Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 35F9F1874A for ; Fri, 29 Jan 2016 10:51:06 +0000 (UTC) Received: (qmail 90540 invoked by uid 500); 29 Jan 2016 10:51:03 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 90481 invoked by uid 500); 29 Jan 2016 10:51:03 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 90453 invoked by uid 99); 29 Jan 2016 10:51:03 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 29 Jan 2016 10:51:03 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 03B4EE0B39; Fri, 29 Jan 2016 10:51:03 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <27f71fd176114d9eb8cc1e6b94202815@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Optimizing JwtRequestCodeFilter code Date: Fri, 29 Jan 2016 10:51:03 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/3.1.x-fixes c811308df -> f5911fb98 Optimizing JwtRequestCodeFilter code Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f5911fb9 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f5911fb9 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f5911fb9 Branch: refs/heads/3.1.x-fixes Commit: f5911fb98e06b6ec09942edccbf205deb0138e27 Parents: c811308 Author: Sergey Beryozkin Authored: Fri Jan 29 10:49:17 2016 +0000 Committer: Sergey Beryozkin Committed: Fri Jan 29 10:50:48 2016 +0000 ---------------------------------------------------------------------- .../grants/code/JwtRequestCodeFilter.java | 74 ++++---------------- 1 file changed, 12 insertions(+), 62 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/f5911fb9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
index 371f61c..ddb4f74 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
@@ -22,35 +22,29 @@
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Map;
-import javax.crypto.SecretKey;
 import javax.ws.rs.core.MultivaluedMap;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
-import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeRequestFilter;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
-public class JwtRequestCodeFilter implements AuthorizationCodeRequestFilter {
+public class JwtRequestCodeFilter extends AbstractOAuthJoseJwtConsumer implements AuthorizationCodeRequestFilter {
 private static final String REQUEST_PARAM = "request";
 private static final String REQUEST_URI_PARAM = "request_uri";
- private JweDecryptionProvider jweDecryptor;
- private JwsSignatureVerifier jwsVerifier;
 private boolean verifyWithClientCertificates;
- private boolean verifyWithClientSecret;
- private boolean decryptWithClientSecret;
 private String issuer;
 private JsonMapObjectReaderWriter jsonHandler = new JsonMapObjectReaderWriter();
 @Override
@@ -60,21 +54,15 @@ public class JwtRequestCodeFilter implements AuthorizationCodeRequestFilter {
 String requestToken = params.getFirst(REQUEST_PARAM);
 if (requestToken == null) {
 String requestUri = params.getFirst(REQUEST_URI_PARAM);
- if (requestUri != null && requestUri.startsWith(getPrefix(client))) {
+ if (isRequestUriValid(client, requestUri)) {
 requestToken = WebClient.create(requestUri).get(String.class);
 }
 }
 if (requestToken != null) {
- JweDecryptionProvider theJweDecryptor = getInitializedDecryptionProvider(client);
- if (theJweDecryptor != null) {
- requestToken = theJweDecryptor.decrypt(requestToken).getContentText();
- }
+ JweDecryptionProvider theDecryptor = super.getInitializedDecryptionProvider(client.getClientSecret());
 JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
- JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(requestToken);
- if (!consumer.verifySignatureWith(theSigVerifier)) {
- throw new SecurityException("Invalid Signature");
- }
- JwtClaims claims = consumer.getJwtClaims();
+ JwtToken jwt = getJwtToken(requestToken, theDecryptor, theSigVerifier);
+ JwtClaims claims = jwt.getClaims();
 String iss = issuer != null ? issuer : client.getClientId();
 if (!iss.equals(claims.getIssuer()) || claims.getClaim(OAuthConstants.CLIENT_ID) != null
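Review bot: The new `theDecryptor` line drops the old null check before decryption and the explicit `SecurityException("Invalid Signature")`, delegating both to `getJwtToken` in `AbstractOAuthJoseJwtConsumer`, which is outside this diff; confirm that it throws when the signature does not verify and that it tolerates a null decryptor, since `getInitializedDecryptionProvider(client.getClientSecret())` presumably returns null when no decryption is configured. The `isRequestUriValid` check still gates a server-side `WebClient.create(requestUri).get(String.class)` fetch of a client-supplied URL on the scheme alone, so the host restriction mentioned in the TODO inside `isRequestUriValid` is worth tracking as a follow-up, and the `client` argument passed here is what such a restriction would key on. The enclosing method starts and ends outside this hunk.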
@@ -100,61 +88,23 @@ public class JwtRequestCodeFilter implements AuthorizationCodeRequestFilter {
 return params;
 }
 }
- private String getPrefix(Client client) {
+ private boolean isRequestUriValid(Client client, String requestUri) {
 //TODO: consider restricting to specific hosts
- return "https://";
- }
- public void setJweDecryptor(JweDecryptionProvider jweDecryptor) {
- this.jweDecryptor = jweDecryptor;
- }
-
- public void setJweVerifier(JwsSignatureVerifier theJwsVerifier) {
- this.jwsVerifier = theJwsVerifier;
- }
-
- protected JweDecryptionProvider getInitializedDecryptionProvider(Client c) {
- if (jweDecryptor != null) {
- return jweDecryptor;
- }
- if (decryptWithClientSecret) {
- SecretKey key = CryptoUtils.decodeSecretKey(c.getClientSecret());
- return JweUtils.getDirectKeyJweDecryption(key, ContentAlgorithm.A128GCM);
- }
- return JweUtils.loadDecryptionProvider(false);
+ return requestUri != null && requestUri.startsWith("https://");
 }
 protected JwsSignatureVerifier getInitializedSigVerifier(Client c) {
- if (jwsVerifier != null) {
- return jwsVerifier;
- }
- if (verifyWithClientSecret) {
- byte[] hmac = CryptoUtils.decodeSequence(c.getClientSecret());
- return JwsUtils.getHmacSignatureVerifier(hmac, SignatureAlgorithm.HS256);
- } else if (verifyWithClientCertificates) {
+ if (verifyWithClientCertificates) {
 X509Certificate cert = (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
 return JwsUtils.getPublicKeySignatureVerifier(cert, SignatureAlgorithm.RS256);
 }
- return JwsUtils.loadSignatureVerifier(true);
+ return super.getInitializedSignatureVerifier(c.getClientSecret());
 }
 public void setIssuer(String issuer) {
 this.issuer = issuer;
 }
 public void setVerifyWithClientCertificates(boolean verifyWithClientCertificates) {
- if (verifyWithClientSecret) {
- throw new SecurityException();
- }
 this.verifyWithClientCertificates = verifyWithClientCertificates;
 }
- public void setVerifyWithClientSecret(boolean verifyWithClientSecret) {
- if (decryptWithClientSecret || verifyWithClientCertificates) {
- throw new SecurityException();
- }
- this.verifyWithClientSecret = verifyWithClientSecret;
- }
- public void setDecryptWithClientSecret(boolean decryptWithClientSecret) {
- if (verifyWithClientSecret) {
- throw new SecurityException();
- }
- this.decryptWithClientSecret = decryptWithClientSecret;
- }
+
 }
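Review bot: `isRequestUriValid` takes a `client` parameter it never reads, so either the TODO about restricting to specific hosts should use it (for example, checking the URI against values registered for that client) or the parameter should be dropped until it does. Removing the guard from `setVerifyWithClientCertificates` means certificate verification and whatever client-secret verification mode `AbstractOAuthJoseJwtConsumer` presumably offers can now both be enabled, and `getInitializedSigVerifier` resolves that silently by letting the certificate branch win; a Javadoc line on that method such as `Certificate-based verification takes precedence over the verifiers configured on the superclass.` would make the precedence explicit. In the same method, the `c.getApplicationCertificates().get(0)` call (unchanged context here) has no guard for a client with no registered certificates, so that path fails with an unchecked collection exception rather than a clear security error.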