From serg...@apache.org
Subject cxf git commit: Adding some initial JWT access token validation code
Date Thu, 27 Nov 2014 17:00:41 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 74ba19524 -> f34d5aaad


Adding some initial JWT access token validation code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f34d5aaa
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f34d5aaa
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f34d5aaa

Branch: refs/heads/master
Commit: f34d5aaadb1a06d77193bf274078fce47020a39c
Parents: 74ba195
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Thu Nov 27 17:00:08 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Thu Nov 27 17:00:08 2014 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/jose/jwt/JwtUtils.java      | 11 ++++++
 .../oauth2/grants/jwt/AbstractJwtHandler.java   | 26 +------------
 .../oauth2/tokens/jwt/JwtAccessTokenUtils.java  | 39 +++++++++++++-------
 3 files changed, 39 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f34d5aaa/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 30d365b..582a7e7 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -41,4 +41,15 @@ public final class JwtUtils {
         }
         return reader.fromJsonClaims(json);
     }
+    public static void validateJwtTimeClaims(JwtClaims claims) {
+        Long currentTimeInSecs = System.currentTimeMillis() / 1000;
+        Long expiryTimeInSecs = claims.getExpiryTime();
+        if (expiryTimeInSecs != null && currentTimeInSecs > expiryTimeInSecs)
{
+            throw new SecurityException("The token expired");
+        }
+        Long issuedAtInSecs = claims.getIssuedAt();
+        if (issuedAtInSecs != null && issuedAtInSecs > currentTimeInSecs) {
+            throw new SecurityException("Invalid issuedAt");
+        }
+    }
 }
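Review bot: validateJwtTimeClaims never checks the nbf claim, so the not-before validation that this same commit removes from AbstractJwtHandler (validateNotBeforeTime) has no replacement and a token presented before its nbf time is accepted. Add after the issuedAt check: `Long notBeforeInSecs = claims.getNotBefore();` `if (notBeforeInSecs != null && currentTimeInSecs < notBeforeInSecs) {` `throw new SecurityException("The token is not valid yet"); }`. The expiry comparison also accepts a token during its exact exp second; RFC 7519 requires the current time to be before exp, so `currentTimeInSecs >= expiryTimeInSecs` is the stricter form. Comparing against the raw clock with no tolerance means any clock skew between issuer and verifier turns into a spurious "Invalid issuedAt" rejection, so a small configurable skew allowance is worth considering here.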

http://git-wip-us.apache.org/repos/asf/cxf/blob/f34d5aaa/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 33c1ecf..a7677e6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -24,6 +24,7 @@ import java.util.Set;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
@@ -51,10 +52,7 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
         validateIssuer(claims.getIssuer());
         validateSubject(client, claims.getSubject());
         validateAudience(client, claims.getAudience());
-        validateExpiryTime(claims.getExpiryTime());
-        validateNotBeforeTime(claims.getNotBefore());
-        validateIssuedAtTime(claims.getIssuedAt());
-        validateTokenId(claims.getTokenId());
+        JwtUtils.validateJwtTimeClaims(claims);    
     }
 
     protected void validateIssuer(String issuer) {
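Review bot: The replacement line drops `validateTokenId(claims.getTokenId())` without any equivalent in JwtUtils.validateJwtTimeClaims, so the jti claim is no longer examined by this handler; if the id was meant for replay detection either keep `validateTokenId(claims.getTokenId());` next to the new call or note in a comment that jti handling is deferred. The four removed methods (next hunk) were protected, so any subclass overriding them with @Override stops compiling; that API change is not mentioned in the commit message. The new call line also carries trailing whitespace. The enclosing validation method starts before this hunk.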
@@ -69,26 +67,6 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
     protected void validateAudience(Client client, String audience) {
         //TODO
     }
-    protected void validateExpiryTime(Long timestamp) {
-        if (timestamp != null) {
-            //TODO
-        }
-    }
-    protected void validateNotBeforeTime(Long timestamp) {
-        if (timestamp != null) {
-            //TODO    
-        }
-    }
-    protected void validateIssuedAtTime(Long timestamp) {
-        if (timestamp != null) {
-            //TODO
-        }
-    }
-    protected void validateTokenId(String tokenId) {
-        if (tokenId != null) {
-            //TODO
-        }
-    }
     public void setSupportedIssuers(Set<String> supportedIssuers) {
         this.supportedIssuers = supportedIssuers;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f34d5aaa/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
index f425e3e..33e74e4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
@@ -37,7 +37,9 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignature;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
@@ -65,19 +67,12 @@ public final class JwtAccessTokenUtils {
     private static ServerAccessToken toAccessToken(JwtToken jwt, 
                                                    Client client,
                                                    String tokenId) {
-        Long issuedAt = jwt.getClaims().getIssuedAt();
-        Long notBefore = jwt.getClaims().getNotBefore();
-        if (issuedAt == null) {
-            issuedAt = System.currentTimeMillis();
-            notBefore = null;
-        }
-        Long expiresIn = null;
-        if (notBefore == null) {
-            expiresIn = 3600L;
-        } else {
-            expiresIn = notBefore - issuedAt;
-        }
-       
+        JwtClaims claims = jwt.getClaims();
+        validateJwtSubjectAndAudience(claims, client);
+        Long issuedAt = claims.getIssuedAt();
+        Long notBefore = claims.getNotBefore();
+        Long expiresIn = notBefore - issuedAt;
+        
         return new BearerAccessToken(client, tokenId, issuedAt, expiresIn);
     }
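Review bot: `Long expiresIn = notBefore - issuedAt;` auto-unboxes both claims and throws NullPointerException when either iat or nbf is absent; the removed code defaulted them instead, and validateJwtSubjectAndAudience (called just above) does not check the time claims. Guard before the subtraction, e.g. `if (issuedAt == null || notBefore == null) {` `throw new SecurityException("Missing time claims"); }`, or restore a default. Deriving the token lifetime from nbf rather than from claims.getExpiryTime() is presumably intentional (the prior code did the same) but reads oddly now that the expiry claim is consumed elsewhere in this commit, so a one-line comment stating why would help. This method validates subject and audience but not time claims, so a Javadoc line saying callers must go through validateJwtClaims for a full check would make the split explicit.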
     public static JwtToken decryptFromfromAccessToken(String tokenId, SecretKey key) {
@@ -115,6 +110,24 @@ public final class JwtAccessTokenUtils {
             throw new SecurityException();
         }
     }
+    public static void validateJwtClaims(JwtClaims claims, Client c) {
+        validateJwtSubjectAndAudience(claims, c);
+        JwtUtils.validateJwtTimeClaims(claims);
+    }
+    
+    private static void validateJwtSubjectAndAudience(JwtClaims claims, Client c) {
+        if (claims.getSubject() == null || !claims.getSubject().equals(c.getClientId()))
{
+            throw new SecurityException("Invalid subject");
+        }
+        // validate audience
+        String aud = claims.getAudience();
+        if (aud == null 
+            || !c.getRegisteredAudiences().isEmpty() && !c.getRegisteredAudiences().contains(aud))
{
+            throw new SecurityException("Invalid audience");
+        }
+        // TODO: the issuer is indirectly validated by validating the signature
+        // but an extra check can be done
+    }
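Review bot: The audience condition mixes || and && without parentheses; it parses as `aud == null || (!registered.isEmpty() && !registered.contains(aud))`, which is presumably the intent but is easy to misread, so write it as `if (aud == null || (!c.getRegisteredAudiences().isEmpty() && !c.getRegisteredAudiences().contains(aud))) {`. Under that reading a client with no registered audiences accepts any non-null aud value, which should be stated in a comment (`// no registered audiences: any aud value is accepted`) since it is a deliberate relaxation. The note that the issuer is indirectly validated by the signature only holds while the verification key is bound to a single issuer; if the verifier can hold keys for several issuers an explicit iss check is still required. validateJwtClaims covers the time claims but toAccessToken above calls only validateJwtSubjectAndAudience, so a Javadoc line naming validateJwtClaims as the complete entry point would clarify which callers get full validation.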
     private static class NoneSignatureProvider implements JwsSignatureProvider {
 
         @Override

