web/http-oauth.git - Ulrich Hilger Code Repository

			@@ -22,7 +22,7 @@
			import com.sun.net.httpserver.HttpExchange;
			import com.sun.net.httpserver.HttpPrincipal;
			import de.uhilger.httpserver.auth.realm.Realm;
			import de.uhilger.httpserver.base.handler.HttpResponder;
			import de.uhilger.httpserver.base.HttpResponder;
			import io.jsonwebtoken.Claims;
			import io.jsonwebtoken.JwtException;
			import io.jsonwebtoken.Jwts;
			@@ -36,12 +36,10 @@

			/**
			* Die Klasse Authenticator authentifziert gemäß OAuth-Spezifikation
			*
			*
			* "The OAuth 2.0 Authorization Framework: Bearer Token Usage"
			* https://datatracker.ietf.org/doc/html/rfc6750
			*
			*
			* weitere Info-Links
			* https://www.oauth.com/oauth2-servers/making-authenticated-requests/refreshing-an-access-token/
			* https://swagger.io/docs/specification/authentication/bearer-authentication/
			*
			@@ -230,6 +228,22 @@
			if(parts != null && parts.length > 1) {
			token = parts[1].trim();
			}
			} else {
			// unschoen, aber fuer Image-Links in HTML-Inhalten
			// mit Query versuchen
			// z.B.
			// GET /resource?access_token=mF_9.B5f-4.1JqM HTTP/1.1
			// Host: server.example.com
			String query = exchange.getRequestURI().getQuery();
			if(query != null && query.toLowerCase().contains("access_token")) {
			String[] parts = query.split("&");
			for(String part : parts) {
			String[] keyVal = part.split("=");
			if(keyVal[0].equalsIgnoreCase("access_token")) {
			token = keyVal[1].trim();
			}
			}
			}
			}
			return token;
			}
			@@ -239,6 +253,7 @@
			* im WWW-Authenticate Header bestimmen
			*
			* @param exchange
			* @return den Ausdruck fuer den WWW-Authenticate Header
			*/
			protected String getWWWAuthRealm(HttpExchange exchange) {
			return wwwAuthRealm;
			@@ -308,8 +323,7 @@
			* WWW-Authenticate: Bearer realm="example"
			*
			* @param exchange
			* @return
			* @throws java.io.IOException
			* @return das Ergebnis
			*/
			protected Result unauthorized(HttpExchange exchange) {
			StringBuilder sb = new StringBuilder();