From cohei...@apache.org
Subject cxf git commit: Set up security context for JWT tokens if a public key algorithm is used
Date Tue, 20 Oct 2015 16:29:10 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes f2d0618c4 -> dc6728643


Set up security context for JWT tokens if a public key algorithm is used


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dc672864
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dc672864
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dc672864

Branch: refs/heads/3.0.x-fixes
Commit: dc67286439abc065ba166baeb56833dae4fe161d
Parents: f2d0618
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Oct 20 17:27:00 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Oct 20 17:28:11 2015 +0100

----------------------------------------------------------------------
 .../rs/security/jose/common/JoseConstants.java  | 11 +++++++++
 .../security/jose/jwa/SignatureAlgorithm.java   |  9 +++++++
 .../jose/jaxrs/JwtAuthenticationFilter.java     | 26 ++++++++++++++++++--
 3 files changed, 44 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/dc672864/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
index e0bf28b..f2c0b75 100644
--- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
+++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
@@ -212,6 +212,17 @@ public final class JoseConstants {
     public static final String RSSEC_ENCRYPTION_REPORT_KEY_PROP = "rs.security.encryption.report.public.key";
     public static final String RSSEC_ENCRYPTION_REPORT_KEY_ID_PROP = "rs.security.encryption.report.public.key.id";
     
+    //
+    // JWT specific configuration
+    //
+    
+    /**
+     * Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is
false.
+     */
+    public static final String ENABLE_UNSIGNED_JWT_PRINCIPAL = "rs.security.enable.unsigned-jwt.principal";
+    
+    
+    
     private JoseConstants() {
         
     }
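Review bot: The Javadoc on ENABLE_UNSIGNED_JWT_PRINCIPAL says the property allows "unsigned" tokens, but the gate it relaxes in JwtAuthenticationFilter.configureSecurityContext is "not verified with a public-key algorithm", so a token signed with a symmetric (HS*) algorithm is also admitted as a Principal only when this flag is set. The property name is now part of the configuration surface, so the Javadoc should carry the precise meaning instead: `Whether to allow JWT tokens that are unsigned, or signed with a symmetric (HMAC) algorithm rather than a public-key algorithm, to be used as SecurityContext Principals. The default is false.` The three blank lines added after the constant could also be reduced to one.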

http://git-wip-us.apache.org/repos/asf/cxf/blob/dc672864/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwa/SignatureAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwa/SignatureAlgorithm.java
b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwa/SignatureAlgorithm.java
index fe6418a..920e2fe 100644
--- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwa/SignatureAlgorithm.java
+++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwa/SignatureAlgorithm.java
@@ -80,4 +80,13 @@ public enum SignatureAlgorithm {
         
     }
     
+    public static boolean isPublicKeyAlgorithm(SignatureAlgorithm sigAlgorithm) {
+        if (sigAlgorithm == null || sigAlgorithm.getJwaName() == null) {
+            return false;
+        }
+        
+        return sigAlgorithm.getJwaName().startsWith("RS") || sigAlgorithm.getJwaName().startsWith("PS")
+            || sigAlgorithm.getJwaName().startsWith("ES");
+    }
+    
 }
\ No newline at end of file
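Review bot: isPublicKeyAlgorithm has no Javadoc and classifies purely by the JWA name prefix, which leaves the reader to work out that RS*, PS* and ES* stand for RSA, RSA-PSS and ECDSA and that HS* (HMAC) and "none" are deliberately excluded; that intent should be written down, e.g. `/** Returns true if the algorithm is asymmetric (RSA, RSA-PSS or ECDSA), i.e. verification proves possession of a private key. HMAC algorithms and "none" return false. */`. getJwaName() is also called three times in the method; reading it once into a local (`String name = sigAlgorithm.getJwaName();`) keeps the null check and the three prefix tests on the same value, which matters if the getter is ever made non-trivial. The enum's other members are outside the hunk.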

http://git-wip-us.apache.org/repos/asf/cxf/blob/dc672864/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index 390d737..0a7c98f 100644
--- a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -30,8 +30,12 @@ import javax.ws.rs.core.HttpHeaders;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.common.JoseException;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
@@ -62,11 +66,29 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
         if (securityContext != null) {
             JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
         }
-
     }
     
     protected SecurityContext configureSecurityContext(JwtToken jwt) {
-        return new JwtTokenSecurityContext(jwt, roleClaim);
+        Message m = JAXRSUtils.getCurrentMessage();
+        boolean enableUnsignedJwt = 
+            MessageUtils.getContextualBoolean(m, JoseConstants.ENABLE_UNSIGNED_JWT_PRINCIPAL,
false);
+        
+        // The token must be signed/verified with a public key to set up the security context,

+        // unless we directly configure otherwise
+        if (isVerifiedWithAPublicKey(jwt) || enableUnsignedJwt) {
+            return new JwtTokenSecurityContext(jwt, roleClaim);
+        }
+        return null;
+    }
+    
+    private boolean isVerifiedWithAPublicKey(JwtToken jwt) {
+        if (isJwsRequired()) {
+            String alg = (String)jwt.getHeader(JoseConstants.HEADER_ALGORITHM);
+            SignatureAlgorithm sigAlg = SignatureAlgorithm.getAlgorithm(alg);
+            return SignatureAlgorithm.isPublicKeyAlgorithm(sigAlg);
+        }
+        
+        return false;
     }
 
     
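Review bot: isVerifiedWithAPublicKey derives the trust decision from the token's own `alg` header (the getHeader call) rather than from the algorithm the configured verifier actually applied, so the gate keys off data the token's sender chose; this is only equivalent if the JWS verification performed earlier in AbstractJoseJwtConsumer rejects a token whose header alg differs from the configured signature algorithm, which this hunk cannot show. If that holds, a comment should record the dependency, e.g. `// alg comes from the already-verified header; the verifier is expected to reject any alg other than the configured one`; if it does not, the check should consult the consumer's configured signature algorithm instead of the header. A second, smaller point: when isJwsRequired() is false the method returns false even for a token that was in fact verified, which is conservative but deserves a sentence in the comment above the check so the behaviour reads as intended rather than accidental. Both methods sit inside JwtAuthenticationFilter, whose class body continues outside the hunk.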

