Posted to commits@cxf.apache.org by se...@apache.org on 2015/07/26 20:58:28 UTC
cxf git commit: [CXF-6487] Initial prototyping of validatig
self-issued idp
Repository: cxf
Updated Branches:
refs/heads/master ce81b3829 -> d29745feb
[CXF-6487] Initial prototyping of validating self-issued idp
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d29745fe
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d29745fe
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d29745fe
Branch: refs/heads/master
Commit: d29745feb07852f4c7af13cb36808b570a331856
Parents: ce81b38
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Sun Jul 26 21:58:04 2015 +0300
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Sun Jul 26 21:58:04 2015 +0300
----------------------------------------------------------------------
.../oidc/rp/AbstractTokenValidator.java | 41 +++++++++++++-------
1 file changed, 28 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d29745fe/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index a84dfa1..84d7650 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -34,12 +34,14 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
public abstract class AbstractTokenValidator {
+ private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
private JweDecryptionProvider jweDecryptor;
private JwsSignatureVerifier jwsVerifier;
private String issuerId;
private int issuedAtRange;
private int clockOffset;
private WebClient jwkSetClient;
+ private boolean supportSelfIssuedProvider;
private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>();
protected JwtToken getJwtToken(String wrappedJwtToken, boolean jweOnly) {
@@ -62,22 +64,30 @@ public abstract class AbstractTokenValidator {
}
protected void validateJwtClaims(JwtClaims claims, String clientId, boolean validateClaimsAlways) {
- // validate subject
- if (claims.getSubject() == null) {
- throw new SecurityException("Invalid subject");
- }
- // validate audience
- String aud = claims.getAudience();
- if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) {
- throw new SecurityException("Invalid audience");
- }
-
- // validate the provider
+ // validate the issuer
String issuer = claims.getIssuer();
- if (issuer == null && validateClaimsAlways || issuer != null && !issuer.equals(issuerId)) {
+ if (issuer == null && validateClaimsAlways) {
throw new SecurityException("Invalid provider");
}
- JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
+ if (supportSelfIssuedProvider && issuerId == null
+ && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
+ //TODO: self-issued provider token validation
+ } else {
+ if (issuer != null && !issuer.equals(issuerId)) {
+ throw new SecurityException("Invalid provider");
+ }
+ // validate subject
+ if (claims.getSubject() == null) {
+ throw new SecurityException("Invalid subject");
+ }
+ // validate audience
+ String aud = claims.getAudience();
+ if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) {
+ throw new SecurityException("Invalid audience");
+ }
+
+ JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);
+ }
}
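Review bot: The new self-issued branch accepts the token without any checks, because the subject, audience and time-claim validations were all moved under the `else`, so a token whose `iss` is "https://self-issued.me" now passes validateJwtClaims with no expiry or `iat` check at all once supportSelfIssuedProvider is on and issuerId is unset. Until the TODO is implemented the branch should fail closed, e.g. replace the TODO comment with `throw new SecurityException("Self-issued provider tokens are not supported yet");`. Independently of that, `JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways);` does not depend on who issued the token and could be hoisted above the `if`, so that whatever the self-issued path eventually checks, time claims are always enforced; the same presumably holds for the subject check, but that depends on what a self-issued subject is expected to contain, which this hunk does not show.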
@@ -125,6 +135,7 @@ public abstract class AbstractTokenValidator {
String keyId = jwt.getHeaders().getKeyId();
JsonWebKey key = keyId != null ? keyMap.get(keyId) : null;
if (key == null) {
+ //TODO: check self-issued JWK
if (jwkSetClient == null) {
throw new SecurityException("Provider Jwk Set Client is not available");
}
@@ -151,4 +162,8 @@ public abstract class AbstractTokenValidator {
public void setClockOffset(int clockOffset) {
this.clockOffset = clockOffset;
}
+
+ public void setSupportSelfIssuedProvider(boolean supportSelfIssuedProvider) {
+ this.supportSelfIssuedProvider = supportSelfIssuedProvider;
+ }
}
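Review bot: setSupportSelfIssuedProvider has no Javadoc, and its effect is not obvious from the setter alone: per the validateJwtClaims change earlier in this diff the flag only takes effect when issuerId is null, and it then relaxes the issuer check for tokens issued by "https://self-issued.me". A short Javadoc such as `/** Enables acceptance of self-issued provider tokens; only honoured when no issuerId is configured. */` would make that coupling visible to callers configuring the validator.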