Repository: cxf Updated Branches: refs/heads/master c4595f21f -> 4ca438df7
Prototyping a jws jwt auth filter Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4ca438df Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4ca438df Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4ca438df Branch: refs/heads/master Commit: 4ca438df70c5773598202c5a854df06518a44b05 Parents: c4595f2 Author: Sergey Beryozkin <[email protected]> Authored: Wed Nov 19 16:34:09 2014 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Nov 19 16:34:09 2014 +0100 ---------------------------------------------------------------------- .../jose/jaxrs/JwsContainerRequestFilter.java | 16 +++-- .../jose/jaxrs/JwtJwsAuthenticationFilter.java | 68 ++++++++++++++++++++ .../jose/jaxrs/JwtTokenSecurityContext.java | 34 ++++++++++ 3 files changed, 112 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/4ca438df/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index 6ced711..1b5f5d2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -59,13 +59,17 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider impleme } } protected void validateRequestContextProperty(JwsCompactConsumer c) { - String context = (String)JAXRSUtils.getCurrentMessage().get(JWS_CONTEXT_PROPERTY); - if (context != null) { - String headerCtx = (String)c.getJoseHeaders().getHeader(JWS_CONTEXT_PROPERTY); - if (headerCtx == null || !headerCtx.equals(context)) { - throw new SecurityException(); - } + Object requestContext = JAXRSUtils.getCurrentMessage().get(JWS_CONTEXT_PROPERTY); + Object headerContext = c.getJoseHeaders().getHeader(JWS_CONTEXT_PROPERTY); + if (requestContext == null && headerContext == null) { + return; + } + if (requestContext == null && headerContext != null + || requestContext != null && headerContext == null + || !requestContext.equals(headerContext)) { + throw new SecurityException(); } + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/4ca438df/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java new file mode 100644 index 0000000..68d222f --- /dev/null +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java 
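Review bot: The three-clause null test in `validateRequestContextProperty` is harder to audit than a security check should be, and the bare `throw new SecurityException()` gives no indication of which side was missing or mismatched. The early return plus the compound condition can be collapsed to `if (requestContext == null ? headerContext != null : !requestContext.equals(headerContext)) {`, which makes the same decision as long as `equals(null)` returns false. The new code also rejects a JWS whose header carries the context property when the current message has none, which the removed lines accepted; a one-line comment such as `// both sides must agree, including when only one of them is set` would record that the tightening is intended.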
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import java.io.IOException;
+
+import javax.annotation.Priority;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import javax.ws.rs.container.PreMatching;
+import javax.ws.rs.core.HttpHeaders;
+
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.security.SecurityContext;
+
+@PreMatching
+@Priority(Priorities.JWS_SERVER_READ_PRIORITY)
+public class JwtJwsAuthenticationFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter {
+ private static final String JWS_CONTEXT_PROPERTY = "org.apache.cxf.jws.context";
+ private static final String JWT_SCHEME_PROPERTY = "JWT";
+ @Override
+ public void filter(ContainerRequestContext context) throws IOException {
+ String authHeader =
context.getHeaderString(HttpHeaders.AUTHORIZATION);
+ String[] schemeData = authHeader.split(" ");
+ if (schemeData.length != 2 || !JWT_SCHEME_PROPERTY.equals(schemeData[0])) {
+ throw new SecurityException();
+ }
+
+ JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
+ JwsJwtCompactConsumer p = new JwsJwtCompactConsumer(schemeData[1]);
+ if (!p.verifySignatureWith(theSigVerifier)) {
+ context.abortWith(JAXRSUtils.toResponse(400));
+ return;
+ }
+ Message m = JAXRSUtils.getCurrentMessage();
+ setRequestContextProperty(m, p);
+ JwtToken token = p.getJwtToken();
+ m.put(SecurityContext.class, new JwtTokenSecurityContext(token));
+
+ }
+ protected void setRequestContextProperty(Message m, JwsCompactConsumer c) {
+ Object headerContext = c.getJoseHeaders().getHeader(JWS_CONTEXT_PROPERTY);
+ if (headerContext != null) {
+ m.put(JWS_CONTEXT_PROPERTY, headerContext);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/4ca438df/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java
new file mode 100644
index 0000000..11a2c94
--- /dev/null
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java
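Review bot: `filter` in JwtJwsAuthenticationFilter dereferences `authHeader` without a null check, so a request that carries no Authorization header fails with a NullPointerException at `authHeader.split(" ")` instead of being rejected as unauthenticated; guard it first with `if (authHeader == null) { context.abortWith(JAXRSUtils.toResponse(401)); return; }`. The two rejection paths are also inconsistent: a wrong scheme throws a bare `SecurityException`, while a failed signature aborts with 400 where 401 is the usual status for a rejected credential. Once `verifySignatureWith` succeeds, the token is placed directly into the `SecurityContext`, and no expiry, not-before, issuer or audience check is visible in this hunk. Unless the consumer or the verifier enforces those claims elsewhere, a correctly signed but expired token would still establish a principal, so a claims validation step before `m.put(SecurityContext.class, ...)` is worth adding.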
@@ -0,0 +1,34 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jaxrs;
+
+import org.apache.cxf.common.security.SimpleSecurityContext;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+
+public class JwtTokenSecurityContext extends SimpleSecurityContext {
+ private JwtToken token;
+ public JwtTokenSecurityContext(JwtToken jwt) {
+ super(jwt.getClaims().getSubject());
+ this.token = jwt;
+ }
+ public JwtToken getToken() {
+ return token;
+ }
+
+}
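Review bot: The JwtTokenSecurityContext constructor passes `jwt.getClaims().getSubject()` straight to `super(...)`, so a correctly signed token with no `sub` claim produces either a principal with a null name or an exception from the superclass, depending on how `SimpleSecurityContext` treats null (not visible here). Because nothing may precede the `super(...)` call, the check belongs in a small private static helper that throws `SecurityException` with a message when the subject is absent, used as `super(subjectOf(jwt));`. The field is assigned only once and can be declared `private final JwtToken token;`. A class Javadoc should state that the principal name is the JWT subject and that this class defines no role mapping of its own.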
