From serg...@apache.org
Subject cxf git commit: Adding JwtCookieAuthenticationInterceptor
Date Wed, 18 Jan 2017 11:36:54 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 0f6d97c0e -> 2582d3958


Adding JwtCookieAuthenticationInterceptor


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2582d395
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2582d395
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2582d395

Branch: refs/heads/master
Commit: 2582d3958a1080c42e1610557966bd2f57c03feb
Parents: 0f6d97c
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Jan 18 11:36:35 2017 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Jan 18 11:36:35 2017 +0000

----------------------------------------------------------------------
 .../jaxrs/AbstractJwtAuthenticationFilter.java  | 108 +++++++++++++++++++
 .../jose/jaxrs/JwtAuthenticationFilter.java     |  79 +-------------
 .../jaxrs/JwtCookieAuthenticationFilter.java    |  41 +++++++
 3 files changed, 152 insertions(+), 76 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2582d395/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwtAuthenticationFilter.java
new file mode 100644
index 0000000..dea0f85
--- /dev/null
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwtAuthenticationFilter.java
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+import java.util.logging.Logger;
+
+import javax.annotation.Priority;
+import javax.ws.rs.Priorities;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.PreMatching;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
+import org.apache.cxf.security.SecurityContext;
+
+@PreMatching
+@Priority(Priorities.AUTHENTICATION)
+public abstract class AbstractJwtAuthenticationFilter extends JoseJwtConsumer implements
ContainerRequestFilter {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwtAuthenticationFilter.class);
+    
+    private String roleClaim;
+    private boolean validateAudience = true;
+    
+    @Override
+    public void filter(ContainerRequestContext requestContext) throws IOException {
+        String encodedJwtToken = getEncodedJwtToken(requestContext);
+        JwtToken token = super.getJwtToken(encodedJwtToken);
+        
+        SecurityContext securityContext = configureSecurityContext(token);
+        if (securityContext != null) {
+            JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
+        }
+    }
+    
+    protected abstract String getEncodedJwtToken(ContainerRequestContext requestContext);
+
+    protected SecurityContext configureSecurityContext(JwtToken jwt) {
+        Message m = JAXRSUtils.getCurrentMessage();
+        boolean enableUnsignedJwt = 
+            MessageUtils.getContextualBoolean(m, JoseConstants.ENABLE_UNSIGNED_JWT_PRINCIPAL,
false);
+        
+        // The token must be signed/verified with a public key to set up the security context,

+        // unless we directly configure otherwise
+        if (jwt.getClaims().getSubject() != null 
+            && (isVerifiedWithAPublicKey(jwt) || enableUnsignedJwt)) {
+            return new JwtTokenSecurityContext(jwt, roleClaim);
+        }
+        return null;
+    }
+    
+    private boolean isVerifiedWithAPublicKey(JwtToken jwt) {
+        if (isJwsRequired()) {
+            String alg = (String)jwt.getJwsHeader(JoseConstants.HEADER_ALGORITHM);
+            SignatureAlgorithm sigAlg = SignatureAlgorithm.getAlgorithm(alg);
+            return SignatureAlgorithm.isPublicKeyAlgorithm(sigAlg);
+        }
+        
+        return false;
+    }
+
+    
+    @Override
+    protected void validateToken(JwtToken jwt) {
+        JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
+    }
+
+    public String getRoleClaim() {
+        return roleClaim;
+    }
+
+    public void setRoleClaim(String roleClaim) {
+        this.roleClaim = roleClaim;
+    }
+
+    public boolean isValidateAudience() {
+        return validateAudience;
+    }
+
+    public void setValidateAudience(boolean validateAudience) {
+        this.validateAudience = validateAudience;
+    }
+    
+}
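Review bot: `filter` lets the request continue when `configureSecurityContext` returns null, so a token that `getJwtToken` accepts but that has no subject, or was not verified with a public-key algorithm, passes through with no SecurityContext and no log entry. Whether such a request is rejected later depends on authorization configured elsewhere, which this file does not show. I would record the case with the existing `LOG`, for example an `else` branch with `LOG.fine("JWT accepted without a security context: no subject or not verified with a public key");`, and say in a class Javadoc that the filter does not itself reject these requests. The same Javadoc should state that `ENABLE_UNSIGNED_JWT_PRINCIPAL` allows the subject of a token not verified with a public key to become the principal.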

http://git-wip-us.apache.org/repos/asf/cxf/blob/2582d395/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index ef10149..984de22 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -18,100 +18,27 @@
  */
 package org.apache.cxf.rs.security.jose.jaxrs;
 
-import java.io.IOException;
-import java.util.logging.Logger;
-
-import javax.annotation.Priority;
-import javax.ws.rs.Priorities;
 import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.container.PreMatching;
 import javax.ws.rs.core.HttpHeaders;
 
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.common.JoseException;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
-import org.apache.cxf.security.SecurityContext;
 
-@PreMatching
-@Priority(Priorities.AUTHENTICATION)
-public class JwtAuthenticationFilter extends JoseJwtConsumer implements ContainerRequestFilter
{
-    protected static final Logger LOG = LogUtils.getL7dLogger(JwtAuthenticationFilter.class);
-    
+public class JwtAuthenticationFilter extends AbstractJwtAuthenticationFilter {
     private static final String DEFAULT_AUTH_SCHEME = "JWT";
     private String expectedAuthScheme = DEFAULT_AUTH_SCHEME;
-    private String roleClaim;
-    private boolean validateAudience = true;
     
-    @Override
-    public void filter(ContainerRequestContext requestContext) throws IOException {
+    protected String getEncodedJwtToken(ContainerRequestContext requestContext) {
         String auth = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
         String[] parts = auth == null ? null : auth.split(" ");
         if (parts == null || !expectedAuthScheme.equals(parts[0]) || parts.length != 2) {
             throw new JoseException(expectedAuthScheme + " scheme is expected");
         }
-        JwtToken token = super.getJwtToken(parts[1]);
-        
-        SecurityContext securityContext = configureSecurityContext(token);
-        if (securityContext != null) {
-            JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
-        }
-    }
-    
-    protected SecurityContext configureSecurityContext(JwtToken jwt) {
-        Message m = JAXRSUtils.getCurrentMessage();
-        boolean enableUnsignedJwt = 
-            MessageUtils.getContextualBoolean(m, JoseConstants.ENABLE_UNSIGNED_JWT_PRINCIPAL,
false);
-        
-        // The token must be signed/verified with a public key to set up the security context,

-        // unless we directly configure otherwise
-        if (jwt.getClaims().getSubject() != null 
-            && (isVerifiedWithAPublicKey(jwt) || enableUnsignedJwt)) {
-            return new JwtTokenSecurityContext(jwt, roleClaim);
-        }
-        return null;
-    }
-    
-    private boolean isVerifiedWithAPublicKey(JwtToken jwt) {
-        if (isJwsRequired()) {
-            String alg = (String)jwt.getJwsHeader(JoseConstants.HEADER_ALGORITHM);
-            SignatureAlgorithm sigAlg = SignatureAlgorithm.getAlgorithm(alg);
-            return SignatureAlgorithm.isPublicKeyAlgorithm(sigAlg);
-        }
-        
-        return false;
+        return parts[1];
     }
 
-    
     public void setExpectedAuthScheme(String expectedAuthScheme) {
         this.expectedAuthScheme = expectedAuthScheme;
     }
     
-    @Override
-    protected void validateToken(JwtToken jwt) {
-        JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
-    }
 
-    public String getRoleClaim() {
-        return roleClaim;
-    }
-
-    public void setRoleClaim(String roleClaim) {
-        this.roleClaim = roleClaim;
-    }
-
-    public boolean isValidateAudience() {
-        return validateAudience;
-    }
-
-    public void setValidateAudience(boolean validateAudience) {
-        this.validateAudience = validateAudience;
-    }
 }
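Review bot: In `getEncodedJwtToken` the guard indexes `parts[0]` before it checks `parts.length`, and `String.split(" ")` returns an empty array for a value made up only of spaces. Such an Authorization header would raise ArrayIndexOutOfBoundsException instead of the intended JoseException, unless the container trims the header first, which is not visible here. Checking the length first avoids that: `if (parts == null || parts.length != 2 || !expectedAuthScheme.equals(parts[0])) {`. The method now implements the abstract hook declared in AbstractJwtAuthenticationFilter and should carry `@Override`.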

http://git-wip-us.apache.org/repos/asf/cxf/blob/2582d395/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtCookieAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtCookieAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtCookieAuthenticationFilter.java
new file mode 100644
index 0000000..0b154ae
--- /dev/null
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtCookieAuthenticationFilter.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Cookie;
+
+import org.apache.cxf.rs.security.jose.common.JoseException;
+
+public class JwtCookieAuthenticationFilter extends AbstractJwtAuthenticationFilter {
+    private static final String DEFAULT_COOKIE_NAME = "access_token";
+    private String cookieName = DEFAULT_COOKIE_NAME;
+    
+    protected String getEncodedJwtToken(ContainerRequestContext requestContext) {
+        Cookie cookie = requestContext.getCookies().get(cookieName);
+        if (cookie == null || cookie.getValue() == null) {
+            throw new JoseException("JWT cookie is not available");
+        }
+        return cookie.getValue();
+    }
+    
+    public void setCookieName(String cookieName) {
+        this.cookieName = cookieName;
+    }
+}
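Review bot: The class has no Javadoc, and the one thing a deployer needs to know about it is missing: a token read from a cookie is attached by the browser automatically, including on cross-site requests, which is not the case for the Authorization header path in JwtAuthenticationFilter. I would add a class comment such as `/** Reads the JWT from a cookie (default "access_token"). Browsers send cookies automatically, so endpoints behind this filter need separate CSRF protection. */`. `getEncodedJwtToken` should also carry `@Override`, since it implements the abstract method of the base class.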

