From serg...@apache.org
Subject cxf git commit: Prototyping the support for a private_key_jwt oidc/oauth2 authentication mode
Date Wed, 21 Dec 2016 15:10:10 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 0522c5be3 -> 0b9097fbd


Prototyping the support for a private_key_jwt oidc/oauth2 authentication mode


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0b9097fb
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0b9097fb
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0b9097fb

Branch: refs/heads/3.1.x-fixes
Commit: 0b9097fbd1cddbb4a183e9448576bde2a6eb2589
Parents: 0522c5b
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Dec 21 15:08:04 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Dec 21 15:09:42 2016 +0000

----------------------------------------------------------------------
 .../oauth2/grants/jwt/JwtBearerAuthHandler.java |  6 +-
 .../oauth2/provider/OAuthJoseJwtConsumer.java   | 13 +++-
 .../provider/OAuthServerJoseJwtConsumer.java    | 68 ++++++++++++++++++++
 3 files changed, 83 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/0b9097fb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
index c504b14..2099607 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
@@ -36,12 +36,12 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtConsumer;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.security.SecurityContext;
 
-public class JwtBearerAuthHandler extends OAuthJoseJwtConsumer implements ContainerRequestFilter
{
+public class JwtBearerAuthHandler extends OAuthServerJoseJwtConsumer implements ContainerRequestFilter
{
     private ClientRegistrationProvider clientProvider;
     private FormEncodingProvider<Form> provider = new FormEncodingProvider<Form>(true);
     private boolean validateAudience = true;
@@ -76,7 +76,7 @@ public class JwtBearerAuthHandler extends OAuthJoseJwtConsumer implements
Contai
                 message.put(Client.class, client);
             }
         }
-        JwtToken token = super.getJwtToken(assertion, client == null ? null : client.getClientSecret());
+        JwtToken token = super.getJwtToken(assertion, client);
         
         String subjectName = (String)token.getClaim(JwtConstants.CLAIM_SUBJECT);
         if (clientId != null && !clientId.equals(subjectName)) {
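Review bot: `client` can still be null at the new call on L68 (the removed line guarded that case explicitly, and L64 shows `client` is only populated inside a conditional), and the new `OAuthServerJoseJwtConsumer.getJwtToken(String, Client)` overload then hands a null decryption provider and a null signature verifier to the base consumer. Whether the base `getJwtToken` rejects an unverified assertion when both are null is not visible in this hunk, so either confirm it fails closed or reject a missing client explicitly before the call, e.g. `if (client == null) { throw new OAuthServiceException("client not found"); }`. The enclosing method starts and ends outside the hunk.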

http://git-wip-us.apache.org/repos/asf/cxf/blob/0b9097fb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtConsumer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtConsumer.java
index a6e4541..c1a13d8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJoseJwtConsumer.java
@@ -51,10 +51,21 @@ public class OAuthJoseJwtConsumer extends JoseJwtConsumer {
         }
     }
 
+    public boolean isDecryptWithClientSecret() {
+        return decryptWithClientSecret;
+    }
+
     public void setDecryptWithClientSecret(boolean decryptWithClientSecret) {
-        this.decryptWithClientSecret = verifyWithClientSecret;
+        this.decryptWithClientSecret = decryptWithClientSecret;
+    }
+
+    public boolean isVerifyWithClientSecret() {
+        return verifyWithClientSecret;
     }
+
     public void setVerifyWithClientSecret(boolean verifyWithClientSecret) {
         this.verifyWithClientSecret = verifyWithClientSecret;
     }
+
+    
 }
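Review bot: The new getters on L84-86 and L93-95 (and the existing setters) carry no Javadoc, so what the two flags control is only discoverable by reading the subclass; add `/** Whether the client's registered secret is used to decrypt the wrapped token. */` above `isDecryptWithClientSecret` and `/** Whether the client's registered secret is used to verify the token signature. */` above `isVerifyWithClientSecret`. The bug corrected on L89-90 (the decrypt setter assigned `verifyWithClientSecret`) went unnoticed because nothing observed the field; now that a getter exists, a unit test asserting that `setDecryptWithClientSecret(true)` flips only `isDecryptWithClientSecret()` would pin the fix. The whitespace-only line on L101 should be dropped.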

http://git-wip-us.apache.org/repos/asf/cxf/blob/0b9097fb/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtConsumer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtConsumer.java
new file mode 100644
index 0000000..b4677e1
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtConsumer.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import java.security.cert.X509Certificate;
+
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+
+public class OAuthServerJoseJwtConsumer extends OAuthJoseJwtConsumer {
+    private boolean verifyWithClientCertificates;
+   
+    public JwtToken getJwtToken(String wrappedJwtToken, Client client) {
+        return getJwtToken(wrappedJwtToken, 
+                           getInitializedDecryptionProvider(client),
+                           getInitializedSignatureVerifier(client));
+    }
+    
+    protected JweDecryptionProvider getInitializedDecryptionProvider(Client c) {
+        if (c == null) {
+            return null;
+        }
+        return super.getInitializedDecryptionProvider(c.getClientSecret());
+    }
+    
+    protected JwsSignatureVerifier getInitializedSignatureVerifier(Client c) {
+        JwsSignatureVerifier theSignatureVerifier = null;
+        if (verifyWithClientCertificates && c != null && !c.getApplicationCertificates().isEmpty())
{
+            X509Certificate cert = 
+                (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
+            theSignatureVerifier = JwsUtils.getPublicKeySignatureVerifier(cert.getPublicKey(),

+                                                                          SignatureAlgorithm.RS256);
+        }
+        if (theSignatureVerifier == null && c != null && c.getClientSecret()
!= null) {
+            theSignatureVerifier = super.getInitializedSignatureVerifier(c.getClientSecret());
+        }
+        return theSignatureVerifier;
+    }
+
+    public void setVerifyWithClientCertificates(boolean verifyWithClientCertificates) {
+        if (isVerifyWithClientSecret()) {
+            throw new SecurityException();
+        }
+        this.verifyWithClientCertificates = verifyWithClientCertificates;
+    }
+    
+}
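Review bot: `setVerifyWithClientCertificates` (L176-181) throws `SecurityException` whenever `isVerifyWithClientSecret()` is true, even when the argument is `false`, and nothing enforces the reverse order — `setVerifyWithClientSecret(true)` after certificate verification has been enabled is accepted — so the mutual exclusion only holds for one call ordering, and the exception carries no message. Guard only on `true`, override the inherited setter so the check is symmetric, and give both exceptions a message. Separately, `getInitializedSignatureVerifier` (L159-174) falls back to the client-secret verifier when certificate verification is enabled but the client has no registered certificate, so a client meant to authenticate with private_key_jwt quietly degrades to shared-secret verification if its certificate is missing; consider failing closed there instead of falling through. The verifier is pinned to `SignatureAlgorithm.RS256` and only `getApplicationCertificates().get(0)` is consulted; whether the token's `alg` header is compared against the verifier's algorithm depends on `JwsUtils` and the base consumer, which are not visible here, so that is worth confirming.
```java
    public void setVerifyWithClientCertificates(boolean verifyWithClientCertificates) {
        if (verifyWithClientCertificates && isVerifyWithClientSecret()) {
            throw new SecurityException("verifyWithClientCertificates and verifyWithClientSecret are mutually exclusive");
        }
        this.verifyWithClientCertificates = verifyWithClientCertificates;
    }

    @Override
    public void setVerifyWithClientSecret(boolean verifyWithClientSecret) {
        if (verifyWithClientSecret && this.verifyWithClientCertificates) {
            throw new SecurityException("verifyWithClientCertificates and verifyWithClientSecret are mutually exclusive");
        }
        super.setVerifyWithClientSecret(verifyWithClientSecret);
    }
```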

