Posted to commits@directory.apache.org by pl...@apache.org on 2016/07/07 06:41:53 UTC

[08/27] directory-kerby git commit: Just write out the JWT token "as is" if there is no signature key

Just write out the JWT token "as is" if there is no signature key


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/55e90d92
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/55e90d92
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/55e90d92

Branch: refs/heads/kpasswd
Commit: 55e90d922e85f969de084fc3e2322a7925547080
Parents: 5e75bf5
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Jul 4 12:18:02 2016 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Jul 4 12:18:32 2016 +0100

----------------------------------------------------------------------
 .../test/jaas/TokenAuthLoginModule.java         | 73 +++++++++++++-------
 .../kerberos/provider/token/JwtAuthToken.java   |  6 +-
 2 files changed, 51 insertions(+), 28 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/55e90d92/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/jaas/TokenAuthLoginModule.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/jaas/TokenAuthLoginModule.java b/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/jaas/TokenAuthLoginModule.java
index 7eee5ba..d0e8549 100644
--- a/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/jaas/TokenAuthLoginModule.java
+++ b/kerby-kerb/integration-test/src/main/java/org/apache/kerby/kerberos/kerb/integration/test/jaas/TokenAuthLoginModule.java
@@ -33,10 +33,14 @@ import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
 import org.apache.kerby.kerberos.kerb.type.base.TokenFormat;
 import org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
 import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
+import org.apache.kerby.kerberos.provider.token.JwtAuthToken;
 import org.apache.kerby.kerberos.provider.token.JwtTokenEncoder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
@@ -50,6 +54,7 @@ import java.io.IOException;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.interfaces.RSAPrivateKey;
+import java.text.ParseException;
 import java.util.Date;
 import java.util.Iterator;
 import java.util.Map;
@@ -245,38 +250,55 @@ public class TokenAuthLoginModule implements LoginModule {
                 throw new LoginException("No valid token was found in token cache: " + tokenCacheName);
             }
         }
-        TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
-        try {
-            authToken = tokenDecoder.decodeFromString(tokenStr);
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-        krbToken = new KrbToken(authToken, TokenFormat.JWT);
-        TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
 
-        if (tokenEncoder instanceof JwtTokenEncoder && signKeyFile != null) {
-            PrivateKey signKey = null;
+        krbToken = new KrbToken();
+        
+        // Sign the token.
+        if (signKeyFile != null) {
             try {
-                FileInputStream fis = new FileInputStream(signKeyFile);
-                signKey = PrivateKeyReader.loadPrivateKey(fis);
-            } catch (FileNotFoundException e) {
-                e.printStackTrace();
-            } catch (Exception e) {
-                e.printStackTrace();
+                TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
+                try {
+                    authToken = tokenDecoder.decodeFromString(tokenStr);
+                } catch (IOException e) {
+                    e.printStackTrace();
+                }
+                krbToken = new KrbToken(authToken, TokenFormat.JWT);
+                TokenEncoder tokenEncoder = KrbRuntime.getTokenProvider().createTokenEncoder();
+    
+                if (tokenEncoder instanceof JwtTokenEncoder) {
+                    PrivateKey signKey = null;
+                    try {
+                        FileInputStream fis = new FileInputStream(signKeyFile);
+                        signKey = PrivateKeyReader.loadPrivateKey(fis);
+                    } catch (FileNotFoundException e) {
+                        e.printStackTrace();
+                    } catch (Exception e) {
+                        e.printStackTrace();
+                    }
+    
+                    ((JwtTokenEncoder) tokenEncoder).setSignKey((RSAPrivateKey) signKey);
+                }
+                
+                krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
+            } catch (KrbException e) {
+                throw new RuntimeException("Failed to encode AuthToken", e);
+            }
+        } else {
+            // Otherwise just write out the token (which could be already signed)
+            krbToken.setTokenValue(tokenStr.getBytes());
+            
+            try {
+                JWT jwt = JWTParser.parse(tokenStr);
+                authToken = new JwtAuthToken(jwt.getJWTClaimsSet());
+            } catch (ParseException e) {
+                // Invalid JWT encoding
+                throw new RuntimeException("Failed to parse JWT token string", e);
             }
-
-            ((JwtTokenEncoder) tokenEncoder).setSignKey((RSAPrivateKey) signKey);
         }
-
-        krbToken = new KrbToken();
+        
         krbToken.setInnerToken(authToken);
         krbToken.setTokenType();
         krbToken.setTokenFormat(TokenFormat.JWT);
-        try {
-            krbToken.setTokenValue(tokenEncoder.encodeAsBytes(authToken));
-        } catch (KrbException e) {
-            throw new RuntimeException("Failed to encode AuthToken", e);
-        }
 
         KrbClient krbClient = null;
         try {
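Review bot: Both new failure paths in this hunk escape as RuntimeException (`throw new RuntimeException("Failed to encode AuthToken", e)` in the signed branch and `"Failed to parse JWT token string"` in the unsigned branch) although the enclosing login method already reports failures through LoginException, as the `throw new LoginException("No valid token was found in token cache: " + tokenCacheName)` at the top of the hunk shows, so a JAAS caller that catches LoginException will not see them. Keeping the contract while preserving the cause is three lines: `LoginException le = new LoginException("Failed to parse JWT token string"); le.initCause(e); throw le;`. The unsigned branch also calls `tokenStr.getBytes()` with the platform default charset; `tokenStr.getBytes(StandardCharsets.UTF_8)` (plus the import) makes the encoding explicit, and since the JWT compact form is ASCII this is about determinism rather than data loss. In the signed branch the `FileInputStream` opened for the key file is never closed and the `catch (FileNotFoundException e)` does exactly what the broader `catch (Exception e)` below it does; a try-with-resources around `PrivateKeyReader.loadPrivateKey(fis)` with a single catch addresses both, and leaving `signKey` null on failure means `setSignKey((RSAPrivateKey) signKey)` is reached with no key, which presumably fails later rather than here. The enclosing method starts before this hunk.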
@@ -290,6 +312,7 @@ public class TokenAuthLoginModule implements LoginModule {
         } catch (IOException e) {
             e.printStackTrace();
         }
+        
         KrbTokenClient tokenClient = new KrbTokenClient(krbClient);
         try {
             tgtTicket = tokenClient.requestTgt(krbToken,

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/55e90d92/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtAuthToken.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtAuthToken.java b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtAuthToken.java
index e5d92c8..b6e60c4 100644
--- a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtAuthToken.java
+++ b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtAuthToken.java
@@ -40,15 +40,15 @@ public class JwtAuthToken implements AuthToken {
     private Boolean isIdToken = true;
     private Boolean isAcToken = false;
 
-    protected JwtAuthToken() {
+    public JwtAuthToken() {
         this(new JWTClaimsSet());
     }
 
-    protected JwtAuthToken(JWTClaimsSet jwtClaims) {
+    public JwtAuthToken(JWTClaimsSet jwtClaims) {
         this.jwtClaims = jwtClaims;
     }
 
-    protected JwtAuthToken(ReadOnlyJWTClaimsSet jwtClaims) {
+    public JwtAuthToken(ReadOnlyJWTClaimsSet jwtClaims) {
         this.jwtClaims = JwtUtil.from(jwtClaims);
     }
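Review bot: The three constructors widened from protected to public carry no Javadoc, and as public API the difference between the `JWTClaimsSet` and `ReadOnlyJWTClaimsSet` overloads is worth stating; a one-line comment on each, such as `/** Wraps the given mutable claims set; the instance is stored, not copied. */` on the `JWTClaimsSet` overload, would do. That overload stores the caller's instance directly (`this.jwtClaims = jwtClaims;`), so once public, external callers can keep mutating the claims after construction — presumably acceptable for the login-module use in this commit, but worth documenting if the token is meant to be fixed afterwards. The class body continues beyond this hunk.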