create a more flexible interface for the creation of access tokens

Provide a AccessTokenBuilderFactory to simplify the creation of access tokens and a default implementation which is based on JWT. Added also an AccessTokenCookieIssuer to unify the creation of access token cookies. Removed old BearerTokenGenerator.

scm-core/src/main/java/sonia/scm/security/AccessToken.java

@@ -0,0 +1,107 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+package sonia.scm.security;
+
+import java.util.Date;
+import java.util.Optional;
+
+/**
+ * An access token can be used to access scm-manager without providing username and password. An {@link AccessToken} can
+ * be issued from a restful webservice endpoint by providing credentials. After the token was issued, the token must be
+ * send along with every request. The token should be send in its compact representation as bearer authorization header
+ * or as cookie.
+ * 
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+public interface AccessToken {
+  
+  /**
+   * Returns unique id of the access token.
+   * 
+   * @return unique id
+   */
+  String getId();
+  
+  /**
+   * Returns name of subject which identifies the principal.
+   * 
+   * @return name of subject
+   */
+  String getSubject();
+  
+  /**
+   * Returns optional issuer. The issuer identifies the principal that issued the token.
+   * 
+   * @return optional issuer
+   */
+  Optional<String> getIssuer();
+  
+  /**
+   * Returns time at which the token was issued.
+   * 
+   * @return time at which the token was issued
+   */
+  Date getIssuedAt();
+  
+  /**
+   * Returns the expiration time of token.
+   * 
+   * @return expiration time
+   */
+  Date getExpiration();
+  
+  /**
+   * Returns the scope of the token. The scope is able to reduce the permissions of the subject in the context of this 
+   * token. For example we could issue a token which can only be used to read a single repository. for more informations
+   * please have a look at {@link Scope}.
+   * 
+   * @return scope of token.
+   */
+  Scope getScope();
+  
+  /**
+   * Returns an optional value of a custom token field.
+   * 
+   * @param <T> type of field
+   * @param key key of token field
+   * 
+   * @return optional value of custom field
+   */
+  <T> Optional<T> getCustom(String key);
+  
+  /**
+   * Returns compact representation of token.
+   * 
+   * @return compact representation
+   */
+  String compact();
+}

scm-core/src/main/java/sonia/scm/security/AccessTokenBuilder.java

@@ -0,0 +1,99 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+package sonia.scm.security;
+
+import java.util.concurrent.TimeUnit;
+
+/**
+ * The access token builder is able to create {@link AccessToken}. For more informations about access tokens have look
+ * at {@link AccessToken}.
+ * 
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+public interface AccessTokenBuilder {
+  
+  /**
+   * Sets the subject for the token. 
+   * If the subject is not set the currently authenticated subject will be used instead.
+   * 
+   * @param subject subject of token
+   * 
+   * @return * @return {@code this}
+   */
+  AccessTokenBuilder subject(String subject);
+  
+  /**
+   * Adds a custom entry to the token.
+   * 
+   * @param key key of custom entry
+   * @param value value of entry
+   * 
+   * @return {@code this}
+   */
+  AccessTokenBuilder custom(String key, Object value);
+  
+  /**
+   * Sets the issuer for the token.
+   * 
+   * @param issuer issuer name or url
+   * 
+   * @return {@code this}
+   */
+  AccessTokenBuilder issuer(String issuer);
+  
+  /**
+   * Sets the expiration for the token.
+   * 
+   * @param count expiration count
+   * @param unit expirtation unit
+   * 
+   * @return {@code this}
+   */
+  AccessTokenBuilder expiresIn(long count, TimeUnit unit);
+  
+  /**
+   * Reduces the permissions of the token by providing a scope.
+   * 
+   * @param scope scope of token
+   * 
+   * @return {@code this}
+   */
+  AccessTokenBuilder scope(Scope scope);
+  
+  /**
+   * Creates a new {@link AccessToken} with the provided settings.
+   * 
+   * @return new {@link AccessToken}
+   */
+  AccessToken build();
+  
+}

scm-core/src/main/java/sonia/scm/security/AccessTokenBuilderFactory.java

@@ -0,0 +1,51 @@
+/**
+ * Copyright (c) 2014, Sebastian Sdorra
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. Neither the name of SCM-Manager; nor the names of its
+ *    contributors may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+package sonia.scm.security;
+
+import sonia.scm.plugin.ExtensionPoint;
+
+/**
+ * Creates new {@link AccessTokenBuilder}. The AccessTokenBuilderFactory resolves all required dependencies for the 
+ * access token builder. The builder factory is the main entry point for creating {@link AccessToken}.
+ * 
+ * @author Sebastian Sdorra
+ * @since 2.0.0
+ */
+@ExtensionPoint(multi = false)
+public interface AccessTokenBuilderFactory {
+  
+  /**
+   * Creates a new {@link AccessTokenBuilder}.
+   * 
+   * @return new {@link AccessTokenBuilder}
+   */
+  AccessTokenBuilder create();
+}

scm-core/src/main/java/sonia/scm/util/HttpUtil.java

@@ -86,6 +86,9 @@ public final class HttpUtil
 
   /**
    * Name of bearer authentication cookie.
+   * 
+   * TODO find a better place
+   * 
    * @since 2.0.0
    */
   public static final String COOKIE_BEARER_AUTHENTICATION = "X-Bearer-Token";