Posted to commits@cxf.apache.org by se...@apache.org on 2015/07/10 18:14:34 UTC
cxf git commit: [CXF-6487] Varios minor jose and oidc updates
Repository: cxf
Updated Branches:
refs/heads/master dabf5833e -> e49c7fd65
[CXF-6487] Varios minor jose and oidc updates
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e49c7fd6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e49c7fd6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e49c7fd6
Branch: refs/heads/master
Commit: e49c7fd65d6a266329188179baf7fa815e815453
Parents: dabf583
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Fri Jul 10 17:14:19 2015 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Fri Jul 10 17:14:19 2015 +0100
----------------------------------------------------------------------
.../org/apache/cxf/common/util/StringUtils.java | 2 +-
.../apache/cxf/common/util/StringUtilsTest.java | 10 +++++++++
.../apache/cxf/rs/security/jose/JoseUtils.java | 8 ++++++-
.../security/jose/jwe/JweCompactConsumer.java | 6 ++---
.../cxf/rs/security/jose/jwe/JweUtils.java | 1 +
.../security/jose/jws/JwsCompactConsumer.java | 5 +----
.../oidc/rp/AbstractTokenValidator.java | 23 ++++++++++----------
.../cxf/rs/security/oidc/rp/IdTokenReader.java | 2 +-
.../cxf/rs/security/oidc/rp/UserInfoClient.java | 2 +-
9 files changed, 36 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
index 8eb14f5..a8cc568 100644
--- a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
public final class StringUtils {
public static final Map<String, Pattern> PATTERN_MAP = new HashMap<String, Pattern>();
static {
- String patterns[] = {"/", " ", ":", "," , ";", "="};
+ String patterns[] = {"/", " ", ":", "," , ";", "=", "\\."};
for (String p : patterns) {
PATTERN_MAP.put(p, Pattern.compile(p));
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java b/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java
index 8f725af..1e38c3a 100644
--- a/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java
+++ b/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java
@@ -53,6 +53,16 @@ public class StringUtilsTest extends Assert {
}
@Test
+ public void testSplitWithDot() throws Exception {
+ String str = "a.b.c";
+ String[] parts = StringUtils.split(str, "\\.", -1);
+ assertEquals(3, parts.length);
+ assertEquals("a", parts[0]);
+ assertEquals("b", parts[1]);
+ assertEquals("c", parts[2]);
+ }
+
+ @Test
public void testGetFound() throws Exception {
String regex = "velocity-\\d+\\.\\d+\\.jar";
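Review bot: `testSplitWithDot` exercises only the three-argument overload with limit `-1`, while the caller this commit adds, `JoseUtils.getCompactParts`, uses the two-argument `StringUtils.split(compactContent, "\\.")`. The JWS consumer special-cases "two parts plus a trailing dot", so it depends on how a trailing empty segment is reported by that overload. A second case such as `String[] parts = StringUtils.split("a.b.", "\\.");` with the expected length asserted would pin that behaviour; the expected value is not stated here because the two-argument overload's body is not visible on this page.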
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
index 635ca76..03a379d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
@@ -25,6 +25,7 @@ import java.util.Set;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -33,7 +34,12 @@ public final class JoseUtils {
private JoseUtils() {
}
-
+ public static String[] getCompactParts(String compactContent) {
+ if (compactContent.startsWith("\"") && compactContent.endsWith("\"")) {
+ compactContent = compactContent.substring(1, compactContent.length() - 1);
+ }
+ return StringUtils.split(compactContent, "\\.");
+ }
public static void setJoseContextProperty(JoseHeaders headers) {
String context = (String)JAXRSUtils.getCurrentMessage().get(JoseConstants.JOSE_CONTEXT_PROPERTY);
if (context != null) {
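Review bot: `getCompactParts` throws `StringIndexOutOfBoundsException` for the one-character input `"`, because `startsWith` and `endsWith` both match the same character and `substring(1, 0)` is invalid; a null argument gives a `NullPointerException`. The argument is presumably token content received from a peer, and both `JweCompactConsumer` and `JwsCompactConsumer` now go through this helper, so malformed input surfaces as an unchecked runtime exception instead of the JOSE error the callers raise for a wrong part count. Requiring at least two characters closes the first case: `if (compactContent.length() > 1 && compactContent.startsWith("\"") && compactContent.endsWith("\"")) {`. A short Javadoc saying that one pair of surrounding double quotes is stripped before splitting on `.` would also help, since the method is public.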
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
index 4fb17b4..cd34c7c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
@@ -28,16 +28,14 @@ import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
+import org.apache.cxf.rs.security.jose.JoseUtils;
public class JweCompactConsumer {
protected static final Logger LOG = LogUtils.getL7dLogger(JweCompactConsumer.class);
private JweDecryptionInput jweDecryptionInput;
public JweCompactConsumer(String jweContent) {
- if (jweContent.startsWith("\"") && jweContent.endsWith("\"")) {
- jweContent = jweContent.substring(1, jweContent.length() - 1);
- }
- String[] parts = jweContent.split("\\.");
+ String[] parts = JoseUtils.getCompactParts(jweContent);
if (parts.length != 5) {
LOG.warning("5 JWE parts are expected");
throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index bac9ba7..065091a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -625,4 +625,5 @@ public final class JweUtils {
RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
KeyManagementUtils.validateCertificateChain(props, certs);
}
+
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
index 62975a6..2f860e4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
@@ -47,10 +47,7 @@ public class JwsCompactConsumer {
if (r != null) {
this.reader = r;
}
- if (encodedJws.startsWith("\"") && encodedJws.endsWith("\"")) {
- encodedJws = encodedJws.substring(1, encodedJws.length() - 1);
- }
- String[] parts = encodedJws.split("\\.");
+ String[] parts = JoseUtils.getCompactParts(encodedJws);
if (parts.length != 3) {
if (parts.length == 2 && encodedJws.endsWith(".")) {
encodedSignature = "";
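Review bot: The `encodedJws.endsWith(".")` test below the new call now runs against the original, still-quoted string, because the unquoting moved into `JoseUtils.getCompactParts` and `encodedJws` is no longer reassigned. A quoted compact JWS with an empty signature ends in `"` rather than `.`, so it presumably takes the rejection path where the old code took the empty-signature branch; any later use of `encodedJws` outside this hunk would also see the quotes. If rejecting that form is intended, a test should pin it; if not, the condition can accept both endings: `if (parts.length == 2 && (encodedJws.endsWith(".") || encodedJws.endsWith(".\""))) {`. The constructor starts and ends outside this hunk.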
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 6037c53..a84dfa1 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -42,9 +42,7 @@ public abstract class AbstractTokenValidator {
private WebClient jwkSetClient;
private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>();
- protected JwtToken getJwtToken(String wrappedJwtToken,
- String idTokenKid,
- boolean jweOnly) {
+ protected JwtToken getJwtToken(String wrappedJwtToken, boolean jweOnly) {
if (wrappedJwtToken == null) {
throw new SecurityException("ID Token is missing");
}
@@ -58,7 +56,7 @@ public abstract class AbstractTokenValidator {
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
JwtToken jwt = jwtConsumer.getJwtToken();
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(jwt, idTokenKid);
+ JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(jwt);
return validateToken(jwtConsumer, jwt, theSigVerifier);
}
@@ -115,7 +113,7 @@ public abstract class AbstractTokenValidator {
}
return JweUtils.loadDecryptionProvider(jweOnly);
}
- protected JwsSignatureVerifier getInitializedSigVerifier(JwtToken jwt, String idTokenKid) {
+ protected JwsSignatureVerifier getInitializedSigVerifier(JwtToken jwt) {
if (jwsVerifier != null) {
return jwsVerifier;
}
@@ -123,12 +121,13 @@ public abstract class AbstractTokenValidator {
if (theJwsVerifier != null) {
return theJwsVerifier;
}
- if (jwkSetClient == null) {
- throw new SecurityException("Provider Jwk Set Client is not available");
- }
- String keyId = idTokenKid != null ? idTokenKid : jwt.getHeaders().getKeyId();
+
+ String keyId = jwt.getHeaders().getKeyId();
JsonWebKey key = keyId != null ? keyMap.get(keyId) : null;
if (key == null) {
+ if (jwkSetClient == null) {
+ throw new SecurityException("Provider Jwk Set Client is not available");
+ }
JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
if (keyId != null) {
key = keys.getKey(keyId);
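Review bot: `keyId` is now taken only from `jwt.getHeaders().getKeyId()`, that is, from the token header before the signature has been checked, and a miss in `keyMap` goes straight to `jwkSetClient.get(JsonWebKeys.class)`. That is the normal way to select a verification key, but the block deserves a comment saying so, for example `// kid is read from the unverified header; it only selects a key from the provider's JWK set`. Whether fetched keys are stored back into `keyMap`, and whether repeated misses are throttled, is not visible because the method continues past this hunk; if neither happens, each token with an unknown `kid` costs one outbound request to the provider.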
@@ -141,9 +140,11 @@ public abstract class AbstractTokenValidator {
throw new SecurityException("JWK key with the key id: \"" + keyId + "\" is not available");
}
theJwsVerifier = JwsUtils.getSignatureVerifier(key);
- if (jwkSetClient == null) {
- throw new SecurityException();
+
+ if (theJwsVerifier == null) {
+ throw new SecurityException("JWS Verifier is not available");
}
+
return theJwsVerifier;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index f0305cd..ff633a1 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -40,7 +40,7 @@ public class IdTokenReader extends AbstractTokenValidator {
return jwt;
}
public JwtToken getIdJwtToken(String idJwtToken, String clientId) {
- JwtToken jwt = getJwtToken(idJwtToken, null, false);
+ JwtToken jwt = getJwtToken(idJwtToken, false);
validateJwtClaims(jwt.getClaims(), clientId, true);
return jwt;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 1823f12..706368b 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -52,7 +52,7 @@ public class UserInfoClient extends IdTokenReader {
return profile;
}
public JwtToken getUserInfoJwt(String profileJwtToken, IdToken idToken) {
- return getJwtToken(profileJwtToken, (String)idToken.getProperty("kid"), encryptedOnly);
+ return getJwtToken(profileJwtToken, encryptedOnly);
}
public void validateUserInfo(UserInfo profile, IdToken idToken) {
validateJwtClaims(profile, idToken.getAudience(), false);
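Review bot: The `idToken` parameter of `getUserInfoJwt` is no longer read now that the `kid` lookup on it has been dropped, so the public signature carries a dead argument. If it stays for API compatibility, say so in a Javadoc line such as `@param idToken not used for key selection; retained for compatibility`. The change also means the verification key for the UserInfo JWT is chosen from that JWT's own header rather than from the ID token's `kid` property; if tying the two together was deliberate before, the commit message or a comment should record why it is safe to drop.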