Repository: cxf Updated Branches: refs/heads/master dabf5833e -> e49c7fd65
[CXF-6487] Varios minor jose and oidc updates Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e49c7fd6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e49c7fd6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e49c7fd6 Branch: refs/heads/master Commit: e49c7fd65d6a266329188179baf7fa815e815453 Parents: dabf583 Author: Sergey Beryozkin <[email protected]> Authored: Fri Jul 10 17:14:19 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Fri Jul 10 17:14:19 2015 +0100 ---------------------------------------------------------------------- .../org/apache/cxf/common/util/StringUtils.java | 2 +- .../apache/cxf/common/util/StringUtilsTest.java | 10 +++++++++ .../apache/cxf/rs/security/jose/JoseUtils.java | 8 ++++++- .../security/jose/jwe/JweCompactConsumer.java | 6 ++--- .../cxf/rs/security/jose/jwe/JweUtils.java | 1 + .../security/jose/jws/JwsCompactConsumer.java | 5 +---- .../oidc/rp/AbstractTokenValidator.java | 23 ++++++++++---------- .../cxf/rs/security/oidc/rp/IdTokenReader.java | 2 +- .../cxf/rs/security/oidc/rp/UserInfoClient.java | 2 +- 9 files changed, 36 insertions(+), 23 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/core/src/main/java/org/apache/cxf/common/util/StringUtils.java ----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
index 8eb14f5..a8cc568 100644
--- a/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/util/StringUtils.java
@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
 public final class StringUtils {
 public static final Map<String, Pattern> PATTERN_MAP = new HashMap<String, Pattern>();
 static {
- String patterns[] = {"/", " ", ":", "," , ";", "="};
+ String patterns[] = {"/", " ", ":", "," , ";", "=", "\\."};
 for (String p : patterns) {
 PATTERN_MAP.put(p, Pattern.compile(p));
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java ----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java b/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java
index 8f725af..1e38c3a 100644
--- a/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java
+++ b/core/src/test/java/org/apache/cxf/common/util/StringUtilsTest.java
@@ -53,6 +53,16 @@ public class StringUtilsTest extends Assert {
 }
 @Test
+ public void testSplitWithDot() throws Exception {
+ String str = "a.b.c";
+ String[] parts = StringUtils.split(str, "\\.", -1);
+ assertEquals(3, parts.length);
+ assertEquals("a", parts[0]);
+ assertEquals("b", parts[1]);
+ assertEquals("c", parts[2]);
+ }
+
+ @Test
 public void testGetFound() throws Exception {
 String regex = "velocity-\\d+\\.\\d+\\.jar";
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
index 635ca76..03a379d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
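Review bot: The new `"\\."` entry leaves unstated that PATTERN_MAP is keyed by the regex literal, so a caller that passes `"."` (the natural spelling of a dot separator) misses the cache and presumably compiles `.` as match-any rather than a literal dot. A comment on the array would prevent that misuse, e.g. `// keys are regex literals: a literal dot is cached under "\\.", not "."`. The static initializer is complete within the hunk.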
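Review bot: testSplitWithDot exercises only the three-argument overload with `limit = -1`, while JoseUtils.getCompactParts in this same commit calls the two-argument `StringUtils.split(compactContent, "\\.")`, whose limit is not visible here. JwsCompactConsumer relies on a trailing dot (`a.b.`) producing exactly two parts, which `String.split` guaranteed by dropping trailing empty strings. A case calling `StringUtils.split("a.b.", "\\.")` and asserting two parts would pin the behaviour the consumer now depends on instead of leaving it implicit.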
@@ -25,6 +25,7 @@ import java.util.Set;
 import java.util.logging.Logger;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -33,7 +34,12 @@ public final class JoseUtils {
 private JoseUtils() {
 }
-
+ public static String[] getCompactParts(String compactContent) {
+ if (compactContent.startsWith("\"") && compactContent.endsWith("\"")) {
+ compactContent = compactContent.substring(1, compactContent.length() - 1);
+ }
+ return StringUtils.split(compactContent, "\\.");
+ }
 public static void setJoseContextProperty(JoseHeaders headers) {
 String context = (String)JAXRSUtils.getCurrentMessage().get(JoseConstants.JOSE_CONTEXT_PROPERTY);
 if (context != null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
index 4fb17b4..cd34c7c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
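Review bot: getCompactParts has no length guard, so the one-character input `"` satisfies both startsWith and endsWith and `substring(1, 0)` throws StringIndexOutOfBoundsException instead of letting the callers reject the input with their own JoseException/JweException; a `null` argument likewise surfaces as a NullPointerException. A length check fixes the first, `if (compactContent.length() > 1 && compactContent.startsWith("\"") && compactContent.endsWith("\""))`. The method is also a new public utility without Javadoc; it should state that it strips one pair of enclosing double quotes (a JSON-string-wrapped compact serialization) from a local copy, leaving the caller's string untouched, and then splits on literal dots.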
@@ -28,16 +28,14 @@ import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
+import org.apache.cxf.rs.security.jose.JoseUtils;
 public class JweCompactConsumer {
 protected static final Logger LOG = LogUtils.getL7dLogger(JweCompactConsumer.class);
 private JweDecryptionInput jweDecryptionInput;
 public JweCompactConsumer(String jweContent) {
- if (jweContent.startsWith("\"") && jweContent.endsWith("\"")) {
- jweContent = jweContent.substring(1, jweContent.length() - 1);
- }
- String[] parts = jweContent.split("\\.");
+ String[] parts = JoseUtils.getCompactParts(jweContent);
 if (parts.length != 5) {
 LOG.warning("5 JWE parts are expected");
 throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index bac9ba7..065091a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -625,4 +625,5 @@ public final class JweUtils {
 RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
 KeyManagementUtils.validateCertificateChain(props, certs);
 }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
index 62975a6..2f860e4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
@@ -47,10 +47,7 @@ public class JwsCompactConsumer {
 if (r != null) {
 this.reader = r;
 }
- if (encodedJws.startsWith("\"") && encodedJws.endsWith("\"")) {
- encodedJws = encodedJws.substring(1, encodedJws.length() - 1);
- }
- String[] parts = encodedJws.split("\\.");
+ String[] parts = JoseUtils.getCompactParts(encodedJws);
 if (parts.length != 3) {
 if (parts.length == 2 && encodedJws.endsWith(".")) {
 encodedSignature = "";
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 6037c53..a84dfa1 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
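Review bot: The `encodedJws.endsWith(".")` test on the line after the replacement now runs against the unstripped string, because getCompactParts strips the enclosing quotes from its own copy and the removed code's reassignment of `encodedJws` is gone; a quoted unsigned JWS such as `"a.b."` still yields two parts but ends with `"`, so it is now rejected where the old code accepted it. Either strip the quotes locally before the split or widen the check, `if (parts.length == 2 && (encodedJws.endsWith(".") || encodedJws.endsWith(".\""))) {`. Whether `a.b.` yields two parts at all now depends on the trailing-empty behaviour of the two-argument StringUtils.split, which is not visible in this commit. The constructor begins outside the hunk.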
@@ -42,9 +42,7 @@ public abstract class AbstractTokenValidator {
 private WebClient jwkSetClient;
 private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>();
- protected JwtToken getJwtToken(String wrappedJwtToken,
- String idTokenKid,
- boolean jweOnly) {
+ protected JwtToken getJwtToken(String wrappedJwtToken, boolean jweOnly) {
 if (wrappedJwtToken == null) {
 throw new SecurityException("ID Token is missing");
 }
@@ -58,7 +56,7 @@ public abstract class AbstractTokenValidator {
 JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
 JwtToken jwt = jwtConsumer.getJwtToken();
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(jwt, idTokenKid);
+ JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(jwt);
 return validateToken(jwtConsumer, jwt, theSigVerifier);
 }
@@ -115,7 +113,7 @@ public abstract class AbstractTokenValidator {
 }
 return JweUtils.loadDecryptionProvider(jweOnly);
 }
- protected JwsSignatureVerifier getInitializedSigVerifier(JwtToken jwt, String idTokenKid) {
+ protected JwsSignatureVerifier getInitializedSigVerifier(JwtToken jwt) {
 if (jwsVerifier != null) {
 return jwsVerifier;
 }
@@ -123,12 +121,13 @@ public abstract class AbstractTokenValidator {
 if (theJwsVerifier != null) {
 return theJwsVerifier;
 }
- if (jwkSetClient == null) {
- throw new SecurityException("Provider Jwk Set Client is not available");
- }
- String keyId = idTokenKid != null ? idTokenKid : jwt.getHeaders().getKeyId();
+
+ String keyId = jwt.getHeaders().getKeyId();
 JsonWebKey key = keyId != null ? keyMap.get(keyId) : null;
 if (key == null) {
+ if (jwkSetClient == null) {
+ throw new SecurityException("Provider Jwk Set Client is not available");
+ }
 JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
 if (keyId != null) {
 key = keys.getKey(keyId);
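Review bot: With `idTokenKid` gone, the verification key in getInitializedSigVerifier is selected solely by the incoming token's own header `kid`, and a `kid` that is not in keyMap triggers a `jwkSetClient.get(JsonWebKeys.class)` round-trip on every call; nothing in the hunk stores the fetched key back into keyMap (the rest of that branch is outside the hunk), so a stream of tokens with unknown key ids becomes repeated JWK-set fetches against the provider. Bounding refetches, for example a minimum interval between fetches or a short negative cache for unknown ids, would keep an unverifiable token from costing a network call each time. The method's Javadoc should also record that the key is chosen from the header `kid` and is limited to keys in the provider's JWK set, now that callers can no longer pin it.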
@@ -141,9 +140,11 @@ public abstract class AbstractTokenValidator {
 throw new SecurityException("JWK key with the key id: \"" + keyId + "\" is not available");
 }
 theJwsVerifier = JwsUtils.getSignatureVerifier(key);
- if (jwkSetClient == null) {
- throw new SecurityException();
+
+ if (theJwsVerifier == null) {
+ throw new SecurityException("JWS Verifier is not available");
 }
+
 return theJwsVerifier;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index f0305cd..ff633a1 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -40,7 +40,7 @@ public class IdTokenReader extends AbstractTokenValidator {
 return jwt;
 }
 public JwtToken getIdJwtToken(String idJwtToken, String clientId) {
- JwtToken jwt = getJwtToken(idJwtToken, null, false);
+ JwtToken jwt = getJwtToken(idJwtToken, false);
 validateJwtClaims(jwt.getClaims(), clientId, true);
 return jwt;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/e49c7fd6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 1823f12..706368b 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -52,7 +52,7 @@ public class UserInfoClient extends IdTokenReader {
 return profile;
 }
 public JwtToken getUserInfoJwt(String profileJwtToken, IdToken idToken) {
- return getJwtToken(profileJwtToken, (String)idToken.getProperty("kid"), encryptedOnly);
+ return getJwtToken(profileJwtToken, encryptedOnly);
 }
 public void validateUserInfo(UserInfo profile, IdToken idToken) {
 validateJwtClaims(profile, idToken.getAudience(), false);
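Review bot: After the change, `idToken` is no longer read anywhere in the visible body of getUserInfoJwt, so the parameter is dead while still part of the public signature; if it is kept for API compatibility, say so in a Javadoc, otherwise remove it together with its callers. Dropping the argument also means the UserInfo JWT's signing key is now resolved from its own header `kid` rather than pinned to the ID token's `kid`; if that relaxation is deliberate (the provider may rotate keys between the two responses), a one-line comment such as `// key is resolved from the UserInfo JWT header, not pinned to the ID token's kid` records the decision for the next reader.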
