From serg...@apache.org
Subject cxf git commit: [CXF-7110] Supporting a custom audience property
Date Mon, 07 Nov 2016 12:58:28 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 9e1ba100a -> 4ca530b75


[CXF-7110] Supporting a custom audience property


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4ca530b7
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4ca530b7
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4ca530b7

Branch: refs/heads/master
Commit: 4ca530b7511baa6d17680c7a4848bbc8550a8563
Parents: 9e1ba10
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Nov 7 12:58:05 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Nov 7 12:58:05 2016 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JwtAuthenticationFilter.java      | 11 ++++++++++-
 .../cxf/rs/security/jose/jwt/JwtConstants.java   |  3 ++-
 .../cxf/rs/security/jose/jwt/JwtUtils.java       | 19 +++++++------------
 .../oauth2/grants/jwt/AbstractJwtHandler.java    | 14 ++++++++++++++
 4 files changed, 33 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/4ca530b7/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index eeda86d..c702244 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -50,6 +50,7 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements
Containe
     private int clockOffset;
     private String roleClaim;
     private int ttl;
+    private boolean validateAudience = true;
     
     @Override
     public void filter(ContainerRequestContext requestContext) throws IOException {
@@ -97,7 +98,7 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements
Containe
     
     @Override
     protected void validateToken(JwtToken jwt) {
-        JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, true);
+        JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, isValidateAudience());
     }
 
     public int getClockOffset() {
@@ -123,4 +124,12 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements
Containe
     public void setTtl(int ttl) {
         this.ttl = ttl;
     }
+
+    public boolean isValidateAudience() {
+        return validateAudience;
+    }
+
+    public void setValidateAudience(boolean validateAudience) {
+        this.validateAudience = validateAudience;
+    }
 }
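Review bot: `setValidateAudience` switches off a security check, and since the field defaults to true on the first hunk of this file (`private boolean validateAudience = true;`) the setter is the only place a reader will learn what disabling it means. I would add a Javadoc above it, `/** Controls whether the token's {@code aud} claim is checked against the expected audience; when false, tokens issued for another service are accepted by this filter. */`. The accessor pair otherwise matches the existing ttl/clockOffset style, and `validateToken` in the previous hunk reading `isValidateAudience()` rather than the field is fine.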

http://git-wip-us.apache.org/repos/asf/cxf/blob/4ca530b7/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
index d0a663d..eae9091 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
@@ -32,7 +32,8 @@ public final class JwtConstants {
     public static final String JWT_TOKEN = "jwt.token";
     public static final String JWT_CLAIMS = "jwt.claims";
     
-        
+    public static final String EXPECTED_CLAIM_AUDIENCE = "expected.claim.audience";
+    
     private JwtConstants() {
         
     }
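Review bot: `EXPECTED_CLAIM_AUDIENCE` is a message contextual-property key that is read in JwtUtils and written by AbstractJwtHandler elsewhere in this commit, but nothing at the declaration says so. A one-line Javadoc would save the next reader a search, e.g. `/** Message property holding the expected {@code aud} value; when present it takes precedence over the request URL in JwtUtils.validateJwtAudienceRestriction. */`.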

http://git-wip-us.apache.org/repos/asf/cxf/blob/4ca530b7/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index cf5e1c2..14604c9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -115,24 +115,19 @@ public final class JwtUtils {
     }
     
     public static void validateJwtAudienceRestriction(JwtClaims claims, Message message)
{
-        // Get the endpoint URL
-        String requestURL = null;
-        if (message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) !=
null) {
-            requestURL = (String)message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL);
+        String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
+        if (expectedAudience == null) {
+            expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
         }
         
-        if (requestURL != null) {
-            boolean match = false;
+        if (expectedAudience != null) {
             for (String audience : claims.getAudiences()) {
-                if (requestURL.equals(audience)) {
-                    match = true;
-                    break;
+                if (expectedAudience.equals(audience)) {
+                    return;
                 }
             }
-            if (!match) {
-                throw new JwtException("Invalid audience restriction");
-            }
         }
+        throw new JwtException("Invalid audience restriction");
     }
     
     public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset,
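Review bot: After the rewrite a null `expectedAudience` (neither the `expected.claim.audience` property nor `Message.REQUEST_URL` present on the message) falls through to the same `throw new JwtException("Invalid audience restriction")` as a genuine mismatch, whereas the old code skipped the check entirely in that case; failing closed is the right direction, but a missing expected audience is a deployment or transport problem rather than a bad token and deserves a distinct message. I would guard it before the loop, `if (expectedAudience == null) { throw new JwtException("No expected audience available to validate the aud claim against"); }`, and keep the existing throw for the mismatch path. The loop dereferences `claims.getAudiences()` directly; presumably it returns an empty list for a token without an `aud` claim rather than null, otherwise this surfaces as a NullPointerException instead of a JwtException — worth confirming. The `validateTokenClaims` signature on the last context line is cut off by the hunk.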

http://git-wip-us.apache.org/repos/asf/cxf/blob/4ca530b7/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 5855165..f3a6366 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -21,6 +21,7 @@ package org.apache.cxf.rs.security.oauth2.grants.jwt;
 import java.util.List;
 import java.util.Set;
 
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
@@ -37,10 +38,12 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
  * The "JWT Bearer" grant handler
  */
 public abstract class AbstractJwtHandler extends AbstractGrantHandler {
+    
     private Set<String> supportedIssuers; 
     private JwsSignatureVerifier jwsVerifier;
     private int ttl;
     private int clockOffset;
+    private String audience;
         
     protected AbstractJwtHandler(List<String> grants) {
         super(grants);
@@ -54,6 +57,9 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
     }
     
     protected void validateClaims(Client client, JwtClaims claims) {
+        if (getAudience() != null) {
+            JAXRSUtils.getCurrentMessage().put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, getAudience());
+        }
         JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);
         
         validateIssuer(claims.getIssuer());
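Review bot: The configured audience is passed to `JwtUtils.validateJwtAudienceRestriction` through a property on the current message rather than as an argument, which is not visible from the `validateTokenClaims` call that follows; a why-comment on the new `put` would help, e.g. `// JwtUtils reads the expected audience from the current message; when unset it falls back to the request URL`. `JAXRSUtils.getCurrentMessage()` is dereferenced without a null check — if this handler can run outside a JAX-RS request (can't tell from here) that is a NullPointerException before any claim is validated. The hardcoded `true` for audience validation stays while JwtAuthenticationFilter gained a switch in this same commit; for a JWT bearer grant an audience check is expected, so keeping it fixed looks deliberate, but a short comment saying so would stop a later "harmonising" change. The rest of validateClaims continues past the hunk.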
@@ -106,4 +112,12 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler
{
     public void setClockOffset(int clockOffset) {
         this.clockOffset = clockOffset;
     }
+
+    public String getAudience() {
+        return audience;
+    }
+
+    public void setAudience(String audience) {
+        this.audience = audience;
+    }
 }
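Review bot: `setAudience` has no Javadoc, and its default matters: when it is left null the expected audience is resolved from the request URL inside JwtUtils, so the value a deployer sets here silently decides which tokens the grant handler accepts. I would add `/** Sets the expected {@code aud} claim value for incoming assertions; when unset, the current request URL is used as the expected audience. */` above the setter.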

