Posted to commits@syncope.apache.org by co...@apache.org on 2017/06/22 16:08:38 UTC
[1/3] syncope git commit: Add a test to make sure we can't fake a JWT
Id
Repository: syncope
Updated Branches:
refs/heads/master 0e21f7c1a -> a4f351196
Add a test to make sure we can't fake a JWT Id
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/9ed7b7bb
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/9ed7b7bb
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/9ed7b7bb
Branch: refs/heads/master
Commit: 9ed7b7bb6831696d036a6afc95267ef8d5712f3d
Parents: 0e21f7c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jun 22 15:39:16 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Jun 22 15:39:16 2017 +0100
----------------------------------------------------------------------
.../org/apache/syncope/fit/core/JWTITCase.java | 45 ++++++++++++++++++++
1 file changed, 45 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/9ed7b7bb/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
index 703a706..bc1767a 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/JWTITCase.java
@@ -48,6 +48,8 @@ import org.apache.syncope.common.rest.api.service.UserSelfService;
import org.apache.syncope.fit.AbstractITCase;
import org.junit.Test;
+import com.fasterxml.uuid.Generators;
+
/**
* Some tests for JWT Tokens
*/
@@ -339,4 +341,47 @@ public class JWTITCase extends AbstractITCase {
}
}
+ @Test
+ public void testUnknownId() throws ParseException {
+ // Get an initial token
+ SyncopeClient adminClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
+ AccessTokenService accessTokenService = adminClient.getService(AccessTokenService.class);
+
+ Response response = accessTokenService.login();
+ String token = response.getHeaderString(RESTHeaders.TOKEN);
+ assertNotNull(token);
+
+ // Create a new token using an unknown Id
+ Date now = new Date();
+
+ Calendar expiry = Calendar.getInstance();
+ expiry.setTime(now);
+ expiry.add(Calendar.MINUTE, 5);
+
+ JwtClaims jwtClaims = new JwtClaims();
+ jwtClaims.setTokenId(Generators.randomBasedGenerator().generate().toString());
+ jwtClaims.setSubject("admin");
+ jwtClaims.setIssuedAt(now.getTime());
+ jwtClaims.setIssuer(JWT_ISSUER);
+ jwtClaims.setExpiryTime(expiry.getTime().getTime());
+ jwtClaims.setNotBefore(now.getTime());
+
+ JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.HS512);
+ JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
+ JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
+
+ JwsSignatureProvider jwsSignatureProvider =
+ new HmacJwsSignatureProvider(JWS_KEY.getBytes(), SignatureAlgorithm.HS512);
+ String signed = producer.signWith(jwsSignatureProvider);
+
+ SyncopeClient jwtClient = clientFactory.create(signed);
+ UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
+ try {
+ jwtUserSelfService.read();
+ fail("Failure expected on an unknown id");
+ } catch (AccessControlException ex) {
+ // expected
+ }
+ }
+
}
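Review bot: `JWS_KEY.getBytes()` on the line constructing `HmacJwsSignatureProvider` encodes the key with the platform default charset, so the HMAC key bytes the test signs with depend on the JVM's `file.encoding`; the server-side verifier configured in commit [2/3] (`#{jwsKey.getBytes()}`) has the same dependence, and the two only agree as long as both run under the same default. Pinning the charset on both sides — here `new HmacJwsSignatureProvider(JWS_KEY.getBytes(StandardCharsets.UTF_8), SignatureAlgorithm.HS512)` with a `java.nio.charset.StandardCharsets` import — makes the test deterministic across platforms. Separately, `jwtClaims.setSubject("admin")` hard-codes the subject while the login a few lines above uses `ADMIN_UNAME`; using the constant keeps the crafted token tied to the same account the test authenticated as. The property under test is that a correctly signed token whose id is not in the access-token store is rejected, which is what the commit message names, so a one-line comment such as `// signed with the real key but an unregistered token id: the server must reject it` above the `try` would make the intent explicit to the next reader.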
[2/3] syncope git commit: Changing test file to reference the jws
bytes correctly
Posted by co...@apache.org.
Changing test file to reference the jws bytes correctly
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/24f3eebf
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/24f3eebf
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/24f3eebf
Branch: refs/heads/master
Commit: 24f3eebf53aed4c380d142a879ee4bc98d702d35
Parents: 9ed7b7b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jun 22 16:09:39 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Jun 22 16:09:39 2017 +0100
----------------------------------------------------------------------
core/provisioning-java/src/test/resources/provisioningTest.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/24f3eebf/core/provisioning-java/src/test/resources/provisioningTest.xml
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/test/resources/provisioningTest.xml b/core/provisioning-java/src/test/resources/provisioningTest.xml
index b16780f..4db50f0 100644
--- a/core/provisioning-java/src/test/resources/provisioningTest.xml
+++ b/core/provisioning-java/src/test/resources/provisioningTest.xml
@@ -45,13 +45,13 @@ under the License.
<constructor-arg value="${jwsKey}"/>
</bean>
<bean id="jwsSignatureVerifier" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier">
- <constructor-arg value="${jwsKey}.bytes" index="0"/>
+ <constructor-arg value="#{jwsKey.getBytes()}" index="0"/>
<constructor-arg index="1">
<value type="org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm">HS512</value>
</constructor-arg>
</bean>
<bean id="jwsSignatureProvider" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider">
- <constructor-arg value="${jwsKey}.bytes" index="0"/>
+ <constructor-arg value="#{jwsKey.getBytes()}" index="0"/>
<constructor-arg index="1">
<value type="org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm">HS512</value>
</constructor-arg>
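Review bot: `#{jwsKey.getBytes()}` in both rewritten `constructor-arg` lines still derives the HMAC key from the platform default charset, so the signing and verifying key bytes change with the JVM's `file.encoding` rather than with the configured `jwsKey` alone. Pinning the encoding, `<constructor-arg value="#{jwsKey.getBytes('UTF-8')}" index="0"/>`, removes that dependence; the same expression appears in `securityContext.xml` in commit [3/3] and should be changed together with this one so test and production contexts agree. The `jwsSignatureProvider` bean definition closes outside the hunk.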
[3/3] syncope git commit: [SYNCOPE-1117] - Add a
"DefaultCredentialChecker" to log a warning if the default JWS key is being
used
Posted by co...@apache.org.
[SYNCOPE-1117] - Add a "DefaultCredentialChecker" to log a warning if the default JWS key is being used
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo
Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a4f35119
Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a4f35119
Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a4f35119
Branch: refs/heads/master
Commit: a4f351196912442cd54b2e4329d952cd9855ea34
Parents: 24f3eeb
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Jun 22 16:33:25 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Jun 22 16:33:25 2017 +0100
----------------------------------------------------------------------
.../java/data/AccessTokenDataBinderImpl.java | 8 +++
.../src/test/resources/provisioningTest.xml | 4 ++
.../security/DefaultCredentialChecker.java | 55 ++++++++++++++++++++
.../security/JWTAuthenticationFilter.java | 5 ++
.../src/main/resources/securityContext.xml | 6 +++
5 files changed, 78 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/a4f35119/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
index d4d8afc..13a5b93 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java
@@ -42,6 +42,7 @@ import org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder;
import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
import org.apache.syncope.core.spring.BeanUtils;
import org.apache.syncope.core.spring.security.AuthContextUtils;
+import org.apache.syncope.core.spring.security.DefaultCredentialChecker;
import org.apache.syncope.core.spring.security.Encryptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -77,10 +78,15 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
@Autowired
private EntityFactory entityFactory;
+ @Autowired
+ private DefaultCredentialChecker credentialChecker;
+
@Override
public Triple<String, String, Date> generateJWT(
final String subject, final int duration, final Map<String, Object> claims) {
+ credentialChecker.checkIsDefaultJWSKeyInUse();
+
Date now = new Date();
Date expiry = new Date(now.getTime() + 60L * 1000L * duration);
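Review bot: `credentialChecker.checkIsDefaultJWSKeyInUse()` at the top of `generateJWT` runs on every token issuance, and the same call is added in `update` (next hunk) and in the `JWTAuthenticationFilter` hunk (whose enclosing method starts outside that hunk), so a deployment left on the default key emits the warning once per login and once per authenticated request rather than once. Since the checker computes `defaultJwsKeyInUse` in its constructor, the condition is fixed for the lifetime of the context; logging once at construction, or guarding the call with a flag such as `private final AtomicBoolean warned = new AtomicBoolean();` and `if (defaultJwsKeyInUse && warned.compareAndSet(false, true)) { LOG.warn(...); }` inside the checker, would keep the signal without flooding the log or adding a log write to the authentication hot path. If per-call repetition is intended so the warning is not lost in startup output, a comment on this call saying so would help the next reader. `generateJWT` continues outside the hunk.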
@@ -156,6 +162,8 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder {
public Pair<String, Date> update(final AccessToken accessToken) {
JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken.getBody());
+ credentialChecker.checkIsDefaultJWSKeyInUse();
+
Date now = new Date();
int duration = confDAO.find("jwt.lifetime.minutes", "120").getValues().get(0).getLongValue().intValue();
Date expiry = new Date(now.getTime() + 60L * 1000L * duration);
http://git-wip-us.apache.org/repos/asf/syncope/blob/a4f35119/core/provisioning-java/src/test/resources/provisioningTest.xml
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/test/resources/provisioningTest.xml b/core/provisioning-java/src/test/resources/provisioningTest.xml
index 4db50f0..53fb6d9 100644
--- a/core/provisioning-java/src/test/resources/provisioningTest.xml
+++ b/core/provisioning-java/src/test/resources/provisioningTest.xml
@@ -56,5 +56,9 @@ under the License.
<value type="org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm">HS512</value>
</constructor-arg>
</bean>
+ <bean id="credentialChecker" class="org.apache.syncope.core.spring.security.DefaultCredentialChecker">
+ <constructor-arg value="${jwsKey}" index="0"/>
+ <constructor-arg value="${adminPassword}" index="1"/>
+ </bean>
</beans>
http://git-wip-us.apache.org/repos/asf/syncope/blob/a4f35119/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
new file mode 100644
index 0000000..3dc0ea0
--- /dev/null
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.syncope.core.spring.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This class provides some methods to check whether default credentials are being used, and
+ * logs a warning if they are.
+ */
+public class DefaultCredentialChecker {
+ private static final Logger LOG = LoggerFactory.getLogger(DefaultCredentialChecker.class);
+
+ private static final String DEFAULT_JWS_KEY = "ZW7pRixehFuNUtnY5Se47IemgMryTzazPPJ9CGX5LTCmsOJpOgHAQEuPQeV9A28f";
+ private static final String DEFAULT_ADMIN_PASSWORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8";
+ private final boolean defaultAdminPasswordInUse;
+ private final boolean defaultJwsKeyInUse;
+
+ public DefaultCredentialChecker(final String jwsKey, final String adminPassword) {
+ defaultJwsKeyInUse = DEFAULT_JWS_KEY.equals(jwsKey);
+ defaultAdminPasswordInUse = DEFAULT_ADMIN_PASSWORD.equals(adminPassword);
+ }
+
+ public void checkIsDefaultJWSKeyInUse() {
+ if (defaultJwsKeyInUse) {
+ LOG.warn("The default jwsKey property is being used. "
+ + "This must be changed to avoid a security breach!");
+ }
+ }
+
+ public void checkIsDefaultAdminPasswordInUse() {
+ if (defaultAdminPasswordInUse) {
+ LOG.warn("The default adminPassword property is being used. "
+ + "This must be changed to avoid a security breach!");
+ }
+ }
+
+}
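Review bot: `checkIsDefaultAdminPasswordInUse()` is defined but, within this commit, nothing calls it — the two wired callers (`AccessTokenDataBinderImpl` and `JWTAuthenticationFilter`) only invoke `checkIsDefaultJWSKeyInUse()` — so the admin-password half of the checker has no effect until a caller is added; if one is planned, a `TODO` naming the intended call site would make that visible. The constructor and both methods lack Javadoc, and the constructor's `adminPassword` parameter in particular needs a `@param` line stating which form (plaintext or digest) the caller must pass: it is compared against `DEFAULT_ADMIN_PASSWORD`, whose 40-hex-character shape suggests a digest, which should be confirmed against where `${adminPassword}` is defined before documenting it. The class has no extension points and holds only immutable state, so it can be `public final class DefaultCredentialChecker`, and each check method would read better with a one-line summary such as `/** Logs a warning if the configured JWS key equals the shipped default. */`.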
http://git-wip-us.apache.org/repos/asf/syncope/blob/a4f35119/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
index 44202d1..05b46f0 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
@@ -55,6 +55,9 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
@Autowired
private JwsSignatureVerifier jwsSignatureVerifier;
+ @Autowired
+ private DefaultCredentialChecker credentialChecker;
+
public void setAuthenticationEntryPoint(final AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
}
@@ -91,6 +94,8 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken);
try {
+ credentialChecker.checkIsDefaultJWSKeyInUse();
+
if (!consumer.verifySignatureWith(jwsSignatureVerifier)) {
throw new BadCredentialsException("Invalid signature found in JWT");
}
http://git-wip-us.apache.org/repos/asf/syncope/blob/a4f35119/core/spring/src/main/resources/securityContext.xml
----------------------------------------------------------------------
diff --git a/core/spring/src/main/resources/securityContext.xml b/core/spring/src/main/resources/securityContext.xml
index 2705b42..c9016fa 100644
--- a/core/spring/src/main/resources/securityContext.xml
+++ b/core/spring/src/main/resources/securityContext.xml
@@ -48,6 +48,12 @@ under the License.
<bean id="jwsKey" class="java.lang.String">
<constructor-arg value="${jwsKey}"/>
</bean>
+
+ <bean id="credentialChecker" class="org.apache.syncope.core.spring.security.DefaultCredentialChecker">
+ <constructor-arg value="${jwsKey}" index="0"/>
+ <constructor-arg value="${adminPassword}" index="1"/>
+ </bean>
+
<bean id="jwsSignatureVerifier" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier">
<constructor-arg value="#{jwsKey.getBytes()}" index="0"/>
<constructor-arg index="1">