Custom mediator
An OAuth 2.0 mediator is used as a callback during the OAuth 2.0 message processing to perform customized post processing.
Write an OAuth20 mediator
To write a mediator,
you must implement the interface named
com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator
You
can implement one or more mediate*
methods to perform
custom post processing.void init(OAuthComponentConfiguration config)
This
method is called by a factory when an instance of this object is created.void mediateAuthorize(AttributeList attributeList)
This
method is called by the core component after basic message validation
and processing to allow any post custom processing by the component
consumer in the processAuthorization
method.void mediateAuthorizeException(AttributeList attributeList, OAuthException exception)
This
method is called by the core component when a protocol exception
occurs, to allow any custom post-processing by the component consumer
in the processAuthorization
method.void mediateResource(AttributeList attributeList)
This
method is called by the core component after basic message validation
and processing to allow any post custom processing by the component
consumer in the processResourceRequest
method.void mediateResourceException(AttributeList attributeList, OAuthException exception)
This
method is called by the core component when a protocol exception occurs,
to allow any custom post-processing by the component consumer in the processResourceRequest
method.void mediateToken(AttributeList attributeList)
This
method is called by the core component after basic message validation
and processing to allow any post custom processing by the component
consumer in the processTokenRequest
method.void mediateTokenException(AttributeList attributeList, OAuthException exception)
This
method is called by the core component when a protocol exception occurs,
to allow any custom post-processing by the component consumer in the processTokenRequest
method.Enable OAuth20 mediator for an OAuth provider
To
add a customized mediator to a specific OAuth20 service provider,
update the configuration file for the service provider, for example, OAuthConfigSample.xml.
Locate the
oauth20.mediator.classnames
parameter
and add the fully qualified class name of your mediator. You can specify
more than one class name for the oauth20.mediator.classnames
parameter.
If multiple mediators are specified, those mediators are started in
the order they are specified in the parameter. The following example
shows a sample custom mediator entry in the provider configuration
file:<parameter name="oauth20.mediator.classnames" type="cc" customizable="false">
<value>org.acme.oauth2.sampleMediator</value>
<value>org.acme.oauth2.sampleMediator2</value>
</parameter>
The following code sample implements resource owner credential validation for
the resource owner password credentials grant by checking the supplied username and
password against the WebSphere® Application Server user registry. The sample rejects
the token request by throwing OAuth20MediatorException when the credentials cannot be
verified, and its mediateTokenException method removes any access or refresh token
from the response of a failed request. Because this grant type sends the resource
owner's clear-text password to the token endpoint, enable it only for clients you
trust with that password, and make sure the request attributes (which include the
password) are never written to log output.
package com.ibm.ws.security.oauth20.mediator;
import com.ibm.oauth.core.api.attributes.AttributeList;
import com.ibm.oauth.core.api.config.OAuthComponentConfiguration;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.oauth20.OAuth20MediatorException;
import com.ibm.oauth.core.api.oauth20.mediator.OAuth20Mediator;
import com.ibm.oauth.core.internal.oauth20.OAuth20Constants;
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;
import java.rmi.RemoteException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.naming.NamingException;
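/**
 * Sample OAuth20Mediator that validates the resource owner's credentials for the
 * resource owner password credentials grant ({@code grant_type=password}) against
 * the WebSphere Application Server user registry obtained through JNDI.
 * <p>
 * Only the token-endpoint callbacks do any work: {@link #mediateToken} rejects the
 * request with an {@link OAuth20MediatorException} when the credentials are missing
 * or do not verify, and {@link #mediateTokenException} removes any access or refresh
 * token from the response of a failed request. The authorization and resource
 * callbacks are no-ops.
 */
public class ResourceOwnerValidationMedidator implements OAuth20Mediator {
    private static final String CLASS = ResourceOwnerValidationMedidator.class.getName();
    private static final Logger LOG = Logger.getLogger(CLASS);
    /** Single message for both "unknown user" and "wrong password" so the response does not reveal which. */
    private static final String BAD_CREDENTIALS = "User doesn't exist or the password doesn't match.";
    private static final String CANNOT_VALIDATE = "Cannot validate resource owner.";
    /** User registry from JNDI, or null when the lookup in {@link #init} failed. */
    private UserRegistry reg = null;

    /**
     * Looks up the user registry through JNDI. Called by the mediator factory once,
     * when the instance is created.
     * <p>
     * The interface gives this method no way to report failure, so a failed lookup
     * is logged and {@code reg} stays null; {@link #mediateToken} then refuses every
     * password grant (fail closed) instead of failing with a NullPointerException.
     *
     * @param config component configuration; not used by this sample
     */
    @Override
    public void init(OAuthComponentConfiguration config) {
        try {
            InitialContext ctx = new InitialContext();
            reg = (UserRegistry) ctx.lookup("UserRegistry");
        } catch (NamingException ne) {
            LOG.log(Level.SEVERE, "Cannot lookup UserRegistry", ne);
        }
    }

    /** No-op: authorization requests need no additional processing in this sample. */
    @Override
    public void mediateAuthorize(AttributeList attributeList)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No-op: authorization failures need no additional processing in this sample. */
    @Override
    public void mediateAuthorizeException(AttributeList attributeList,
            OAuthException exception)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No-op: resource requests need no additional processing in this sample. */
    @Override
    public void mediateResource(AttributeList attributeList)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /** No-op: resource request failures need no additional processing in this sample. */
    @Override
    public void mediateResourceException(AttributeList attributeList,
            OAuthException exception)
            throws OAuth20MediatorException {
        // nothing to do here
    }

    /**
     * Verifies the resource owner's username and password for a password grant.
     * Token requests with any other grant_type pass through untouched.
     *
     * @param attributeList request and response attributes; for a password grant it
     *        carries the clear-text {@code username} and {@code password}
     * @throws OAuth20MediatorException when the credentials are missing or empty, do
     *         not verify against the registry, or cannot be checked because the
     *         registry is unavailable or fails
     */
    @Override
    public void mediateToken(AttributeList attributeList)
            throws OAuth20MediatorException {
        final String methodName = "mediateToken";
        // The attribute list holds the resource owner's clear-text password for this
        // grant, so it is deliberately not handed to the logger.
        LOG.entering(CLASS, methodName);
        if ("password".equals(attributeList.getAttributeValueByName("grant_type"))) {
            String username = attributeList.getAttributeValueByName("username");
            String password = attributeList.getAttributeValueByName("password");
            // Reject absent or empty credentials up front instead of relying on how
            // the configured registry happens to treat them.
            if (username == null || username.length() == 0
                    || password == null || password.length() == 0) {
                throw new OAuth20MediatorException(BAD_CREDENTIALS, null);
            }
            if (reg == null) {
                // init() could not obtain the registry: refuse the grant rather than NPE.
                throw new OAuth20MediatorException(CANNOT_VALIDATE, null);
            }
            try {
                reg.checkPassword(username, password);
            } catch (PasswordCheckFailedException e) {
                throw new OAuth20MediatorException(BAD_CREDENTIALS, e);
            } catch (CustomRegistryException e) {
                throw new OAuth20MediatorException(CANNOT_VALIDATE, e);
            } catch (RemoteException e) {
                throw new OAuth20MediatorException(CANNOT_VALIDATE, e);
            }
        }
        LOG.exiting(CLASS, methodName);
    }

    /**
     * Cleans up after a failed token request. For a password grant, any access or
     * refresh token already placed in the response attributes is removed so that a
     * rejected request cannot leak a token.
     *
     * @param attributeList request and response attributes
     * @param exception the protocol exception that caused the failure
     * @throws OAuth20MediatorException never thrown by this implementation
     */
    @Override
    public void mediateTokenException(AttributeList attributeList,
            OAuthException exception)
            throws OAuth20MediatorException {
        final String methodName = "mediateTokenException";
        // As in mediateToken, attributeList may hold the password: log only the exception.
        LOG.entering(CLASS, methodName, exception);
        if ("password".equals(attributeList.getAttributeValueByName("grant_type"))) {
            // clear sensitive data
            attributeList.setAttribute("access_token",
                    OAuth20Constants.ATTRTYPE_RESPONSE_ATTRIBUTE,
                    new String[0]);
            attributeList.setAttribute("refresh_token",
                    OAuth20Constants.ATTRTYPE_RESPONSE_ATTRIBUTE,
                    new String[0]);
        }
        LOG.exiting(CLASS, methodName);
    }
}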