Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 5e8334b2d -> 4744117f9
Introducing a dedicated property for checking client secret algorithms
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4744117f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4744117f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4744117f
Branch: refs/heads/3.1.x-fixes
Commit: 4744117f9228e8f25cc2cba2255f6e6a516e2d2a
Parents: 5e8334b
Author: Sergey Beryozkin <[email protected]>
Authored: Fri Nov 13 16:46:39 2015 +0000
Committer: Sergey Beryozkin <[email protected]>
Committed: Fri Nov 13 16:48:30 2015 +0000
----------------------------------------------------------------------
 .../oauth2/provider/AbstractOAuthJoseJwtConsumer.java | 9 +++++++--
 .../oauth2/provider/AbstractOAuthJoseJwtProducer.java | 9 +++++++--
 .../apache/cxf/rs/security/oauth2/utils/OAuthConstants.java | 5 +++++
 3 files changed, 19 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/4744117f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
index 5d2fa3b..175346e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
@@ -31,6 +31,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer {
@@ -47,7 +48,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum
     protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) {
         if (verifyWithClientSecret) {
             Properties props = JwsUtils.loadSignatureInProperties(false);
-            SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256);
+            SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm(
+                props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM));
+            sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;
             if (AlgorithmUtils.isHmacSign(sigAlgo)) {
                 return JwsUtils.getHmacSignatureVerifier(clientSecret, sigAlgo);
             }
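Review bot: `props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM)` dereferences `props` directly, whereas the replaced `JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256)` received it as an argument; if `loadSignatureInProperties(false)` can return null when no signature properties are configured (the `false` reads as "not required"), this path now throws a NullPointerException instead of verifying with the HS256 default as before. The `sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256` fallback also cannot tell "property unset" from "property set to a name getAlgorithm did not recognise", so if getAlgorithm returns null for an unknown name, a typo in the configured algorithm is silently replaced by HS256 rather than rejected. Suggest reading the raw value first, `String algoName = props == null ? null : props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM);` then `SignatureAlgorithm sigAlgo = algoName == null ? SignatureAlgorithm.HS256 : SignatureAlgorithm.getAlgorithm(algoName);`, and treating a null result from getAlgorithm for a non-null name as a configuration error instead of a default. getInitializedSignatureVerifier continues past the end of the hunk.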
@@ -59,7 +62,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum
         if (decryptWithClientSecret) {
             SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
             Properties props = JweUtils.loadEncryptionInProperties(false);
-            ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM);
+            ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm(
+                props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM));
+            ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM;
             theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo);
         }
         return theDecryptionProvider;
http://git-wip-us.apache.org/repos/asf/cxf/blob/4744117f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
index fec38bc..5e1c870 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
@@ -32,6 +32,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProducer {
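Review bot: The content algorithm is now operator-selected while `key` on the line above is whatever `CryptoUtils.decodeSecretKey(clientSecret)` derives from the client secret, and nothing between the two lines checks that the key length matches the chosen `ctAlgo` (A128GCM and A256GCM need different AES key sizes); a mismatch would presumably only surface inside `getDirectKeyJweDecryption` or at decrypt time, with no hint that the new property is the cause. The `ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM` fallback also masks an unrecognised `client.secret.encryption.algorithm` value if getAlgorithm returns null for it, and `props.getProperty` will throw a NullPointerException if `loadEncryptionInProperties(false)` can return null when no encryption properties are configured. A why-comment after the fallback line would at least make the coupling visible: `// the key size produced by decodeSecretKey must match ctAlgo (AES-128 vs AES-256 content encryption); a mismatch is only detected at decrypt time`. The enclosing method starts before this hunk.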
@@ -47,7 +48,9 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
     protected JwsSignatureProvider getInitializedSignatureProvider(String clientSecret) {
         if (signWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
             Properties props = JwsUtils.loadSignatureOutProperties(false);
-            SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256);
+            SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm(
+                props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM));
+            sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;
             if (AlgorithmUtils.isHmacSign(sigAlgo)) {
                 return JwsUtils.getHmacSignatureProvider(clientSecret, sigAlgo);
             }
@@ -58,7 +61,9 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
         if (encryptWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
             SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
             Properties props = JweUtils.loadEncryptionOutProperties(false);
-            ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM);
+            ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm(
+                props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM));
+            ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM;
             return JweUtils.getDirectKeyJweEncryption(key, ctAlgo);
         }
         return null;
http://git-wip-us.apache.org/repos/asf/cxf/blob/4744117f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
index dea3e11..e15f85e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
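Review bot: `JwsUtils.getHmacSignatureProvider(clientSecret, sigAlgo)` presumably keys the MAC with the client secret itself, and the only guard on that secret in this hunk is `!StringUtils.isEmpty(clientSecret)`; now that HS384 or HS512 can be selected through `client.secret.signature.algorithm`, RFC 7518 §3.2 requires an HMAC key at least as long as the hash output (256, 384 or 512 bits), so a short client secret would yield a MAC weaker than the algorithm name suggests without any error at this point. Consider a comment on the method such as `// client secrets shorter than the HMAC output size (32/48/64 bytes for HS256/384/512) undermine the selected algorithm`, or enforcing a minimum secret length when a stronger algorithm is configured. As in the consumer, `sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256` also turns an unrecognised configured name into the default if getAlgorithm returns null for it, and `props.getProperty` dereferences `props` without the null handling the replaced helper may have had. getInitializedSignatureProvider continues past the end of the hunk.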
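Review bot: The HS256 and A128GCM defaults are now spelled out as literals in four separate places (both producer methods and both consumer methods) instead of being passed once to the shared JwsUtils/JweUtils helpers, so the producer and consumer defaults can drift apart with a one-sided edit, after which a token would be encrypted with one content algorithm and decrypted with another. Declaring each default next to its property name and using it on both sides, e.g. `ctAlgo = ctAlgo != null ? ctAlgo : DEFAULT_CLIENT_SECRET_CONTENT_ALGORITHM;` here and in the consumer's decryption path, keeps the two halves in step; the same applies to the HS256 literal in the signature methods. The enclosing method starts before this hunk.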
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
@@ -129,7 +129,12 @@ public final class OAuthConstants {
     // Default refresh token scope value - checked by CXF utility code
     public static final String REFRESH_TOKEN_SCOPE = "refreshToken";
+    // Client Secret (JWS) Signature Algorithm
+    public static final String CLIENT_SECRET_SIGNATURE_ALGORITHM = "client.secret.signature.algorithm";
+    // Client Secret (JWE) Encryption Algorithm
+    public static final String CLIENT_SECRET_ENCRYPTION_ALGORITHM = "client.secret.encryption.algorithm";
+    // Client Secret Encrypting Algorithm
     private OAuthConstants() {
     }
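Review bot: The last added line, `+    // Client Secret Encrypting Algorithm`, is a dangling comment with no declaration under it before the private constructor and reads like a leftover from editing; drop it. The two comments above it would be more useful if they said what the consumer and producer code actually does with these properties: the signature property is read from the JWS signature in/out properties (not from the request or the token header) and defaults to HS256 when unset, and the encryption property selects the JWE content-encryption algorithm used with the client secret as a direct key and defaults to A128GCM. E.g. `// JWS signature algorithm for tokens signed/verified with the client secret; read from the signature in/out properties, defaults to HS256 when unset` and `// JWE content encryption algorithm for tokens encrypted/decrypted with the client secret as a direct key; read from the encryption in/out properties, defaults to A128GCM when unset`.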
