Posted to commits@cxf.apache.org by bu...@apache.org on 2020/03/12 08:06:13 UTC
[cxf-fediz] branch master updated (fb5843b -> 7adabe3)
This is an automated email from the ASF dual-hosted git repository.
buhhunyx pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git.
from fb5843b Updating Apache DS
new b0c5966 fediz-core: update ConfigUtils
new 5cb9c7a fediz-core: update FederationProcessorImpl
new a9ee6ba fediz-core: update Import-Package
new 7adabe3 fediz-oidc: include key id
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
plugins/core/pom.xml | 2 -
.../apache/cxf/fediz/core/config/ConfigUtils.java | 21 +++----
.../core/processor/FederationProcessorImpl.java | 71 +++++++++++-----------
.../oidc/src/main/resources/rs.security.properties | 1 +
.../cxf/fediz/systests/oidc/AbstractOIDCTest.java | 23 +++----
5 files changed, 58 insertions(+), 60 deletions(-)
[cxf-fediz] 04/04: fediz-oidc: include key id
Posted by bu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
buhhunyx pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 7adabe3dd2f53a5c27265203017afe2afebaec8c
Author: Alexey Markevich <bu...@gmail.com>
AuthorDate: Thu Mar 12 11:04:41 2020 +0300
fediz-oidc: include key id
---
.../oidc/src/main/resources/rs.security.properties | 1 +
.../cxf/fediz/systests/oidc/AbstractOIDCTest.java | 23 +++++++++++-----------
2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/services/oidc/src/main/resources/rs.security.properties b/services/oidc/src/main/resources/rs.security.properties
index 0b6766b..35fa16c 100644
--- a/services/oidc/src/main/resources/rs.security.properties
+++ b/services/oidc/src/main/resources/rs.security.properties
@@ -22,3 +22,4 @@ rs.security.keystore.file=oidc.jks
#rs.security.encryption.content.algorithm=A128GCM
#rs.security.encryption.key.algorithm=RSA-OAEP
rs.security.signature.algorithm=RS256
+rs.security.signature.include.key.id=true
diff --git a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/AbstractOIDCTest.java b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/AbstractOIDCTest.java
index aa333b0..36f2bef 100644
--- a/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/AbstractOIDCTest.java
+++ b/systests/oidc/src/test/java/org/apache/cxf/fediz/systests/oidc/AbstractOIDCTest.java
@@ -68,12 +68,12 @@ import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.cxf.fediz.tomcat.FederationAuthenticator;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
-import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
@@ -1036,24 +1036,25 @@ abstract class AbstractOIDCTest {
private void validateIdToken(String idToken, String audience, String role) throws IOException {
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
JwtToken jwt = jwtConsumer.getJwtToken();
+ JwtClaims jwtClaims = jwt.getClaims();
// Validate claims
- assertEquals("alice", jwt.getClaim("preferred_username"));
- assertEquals("accounts.fediz.com", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
- assertEquals(audience, jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
- assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
- assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
+ assertEquals("alice", jwtClaims.getClaim("preferred_username"));
+ assertEquals("accounts.fediz.com", jwtClaims.getIssuer());
+ assertEquals(audience, jwtClaims.getAudience());
+ assertNotNull(jwtClaims.getIssuedAt());
+ assertNotNull(jwtClaims.getExpiryTime());
// Check role
if (role != null) {
- List<String> roles = jwt.getClaims().getListStringProperty("roles");
+ List<String> roles = jwtClaims.getListStringProperty("roles");
assertNotNull(roles);
assertTrue(roles.contains(role));
}
- // TODO: jwt.getJwsHeader(JoseConstants.HEADER_KEY_ID))
- assertTrue(jwtConsumer.verifySignatureWith(jsonWebKeys().getKeys().get(0),
- SignatureAlgorithm.valueOf(jwt.getJwsHeader(JoseConstants.HEADER_ALGORITHM).toString())));
+ JwsHeaders jwsHeaders = jwt.getJwsHeaders();
+ assertTrue(jwtConsumer.verifySignatureWith(
+ jsonWebKeys().getKey(jwsHeaders.getKeyId()), SignatureAlgorithm.valueOf(jwsHeaders.getAlgorithm())));
}
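Review bot: The signature check at the end of validateIdToken now takes both the key (via `kid`) and the algorithm from the token's own header, so a token carrying an unknown `kid` fails with a NullPointerException out of `verifySignatureWith(null, …)` rather than an assertion, and a token signed with some other algorithm is accepted as long as it verifies against whatever key the header names. The server is configured for RS256 (`rs.security.signature.algorithm=RS256` in the properties hunk above), so pin both values before verifying: `assertEquals("RS256", jwsHeaders.getAlgorithm());` then `JsonWebKey key = jsonWebKeys().getKey(jwsHeaders.getKeyId()); assertNotNull("no JWK for kid " + jwsHeaders.getKeyId(), key);` and pass `key` to `verifySignatureWith`. `JsonWebKey` needs an import from the same `org.apache.cxf.rs.security.jose.jwk` package as `JsonWebKeys`. Whether `JsonWebKeys.getKey` returns null or throws for an unknown id is not visible here; the explicit assertion gives a clear failure either way.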
private JsonWebKeys jsonWebKeys() throws IOException {
[cxf-fediz] 02/04: fediz-core: update FederationProcessorImpl
Posted by bu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
buhhunyx pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit 5cb9c7a13c67412def790366ff5edcabc2385ba0
Author: Alexey Markevich <bu...@gmail.com>
AuthorDate: Tue Mar 10 10:26:14 2020 +0300
fediz-core: update FederationProcessorImpl
---
.../core/processor/FederationProcessorImpl.java | 71 +++++++++++-----------
1 file changed, 35 insertions(+), 36 deletions(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
index fafde08..8dc9069 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java
@@ -24,7 +24,6 @@ import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
-import java.net.URLEncoder;
import java.security.cert.Certificate;
import java.time.Instant;
import java.time.ZoneOffset;
@@ -84,6 +83,9 @@ import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static java.net.URLEncoder.encode;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
public class FederationProcessorImpl extends AbstractFedizProcessor {
private static final Logger LOG = LoggerFactory.getLogger(FederationProcessorImpl.class);
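Review bot: Statically importing `encode` leaves a bare `encode(x, UTF_8.name())` at every call site in this commit (the wctx, wreply, wtrealm, wauth, wreq, whr, wfresh, wct and query-extension hunks below) with nothing telling the reader that it is `URLEncoder.encode`; static imports are conventionally reserved for constants and assertion helpers, and `UTF_8` alone would be fine. Keep `import java.net.URLEncoder;` and write e.g. `.append(URLEncoder.encode(reply, UTF_8.name()))`, or, if the build targets Java 10 or later, `URLEncoder.encode(reply, UTF_8)`, which also removes the checked UnsupportedEncodingException and the `.name()` round-trip. The target Java version is not visible in this commit, so the second form needs checking against the pom.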
@@ -354,7 +356,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
throws ProcessingException {
String redirectURL = null;
- RequestState requestState = null;
+ final RequestState requestState;
try {
if (!(config.getProtocol() instanceof FederationProtocol)) {
LOG.error("Unsupported protocol");
@@ -363,7 +365,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
String issuerURL = resolveIssuer(request, config);
LOG.debug("Issuer url: {}", issuerURL);
- if (issuerURL != null && issuerURL.length() > 0) {
+ if (issuerURL != null && !issuerURL.isEmpty()) {
redirectURL = issuerURL;
}
@@ -382,7 +384,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
String signInQuery = resolveSignInQuery(request, config);
LOG.debug("SignIn Query: {}", signInQuery);
- String wctx = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ String wctx = encode(UUID.randomUUID().toString(), UTF_8.name());
StringBuffer requestURL = request.getRequestURL();
String params = request.getQueryString();
if (params != null && !params.isEmpty()) {
@@ -399,7 +401,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
sb.append(FederationConstants.PARAM_ACTION).append('=').append(FederationConstants.ACTION_SIGNIN);
String reply = resolveReply(request, config);
- if (reply == null || reply.length() == 0) {
+ if (reply == null || reply.isEmpty()) {
reply = request.getRequestURL().toString();
} else {
try {
@@ -414,41 +416,38 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
LOG.debug("wreply={}", reply);
- sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');
- sb.append(URLEncoder.encode(reply, "UTF-8"));
+ sb.append('&').append(FederationConstants.PARAM_REPLY).append('=')
+ .append(encode(reply, UTF_8.name()));
String realm = resolveWTRealm(request, config);
LOG.debug("wtrealm={}", realm);
// add wtrealm parameter
- sb.append('&').append(FederationConstants.PARAM_TREALM).append('=').append(URLEncoder
- .encode(realm, "UTF-8"));
+ sb.append('&').append(FederationConstants.PARAM_TREALM).append('=')
+ .append(encode(realm, UTF_8.name()));
// add authentication type parameter wauth if set
- if (wAuth != null && wAuth.length() > 0) {
- sb.append('&').append(FederationConstants.PARAM_AUTH_TYPE).append('=').append(URLEncoder
- .encode(wAuth,
- "UTF-8"));
+ if (wAuth != null && !wAuth.isEmpty()) {
+ sb.append('&').append(FederationConstants.PARAM_AUTH_TYPE).append('=')
+ .append(encode(wAuth, UTF_8.name()));
}
// add tokenRequest parameter wreq if set
- if (wReq != null && wReq.length() > 0) {
- sb.append('&').append(FederationConstants.PARAM_REQUEST).append('=').append(URLEncoder.encode(wReq,
- "UTF-8"));
+ if (wReq != null && !wReq.isEmpty()) {
+ sb.append('&').append(FederationConstants.PARAM_REQUEST).append('=')
+ .append(encode(wReq, UTF_8.name()));
}
// add home realm parameter whr if set
- if (homeRealm != null && homeRealm.length() > 0) {
- sb.append('&').append(FederationConstants.PARAM_HOME_REALM).append('=').append(URLEncoder
- .encode(homeRealm,
- "UTF-8"));
+ if (homeRealm != null && !homeRealm.isEmpty()) {
+ sb.append('&').append(FederationConstants.PARAM_HOME_REALM).append('=')
+ .append(encode(homeRealm, UTF_8.name()));
}
// add freshness parameter wfresh if set
- if (freshness != null && freshness.length() > 0) {
- sb.append('&').append(FederationConstants.PARAM_FRESHNESS).append('=').append(URLEncoder
- .encode(freshness,
- "UTF-8"));
+ if (freshness != null && !freshness.isEmpty()) {
+ sb.append('&').append(FederationConstants.PARAM_FRESHNESS).append('=')
+ .append(encode(freshness, UTF_8.name()));
}
// add current time parameter wct
@@ -456,18 +455,18 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
DateTimeFormatter formatter = DateUtil.getDateTimeFormatter(true);
String wct = now.atZone(ZoneOffset.UTC).format(formatter);
sb.append('&').append(FederationConstants.PARAM_CURRENT_TIME).append('=')
- .append(URLEncoder.encode(wct, "UTF-8"));
+ .append(encode(wct, UTF_8.name()));
LOG.debug("wctx={}", wctx);
- sb.append('&').append(FederationConstants.PARAM_CONTEXT).append('=');
- sb.append(URLEncoder.encode(wctx, "UTF-8"));
+ sb.append('&').append(FederationConstants.PARAM_CONTEXT).append('=')
+ .append(encode(wctx, UTF_8.name()));
// add signin query extensions
if (signInQuery != null && signInQuery.length() > 0) {
sb.append('&').append(signInQuery);
}
- redirectURL = redirectURL + "?" + sb.toString();
+ redirectURL = redirectURL + '?' + sb.toString();
} catch (Exception ex) {
LOG.error("Failed to create SignInRequest", ex);
throw new ProcessingException("Failed to create SignInRequest", ex);
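Review bot: `redirectURL = redirectURL + '?' + sb.toString();` still runs with `redirectURL` initialised to null and only assigned when `issuerURL` is non-empty (earlier hunk in this method), so unless a guard outside the visible hunks rejects an empty issuer, an unconfigured issuer produces the literal redirect target `null?wa=wsignin1.0&…` rather than an error; if no such guard exists, add `if (redirectURL == null) { throw new ProcessingException("Issuer URL is not configured"); }` before the query is appended. Separately, `if (signInQuery != null && signInQuery.length() > 0) {` in this hunk is the one emptiness test in the method not rewritten to `isEmpty()`; for consistency make it `if (signInQuery != null && !signInQuery.isEmpty()) {`. The enclosing method starts outside the hunk.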
@@ -492,7 +491,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
String issuerURL = resolveIssuer(request, config);
LOG.debug("Issuer url: {}", issuerURL);
- if (issuerURL != null && issuerURL.length() > 0) {
+ if (issuerURL != null && !issuerURL.isEmpty()) {
redirectURL = issuerURL;
}
@@ -529,16 +528,16 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
}
LOG.debug("wreply={}", logoutRedirectTo);
- sb.append('&').append(FederationConstants.PARAM_REPLY).append('=');
- sb.append(URLEncoder.encode(logoutRedirectTo, "UTF-8"));
+ sb.append('&').append(FederationConstants.PARAM_REPLY).append('=')
+ .append(encode(logoutRedirectTo, UTF_8.name()));
}
String realm = resolveWTRealm(request, config);
LOG.debug("wtrealm={}", realm);
// add wtrealm parameter
- sb.append('&').append(FederationConstants.PARAM_TREALM).append('=').append(URLEncoder
- .encode(realm, "UTF-8"));
+ sb.append('&').append(FederationConstants.PARAM_TREALM).append('=')
+ .append(encode(realm, UTF_8.name()));
String signOutQuery = resolveSignOutQuery(request, config);
LOG.debug("SignIn Query: {}", signOutQuery);
@@ -548,7 +547,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
sb.append('&').append(signOutQuery);
}
- redirectURL = redirectURL + "?" + sb.toString();
+ redirectURL = redirectURL + '?' + sb.toString();
} catch (Exception ex) {
LOG.error("Failed to create SignInRequest", ex);
throw new ProcessingException("Failed to create SignInRequest");
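Review bot: The catch block at the end of this hunk throws `new ProcessingException("Failed to create SignInRequest")` from what the surrounding code (`wreply` for `logoutRedirectTo`, `resolveSignOutQuery`) shows to be the sign-out path: the message is copied from the sign-in method and, unlike that method's catch, the caught exception is not passed as the cause, so the root error is only in the log and not on the thrown exception. Change the two lines to `LOG.error("Failed to create SignOutRequest", ex);` and `throw new ProcessingException("Failed to create SignOutRequest", ex);` (the two-argument constructor is already used by the sign-in catch). The enclosing method starts and ends outside the hunk.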
@@ -579,7 +578,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
if (sbQuery.length() > 0) {
sbQuery.append('&');
}
- sbQuery.append(entry.getKey()).append('=').append(URLEncoder.encode(entry.getValue(), "UTF-8"));
+ sbQuery.append(entry.getKey()).append('=').append(encode(entry.getValue(), UTF_8.name()));
}
signInQuery = sbQuery.toString();
}
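Review bot: Only the value side of each query extension is URL-encoded at `sbQuery.append(entry.getKey()).append('=').append(encode(entry.getValue(), UTF_8.name()))`; the key is appended raw, so a key containing `&`, `=` or non-ASCII characters corrupts the generated query string. The same line appears in the signOutQuery hunk below. Where the entries come from is outside the hunk; if the keys are operator-controlled configuration this is a robustness rather than an input-validation point, but encoding the key is cheap: `sbQuery.append(encode(entry.getKey(), UTF_8.name())).append('=').append(encode(entry.getValue(), UTF_8.name()));`. The enclosing method starts and ends outside the hunk.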
@@ -623,7 +622,7 @@ public class FederationProcessorImpl extends AbstractFedizProcessor {
if (sbQuery.length() > 0) {
sbQuery.append('&');
}
- sbQuery.append(entry.getKey()).append('=').append(URLEncoder.encode(entry.getValue(), "UTF-8"));
+ sbQuery.append(entry.getKey()).append('=').append(encode(entry.getValue(), UTF_8.name()));
}
signOutQuery = sbQuery.toString();
}
[cxf-fediz] 03/04: fediz-core: update Import-Package
Posted by bu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
buhhunyx pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit a9ee6ba1b63daa756437a5425d52d1d8bb8ddf42
Author: Alexey Markevich <bu...@gmail.com>
AuthorDate: Tue Mar 10 10:26:57 2020 +0300
fediz-core: update Import-Package
---
plugins/core/pom.xml | 2 --
1 file changed, 2 deletions(-)
diff --git a/plugins/core/pom.xml b/plugins/core/pom.xml
index b85a781..4165fc7 100644
--- a/plugins/core/pom.xml
+++ b/plugins/core/pom.xml
@@ -144,8 +144,6 @@
org.apache.wss4j.dom.*,
javax.xml.crypto.*,
org.apache.xml.security.*,
- org.bouncycastle.*;resolution:=optional,
- org.apache.jcp.xml.dsig.internal.dom.*,
org.opensaml.*;resolution:=optional,
*;resolution:=optional
</Import-Package>
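Review bot: With the trailing `*;resolution:=optional` still in place, dropping `org.apache.jcp.xml.dsig.internal.dom.*` from Import-Package does not stop the bundle from importing that package; it turns the import from mandatory into optional, so a container without the Santuario bundle would now resolve fediz-core and fail later with a NoClassDefFoundError instead of failing at resolution time. Whether fediz-core still references that package, or any bouncycastle class, is not visible in this commit; if it does, keep the explicit mandatory line, and if it does not, a short commit message note saying the references were removed would make the change self-explaining.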
[cxf-fediz] 01/04: fediz-core: update ConfigUtils
Posted by bu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
buhhunyx pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit b0c59662a9619af425bed52fdf9d1843864406b6
Author: Alexey Markevich <bu...@gmail.com>
AuthorDate: Thu Mar 5 12:09:30 2020 +0300
fediz-core: update ConfigUtils
---
.../apache/cxf/fediz/core/config/ConfigUtils.java | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/ConfigUtils.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/ConfigUtils.java
index 70b450a..2dba210 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/ConfigUtils.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/ConfigUtils.java
@@ -43,26 +43,25 @@ final class ConfigUtils {
if (cbt.getType() == null || cbt.getType().equals(ArgumentType.STRING)) {
return cbt.getValue();
} else if (cbt.getType().equals(ArgumentType.CLASS)) {
- List<Object> handler = new ArrayList<>();
- String[] cbtHandler = cbt.getValue().split(",");
+ final String[] cbtHandler = cbt.getValue().split(",");
+ // Backward compatible return handler directly if only one is configured
+ final List<Object> handlers = cbtHandler.length == 1 ? null : new ArrayList<>(cbtHandler.length);
for (String cbh : cbtHandler) {
try {
- if (classLoader == null) {
- handler.add(ClassLoaderUtils.loadClass(cbh, ConfigUtils.class).newInstance());
+ final Object handler = (classLoader == null
+ ? ClassLoaderUtils.loadClass(cbh, ConfigUtils.class)
+ : classLoader.loadClass(cbh)).getDeclaredConstructor().newInstance();
+ if (handlers != null) {
+ handlers.add(handler);
} else {
- handler.add(classLoader.loadClass(cbh).newInstance());
+ return handler;
}
} catch (Exception e) {
LOG.error("Failed to create instance of " + cbh, e);
//throw new IllegalStateException("Failed to create instance of " + cbt.getValue());
}
}
- if (handler.size() == 1) {
- // Backward compatible return handler directly if only one is configured
- return handler.get(0);
- } else {
- return handler;
- }
+ return handlers;
} else {
LOG.error("Only String and Class are supported for '{}'", name);
throw new IllegalStateException("Only String and Class are supported for '" + name + "'");
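Review bot: `return handlers;` at the end of the CLASS branch now returns null when exactly one handler class is configured and its instantiation fails (the exception is logged, the early `return handler` is never reached, and `handlers` was set to null up front), whereas the replaced code returned an empty list in that case; with two or more classes configured and one failing, the old code returned the lone surviving handler directly while the new code returns a one-element list. Callers that dispatch on the result (single handler vs. `List`) can therefore behave differently on this error path, and a null reaching a caller that expects a callback handler turns a misconfiguration into a later NullPointerException. If the error path is meant to stay best-effort, restore the old shape with `return handlers == null ? new ArrayList<Object>() : handlers;` and add a comment above the `catch` that a handler which fails to load is skipped; otherwise the commented-out `throw` is the place to fail fast. The enclosing method's signature and the `classLoader` and `name` parameters are outside the hunk.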