cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/2] cxf git commit: Adding a filter to authenticate JWT Tokens for the JWT Bearer Client Authentication case
Date Tue, 01 Dec 2015 14:04:31 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 6d58c0742 -> a77774de4


Adding a filter to authenticate JWT Tokens for the JWT Bearer Client Authentication case


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a77774de
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a77774de
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a77774de

Branch: refs/heads/master
Commit: a77774de468e4e068f63da91d917dfc0b87c3e3b
Parents: 49b24fa
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Dec 1 14:02:22 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Dec 1 14:02:44 2015 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JwtAuthenticationFilter.java     |  10 +-
 .../cxf/rs/security/jose/jwt/JwtUtils.java      |  12 ++
 rt/rs/security/oauth-parent/oauth2/pom.xml      |   2 +-
 .../oauth2/grants/jwt/AbstractJwtHandler.java   |  22 ++--
 .../oauth2/grants/jwt/JwtBearerAuthHandler.java | 111 +++++++++++++++++++
 5 files changed, 136 insertions(+), 21 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a77774de/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index e52897c..2dc6095 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -96,15 +96,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
     
     @Override
     protected void validateToken(JwtToken jwt) {
-        // If we have no issued time then we need to have an expiry
-        boolean expiredRequired = jwt.getClaims().getIssuedAt() == null;
-        JwtUtils.validateJwtExpiry(jwt.getClaims(), clockOffset, expiredRequired);
-        
-        JwtUtils.validateJwtNotBefore(jwt.getClaims(), clockOffset, false);
-        
-        // If we have no expiry then we must have an issued at
-        boolean issuedAtRequired = jwt.getClaims().getExpiryTime() == null;
-        JwtUtils.validateJwtIssuedAt(jwt.getClaims(), ttl, clockOffset, issuedAtRequired);
+        JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset);
     }
 
     public int getClockOffset() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/a77774de/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 9f1c1d6..fa6989a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -110,4 +110,16 @@ public final class JwtUtils {
         }
     }
     
+    public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset)
{
+        // If we have no issued time then we need to have an expiry
+        boolean expiredRequired = claims.getIssuedAt() == null;
+        validateJwtExpiry(claims, clockOffset, expiredRequired);
+        
+        validateJwtNotBefore(claims, clockOffset, false);
+        
+        // If we have no expiry then we must have an issued at
+        boolean issuedAtRequired = claims.getExpiryTime() == null;
+        validateJwtIssuedAt(claims, timeToLive, clockOffset, issuedAtRequired);
+    }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a77774de/rt/rs/security/oauth-parent/oauth2/pom.xml
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/pom.xml b/rt/rs/security/oauth-parent/oauth2/pom.xml
index 17ea095..84af41c 100644
--- a/rt/rs/security/oauth-parent/oauth2/pom.xml
+++ b/rt/rs/security/oauth-parent/oauth2/pom.xml
@@ -44,7 +44,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-rt-rs-security-jose</artifactId>
+            <artifactId>cxf-rt-rs-security-jose-jaxrs</artifactId>
             <version>${project.version}</version>
         </dependency> 
         <dependency>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a77774de/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 4f966c2..b8c6267 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -25,6 +25,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
@@ -53,19 +54,16 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler
{
     }
     
     protected void validateClaims(Client client, JwtClaims claims) {
+        JwtUtils.validateTokenClaims(claims, ttl, clockOffset);
+        
         validateIssuer(claims.getIssuer());
         validateSubject(client, claims.getSubject());
         validateAudience(client, claims.getAudience());
         
-        // If we have no issued time then we need to have an expiry
-        boolean expiredRequired = claims.getIssuedAt() == null;
-        JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
-        
-        JwtUtils.validateJwtNotBefore(claims, clockOffset, false);
-        
-        // If we have no expiry then we must have an issued at
-        boolean issuedAtRequired = claims.getExpiryTime() == null;
-        JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired);
+        // We must have an Expiry
+        if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
     }
 
     protected void validateIssuer(String issuer) {
@@ -75,10 +73,12 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler
{
     }
     
     protected void validateSubject(Client client, String subject) {
-        //TODO
+        // We must have a Subject
+        if (subject == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
     }
     protected void validateAudience(Client client, String audience) {
-        //TODO
     }
     public void setSupportedIssuers(Set<String> supportedIssuers) {
         this.supportedIssuers = supportedIssuers;

http://git-wip-us.apache.org/repos/asf/cxf/blob/a77774de/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
new file mode 100644
index 0000000..f8c4ee5
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.grants.jwt;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Form;
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
+import org.apache.cxf.jaxrs.utils.FormUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.security.SecurityContext;
+
+public class JwtBearerAuthHandler extends JwtAuthenticationFilter {
+    private FormEncodingProvider<Form> provider = new FormEncodingProvider<Form>(true);
+    
+    public JwtBearerAuthHandler() {
+    }
+    
+    @Override
+    public void filter(ContainerRequestContext context) {
+        Message message = JAXRSUtils.getCurrentMessage();
+        Form form = readFormData(message);
+        MultivaluedMap<String, String> formData = form.asMap();
+        String assertionType = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_TYPE);
+        String decodedAssertionType = assertionType != null ? HttpUtils.urlDecode(assertionType)
: null;
+        if (decodedAssertionType == null || !Constants.CLIENT_AUTH_JWT_BEARER.equals(decodedAssertionType))
{
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        
+        String assertion = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_PARAM);
+        JwtToken token = super.getJwtToken(assertion);
+        
+        String clientId = formData.getFirst(OAuthConstants.CLIENT_ID);
+        String subjectName = (String)token.getClaim(JwtConstants.CLAIM_SUBJECT);
+        if (clientId != null && !clientId.equals(subjectName)) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        message.put(OAuthConstants.CLIENT_ID, subjectName);
+        
+        formData.remove(OAuthConstants.CLIENT_ID);
+        formData.remove(Constants.CLIENT_AUTH_ASSERTION_PARAM);
+        formData.remove(Constants.CLIENT_AUTH_ASSERTION_TYPE);
+        
+        SecurityContext securityContext = configureSecurityContext(token);
+        if (securityContext != null) {
+            JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
+        }
+        
+        // restore input stream
+        try {
+            FormUtils.restoreForm(provider, form, message);
+        } catch (Exception ex) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+    }
+    
+    private Form readFormData(Message message) {
+        try {
+            return FormUtils.readForm(provider, message);
+        } catch (Exception ex) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);    
+        }
+    }
+    
+    @Override
+    protected void validateToken(JwtToken jwt) {
+        super.validateToken(jwt);
+        
+        // We must have an issuer
+        if (jwt.getClaim(JwtConstants.CLAIM_ISSUER) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
+        
+        // We must have a Subject
+        if (jwt.getClaim(JwtConstants.CLAIM_SUBJECT) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
+        
+        // We must have an Expiry
+        if (jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
+    }
+    
+}


Mime
View raw message