Posted to commits@syncope.apache.org by il...@apache.org on 2018/01/22 10:36:29 UTC
syncope git commit: [SYNCOPE-1263] Now checking for invalid JWT string
Repository: syncope
Updated Branches:
refs/heads/2_0_X 783f2f78f -> 79b669603
[SYNCOPE-1263] Now checking for invalid JWT string
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/79b66960
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/79b66960
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/79b66960
Branch: refs/heads/2_0_X
Commit: 79b66960301b4b238037c00c570f46b88fb9c2aa
Parents: 783f2f7
Author: Francesco Chicchiriccò <il...@apache.org>
Authored: Mon Jan 22 11:36:21 2018 +0100
Committer: Francesco Chicchiriccò <il...@apache.org>
Committed: Mon Jan 22 11:36:21 2018 +0100
----------------------------------------------------------------------
.../syncope/common/lib/types/StandardEntitlement.java | 4 ++--
.../core/spring/security/JWTAuthenticationFilter.java | 8 ++++++--
.../test/java/org/apache/syncope/fit/core/RESTITCase.java | 9 +++++++++
3 files changed, 17 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/79b66960/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
----------------------------------------------------------------------
diff --git a/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java b/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
index 8a7fe36..99c66d7 100644
--- a/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
+++ b/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
@@ -278,9 +278,9 @@ public final class StandardEntitlement {
public static final String SECURITY_QUESTION_DELETE = "SECURITY_QUESTION_DELETE";
- public static final String ACCESS_TOKEN_LIST = "TASK_LIST";
+ public static final String ACCESS_TOKEN_LIST = "ACCESS_TOKEN_LIST";
- public static final String ACCESS_TOKEN_DELETE = "TASK_DELETE";
+ public static final String ACCESS_TOKEN_DELETE = "ACCESS_TOKEN_DELETE";
private static final Set<String> VALUES;
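Review bot: The corrected constants change the effective authorization model and the hunk carries no note of it: before this commit `ACCESS_TOKEN_LIST` and `ACCESS_TOKEN_DELETE` evaluated to `"TASK_LIST"` and `"TASK_DELETE"`, so any role already holding the task entitlements implicitly covered access-token listing and deletion, and after it those roles lose that access until `ACCESS_TOKEN_LIST` / `ACCESS_TOKEN_DELETE` are granted explicitly; conversely, a role that was granted the access-token entitlements under the old values was in fact granted the task ones. A one-line comment above the two constants, or an entry in the upgrade notes, would spare operators a surprise on existing deployments. If `VALUES` on the next line is populated from these fields, it presumably contained only the TASK_* names before, so entitlement listings should now show the two new names — worth pinning with a test.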
http://git-wip-us.apache.org/repos/asf/syncope/blob/79b66960/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
index faf0576..8a2812d 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
@@ -24,7 +24,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.HttpHeaders;
-
+import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -94,10 +94,10 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
String stringToken = parts[1];
LOG.debug("JWT received: {}", stringToken);
- JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken);
try {
credentialChecker.checkIsDefaultJWSKeyInUse();
+ JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken);
JWTSSOProvider jwtSSOProvider = dataAccessor.getJWTSSOProvider(consumer.getJwtClaims().getIssuer());
if (!consumer.verifySignatureWith(jwtSSOProvider)) {
throw new BadCredentialsException("Invalid signature found in JWT");
@@ -108,6 +108,10 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(request, response);
+ } catch (JwsException e) {
+ SecurityContextHolder.clearContext();
+ this.authenticationEntryPoint.commence(
+ request, response, new BadCredentialsException("Invalid JWT: " + stringToken, e));
} catch (AuthenticationException e) {
SecurityContextHolder.clearContext();
this.authenticationEntryPoint.commence(request, response, e);
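Review bot: The new BadCredentialsException embeds the raw bearer token in its message (`"Invalid JWT: " + stringToken`) and that message is handed to `authenticationEntryPoint.commence`, so attacker-controlled, unparsed text is likely to end up in the 401 response body and in any exception logging; the token is already recorded at debug level by `LOG.debug("JWT received: {}", stringToken)` in the previous hunk. Prefer `new BadCredentialsException("Invalid JWT", e)` and let the debug log carry the value. The added catch only covers JwsException: a token whose compact form parses but whose claims are missing or carry no issuer reaches `consumer.getJwtClaims().getIssuer()` in the previous hunk, and if that surfaces as something other than a JwsException or AuthenticationException it would not be mapped to a 401 here — worth confirming against the CXF consumer's behaviour. The enclosing filter method starts and ends outside this hunk.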
http://git-wip-us.apache.org/repos/asf/syncope/blob/79b66960/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
index b9d605f..66419eb 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
@@ -37,6 +37,7 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.syncope.client.lib.BasicAuthenticationHandler;
@@ -77,6 +78,14 @@ public class RESTITCase extends AbstractITCase {
assertNotNull(e);
}
+ // service with invalid JWT string: 401 unauthorized
+ try {
+ clientFactory.create(RandomStringUtils.random(20, true, true)).self();
+ fail();
+ } catch (AccessControlException e) {
+ assertNotNull(e);
+ }
+
// service with good password, but no entitlements owned: 403 forbidden
SyncopeClient goodClient = clientFactory.create("bellini", "password");
try {