Repository: cxf Updated Branches: refs/heads/master c8905fd54 -> 92b8fbba1
Introducing a dedicated property for checking client secret algorithms Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/92b8fbba Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/92b8fbba Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/92b8fbba Branch: refs/heads/master Commit: 92b8fbba1f1c192a26aa77e6c0bb42e7ae1d63c1 Parents: c8905fd Author: Sergey Beryozkin <[email protected]> Authored: Fri Nov 13 16:46:39 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Fri Nov 13 16:46:39 2015 +0000 ---------------------------------------------------------------------- .../oauth2/provider/AbstractOAuthJoseJwtConsumer.java | 9 +++++++-- .../oauth2/provider/AbstractOAuthJoseJwtProducer.java | 9 +++++++-- .../apache/cxf/rs/security/oauth2/utils/OAuthConstants.java | 5 +++++ 3 files changed, 19 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/92b8fbba/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
index 5d2fa3b..175346e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
@@ -31,6 +31,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer; import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; import org.apache.cxf.rt.security.crypto.CryptoUtils; public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer {
@@ -47,7 +48,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) { if (verifyWithClientSecret) { Properties props = JwsUtils.loadSignatureInProperties(false); - SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256); + SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm( props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM)); + sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256; if (AlgorithmUtils.isHmacSign(sigAlgo)) { return JwsUtils.getHmacSignatureVerifier(clientSecret, sigAlgo); }
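Review bot: The fallback on the new `sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;` line makes an unset `client.secret.signature.algorithm` and an unrecognised value look the same, so if `SignatureAlgorithm.getAlgorithm` returns null for a name it does not know (its implementation is not visible here; it may throw instead), a typo on the verifying side silently downgrades the check to HS256 instead of failing. I would apply the default only when the property is absent — `String algoName = props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM);` then `SignatureAlgorithm sigAlgo = algoName == null ? SignatureAlgorithm.HS256 : SignatureAlgorithm.getAlgorithm(algoName);` — and reject a null result for a set property rather than letting it reach `isHmacSign`. The same three added lines are repeated verbatim in AbstractOAuthJoseJwtProducer, so a shared helper in the oauth2 utils package would keep the two sides from drifting. getInitializedSignatureVerifier continues past the end of the hunk, so what a non-HMAC algorithm falls through to is outside what I can see.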
@@ -59,7 +62,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum if (decryptWithClientSecret) { SecretKey key = CryptoUtils.decodeSecretKey(clientSecret); Properties props = JweUtils.loadEncryptionInProperties(false); - ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM); + ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm( props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM)); + ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM; theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo); } return theDecryptionProvider; http://git-wip-us.apache.org/repos/asf/cxf/blob/92b8fbba/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
index fec38bc..5e1c870 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
@@ -32,6 +32,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer; import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; import org.apache.cxf.rt.security.crypto.CryptoUtils; public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProducer {
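Review bot: With `ctAlgo` now taken purely from configuration, the line `theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo);` relies on the provider to check that an incoming token's `enc` header actually equals `ctAlgo`; if the JWE layer trusts the header instead, the configured value only fixes a default and an attacker-chosen `enc` would still drive decryption with the client-secret key, which is worth confirming since that code is not visible here. The `ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM;` fallback also turns an unrecognised property value into A128GCM if `ContentAlgorithm.getAlgorithm` returns null rather than throwing; defaulting only when `props.getProperty(...)` itself returned null keeps a misconfiguration on the decrypting side visible. A short comment on the key line would help the next reader, e.g. `// the client secret is used directly as the content-encryption key; presumably it must be sized for ctAlgo — confirm in JweUtils`. The method signature sits above the hunk.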
@@ -47,7 +48,9 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc protected JwsSignatureProvider getInitializedSignatureProvider(String clientSecret) { if (signWithClientSecret && !StringUtils.isEmpty(clientSecret)) { Properties props = JwsUtils.loadSignatureOutProperties(false); - SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256); + SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm( props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM)); + sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256; if (AlgorithmUtils.isHmacSign(sigAlgo)) { return JwsUtils.getHmacSignatureProvider(clientSecret, sigAlgo); }
@@ -58,7 +61,9 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc if (encryptWithClientSecret && !StringUtils.isEmpty(clientSecret)) { SecretKey key = CryptoUtils.decodeSecretKey(clientSecret); Properties props = JweUtils.loadEncryptionOutProperties(false); - ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM); + ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm( props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM)); + ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM; return JweUtils.getDirectKeyJweEncryption(key, ctAlgo); } return null; http://git-wip-us.apache.org/repos/asf/cxf/blob/92b8fbba/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
index dea3e11..e15f85e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
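Review bot: `JwsUtils.getHmacSignatureProvider(clientSecret, sigAlgo)` now receives whichever HMAC variant the property names, but the key is still the unchanged client secret, and nothing in this hunk relates the secret's length to the chosen algorithm; RFC 7518 calls for an HMAC key at least as long as the hash output (32 bytes for HS256, 48 for HS384, 64 for HS512). Unless the JWS layer enforces that itself (not visible from here), a secret that was adequate for the old HS256 default becomes an undersized key the moment someone configures HS512, with no error that points at the property. At minimum I would record the expectation next to the lookup: `// the client secret is used directly as the HMAC key; it should be at least the hash size of sigAlgo`. Minor: the `sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;` reassignment could be folded into the declaration, and the whole lookup mirrors AbstractOAuthJoseJwtConsumer line for line. The method continues past the hunk, so the non-HMAC fall-through is outside my view.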
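Review bot: `return JweUtils.getDirectKeyJweEncryption(key, ctAlgo);` now pairs a configurable content algorithm with a key decoded from the raw client secret on the `SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);` line, so the key length and the algorithm's key size are coupled only by convention (a direct-key A128GCM needs 16 bytes, A256GCM 32, and the AES-CBC-HMAC variants twice those). If the JWE layer does not reject a mismatched key up front, a wrong `client.secret.encryption.algorithm` surfaces as a failure at token issue time whose message does not mention the property. I would validate the decoded key length against the configured algorithm when the property is set, or at least state the requirement in a comment here, e.g. `// the client secret must be exactly the key size ctAlgo expects`. The `!StringUtils.isEmpty(clientSecret)` guard above does not cover this, since it only rejects an empty secret, not a wrongly sized one.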
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
@@ -129,7 +129,12 @@ public final class OAuthConstants { // Default refresh token scope value - checked by CXF utility code public static final String REFRESH_TOKEN_SCOPE = "refreshToken"; + // Client Secret (JWS) Signature Algorithm + public static final String CLIENT_SECRET_SIGNATURE_ALGORITHM = "client.secret.signature.algorithm"; + // Client Secret (JWE) Encryption Algorithm + public static final String CLIENT_SECRET_ENCRYPTION_ALGORITHM = "client.secret.encryption.algorithm"; + // Client Secret Encrypting Algorithm private OAuthConstants() { }
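Review bot: The last added line, `+ // Client Secret Encrypting Algorithm`, is a dangling comment with no declaration beneath it — it now sits directly above the private constructor and reads like a leftover from an earlier draft of the two constants, so it should be dropped. The two remaining comments could also say what a value looks like and where it is read, since the constant names alone do not; e.g. `// JWA signature algorithm name (HS256 if unset) used when signing/verifying JWTs with the client secret; read from both the signature-out and signature-in property sets`, and the same shape for the JWE constant with `A128GCM` as the default. The producer and consumer hunks read the same property name from separate out- and in- property files, so stating explicitly that both sides must agree would save a debugging round.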
