cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Adding the missing files
Date Fri, 14 Nov 2014 09:53:41 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes a0e70fbf3 -> 9ff85bdbb


Adding the missing files


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9ff85bdb
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9ff85bdb
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9ff85bdb

Branch: refs/heads/3.0.x-fixes
Commit: 9ff85bdbb52a2620b7c69afc6afba16dd5d44830
Parents: a0e70fb
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Nov 14 09:52:15 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Nov 14 09:53:24 2014 +0000

----------------------------------------------------------------------
 .../oidc/rp/AbstractTokenValidator.java         | 144 +++++++++++++++++++
 .../security/oidc/rp/UserProfileValidator.java  |  66 +++++++++
 2 files changed, 210 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/9ff85bdb/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
new file mode 100644
index 0000000..1553258
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -0,0 +1,144 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+
+public abstract class AbstractTokenValidator {
+    private JweDecryptionProvider jweDecryptor;
+    private JwsSignatureVerifier jwsVerifier;
+    private String issuerId;
+    private int issuedAtRange;
+    private WebClient jwkSetClient;
+    private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String,
JsonWebKey>(); 
+    
+    protected JwtToken getJwtToken(String wrappedJwtToken, String clientId, String idTokenKid,

+                                   boolean jweOnly) {
+        if (wrappedJwtToken == null) {
+            throw new SecurityException("ID Token is missing");
+        }
+        // Decrypt the token if needed
+        if (jweDecryptor != null) {
+            if (jweOnly) {
+                return new JweJwtCompactConsumer(wrappedJwtToken).decryptWith(jweDecryptor);
   
+            }
+            wrappedJwtToken = jweDecryptor.decrypt(wrappedJwtToken).getContentText();
+        } else if (jweOnly) {
+            throw new SecurityException("Token can not be decrypted");
+        }
+
+        // validate token signature
+        return getTokenValidateSignature(wrappedJwtToken, idTokenKid);
+    }
+    
+    protected void validateJwtClaims(JwtClaims claims, String clientId, boolean validateClaimsAlways)
{
+        // validate subject
+        if (claims.getSubject() == null) {
+            throw new SecurityException("Invalid subject");
+        }
+        // validate audience
+        String aud = claims.getAudience();
+        if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud))
{
+            throw new SecurityException("Invalid audience");
+        }
+
+        // validate the provider
+        String issuer = claims.getIssuer();
+        if (issuerId == null && validateClaimsAlways || issuerId != null &&
!issuerId.equals(issuer)) {
+            throw new SecurityException("Invalid provider");
+        }
+        Long currentTimeInSecs = System.currentTimeMillis() / 1000;
+        Long expiryTimeInSecs = claims.getExpiryTime();
+        if (expiryTimeInSecs == null && validateClaimsAlways 
+            || expiryTimeInSecs != null && currentTimeInSecs > expiryTimeInSecs)
{
+            throw new SecurityException("The token expired");
+        }
+        Long issuedAtInSecs = claims.getIssuedAt();
+        if (issuedAtInSecs == null && validateClaimsAlways 
+            || issuedAtInSecs != null && (issuedAtInSecs > currentTimeInSecs ||
issuedAtRange > 0
+            && issuedAtInSecs < currentTimeInSecs - issuedAtRange)) {
+            throw new SecurityException("Invalid issuedAt");
+        }
+        
+    }
+    
+    protected JwtToken getTokenValidateSignature(String wrappedJwtToken, String idTokenKid)
{
+        // read id_token into JwtToken
+        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
+        JwtToken jwt = jwtConsumer.getJwtToken(); 
+        if (jwsVerifier != null) {
+            return validateToken(jwtConsumer, jwt, jwsVerifier);
+        }
+        if (jwkSetClient == null) {
+            throw new SecurityException("Provider Jwk Set Client is not available");
+        }
+        String keyId = idTokenKid != null ? idTokenKid : jwtConsumer.getJwtToken().getHeaders().getKeyId();
+        if (keyId == null) {
+            throw new SecurityException("Provider JWK key id is null");
+        }
+        JsonWebKey key = keyMap.get(keyId);
+        if (key == null) {
+            JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
+            key = keys.getKey(keyId);
+            keyMap.putAll(keys.getKeyIdMap());
+        }
+        if (key == null) {
+            throw new SecurityException("JWK key with the key id: \"" + keyId + "\" is not
available");
+        }
+        return validateToken(jwtConsumer, jwt, JwsUtils.getSignatureVerifier(key));
+    }
+    protected JwtToken validateToken(JwsJwtCompactConsumer consumer, JwtToken jwt, JwsSignatureVerifier
jws) {
+        if (consumer.verifySignatureWith(jws)) {
+            throw new SecurityException("Invalid Signature");
+        }
+        return jwt;
+    }
+    public void setJweDecryptor(JweDecryptionProvider jweDecryptor) {
+        this.jweDecryptor = jweDecryptor;
+    }
+
+    public void setJweVerifier(JwsSignatureVerifier theJwsVerifier) {
+        this.jwsVerifier = theJwsVerifier;
+    }
+
+    public void setIssuerId(String issuerId) {
+        this.issuerId = issuerId;
+    }
+
+    public void setJwkSetClient(WebClient jwkSetClient) {
+        this.jwkSetClient = jwkSetClient;
+    }
+
+    public void setIssuedAtRange(int issuedAtRange) {
+        this.issuedAtRange = issuedAtRange;
+    }
+
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/9ff85bdb/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
new file mode 100644
index 0000000..d1f6ffe
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oidc.common.UserIdToken;
+import org.apache.cxf.rs.security.oidc.common.UserProfile;
+
+public class UserProfileValidator extends AbstractTokenValidator {
+    private boolean encryptedOnly;
+    
+    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken) {
+        return getProfile(profileClient, idToken, false);
+    }
+    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken, boolean asJwt)
{
+        if (asJwt) {
+            String jwt = profileClient.get(String.class);
+            return getProfileFromJwt(jwt, idToken);
+        } else {
+            UserProfile profile = profileClient.get(UserProfile.class);
+            validateUserProfile(profile, idToken);
+            return profile;
+        }
+        
+    }
+    public UserProfile getProfileFromJwt(String profileJwtToken, UserIdToken idToken) {
+        JwtToken jwt = getProfileJwtToken(profileJwtToken, idToken);
+        return getProfileFromJwt(jwt, idToken);
+    }
+    public UserProfile getProfileFromJwt(JwtToken jwt, UserIdToken idToken) {
+        UserProfile profile = new UserProfile(jwt.getClaims().asMap());
+        validateUserProfile(profile, idToken);
+        return profile;
+    }
+    public JwtToken getProfileJwtToken(String profileJwtToken, UserIdToken idToken) {
+        return getJwtToken(profileJwtToken, idToken.getAudience(), (String)idToken.getProperty("kid"),
encryptedOnly);
+    }
+    public void validateUserProfile(UserProfile profile, UserIdToken idToken) {
+        validateJwtClaims(profile, idToken.getAudience(), false);
+        // validate subject
+        if (!idToken.getSubject().equals(profile.getSubject())) {
+            throw new SecurityException("Invalid subject");
+        }
+    }
+    public void setEncryptedOnly(boolean encryptedOnly) {
+        this.encryptedOnly = encryptedOnly;
+    }
+    
+}


Mime
View raw message