From cohei...@apache.org
Subject cxf git commit: Allow unsigned JWT tokens
Date Tue, 13 Oct 2015 14:57:57 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 614f040f6 -> a4e25aad7


Allow unsigned JWT tokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a4e25aad
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a4e25aad
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a4e25aad

Branch: refs/heads/master
Commit: a4e25aad7ccf45dfd53605e31c78bb1f48f87778
Parents: 614f040
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Oct 13 15:57:31 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Oct 13 15:57:31 2015 +0100

----------------------------------------------------------------------
 .../jose/common/AbstractJoseConsumer.java       | 11 ++++++++++-
 .../security/jose/jws/JwsCompactProducer.java   |  7 ++++---
 .../cxf/rs/security/jose/jws/JwsUtils.java      |  8 ++++++++
 .../jose/jwt/AbstractJoseJwtConsumer.java       | 10 ++++++++++
 .../jose/jwt/AbstractJoseJwtProducer.java       | 20 +++++++++++++-------
 5 files changed, 45 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java
b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java
index b15abce..ddf1d4f 100644
--- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java
+++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java
@@ -30,10 +30,18 @@ public abstract class AbstractJoseConsumer {
     public void setJweDecryptor(JweDecryptionProvider jweDecryptor) {
         this.jweDecryptor = jweDecryptor;
     }
+    
+    public JweDecryptionProvider getJweDecryptor() {
+        return jweDecryptor;
+    }
 
     public void setJwsVerifier(JwsSignatureVerifier theJwsVerifier) {
         this.jwsVerifier = theJwsVerifier;
     }
+    
+    public JwsSignatureVerifier getJwsVerifier() {
+        return jwsVerifier;
+    }
 
     protected JweDecryptionProvider getInitializedDecryptionProvider() {
         if (jweDecryptor != null) {
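Review bot: The two new accessors `getJweDecryptor()` and `getJwsVerifier()` are declared `public`, but the only use visible in this commit is `super.getJwsVerifier()` from the subclass AbstractJoseJwtConsumer. Unless outside callers need the configured decryptor and verifier objects, `protected JwsSignatureVerifier getJwsVerifier()` (and the same for the decryptor) keeps the key-holding providers off the public surface. Neither accessor has a Javadoc. The hunk ends inside `getInitializedDecryptionProvider()`, so the rest of that method is not visible here.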
@@ -44,7 +52,8 @@ public abstract class AbstractJoseConsumer {
     protected JwsSignatureVerifier getInitializedSignatureVerifier() {
         if (jwsVerifier != null) {
             return jwsVerifier;    
-        } 
+        }
+        
         return JwsUtils.loadSignatureVerifier(false);
     }
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
index 9795c10..a74960a 100644
--- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
+++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
@@ -114,6 +114,10 @@ public class JwsCompactProducer {
         return getSignedEncodedJws();
     }
     
+    public boolean isPlainText() {
+        return SignatureAlgorithm.NONE == getAlgorithm();
+    }
+    
     public String setSignatureBytes(byte[] signatureOctets) {
         setEncodedSignature(Base64UrlUtility.encode(signatureOctets));
         return getSignedEncodedJws();
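Review bot: `isPlainText()` becomes part of the public API here without a Javadoc, and the name does not say that it means the JWS is unsecured. I would add a comment along the lines of `/** Returns true if the header algorithm is "none", i.e. the compact JWS carries no signature. */` so callers do not read "plain text" as "not encrypted".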
@@ -122,9 +126,6 @@ public class JwsCompactProducer {
     private void setEncodedSignature(String sig) {
         this.signature = sig;
     }
-    private boolean isPlainText() {
-        return SignatureAlgorithm.NONE == getAlgorithm();
-    }
     private SignatureAlgorithm getAlgorithm() {
         return getJwsHeaders().getSignatureAlgorithm();
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 9b07fcf..8acc6b2 100644
--- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -56,6 +56,8 @@ public final class JwsUtils {
     private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties";
     private static final String RSSEC_REPORT_KEY_PROP = "rs.security.jws.report.public.key";
     private static final String RSSEC_REPORT_KEY_ID_PROP = "rs.security.jws.report.public.key.id";
+    private static final String RSSEC_SIGNATURE_ALLOW_NONE_SIGNATURE = "rs.security.jws.allow.none.signature";
+    
     private JwsUtils() {
         
     }
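Review bot: The new constant `RSSEC_SIGNATURE_ALLOW_NONE_SIGNATURE` has no comment, although it switches off integrity checking for tokens that declare the `none` algorithm. A short comment at the declaration would help, for example `// When true, a JWS whose header declares alg "none" is accepted without any signature check; defaults to false.` The default of `false` is taken from the `getContextualBoolean(..., false)` call in the next hunk of this file.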
@@ -208,6 +210,12 @@ public final class JwsUtils {
     }
     public static JwsSignatureVerifier loadSignatureVerifier(JwsHeaders headers, boolean
required) {
         Message m = PhaseInterceptorChain.getCurrentMessage();
+        boolean allowNoneSignature = 
+            MessageUtils.getContextualBoolean(m, RSSEC_SIGNATURE_ALLOW_NONE_SIGNATURE, false);
+        if (allowNoneSignature && SignatureAlgorithm.NONE.getJwaName().equals(headers.getAlgorithm()))
{
+            return new NoneJwsSignatureVerifier();
+        }
+            
         Properties props = KeyManagementUtils.loadStoreProperties(m, required, 
                                                                   RSSEC_SIGNATURE_IN_PROPS,
RSSEC_SIGNATURE_PROPS);
         if (props == null) {
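Review bot: `headers.getAlgorithm()` in the new `allowNoneSignature` check is dereferenced without a null check, and the other callers of this overload are not visible in the hunk. If any of them passes `null` headers (the one-argument `loadSignatureVerifier(false)` call seen in AbstractJoseConsumer may delegate that way, which cannot be confirmed from here), enabling the property would end in a NullPointerException instead of a verifier lookup. A guard avoids that: `if (allowNoneSignature && headers != null && SignatureAlgorithm.NONE.getJwaName().equals(headers.getAlgorithm())) {`. The method body continues past the end of the hunk.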

http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
index f93cfb7..daea97b 100644
--- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
+++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
@@ -21,8 +21,10 @@ package org.apache.cxf.rs.security.jose.jwt;
 import org.apache.cxf.rs.security.jose.common.AbstractJoseConsumer;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer {
     private boolean jwsRequired = true;
@@ -73,6 +75,14 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer
{
         return jwt; 
     }
     protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
+        if (super.getJwsVerifier() != null) {
+            return super.getJwsVerifier();    
+        }
+        
+        if (jwt.getHeaders() instanceof JwsHeaders) {
+            return JwsUtils.loadSignatureVerifier((JwsHeaders)jwt.getHeaders(), false);
+        }
+        
         return super.getInitializedSignatureVerifier();
     }
     protected void validateToken(JwtToken jwt) {
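Review bot: When no verifier has been set explicitly, `getInitializedSignatureVerifier(JwtToken)` now picks the verifier from the incoming token's own header, and nothing in the method documents that. With `rs.security.jws.allow.none.signature` enabled, a token declaring `none` gets a `NoneJwsSignatureVerifier` before any signature properties are loaded, and `jwsRequired = true` does not appear to prevent this (its use is outside the hunk). I would add a Javadoc stating the precedence (explicitly set verifier, then header-driven lookup, then the default) and noting that consumers which must accept only signed tokens should configure one through `setJwsVerifier`. As a style point, `super.getJwsVerifier()` is called twice where a local variable would do.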

http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
index 374e5ca..a5f5c37 100644
--- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
+++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
@@ -48,14 +48,20 @@ public abstract class AbstractJoseJwtProducer extends AbstractJoseProducer
{
         }
         
         if (isJwsRequired()) {
-            if (theSigProvider == null) {
-                theSigProvider = getInitializedSignatureProvider();
+            JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt);
+            if (jws.isPlainText()) {
+                data = jws.getSignedEncodedJws();
+            } else {
+                if (theSigProvider == null) {
+                    theSigProvider = getInitializedSignatureProvider();
+                }
+                
+                if (theSigProvider == null) {
+                    throw new JwtException("Unable to sign JWT");
+                }
+                
+                data = jws.signWith(theSigProvider);
             }
-            if (theSigProvider == null) {
-                throw new JwtException("Unable to sign JWT");
-            }
-            JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt); 
-            data = jws.signWith(theSigProvider);
             if (theEncProvider != null) {
                 data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), null);
             }
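Review bot: The `jws.isPlainText()` branch emits the token unsigned whenever the JWT headers carry `none`, even though it sits inside `if (isJwsRequired())` and there is no producer-side opt-in matching the consumer's `rs.security.jws.allow.none.signature`. If `theEncProvider` is also null, the unsigned token leaves as is. At minimum the branch should carry a comment such as `// alg "none": token is emitted without a signature although JWS is required`, and it is worth considering the same opt-in flag here so that a mis-set header cannot silently downgrade output. The enclosing method starts before the hunk and continues after it.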

