[cxf] branch 3.4.x-fixes updated (65ce246 -> f654f82)

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[cxf] branch 3.4.x-fixes updated (65ce246 -> f654f82)

coheigea
Administrator
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git.


    from 65ce246  Recording .gitmergeinfo Changes
     new ccc9330  Adding OAuth 2 systests for JoseSessionTokenProvider
     new f654f82  CXF-8368 - org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../services/AuthorizationCodeGrantService.java    | 26 ++-------
 .../services/RedirectionBasedGrantService.java     |  1 +
 .../oauth2/grants/AuthorizationGrantTest.java      | 10 +++-
 .../security/oauth2/grants/PublicClientTest.java   | 65 ++++++++++++++++------
 ...he-jwt.xml => grants-server-jcache-session.xml} | 34 ++++++-----
 ...public.xml => grants-server-public-session.xml} | 59 ++++++++++----------
 .../oauth2/grants/grants-server-public.xml         |  6 --
 7 files changed, 112 insertions(+), 89 deletions(-)
 copy systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/{grants-server-jcache-jwt.xml => grants-server-jcache-session.xml} (83%)
 copy systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/{grants-server-public.xml => grants-server-public-session.xml} (72%)

Reply | Threaded
Open this post in threaded view
|

[cxf] 01/02: Adding OAuth 2 systests for JoseSessionTokenProvider

coheigea
Administrator
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit ccc9330b321e08b5b883ed12ce9ae592e77f0517
Author: Colm O hEigeartaigh <[hidden email]>
AuthorDate: Fri Nov 13 09:53:58 2020 +0000

    Adding OAuth 2 systests for JoseSessionTokenProvider
   
    (cherry picked from commit 14eab5956de5ce2e9bfc299480391039b6fa4ac8)
---
 .../oauth2/grants/AuthorizationGrantTest.java      |  10 +-
 .../oauth2/grants/grants-server-jcache-session.xml | 150 +++++++++++++++++++++
 2 files changed, 159 insertions(+), 1 deletion(-)

diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
index 426574b..f905424 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
@@ -80,6 +80,10 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
     private static final String JWT_NON_PERSIST_JCACHE_PORT2 =
         TestUtil.getPortNumber("grants-server-jcache-jwt-non-persist.2");
 
+    private static final SpringBusTestServer JCACHE_SERVER_SESSION =
+            new SpringBusTestServer("grants-server-jcache-session") { };
+    private static final String JCACHE_PORT3 = TestUtil.getPortNumber("grants-server-jcache-session.2");
+
     private static final String ISSUER = "OIDC IdP";
 
     final String port;
@@ -98,6 +102,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
         assertTrue("server did not launch correctly", launchServer(JWT_JCACHE_SERVER));
         assertTrue("server did not launch correctly", launchServer(JPA_SERVER));
         assertTrue("server did not launch correctly", launchServer(JWT_NON_PERSIST_JCACHE_SERVER));
+        assertTrue("server did not launch correctly", launchServer(JCACHE_SERVER_SESSION));
     }
 
     @Parameters(name = "{0}")
@@ -106,7 +111,8 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
             JCACHE_SERVER.getPort(),
             JWT_JCACHE_SERVER.getPort(),
             JPA_SERVER.getPort(),
-            JWT_NON_PERSIST_JCACHE_SERVER.getPort()};
+            JWT_NON_PERSIST_JCACHE_SERVER.getPort(),
+            JCACHE_SERVER_SESSION.getPort()};
     }
 
     @org.junit.Test
@@ -370,6 +376,8 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase {
             audPort = JPA_PORT2;
         } else if (JWT_NON_PERSIST_JCACHE_SERVER.getPort().equals(port)) {
             audPort = JWT_NON_PERSIST_JCACHE_PORT2;
+        } else if (JCACHE_SERVER_SESSION.getPort().equals(port)) {
+            audPort = JCACHE_PORT3;
         }
         String audience = "https://localhost:" + audPort + "/secured/bookstore/books";
         ClientAccessToken accessToken =
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-jcache-session.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-jcache-session.xml
new file mode 100644
index 0000000..65dcfbe
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-jcache-session.xml
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:http="http://cxf.apache.org/transports/http/configuration"
+    xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+    xmlns:sec="http://cxf.apache.org/configuration/security"
+    xmlns:cxf="http://cxf.apache.org/core"
+    xmlns:jaxrs="http://cxf.apache.org/jaxrs"
+    xmlns:util="http://www.springframework.org/schema/util"
+    xsi:schemaLocation="http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
+             http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+             http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+             http://www.springframework.org/schema/util  http://www.springframework.org/schema/util/spring-util-4.2.xsd
+             http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+             http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd 
+             http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">
+    <bean class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer"/>
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+        <cxf:properties>
+          <entry key="org.apache.cxf.jaxrs.bus.providers" value-ref="busProviders"/>
+        </cxf:properties>
+    </cxf:bus>
+    <!-- providers -->
+    <util:list id="busProviders">
+        <ref bean="oauthJson"/>
+    </util:list>
+    <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
+    
+    <httpj:engine-factory id="tls-config">
+        <httpj:engine port="${testutil.ports.grants-server-jcache-session}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="JKS" password="password" resource="keys/Truststore.jks"/>
+                </sec:trustManagers>
+                <sec:clientAuthentication want="true" required="true"/>
+            </httpj:tlsServerParameters>
+            <httpj:sessionSupport>true</httpj:sessionSupport>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+   <bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.JCacheOAuthDataProviderImpl">
+       <constructor-arg><value>${testutil.ports.grants-server-jcache-session.2}</value></constructor-arg>
+   </bean>
+
+    <bean id="sessionTokenProvider" class="org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider">
+    </bean>
+
+    <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
+      <property name="dataProvider" ref="oauthProvider"/>
+       <property name="sessionAuthenticityTokenProvider" ref="sessionTokenProvider"/>
+   </bean>
+  
+   <bean id="implicitService" class="org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+  
+   <bean id="refreshGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+  
+   <bean id="callbackHandlerLoginHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.grants.CallbackHandlerLoginHandler">
+      <property name="callbackHandler" ref="callbackHandler"/>
+   </bean>
+  
+   <bean id="passwordGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+      <property name="loginHandler" ref="callbackHandlerLoginHandler"/>
+   </bean>
+  
+   <bean id="clientCredsGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+  
+   <bean id="samlGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+  
+   <bean id="jwtGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler">
+      <property name="dataProvider" ref="oauthProvider"/>
+   </bean>
+
+   <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
+      <property name="dataProvider" ref="oauthProvider"/>
+      <property name="grantHandlers">
+         <list>
+             <ref bean="refreshGrantHandler"/>
+             <ref bean="passwordGrantHandler"/>
+             <ref bean="clientCredsGrantHandler"/>
+             <ref bean="samlGrantHandler"/>
+             <ref bean="jwtGrantHandler"/>
+         </list>
+      </property>
+   </bean>
+  
+   <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"/>
+   <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
+       <property name="callbackHandler" ref="callbackHandler"/>
+   </bean>
+
+    <bean id="keyPasswordProvider" class="org.apache.cxf.systest.jaxrs.security.jose.jwejws.PrivateKeyPasswordProviderImpl"/>
+
+   <jaxrs:server
+       depends-on="tls-config"
+       address="<a href="https://localhost:$">https://localhost:${testutil.ports.grants-server-jcache-session}/services">
+       <jaxrs:serviceBeans>
+           <ref bean="authorizationService"/>
+           <ref bean="implicitService"/>
+           <ref bean="tokenService"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:providers>
+           <ref bean="basicAuthFilter"/>
+       </jaxrs:providers>
+       <jaxrs:properties>
+           <entry key="security.signature.properties"
+                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+           <entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+           <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
+       </jaxrs:properties>
+   </jaxrs:server>
+  
+
+</beans>

Reply | Threaded
Open this post in threaded view
|

[cxf] 02/02: CXF-8368 - org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge

coheigea
Administrator
In reply to this post by coheigea
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit f654f82ecac36a5a2e1d8d2d05d7c94ede9488fc
Author: Colm O hEigeartaigh <[hidden email]>
AuthorDate: Fri Nov 13 10:22:50 2020 +0000

    CXF-8368 - org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService#createAuthorizationData wrongly sets code_challenge
   
    (cherry picked from commit dcf6d7ab478444d26afb97b677cbc2f292ddfbb8)
---
 .../services/AuthorizationCodeGrantService.java    | 26 ++-------
 .../services/RedirectionBasedGrantService.java     |  1 +
 .../security/oauth2/grants/PublicClientTest.java   | 65 ++++++++++++++++------
 ...public.xml => grants-server-public-session.xml} | 59 ++++++++++----------
 .../oauth2/grants/grants-server-public.xml         |  6 --
 5 files changed, 84 insertions(+), 73 deletions(-)

diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index f4da8b6..d63e85ed 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -28,8 +28,6 @@ import javax.ws.rs.core.UriBuilder;
 
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.FormAuthorizationResponse;
-import org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.OOBAuthorizationResponse;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -61,29 +59,13 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
     public AuthorizationCodeGrantService() {
         super(OAuthConstants.CODE_RESPONSE_TYPE, OAuthConstants.AUTHORIZATION_CODE_GRANT);
     }
-    @Override
-    protected OAuthAuthorizationData createAuthorizationData(Client client,
-                                                             MultivaluedMap<String, String> params,
-                                                             String redirectUri,
-                                                             UserSubject subject,
-                                                             List<OAuthPermission> requestedPerms,
-                                                             List<OAuthPermission> alreadyAuthorizedPerms,
-                                                             boolean authorizationCanBeSkipped) {
-        OAuthAuthorizationData data =
-            super.createAuthorizationData(client, params, redirectUri, subject,
-                                          requestedPerms, alreadyAuthorizedPerms, authorizationCanBeSkipped);
-        setCodeChallenge(data, params);
-        return data;
-    }
-    protected OAuthRedirectionState recreateRedirectionStateFromParams(
-        MultivaluedMap<String, String> params) {
+
+    protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> params) {
         OAuthRedirectionState state = super.recreateRedirectionStateFromParams(params);
-        setCodeChallenge(state, params);
+        state.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
         return state;
     }
-    private static void setCodeChallenge(OAuthRedirectionState data, MultivaluedMap<String, String> params) {
-        data.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
-    }
+
     protected Response createGrant(OAuthRedirectionState state,
                                    Client client,
                                    List<String> requestedScope,
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index cee3334..63f65a7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -292,6 +292,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             }
             secData.setProposedScope(builder.toString().trim());
         }
+        secData.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
         if (!authorizationCanBeSkipped) {
             secData.setPermissions(requestedPerms);
             secData.setAlreadyAuthorizedPermissions(alreadyAuthorizedPerms);
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
index 4fa89db..dab76fc 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
@@ -38,6 +38,8 @@ import org.apache.cxf.testutil.common.AbstractClientServerTestBase;
 import org.apache.cxf.testutil.common.TestUtil;
 
 import org.junit.BeforeClass;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
 
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -47,26 +49,49 @@ import static org.junit.Assert.fail;
 /**
  * Some tests for public clients.
  */
+@RunWith(value = org.junit.runners.Parameterized.class)
 public class PublicClientTest extends AbstractClientServerTestBase {
     public static final String JCACHE_PORT = TestUtil.getPortNumber("jaxrs-oauth2-grants-jcache-public");
     public static final String JCACHE_PORT2 = TestUtil.getPortNumber("jaxrs-oauth2-grants2-jcache-public");
 
-    // services2 doesn't require basic auth
-    private static final String TOKEN_SERVICE_ADDRESS_PLAIN = "https://localhost:" + JCACHE_PORT + "/services2/";
-    // services3 doesn't require basic auth
-    private static final String TOKEN_SERVICE_ADDRESS_DIGEST = "https://localhost:" + JCACHE_PORT + "/services3/";
+    public static final String JCACHE_PORT_SESSION =
+            TestUtil.getPortNumber("jaxrs-oauth2-grants-jcache-public-session");
+    public static final String JCACHE_PORT_SESSION2 =
+            TestUtil.getPortNumber("jaxrs-oauth2-grants2-jcache-public-session");
+
+    final String port;
+
+    private final String tokenServiceAddressPlain;
+    private final String tokenServiceAddressDigest;
+
+    public PublicClientTest(String port) {
+        this.port = port;
+        // services2 doesn't require basic auth
+        tokenServiceAddressPlain = "https://localhost:" + port + "/services2/";
+        // services3 doesn't require basic auth
+        tokenServiceAddressDigest = "https://localhost:" + port + "/services3/";
+    }
 
     @BeforeClass
     public static void startServers() throws Exception {
         assertTrue("server did not launch correctly",
-                   launchServer(BookServerOAuth2GrantsJCache.class, true));
+                launchServer(BookServerOAuth2GrantsJCache.class, true));
+        assertTrue("server did not launch correctly",
+                launchServer(BookServerOAuth2GrantsJCacheSession.class, true));
+    }
+
+    @Parameterized.Parameters(name = "{0}")
+    public static String[] data() {
+        return new String[] {
+            JCACHE_PORT,
+            JCACHE_PORT_SESSION};
     }
 
     @org.junit.Test
     public void testAuthorizationCodeGrant() throws Exception {
         URL busFile = PublicClientTest.class.getResource("publicclient.xml");
 
-        String address = "https://localhost:" + JCACHE_PORT + "/services/";
+        String address = "https://localhost:" + port + "/services/";
         WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "alice", "security", busFile.toString());
         // Save the Cookie for the second request...
@@ -78,7 +103,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
         assertNotNull(code);
 
         // Now get the access token - note services2 doesn't require basic auth
-        String address2 = "https://localhost:" + JCACHE_PORT + "/services2/";
+        String address2 = "https://localhost:" + port + "/services2/";
         client = WebClient.create(address2, busFile.toString());
 
         ClientAccessToken accessToken =
@@ -90,7 +115,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
     public void testAuthorizationCodeGrantNoRedirectURI() throws Exception {
         URL busFile = PublicClientTest.class.getResource("publicclient.xml");
 
-        String address = "https://localhost:" + JCACHE_PORT + "/services/";
+        String address = "https://localhost:" + port + "/services/";
         WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "alice", "security", busFile.toString());
         // Save the Cookie for the second request...
@@ -108,38 +133,38 @@ public class PublicClientTest extends AbstractClientServerTestBase {
 
     @org.junit.Test
     public void testPKCEPlain() throws Exception {
-        testPKCE(new PlainCodeVerifier(), TOKEN_SERVICE_ADDRESS_PLAIN);
+        testPKCE(new PlainCodeVerifier(), tokenServiceAddressPlain);
     }
 
     @org.junit.Test
     public void testPKCEPlainMissingVerifier() throws Exception {
-        testPKCEMissingVerifier(new PlainCodeVerifier(), TOKEN_SERVICE_ADDRESS_PLAIN);
+        testPKCEMissingVerifier(new PlainCodeVerifier(), tokenServiceAddressPlain);
     }
 
     @org.junit.Test
     public void testPKCEPlainDifferentVerifier() throws Exception {
-        testPKCEDifferentVerifier(new PlainCodeVerifier(), TOKEN_SERVICE_ADDRESS_PLAIN);
+        testPKCEDifferentVerifier(new PlainCodeVerifier(), tokenServiceAddressPlain);
     }
 
     @org.junit.Test
     public void testPKCEDigest() {
-        testPKCE(new DigestCodeVerifier(), TOKEN_SERVICE_ADDRESS_DIGEST);
+        testPKCE(new DigestCodeVerifier(), tokenServiceAddressDigest);
     }
 
     @org.junit.Test
     public void testPKCEDigestMissingVerifier() {
-        testPKCEMissingVerifier(new DigestCodeVerifier(), TOKEN_SERVICE_ADDRESS_DIGEST);
+        testPKCEMissingVerifier(new DigestCodeVerifier(), tokenServiceAddressDigest);
     }
 
     @org.junit.Test
     public void testPKCEDigestDifferentVerifier() {
-        testPKCEDifferentVerifier(new DigestCodeVerifier(), TOKEN_SERVICE_ADDRESS_DIGEST);
+        testPKCEDifferentVerifier(new DigestCodeVerifier(), tokenServiceAddressDigest);
     }
 
     private void testPKCE(CodeVerifierTransformer transformer, String tokenServiceAddress) {
         URL busFile = PublicClientTest.class.getResource("publicclient.xml");
 
-        String address = "https://localhost:" + JCACHE_PORT + "/services/";
+        String address = "https://localhost:" + port + "/services/";
         WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "alice", "security", busFile.toString());
         // Save the Cookie for the second request...
@@ -169,7 +194,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
     private void testPKCEMissingVerifier(CodeVerifierTransformer transformer, String tokenServiceAddress) {
         URL busFile = PublicClientTest.class.getResource("publicclient.xml");
 
-        String address = "https://localhost:" + JCACHE_PORT + "/services/";
+        String address = "https://localhost:" + port + "/services/";
         WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "alice", "security", busFile.toString());
         // Save the Cookie for the second request...
@@ -202,7 +227,7 @@ public class PublicClientTest extends AbstractClientServerTestBase {
     private void testPKCEDifferentVerifier(CodeVerifierTransformer transformer, String tokenServiceAddress) {
         URL busFile = PublicClientTest.class.getResource("publicclient.xml");
 
-        String address = "https://localhost:" + JCACHE_PORT + "/services/";
+        String address = "https://localhost:" + port + "/services/";
         WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "alice", "security", busFile.toString());
         // Save the Cookie for the second request...
@@ -243,4 +268,10 @@ public class PublicClientTest extends AbstractClientServerTestBase {
         }
     }
 
+    public static class BookServerOAuth2GrantsJCacheSession extends AbstractBusTestServerBase {
+        protected void run() {
+            setBus(new SpringBusFactory().createBus(getClass().getResource("grants-server-public-session.xml")));
+        }
+    }
+
 }
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public-session.xml
similarity index 72%
copy from systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
copy to systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public-session.xml
index e922f21..0b9cd88 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public-session.xml
@@ -48,7 +48,7 @@ under the License.
     <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
     
     <httpj:engine-factory id="tls-config">
-        <httpj:engine port="${testutil.ports.jaxrs-oauth2-grants-jcache-public}">
+        <httpj:engine port="${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}">
             <httpj:tlsServerParameters>
                 <sec:keyManagers keyPassword="password">
                     <sec:keyStore type="JKS" password="password" resource="keys/Bethal.jks"/>
@@ -63,15 +63,19 @@ under the License.
     </httpj:engine-factory>
     
    <bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.JCacheOAuthDataProviderImpl">
-       <constructor-arg><value>${testutil.ports.jaxrs-oauth2-grants2-jcache-public}</value></constructor-arg>
+       <constructor-arg><value>${testutil.ports.jaxrs-oauth2-grants2-jcache-public-session}</value></constructor-arg>
        <constructor-arg><value>null</value></constructor-arg>
        <constructor-arg><value>false</value></constructor-arg>
        <constructor-arg><value>true</value></constructor-arg>
    </bean>
-  
+
+    <bean id="sessionTokenProvider" class="org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider">
+    </bean>
+
    <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
       <property name="dataProvider" ref="oauthProvider"/>
       <property name="canSupportPublicClients" value="true"/>
+       <property name="sessionAuthenticityTokenProvider" ref="sessionTokenProvider"/>
    </bean>
   
    <bean id="implicitService" class="org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService">
@@ -106,10 +110,12 @@ under the License.
    <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
        <property name="callbackHandler" ref="callbackHandler"/>
    </bean>
-  
+
+    <bean id="keyPasswordProvider" class="org.apache.cxf.systest.jaxrs.security.jose.jwejws.PrivateKeyPasswordProviderImpl"/>
+
    <jaxrs:server
        depends-on="tls-config"
-       address="<a href="https://localhost:$">https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public}/services">
+       address="<a href="https://localhost:$">https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}/services">
        <jaxrs:serviceBeans>
            <ref bean="authorizationService"/>
            <ref bean="implicitService"/>
@@ -118,30 +124,28 @@ under the License.
            <ref bean="basicAuthFilter"/>
        </jaxrs:providers>
        <jaxrs:properties>
-           <entry key="security.signature.properties"
-                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
-           <entry key="rs.security.keystore.type" value="jks" />
-           <entry key="rs.security.keystore.alias" value="alice"/>
-           <entry key="rs.security.keystore.password" value="password"/>
-           <entry key="rs.security.keystore.file" value="keys/alice.jks" />
-           <entry key="rs.security.signature.algorithm" value="RS256" />
+           <entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+           <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
        </jaxrs:properties>
    </jaxrs:server>
   
    <jaxrs:server
        depends-on="tls-config"
-       address="<a href="https://localhost:$">https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public}/services2">
+       address="<a href="https://localhost:$">https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}/services2">
        <jaxrs:serviceBeans>
            <ref bean="tokenService"/>
        </jaxrs:serviceBeans>
        <jaxrs:properties>
-           <entry key="security.signature.properties"
-                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
-           <entry key="rs.security.keystore.type" value="jks" />
-           <entry key="rs.security.keystore.alias" value="alice"/>
-           <entry key="rs.security.keystore.password" value="password"/>
-           <entry key="rs.security.keystore.file" value="keys/alice.jks" />
-           <entry key="rs.security.signature.algorithm" value="RS256" />
+           <entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+           <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
        </jaxrs:properties>
    </jaxrs:server>
   
@@ -163,18 +167,17 @@ under the License.
   
    <jaxrs:server
        depends-on="tls-config"
-       address="<a href="https://localhost:$">https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public}/services3">
+       address="<a href="https://localhost:$">https://localhost:${testutil.ports.jaxrs-oauth2-grants-jcache-public-session}/services3">
        <jaxrs:serviceBeans>
            <ref bean="digestTokenService"/>
        </jaxrs:serviceBeans>
        <jaxrs:properties>
-           <entry key="security.signature.properties"
-                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
-           <entry key="rs.security.keystore.type" value="jks" />
-           <entry key="rs.security.keystore.alias" value="alice"/>
-           <entry key="rs.security.keystore.password" value="password"/>
-           <entry key="rs.security.keystore.file" value="keys/alice.jks" />
-           <entry key="rs.security.signature.algorithm" value="RS256" />
+           <entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/bob.rs.properties"/>
+           <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+           <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
+           <entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
        </jaxrs:properties>
    </jaxrs:server>
   
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
index e922f21..91c8f8f 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/grants-server-public.xml
@@ -118,8 +118,6 @@ under the License.
            <ref bean="basicAuthFilter"/>
        </jaxrs:providers>
        <jaxrs:properties>
-           <entry key="security.signature.properties"
-                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
            <entry key="rs.security.keystore.type" value="jks" />
            <entry key="rs.security.keystore.alias" value="alice"/>
            <entry key="rs.security.keystore.password" value="password"/>
@@ -135,8 +133,6 @@ under the License.
            <ref bean="tokenService"/>
        </jaxrs:serviceBeans>
        <jaxrs:properties>
-           <entry key="security.signature.properties"
-                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
            <entry key="rs.security.keystore.type" value="jks" />
            <entry key="rs.security.keystore.alias" value="alice"/>
            <entry key="rs.security.keystore.password" value="password"/>
@@ -168,8 +164,6 @@ under the License.
            <ref bean="digestTokenService"/>
        </jaxrs:serviceBeans>
        <jaxrs:properties>
-           <entry key="security.signature.properties"
-                  value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
            <entry key="rs.security.keystore.type" value="jks" />
            <entry key="rs.security.keystore.alias" value="alice"/>
            <entry key="rs.security.keystore.password" value="password"/>