From serg...@apache.org
Subject cxf git commit: Prototyping the support for a client_secret_jwt oidc/oauth2 authentication mode, starting consolidating the time related validations in JsonJwtConsumer
Date Wed, 21 Dec 2016 13:30:45 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 12ca5af84 -> d30e0e556


Prototyping the support for a client_secret_jwt OIDC/OAuth2 authentication mode; starting to
consolidate the time-related validations in JoseJwtConsumer


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d30e0e55
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d30e0e55
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d30e0e55

Branch: refs/heads/master
Commit: d30e0e556a579a13415c543c4aef9acc0a2cf22e
Parents: 12ca5af
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Dec 21 13:30:30 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Dec 21 13:30:30 2016 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JwtAuthenticationFilter.java     | 20 +--------
 .../rs/security/jose/jwt/JoseJwtConsumer.java   | 18 ++++++++
 .../oauth2/grants/jwt/JwtBearerAuthHandler.java | 44 ++++++++++++++++++--
 .../oauth2/services/AbstractTokenService.java   |  7 +++-
 .../security/oidc/rp/OidcClaimsValidator.java   | 24 ++---------
 5 files changed, 69 insertions(+), 44 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d30e0e55/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index c702244..ef10149 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -47,9 +47,7 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements
Containe
     
     private static final String DEFAULT_AUTH_SCHEME = "JWT";
     private String expectedAuthScheme = DEFAULT_AUTH_SCHEME;
-    private int clockOffset;
     private String roleClaim;
-    private int ttl;
     private boolean validateAudience = true;
     
     @Override
@@ -98,17 +96,9 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements
Containe
     
     @Override
     protected void validateToken(JwtToken jwt) {
-        JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, isValidateAudience());
+        JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
     }
 
-    public int getClockOffset() {
-        return clockOffset;
-    }
-
-    public void setClockOffset(int clockOffset) {
-        this.clockOffset = clockOffset;
-    }
-    
     public String getRoleClaim() {
         return roleClaim;
     }
@@ -117,14 +107,6 @@ public class JwtAuthenticationFilter extends JoseJwtConsumer implements
Containe
         this.roleClaim = roleClaim;
     }
 
-    public int getTtl() {
-        return ttl;
-    }
-
-    public void setTtl(int ttl) {
-        this.ttl = ttl;
-    }
-
     public boolean isValidateAudience() {
         return validateAudience;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/d30e0e55/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java
index 35a6eee..54b691a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java
@@ -30,6 +30,9 @@ public class JoseJwtConsumer extends AbstractJoseConsumer {
     private boolean jwsRequired = true;
     private boolean jweRequired;
     
+    private int clockOffset;
+    private int ttl;
+    
     public JwtToken getJwtToken(String wrappedJwtToken) {
         return getJwtToken(wrappedJwtToken, null, null);
     }
@@ -104,4 +107,19 @@ public class JoseJwtConsumer extends AbstractJoseConsumer {
         this.jweRequired = jweRequired;
     }
     
+    public int getClockOffset() {
+        return clockOffset;
+    }
+
+    public void setClockOffset(int clockOffset) {
+        this.clockOffset = clockOffset;
+    }
+    
+    public int getTtl() {
+        return ttl;
+    }
+
+    public void setTtl(int ttl) {
+        this.ttl = ttl;
+    }
 }
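Review bot: The new setClockOffset and setTtl accept any int, negatives included, and carry no Javadoc saying what the values mean or in which unit; both are handed straight to JwtUtils.validateTokenClaims by the subclasses touched in this commit (JwtAuthenticationFilter, JwtBearerAuthHandler), so a negative clockOffset would presumably shift the accepted time window the wrong way — confirm against JwtUtils. I would reject negatives in both setters, `if (clockOffset < 0) { throw new IllegalArgumentException("clockOffset must not be negative"); }` (and the same for ttl), and add a Javadoc sentence on each accessor stating the unit (presumably seconds, to be confirmed against JwtUtils) and what 0 means if JwtUtils treats it as "check disabled". Since the same accessors were removed from JwtAuthenticationFilter and OidcClaimsValidator in this commit, this class is now the single place where that contract can be documented.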

http://git-wip-us.apache.org/repos/asf/cxf/blob/d30e0e55/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
index f8c4ee5..c504b14 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
@@ -20,6 +20,7 @@
 package org.apache.cxf.rs.security.oauth2.grants.jwt;
 
 import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.core.Form;
 import javax.ws.rs.core.MultivaluedMap;
 
@@ -29,15 +30,21 @@ import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.HttpUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter;
+import org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext;
 import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.security.SecurityContext;
 
-public class JwtBearerAuthHandler extends JwtAuthenticationFilter {
+public class JwtBearerAuthHandler extends OAuthJoseJwtConsumer implements ContainerRequestFilter
{
+    private ClientRegistrationProvider clientProvider;
     private FormEncodingProvider<Form> provider = new FormEncodingProvider<Form>(true);
+    private boolean validateAudience = true;
     
     public JwtBearerAuthHandler() {
     }
@@ -54,9 +61,23 @@ public class JwtBearerAuthHandler extends JwtAuthenticationFilter {
         }
         
         String assertion = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_PARAM);
-        JwtToken token = super.getJwtToken(assertion);
+        if (assertion == null) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
         
         String clientId = formData.getFirst(OAuthConstants.CLIENT_ID);
+        
+        Client client = null;
+        if (clientId != null && clientProvider != null) {
+            client = clientProvider.getClient(clientId);
+            if (client == null) {
+                throw ExceptionUtils.toNotAuthorizedException(null, null);
+            } else {
+                message.put(Client.class, client);
+            }
+        }
+        JwtToken token = super.getJwtToken(assertion, client == null ? null : client.getClientSecret());
+        
         String subjectName = (String)token.getClaim(JwtConstants.CLAIM_SUBJECT);
         if (clientId != null && !clientId.equals(subjectName)) {
             throw ExceptionUtils.toNotAuthorizedException(null, null);
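Review bot: The client lookup guarded by `if (clientId != null && clientProvider != null)` is keyed only on the optional client_id form parameter, so when it is absent — or when no clientProvider has been injected — `client` stays null and the assertion is verified via `super.getJwtToken(assertion, null)`; what OAuthJoseJwtConsumer does with a null secret (fall back to another key, or skip MAC verification) is not visible here and should be confirmed, because for client_secret_jwt the registered secret is the only thing binding the assertion to a client. In the JWT client-authentication profile the assertion identifies the client through its iss/sub claims, so consider resolving the client from the assertion's subject when client_id is missing, and failing with toNotAuthorizedException when clientProvider is null instead of silently skipping the lookup. `message.put(Client.class, client)` is later read by AbstractTokenService under `Client.class.getName()`; CXF's Message.put(Class, value) stores under the class name, so the keys match, but a short comment saying the two are paired would help the next reader. The enclosing filter method starts and ends outside this hunk.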
@@ -80,6 +101,10 @@ public class JwtBearerAuthHandler extends JwtAuthenticationFilter {
         }
     }
     
+    protected SecurityContext configureSecurityContext(JwtToken token) {
+        return new JwtTokenSecurityContext(token, null);
+    }
+
     private Form readFormData(Message message) {
         try {
             return FormUtils.readForm(provider, message);
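Review bot: `new JwtTokenSecurityContext(token, null)` passes a bare null for the second constructor argument with nothing explaining it; if that argument is the role claim name (as in JwtAuthenticationFilter, which this class no longer extends), the handler has lost the configurable roleClaim the previous superclass provided. Either reintroduce a `roleClaim` property or document the choice inline, `return new JwtTokenSecurityContext(token, null); // no role claim: roles are not derived from the client assertion`. The method carries no @Override now that the superclass is OAuthJoseJwtConsumer, so confirm it is actually invoked from the filter code outside this hunk rather than being dead after the superclass change.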
@@ -106,6 +131,19 @@ public class JwtBearerAuthHandler extends JwtAuthenticationFilter {
         if (jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
             throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
         }
+        
+        JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
+    }
+
+    public void setClientProvider(ClientRegistrationProvider clientProvider) {
+        this.clientProvider = clientProvider;
     }
     
+    public boolean isValidateAudience() {
+        return validateAudience;
+    }
+
+    public void setValidateAudience(boolean validateAudience) {
+        this.validateAudience = validateAudience;
+    }
 }
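Review bot: The `JwtUtils.validateTokenClaims(...)` call added to validateToken runs after the explicit expiry-null check just above it; if validateTokenClaims already rejects a missing exp the earlier check is redundant, and if it does not, the order is what makes exp mandatory, so a one-line comment would help, e.g. `// exp is mandatory for a client assertion; validateTokenClaims then applies ttl/clockOffset/audience` (validateToken's signature lies outside the hunk). setClientProvider and the validateAudience accessors have no Javadoc; state that without a clientProvider no client secret is resolved for the assertion, so deployments know the provider is required for client_secret_jwt, and consider `this.clientProvider = Objects.requireNonNull(clientProvider, "clientProvider");` if null is never a valid configuration. isValidateAudience/setValidateAudience duplicate the pair that remains in JwtAuthenticationFilter, which is acceptable after the superclass change but worth a note so they do not drift.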

http://git-wip-us.apache.org/repos/asf/cxf/blob/d30e0e55/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index d763b5b..94aa9ee 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -74,7 +74,12 @@ public class AbstractTokenService extends AbstractOAuthService {
         } else {
             String clientId = retrieveClientId(params);
             if (clientId != null) {
-                client = getClient(clientId, params);
+                if (clientId.equals(principal.getName())) {
+                    client = (Client)getMessageContext().get(Client.class.getName());
+                }
+                if (client == null) {
+                    client = getClient(clientId, params);
+                }
             } else if (principal.getName() != null) {
                 client = getClient(principal.getName(), params);
             } 
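Review bot: The cast at `client = (Client)getMessageContext().get(Client.class.getName())` short-circuits getClient(clientId, params) — and whatever credential checks that method performs — on the strength of a Client object found in the message context, with only `clientId.equals(principal.getName())` guarding it. That is sound only because the filter that stored the Client presumably also established the principal and enforced that the assertion subject equals client_id (JwtBearerAuthHandler in this commit), none of which is evident from this method; add a comment making the trust relationship explicit, `// Client was already authenticated by the request filter that set the principal (e.g. JwtBearerAuthHandler); reuse it rather than re-authenticating`. Any other component able to write Client.class.getName() into the message context would inherit this shortcut, so the contract is worth stating where it is relied upon. The enclosing method starts and ends outside this hunk.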

http://git-wip-us.apache.org/repos/asf/cxf/blob/d30e0e55/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
index 31a3111..cf3b929 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
@@ -39,8 +39,6 @@ import org.apache.cxf.rs.security.oidc.common.IdToken;
 public class OidcClaimsValidator extends OAuthJoseJwtConsumer {
     private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
     private String issuerId;
-    private int clockOffset;
-    private int ttl;
     private WebClient jwkSetClient;
     private boolean supportSelfIssuedProvider;
     private boolean strictTimeValidation;
@@ -88,7 +86,7 @@ public class OidcClaimsValidator extends OAuthJoseJwtConsumer {
             boolean expiredRequired = 
                 validateClaimsAlways || strictTimeValidation && claims.getIssuedAt()
== null;
             try {
-                JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
+                JwtUtils.validateJwtExpiry(claims, getClockOffset(), expiredRequired);
             } catch (JwtException ex) {
                 throw new OAuthServiceException("ID Token has expired", ex);
             }
@@ -98,13 +96,13 @@ public class OidcClaimsValidator extends OAuthJoseJwtConsumer {
             boolean issuedAtRequired = 
                 validateClaimsAlways || strictTimeValidation && claims.getExpiryTime()
== null;
             try {
-                JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired);
+                JwtUtils.validateJwtIssuedAt(claims, getTtl(), getClockOffset(), issuedAtRequired);
             } catch (JwtException ex) {
                 throw new OAuthServiceException("Invalid issuedAt claim", ex);
             }
             if (strictTimeValidation) {
                 try {
-                    JwtUtils.validateJwtNotBefore(claims, clockOffset, strictTimeValidation);
+                    JwtUtils.validateJwtNotBefore(claims, getClockOffset(), strictTimeValidation);
                 } catch (JwtException ex) {
                     throw new OAuthServiceException("ID Token can not be used yet", ex);
                 }    
@@ -170,23 +168,7 @@ public class OidcClaimsValidator extends OAuthJoseJwtConsumer {
         this.supportSelfIssuedProvider = supportSelfIssuedProvider;
     }
 
-    public int getClockOffset() {
-        return clockOffset;
-    }
-
-    public void setClockOffset(int clockOffset) {
-        this.clockOffset = clockOffset;
-    }
-
     public void setStrictTimeValidation(boolean strictTimeValidation) {
         this.strictTimeValidation = strictTimeValidation;
     }
-
-    public int getTtl() {
-        return ttl;
-    }
-
-    public void setTtl(int ttl) {
-        this.ttl = ttl;
-    }
 }

