Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2FE1B11609 for ; Mon, 16 Jun 2014 12:39:54 +0000 (UTC) Received: (qmail 62122 invoked by uid 500); 16 Jun 2014 12:39:54 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 62057 invoked by uid 500); 16 Jun 2014 12:39:54 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 62048 invoked by uid 99); 16 Jun 2014 12:39:53 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 16 Jun 2014 12:39:53 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id A4460940124; Mon, 16 Jun 2014 12:39:53 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <6c549cbc851b4b97a2f39be33e5667e0@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-5311] Experimenting with JWS interfaces Date: Mon, 16 Jun 2014 12:39:53 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master ad4e3dde6 -> 8515dcba6 [CXF-5311] Experimenting with JWS interfaces Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8515dcba Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8515dcba Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8515dcba Branch: refs/heads/master Commit: 8515dcba6d14a4a4b96bae40a51aef3295c04c30 Parents: ad4e3dd Author: Sergey Beryozkin Authored: Mon Jun 16 13:39:34 2014 +0100 Committer: Sergey Beryozkin Committed: Mon Jun 16 13:39:34 2014 +0100 ---------------------------------------------------------------------- .../oauth2/jwe/AbstractJweEncryptor.java | 9 ++-- .../rs/security/oauth2/jwe/JweEncryptor.java | 4 +- .../jws/AbstractJwsSignatureProvider.java | 52 ++++++++++++++++++++ .../oauth2/jws/HmacJwsSignatureProvider.java | 12 ++++- .../security/oauth2/jws/JwsCompactProducer.java | 47 +++++++++++++----- .../oauth2/jws/JwsJwtCompactProducer.java | 3 ++ .../oauth2/jws/JwsSignatureProvider.java | 1 + .../jws/PrivateKeyJwsSignatureProvider.java | 11 ++++- .../jwt/jaxrs/AbstractJweDecryptingFilter.java | 13 ++++- .../jwt/jaxrs/JweClientResponseFilter.java | 14 ++++-- .../jwt/jaxrs/JweContainerRequestFilter.java | 13 ++++- .../oauth2/jwt/jaxrs/JweWriterInterceptor.java | 13 ++++- .../jwt/jaxrs/JwsClientResponseFilter.java | 2 +- .../jwt/jaxrs/JwsContainerRequestFilter.java | 2 +- .../oauth2/jwt/jaxrs/JwsWriterInterceptor.java | 5 +- .../oauth2/jwe/JweCompactReaderWriterTest.java | 4 +- 16 files changed, 171 insertions(+), 34 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java index 316d091..798ae61 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java @@ -90,7 +90,7 @@ public abstract class AbstractJweEncryptor implements JweEncryptor { protected JweHeaders getJweHeaders() { return headers; } - public String encrypt(byte[] content) { + public String encrypt(byte[] content, String contentType) { byte[] theCek = getContentEncryptionKey(); String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm()); KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName); @@ -107,6 +107,9 @@ public abstract class AbstractJweEncryptor implements JweEncryptor { keyProps); byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek); + if (contentType != null) { + headers.setContentType(contentType); + } JweCompactProducer producer = new JweCompactProducer(headers, jweContentEncryptionKey, theIv, 
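Review bot: The new `if (contentType != null) { headers.setContentType(contentType); }` writes into the encryptor's own `headers` field (the object `getJweHeaders()` returns in the previous hunk), so a content type set by one `encrypt` call remains in place for a later call that passes null, and concurrent callers sharing one encryptor instance — `JweWriterInterceptor` holds a single `JweEncryptor` field, and JAX-RS providers are typically singletons — mutate the same object while it is being serialized. Either set the header unconditionally so that a null clears the previous value, if `JweHeaders.setContentType` accepts null, or take a per-call copy of the headers, adjust the content type on the copy and pass that copy to `JweCompactProducer`. The guard itself is not the problem; the shared state it writes to is. `encrypt` starts in the previous hunk and the producer construction continues past this one.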
@@ -115,9 +118,9 @@ public abstract class AbstractJweEncryptor implements JweEncryptor { return producer.getJweContent(); } - public String encryptText(String text) { + public String encryptText(String text, String contentType) { try { - return encrypt(text.getBytes("UTF-8")); + return encrypt(text.getBytes("UTF-8"), contentType); } catch (UnsupportedEncodingException ex) { throw new SecurityException(ex); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java index 09554fe..f8eb013 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java @@ -20,6 +20,6 @@ package org.apache.cxf.rs.security.oauth2.jwe; public interface JweEncryptor { - String encrypt(byte[] jweContent); - String encryptText(String jweContent); + String encrypt(byte[] jweContent, String contentType); + String encryptText(String jweContent, String contentType); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java new file mode 100644 index 0000000..5a5dd71 
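Review bot: Replacing `encrypt(byte[])` and `encryptText(String)` with two-argument versions is a breaking change for every implementor and caller of this public interface, and the test hunk at the end of the diff shows callers now have to pass an explicit `null`. Keeping the one-argument signatures alongside the new ones — in the interface, or at least as convenience overloads in `AbstractJweEncryptor` that delegate with a null content type — avoids that. The new `contentType` parameter also needs Javadoc stating that null is accepted and that a non-null value is written into the JWE headers' content type, which is how `AbstractJweEncryptor.encrypt` treats it in the hunks above.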
--- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java 
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import java.util.Set;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+
+public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvider {
+ private Set supportedAlgorithms;
+ private String defaultJwtAlgorithm;
+
+ public AbstractJwsSignatureProvider(Set supportedAlgorithms, String algo) {
+ this.supportedAlgorithms = supportedAlgorithms;
+ this.defaultJwtAlgorithm = algo;
+ }
+ @Override
+ public void prepareHeaders(JwtHeaders headers) {
+ String algo = headers.getAlgorithm();
+ if (algo != null) {
+ checkAlgorithm(algo);
+ } else {
+ headers.setAlgorithm(defaultJwtAlgorithm);
+ }
+
+ }
+ public void setDefaultJwtAlgorithm(String algo) {
+ this.defaultJwtAlgorithm = algo;
+ }
+ protected void checkAlgorithm(String algo) {
+ if (algo == null || !supportedAlgorithms.contains(algo)) {
+ throw new SecurityException();
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
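Review bot: `checkAlgorithm` throws `new SecurityException()` with no message, so a rejected or missing `alg` header is indistinguishable from any other failure in logs; `throw new SecurityException("Unsupported or missing JWS algorithm");` is enough, without echoing the header value itself. `setDefaultJwtAlgorithm` also accepts a value outside `supportedAlgorithms`, which only surfaces later when `sign` runs `checkAlgorithm`; validating in the setter, `checkAlgorithm(algo); this.defaultJwtAlgorithm = algo;`, fails fast at configuration time. The set passed to the constructor is stored as-is, so the subclasses' static `HashSet`s could be wrapped in `Collections.unmodifiableSet` to keep the allow-list fixed for the lifetime of the provider. The class has no Javadoc; a short header stating that `prepareHeaders` fills in the default algorithm only when the caller set none and otherwise enforces the allow-list would help the next implementor. (Type arguments on `Set` appear to have been stripped by the mail rendering.)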
---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java index e2ed53c..642d908 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java @@ -19,6 +19,8 @@ package org.apache.cxf.rs.security.oauth2.jws; import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; import org.apache.cxf.common.util.Base64Exception; import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; @@ -26,12 +28,19 @@ import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders; import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility; import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils; -public class HmacJwsSignatureProvider implements JwsSignatureProvider, JwsSignatureVerifier { +public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider implements JwsSignatureVerifier { + private static final Set SUPPORTED_ALGORITHMS = new HashSet( + Arrays.asList(Algorithm.HmacSHA256.getJwtName(), + Algorithm.HmacSHA384.getJwtName(), + Algorithm.HmacSHA512.getJwtName())); private byte[] key; + public HmacJwsSignatureProvider(byte[] key) { + super(SUPPORTED_ALGORITHMS, Algorithm.HmacSHA256.getJwtName()); this.key = key; } public HmacJwsSignatureProvider(String encodedKey) { + super(SUPPORTED_ALGORITHMS, Algorithm.HmacSHA256.getJwtName()); try { this.key = Base64UrlUtility.decode(encodedKey); } catch (Base64Exception ex) { 
@@ -41,6 +50,7 @@ public class HmacJwsSignatureProvider implements JwsSignatureProvider, JwsSignat @Override public byte[] sign(JwtHeaders headers, String unsignedText) { + checkAlgorithm(headers.getAlgorithm()); return computeMac(headers, unsignedText); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java index cc41731..0e0b1f7 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java @@ -32,8 +32,11 @@ public class JwsCompactProducer { private String signature; private String plainRep; - public JwsCompactProducer(JwtHeaders headers, String payload) { - this(headers, null, payload); + public JwsCompactProducer(String plainJwsPayload) { + this(null, null, plainJwsPayload); + } + public JwsCompactProducer(JwtHeaders headers, String plainJwsPayload) { + this(headers, null, plainJwsPayload); } public JwsCompactProducer(JwtHeaders headers, JwtHeadersWriter w, String plainJwsPayload) { this.headers = headers; 
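Review bot: The added `checkAlgorithm(headers.getAlgorithm())` restricts which algorithm `sign` will use, but this class also implements `JwsSignatureVerifier` and the verification method is outside this hunk; if it derives the MAC algorithm from the incoming token's `alg` header without the same allow-list check, the restriction only covers the producing side. Apply `checkAlgorithm(headers.getAlgorithm());` before `computeMac` on the verify path as well, so the accepted algorithms are identical in both directions. A one-line comment on the `sign` check, `// reject algorithms outside SUPPORTED_ALGORITHMS before keying the MAC`, would document the intent.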
@@ -42,10 +45,16 @@ public class JwsCompactProducer { } this.plainJwsPayload = plainJwsPayload; } - + public JwtHeaders getHeaders() { + if (headers == null) { + headers = new JwtHeaders(); + } + return headers; + } public String getUnsignedEncodedJws() { + checkAlgorithm(); if (plainRep == null) { - plainRep = Base64UrlUtility.encode(writer.headersToJson(headers)) + plainRep = Base64UrlUtility.encode(writer.headersToJson(getHeaders())) + "." + Base64UrlUtility.encode(plainJwsPayload); } 
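Review bot: `getUnsignedEncodedJws` caches `plainRep` from whatever `getHeaders()` holds on the first call, while the new public `getHeaders()` hands out that same mutable, lazily created object, so any header written afterwards is silently absent from the encoded header segment and the signature computed in the next hunk covers headers that differ from the ones the caller believes were sent. Either reset `plainRep` when headers change, or document on `getHeaders()` that headers must be final before the first `getUnsignedEncodedJws` or `signWith` call. `checkAlgorithm()` here only tests for null; enforcing the allow-list stays with the provider, which is consistent with `AbstractJwsSignatureProvider` and worth a one-line comment so nobody mistakes it for the real check.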
@@ -53,26 +62,42 @@ public class JwsCompactProducer { } public String getSignedEncodedJws() { + checkAlgorithm(); boolean noSignature = StringUtils.isEmpty(signature); if (noSignature && !isPlainText()) { throw new IllegalStateException("Signature is not available"); } return getUnsignedEncodedJws() + "." + (noSignature ? "" : signature); } - public void signWith(JwsSignatureProvider signer) { - setSignatureOctets(signer.sign(headers, getUnsignedEncodedJws())); + + public String signWith(JwsSignatureProvider signer) { + signer.prepareHeaders(getHeaders()); + signWith(signer.sign(getHeaders(), getUnsignedEncodedJws())); + return getSignedEncodedJws(); } - public void setSignatureText(String sig) { - setEncodedSignature(Base64UrlUtility.encode(sig)); + public String signWith(String signatureText) { + setEncodedSignature(Base64UrlUtility.encode(signatureText)); + return getSignedEncodedJws(); } - public void setSignatureOctets(byte[] bytes) { - setEncodedSignature(Base64UrlUtility.encode(bytes)); + + public String signWith(byte[] signatureOctets) { + setEncodedSignature(Base64UrlUtility.encode(signatureOctets)); + return getSignedEncodedJws(); } + private void setEncodedSignature(String sig) { this.signature = sig; } private boolean isPlainText() { - return JwtConstants.PLAIN_TEXT_ALGO.equals(headers.getAlgorithm()); + return JwtConstants.PLAIN_TEXT_ALGO.equals(getAlgorithm()); + } + private String getAlgorithm() { + return getHeaders().getAlgorithm(); + } + private void checkAlgorithm() { + if (getAlgorithm() == null) { + throw new IllegalStateException("Algorithm header is not set"); + } } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsJwtCompactProducer.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsJwtCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsJwtCompactProducer.java index 7d43a8d..149dfba 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsJwtCompactProducer.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsJwtCompactProducer.java @@ -29,6 +29,9 @@ public class JwsJwtCompactProducer extends JwsCompactProducer { public JwsJwtCompactProducer(JwtToken token) { this(token, null); } + public JwsJwtCompactProducer(JwtClaims claims) { + this(new JwtToken(null, claims), null); + } public JwsJwtCompactProducer(JwtHeaders headers, JwtClaims claims) { this(headers, claims, null); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java index 6c7a84f..6fe5e3c 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java 
@@ -21,5 +21,6 @@ package org.apache.cxf.rs.security.oauth2.jws; import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders; public interface JwsSignatureProvider { + void prepareHeaders(JwtHeaders headers); byte[] sign(JwtHeaders headers, String unsignedText); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java index 2647915..64de375 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java @@ -21,12 +21,19 @@ package org.apache.cxf.rs.security.oauth2.jws; import java.security.PrivateKey; import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; -public class PrivateKeyJwsSignatureProvider implements JwsSignatureProvider { +public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider { + private static final Set SUPPORTED_ALGORITHMS = new HashSet( + Arrays.asList(Algorithm.SHA256withRSA.getJwtName(), + Algorithm.SHA384withRSA.getJwtName(), + Algorithm.SHA512withRSA.getJwtName())); private PrivateKey key; private SecureRandom random; private AlgorithmParameterSpec signatureSpec; 
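Review bot: Adding `prepareHeaders` to `JwsSignatureProvider` is a source-incompatible change for any implementation outside this module, since nothing obliges existing implementors to extend the new `AbstractJwsSignatureProvider`, which covers only the two in-tree providers. The method carries no Javadoc; the contract the callers now rely on — set a default `alg` when none is present, reject an unsupported one, and expect `sign` to be invoked with headers that have passed `prepareHeaders` — should be stated on the interface, e.g. `/** Validates the alg header or fills in the provider's default; must precede sign(). */`.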
@@ -38,6 +45,7 @@ public class PrivateKeyJwsSignatureProvider implements JwsSignatureProvider { this(key, null, spec); } public PrivateKeyJwsSignatureProvider(PrivateKey key, SecureRandom random, AlgorithmParameterSpec spec) { + super(SUPPORTED_ALGORITHMS, Algorithm.SHA256withRSA.getJwtName()); this.key = key; this.random = random; this.signatureSpec = spec; @@ -46,6 +54,7 @@ public class PrivateKeyJwsSignatureProvider implements JwsSignatureProvider { @Override public byte[] sign(JwtHeaders headers, String unsignedText) { + checkAlgorithm(headers.getAlgorithm()); try { return CryptoUtils.signData(unsignedText.getBytes("UTF-8"), key, http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java index 6df6647..20d1281 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java 
@@ -41,14 +41,15 @@ public class AbstractJweDecryptingFilter { private JweDecryptor decryptor; private JweCryptoProperties cryptoProperties; - protected byte[] decrypt(InputStream is) throws IOException { + private String defaultMediaType; + protected JweDecryptionOutput decrypt(InputStream is) throws IOException { JweDecryptor theDecryptor = getInitializedDecryptor(); if (theDecryptor == null) { throw new SecurityException(); } JweDecryptionOutput out = theDecryptor.decrypt(new String(IOUtils.readBytesFromStream(is), "UTF-8")); validateHeaders(out.getHeaders()); - return out.getContent(); + return out; } protected void validateHeaders(JweHeaders headers) { @@ -79,4 +80,12 @@ public class AbstractJweDecryptingFilter { this.cryptoProperties = cryptoProperties; } + public String getDefaultMediaType() { + return defaultMediaType; + } + + public void setDefaultMediaType(String defaultMediaType) { + this.defaultMediaType = defaultMediaType; + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java index 1cc35f6..53b9890 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweClientResponseFilter.java 
@@ -26,13 +26,21 @@ import javax.ws.rs.client.ClientRequestContext; import javax.ws.rs.client.ClientResponseContext; import javax.ws.rs.client.ClientResponseFilter; +import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionOutput; +import org.apache.cxf.rs.security.oauth2.jwt.JwtUtils; + @Priority(Priorities.JWE_CLIENT_READ_PRIORITY) public class JweClientResponseFilter extends AbstractJweDecryptingFilter implements ClientResponseFilter { @Override public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException { - res.setEntityStream(new ByteArrayInputStream( - decrypt(res.getEntityStream()))); - + JweDecryptionOutput out = decrypt(res.getEntityStream()); + byte[] bytes = out.getContent(); + res.setEntityStream(new ByteArrayInputStream(bytes)); + res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length)); + String ct = JwtUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType()); + if (ct != null) { + res.getHeaders().putSingle("Content-Type", ct); + } } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java index 10a8ef2..e12a251 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweContainerRequestFilter.java 
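Review bot: The lines after `decrypt(res.getEntityStream())` — replacing the entity stream, rewriting `Content-Length` and conditionally `Content-Type` — are duplicated verbatim in `JweContainerRequestFilter` in the next file section; both classes already extend `AbstractJweDecryptingFilter` and both contexts expose the headers as `MultivaluedMap<String, String>`, so a protected helper there taking that map and the `JweDecryptionOutput` would keep the two filters from drifting. When `JwtUtils.checkContentType` returns null the original `Content-Type` of the JWE message stays on the response while the body is now plaintext, so a downstream body reader may be selected by the wrong media type; whether that case should clear the header or fail depends on `checkContentType`'s contract, which is not visible here.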
@@ -26,12 +26,21 @@ import javax.ws.rs.container.ContainerRequestContext; import javax.ws.rs.container.ContainerRequestFilter; import javax.ws.rs.container.PreMatching; +import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionOutput; +import org.apache.cxf.rs.security.oauth2.jwt.JwtUtils; + @PreMatching @Priority(Priorities.JWE_SERVER_READ_PRIORITY) public class JweContainerRequestFilter extends AbstractJweDecryptingFilter implements ContainerRequestFilter { @Override public void filter(ContainerRequestContext context) throws IOException { - context.setEntityStream(new ByteArrayInputStream( - decrypt(context.getEntityStream()))); + JweDecryptionOutput out = decrypt(context.getEntityStream()); + byte[] bytes = out.getContent(); + context.setEntityStream(new ByteArrayInputStream(bytes)); + context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length)); + String ct = JwtUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType()); + if (ct != null) { + context.getHeaders().putSingle("Content-Type", ct); + } } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java index fc6719b..ee30d9d 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java 
@@ -25,6 +25,7 @@ import java.security.PublicKey; import javax.annotation.Priority; import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.MediaType; import javax.ws.rs.ext.WriterInterceptor; import javax.ws.rs.ext.WriterInterceptorContext; @@ -44,7 +45,8 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; public class JweWriterInterceptor implements WriterInterceptor { private static final String RSSEC_ENCRYPTION_PROPS = "rs-security.encryption.properties"; private JweEncryptor encryptor; - + private boolean contentTypeRequired = true; + @Override public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException { OutputStream actualOs = ctx.getOutputStream(); @@ -53,7 +55,14 @@ public class JweWriterInterceptor implements WriterInterceptor { ctx.proceed(); JweEncryptor theEncryptor = getInitializedEncryptor(); - String jweContent = theEncryptor.encrypt(cos.getBytes()); + String ctString = null; + if (contentTypeRequired) { + MediaType mt = ctx.getMediaType(); + if (mt != null) { + ctString = JAXRSUtils.mediaTypeToString(mt); + } + } + String jweContent = theEncryptor.encrypt(cos.getBytes(), ctString); IOUtils.copy(new ByteArrayInputStream(jweContent.getBytes("UTF-8")), actualOs); actualOs.flush(); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java index 715f65f..e5a872e 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java 
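Review bot: `contentTypeRequired` is initialised to `true` in the previous hunk but no setter for it appears anywhere in this diff for `JweWriterInterceptor`, so the new branch cannot be switched off by configuration unless one exists outside the shown hunks; `JwsWriterInterceptor` has the same field and this class should mirror it with `public void setContentTypeRequired(boolean required) { this.contentTypeRequired = required; }`. The media type captured here reaches the JWE headers only when non-null, because `AbstractJweEncryptor.encrypt` sets it conditionally, so a response without a media type reuses whatever content type the shared encryptor's headers already hold. `aroundWriteTo` starts in the previous hunk.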
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsClientResponseFilter.java @@ -41,10 +41,10 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider implement p.verifySignatureWith(theSigVerifier); byte[] bytes = p.getDecodedJwsPayloadBytes(); res.setEntityStream(new ByteArrayInputStream(bytes)); + res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length)); String ct = JwtUtils.checkContentType(p.getJwtHeaders().getContentType(), getDefaultMediaType()); if (ct != null) { res.getHeaders().putSingle("Content-Type", ct); - res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length)); } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java index 3f05670..d431cc1 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsContainerRequestFilter.java 
@@ -43,11 +43,11 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider impleme p.verifySignatureWith(theSigVerifier); byte[] bytes = p.getDecodedJwsPayloadBytes(); context.setEntityStream(new ByteArrayInputStream(bytes)); + context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length)); String ct = JwtUtils.checkContentType(p.getJwtHeaders().getContentType(), getDefaultMediaType()); if (ct != null) { context.getHeaders().putSingle("Content-Type", ct); - context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length)); } } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java index 3ec449b..62c4126 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JwsWriterInterceptor.java 
@@ -30,12 +30,11 @@ import javax.ws.rs.ext.WriterInterceptorContext; import org.apache.cxf.io.CachedOutputStream; import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.rs.security.oauth2.jws.JwsCompactProducer; -import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders; @Priority(Priorities.JWS_WRITE_PRIORITY) public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements WriterInterceptor { - private boolean contentTypeRequired; + private boolean contentTypeRequired = true; @Override public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException { OutputStream actualOs = ctx.getOutputStream(); @@ -43,7 +42,7 @@ public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements W ctx.setOutputStream(cos); ctx.proceed(); - JwtHeaders headers = new JwtHeaders(Algorithm.SHA256withRSA.getJwtName()); + JwtHeaders headers = new JwtHeaders(); if (contentTypeRequired) { MediaType mt = ctx.getMediaType(); if (mt != null) { http://git-wip-us.apache.org/repos/asf/cxf/blob/8515dcba/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java index 981ffd8..e2de7f6 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java 
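Review bot: With `new JwtHeaders()` replacing the explicit `Algorithm.SHA256withRSA` header, the algorithm that ends up in the JWS is now whatever default the configured `JwsSignatureProvider` supplies in `prepareHeaders`, and `contentTypeRequired` flips to `true` by default in the previous hunk — both are behaviour changes for existing deployments that the commit message does not spell out. A comment at the `new JwtHeaders()` line, `// alg is left unset on purpose: the signature provider fills in its default in prepareHeaders()`, makes the dependency visible, and the class Javadoc should mention the new `contentTypeRequired` default. `aroundWriteTo` continues past the end of the hunk.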
@@ -110,11 +110,11 @@ public class JweCompactReaderWriterTest extends Assert { key, jwtKeyName, INIT_VECTOR); - return encryptor.encryptText(content); + return encryptor.encryptText(content, null); } private String encryptContentDirect(SecretKey key, String content) throws Exception { DirectKeyJweEncryptor encryptor = new DirectKeyJweEncryptor(key, INIT_VECTOR); - return encryptor.encryptText(content); + return encryptor.encryptText(content, null); } private void decrypt(String jweContent, String plainContent, boolean unwrap) throws Exception { RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED, RSA_PRIVATE_EXPONENT_ENCODED);