cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: [CXF-7366] Optional protection of the selected HTTP headers with JWS Compact and JWS JSON filters
Date Wed, 10 May 2017 16:20:27 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 46768c066 -> 3b8e7c156


[CXF-7366] Optional protection of the selected HTTP headers with JWS Compact and JWS JSON
filters


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3b8e7c15
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3b8e7c15
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3b8e7c15

Branch: refs/heads/3.1.x-fixes
Commit: 3b8e7c156d703cfd363a4c5427592e38396a926a
Parents: 46768c0
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed May 10 17:13:54 2017 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed May 10 17:20:10 2017 +0100

----------------------------------------------------------------------
 .../jaxrs/AbstractJwsJsonReaderProvider.java    | 46 +++++++++++++++++-
 .../jose/jaxrs/AbstractJwsReaderProvider.java   | 49 ++++++++++++++++++++
 .../jose/jaxrs/JwsClientResponseFilter.java     |  5 ++
 .../jose/jaxrs/JwsContainerRequestFilter.java   |  8 +++-
 .../jaxrs/JwsJsonContainerRequestFilter.java    |  3 ++
 .../jose/jaxrs/JwsJsonWriterInterceptor.java    | 34 ++++++++++++++
 .../jose/jaxrs/JwsWriterInterceptor.java        | 37 +++++++++++++++
 .../security/jose/jwejws/JAXRSJweJwsTest.java   | 15 ++++--
 .../jaxrs/security/jose/jwejws/server.xml       | 16 +++++++
 9 files changed, 208 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
index 8555006..8185bc7 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
@@ -18,14 +18,22 @@
  */
 package org.apache.cxf.rs.security.jose.jaxrs;
 
+import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.logging.Logger;
 
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
+
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -33,7 +41,10 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public class AbstractJwsJsonReaderProvider {
     protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonReaderProvider.class);
-    
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean validateHttpHeaders;
     private JwsSignatureVerifier sigVerifier;
     private String defaultMediaType;
     private Map<String, Object> entryProps;
@@ -75,5 +86,38 @@ public class AbstractJwsJsonReaderProvider {
     public void setEntryProps(Map<String, Object> entryProps) {
         this.entryProps = entryProps;
     }
+
+    public void setValidateHttpHeaders(boolean validateHttpHeaders) {
+        this.validateHttpHeaders = validateHttpHeaders;
+    }
+    public boolean isValidateHttpHeaders() {
+        return validateHttpHeaders;
+    }
     
+    protected void validateHttpHeadersIfNeeded(MultivaluedMap<String, String> httpHeaders,
JwsHeaders jwsHeaders) {
+        Map<String, String> jwsHttpHeaders = new HashMap<String, String>();
+        Map<String, String> updatedHttpHeaders = new HashMap<String, String>();
+        final String prefix = "http.";
+        for (String headerName : protectedHttpHeaders) {
+            List<String> headerValues = httpHeaders.get(headerName);
+            if (headerValues != null) {
+                String headerValue = headerValues.size() > 1 ? headerValues.toString()
+                    : headerValues.get(0).toString();
+                String prefixedHeaderName = prefix + headerName;
+                updatedHttpHeaders.put(prefixedHeaderName, headerValue);
+                String jwsHeaderValue = jwsHeaders.getStringProperty(prefixedHeaderName);
+                if (jwsHeaderValue != null) {
+                    jwsHttpHeaders.put(prefixedHeaderName, jwsHeaderValue);
+                }    
+            }
+            
+        }
+        if (jwsHttpHeaders.size() != updatedHttpHeaders.size() 
+            || !jwsHttpHeaders.entrySet().containsAll(updatedHttpHeaders.entrySet())) { 
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
+        }
+    }
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 }
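Review bot: validateHttpHeadersIfNeeded only looks at protected headers that are present on the received message, so a header the sender signed as `http.<name>` but that is missing from `httpHeaders` is skipped and the two maps still compare equal. Removal of a signed header in transit therefore passes validation. Adding `else if (jwsHeaders.getStringProperty(prefix + headerName) != null) { throw new JwsException(JwsException.Error.INVALID_SIGNATURE); }` to the `if (headerValues != null)` statement would reject that case. The identical method added to AbstractJwsReaderProvider needs the same change.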

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
index 82e612c..5a58a49 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
@@ -18,12 +18,28 @@
  */
 package org.apache.cxf.rs.security.jose.jaxrs;
 
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
+
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public class AbstractJwsReaderProvider {
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean validateHttpHeaders;
+    
     private JwsSignatureVerifier sigVerifier;
     private String defaultMediaType;
     
@@ -46,5 +62,38 @@ public class AbstractJwsReaderProvider {
     public void setDefaultMediaType(String defaultMediaType) {
         this.defaultMediaType = defaultMediaType;
     }
+
+    public void setValidateHttpHeaders(boolean validateHttpHeaders) {
+        this.validateHttpHeaders = validateHttpHeaders;
+    }
+    public boolean isValidateHttpHeaders() {
+        return validateHttpHeaders;
+    }
     
+    protected void validateHttpHeadersIfNeeded(MultivaluedMap<String, String> httpHeaders,
JwsHeaders jwsHeaders) {
+        Map<String, String> jwsHttpHeaders = new HashMap<String, String>();
+        Map<String, String> updatedHttpHeaders = new HashMap<String, String>();
+        final String prefix = "http.";
+        for (String headerName : protectedHttpHeaders) {
+            List<String> headerValues = httpHeaders.get(headerName);
+            if (headerValues != null) {
+                String headerValue = headerValues.size() > 1 ? headerValues.toString()
+                    : headerValues.get(0).toString();
+                String prefixedHeaderName = prefix + headerName;
+                updatedHttpHeaders.put(prefixedHeaderName, headerValue);
+                String jwsHeaderValue = jwsHeaders.getStringProperty(prefixedHeaderName);
+                if (jwsHeaderValue != null) {
+                    jwsHttpHeaders.put(prefixedHeaderName, jwsHeaderValue);
+                }    
+            }
+            
+        }
+        if (jwsHttpHeaders.size() != updatedHttpHeaders.size() 
+            || !jwsHttpHeaders.entrySet().containsAll(updatedHttpHeaders.entrySet())) { 
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
+        }
+    }
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 }
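Review bot: Despite its name, validateHttpHeadersIfNeeded never reads the `validateHttpHeaders` flag, so every caller has to wrap it in `if (super.isValidateHttpHeaders())`, while the writer-side `protectHttpHeadersIfNeeded` tests its own flag. Starting the method with `if (!validateHttpHeaders) { return; }` would make the reader and writer sides consistent and keep the callers' guards harmless. The body is also a line-for-line copy of the method in AbstractJwsJsonReaderProvider; a shared static helper taking the header map, the JWS headers and the protected set would keep the two copies from drifting apart.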

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index bf9bbba..164a0ef 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -41,6 +41,7 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider implement
         if (!p.verifySignatureWith(theSigVerifier)) {
             throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
         }
+        
         byte[] bytes = p.getDecodedJwsPayloadBytes();
         res.setEntityStream(new ByteArrayInputStream(bytes));
         res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
@@ -48,6 +49,10 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider
implement
         if (ct != null) {
             res.getHeaders().putSingle("Content-Type", ct);
         }
+        
+        if (super.isValidateHttpHeaders()) {
+            super.validateHttpHeadersIfNeeded(res.getHeaders(), p.getJwsHeaders());
+        }
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index a238384..3c6956d 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -51,6 +51,7 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
impleme
             return;
         }
         JoseUtils.validateRequestContextProperty(p.getJwsHeaders());
+        
         byte[] bytes = p.getDecodedJwsPayloadBytes();
         context.setEntityStream(new ByteArrayInputStream(bytes));
         context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
@@ -59,8 +60,13 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
impleme
         if (ct != null) {
             context.getHeaders().putSingle("Content-Type", ct);
         }
+
+        if (super.isValidateHttpHeaders()) {
+            super.validateHttpHeadersIfNeeded(context.getHeaders(), p.getJwsHeaders());
+        }
         
-        Principal currentPrincipal = context.getSecurityContext().getUserPrincipal(); 
+        Principal currentPrincipal = context.getSecurityContext().getUserPrincipal();
+
         if (currentPrincipal == null || currentPrincipal.getName() == null) {
             SecurityContext securityContext = configureSecurityContext(theSigVerifier);
             if (securityContext != null) {
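Review bot: The header check added here runs after `context.getHeaders().putSingle("Content-Type", ct)`, so for Content-Type it compares the signed `http.Content-Type` value with what the filter has just written rather than with the header that arrived on the wire. `ct` is assigned outside the hunk; if it is taken from the JWS headers, as the surrounding code suggests, both sides of that comparison come from the signed token. The ordering may be intended, but it deserves a comment above the call, for example `// Content-Type was replaced above; the wire value is not what is validated here`. JwsClientResponseFilter and JwsJsonContainerRequestFilter place their calls at the same point, and the enclosing method starts and ends outside this hunk.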

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index 56cf430..e4bbb03 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -62,5 +62,8 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
         if (ct != null) {
             context.getHeaders().putSingle("Content-Type", ct);
         }
+        if (super.isValidateHttpHeaders()) {
+            super.validateHttpHeadersIfNeeded(context.getHeaders(), sigEntry.getProtectedHeader());
+        }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
index dc99b7c..38e1529 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
@@ -22,11 +22,16 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import javax.annotation.Priority;
 import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.ext.WriterInterceptor;
 import javax.ws.rs.ext.WriterInterceptorContext;
 
@@ -46,6 +51,10 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 
 @Priority(Priorities.JWS_WRITE_PRIORITY)
 public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider implements WriterInterceptor
{
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean protectHttpHeaders;
     private JsonMapObjectReaderWriter writer = new JsonMapObjectReaderWriter();
     private boolean contentTypeRequired = true;
     private boolean useJwsOutputStream;
@@ -109,6 +118,7 @@ public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider
impl
         if (!encodePayload) {
             headers.setPayloadEncodingStatus(false);
         }
+        protectHttpHeadersIfNeeded(ctx, headers);
         return headers;
     }
     
@@ -136,4 +146,28 @@ public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider
impl
         this.encodePayload = encodePayload;
     }
     
+    protected void protectHttpHeadersIfNeeded(WriterInterceptorContext ctx, JwsHeaders jwsHeaders)
{
+        if (protectHttpHeaders) {
+            final String prefix = "http.";
+            MultivaluedMap<String, Object> httpHeaders = ctx.getHeaders(); 
+            for (String headerName : protectedHttpHeaders) {
+                List<Object> headerValues = httpHeaders.get(headerName);
+                if (headerValues != null) {
+                    String jwsHeaderValue = headerValues.size() > 1 ? headerValues.toString()
+                        : headerValues.get(0).toString();
+                    String prefixedHeaderName = prefix + headerName;
+                    jwsHeaders.setHeader(prefixedHeaderName, jwsHeaderValue);
+                }
+            }
+        }
+        
+    }
+
+    public void setProtectHttpHeaders(boolean protectHttpHeaders) {
+        this.protectHttpHeaders = protectHttpHeaders;
+    }
+
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 }
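Review bot: `headerValues.get(0)` in protectHttpHeadersIfNeeded throws IndexOutOfBoundsException when a protected header maps to an empty list, because the guard only tests for null; `if (headerValues != null && !headerValues.isEmpty())` avoids that. Multi-valued headers are signed as `headerValues.toString()`, that is the `[a, b]` rendering of the list built from each element's own `toString()`, and the reader has to reproduce exactly that string from its `List<String>`. A comment stating that this rendering is part of the signed contract would help, since any difference between an object's `toString()` and its wire form shows up as a signature failure. JwsWriterInterceptor and the two reader providers contain the same two lines.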

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
index ccf122e..9b9cd6d 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
@@ -21,10 +21,16 @@ package org.apache.cxf.rs.security.jose.jaxrs;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
 import javax.annotation.Priority;
 import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.ext.WriterInterceptor;
 import javax.ws.rs.ext.WriterInterceptorContext;
 
@@ -45,10 +51,16 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 
 @Priority(Priorities.JWS_WRITE_PRIORITY)
 public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements WriterInterceptor
{
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean protectHttpHeaders;
+    
     private boolean contentTypeRequired = true;
     private boolean useJwsOutputStream;
     private boolean encodePayload = true;
     private JsonMapObjectReaderWriter writer = new JsonMapObjectReaderWriter();
+    
     @Override
     public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException
{
         if (ctx.getEntity() == null) {
@@ -61,6 +73,7 @@ public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements
W
         if (!encodePayload) {
             headers.setPayloadEncodingStatus(false);
         }
+        protectHttpHeadersIfNeeded(ctx, headers);
         OutputStream actualOs = ctx.getOutputStream();
         if (useJwsOutputStream) {
             JwsSignature jwsSignature = sigProvider.createJwsSignature(headers);
@@ -121,4 +134,28 @@ public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements
W
     public void setEncodePayload(boolean encodePayload) {
         this.encodePayload = encodePayload;
     }
+    protected void protectHttpHeadersIfNeeded(WriterInterceptorContext ctx, JwsHeaders jwsHeaders)
{
+        if (protectHttpHeaders) {
+            final String prefix = "http.";
+            MultivaluedMap<String, Object> httpHeaders = ctx.getHeaders(); 
+            for (String headerName : protectedHttpHeaders) {
+                List<Object> headerValues = httpHeaders.get(headerName);
+                if (headerValues != null) {
+                    String jwsHeaderValue = headerValues.size() > 1 ? headerValues.toString()
+                        : headerValues.get(0).toString();
+                    String prefixedHeaderName = prefix + headerName;
+                    jwsHeaders.setHeader(prefixedHeaderName, jwsHeaderValue);
+                }
+            }
+        }
+        
+    }
+
+    public void setProtectHttpHeaders(boolean protectHttpHeaders) {
+        this.protectHttpHeaders = protectHttpHeaders;
+    }
+
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 }
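Review bot: setProtectedHttpHeaders stores the caller's set by reference and accepts null, so a null argument only surfaces later as a NullPointerException in the `for` loop of protectHttpHeadersIfNeeded, and a caller that modifies the set afterwards changes which headers get signed. `this.protectedHttpHeaders = new HashSet<String>(protectedHttpHeaders);` copies the set and fails at configuration time instead. The shared default `DEFAULT_PROTECTED_HTTP_HEADERS`, declared in an earlier hunk of this file, is a mutable static HashSet and could be wrapped with `Collections.unmodifiableSet`, which would need a `java.util.Collections` import in this file. The same setter is added to JwsJsonWriterInterceptor, AbstractJwsReaderProvider and AbstractJwsJsonReaderProvider.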

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
index bb5127b..7d22c4a 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
@@ -254,9 +254,16 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase
{
         assertEquals("book", text);
     }
     @Test
+    public void testJwsJwkPlainTextHMacHttpHeaders() throws Exception {
+        String address = "https://localhost:" + PORT + "/jwsjwkhmacHttpHeaders";
+        BookStore bs = createJwsBookStore(address, null, true, true);
+        String text = bs.echoText("book");
+        assertEquals("book", text);
+    }
+    @Test
     public void testJwsJwkPlainTextHMacUnencoded() throws Exception {
         String address = "https://localhost:" + PORT + "/jwsjwkhmac";
-        BookStore bs = createJwsBookStore(address, null, false);
+        BookStore bs = createJwsBookStore(address, null, false, false);
         String text = bs.echoText("book");
         assertEquals("book", text);
     }
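Review bot: testJwsJwkPlainTextHMacHttpHeaders covers only the case where the client protects the headers and the server accepts them, so a validator that accepted every request would still pass. A second test against `/jwsjwkhmacHttpHeaders` that builds the client with `createJwsBookStore(address, null, true, false)` and expects the call to be rejected would pin the failure path of `validateHttpHeaders`. A case where the signed value and the sent header differ would be worth adding as well if the test client allows it.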
@@ -271,11 +278,12 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase
{
     }
     private BookStore createJwsBookStore(String address, 
                                          List<?> mbProviders) throws Exception {
-        return createJwsBookStore(address, mbProviders, true);
+        return createJwsBookStore(address, mbProviders, true, false);
     }
     private BookStore createJwsBookStore(String address, 
                                          List<?> mbProviders,
-                                         boolean encodePayload) throws Exception {
+                                         boolean encodePayload,
+                                         boolean protectHttpHeaders) throws Exception {
         JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
@@ -285,6 +293,7 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
         bean.setAddress(address);
         List<Object> providers = new LinkedList<Object>();
         JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
+        jwsWriter.setProtectHttpHeaders(protectHttpHeaders);
         jwsWriter.setEncodePayload(encodePayload);
         jwsWriter.setUseJwsOutputStream(true);
         providers.add(jwsWriter);

http://git-wip-us.apache.org/repos/asf/cxf/blob/3b8e7c15/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
index 873b11e..8e99760 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
@@ -72,6 +72,9 @@ under the License.
        <property name="signatureVerifier" ref="hmacSigVerifier"/>
     </bean>
     <bean id="jwsInFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter"/>
+    <bean id="jwsInFilterHttpHeaders" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter">
+        <property name="validateHttpHeaders" value="true"/>
+    </bean>
     <bean id="jwsOutFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsWriterInterceptor"/>
     <bean id="keyPasswordProvider" class="org.apache.cxf.systest.jaxrs.security.jose.jwejws.PrivateKeyPasswordProviderImpl"/>
     <bean id="keyPasswordProvider2" class="org.apache.cxf.systest.jaxrs.security.jose.jwejws.PrivateKeyPasswordProviderImpl">
@@ -207,6 +210,19 @@ under the License.
             <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
         </jaxrs:properties>
     </jaxrs:server>
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jwsjwkhmacHttpHeaders">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="jwsInFilterHttpHeaders"/>
+            <ref bean="jwsOutFilter"/>
+            <ref bean="jackson"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jwsjwkec">
         <jaxrs:serviceBeans>
             <ref bean="serviceBean"/>

