定制介体
OAuth 2.0 介体在 OAuth 2.0 消息处理期间用作回调,以执行定制后处理。
编写 OAuth 2.0 介体
要编写介体,必须实现名称为 com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator 的接口。该接口中的所有方法都必须实现;您可以在其中一个或多个方法中编写定制后处理逻辑,其余方法保留为空实现即可(如下面的代码样本所示)。
void init(OAuthComponentConfiguration config)
创建此对象的实例时,工厂会调用此方法。
void mediateAuthorize(AttributeList attributeList)
进行基本的消息验证和处理之后,核心组件会调用此方法,以允许组件使用者在 processAuthorization 方法中进行任何定制后处理。
void mediateAuthorizeException(AttributeList attributeList, OAuthException exception)
发生协议异常时,核心组件会调用此方法,以允许组件使用者在 processAuthorization 方法中进行任何定制后处理。
void mediateResource(AttributeList attributeList)
进行基本的消息验证和处理之后,核心组件会调用此方法,以允许组件使用者在 processResourceRequest 方法中进行任何定制后处理。
void mediateResourceException(AttributeList attributeList, OAuthException exception)
发生协议异常时,核心组件会调用此方法,以允许组件使用者在 processResourceRequest 方法中进行任何定制后处理。
void mediateToken(AttributeList attributeList)
进行基本的消息验证和处理之后,核心组件会调用此方法,以允许组件使用者在 processTokenRequest 方法中进行任何定制后处理。
void mediateTokenException(AttributeList attributeList, OAuthException exception)
发生协议异常时,核心组件会调用此方法,以允许组件使用者在 processTokenRequest 方法中进行任何定制后处理。
对 OAuth 提供者启用 OAuth 2.0 介体
要将定制介体添加到特定 OAuth 2.0 服务提供者,请在 server.xml 文件中更新提供者定义。添加 oauthProvider 元素的 mediatorClassname 属性,并为介体指定类名。您也可以使用 oauthProvider 元素的 mediatorClassname 子元素来为介体指定多个类名。如果指定多个介体,那么会以指定介体的顺序来启动那些介体。您还必须定义包含介体类的 library 元素,并使用 libraryRef 属性来引用该 library 元素。
以下示例会显示 server.xml 文件中提供者定义内的样本定制介体条目:
<!-- mediatorClassname must name a class packaged in the jar that libraryRef points to
     (here myLib -> C:\mydir\myLib.jar). The Java sample on this page declares the class
     as ResourceOwnerValidationMedidator; the configured name and the class name must agree
     exactly, otherwise the provider cannot load the mediator. -->
<oauthProvider id="OAuthConfigSample" libraryRef="myLib"
mediatorClassname="com.ibm.ws.security.oauth20.mediator.ResourceOwnerValidationMediator" ...>
...
</oauthProvider>
<library id="myLib">
<fileset dir="C:\mydir" includes="myLib.jar" />
</library>
以下代码样本通过在资源所有者密码凭证流程中使用 WebSphere® Application Server 用户注册表来实现凭证验证。
package com.ibm.ws.security.oauth20.mediator;
import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.config.OAuthComponentConfiguration;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MediatorException;
import com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;
import java.rmi.RemoteException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.naming.NamingException;
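/**
 * Sample OAuth 2.0 mediator that validates the resource owner's credentials
 * against the WebSphere user registry for the resource owner password
 * credentials grant ({@code grant_type=password}).
 *
 * <p>Only {@link #mediateToken} and {@link #mediateTokenException} do any work;
 * the authorize and resource callbacks are deliberate no-ops.
 *
 * <p>NOTE(review): the {@code server.xml} sample on this page sets
 * {@code mediatorClassname} to {@code ...ResourceOwnerValidationMediator},
 * which differs from this class's name ({@code ...Medidator}); the configured
 * name must match the class exactly or the provider cannot load the mediator.
 */
public class ResourceOwnerValidationMedidator implements OAuth20Mediator {
    private static final String CLASS = ResourceOwnerValidationMedidator.class.getName();
    private static final Logger LOG = Logger.getLogger(CLASS);

    // Remains null if the JNDI lookup in init() fails; mediateToken() then
    // rejects every password grant instead of failing with NullPointerException.
    private UserRegistry reg = null;

    /**
     * Looks up the WebSphere user registry via JNDI.
     *
     * <p>A failed lookup is logged rather than rethrown so that the provider
     * still starts; password grants are then refused by {@link #mediateToken}.
     *
     * @param config component configuration (not used by this sample)
     */
    @Override
    public void init(OAuthComponentConfiguration config) {
        try {
            InitialContext ctx = new InitialContext();
            reg = (UserRegistry) ctx.lookup("UserRegistry");
        } catch (NamingException ne) {
            LOG.log(Level.SEVERE, "Cannot lookup UserRegistry", ne);
        }
    }

    /** No post-processing for the authorization endpoint. */
    @Override
    public void mediateAuthorize(AttributeList attributeList) throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No post-processing for authorization endpoint errors. */
    @Override
    public void mediateAuthorizeException(AttributeList attributeList, OAuthException exception)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No post-processing for resource requests. */
    @Override
    public void mediateResource(AttributeList attributeList) throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No post-processing for resource request errors. */
    @Override
    public void mediateResourceException(AttributeList attributeList, OAuthException exception)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /**
     * Validates the resource owner's credentials when the token request uses
     * the password grant; other grant types pass through untouched.
     *
     * @param attributeList request attributes; for the password grant these
     *     include {@code username} and {@code password}
     * @throws OAuth20MediatorException if the credentials are missing or wrong,
     *     or if the user registry is unavailable
     */
    @Override
    public void mediateToken(AttributeList attributeList) throws OAuth20MediatorException {
        final String methodName = "mediateToken";
        String grantType = attributeList.getAttributeValueByName("grant_type");
        // Trace only the grant type: for the password grant the attribute list
        // carries the resource owner's password, which must not be logged.
        LOG.entering(CLASS, methodName, grantType);
        if ("password".equals(grantType)) {
            String username = attributeList.getAttributeValueByName("username");
            String password = attributeList.getAttributeValueByName("password");
            validateResourceOwner(username, password);
        }
        LOG.exiting(CLASS, methodName);
    }

    /**
     * Checks the given credentials against the user registry.
     *
     * @param username resource owner's user name from the token request
     * @param password resource owner's password from the token request
     * @throws OAuth20MediatorException if the registry was never resolved, a
     *     credential is missing, or the registry rejects or cannot verify them
     */
    private void validateResourceOwner(String username, String password)
            throws OAuth20MediatorException {
        // Fail closed: without a registry no password grant may succeed.
        if (reg == null) {
            throw new OAuth20MediatorException("Cannot validate resource owner.",
                    new IllegalStateException("UserRegistry was not resolved during init()"));
        }
        // Same generic message as a failed check, so a missing field reveals
        // nothing more than a wrong password would.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            throw new OAuth20MediatorException("User doesn't exist or the password doesn't match.",
                    new IllegalArgumentException("username or password missing"));
        }
        try {
            reg.checkPassword(username, password);
        } catch (PasswordCheckFailedException e) {
            // Deliberately does not say whether the user exists.
            throw new OAuth20MediatorException("User doesn't exist or the password doesn't match.", e);
        } catch (CustomRegistryException e) {
            throw new OAuth20MediatorException("Cannot validate resource owner.", e);
        } catch (RemoteException e) {
            throw new OAuth20MediatorException("Cannot validate resource owner.", e);
        }
    }

    /**
     * On a failed password-grant token request, clears the access and refresh
     * token response attributes so no token material is returned to the client.
     *
     * @param attributeList request/response attributes of the failed request
     * @param exception the protocol error that triggered this callback
     * @throws OAuth20MediatorException never thrown by this sample
     */
    @Override
    public void mediateTokenException(AttributeList attributeList, OAuthException exception)
            throws OAuth20MediatorException {
        final String methodName = "mediateTokenException";
        String grantType = attributeList.getAttributeValueByName("grant_type");
        // As in mediateToken: keep the password out of the trace log.
        LOG.entering(CLASS, methodName, new Object[] {grantType, exception});
        if ("password".equals(grantType)) {
            // clear sensitive data
            attributeList.setAttribute("access_token",
                    OAuth20Constants.ATTRTYPE_RESPONSE_ATTRIBUTE, new String[0]);
            attributeList.setAttribute("refresh_token",
                    OAuth20Constants.ATTRTYPE_RESPONSE_ATTRIBUTE, new String[0]);
        }
        LOG.exiting(CLASS, methodName);
    }
}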