Posted to commits@cxf.apache.org by se...@apache.org on 2017/04/07 16:13:07 UTC
cxf git commit: Recording the cert confirmation in the access token,
with the validation work and tests to follow later on
Repository: cxf
Updated Branches:
refs/heads/master 664e761fc -> 2519863ca
Recording the cert confirmation in the access token, with the validation work and tests to follow later on
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2519863c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2519863c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2519863c
Branch: refs/heads/master
Commit: 2519863ca4d11ca1b6f3ac74361f3eaba3918690
Parents: 664e761
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Fri Apr 7 17:12:53 2017 +0100
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Fri Apr 7 17:12:53 2017 +0100
----------------------------------------------------------------------
.../apache/cxf/rs/security/jose/jwt/JwtConstants.java | 1 +
.../grants/code/AuthorizationCodeGrantHandler.java | 1 +
.../oauth2/provider/AbstractOAuthDataProvider.java | 14 ++++++++++++++
.../cxf/rs/security/oauth2/utils/JwtTokenUtils.java | 13 +++++++++++--
4 files changed, 27 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
index a9f3d7f..2f18217 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
@@ -28,6 +28,7 @@ public final class JwtConstants {
public static final String CLAIM_NOT_BEFORE = "nbf";
public static final String CLAIM_ISSUED_AT = "iat";
public static final String CLAIM_JWT_ID = "jti";
+ public static final String CLAIM_CONFIRMATION = "cnf";
public static final String JWT_TOKEN = "jwt.token";
public static final String JWT_CLAIMS = "jwt.claims";
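Review bot: The new `CLAIM_CONFIRMATION` constant carries no documentation, although it is the only entry in this group whose value is a structured object rather than a scalar. A one-line Javadoc would tell readers which specification defines it and what shape the value takes: `/** Confirmation ("cnf") claim, RFC 7800: a JSON object identifying the proof-of-possession key, e.g. an x5t#S256 certificate thumbprint. */`.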
http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 9dfd7a3..1fe42d1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -146,6 +146,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
reg.setResponseType(grant.getResponseType());
reg.setClientCodeVerifier(codeVerifier);
reg.setGrantType(OAuthConstants.CODE_RESPONSE_TYPE);
+ reg.getExtraProperties().putAll(grant.getExtraProperties());
return getDataProvider().createAccessToken(reg);
}
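Review bot: The added `putAll` copies every extra property of the stored code grant into the token registration, and `AbstractOAuthDataProvider.createAccessToken` in this same commit copies registration extra properties straight into the issued token, so anything recorded on the grant now becomes part of the access token. How the grant's extra properties are populated is not visible here; if any of them can originate from the authorization request rather than from server-side code, the copy should be limited to a known set of keys instead of a blanket `putAll`. At minimum the line deserves a comment stating the contract, `// grant extra properties are propagated into the issued token; only server-populated keys belong here`. The enclosing method starts outside the hunk.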
http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 4b0509f..22568cb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -28,7 +28,9 @@ import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -87,10 +89,22 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
at.setGrantCode(atReg.getGrantCode());
at.getExtraProperties().putAll(atReg.getExtraProperties());
+ String certCnf = null;
+ if (messageContext != null) {
+ certCnf = (String)messageContext.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
+ }
+
if (isUseJwtFormatForAccessTokens()) {
JwtClaims claims = createJwtAccessToken(at);
+ // At a later stage we will likely introduce a dedicate Confirmation bean (as it is used in POP etc)
+ if (certCnf != null) {
+ claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
+ Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf));
+ }
String jose = processJwtAccessToken(claims);
at.setTokenKey(jose);
+ } else if (certCnf != null) {
+ at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
}
return at;
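Review bot: The certificate thumbprint is read from the message context under `x5t#S256` with nothing in the hunk showing what populates that property, yet it is persisted as the token's confirmation; the binding only protects anything if the value was derived from the TLS-layer client certificate, so the read should say so, `// x5t#S256 must have been computed from the TLS-authenticated client certificate, never taken from a request header`. In the JWT branch `claims.setClaim(...)` replaces whatever `createJwtAccessToken` may already have placed under `cnf`, which looks intended but is worth a word in the existing comment. In the non-JWT branch, when `certCnf` is null a thumbprint already present in `atReg.getExtraProperties()` (copied a few lines above) is left in place, so a token can carry a confirmation that was not established by the current request; if that is not intended, the `else if` should also remove the key when no thumbprint is available. The enclosing method starts outside the hunk.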
http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
index 6afa739..8bfdf32 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
@@ -24,8 +24,10 @@ import java.util.Map;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -116,12 +118,19 @@ public final class JwtTokenUtils {
if (nonce != null) {
at.setNonce(nonce);
}
+
Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>)claims.getClaim("extra_propertirs"));
if (extraProperties != null) {
at.getExtraProperties().putAll(extraProperties);
}
-
-
+
+ // At the moment only a string 'x5#S256' cnf property is recognized
+ Map<String, Object> cnf = CastUtils.cast((Map<?, ?>)claims.getClaim(JwtConstants.CLAIM_CONFIRMATION));
+ if (cnf != null && cnf.containsKey(JoseConstants.HEADER_X509_THUMBPRINT_SHA256)) {
+ String certCnf = cnf.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256).toString();
+ at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
+ }
+
return at;
}
}
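Review bot: `cnf.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256).toString()` throws a NullPointerException when the parsed `cnf` object contains the key with a JSON null value, because `containsKey` is true in that case; the lookup should be null-checked instead: `Object thumb = cnf == null ? null : cnf.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);` `if (thumb != null) {` `at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, thumb.toString());`. Relatedly, a `cnf` claim that is not a JSON object would fail the `(Map<?, ?>)` cast with a ClassCastException rather than being rejected cleanly, depending on how the claims were parsed. The new comment also misspells the key: it should read `// At the moment only a string 'x5t#S256' cnf property is recognized`. The confirmation copied into the token's extra properties here is only as trustworthy as the signature verification performed before these claims are accepted, which is not visible in the hunk; the enclosing method starts outside it.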