diff --git a/extensions/guacamole-auth-cas/pom.xml b/extensions/guacamole-auth-cas/pom.xml
index 60d1df300..3afabda3f 100644
--- a/extensions/guacamole-auth-cas/pom.xml
+++ b/extensions/guacamole-auth-cas/pom.xml
@@ -261,6 +261,14 @@
2.5
provided
+
+
+
+ javax.ws.rs
+ jsr311-api
+ 1.1.1
+ provided
+
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
index dd741a3f8..f9876e055 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/CASGuacamoleProperties.java
@@ -19,7 +19,7 @@
package org.apache.guacamole.auth.cas.conf;
-import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.UriGuacamoleProperty;
/**
* Provides properties required for use of the CAS authentication provider.
@@ -36,8 +36,8 @@ public class CASGuacamoleProperties {
/**
* The authorization endpoint (URI) of the CAS service.
*/
- public static final StringGuacamoleProperty CAS_AUTHORIZATION_ENDPOINT =
- new StringGuacamoleProperty() {
+ public static final UriGuacamoleProperty CAS_AUTHORIZATION_ENDPOINT =
+ new UriGuacamoleProperty() {
@Override
public String getName() { return "cas-authorization-endpoint"; }
@@ -49,8 +49,8 @@ public class CASGuacamoleProperties {
* authentication process is complete. This must be the full URL that a
* user would enter into their browser to access Guacamole.
*/
- public static final StringGuacamoleProperty CAS_REDIRECT_URI =
- new StringGuacamoleProperty() {
+ public static final UriGuacamoleProperty CAS_REDIRECT_URI =
+ new UriGuacamoleProperty() {
@Override
public String getName() { return "cas-redirect-uri"; }
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
index e0016ad75..680f17057 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/conf/ConfigurationService.java
@@ -20,6 +20,7 @@
package org.apache.guacamole.auth.cas.conf;
import com.google.inject.Inject;
+import java.net.URI;
import java.security.PrivateKey;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
@@ -47,7 +48,7 @@ public class ConfigurationService {
* If guacamole.properties cannot be parsed, or if the authorization
* endpoint property is missing.
*/
- public String getAuthorizationEndpoint() throws GuacamoleException {
+ public URI getAuthorizationEndpoint() throws GuacamoleException {
return environment.getRequiredProperty(CASGuacamoleProperties.CAS_AUTHORIZATION_ENDPOINT);
}
@@ -65,7 +66,7 @@ public class ConfigurationService {
* If guacamole.properties cannot be parsed, or if the redirect URI
* property is missing.
*/
- public String getRedirectURI() throws GuacamoleException {
+ public URI getRedirectURI() throws GuacamoleException {
return environment.getRequiredProperty(CASGuacamoleProperties.CAS_REDIRECT_URI);
}
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java
index f785241f7..c16f52598 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/form/CASTicketField.java
@@ -19,8 +19,8 @@
package org.apache.guacamole.auth.cas.form;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
+import java.net.URI;
+import javax.ws.rs.core.UriBuilder;
import org.apache.guacamole.form.Field;
@@ -47,7 +47,7 @@ public class CASTicketField extends Field {
/**
* The full URI which the field should link to.
*/
- private final String authorizationURI;
+ private final URI authorizationURI;
/**
* Creates a new CAS "ticket" field which links to the given CAS
@@ -65,29 +65,15 @@ public class CASTicketField extends Field {
* The URI that the CAS service should redirect to upon successful
* authentication.
*/
- public CASTicketField(String authorizationEndpoint, String redirectURI) {
+ public CASTicketField(URI authorizationEndpoint, URI redirectURI) {
// Init base field properties
super(PARAMETER_NAME, "GUAC_CAS_TICKET");
-
- // Build authorization URI from given values
- try {
- final StringBuilder sb = new StringBuilder();
- sb.append(authorizationEndpoint);
- // user might configure the endpoint with a trailing slash
- if (sb.charAt(sb.length() - 1) != '/') {
- sb.append('/');
- }
- sb.append(CAS_LOGIN_URI);
- sb.append("?service=");
- sb.append(URLEncoder.encode(redirectURI, "UTF-8"));
- this.authorizationURI = sb.toString();
- }
-
- // Java is required to provide UTF-8 support
- catch (UnsupportedEncodingException e) {
- throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e);
- }
+
+ this.authorizationURI = UriBuilder.fromUri(authorizationEndpoint)
+ .path(CAS_LOGIN_URI)
+ .queryParam("service", redirectURI)
+ .build();
}
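Review bot: The `service` value built by `.queryParam("service", redirectURI)` is not encoded the same way as the removed `URLEncoder.encode(redirectURI, "UTF-8")`. UriBuilder keeps percent-escapes that are already present in a value rather than encoding the `%`. A configured redirect URI containing an escape such as `%2F` would therefore reach the CAS server in decoded form at login, while TicketValidationService hands the raw `confRedirectURI.toString()` to `validate()`. Whether that difference breaks ticket validation depends on how the CAS server compares the two service values, so a test with an escaped redirect URI is worth adding. Supplying the value as a template argument, `.queryParam("service", "{service}").build(redirectURI)`, should encode `%` as well and keep both sides consistent.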
@@ -99,7 +85,7 @@ public class CASTicketField extends Field {
* The full URI that this field should link to.
*/
public String getAuthorizationURI() {
- return authorizationURI;
+ return authorizationURI.toString();
}
}
diff --git a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
index b7cf33f0b..958ea2c11 100644
--- a/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
+++ b/extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
@@ -21,6 +21,7 @@ package org.apache.guacamole.auth.cas.ticket;
import com.google.common.io.BaseEncoding;
import com.google.inject.Inject;
+import java.net.URI;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
@@ -83,13 +84,13 @@ public class TicketValidationService {
// Retrieve the configured CAS URL, establish a ticket validator,
// and then attempt to validate the supplied ticket. If that succeeds,
// grab the principal returned by the validator.
- String casServerUrl = confService.getAuthorizationEndpoint();
- Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl);
+ URI casServerUrl = confService.getAuthorizationEndpoint();
+ Cas20ProxyTicketValidator validator = new Cas20ProxyTicketValidator(casServerUrl.toString());
validator.setAcceptAnyProxy(true);
validator.setEncoding("UTF-8");
try {
- String confRedirectURI = confService.getRedirectURI();
- Assertion a = validator.validate(ticket, confRedirectURI);
+ URI confRedirectURI = confService.getRedirectURI();
+ Assertion a = validator.validate(ticket, confRedirectURI.toString());
AttributePrincipal principal = a.getPrincipal();
// Retrieve username and set the credentials.
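Review bot: Nothing between the property lookup and `new Cas20ProxyTicketValidator(casServerUrl.toString())` checks that the configured endpoint is an absolute `https` URI. The move to a URI-typed property presumably validates syntax only, so an `http://` or relative value would still be used for ticket validation, where a validation response sent over plain HTTP can be altered in transit. A guard such as `if (!"https".equalsIgnoreCase(casServerUrl.getScheme())) throw new GuacamoleServerException("CAS endpoint must use https");`, or at least a logged warning, would make the stronger type enforce something. The same applies to `new HttpsJwks(confService.getJWKSEndpoint().toString())` in TokenValidationService. The enclosing method starts and ends outside this hunk.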
diff --git a/extensions/guacamole-auth-openid/pom.xml b/extensions/guacamole-auth-openid/pom.xml
index 967ad03e2..25158c88e 100644
--- a/extensions/guacamole-auth-openid/pom.xml
+++ b/extensions/guacamole-auth-openid/pom.xml
@@ -246,6 +246,14 @@
2.5
provided
+
+
+
+ javax.ws.rs
+ jsr311-api
+ 1.1.1
+ provided
+
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java
index c742d8991..8b4874c13 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java
@@ -20,10 +20,12 @@
package org.apache.guacamole.auth.openid.conf;
import com.google.inject.Inject;
+import java.net.URI;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.properties.IntegerGuacamoleProperty;
import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.UriGuacamoleProperty;
/**
* Service for retrieving configuration information regarding the OpenID
@@ -63,8 +65,8 @@ public class ConfigurationService {
/**
* The authorization endpoint (URI) of the OpenID service.
*/
- private static final StringGuacamoleProperty OPENID_AUTHORIZATION_ENDPOINT =
- new StringGuacamoleProperty() {
+ private static final UriGuacamoleProperty OPENID_AUTHORIZATION_ENDPOINT =
+ new UriGuacamoleProperty() {
@Override
public String getName() { return "openid-authorization-endpoint"; }
@@ -75,8 +77,8 @@ public class ConfigurationService {
* The endpoint (URI) of the JWKS service which defines how received ID
* tokens (JWTs) shall be validated.
*/
- private static final StringGuacamoleProperty OPENID_JWKS_ENDPOINT =
- new StringGuacamoleProperty() {
+ private static final UriGuacamoleProperty OPENID_JWKS_ENDPOINT =
+ new UriGuacamoleProperty() {
@Override
public String getName() { return "openid-jwks-endpoint"; }
@@ -174,8 +176,8 @@ public class ConfigurationService {
* authentication process is complete. This must be the full URL that a
* user would enter into their browser to access Guacamole.
*/
- private static final StringGuacamoleProperty OPENID_REDIRECT_URI =
- new StringGuacamoleProperty() {
+ private static final UriGuacamoleProperty OPENID_REDIRECT_URI =
+ new UriGuacamoleProperty() {
@Override
public String getName() { return "openid-redirect-uri"; }
@@ -200,7 +202,7 @@ public class ConfigurationService {
* If guacamole.properties cannot be parsed, or if the authorization
* endpoint property is missing.
*/
- public String getAuthorizationEndpoint() throws GuacamoleException {
+ public URI getAuthorizationEndpoint() throws GuacamoleException {
return environment.getRequiredProperty(OPENID_AUTHORIZATION_ENDPOINT);
}
@@ -236,7 +238,7 @@ public class ConfigurationService {
* If guacamole.properties cannot be parsed, or if the redirect URI
* property is missing.
*/
- public String getRedirectURI() throws GuacamoleException {
+ public URI getRedirectURI() throws GuacamoleException {
return environment.getRequiredProperty(OPENID_REDIRECT_URI);
}
@@ -270,7 +272,7 @@ public class ConfigurationService {
* If guacamole.properties cannot be parsed, or if the JWKS endpoint
* property is missing.
*/
- public String getJWKSEndpoint() throws GuacamoleException {
+ public URI getJWKSEndpoint() throws GuacamoleException {
return environment.getRequiredProperty(OPENID_JWKS_ENDPOINT);
}
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java
index d99c3672d..4a3bc9dd4 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java
@@ -19,8 +19,8 @@
package org.apache.guacamole.auth.openid.form;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
+import java.net.URI;
+import javax.ws.rs.core.UriBuilder;
import org.apache.guacamole.form.Field;
/**
@@ -38,7 +38,7 @@ public class TokenField extends Field {
/**
* The full URI which the field should link to.
*/
- private final String authorizationURI;
+ private final URI authorizationURI;
/**
* Creates a new field which requests authentication via OpenID connect.
@@ -69,26 +69,19 @@ public class TokenField extends Field {
* A random string unique to this request. To defend against replay
* attacks, this value must cease being valid after its first use.
*/
- public TokenField(String authorizationEndpoint, String scope,
- String clientID, String redirectURI, String nonce) {
+ public TokenField(URI authorizationEndpoint, String scope,
+ String clientID, URI redirectURI, String nonce) {
// Init base field properties
super(PARAMETER_NAME, "GUAC_OPENID_TOKEN");
- // Build authorization URI from given values
- try {
- this.authorizationURI = authorizationEndpoint
- + "?scope=" + URLEncoder.encode(scope, "UTF-8")
- + "&response_type=id_token"
- + "&client_id=" + URLEncoder.encode(clientID, "UTF-8")
- + "&redirect_uri=" + URLEncoder.encode(redirectURI, "UTF-8")
- + "&nonce=" + nonce;
- }
-
- // Java is required to provide UTF-8 support
- catch (UnsupportedEncodingException e) {
- throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e);
- }
+ this.authorizationURI = UriBuilder.fromUri(authorizationEndpoint)
+ .queryParam("scope", scope)
+ .queryParam("response_type", "id_token")
+ .queryParam("client_id","clientID")
+ .queryParam("redirect_uri", redirectURI)
+ .queryParam("nonce", nonce)
+ .build();
}
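Review bot: `.queryParam("client_id","clientID")` passes the string literal `"clientID"` instead of the `clientID` constructor argument, so every authorization request is sent with `client_id=clientID` and the identity provider will not see the configured client. The line should read `.queryParam("client_id", clientID)`. Separately, UriBuilder treats `{`…`}` inside query values as URI template parameters, unlike the removed `URLEncoder.encode` calls, so a `scope`, `clientID` or `nonce` string containing braces would make `build()` throw. Passing those values as template arguments (`.queryParam("scope", "{scope}")` … `.build(scope, …)`) avoids that and encodes them fully. The constructor's Javadoc begins outside this hunk.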
@@ -100,7 +93,7 @@ public class TokenField extends Field {
* The full URI that this field should link to.
*/
public String getAuthorizationURI() {
- return authorizationURI;
+ return authorizationURI.toString();
}
}
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
index cde4f89a6..5efb09dab 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
@@ -74,7 +74,7 @@ public class TokenValidationService {
public String processUsername(String token) throws GuacamoleException {
// Validating the token requires a JWKS key resolver
- HttpsJwks jwks = new HttpsJwks(confService.getJWKSEndpoint());
+ HttpsJwks jwks = new HttpsJwks(confService.getJWKSEndpoint().toString());
HttpsJwksVerificationKeyResolver resolver = new HttpsJwksVerificationKeyResolver(jwks);
// Create JWT consumer for validating received token