Repository: cxf Updated Branches: refs/heads/master 614f040f6 -> a4e25aad7
Allow unsigned JWT tokens Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a4e25aad Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a4e25aad Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a4e25aad Branch: refs/heads/master Commit: a4e25aad7ccf45dfd53605e31c78bb1f48f87778 Parents: 614f040 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Oct 13 15:57:31 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Oct 13 15:57:31 2015 +0100 ---------------------------------------------------------------------- .../jose/common/AbstractJoseConsumer.java | 11 ++++++++++- .../security/jose/jws/JwsCompactProducer.java | 7 ++++--- .../cxf/rs/security/jose/jws/JwsUtils.java | 8 ++++++++ .../jose/jwt/AbstractJoseJwtConsumer.java | 10 ++++++++++ .../jose/jwt/AbstractJoseJwtProducer.java | 20 +++++++++++++------- 5 files changed, 45 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java index b15abce..ddf1d4f 100644 --- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java +++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/common/AbstractJoseConsumer.java 
@@ -30,10 +30,18 @@ public abstract class AbstractJoseConsumer { public void setJweDecryptor(JweDecryptionProvider jweDecryptor) { this.jweDecryptor = jweDecryptor; } + + public JweDecryptionProvider getJweDecryptor() { + return jweDecryptor; + } public void setJwsVerifier(JwsSignatureVerifier theJwsVerifier) { this.jwsVerifier = theJwsVerifier; } + + public JwsSignatureVerifier getJwsVerifier() { + return jwsVerifier; + } protected JweDecryptionProvider getInitializedDecryptionProvider() { if (jweDecryptor != null) { @@ -44,7 +52,8 @@ public abstract class AbstractJoseConsumer { protected JwsSignatureVerifier getInitializedSignatureVerifier() { if (jwsVerifier != null) { return jwsVerifier; - } + } + return JwsUtils.loadSignatureVerifier(false); } http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java index 9795c10..a74960a 100644 --- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java +++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java @@ -114,6 +114,10 @@ public class JwsCompactProducer { return getSignedEncodedJws(); } + public boolean isPlainText() { + return SignatureAlgorithm.NONE == getAlgorithm(); + } + public String setSignatureBytes(byte[] signatureOctets) { setEncodedSignature(Base64UrlUtility.encode(signatureOctets)); return getSignedEncodedJws(); 
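Review bot: The newly public `isPlainText()` in the JwsCompactProducer hunk has no Javadoc, and since it is the switch that lets a producer skip signing altogether its meaning should be stated on the method rather than inferred from the name. Suggested doc: `/** Returns true if the header algorithm is {@code none}, i.e. this JWS carries no signature and must not be treated as integrity-protected. */`. The body itself (`SignatureAlgorithm.NONE == getAlgorithm()`) is unchanged from the former private helper, so no behavioural concern here.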
@@ -122,9 +126,6 @@ public class JwsCompactProducer { private void setEncodedSignature(String sig) { this.signature = sig; } - private boolean isPlainText() { - return SignatureAlgorithm.NONE == getAlgorithm(); - } private SignatureAlgorithm getAlgorithm() { return getJwsHeaders().getSignatureAlgorithm(); } http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java index 9b07fcf..8acc6b2 100644 --- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java +++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java @@ -56,6 +56,8 @@ public final class JwsUtils { private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties"; private static final String RSSEC_REPORT_KEY_PROP = "rs.security.jws.report.public.key"; private static final String RSSEC_REPORT_KEY_ID_PROP = "rs.security.jws.report.public.key.id"; + private static final String RSSEC_SIGNATURE_ALLOW_NONE_SIGNATURE = "rs.security.jws.allow.none.signature"; + private JwsUtils() { } 
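Review bot: The new `RSSEC_SIGNATURE_ALLOW_NONE_SIGNATURE` constant in the JwsUtils hunk is undocumented, although it is the only thing standing between a consumer and accepting an unsigned token. A comment that pins its semantics and default would help the next reader: `// Opt-in (default false): accept a JWS whose "alg" header is "none", i.e. skip signature verification entirely.` The default of false is what `loadSignatureVerifier` passes to `getContextualBoolean`, so the comment is grounded in this commit.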
@@ -208,6 +210,12 @@ public final class JwsUtils { } public static JwsSignatureVerifier loadSignatureVerifier(JwsHeaders headers, boolean required) { Message m = PhaseInterceptorChain.getCurrentMessage(); + boolean allowNoneSignature = + MessageUtils.getContextualBoolean(m, RSSEC_SIGNATURE_ALLOW_NONE_SIGNATURE, false); + if (allowNoneSignature && SignatureAlgorithm.NONE.getJwaName().equals(headers.getAlgorithm())) { + return new NoneJwsSignatureVerifier(); + } + Properties props = KeyManagementUtils.loadStoreProperties(m, required, RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS); if (props == null) { http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java index f93cfb7..daea97b 100644 --- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java +++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java @@ -21,8 +21,10 @@ package org.apache.cxf.rs.security.jose.jwt; import org.apache.cxf.rs.security.jose.common.AbstractJoseConsumer; import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider; import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer; +import org.apache.cxf.rs.security.jose.jws.JwsHeaders; import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer; import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; +import org.apache.cxf.rs.security.jose.jws.JwsUtils; public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer { private boolean jwsRequired = true; 
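Review bot: The added `alg == none` check dereferences `headers` without a null guard; if the one-argument `loadSignatureVerifier(boolean)` overload (not visible here) delegates with a null `headers`, as the `AbstractJoseConsumer` hunk's `loadSignatureVerifier(false)` call suggests it might, enabling the property will turn every such call into an NPE. Suggested guard: `if (allowNoneSignature && headers != null && SignatureAlgorithm.NONE.getJwaName().equals(headers.getAlgorithm())) {`. Because this branch returns `NoneJwsSignatureVerifier` before any key material is loaded, it would also be worth emitting a debug/audit log line when it is taken, so that acceptance of an unsigned token is visible in operations. The rest of `loadSignatureVerifier` continues outside the hunk.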
@@ -73,6 +75,14 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer { return jwt; } protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) { + if (super.getJwsVerifier() != null) { + return super.getJwsVerifier(); + } + + if (jwt.getHeaders() instanceof JwsHeaders) { + return JwsUtils.loadSignatureVerifier((JwsHeaders)jwt.getHeaders(), false); + } + return super.getInitializedSignatureVerifier(); } protected void validateToken(JwtToken jwt) { http://git-wip-us.apache.org/repos/asf/cxf/blob/a4e25aad/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java index 374e5ca..a5f5c37 100644 --- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java +++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java 
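Review bot: `getInitializedSignatureVerifier(JwtToken)` now selects the verifier from the token's own headers but says nothing about why, and it calls `super.getJwsVerifier()` twice; a local would read better: `JwsSignatureVerifier configured = super.getJwsVerifier(); if (configured != null) { return configured; }`. A Javadoc along the lines of "Returns the explicitly configured verifier if set; otherwise loads one based on the token's JWS headers so that an `alg` of `none` can be honoured when `rs.security.jws.allow.none.signature` is enabled, falling back to the header-less lookup for non-JWS headers" would make the contract explicit. As before, `required` is passed as `false`, so the caller (outside this hunk) presumably still has to cope with a null result when no signature properties are configured — worth confirming.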
@@ -48,14 +48,20 @@ public abstract class AbstractJoseJwtProducer extends AbstractJoseProducer { } if (isJwsRequired()) { - if (theSigProvider == null) { - theSigProvider = getInitializedSignatureProvider(); + JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt); + if (jws.isPlainText()) { + data = jws.getSignedEncodedJws(); + } else { + if (theSigProvider == null) { + theSigProvider = getInitializedSignatureProvider(); + } + + if (theSigProvider == null) { + throw new JwtException("Unable to sign JWT"); + } + + data = jws.signWith(theSigProvider); } - if (theSigProvider == null) { - throw new JwtException("Unable to sign JWT"); - } - JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt); - data = jws.signWith(theSigProvider); if (theEncProvider != null) { data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), null); }
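Review bot: In the `isJwsRequired()` branch the decision to emit an unsigned token rests solely on `jws.isPlainText()`, i.e. on the `alg` value in the token's own headers, with no producer-side opt-in comparable to the consumer's `rs.security.jws.allow.none.signature` property; a caller that builds a JwtToken with an `alg` of `none` (deliberately or by misconfiguration) now gets an unsigned token back from a producer that is configured to require JWS. Consider gating the plain-text branch on an explicit producer setting as well, or at least documenting it on the spot: `// alg=none: no signature is applied even though JWS is "required"; the header must be set deliberately by the caller`. It would also help to confirm and document what `getSignedEncodedJws()` returns for a plain-text JWS (presumably header.payload. with an empty signature segment). The `else` block could be flattened by turning `if (jws.isPlainText())` into an early assignment followed by the provider checks. The enclosing method begins before this hunk and continues after it.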
