From serg...@apache.org
Subject cxf-fediz git commit: [FEDIZ-134] Getting the JWS provider code more flexible
Date Wed, 11 Nov 2015 14:15:38 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 6d7bc5f9e -> 789d3fc38


[FEDIZ-134] Getting the JWS provider code more flexible


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/789d3fc3
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/789d3fc3
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/789d3fc3

Branch: refs/heads/master
Commit: 789d3fc3898d6fb4adf001f58066a5a7689214d6
Parents: 6d7bc5f
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Nov 11 14:15:14 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Nov 11 14:15:14 2015 +0000

----------------------------------------------------------------------
 .../service/oidc/ClientRegistrationService.java |  5 ++-
 .../fediz/service/oidc/OAuthDataManager.java    | 43 ++++++++++++++++----
 .../main/webapp/WEB-INF/applicationContext.xml  |  3 ++
 3 files changed, 43 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/789d3fc3/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
index 070c5f7..cafe39a 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
@@ -50,6 +50,7 @@ public class ClientRegistrationService {
     @Context
     private SecurityContext sc;
     
+    
     @GET
     @Produces(MediaType.TEXT_HTML)
     @Path("/")
@@ -82,7 +83,9 @@ public class ClientRegistrationService {
     }
     
     protected String generateClientSecret() {
-        return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(15));
+        // TODO: may need to be 384/8 or 512/8 if not a default HS256 but HS384 or HS512
+        int keySizeOctets = manager.isSignIdTokenWithClientSecret() ? 32 : 16; 
+        return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(keySizeOctets));
     }
     
     private Consumers registerNewClient(Client newClient) {
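Review bot: The secret size chosen on the new `keySizeOctets` line is fixed at 32 octets whenever signing with the client secret is enabled, yet the HS algorithm is picked elsewhere from the signature properties (the TODO directly above admits this), so a deployment configured for HS384 or HS512 will mint secrets below the RFC 7518 §3.2 minimum of one hash-output length (48/64 octets) with no warning. A single constant that satisfies every HMAC variant removes the coupling to that configuration: `int keySizeOctets = manager.isSignIdTokenWithClientSecret() ? 64 : 16;` — a 64-octet key is equally valid for HS256 and its Base64url form stays a manageable length. Alternatively read the same signature properties that `OAuthDataManager` consults and derive the size from the algorithm; either way the TODO can then be dropped.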

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/789d3fc3/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
index c00197d..085ea54 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
@@ -23,12 +23,16 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.cxf.fediz.core.FedizPrincipal;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -57,7 +61,7 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
     private Map<String, RefreshToken> refreshTokens = new ConcurrentHashMap<String,
RefreshToken>();
     private Map<String, ServerAuthorizationCodeGrant> codeGrants = 
             new ConcurrentHashMap<String, ServerAuthorizationCodeGrant>();
-    
+    private boolean signIdTokenWithClientSecret;
     
     
     public OAuthDataManager() {
@@ -83,8 +87,7 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
         
         if (principal instanceof FedizPrincipal) {
             grant.getSubject().getProperties().put("id_token", 
-                    getJoseIdToken((FedizPrincipal)principal,
-                                grant.getClient().getClientId()));
+                    getJoseIdToken((FedizPrincipal)principal, grant.getClient()));
         } else {
             throw new OAuthServiceException("Unsupported principal");
         }
@@ -96,12 +99,26 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
         
     }
 
-    protected String getJoseIdToken(FedizPrincipal principal, String clientId) {
+    protected String getJoseIdToken(FedizPrincipal principal, Client client) {
         IdToken jwtClaims = tokenConverter.convertToIdToken(principal.getLoginToken().getOwnerDocument(),
                                                           principal.getName(), 
-                                                          clientId);
+                                                          client.getClientId());
         JwsJwtCompactProducer p = new JwsJwtCompactProducer(jwtClaims);
-        return p.signWith(new NoneJwsSignatureProvider());
+        return p.signWith(getJwsSignatureProvider(client));
+    }
+
+    protected JwsSignatureProvider getJwsSignatureProvider(Client client) {
+        if (signIdTokenWithClientSecret && client.isConfidential() && client.getClientSecret()
!= null) {
+            Properties sigProps = JwsUtils.loadSignatureOutProperties(false);
+            // HS256, HS384, HS512
+            SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(sigProps, 
+                    SignatureAlgorithm.HS256); 
+            if (AlgorithmUtils.isHmacSign(sigAlgo.getJwaName())) {
+                return JwsUtils.getHmacSignatureProvider(client.getClientSecret(), sigAlgo);
+            }
+        } 
+        return JwsUtils.loadSignatureProvider(true);
+        
     }
 
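Review bot: The HMAC branch in `getJwsSignatureProvider` hands whatever `client.getClientSecret()` holds to `JwsUtils.getHmacSignatureProvider` with no check that it carries enough key material for `sigAlgo`; RFC 7518 §3.2 requires an HMAC key of at least the hash output size (32/48/64 octets for HS256/HS384/HS512), and nothing here enforces that for secrets registered before this option was enabled or imported from another store. Because the signed ID token is the proof of authentication, an undersized secret silently weakens every token issued to that client rather than failing visibly. I would guard the branch before the `return`: `if (secretOctets(client.getClientSecret()) < minKeyOctets(sigAlgo)) { throw new OAuthServiceException("client secret too short for " + sigAlgo.getJwaName()); }` with the two private helpers returning the decoded secret length and 32/48/64 from the algorithm — or, if failing closed is too disruptive, fall through to the asymmetric provider and log a warning. How `getHmacSignatureProvider` interprets the secret string (Base64url-decoded versus raw UTF-8 bytes) is not visible in this hunk, so the length comparison must match whichever it actually does.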
     @Override
@@ -176,4 +193,16 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
             permissionMap.put(entry.getKey(), permission);
         }
     }
+
+    /**
+     * Enable the symmetric signature with the client secret. 
+     * This property will be ignored if a client is public 
+     */
+    public void setSignIdTokenWithClientSecret(boolean signIdTokenWithClientSecret) {
+        this.signIdTokenWithClientSecret = signIdTokenWithClientSecret;
+    }
+
+    public boolean isSignIdTokenWithClientSecret() {
+        return signIdTokenWithClientSecret;
+    }
 }
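Review bot: The Javadoc on `setSignIdTokenWithClientSecret` says the property is ignored only for public clients, but `getJwsSignatureProvider` also bypasses it when a confidential client has no secret and when the configured signature algorithm is not an HMAC one, and it does not tell the operator what turning it on commits them to. I would replace the comment with: `Sign ID tokens with HMAC, using the client's secret as the key (HS256 unless the signature properties select HS384/HS512). Ignored for public clients, for confidential clients without a secret, and when a non-HMAC algorithm is configured; the asymmetric provider is used instead. The secret must be at least the hash-output length of the chosen algorithm, and only the holder of the secret can verify such tokens.` The first two sentences are exactly what the branch conditions in this commit implement; the last states the key-size requirement the code currently leaves to the caller.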

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/789d3fc3/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index 20044c0..7b5f660 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -90,6 +90,9 @@
           </map>
         </property>
     -->
+    <!--
+        <property name="signIdTokenWithClientSecret" value="true"/>
+    -->
     </bean>
     
 </beans>

