Posted to commits@directory.apache.org by pl...@apache.org on 2015/10/23 09:42:05 UTC
directory-kerby git commit: DIRKRB-436 KDC accepts an unsigned JWT
token.
Repository: directory-kerby
Updated Branches:
refs/heads/master e567dfdce -> 23eee00f8
DIRKRB-436 KDC accepts an unsigned JWT token.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/23eee00f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/23eee00f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/23eee00f
Branch: refs/heads/master
Commit: 23eee00f8e320559d45a9285a9983610aaad146f
Parents: e567dfd
Author: plusplus_jiajia <ji...@intel.com>
Authored: Fri Oct 23 15:41:23 2015 +0800
Committer: plusplus_jiajia <ji...@intel.com>
Committed: Fri Oct 23 15:41:23 2015 +0800
----------------------------------------------------------------------
.../org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java | 4 +---
.../apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java | 4 +---
.../kerberos/kerb/server/preauth/token/TokenPreauth.java | 3 +++
.../apache/kerby/kerberos/provider/token/JwtTokenDecoder.java | 7 +++++++
4 files changed, 12 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
index 6c8020e..3a2d4ff 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
@@ -71,10 +71,8 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
Assert.assertTrue(ex instanceof KrbException);
}
}
-
- // TODO - not failing yet.
+
@Test
- @org.junit.Ignore
public void testUnsignedToken() throws Exception {
prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, null, null);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
index b0dd04d..3c0895f 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
@@ -73,10 +73,8 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
Assert.assertTrue(ex instanceof KrbException);
}
}
-
- // TODO - not failing yet.
+
@Test
- @org.junit.Ignore
public void testUnsignedToken() throws Exception {
prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", null, null);
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index f3c8741..a2c57d6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -88,6 +88,9 @@ public class TokenPreauth extends AbstractPreauthPlugin {
AuthToken authToken = null;
try {
authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
+ if (!((JwtTokenDecoder) tokenDecoder).isSigned()) {
+ throw new KrbException("Token should be signed.");
+ }
} catch (IOException e) {
throw new KrbException("Decoding failed", e);
}
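Review bot: The added check casts `tokenDecoder` to `JwtTokenDecoder` without a type test, so if any other `TokenDecoder` implementation is configured, this path fails with a `ClassCastException` rather than a `KrbException`. Guarding the cast keeps the check fail-closed and the error type consistent: `if (!(tokenDecoder instanceof JwtTokenDecoder) || !((JwtTokenDecoder) tokenDecoder).isSigned()) {`. If non-JWT decoders are meant to be supported, exposing the signed status through the `TokenDecoder` interface would avoid the cast altogether. The enclosing method starts and ends outside this hunk, so how `tokenDecoder` is obtained is not visible here.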
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
index 50a2ece..b42dd86 100644
--- a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
+++ b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
@@ -55,6 +55,7 @@ public class JwtTokenDecoder implements TokenDecoder {
private Object decryptionKey;
private Object verifyKey;
private List<String> audiences = null;
+ private boolean signed = false;
/**
* {@inheritDoc}
@@ -100,6 +101,7 @@ public class JwtTokenDecoder implements TokenDecoder {
boolean success = verifySignedJWT(signedJWT) && verifyToken(signedJWT);
if (success) {
try {
+ signed = true;
return new JwtAuthToken(signedJWT.getJWTClaimsSet());
} catch (ParseException e) {
throw new IOException("Failed to get JWT claims set", e);
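Review bot: `signed` is only ever set to `true`, here and at the identical assignment in the next hunk, and the seven lines this commit adds to the file contain no reset, so once one signed token has verified, `isSigned()` keeps returning true for that decoder instance. If the instance is reused across requests, which the `tokenDecoder` variable in the TokenPreauth hunk suggests but does not show, a later unsigned token would still pass the new check. Add `signed = false;` as the first statement of each decode method; those methods start outside these hunks. Because the flag is shared mutable state, concurrent decodes on one instance could also read each other's result, so carrying the signed status on the returned token would be more robust than a field on the decoder.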
@@ -123,6 +125,7 @@ public class JwtTokenDecoder implements TokenDecoder {
boolean success = verifySignedJWT(signedJWT) && verifyToken(signedJWT);
if (success) {
try {
+ signed = true;
return new JwtAuthToken(signedJWT.getJWTClaimsSet());
} catch (ParseException e) {
throw new IOException("Failed to get JWT claims set", e);
@@ -274,4 +277,8 @@ public class JwtTokenDecoder implements TokenDecoder {
}
return valid;
}
+
+ public boolean isSigned() {
+ return signed;
+ }
}