定制介体
在处理 OAuth 2.0 消息期间,OAuth 2.0 介体用作回调以执行定制的后处理。
编写 OAuth 2.0 介体
要编写介体,您必须实现一个名为 com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator 的接口。可以实现一个或多个 mediate* 方法来执行定制后处理。
void init(OAuthComponentConfiguration config)
创建了此对象的实例时,工厂将调用此方法。
void mediateAuthorize(AttributeList attributeList)
在进行基本消息验证和处理之后,核心组件调用此方法以允许 processAuthorization 方法中的组件使用者执行任何定制后处理。
void mediateAuthorizeException(AttributeList attributeList, OAuthException exception)
发生协议异常时,核心组件调用此方法以允许 processAuthorization 方法中的组件使用者执行任何定制后处理。
void mediateResource(AttributeList attributeList)
在进行基本消息验证和处理之后,核心组件调用此方法以允许 processResourceRequest 方法中的组件使用者执行任何定制后处理。
void mediateResourceException(AttributeList attributeList, OAuthException exception)
发生协议异常时,核心组件调用此方法以允许 processResourceRequest 方法中的组件使用者执行任何定制后处理。
void mediateToken(AttributeList attributeList)
在进行基本消息验证和处理之后,核心组件调用此方法以允许 processTokenRequest 方法中的组件使用者执行任何定制后处理。
void mediateTokenException(AttributeList attributeList, OAuthException exception)
发生协议异常时,核心组件调用此方法以允许 processTokenRequest 方法中的组件使用者执行任何定制后处理。
为 OAuth 提供程序启用 OAuth 2.0 介体
要向特定 OAuth20 服务提供程序添加定制介体,请更新该服务提供程序的配置文件,例如,OauthConfigSample.xml。找到 oauth20.mediator.classnames 参数,并为介体添加类名。对于 oauth20.mediator.classnames 参数,您还可以为介体指定多个类名。如果指定了多个介体,那么这些介体会按照它们在该参数中的指定顺序启动。以下示例显示了提供者配置文件中的样本定制介体条目:
<parameter name="oauth20.mediator.classnames" type="cc" customizable="false">
<value>org.acme.oauth2.sampleMediator</value>
<value>org.acme.oauth2.sampleMediator2</value>
</parameter>
以下代码样本通过在资源所有者密码凭证流中使用 WebSphere® Application Server 用户注册表来实现了凭证验证。
package com.ibm.ws.security.oauth20.mediator;
import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.config.OAuthComponentConfiguration;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MediatorException;
import com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;
import java.rmi.RemoteException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.naming.NamingException;
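/**
 * Sample OAuth 2.0 mediator that validates resource-owner credentials for the
 * {@code password} grant against the WebSphere user registry, and removes any
 * token material from the response when a {@code password} grant fails.
 *
 * <p>Only {@link #mediateToken} and {@link #mediateTokenException} do any work;
 * the authorize and resource callbacks are intentionally empty.
 */
public class ResourceOwnerValidationMedidator implements OAuth20Mediator {
    private static final String CLASS = ResourceOwnerValidationMedidator.class.getName();
    private static final Logger LOG = Logger.getLogger(CLASS);
    /** Grant type for which this mediator checks the resource owner's credentials. */
    private static final String PASSWORD_GRANT = "password";
    /** JNDI name under which the WebSphere user registry is looked up. */
    private static final String REGISTRY_JNDI_NAME = "UserRegistry";
    /** Registry used for credential checks; stays null when the JNDI lookup in init() failed. */
    private UserRegistry reg = null;

    /**
     * Looks up the user registry via JNDI.
     *
     * <p>A failed lookup is logged at SEVERE and leaves {@link #reg} null; every
     * later {@code password} grant is then rejected by {@link #mediateToken}
     * with an {@link OAuth20MediatorException} instead of a NullPointerException.
     *
     * @param config the component configuration (unused by this sample)
     */
    @Override
    public void init(OAuthComponentConfiguration config) {
        try {
            InitialContext ctx = new InitialContext();
            reg = (UserRegistry) ctx.lookup(REGISTRY_JNDI_NAME);
        } catch (NamingException ne) {
            LOG.log(Level.SEVERE, "Cannot lookup UserRegistry", ne);
        }
    }

    /** No post-processing for authorization requests. */
    @Override
    public void mediateAuthorize(AttributeList attributeList)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No post-processing for authorization failures. */
    @Override
    public void mediateAuthorizeException(AttributeList attributeList,
            OAuthException exception)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No post-processing for resource requests. */
    @Override
    public void mediateResource(AttributeList attributeList)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No post-processing for resource request failures. */
    @Override
    public void mediateResourceException(AttributeList attributeList,
            OAuthException exception)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /**
     * For the {@code password} grant, checks the supplied username and password
     * against the user registry. Other grant types pass through untouched.
     *
     * @param attributeList the token request attributes
     * @throws OAuth20MediatorException if the registry is unavailable, the
     *         credentials are rejected, or the registry call fails
     */
    @Override
    public void mediateToken(AttributeList attributeList)
            throws OAuth20MediatorException {
        final String methodName = "mediateToken";
        // The attribute list carries the resource owner's password for this grant
        // type, so it is deliberately not passed to the entry trace.
        LOG.entering(CLASS, methodName);
        if (isPasswordGrant(attributeList)) {
            String username = attributeList.getAttributeValueByName("username");
            String password = attributeList.getAttributeValueByName("password");
            checkCredentials(username, password);
        }
        LOG.exiting(CLASS, methodName);
    }

    /**
     * On a failed {@code password} grant, clears any token values from the
     * response attributes so they cannot leak to the client.
     *
     * @param attributeList the token request/response attributes
     * @param exception the protocol exception that occurred
     */
    @Override
    public void mediateTokenException(AttributeList attributeList,
            OAuthException exception)
            throws OAuth20MediatorException {
        final String methodName = "mediateTokenException";
        // Same reason as in mediateToken: the attributes include the password.
        LOG.entering(CLASS, methodName);
        if (isPasswordGrant(attributeList)) {
            // clear sensitive data
            clearResponseAttribute(attributeList, "access_token");
            clearResponseAttribute(attributeList, "refresh_token");
        }
        LOG.exiting(CLASS, methodName);
    }

    /** Returns true when the request's grant_type is the resource owner password grant. */
    private static boolean isPasswordGrant(AttributeList attributeList) {
        return PASSWORD_GRANT.equals(attributeList.getAttributeValueByName("grant_type"));
    }

    /** Replaces the named response attribute with an empty value list. */
    private static void clearResponseAttribute(AttributeList attributeList, String name) {
        attributeList.setAttribute(name,
                OAuth20Constants.ATTRTYPE_RESPONSE_ATTRIBUTE,
                new String[0]);
    }

    /**
     * Validates the credentials against the registry, translating every failure
     * into an {@link OAuth20MediatorException} whose message does not reveal
     * whether the user exists.
     */
    private void checkCredentials(String username, String password)
            throws OAuth20MediatorException {
        if (reg == null) {
            // init() could not obtain the registry; fail the grant rather than NPE.
            throw new OAuth20MediatorException("Cannot validate resource owner.",
                    new IllegalStateException("UserRegistry is unavailable; see init() log"));
        }
        try {
            reg.checkPassword(username, password);
        } catch (PasswordCheckFailedException e) {
            // Single message for unknown user and wrong password (no account enumeration).
            throw new OAuth20MediatorException("User doesn't exist or the password doesn't match.", e);
        } catch (CustomRegistryException e) {
            throw new OAuth20MediatorException("Cannot validate resource owner.", e);
        } catch (RemoteException e) {
            throw new OAuth20MediatorException("Cannot validate resource owner.", e);
        }
    }
}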