syncope-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ilgro...@apache.org
Subject syncope git commit: [SYNCOPE-1263] Now checking for invalid JWT string
Date Mon, 22 Jan 2018 10:36:29 GMT
Repository: syncope
Updated Branches:
  refs/heads/2_0_X 783f2f78f -> 79b669603


[SYNCOPE-1263] Now checking for invalid JWT string


Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/79b66960
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/79b66960
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/79b66960

Branch: refs/heads/2_0_X
Commit: 79b66960301b4b238037c00c570f46b88fb9c2aa
Parents: 783f2f7
Author: Francesco Chicchiriccò <ilgrosso@apache.org>
Authored: Mon Jan 22 11:36:21 2018 +0100
Committer: Francesco Chicchiriccò <ilgrosso@apache.org>
Committed: Mon Jan 22 11:36:21 2018 +0100

----------------------------------------------------------------------
 .../syncope/common/lib/types/StandardEntitlement.java       | 4 ++--
 .../core/spring/security/JWTAuthenticationFilter.java       | 8 ++++++--
 .../test/java/org/apache/syncope/fit/core/RESTITCase.java   | 9 +++++++++
 3 files changed, 17 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/syncope/blob/79b66960/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
----------------------------------------------------------------------
diff --git a/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
b/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
index 8a7fe36..99c66d7 100644
--- a/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
+++ b/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
@@ -278,9 +278,9 @@ public final class StandardEntitlement {
 
     public static final String SECURITY_QUESTION_DELETE = "SECURITY_QUESTION_DELETE";
 
-    public static final String ACCESS_TOKEN_LIST = "TASK_LIST";
+    public static final String ACCESS_TOKEN_LIST = "ACCESS_TOKEN_LIST";
 
-    public static final String ACCESS_TOKEN_DELETE = "TASK_DELETE";
+    public static final String ACCESS_TOKEN_DELETE = "ACCESS_TOKEN_DELETE";
 
     private static final Set<String> VALUES;
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/79b66960/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
index faf0576..8a2812d 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
@@ -24,7 +24,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.HttpHeaders;
-
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -94,10 +94,10 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
         String stringToken = parts[1];
         LOG.debug("JWT received: {}", stringToken);
 
-        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken);
         try {
             credentialChecker.checkIsDefaultJWSKeyInUse();
 
+            JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken);
             JWTSSOProvider jwtSSOProvider = dataAccessor.getJWTSSOProvider(consumer.getJwtClaims().getIssuer());
             if (!consumer.verifySignatureWith(jwtSSOProvider)) {
                 throw new BadCredentialsException("Invalid signature found in JWT");
@@ -108,6 +108,10 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
             SecurityContextHolder.getContext().setAuthentication(authentication);
 
             chain.doFilter(request, response);
+        } catch (JwsException e) {
+            SecurityContextHolder.clearContext();
+            this.authenticationEntryPoint.commence(
+                    request, response, new BadCredentialsException("Invalid JWT: " + stringToken,
e));
         } catch (AuthenticationException e) {
             SecurityContextHolder.clearContext();
             this.authenticationEntryPoint.commence(request, response, e);

http://git-wip-us.apache.org/repos/asf/syncope/blob/79b66960/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
index b9d605f..66419eb 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
@@ -37,6 +37,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.syncope.client.lib.BasicAuthenticationHandler;
@@ -77,6 +78,14 @@ public class RESTITCase extends AbstractITCase {
             assertNotNull(e);
         }
 
+        // service with invalid JWT string: 401 unauthorized
+        try {
+            clientFactory.create(RandomStringUtils.random(20, true, true)).self();
+            fail();
+        } catch (AccessControlException e) {
+            assertNotNull(e);
+        }
+
         // service with good password, but no entitlements owned: 403 forbidden
         SyncopeClient goodClient = clientFactory.create("bellini", "password");
         try {


Mime
View raw message