Java tutorial
/** * Most of the code in the Qalingo project is copyrighted Hoteia and licensed * under the Apache License Version 2.0 (release version 0.8.0) * http://www.apache.org/licenses/LICENSE-2.0 * * Copyright (c) Hoteia, 2012-2014 * http://www.hoteia.com - http://twitter.com/hoteia - contact@hoteia.com * */ package org.hoteia.qalingo.core.service.openid; import java.io.BufferedReader; import java.io.IOException; import java.io.StringReader; import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Properties; import java.util.concurrent.ConcurrentHashMap; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang.StringUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; /** * */ @Service("openIdService") public class OpenIdService { private static final String HMAC_SHA1_ALGORITHM = "HmacSHA1"; public static final String OPEN_ID_PROVIDER_ALIAS_SUFIX = ".alias"; @Autowired private Properties openIdProperties; private Map<String, Endpoint> endpointCache = new ConcurrentHashMap<String, Endpoint>(); private Map<Endpoint, Association> associationCache = new ConcurrentHashMap<Endpoint, Association>(); private Map<String, String> urlMap = new HashMap<String, String>(); private Map<String, String> aliasMap = new HashMap<String, String>(); private int timeOut = 5000; // 5 seconds private String assocQuery = null; private String authQuery = null; private String returnTo = null; private String returnToUrlEncode = null; private String realm = null; /** * Set returning address after authentication. * * @param returnTo URL that should redirect to. */ public void setReturnTo(String returnTo) { try { this.returnToUrlEncode = Utils.urlEncode(returnTo); } catch (UnsupportedEncodingException e) { throw new OpenIdException(e); } this.returnTo = returnTo; } /** * Set realm. For example, "http://*.example.com". * * @param realm Realm of RP. */ public void setRealm(String realm) { try { this.realm = Utils.urlEncode(realm); } catch (UnsupportedEncodingException e) { throw new OpenIdException(e); } } /** * Set timeout in milliseconds. */ public void setTimeOut(int timeOutInMilliseconds) { this.timeOut = timeOutInMilliseconds; } /** * Get authentication information from HTTP request, key.and alias */ public OpenIdAuthentication getAuthentication(HttpServletRequest request, byte[] key, String alias) { // verify: String identity = request.getParameter("openid.identity"); if (identity == null) throw new OpenIdException("Missing 'openid.identity'."); if (request.getParameter("openid.invalidate_handle") != null) throw new OpenIdException("Invalidate handle."); String sig = request.getParameter("openid.sig"); if (sig == null) throw new OpenIdException("Missing 'openid.sig'."); String signed = request.getParameter("openid.signed"); if (signed == null) throw new OpenIdException("Missing 'openid.signed'."); if (!returnTo.equals(request.getParameter("openid.return_to"))) throw new OpenIdException("Bad 'openid.return_to'."); // check sig: String[] params = signed.split("[\\,]+"); StringBuilder sb = new StringBuilder(1024); for (String param : params) { sb.append(param).append(':'); String value = request.getParameter("openid." + param); if (value != null) sb.append(value); sb.append('\n'); } String hmac = getHmacSha1(sb.toString(), key); if (!safeEquals(sig, hmac)) { throw new OpenIdException("Verify signature failed."); } // set auth: OpenIdAuthentication auth = new OpenIdAuthentication(); auth.setIdentity(identity); auth.setEmail(request.getParameter("openid." + alias + ".value.email")); auth.setLanguage(request.getParameter("openid." + alias + ".value.language")); auth.setGender(request.getParameter("openid." + alias + ".value.gender")); auth.setFullname(getFullname(request, alias)); auth.setFirstname(getFirstname(request, alias)); auth.setLastname(getLastname(request, alias)); return auth; } boolean safeEquals(String s1, String s2) { if (s1.length() != s2.length()) { return false; } int result = 0; for (int i = 0; i < s1.length(); i++) { int c1 = s1.charAt(i); int c2 = s2.charAt(i); result |= (c1 ^ c2); } return result == 0; } String getLastname(HttpServletRequest request, String axa) { String name = request.getParameter("openid." + axa + ".value.lastname"); // If lastname is not supported try to get it from the fullname if (name == null) { name = request.getParameter("openid." + axa + ".value.fullname"); if (name != null) { int n = name.lastIndexOf(' '); if (n != (-1)) { name = name.substring(n + 1); } } } return name; } String getFirstname(HttpServletRequest request, String axa) { String name = request.getParameter("openid." + axa + ".value.firstname"); //If firstname is not supported try to get it from the fullname if (name == null) { name = request.getParameter("openid." + axa + ".value.fullname"); if (name != null) { int n = name.indexOf(' '); if (n != (-1)) { name = name.substring(0, n); } } } return name; } String getFullname(HttpServletRequest request, String axa) { // If fullname is not supported then get combined first and last name String fname = request.getParameter("openid." + axa + ".value.fullname"); if (fname == null) { fname = request.getParameter("openid." + axa + ".value.firstname"); if (fname != null) { fname += " "; } fname += request.getParameter("openid." + axa + ".value.lastname"); } return fname; } String getHmacSha1(String data, byte[] key) { SecretKeySpec signingKey = new SecretKeySpec(key, HMAC_SHA1_ALGORITHM); Mac mac = null; try { mac = Mac.getInstance(HMAC_SHA1_ALGORITHM); mac.init(signingKey); } catch (NoSuchAlgorithmException e) { throw new OpenIdException(e); } catch (InvalidKeyException e) { throw new OpenIdException(e); } try { byte[] rawHmac = mac.doFinal(data.getBytes("UTF-8")); return Base64.encodeBytes(rawHmac); } catch (IllegalStateException e) { throw new OpenIdException(e); } catch (UnsupportedEncodingException e) { throw new OpenIdException(e); } } /** * Lookup end point by name or full URL. */ public Endpoint lookupEndpoint(String nameOrUrl) { String url = null; String alias = null; if (nameOrUrl.startsWith("http://") || nameOrUrl.startsWith("https://")) { url = nameOrUrl; } else { url = lookupUrlByName(nameOrUrl); if (url == null) { throw new OpenIdException("Cannot find OP URL by name: " + nameOrUrl); } alias = lookupAliasByName(nameOrUrl); } Endpoint endpoint = endpointCache.get(url); if (endpoint != null && !endpoint.isExpired()) { return endpoint; } endpoint = requestEndpoint(url, alias == null ? Endpoint.DEFAULT_ALIAS : alias); endpointCache.put(url, endpoint); return endpoint; } public Association lookupAssociation(Endpoint endpoint) { Association assoc = associationCache.get(endpoint); if (assoc != null && !assoc.isExpired()) { return assoc; } assoc = requestAssociation(endpoint); associationCache.put(endpoint, assoc); return assoc; } public String getAuthenticationUrl(Endpoint endpoint, Association association) { StringBuilder sb = new StringBuilder(1024); sb.append(endpoint.getUrl()).append(endpoint.getUrl().contains("?") ? '&' : '?') .append(getAuthQuery(endpoint.getAlias())).append("&openid.return_to=").append(returnToUrlEncode) .append("&openid.assoc_handle=").append(association.getAssociationHandle()); if (realm != null) { sb.append("&openid.realm=").append(realm); } return sb.toString(); } Endpoint requestEndpoint(String url, String alias) { Map<String, Object> map = Utils.httpRequest(url, "GET", "application/xrds+xml", null, timeOut); try { String content = Utils.getContent(map); return new Endpoint(Utils.mid(content, "<URI>", "</URI>"), alias, Utils.getMaxAge(map)); } catch (UnsupportedEncodingException e) { throw new OpenIdException(e); } } Association requestAssociation(Endpoint endpoint) { Map<String, Object> map = Utils.httpRequest(endpoint.getUrl(), "POST", "*/*", getAssocQuery(), timeOut); String content = null; try { content = Utils.getContent(map); } catch (UnsupportedEncodingException e) { throw new OpenIdException(e); } Association assoc = new Association(); try { BufferedReader r = new BufferedReader(new StringReader(content)); for (;;) { String line = r.readLine(); if (line == null) { break; } line = line.trim(); int pos = line.indexOf(':'); if (pos != (-1)) { String key = line.substring(0, pos); String value = line.substring(pos + 1); if ("session_type".equals(key)) assoc.setSessionType(value); else if ("assoc_type".equals(key)) assoc.setAssociationType(value); else if ("assoc_handle".equals(key)) assoc.setAssociationHandle(value); else if ("mac_key".equals(key)) assoc.setMacKey(value); else if ("expires_in".equals(key)) { long maxAge = Long.parseLong(value); assoc.setMaxAge(maxAge * 900L); // 90% } } } } catch (IOException e) { throw new RuntimeException("Association is impossible!", e); } return assoc; } private String getAuthQuery(String axa) { if (authQuery != null) { return authQuery; } List<String> list = new ArrayList<String>(); list.add("openid.ns=http://specs.openid.net/auth/2.0"); list.add("openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select"); list.add("openid.identity=http://specs.openid.net/auth/2.0/identifier_select"); list.add("openid.mode=checkid_setup"); list.add("openid.ns." + axa + "=http://openid.net/srv/ax/1.0"); list.add("openid." + axa + ".mode=fetch_request"); list.add("openid." + axa + ".type.email=http://axschema.org/contact/email"); list.add("openid." + axa + ".type.fullname=http://axschema.org/namePerson"); list.add("openid." + axa + ".type.language=http://axschema.org/pref/language"); list.add("openid." + axa + ".type.firstname=http://axschema.org/namePerson/first"); list.add("openid." + axa + ".type.lastname=http://axschema.org/namePerson/last"); list.add("openid." + axa + ".type.gender=http://axschema.org/person/gender"); list.add("openid." + axa + ".required=email,fullname,language,firstname,lastname,gender"); String query = Utils.buildQuery(list); authQuery = query; return query; } private String getAssocQuery() { if (assocQuery != null) { return assocQuery; } List<String> list = new ArrayList<String>(); list.add("openid.ns=http://specs.openid.net/auth/2.0"); list.add("openid.mode=associate"); list.add("openid.session_type=" + Association.SESSION_TYPE_NO_ENCRYPTION); list.add("openid.assoc_type=" + Association.ASSOC_TYPE_HMAC_SHA1); String query = Utils.buildQuery(list); assocQuery = query; return query; } private String lookupUrlByName(String name) { checkMap(); if (StringUtils.isNotEmpty(name)) { String provider = name.toLowerCase(); if (provider.contains("-") || provider.contains("_")) { provider = provider.replace("-", "."); provider = provider.replace("_", "."); } if (urlMap.get(provider) != null) { return urlMap.get(provider); } else { provider = provider.replaceAll("[_]", "."); if (urlMap.get(provider) != null) { return urlMap.get(provider); } } } return null; } private String lookupAliasByName(String name) { checkMap(); String alias = aliasMap.get(name); return alias == null ? Endpoint.DEFAULT_ALIAS : alias; } private void checkMap() { if (urlMap.size() == 0) { loadMap(); } if (aliasMap.size() == 0) { loadMap(); } } private void loadMap() { for (Object k : openIdProperties.keySet()) { String key = (String) k; String value = openIdProperties.getProperty(key); if (key.endsWith(OPEN_ID_PROVIDER_ALIAS_SUFIX)) { aliasMap.put(key.substring(0, key.length() - 6), value); } else { urlMap.put(key, value); } } } }