Allow setting claims directly for JWT
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/979dc1f0 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/979dc1f0 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/979dc1f0 Branch: refs/heads/master Commit: 979dc1f02444c9b6b42187de93b5328b3ac13b20 Parents: 80f2e9f Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Oct 14 11:06:47 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Oct 14 11:06:47 2015 +0100 ---------------------------------------------------------------------- .../cxf/rs/security/jose/jwt/JwtConstants.java | 1 + .../jaxrs/JwtAuthenticationClientFilter.java | 43 ++++++++++++++++++-- 2 files changed, 41 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/979dc1f0/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java index bdbb544..d0a663d 100644 --- a/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java +++ b/rt/rs/security/jose/jose-core/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java @@ -30,6 +30,7 @@ public final class JwtConstants { public static final String CLAIM_JWT_ID = "jti"; public static final String JWT_TOKEN = "jwt.token"; + public static final String JWT_CLAIMS = "jwt.claims"; private JwtConstants() { http://git-wip-us.apache.org/repos/asf/cxf/blob/979dc1f0/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java index 3a79b84..dfb5223 100644 --- a/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java +++ b/rt/rs/security/jose/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java @@ -32,8 +32,12 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.message.Message; import org.apache.cxf.phase.PhaseInterceptorChain; import org.apache.cxf.rs.security.jose.common.JoseException; +import org.apache.cxf.rs.security.jose.common.JoseType; import org.apache.cxf.rs.security.jose.common.JoseUtils; +import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils; +import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; import org.apache.cxf.rs.security.jose.jwe.JweHeaders; +import org.apache.cxf.rs.security.jose.jws.JwsHeaders; import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer; import org.apache.cxf.rs.security.jose.jwt.JwtClaims; import org.apache.cxf.rs.security.jose.jwt.JwtConstants; @@ -56,7 +60,7 @@ public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer JwtClaims claims = new JwtClaims(); claims.setSubject(ap.getUserName()); claims.setClaim("password", ap.getPassword()); - claims.setIssuedAt(System.currentTimeMillis() / 1000); + claims.setIssuedAt(System.currentTimeMillis() / 1000L); jwt = new JwtToken(new JweHeaders(), claims); } } 
@@ -69,16 +73,49 @@ public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, authScheme + " " + data); } + protected JwtToken getJwtToken(ClientRequestContext requestContext) { // Try the filter properties first, then the message properties JwtToken token = (JwtToken)requestContext.getProperty(JwtConstants.JWT_TOKEN); + if (token == null) { + Message m = PhaseInterceptorChain.getCurrentMessage(); + token = (JwtToken)m.getContextualProperty(JwtConstants.JWT_TOKEN); + } + if (token != null) { return token; } - Message m = PhaseInterceptorChain.getCurrentMessage(); - return (JwtToken)m.getContextualProperty(JwtConstants.JWT_TOKEN); + // Otherwise check to see if we have some claims + construct the header ourselves + JwtClaims claims = (JwtClaims)requestContext.getProperty(JwtConstants.JWT_CLAIMS); + if (claims == null) { + Message m = PhaseInterceptorChain.getCurrentMessage(); + claims = (JwtClaims)m.getContextualProperty(JwtConstants.JWT_CLAIMS); + } + + if (claims != null) { + if (super.isJwsRequired()) { + JwsHeaders headers = new JwsHeaders(); + headers.setType(JoseType.JWT); + + Message m = PhaseInterceptorChain.getCurrentMessage(); + // TODO revisit this constant + String signatureAlgorithm = + (String)m.getContextualProperty("rs.security.jws.content.signature.algorithm"); + if (signatureAlgorithm == null) { + signatureAlgorithm = AlgorithmUtils.RS_SHA_256_ALGO; + } + headers.setSignatureAlgorithm(SignatureAlgorithm.getAlgorithm(signatureAlgorithm)); + + token = new JwtToken(headers, claims); + } else { + // TODO + } + } + + return token; } + protected String getContextPropertyValue() { return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)); }
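Review bot: The empty `else { // TODO }` branch in `getJwtToken` silently discards claims supplied under `JwtConstants.JWT_CLAIMS` when `isJwsRequired()` is false, so the method returns null even though the caller configured claims. Judging by the `-56,7 +60,7` hunk in this file, a null token presumably sends the caller down the `AuthorizationPolicy` path that builds claims from the user name and password; the caller is outside this hunk, so confirm. Failing loudly would be safer than a silent fallback, for example `throw new JoseException("JWT claims were supplied but a token can only be built from claims when JWS is required");` in that branch. The signature algorithm is also read from a contextual property and handed to `SignatureAlgorithm.getAlgorithm(...)` unchecked; if that lookup can return null or an unsigned algorithm for an unexpected string, the header would not reflect the intended protection, so rejecting values outside the expected set is worth adding. Each `PhaseInterceptorChain.getCurrentMessage()` result is dereferenced without a null check, which would surface as a `NullPointerException` if the filter runs without a current message.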
