HttpServletRequest)request).getRequestURI());
-		_logger.trace("URL " +requestURI.substring(request.getContextPath().length()));
 		
-		if(skipUrlMap.containsKey(requestURI.substring(request.getContextPath().length()))) {
+		if(skipUrlMap.containsKey(request.getRequestURI().substring(request.getContextPath().length()))) {
 			isWebXss = false;
 		}else {
 	        Enumeration<String> parameterNames = request.getParameterNames();

+ 0 - 4
maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java

@@ -136,10 +136,6 @@ public class TokenEndpointAuthenticationFilter implements Filter {
 		final HttpServletRequest request = (HttpServletRequest) req;
 		final HttpServletResponse response = (HttpServletResponse) res;
 
-		if(_logger.isTraceEnabled()) {
-			WebContext.printRequest(request);
-		}
-		
 		try {
 			String grantType = request.getParameter(OAuth2Constants.PARAMETER.GRANT_TYPE);
 			if (grantType != null && grantType.equals(OAuth2Constants.PARAMETER.GRANT_TYPE_PASSWORD)) {

+ 5 - 15
maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoEndpoint.java

@@ -18,13 +18,13 @@
 package org.maxkey.authz.oauth2.provider.userinfo.endpoint;
 
 import java.lang.reflect.InvocationTargetException;
-import java.util.Enumeration;
 import java.util.HashMap;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.beanutils.BeanUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.maxkey.authn.SigninPrincipal;
 import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
 import org.maxkey.authz.oauth2.common.OAuth2Constants;
@@ -48,7 +48,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -83,27 +82,18 @@ public class UserInfoEndpoint {
 	@RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_USERINFO, method={RequestMethod.POST, RequestMethod.GET}) 
 	public void apiV20UserInfo(
 			@RequestParam(value = "access_token", required = false) String access_token,
-			@RequestHeader(value = "authorization", required = false) String authorization_bearer,
             HttpServletRequest request, 
             HttpServletResponse response) {	        
-	        if(access_token == null && authorization_bearer!= null) {
-	        	if(_logger.isTraceEnabled()) {
-		        	_logger.trace("getRequestURL : "+request.getRequestURL());
-			        Enumeration<String> headerNames = request.getHeaderNames();
-			        while (headerNames.hasMoreElements()) {
-			          String key = (String) headerNames.nextElement();
-			          String value = request.getHeader(key);
-			          _logger.trace("Header key "+key +" , value " + value);
-			        }
-		        }
+	        if(StringUtils.isBlank(access_token)) {
 	        	//for header authorization bearer
-	        	access_token = AuthorizationHeaderUtils.resolveBearer(authorization_bearer);
+	        	access_token = AuthorizationHeaderUtils.resolveBearer(request);
 	        }
 	        
-			String principal="";
 			if (!StringGenerator.uuidMatches(access_token)) {
 				httpResponseAdapter.write(response,JsonUtils.gson2Json(accessTokenFormatError(access_token)),"json"); 
 			}
+			
+			String principal="";
 			OAuth2Authentication oAuth2Authentication =null;
 			try{
 				 oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
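Review bot: When `uuidMatches(access_token)` fails (L239–L241) the handler writes the error body but does not `return`, so the rejected token still reaches `oauth20tokenServices.loadAuthentication(access_token)` at L246 and the response may be written a second time; add `return;` after the `httpResponseAdapter.write(...)` call. That `if` is context rather than changed code, but the new `resolveBearer(request)` path at L235 now feeds it, and with `resolveBearer` no longer returning `null` for non-Bearer schemes the value may be a raw `Authorization` header of another type. `apiV20UserInfo` continues past the end of the hunk.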

+ 6 - 6
maxkey-protocols/maxkey-protocol-oauth-2.0/src/main/java/org/maxkey/authz/oauth2/provider/userinfo/endpoint/UserInfoOIDCEndpoint.java

@@ -42,6 +42,7 @@ import org.maxkey.entity.UserInfo;
 import org.maxkey.entity.apps.oauth2.provider.ClientDetails;
 import org.maxkey.persistence.service.AppsService;
 import org.maxkey.persistence.service.UserInfoService;
+import org.maxkey.util.AuthorizationHeaderUtils;
 import org.maxkey.util.JsonUtils;
 import org.maxkey.util.StringGenerator;
 import org.maxkey.web.HttpResponseAdapter;
@@ -51,7 +52,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
@@ -100,15 +100,15 @@ public class UserInfoOIDCEndpoint {
     @Operation(summary = "OIDC 用户信息接口", description = "传递Authorization参数access_token",method="GET")
 	@RequestMapping(value=OAuth2Constants.ENDPOINT.ENDPOINT_OPENID_CONNECT_USERINFO, method={RequestMethod.POST, RequestMethod.GET})
 	@ResponseBody
-	public String connect10aUserInfo(
-			@RequestHeader(value = "Authorization", required = true) String access_token,
-			HttpServletRequest request, 
-			HttpServletResponse response) {
-		String principal="";
+	public String connect10aUserInfo(HttpServletRequest request, 
+									 HttpServletResponse response) {
+    	String access_token = AuthorizationHeaderUtils.resolveBearer(request);
+		
 		if (!StringGenerator.uuidMatches(access_token)) {
 			return JsonUtils.gson2Json(accessTokenFormatError(access_token));
 		}
 		
+		String principal="";
 		OAuth2Authentication oAuth2Authentication =null;
 		try{
 			 oAuth2Authentication = oauth20tokenServices.loadAuthentication(access_token);
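Review bot: Dropping `@RequestHeader(required = true)` removes the 400 that Spring previously returned when `Authorization` was absent; `resolveBearer(request)` returns `null` in that case (L85 of AuthorizationHeaderUtils), and that null now flows into `StringGenerator.uuidMatches` at L280, whose null handling is not visible here. Guard explicitly so a missing or non-Bearer header is rejected before any token lookup: `if (access_token == null || !StringGenerator.uuidMatches(access_token)) {`. `connect10aUserInfo` continues past the end of the hunk.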

+ 0 - 2
maxkey-webs/maxkey-web-maxkey/src/main/java/org/maxkey/web/endpoint/LoginEndpoint.java

@@ -99,8 +99,6 @@ public class LoginEndpoint {
 	public ModelAndView login(HttpServletRequest request) {
 		_logger.debug("LoginController /login.");
 		
-		WebContext.printRequest(request);
-		
 		boolean isAuthenticated= WebContext.isAuthenticated();
 		
 		if(isAuthenticated){

+ 1 - 1
maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/Oauth20ApiPermissionAdapter.java

@@ -61,7 +61,7 @@ public class Oauth20ApiPermissionAdapter  implements AsyncHandlerInterceptor  {
 	@Override
 	public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
 		 _logger.trace("Oauth20ApiPermissionAdapter preHandle");
-		String  authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+		String  authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 		 
 		 String accessToken = AuthorizationHeaderUtils.resolveBearer(authorization);
 		 OAuth2Authentication authentication = oauth20tokenServices.loadAuthentication(accessToken);

+ 1 - 1
maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/web/interceptor/RestApiPermissionAdapter.java

@@ -65,7 +65,7 @@ public class RestApiPermissionAdapter  implements AsyncHandlerInterceptor  {
 	@Override
 	public boolean preHandle(HttpServletRequest request,HttpServletResponse response, Object handler) throws Exception {
 		 _logger.trace("RestApiPermissionAdapter preHandle");
-		String  authorization = request.getHeader(AuthorizationHeaderUtils.AUTHORIZATION_HEADERNAME);
+		String  authorization = request.getHeader(AuthorizationHeaderUtils.HEADER_Authorization);
 		AuthorizationHeaderCredential headerCredential = AuthorizationHeaderUtils.resolve(authorization);
 		 
 		//判断应用的AppId和Secret