From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: [CXF-7407] Adding the helpers for protecting a non-JWT content Date: Wed, 14 Jun 2017 15:52:41 +0000 (UTC) archived-at: Wed, 14 Jun 2017 15:52:44 -0000 Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 07ee787c4 -> 0e83d4aa1 [CXF-7407] Adding the helpers for protecting a non-JWT content Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0e83d4aa Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0e83d4aa Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0e83d4aa Branch: refs/heads/3.1.x-fixes Commit: 0e83d4aa188aea124bce5cbce92fab125ced3769 Parents: 07ee787 Author: Sergey Beryozkin Authored: Wed Jun 14 16:38:55 2017 +0100 Committer: Sergey Beryozkin Committed: Wed Jun 14 16:52:24 2017 +0100 ---------------------------------------------------------------------- .../jose/common/AbstractJoseConsumer.java | 25 +++++++- .../jose/common/AbstractJoseProducer.java | 24 ++++++++ .../rs/security/jose/common/JoseConsumer.java | 62 ++++++++++++++++++++ .../rs/security/jose/common/JoseProducer.java | 61 +++++++++++++++++++ .../jose/common/JoseProducerConsumer.java | 39 ++++++++++++ .../rs/security/jose/jwt/JoseJwtConsumer.java | 23 +------- .../rs/security/jose/jwt/JoseJwtProducer.java | 29 ++------- .../jose/jwt/JoseJwtProducerConsumer.java | 39 ++++++++++++ 8 files changed, 256 insertions(+), 46 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java index b8454b0..fbb5292 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java @@ -26,6 +26,8 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; import org.apache.cxf.rs.security.jose.jws.JwsUtils; public abstract class AbstractJoseConsumer { + private boolean jwsRequired = true; + private boolean jweRequired; private JweDecryptionProvider jweDecryptor; private JwsSignatureVerifier jwsVerifier; @@ -59,4 +61,25 @@ public abstract class AbstractJoseConsumer { return JwsUtils.loadSignatureVerifier(jwsHeaders, false); } -} \ No newline at end of file + public boolean isJwsRequired() { + return jwsRequired; + } + + public void setJwsRequired(boolean jwsRequired) { + this.jwsRequired = jwsRequired; + } + + public boolean isJweRequired() { + return jweRequired; + } + + public void setJweRequired(boolean jweRequired) { + this.jweRequired = jweRequired; + } + + protected void checkProcessRequirements() { + if (!isJwsRequired() && !isJweRequired()) { + throw new JoseException("Unable to process the data"); + } + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseProducer.java index bad28f1..ba31ec6 100644 
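Review bot: `setJwsRequired(...)` and `setJweRequired(...)` are now public switches on the shared base class, but neither they nor `checkProcessRequirements()` document the security effect or the defaults (`jwsRequired = true`, `jweRequired` false). I would add Javadoc on the setters, for example `/** When false, signature verification is skipped; only accepted together with jweRequired = true. */`, and on the guard, `/** Rejects a configuration in which neither JWS nor JWE protection is required. */`. The exception text "Unable to process the data" gives an operator no hint that the cause is configuration; something like `throw new JoseException("Either JWS or JWE protection must be required");` is easier to diagnose. The same fields, accessors and guard are added verbatim to AbstractJoseProducer in the next file section, so the same comments apply there; the class body starts outside these hunks.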
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseProducer.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseProducer.java @@ -26,6 +26,8 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; import org.apache.cxf.rs.security.jose.jws.JwsUtils; public abstract class AbstractJoseProducer { + private boolean jwsRequired = true; + private boolean jweRequired; private JwsSignatureProvider sigProvider; private JweEncryptionProvider encryptionProvider; @@ -50,4 +52,26 @@ public abstract class AbstractJoseProducer { public void setSignatureProvider(JwsSignatureProvider signatureProvider) { this.sigProvider = signatureProvider; } + + public boolean isJwsRequired() { + return jwsRequired; + } + + public void setJwsRequired(boolean jwsRequired) { + this.jwsRequired = jwsRequired; + } + + public boolean isJweRequired() { + return jweRequired; + } + + public void setJweRequired(boolean jweRequired) { + this.jweRequired = jweRequired; + } + + protected void checkProcessRequirements() { + if (!isJwsRequired() && !isJweRequired()) { + throw new JoseException("Unable to process the data"); + } + } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConsumer.java new file mode 100644 index 0000000..7bfda94b --- /dev/null +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConsumer.java 
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.common;
+
+import org.apache.cxf.rs.security.jose.jwe.JweCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
+
+public class JoseConsumer extends AbstractJoseConsumer {
+
+ public String getData(String data) {
+ super.checkProcessRequirements();
+
+ if (isJweRequired()) {
+ JweCompactConsumer jweConsumer = new JweCompactConsumer(data);
+
+ JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider(jweConsumer.getJweHeaders());
+ if (theDecryptor == null) {
+ throw new JwtException("Unable to decrypt JWT");
+ }
+
+ if (!isJwsRequired()) {
+ return jweConsumer.getDecryptedContentText(theDecryptor);
+ }
+
+ JweDecryptionOutput decOutput = theDecryptor.decrypt(data);
+ data = decOutput.getContentText();
+ }
+
+ JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(data);
+ if (isJwsRequired()) {
+ JwsSignatureVerifier theSigVerifier = getInitializedSignatureVerifier(jwsConsumer.getJwsHeaders());
+ if (theSigVerifier == null) {
+ throw new JwtException("Unable to validate JWT");
+ }
+
+ if (!jwsConsumer.verifySignatureWith(theSigVerifier)) {
+ throw new JwtException("Invalid Signature");
+ }
+ }
+ return jwsConsumer.getDecodedJwsPayload();
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducer.java
new file mode 100644
index 0000000..0f602b7
--- /dev/null
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducer.java
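Review bot: In `JoseConsumer.getData` the final `return jwsConsumer.getDecodedJwsPayload();` sits outside the `if (isJwsRequired())` block, so signature verification is enforced only indirectly, by `checkProcessRequirements()` plus the early return in the JWE branch. `isJwsRequired()` and the `protected` guard are both overridable, and the flags are re-read several times through unsynchronised setters, so a subclass or a concurrent `setJwsRequired(false)` could reach that return with an unverified payload. Reading the two flags once into locals and dropping the `if (isJwsRequired())` wrapper, so that the verifier lookup and `verifySignatureWith` always run before the payload is decoded, makes the method fail closed. Separately, this `common` class for non-JWT content throws `JwtException` with messages such as "Unable to decrypt JWT", while `JoseProducer` throws `JoseException`; `throw new JoseException("Unable to decrypt the data");` would keep the pair consistent.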
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.common;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+
+public class JoseProducer extends AbstractJoseProducer {
+
+ public String processData(String data) {
+ super.checkProcessRequirements();
+
+ JweEncryptionProvider theEncProvider = null;
+ JweHeaders jweHeaders = new JweHeaders();
+ if (isJweRequired()) {
+ theEncProvider = getInitializedEncryptionProvider(jweHeaders);
+ if (theEncProvider == null) {
+ throw new JoseException("Unable to encrypt the data");
+ }
+ }
+
+ if (isJwsRequired()) {
+ JwsHeaders jwsHeaders = new JwsHeaders();
+ JwsCompactProducer jws = new JwsCompactProducer(jwsHeaders, data);
+
+ JwsSignatureProvider theSigProvider = getInitializedSignatureProvider(jwsHeaders);
+
+ if (theSigProvider == null) {
+ throw new JoseException("Unable to sign the data");
+ }
+
+ data = jws.signWith(theSigProvider);
+
+ }
+ if (theEncProvider != null) {
+ data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), jweHeaders);
+ }
+ return data;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducerConsumer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducerConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducerConsumer.java
new file mode 100644
index 0000000..f0e8237
--- /dev/null
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseProducerConsumer.java
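Review bot: `JoseProducer.processData` is new public API without Javadoc, and the order of operations matters to callers: with both flags set the input is signed first and the signed output is then encrypted, otherwise only one of the two steps runs. I would document that on the method, together with the `JoseException` thrown when no signature or encryption provider can be initialised. `data` also reaches `new JwsCompactProducer(jwsHeaders, data)` and `StringUtils.toBytesUTF8(data)` without a null check, so an explicit guard at the top, e.g. `if (data == null) { throw new JoseException("No data to protect"); }`, would fail more clearly than whatever those calls do with null.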
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.common;
+
+public class JoseProducerConsumer {
+
+ private JoseProducer producer = new JoseProducer();
+ private JoseConsumer consumer = new JoseConsumer();
+
+ public String processData(String data) {
+ return producer.processData(data);
+ }
+ public String getData(String data) {
+ return consumer.getData(data);
+ }
+
+ public void setProducer(JoseProducer producer) {
+ this.producer = producer;
+ }
+ public void setConsumer(JoseConsumer consumer) {
+ this.consumer = consumer;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java
index 54b691a..fb24f6dc 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java
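Review bot: `setProducer` and `setConsumer` in JoseProducerConsumer accept null, which silently replaces the default instance and defers the failure to a `NullPointerException` in the next `processData` or `getData` call. Rejecting null in the setter, e.g. `if (producer == null) { throw new IllegalArgumentException("producer"); }`, keeps the facade usable at all times. A class-level comment saying that the default `JoseProducer` and `JoseConsumer` start with JWS required and JWE not required (the base-class defaults) would also help, since this is the type most callers will configure. JoseJwtProducerConsumer, added at the end of this commit, has the same setters.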
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtConsumer.java @@ -27,8 +27,6 @@ import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer; import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; public class JoseJwtConsumer extends AbstractJoseConsumer { - private boolean jwsRequired = true; - private boolean jweRequired; private int clockOffset; private int ttl; @@ -39,10 +37,8 @@ public class JoseJwtConsumer extends AbstractJoseConsumer { public JwtToken getJwtToken(String wrappedJwtToken, JweDecryptionProvider theDecryptor, JwsSignatureVerifier theSigVerifier) { - if (!isJwsRequired() && !isJweRequired()) { - throw new JwtException("Unable to process JWT"); - } - + super.checkProcessRequirements(); + JweHeaders jweHeaders = new JweHeaders(); if (isJweRequired()) { JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(wrappedJwtToken); @@ -91,21 +87,6 @@ public class JoseJwtConsumer extends AbstractJoseConsumer { protected void validateToken(JwtToken jwt) { } - public boolean isJwsRequired() { - return jwsRequired; - } - - public void setJwsRequired(boolean jwsRequired) { - this.jwsRequired = jwsRequired; - } - - public boolean isJweRequired() { - return jweRequired; - } - - public void setJweRequired(boolean jweRequired) { - this.jweRequired = jweRequired; - } public int getClockOffset() { return clockOffset; http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducer.java index c729cbe..70005c0 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducer.java 
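Review bot: Replacing the inline check in `getJwtToken` with `super.checkProcessRequirements()` changes what callers see: the method used to throw `JwtException("Unable to process JWT")` and now throws `JoseException("Unable to process the data")`. If `JwtException` is a subclass of `JoseException` (not visible here), code that catches `JwtException` around `getJwtToken` will no longer catch the misconfiguration case, which matters on a fixes branch. Overriding the guard in the JWT classes, e.g. `protected void checkProcessRequirements() { if (!isJwsRequired() && !isJweRequired()) { throw new JwtException("Unable to process JWT"); } }`, would preserve the old contract. `JoseJwtProducer.processJwt` gets the same substitution (previously `JwtException("Unable to secure JWT")`) in the next file section. The body of `getJwtToken` continues outside the hunk.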
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducer.java @@ -26,8 +26,6 @@ import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer; import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; public class JoseJwtProducer extends AbstractJoseProducer { - private boolean jwsRequired = true; - private boolean jweRequired; public String processJwt(JwtToken jwt) { return processJwt(jwt, null, null); @@ -35,9 +33,7 @@ public class JoseJwtProducer extends AbstractJoseProducer { public String processJwt(JwtToken jwt, JweEncryptionProvider theEncProvider, JwsSignatureProvider theSigProvider) { - if (!isJwsRequired() && !isJweRequired()) { - throw new JwtException("Unable to secure JWT"); - } + super.checkProcessRequirements(); String data = null; if (isJweRequired() && theEncProvider == null) { @@ -48,12 +44,13 @@ public class JoseJwtProducer extends AbstractJoseProducer { } if (isJwsRequired()) { + JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt); if (jws.isPlainText()) { data = jws.getSignedEncodedJws(); } else { if (theSigProvider == null) { - theSigProvider = getInitializedSignatureProvider(jwt.getJwsHeaders()); + theSigProvider = getInitializedSignatureProvider(jws.getJwsHeaders()); } if (theSigProvider == null) { 
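Review bot: The `jws.isPlainText()` branch kept by the last hunk here returns `jws.getSignedEncodedJws()` without consulting any signature provider, even though it sits inside `if (isJwsRequired())`. If `isPlainText()` means the headers select the unsecured `none` algorithm (the name suggests so; the method is not visible here), a token whose JWS headers say `none` is emitted unsigned while the producer is configured to require JWS. Since the commit already touches the header lookup with `jws.getJwsHeaders()`, this would be a good moment to either reject that case or add a comment such as `// unsecured JWS is allowed here because ...` explaining why it is accepted. `processJwt` continues outside the hunk.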
@@ -63,29 +60,13 @@ public class JoseJwtProducer extends AbstractJoseProducer { data = jws.signWith(theSigProvider); } if (theEncProvider != null) { - data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), null); + data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), jwt.getJweHeaders()); } } else { - JweJwtCompactProducer jwe = new JweJwtCompactProducer(jwt); + JweJwtCompactProducer jwe = new JweJwtCompactProducer(jwt.getJweHeaders(), jwt.getClaims()); data = jwe.encryptWith(theEncProvider); } return data; } - public boolean isJwsRequired() { - return jwsRequired; - } - - public void setJwsRequired(boolean jwsRequired) { - this.jwsRequired = jwsRequired; - } - - public boolean isJweRequired() { - return jweRequired; - } - - public void setJweRequired(boolean jweRequired) { - this.jweRequired = jweRequired; - } - } http://git-wip-us.apache.org/repos/asf/cxf/blob/0e83d4aa/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducerConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducerConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducerConsumer.java new file mode 100644 index 0000000..e1a0710 --- /dev/null +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JoseJwtProducerConsumer.java 
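Review bot: `jwt.getJweHeaders()` is now passed straight to `new JweJwtCompactProducer(jwt.getJweHeaders(), jwt.getClaims())`, and nothing in the hunk handles a token that was built without JWE headers. `encrypt` was previously called with `null`, so it evidently tolerates that, but whether the two-argument constructor does is not visible here; a null check ahead of the constructor call would rule out a regression on the encrypt-only path. For the sign-then-encrypt branch it is also worth confirming that the outer JWE header ends up with `cty` set to `JWT`, which RFC 7519 section 5.2 requires for nested JWTs. `processJwt` starts in an earlier hunk.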
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwt;
+
+public class JoseJwtProducerConsumer {
+
+ private JoseJwtProducer producer = new JoseJwtProducer();
+ private JoseJwtConsumer consumer = new JoseJwtConsumer();
+
+ public String processJwt(JwtToken jwt) {
+ return producer.processJwt(jwt);
+ }
+ public JwtToken getJwtToken(String wrappedJwtToken) {
+ return consumer.getJwtToken(wrappedJwtToken);
+ }
+
+ public void setProducer(JoseJwtProducer producer) {
+ this.producer = producer;
+ }
+ public void setConsumer(JoseJwtConsumer consumer) {
+ this.consumer = consumer;
+ }
+}