cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: [CXF-7366] Optional protection of the selected HTTP headers with JWS Compact and JWS JSON filters
Date Wed, 10 May 2017 16:14:10 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 2f25e4d74 -> f40e11663


[CXF-7366] Optional protection of the selected HTTP headers with JWS Compact and JWS JSON
filters


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f40e1166
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f40e1166
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f40e1166

Branch: refs/heads/master
Commit: f40e11663072ee940dd412821c3ab98230445e5a
Parents: 2f25e4d
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed May 10 17:13:54 2017 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed May 10 17:13:54 2017 +0100

----------------------------------------------------------------------
 .../jaxrs/AbstractJwsJsonReaderProvider.java    | 48 +++++++++++++++++-
 .../jose/jaxrs/AbstractJwsReaderProvider.java   | 51 +++++++++++++++++++-
 .../jose/jaxrs/JwsClientResponseFilter.java     |  5 ++
 .../jose/jaxrs/JwsContainerRequestFilter.java   |  5 ++
 .../jaxrs/JwsJsonContainerRequestFilter.java    |  3 ++
 .../jose/jaxrs/JwsJsonWriterInterceptor.java    | 35 ++++++++++++++
 .../jose/jaxrs/JwsWriterInterceptor.java        | 37 ++++++++++++++
 .../security/jose/jwejws/JAXRSJweJwsTest.java   | 15 ++++--
 .../jaxrs/security/jose/jwejws/server.xml       | 16 ++++++
 9 files changed, 209 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
index 0b986a9..c772714 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
@@ -18,14 +18,22 @@
  */
 package org.apache.cxf.rs.security.jose.jaxrs;
 
+import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.logging.Logger;
 
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
+
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -33,11 +41,14 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public class AbstractJwsJsonReaderProvider {
     protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonReaderProvider.class);
-
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean validateHttpHeaders;
     private JwsSignatureVerifier sigVerifier;
     private String defaultMediaType;
     private Map<String, Object> entryProps;
-
+    
     public void setSignatureVerifier(JwsSignatureVerifier signatureVerifier) {
         this.sigVerifier = signatureVerifier;
     }
@@ -76,4 +87,37 @@ public class AbstractJwsJsonReaderProvider {
         this.entryProps = entryProps;
     }
 
+    public void setValidateHttpHeaders(boolean validateHttpHeaders) {
+        this.validateHttpHeaders = validateHttpHeaders;
+    }
+    public boolean isValidateHttpHeaders() {
+        return validateHttpHeaders;
+    }
+    
+    protected void validateHttpHeadersIfNeeded(MultivaluedMap<String, String> httpHeaders,
JwsHeaders jwsHeaders) {
+        Map<String, String> jwsHttpHeaders = new HashMap<String, String>();
+        Map<String, String> updatedHttpHeaders = new HashMap<String, String>();
+        final String prefix = "http.";
+        for (String headerName : protectedHttpHeaders) {
+            List<String> headerValues = httpHeaders.get(headerName);
+            if (headerValues != null) {
+                String headerValue = headerValues.size() > 1 ? headerValues.toString()
+                    : headerValues.get(0).toString();
+                String prefixedHeaderName = prefix + headerName;
+                updatedHttpHeaders.put(prefixedHeaderName, headerValue);
+                String jwsHeaderValue = jwsHeaders.getStringProperty(prefixedHeaderName);
+                if (jwsHeaderValue != null) {
+                    jwsHttpHeaders.put(prefixedHeaderName, jwsHeaderValue);
+                }    
+            }
+            
+        }
+        if (jwsHttpHeaders.size() != updatedHttpHeaders.size() 
+            || !jwsHttpHeaders.entrySet().containsAll(updatedHttpHeaders.entrySet())) { 
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
+        }
+    }
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 }
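Review bot: In `validateHttpHeadersIfNeeded`, a protected header that is absent from `httpHeaders` is skipped entirely by `if (headerValues != null)`, so a message whose JWS headers carry `http.Content-Type` or `http.Accept` but which arrives without that HTTP header still passes: both maps stay empty and the final comparison succeeds. Removal of a signed header in transit is therefore not detected. An empty value list would also throw `IndexOutOfBoundsException` from `get(0)` rather than a `JwsException`. Comparing header by header and treating signed-but-missing as a mismatch covers both cases; the identical method added to AbstractJwsReaderProvider in this commit needs the same change.

```java
protected void validateHttpHeadersIfNeeded(MultivaluedMap<String, String> httpHeaders,
                                           JwsHeaders jwsHeaders) {
    final String prefix = "http.";
    for (String headerName : protectedHttpHeaders) {
        String signedValue = jwsHeaders.getStringProperty(prefix + headerName);
        List<String> headerValues = httpHeaders.get(headerName);
        String actualValue = null;
        if (headerValues != null && !headerValues.isEmpty()) {
            actualValue = headerValues.size() > 1 ? headerValues.toString() : headerValues.get(0);
        }
        // Signed but missing on the message, or present but unsigned, is a mismatch.
        if (signedValue == null ? actualValue != null : !signedValue.equals(actualValue)) {
            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
        }
    }
}
```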

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
index 8a630b7..1780574 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
@@ -18,15 +18,31 @@
  */
 package org.apache.cxf.rs.security.jose.jaxrs;
 
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
+
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public class AbstractJwsReaderProvider {
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean validateHttpHeaders;
+    
     private JwsSignatureVerifier sigVerifier;
     private String defaultMediaType;
-
+    
     public void setSignatureVerifier(JwsSignatureVerifier signatureVerifier) {
         this.sigVerifier = signatureVerifier;
     }
@@ -47,4 +63,37 @@ public class AbstractJwsReaderProvider {
         this.defaultMediaType = defaultMediaType;
     }
 
+    public void setValidateHttpHeaders(boolean validateHttpHeaders) {
+        this.validateHttpHeaders = validateHttpHeaders;
+    }
+    public boolean isValidateHttpHeaders() {
+        return validateHttpHeaders;
+    }
+    
+    protected void validateHttpHeadersIfNeeded(MultivaluedMap<String, String> httpHeaders,
JwsHeaders jwsHeaders) {
+        Map<String, String> jwsHttpHeaders = new HashMap<String, String>();
+        Map<String, String> updatedHttpHeaders = new HashMap<String, String>();
+        final String prefix = "http.";
+        for (String headerName : protectedHttpHeaders) {
+            List<String> headerValues = httpHeaders.get(headerName);
+            if (headerValues != null) {
+                String headerValue = headerValues.size() > 1 ? headerValues.toString()
+                    : headerValues.get(0).toString();
+                String prefixedHeaderName = prefix + headerName;
+                updatedHttpHeaders.put(prefixedHeaderName, headerValue);
+                String jwsHeaderValue = jwsHeaders.getStringProperty(prefixedHeaderName);
+                if (jwsHeaderValue != null) {
+                    jwsHttpHeaders.put(prefixedHeaderName, jwsHeaderValue);
+                }    
+            }
+            
+        }
+        if (jwsHttpHeaders.size() != updatedHttpHeaders.size() 
+            || !jwsHttpHeaders.entrySet().containsAll(updatedHttpHeaders.entrySet())) { 
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
+        }
+    }
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 }
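Review bot: `validateHttpHeadersIfNeeded` never consults `validateHttpHeaders` despite its name; every caller has to wrap it in `if (super.isValidateHttpHeaders())`, whereas the writer-side `protectHttpHeadersIfNeeded` checks its own flag. Moving the guard inside, `if (!validateHttpHeaders) { return; }`, would make the two sides consistent and remove the chance of a future caller validating unconditionally or forgetting the check. The fields and the method here are also a line-for-line copy of what this commit adds to AbstractJwsJsonReaderProvider; a shared static helper taking the protected set and both header maps would keep the two readers from drifting apart.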

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index bf9bbba..164a0ef 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -41,6 +41,7 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider implement
         if (!p.verifySignatureWith(theSigVerifier)) {
             throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
         }
+        
         byte[] bytes = p.getDecodedJwsPayloadBytes();
         res.setEntityStream(new ByteArrayInputStream(bytes));
         res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
@@ -48,6 +49,10 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider
implement
         if (ct != null) {
             res.getHeaders().putSingle("Content-Type", ct);
         }
+        
+        if (super.isValidateHttpHeaders()) {
+            super.validateHttpHeadersIfNeeded(res.getHeaders(), p.getJwsHeaders());
+        }
     }
 
 }
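Review bot: The header check runs after `res.getHeaders().putSingle("Content-Type", ct)`, so for Content-Type it compares `http.Content-Type` against a value this filter has just written, not against what was received. Where `ct` comes from is outside the hunk; if it is derived from the JWS content-type header, both sides of the comparison come from the same signed header set and the check says nothing about the Content-Type on the wire. That ordering looks deliberate, since the wire value would be the JOSE media type, but it deserves a comment such as `// Content-Type is validated after being restored from the JWS headers; only the other protected headers are compared with received values`. The same ordering appears in the JwsContainerRequestFilter and JwsJsonContainerRequestFilter hunks.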

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index dcd0fc1..7992fd0 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -51,6 +51,7 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
impleme
             return;
         }
         JoseUtils.validateRequestContextProperty(p.getJwsHeaders());
+        
         byte[] bytes = p.getDecodedJwsPayloadBytes();
         context.setEntityStream(new ByteArrayInputStream(bytes));
         context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
@@ -60,6 +61,10 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
impleme
             context.getHeaders().putSingle("Content-Type", ct);
         }
 
+        if (super.isValidateHttpHeaders()) {
+            super.validateHttpHeadersIfNeeded(context.getHeaders(), p.getJwsHeaders());
+        }
+        
         Principal currentPrincipal = context.getSecurityContext().getUserPrincipal();
         if (currentPrincipal == null || currentPrincipal.getName() == null) {
             SecurityContext securityContext = configureSecurityContext(theSigVerifier);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index 0519e25..68a1267 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -62,5 +62,8 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
         if (ct != null) {
             context.getHeaders().putSingle("Content-Type", ct);
         }
+        if (super.isValidateHttpHeaders()) {
+            super.validateHttpHeadersIfNeeded(context.getHeaders(), sigEntry.getProtectedHeader());
+        }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
index 1a5848d..0f3bebe 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
@@ -22,11 +22,16 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import javax.annotation.Priority;
 import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.ext.WriterInterceptor;
 import javax.ws.rs.ext.WriterInterceptorContext;
 
@@ -46,6 +51,10 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 
 @Priority(Priorities.JWS_WRITE_PRIORITY)
 public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider implements WriterInterceptor
{
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean protectHttpHeaders;
     private JsonMapObjectReaderWriter writer = new JsonMapObjectReaderWriter();
     private boolean contentTypeRequired = true;
     private boolean useJwsOutputStream;
@@ -109,6 +118,7 @@ public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider
impl
         if (!encodePayload) {
             headers.setPayloadEncodingStatus(false);
         }
+        protectHttpHeadersIfNeeded(ctx, headers);
         return headers;
     }
 
@@ -135,5 +145,30 @@ public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider
impl
     public void setEncodePayload(boolean encodePayload) {
         this.encodePayload = encodePayload;
     }
+    
+    protected void protectHttpHeadersIfNeeded(WriterInterceptorContext ctx, JwsHeaders jwsHeaders)
{
+        if (protectHttpHeaders) {
+            final String prefix = "http.";
+            MultivaluedMap<String, Object> httpHeaders = ctx.getHeaders(); 
+            for (String headerName : protectedHttpHeaders) {
+                List<Object> headerValues = httpHeaders.get(headerName);
+                if (headerValues != null) {
+                    String jwsHeaderValue = headerValues.size() > 1 ? headerValues.toString()
+                        : headerValues.get(0).toString();
+                    String prefixedHeaderName = prefix + headerName;
+                    jwsHeaders.setHeader(prefixedHeaderName, jwsHeaderValue);
+                }
+            }
+        }
+        
+    }
+
+    public void setProtectHttpHeaders(boolean protectHttpHeaders) {
+        this.protectHttpHeaders = protectHttpHeaders;
+    }
+
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 
 }
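Review bot: In `protectHttpHeadersIfNeeded`, a multi-valued header is signed as `headerValues.toString()`, i.e. the Java collection rendering `[a, b]`, which is not a defined canonical form. A non-CXF peer has to reproduce that exact formatting to validate, and a single value that literally reads `[a, b]` is indistinguishable from two separate values. An explicit, documented join would be safer, provided the reader side is changed to build the same string. At minimum the Javadoc on `setProtectedHttpHeaders` should state the format and that header names are matched as given. The same code is added to JwsWriterInterceptor and mirrored in both reader providers.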

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
index 38ba470..75c655e 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
@@ -21,10 +21,16 @@ package org.apache.cxf.rs.security.jose.jaxrs;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
 import javax.annotation.Priority;
 import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.ext.WriterInterceptor;
 import javax.ws.rs.ext.WriterInterceptorContext;
 
@@ -45,10 +51,16 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 
 @Priority(Priorities.JWS_WRITE_PRIORITY)
 public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements WriterInterceptor
{
+    private static final Set<String> DEFAULT_PROTECTED_HTTP_HEADERS = 
+        new HashSet<String>(Arrays.asList(HttpHeaders.CONTENT_TYPE, HttpHeaders.ACCEPT));
+    private Set<String> protectedHttpHeaders = DEFAULT_PROTECTED_HTTP_HEADERS;
+    private boolean protectHttpHeaders;
+    
     private boolean contentTypeRequired = true;
     private boolean useJwsOutputStream;
     private boolean encodePayload = true;
     private JsonMapObjectReaderWriter writer = new JsonMapObjectReaderWriter();
+    
     @Override
     public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException
{
         if (ctx.getEntity() == null) {
@@ -61,6 +73,7 @@ public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements
W
         if (!encodePayload) {
             headers.setPayloadEncodingStatus(false);
         }
+        protectHttpHeadersIfNeeded(ctx, headers);
         OutputStream actualOs = ctx.getOutputStream();
         if (useJwsOutputStream) {
             JwsSignature jwsSignature = sigProvider.createJwsSignature(headers);
@@ -121,4 +134,28 @@ public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements
W
     public void setEncodePayload(boolean encodePayload) {
         this.encodePayload = encodePayload;
     }
+    protected void protectHttpHeadersIfNeeded(WriterInterceptorContext ctx, JwsHeaders jwsHeaders)
{
+        if (protectHttpHeaders) {
+            final String prefix = "http.";
+            MultivaluedMap<String, Object> httpHeaders = ctx.getHeaders(); 
+            for (String headerName : protectedHttpHeaders) {
+                List<Object> headerValues = httpHeaders.get(headerName);
+                if (headerValues != null) {
+                    String jwsHeaderValue = headerValues.size() > 1 ? headerValues.toString()
+                        : headerValues.get(0).toString();
+                    String prefixedHeaderName = prefix + headerName;
+                    jwsHeaders.setHeader(prefixedHeaderName, jwsHeaderValue);
+                }
+            }
+        }
+        
+    }
+
+    public void setProtectHttpHeaders(boolean protectHttpHeaders) {
+        this.protectHttpHeaders = protectHttpHeaders;
+    }
+
+    public void setProtectedHttpHeaders(Set<String> protectedHttpHeaders) {
+        this.protectedHttpHeaders = protectedHttpHeaders;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
index 2b2b38a..3105777 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java
@@ -254,9 +254,16 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase
{
         assertEquals("book", text);
     }
     @Test
+    public void testJwsJwkPlainTextHMacHttpHeaders() throws Exception {
+        String address = "https://localhost:" + PORT + "/jwsjwkhmacHttpHeaders";
+        BookStore bs = createJwsBookStore(address, null, true, true);
+        String text = bs.echoText("book");
+        assertEquals("book", text);
+    }
+    @Test
     public void testJwsJwkPlainTextHMacUnencoded() throws Exception {
         String address = "https://localhost:" + PORT + "/jwsjwkhmac";
-        BookStore bs = createJwsBookStore(address, null, false);
+        BookStore bs = createJwsBookStore(address, null, false, false);
         String text = bs.echoText("book");
         assertEquals("book", text);
     }
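Review bot: `testJwsJwkPlainTextHMacHttpHeaders` only exercises the success path, so nothing in the suite shows that `validateHttpHeaders` rejects anything. A companion test that calls the `/jwsjwkhmacHttpHeaders` address with `createJwsBookStore(address, null, true, false)` and expects the request to fail would pin the case where the sender did not sign the headers. A second one, where a protected header is changed after signing, would pin the mismatch case. The JWS JSON filter and the client response filter get the same validation hook in this commit but have no test coverage here.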
@@ -271,11 +278,12 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase
{
     }
     private BookStore createJwsBookStore(String address,
                                          List<?> mbProviders) throws Exception {
-        return createJwsBookStore(address, mbProviders, true);
+        return createJwsBookStore(address, mbProviders, true, false);
     }
     private BookStore createJwsBookStore(String address,
                                          List<?> mbProviders,
-                                         boolean encodePayload) throws Exception {
+                                         boolean encodePayload,
+                                         boolean protectHttpHeaders) throws Exception {
         JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
@@ -285,6 +293,7 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
         bean.setAddress(address);
         List<Object> providers = new LinkedList<Object>();
         JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
+        jwsWriter.setProtectHttpHeaders(protectHttpHeaders);
         jwsWriter.setEncodePayload(encodePayload);
         jwsWriter.setUseJwsOutputStream(true);
         providers.add(jwsWriter);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f40e1166/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
index df959aa..abc315b 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
@@ -72,6 +72,9 @@ under the License.
        <property name="signatureVerifier" ref="hmacSigVerifier"/>
     </bean>
     <bean id="jwsInFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter"/>
+    <bean id="jwsInFilterHttpHeaders" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter">
+        <property name="validateHttpHeaders" value="true"/>
+    </bean>
     <bean id="jwsOutFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsWriterInterceptor"/>
     <bean id="keyPasswordProvider" class="org.apache.cxf.systest.jaxrs.security.jose.jwejws.PrivateKeyPasswordProviderImpl"/>
     <bean id="keyPasswordProvider2" class="org.apache.cxf.systest.jaxrs.security.jose.jwejws.PrivateKeyPasswordProviderImpl">
@@ -207,6 +210,19 @@ under the License.
             <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
         </jaxrs:properties>
     </jaxrs:server>
+    <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jwsjwkhmacHttpHeaders">
+        <jaxrs:serviceBeans>
+            <ref bean="serviceBean"/>
+        </jaxrs:serviceBeans>
+        <jaxrs:providers>
+            <ref bean="jwsInFilterHttpHeaders"/>
+            <ref bean="jwsOutFilter"/>
+            <ref bean="jackson"/>
+        </jaxrs:providers>
+        <jaxrs:properties>
+            <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
+        </jaxrs:properties>
+    </jaxrs:server>
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jwsjwkec">
         <jaxrs:serviceBeans>
             <ref bean="serviceBean"/>

