Posted to commits@cxf.apache.org by se...@apache.org on 2015/07/26 20:58:28 UTC

cxf git commit: [CXF-6487] Initial prototyping of validatig self-issued idp

Repository: cxf
Updated Branches:
  refs/heads/master ce81b3829 -> d29745feb


[CXF-6487] Initial prototyping of validating self-issued idp


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d29745fe
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d29745fe
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d29745fe

Branch: refs/heads/master
Commit: d29745feb07852f4c7af13cb36808b570a331856
Parents: ce81b38
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Sun Jul 26 21:58:04 2015 +0300
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Sun Jul 26 21:58:04 2015 +0300

----------------------------------------------------------------------
 .../oidc/rp/AbstractTokenValidator.java         | 41 +++++++++++++-------
 1 file changed, 28 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d29745fe/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index a84dfa1..84d7650 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -34,12 +34,14 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 
 public abstract class AbstractTokenValidator {
+    private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
     private JweDecryptionProvider jweDecryptor;
     private JwsSignatureVerifier jwsVerifier;
     private String issuerId;
     private int issuedAtRange;
     private int clockOffset;
     private WebClient jwkSetClient;
+    private boolean supportSelfIssuedProvider;
     private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>(); 
     
     protected JwtToken getJwtToken(String wrappedJwtToken, boolean jweOnly) {
@@ -62,22 +64,30 @@ public abstract class AbstractTokenValidator {
     }
     
     protected void validateJwtClaims(JwtClaims claims, String clientId, boolean validateClaimsAlways) {
-        // validate subject
-        if (claims.getSubject() == null) {
-            throw new SecurityException("Invalid subject");
-        }
-        // validate audience
-        String aud = claims.getAudience();
-        if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) {
-            throw new SecurityException("Invalid audience");
-        }
-
-        // validate the provider
+        // validate the issuer
         String issuer = claims.getIssuer();
-        if (issuer == null && validateClaimsAlways || issuer != null && !issuer.equals(issuerId)) {
+        if (issuer == null && validateClaimsAlways) {
             throw new SecurityException("Invalid provider");
         }
-        JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
+        if (supportSelfIssuedProvider && issuerId == null 
+            && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
+            //TODO: self-issued provider token validation
+        } else {
+            if (issuer != null && !issuer.equals(issuerId)) {
+                throw new SecurityException("Invalid provider");
+            }
+            // validate subject
+            if (claims.getSubject() == null) {
+                throw new SecurityException("Invalid subject");
+            }
+            // validate audience
+            String aud = claims.getAudience();
+            if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) {
+                throw new SecurityException("Invalid audience");
+            }
+    
+            JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
+        }
     }
     
     
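Review bot: The self-issued branch at the `supportSelfIssuedProvider && issuerId == null && ... SELF_ISSUED_ISSUER.equals(issuer)` check is empty, so once the flag is enabled and no issuerId is configured, any token whose issuer claim is the self-issued URI passes validateJwtClaims without the subject, audience or time-claim checks that the old code ran unconditionally; in particular an expired token is accepted. The TODO covers the provider-specific part (the self-issued subject/key binding), but the subject, audience and JwtUtils.validateJwtTimeClaims checks are independent of who issued the token and should run in both branches. Suggested shape: compute a `selfIssued` flag, apply the issuerId comparison only when it is false, run the common checks, and keep the TODO for the self-issued-specific steps; whether the audience comparison against clientId is the right one for self-issued tokens should be confirmed against the spec when the TODO is implemented.
```java
    protected void validateJwtClaims(JwtClaims claims, String clientId, boolean validateClaimsAlways) {
        // validate the issuer
        String issuer = claims.getIssuer();
        if (issuer == null && validateClaimsAlways) {
            throw new SecurityException("Invalid provider");
        }
        boolean selfIssued = supportSelfIssuedProvider && issuerId == null
            && SELF_ISSUED_ISSUER.equals(issuer);
        if (!selfIssued && issuer != null && !issuer.equals(issuerId)) {
            throw new SecurityException("Invalid provider");
        }
        // subject, audience and time claims are checked regardless of the issuer
        if (claims.getSubject() == null) {
            throw new SecurityException("Invalid subject");
        }
        String aud = claims.getAudience();
        if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) {
            throw new SecurityException("Invalid audience");
        }
        JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
        if (selfIssued) {
            //TODO: self-issued provider token validation (subject/key binding)
        }
    }
```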
@@ -125,6 +135,7 @@ public abstract class AbstractTokenValidator {
         String keyId = jwt.getHeaders().getKeyId();
         JsonWebKey key = keyId != null ? keyMap.get(keyId) : null;
         if (key == null) {
+            //TODO: check self-issued JWK 
             if (jwkSetClient == null) {
                 throw new SecurityException("Provider Jwk Set Client is not available");
             }
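Review bot: The added `//TODO: check self-issued JWK` at the key lookup does not record the two preconditions the later implementation must respect: the token-embedded key may only be consulted when `supportSelfIssuedProvider` is set and no issuerId is configured (mirroring the condition in validateJwtClaims), and the key must be bound to the token it verifies rather than looked up by keyId alone, otherwise a caller-supplied key would verify a caller-supplied signature. Suggest expanding the comment to `//TODO: for self-issued tokens (supportSelfIssuedProvider && issuerId == null) use the key carried in the token and verify it is bound to the subject before trusting it`. The enclosing method starts and ends outside this hunk, so whether keyId is already null-checked against the self-issued case elsewhere is not visible here.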
@@ -151,4 +162,8 @@ public abstract class AbstractTokenValidator {
     public void setClockOffset(int clockOffset) {
         this.clockOffset = clockOffset;
     }
+
+    public void setSupportSelfIssuedProvider(boolean supportSelfIssuedProvider) {
+        this.supportSelfIssuedProvider = supportSelfIssuedProvider;
+    }
 }
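Review bot: `setSupportSelfIssuedProvider` has no Javadoc, and the flag's effect is conditional in a way callers cannot see from the signature: per the check in validateJwtClaims it only takes effect when no issuerId has been configured, and while the corresponding TODOs are open it relaxes validation for tokens issued by `https://self-issued.me`. Suggest `/** Enables acceptance of tokens from the self-issued provider ("https://self-issued.me"). Only takes effect when no issuerId is configured; self-issued token validation is not yet complete. */` above the setter so the weaker checking is an explicit opt-in rather than a surprise.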