Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/01 15:17:28 UTC

[1/3] cxf git commit: Adding a filter to authenticate JWT Tokens for the JWT Bearer Client Authentication case

Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 3ff04d2b4 -> bd26eadf9


Adding a filter to authenticate JWT Tokens for the JWT Bearer Client Authentication case

Conflicts:
	rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/da4ea36f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/da4ea36f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/da4ea36f

Branch: refs/heads/3.0.x-fixes
Commit: da4ea36fa12b745bee1894305df45b7c451d7bab
Parents: 3ff04d2
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 1 14:02:22 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 1 14:12:20 2015 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JwtAuthenticationFilter.java     |  10 +-
 .../cxf/rs/security/jose/jwt/JwtUtils.java      |  16 +++
 rt/rs/security/oauth-parent/oauth2/pom.xml      |   2 +-
 .../oauth2/grants/jwt/AbstractJwtHandler.java   |  22 ++--
 .../oauth2/grants/jwt/JwtBearerAuthHandler.java | 111 +++++++++++++++++++
 5 files changed, 140 insertions(+), 21 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/da4ea36f/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index 4f590c9..be781b9 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -96,15 +96,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
     
     @Override
     protected void validateToken(JwtToken jwt) {
-        // If we have no issued time then we need to have an expiry
-        boolean expiredRequired = jwt.getClaims().getIssuedAt() == null;
-        JwtUtils.validateJwtExpiry(jwt.getClaims(), clockOffset, expiredRequired);
-        
-        JwtUtils.validateJwtNotBefore(jwt.getClaims(), clockOffset, false);
-        
-        // If we have no expiry then we must have an issued at
-        boolean issuedAtRequired = jwt.getClaims().getExpiryTime() == null;
-        JwtUtils.validateJwtIssuedAt(jwt.getClaims(), ttl, clockOffset, issuedAtRequired);
+        JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset);
     }
 
     public int getClockOffset() {
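Review bot: The replacement call `JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset);` drops the inline comments that explained the acceptance policy (expiry required only when issued-at is absent, and issued-at required only when expiry is absent), so a reader of this override no longer sees what the default validation accepts without opening JwtUtils. A one-line comment would keep that visible: `// exp and iat: at least one must be present; nbf is optional (see JwtUtils.validateTokenClaims)`. Judging from the removed lines the behaviour appears unchanged; only the policy moved. The enclosing class continues outside the hunk.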

http://git-wip-us.apache.org/repos/asf/cxf/blob/da4ea36f/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 4a54f49..641fbe1 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -109,6 +109,7 @@ public final class JwtUtils {
             }
         }
     }
+<<<<<<< HEAD
 
     public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset,
                                              int issuedAtRange, boolean claimsRequired) {
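Review bot: The added line `+<<<<<<< HEAD` commits an unresolved merge-conflict marker into JwtUtils.java, and the second hunk of this file adds the matching `+=======` and `+>>>>>>> c66b1a1...` lines, so the file as committed in da4ea36f cannot compile; the later commit on this page (bd26eadf, "Fixing merge") removes them again. On a fixes branch a non-compiling intermediate revision still breaks bisecting and any build that checks out this commit, so the markers should have been resolved before committing, and a pre-commit check for lines starting with `<<<<<<<` or `>>>>>>>` would have caught it. The enclosing class continues outside the hunk.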
@@ -133,4 +134,19 @@ public final class JwtUtils {
         validateJwtTimeClaims(claims, 0, 0, false);
     }
 
+=======
+    
+    public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset) {
+        // If we have no issued time then we need to have an expiry
+        boolean expiredRequired = claims.getIssuedAt() == null;
+        validateJwtExpiry(claims, clockOffset, expiredRequired);
+        
+        validateJwtNotBefore(claims, clockOffset, false);
+        
+        // If we have no expiry then we must have an issued at
+        boolean issuedAtRequired = claims.getExpiryTime() == null;
+        validateJwtIssuedAt(claims, timeToLive, clockOffset, issuedAtRequired);
+    }
+    
+>>>>>>> c66b1a1... Adding a filter to authenticate JWT Tokens for the JWT Bearer Client Authentication case
 }
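Review bot: `validateTokenClaims` is a new public entry point that encodes an acceptance policy but has no Javadoc: expiry is required only when `iat` is absent, issued-at is required only when `exp` is absent, `nbf` is passed to `validateJwtNotBefore` with required set to `false`, and `timeToLive` is only applied to the issued-at check. The OAuth2 bearer handler added in this same commit layers its own unconditional expiry check on top, which suggests this either/or rule is deliberately looser than what a bearer assertion needs; a Javadoc stating the rule, and the units of `timeToLive` and `clockOffset` (not visible in the hunk), would stop callers from assuming the helper enforces `exp` on its own. The enclosing class continues outside the hunk.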

http://git-wip-us.apache.org/repos/asf/cxf/blob/da4ea36f/rt/rs/security/oauth-parent/oauth2/pom.xml
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/pom.xml b/rt/rs/security/oauth-parent/oauth2/pom.xml
index 07aeacb..8118949 100644
--- a/rt/rs/security/oauth-parent/oauth2/pom.xml
+++ b/rt/rs/security/oauth-parent/oauth2/pom.xml
@@ -44,7 +44,7 @@
         </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-rt-rs-security-jose</artifactId>
+            <artifactId>cxf-rt-rs-security-jose-jaxrs</artifactId>
             <version>${project.version}</version>
         </dependency> 
         <dependency>

http://git-wip-us.apache.org/repos/asf/cxf/blob/da4ea36f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 4f966c2..b8c6267 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -25,6 +25,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
@@ -53,19 +54,16 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
     }
     
     protected void validateClaims(Client client, JwtClaims claims) {
+        JwtUtils.validateTokenClaims(claims, ttl, clockOffset);
+        
         validateIssuer(claims.getIssuer());
         validateSubject(client, claims.getSubject());
         validateAudience(client, claims.getAudience());
         
-        // If we have no issued time then we need to have an expiry
-        boolean expiredRequired = claims.getIssuedAt() == null;
-        JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
-        
-        JwtUtils.validateJwtNotBefore(claims, clockOffset, false);
-        
-        // If we have no expiry then we must have an issued at
-        boolean issuedAtRequired = claims.getExpiryTime() == null;
-        JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired);
+        // We must have an Expiry
+        if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
     }
 
     protected void validateIssuer(String issuer) {
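Review bot: The explicit check `if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null)` is what makes `exp` mandatory in `validateClaims`, because the `JwtUtils.validateTokenClaims` call at the top of the method only requires it when `iat` is absent; that intent deserves a comment, e.g. `// validateTokenClaims accepts iat-without-exp; the JWT bearer grant requires exp unconditionally`. Two smaller points: the check reads the claim via `getClaim(JwtConstants.CLAIM_EXPIRY)` while the helper uses `claims.getExpiryTime()`, and if `validateTokenClaims` reports an expired or malformed time claim with a different exception type than the `OAuthServiceException(OAuthConstants.INVALID_GRANT)` thrown here (its implementation is not in this hunk), the client sees different errors for a missing versus an expired `exp`, which is worth confirming and mapping at the grant-handler boundary. Moving the time-claim validation ahead of issuer/subject/audience looks behaviour-neutral since every check throws.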
@@ -75,10 +73,12 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
     }
     
     protected void validateSubject(Client client, String subject) {
-        //TODO
+        // We must have a Subject
+        if (subject == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
     }
     protected void validateAudience(Client client, String audience) {
-        //TODO
     }
     public void setSupportedIssuers(Set<String> supportedIssuers) {
         this.supportedIssuers = supportedIssuers;
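Review bot: Removing `//TODO` from `validateAudience` leaves an empty method with no indication whether audience validation is intentionally absent, so the grant now silently accepts an assertion with any `aud` (or none) unless a subclass overrides it; for a JWT bearer assertion the audience is what binds the token to this authorization server, so at minimum the method should say so: `// No default audience check; subclasses should override and match the authorization server identifier`. The new `validateSubject` check only verifies presence and ignores the `client` parameter, which may be intended (the subject can be the resource owner rather than the client), but a comment saying that would keep the next reader from reading it as a bug. Only the two method bodies are visible here; the rest of the class is outside the hunk.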

http://git-wip-us.apache.org/repos/asf/cxf/blob/da4ea36f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
new file mode 100644
index 0000000..f8c4ee5
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rs.security.oauth2.grants.jwt;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Form;
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
+import org.apache.cxf.jaxrs.utils.FormUtils;
+import org.apache.cxf.jaxrs.utils.HttpUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.jaxrs.JwtAuthenticationFilter;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.security.SecurityContext;
+
+public class JwtBearerAuthHandler extends JwtAuthenticationFilter {
+    private FormEncodingProvider<Form> provider = new FormEncodingProvider<Form>(true);
+    
+    public JwtBearerAuthHandler() {
+    }
+    
+    @Override
+    public void filter(ContainerRequestContext context) {
+        Message message = JAXRSUtils.getCurrentMessage();
+        Form form = readFormData(message);
+        MultivaluedMap<String, String> formData = form.asMap();
+        String assertionType = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_TYPE);
+        String decodedAssertionType = assertionType != null ? HttpUtils.urlDecode(assertionType) : null;
+        if (decodedAssertionType == null || !Constants.CLIENT_AUTH_JWT_BEARER.equals(decodedAssertionType)) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        
+        String assertion = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_PARAM);
+        JwtToken token = super.getJwtToken(assertion);
+        
+        String clientId = formData.getFirst(OAuthConstants.CLIENT_ID);
+        String subjectName = (String)token.getClaim(JwtConstants.CLAIM_SUBJECT);
+        if (clientId != null && !clientId.equals(subjectName)) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        message.put(OAuthConstants.CLIENT_ID, subjectName);
+        
+        formData.remove(OAuthConstants.CLIENT_ID);
+        formData.remove(Constants.CLIENT_AUTH_ASSERTION_PARAM);
+        formData.remove(Constants.CLIENT_AUTH_ASSERTION_TYPE);
+        
+        SecurityContext securityContext = configureSecurityContext(token);
+        if (securityContext != null) {
+            JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
+        }
+        
+        // restore input stream
+        try {
+            FormUtils.restoreForm(provider, form, message);
+        } catch (Exception ex) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+    }
+    
+    private Form readFormData(Message message) {
+        try {
+            return FormUtils.readForm(provider, message);
+        } catch (Exception ex) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);    
+        }
+    }
+    
+    @Override
+    protected void validateToken(JwtToken jwt) {
+        super.validateToken(jwt);
+        
+        // We must have an issuer
+        if (jwt.getClaim(JwtConstants.CLAIM_ISSUER) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
+        
+        // We must have a Subject
+        if (jwt.getClaim(JwtConstants.CLAIM_SUBJECT) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
+        
+        // We must have an Expiry
+        if (jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
+            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+        }
+    }
+    
+}
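Review bot: In `filter`, the value from `formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_PARAM)` is passed straight to `super.getJwtToken(assertion)` with no null check, so a request with the right assertion type but no assertion reaches the parent's parsing path with null; unless `getJwtToken` rejects null itself (not visible here) the failure is whatever exception falls out of parsing rather than the not-authorized response the other branches produce, and `if (assertion == null) { throw ExceptionUtils.toNotAuthorizedException(null, null); }` before that call would make it explicit. In both `catch (Exception ex)` blocks the caught exception is discarded by passing `null` as the first argument of `toNotAuthorizedException`; if that parameter is the cause, as it appears to be, passing `ex` keeps form-parsing failures diagnosable in server logs without changing what the client sees. `validateToken` duplicates the issuer/subject/expiry presence checks that `AbstractJwtHandler.validateClaims` also performs in this commit, so a shared helper would keep the two from drifting. The `provider` field is never reassigned and could be `final`.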


[3/3] cxf git commit: Fixing merge

Posted by co...@apache.org.
Fixing merge


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/bd26eadf
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/bd26eadf
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/bd26eadf

Branch: refs/heads/3.0.x-fixes
Commit: bd26eadf9990343dc7d37c8090ef16e5999c06c9
Parents: c890d32
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 1 14:17:19 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 1 14:17:19 2015 +0000

----------------------------------------------------------------------
 .../main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java  | 4 ----
 1 file changed, 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/bd26eadf/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 641fbe1..e739347 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -109,7 +109,6 @@ public final class JwtUtils {
             }
         }
     }
-<<<<<<< HEAD
 
     public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset,
                                              int issuedAtRange, boolean claimsRequired) {
@@ -134,8 +133,6 @@ public final class JwtUtils {
         validateJwtTimeClaims(claims, 0, 0, false);
     }
 
-=======
-    
     public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset) {
         // If we have no issued time then we need to have an expiry
         boolean expiredRequired = claims.getIssuedAt() == null;
@@ -148,5 +145,4 @@ public final class JwtUtils {
         validateJwtIssuedAt(claims, timeToLive, clockOffset, issuedAtRequired);
     }
     
->>>>>>> c66b1a1... Adding a filter to authenticate JWT Tokens for the JWT Bearer Client Authentication case
 }


[2/3] cxf git commit: Recording .gitmergeinfo Changes

Posted by co...@apache.org.
Recording .gitmergeinfo Changes


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c890d32b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c890d32b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c890d32b

Branch: refs/heads/3.0.x-fixes
Commit: c890d32b38fc2c74d588ca57ba23829f225d4f89
Parents: da4ea36
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Dec 1 14:12:21 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Dec 1 14:12:21 2015 +0000

----------------------------------------------------------------------
 .gitmergeinfo | 2 ++
 1 file changed, 2 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/c890d32b/.gitmergeinfo
----------------------------------------------------------------------
diff --git a/.gitmergeinfo b/.gitmergeinfo
index 50c501b..ff645de 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -286,6 +286,7 @@ B 80d7128a3ba1944a603c73e5e908d86c9bf27648
 B 8176b1b0faad2de44a4ff85083c74b5a4b74918a
 B 817727ddca9aad39a66f7001bf5f1c959dc7f581
 B 81bc682a409806567fc3485157e184e72feaf086
+B 82c4bff5276cc32490507fba4cb9d18539d41907
 B 842fade62621490a407729fa1357f043216f25e6
 B 8516661b64e630e033425b24b7af53680d1229ca
 B 857b55796dc7fc2b302e26d99f84df1712ff9c58
@@ -767,6 +768,7 @@ M c34bf7ad6bc55b6584dfd009f49a3f4eb8ececc9
 M c5548689b61809d26b20db1d08331b6988f92734
 M c55664128b1223667dedacc2011ccd5945d9c8b9
 M c5dbb84ac4e5bf73555e85ae1e65a5065393c602
+M c66b1a18100ac752e8a2fff712c01e6c682ffcd7
 M c72cac8cbd73d92a9e0264c816176c2a33dcbcf2
 M ca0a435219e82734269f2c8330f0989576f019d2
 M cda58270486b4d394b98a1a1a1d5bfcb366af2c1