From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <9d0d8fba30954caca8028a5cdb36ab57@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: [CXF-7110] Supporting a custom audience property Date: Mon, 7 Nov 2016 12:59:16 +0000 (UTC) archived-at: Mon, 07 Nov 2016 12:59:17 -0000 Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 7092c5d33 -> 9e9dd3949 [CXF-7110] Supporting a custom audience property Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9e9dd394 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9e9dd394 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9e9dd394 Branch: refs/heads/3.1.x-fixes Commit: 9e9dd3949c8720e7ba7493c815fca4aa1a4a5f63 Parents: 7092c5d Author: Sergey Beryozkin Authored: Mon Nov 7 12:58:05 2016 +0000 Committer: Sergey Beryozkin Committed: Mon Nov 7 12:58:56 2016 +0000 ---------------------------------------------------------------------- .../jose/jaxrs/JwtAuthenticationFilter.java | 11 ++++++++++- .../cxf/rs/security/jose/jwt/JwtConstants.java | 3 ++- .../cxf/rs/security/jose/jwt/JwtUtils.java | 19 +++++++------------ .../oauth2/grants/jwt/AbstractJwtHandler.java | 14 ++++++++++++++ 4 files changed, 33 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/9e9dd394/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java index eeda86d..c702244 100644 
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -50,6 +50,7 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements Containe
 private int clockOffset;
 private String roleClaim;
 private int ttl;
+ private boolean validateAudience = true;
 
 @Override
 public void filter(ContainerRequestContext requestContext) throws IOException {
@@ -97,7 +98,7 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements Containe
 
 @Override
 protected void validateToken(JwtToken jwt) {
- JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, true);
+ JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, isValidateAudience());
 }
 
 public int getClockOffset() {
@@ -123,4 +124,12 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements Containe
 public void setTtl(int ttl) {
 this.ttl = ttl;
 }
+
+ public boolean isValidateAudience() {
+ return validateAudience;
+ }
+
+ public void setValidateAudience(boolean validateAudience) {
+ this.validateAudience = validateAudience;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9e9dd394/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
index d0a663d..eae9091 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
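Review bot: The new setValidateAudience switch makes it possible to turn the `aud` check off entirely, and nothing on the setter says what that costs; a JWT that was minted for some other resource server and leaked to this one would then be accepted as long as its signature, expiry and issuer check out, so the setter deserves a Javadoc along the lines of `/** Disable only for tokens that carry no audience; any token issued for another service is then accepted here. */`. The default of `true` on the field is the right one and should stay, so the comment matters more than the code. The getter/setter pair is consistent with the existing clockOffset and ttl accessors, which is fine for this class.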
@@ -32,7 +32,8 @@ public final class JwtConstants { public static final String JWT_TOKEN = "jwt.token"; public static final String JWT_CLAIMS = "jwt.claims"; - + public static final String EXPECTED_CLAIM_AUDIENCE = "expected.claim.audience"; + private JwtConstants() { } http://git-wip-us.apache.org/repos/asf/cxf/blob/9e9dd394/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java index cf5e1c2..14604c9 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java 
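Review bot: EXPECTED_CLAIM_AUDIENCE is introduced without a comment, and the other constants in this class give no hint that it is a message contextual-property key rather than a claim name; from the JwtUtils change in the same commit it is read via getContextualProperty and, when set, replaces the request URL as the value the `aud` claim must match. A one-line Javadoc, `/** Contextual property naming the audience a token's 'aud' claim must contain; overrides the request-URL default. */`, would make that visible to anyone configuring it from Spring or a bus property. The constant's string value `expected.claim.audience` is fine as the key.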
@@ -115,24 +115,19 @@ public final class JwtUtils { } public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) { - // Get the endpoint URL - String requestURL = null; - if (message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) { - requestURL = (String)message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL); + String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE); + if (expectedAudience == null) { + expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL); } - if (requestURL != null) { - boolean match = false; + if (expectedAudience != null) { for (String audience : claims.getAudiences()) { - if (requestURL.equals(audience)) { - match = true; - break; + if (expectedAudience.equals(audience)) { + return; } } - if (!match) { - throw new JwtException("Invalid audience restriction"); - } } + throw new JwtException("Invalid audience restriction"); } public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset, http://git-wip-us.apache.org/repos/asf/cxf/blob/9e9dd394/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java index 5855165..f3a6366 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java 
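Review bot: The rewritten validateJwtAudienceRestriction now fails closed when neither `expected.claim.audience` nor `Message.REQUEST_URL` is available, where the removed code returned silently in that case; that is the safer behaviour but it is a change the commit message does not mention, so a comment on the final throw, `// No expected audience could be determined: reject rather than skip the check`, would spare the next reader the diff archaeology. The for-each over `claims.getAudiences()` still dereferences the result without a guard; if that accessor returns null when the `aud` claim is absent (I can't tell from here), a token without an audience surfaces as a NullPointerException rather than the intended JwtException, so `if (expectedAudience != null && claims.getAudiences() != null)` keeps the rejection path uniform. Note also that the fallback compares the raw request URL byte-for-byte, so a deployment behind a proxy that rewrites scheme or host must set the new property explicitly or every token will be rejected. The validateTokenClaims signature at the tail of the hunk continues outside it.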
@@ -21,6 +21,7 @@ package org.apache.cxf.rs.security.oauth2.grants.jwt; import java.util.List; import java.util.Set; +import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.rs.security.jose.jws.JwsHeaders; import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; import org.apache.cxf.rs.security.jose.jws.JwsUtils; @@ -37,10 +38,12 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; * The "JWT Bearer" grant handler */ public abstract class AbstractJwtHandler extends AbstractGrantHandler { + private Set supportedIssuers; private JwsSignatureVerifier jwsVerifier; private int ttl; private int clockOffset; + private String audience; protected AbstractJwtHandler(List grants) { super(grants); @@ -54,6 +57,9 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler { } protected void validateClaims(Client client, JwtClaims claims) { + if (getAudience() != null) { + JAXRSUtils.getCurrentMessage().put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, getAudience()); + } JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true); validateIssuer(claims.getIssuer()); @@ -106,4 +112,12 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler { public void setClockOffset(int clockOffset) { this.clockOffset = clockOffset; } + + public String getAudience() { + return audience; + } + + public void setAudience(String audience) { + this.audience = audience; + } }
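Review bot: validateClaims publishes the configured audience by writing it onto the current message before delegating to JwtUtils.validateTokenClaims, but nothing documents what the new `audience` property means or what happens when it is left null; from the JwtUtils change in this commit the check then falls back to the request URL, so a Javadoc on setAudience such as `/** Expected 'aud' of the assertion; when unset the token endpoint's request URL is used. */` would make that contract visible to whoever configures the grant handler. `JAXRSUtils.getCurrentMessage()` is dereferenced without a null check; if validateClaims can ever run outside a JAX-RS request (I can't tell from here) that becomes a NullPointerException before any claim is examined. Both hunks for this file sit inside the class body, which starts before the first hunk.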