Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 47b248a25 -> ae1e17b92
[CXF-6338] Fixing a broken check in JWT bearer AbstractJwtHandler, patch from Jeffrey Samarziya applied, This closes #62
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ae1e17b9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ae1e17b9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ae1e17b9
Branch: refs/heads/3.0.x-fixes
Commit: ae1e17b925337cb1108de0b88e029874708e1f79
Parents: 47b248a
Author: Sergey Beryozkin <[email protected]>
Authored: Thu Apr 9 11:10:40 2015 +0100
Committer: Sergey Beryozkin <[email protected]>
Committed: Thu Apr 9 11:12:00 2015 +0100
----------------------------------------------------------------------
 .../oauth2/grants/jwt/AbstractJwtHandler.java | 2 +-
 .../grants/jwt/AbstractJwtHandlerTest.java | 88 ++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ae1e17b9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 5b31366..66af402 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -45,7 +45,7 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
     protected void validateSignature(JoseHeaders headers, String unsignedText, byte[] signature) {
         JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
-        if (theSigVerifier.verify(headers, unsignedText, signature)) {
+        if (!theSigVerifier.verify(headers, unsignedText, signature)) {
             throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
         }
     }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ae1e17b9/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandlerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandlerTest.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandlerTest.java
new file mode 100644
index 0000000..5ee0145
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandlerTest.java
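Review bot: `validateSignature` carries no Javadoc stating its contract, and since the defect fixed here was an inverted condition that accepted any signature the verifier rejected, the intent deserves to be explicit at the declaration: `/** Verifies the JWS signature of the assertion; the grant is rejected unless it verifies. @throws OAuthServiceException with {@code OAuthConstants.INVALID_GRANT} when verification fails. */`. Note also that a failure raised inside `verify` itself (if the configured verifier reports problems such as an unsupported algorithm by throwing rather than returning false) propagates as whatever exception the verifier raises, not as INVALID_GRANT, so callers should not assume every signature problem maps to that error code; whether the grant handler normalises such exceptions elsewhere is outside this hunk. The enclosing class `AbstractJwtHandler` continues outside the hunk.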
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.grants.jwt;
+
+import java.util.Arrays;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.easymock.EasyMockRule;
+import org.easymock.Mock;
+
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.replay;
+import static org.easymock.EasyMock.verify;
+
+import static org.junit.Assert.fail;
+
+public class AbstractJwtHandlerTest {
+    private static final String UNSIGNED_TEXT = "myUnsignedText";
+    private static final byte[] SIGNATURE = "mySignature".getBytes();
+
+    @Rule
+    //CHECKSTYLE:OFF
+    public EasyMockRule rule = new EasyMockRule(this);
+    //CHECKSTYLE:ON
+    private AbstractJwtHandler handler;
+    @Mock
+    private JwsSignatureVerifier signatureVerifier;
+    @Mock
+    private JoseHeaders headers;
+
+    @Before
+    public void setUp() {
+        handler = new AbstractJwtHandler(Arrays.asList("someGrantType")) {
+            @Override
+            public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
+                throws OAuthServiceException {
+                throw new UnsupportedOperationException("not implemented");
+            }
+        };
+        handler.setJwsVerifier(signatureVerifier);
+    }
+
+    @Test
+    public void testValidateSignatureWithValidSignature() {
+        expect(signatureVerifier.verify(headers, UNSIGNED_TEXT, SIGNATURE)).andReturn(true);
+        replay(signatureVerifier);
+        handler.validateSignature(headers, UNSIGNED_TEXT, SIGNATURE);
+        verify(signatureVerifier);
+    }
+
+    @Test
+    public void testValidateSignatureWithInvalidSignature() {
+        expect(signatureVerifier.verify(headers, UNSIGNED_TEXT, SIGNATURE)).andReturn(false);
+        replay(signatureVerifier);
+        try {
+            handler.validateSignature(headers, UNSIGNED_TEXT, SIGNATURE);
+            fail("OAuthServiceException expected");
+        } catch (OAuthServiceException expected) {
+        }
+        verify(signatureVerifier);
+    }
+}
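Review bot: The negative test `testValidateSignatureWithInvalidSignature` only checks that some `OAuthServiceException` is thrown and leaves the catch block empty; since the regression being pinned is that a failed verification must be reported as an invalid grant, the error code should be asserted as well, e.g. `assertEquals(OAuthConstants.INVALID_GRANT, expected.getError().getError());` with the matching static import, so a future change that throws the exception with a different error would still fail the test. The `SIGNATURE` fixture uses `"mySignature".getBytes()` without a charset, which depends on the platform default; `"mySignature".getBytes(StandardCharsets.UTF_8)` makes the bytes identical on every JVM configuration. The `headers` mock is given no expectations, which is consistent with the handler only passing it through to `verify` as the main-code hunk shows.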
