Repository: cxf Updated Branches: refs/heads/master b494ea0db -> cb25e7260
Some more work about making it easier for conusmer to propagate/deal with JWE or JWS Json payloads where more than one recipient is set Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cb25e726 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cb25e726 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cb25e726 Branch: refs/heads/master Commit: cb25e7260fc18158adc5bd4377829b764e66bf09 Parents: b494ea0 Author: Sergey Beryozkin <[email protected]> Authored: Tue Mar 1 17:21:23 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Mar 1 17:21:23 2016 +0000 ---------------------------------------------------------------------- .../jose/jaxrs/AbstractJweJsonDecryptingFilter.java | 14 ++++++++++++-- .../jose/jaxrs/AbstractJwsJsonReaderProvider.java | 12 ++++++++++++ .../jose/jaxrs/JwsJsonClientResponseFilter.java | 12 ++++-------- .../jose/jaxrs/JwsJsonContainerRequestFilter.java | 13 ++++--------- .../cxf/rs/security/jose/jwe/JweJsonConsumer.java | 4 +++- .../cxf/rs/security/jose/jws/JwsJsonProducer.java | 6 ------ 6 files changed, 35 insertions(+), 26 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/cb25e726/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
index c63e39d..5dc52d9 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java 
@@ -23,19 +23,29 @@ import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwe.JweJsonConsumer;
+import org.apache.cxf.rs.security.jose.jwe.JweJsonEncryptionEntry;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 public class AbstractJweJsonDecryptingFilter {
 private JweDecryptionProvider decryption;
 private String defaultMediaType;
 protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
- JweJsonConsumer jwe = new JweJsonConsumer(new String(IOUtils.readBytesFromStream(is),
+ JweJsonConsumer c = new JweJsonConsumer(new String(IOUtils.readBytesFromStream(is),
 StandardCharsets.UTF_8));
- return jwe.decryptWith(getInitializedDecryptionProvider(jwe.getProtectedHeader()));
+ JweDecryptionProvider theProvider = getInitializedDecryptionProvider(c.getProtectedHeader());
+ //TODO: support the extra properties that can be matched against per-recipient headers
+ // which will be needed if we have multiple entries with the same key encryption algorithm
+ JweJsonEncryptionEntry entry = c.getJweDecryptionEntry(theProvider);
+ JweDecryptionOutput out = c.decryptWith(theProvider, entry);
+
+ JAXRSUtils.getCurrentMessage().put(JweJsonConsumer.class, c);
+ JAXRSUtils.getCurrentMessage().put(JweJsonEncryptionEntry.class, entry);
+ return out;
 }
 protected void validateHeaders(JweHeaders headers) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/cb25e726/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
----------------------------------------------------------------------
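Review bot: The `entry` returned by `c.getJweDecryptionEntry(theProvider)` is passed straight into `c.decryptWith(theProvider, entry)` and then stored on the message with no check for the no-match case; the lookup visible in the JweJsonConsumer hunk selects by key-encryption algorithm only, and what it returns when no recipient matches is outside this diff, so a null there would surface as an NPE inside decryptWith or as a null value under the `JweJsonEncryptionEntry.class` key rather than as a clear JWE error. I would guard it right after the lookup, `if (entry == null) { throw new JweException(/* suitable JweException.Error code */); }`, so a payload with no recipient for the configured key fails the same way other JWE failures do. A short comment on the two put() calls would also help, e.g. `// expose the whole JSON consumer (all recipient entries) and the selected entry to downstream code`, since the message now carries the other recipients' encrypted keys as well. The class continues past the hunk (validateHeaders is cut off).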
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
index c2c3031..5b328e4 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
@@ -31,6 +31,8 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
@@ -94,4 +96,14 @@ public class AbstractJwsJsonReaderProvider {
 this.strictVerification = strictVerification;
 }
+ protected void validate(JwsJsonConsumer c, List<JwsSignatureVerifier> theSigVerifiers) throws JwsException {
+
+ List<JwsJsonSignatureEntry> remaining = c.verifyAndGetNonValidated(theSigVerifiers,
+ isStrictVerification());
+ if (!remaining.isEmpty()) {
+ JAXRSUtils.getCurrentMessage().put("jws.json.remaining.entries", remaining);
+ }
+ JAXRSUtils.getCurrentMessage().put(JwsJsonConsumer.class, c);
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/cb25e726/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
----------------------------------------------------------------------
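Review bot: The new protected `validate` has no Javadoc, and its contract is not obvious from the body: it throws when verification fails, but entries that no verifier validated are not rejected — they are handed to downstream code under the string key `"jws.json.remaining.entries"` while the consumer goes under `JwsJsonConsumer.class`. I would add a Javadoc stating that the remaining entries are unverified and must not be treated as authenticated, that the consumer is stored on the current message, and `@throws JwsException` for the failure case (the exact conditions live in `verifyAndGetNonValidated`, outside this diff). The same literal previously lived in JwsJsonContainerRequestFilter and anything reading it back must spell it identically, so I would hoist it, `protected static final String REMAINING_ENTRIES_PROPERTY = "jws.json.remaining.entries";`, and use the constant in the put() call. The blank line that opens the method body could go.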
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index b9550e4..dc9a352 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -29,7 +29,6 @@ import javax.ws.rs.client.ClientResponseFilter;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -39,17 +38,14 @@ public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider i
 @Override
 public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
 List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
- JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
- if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()
- || !p.verifySignatureWith(theSigVerifiers)) {
- throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
- }
- byte[] bytes = p.getDecodedJwsPayloadBytes();
+ JwsJsonConsumer c = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
+ validate(c, theSigVerifiers);
+ byte[] bytes = c.getDecodedJwsPayloadBytes();
 res.setEntityStream(new ByteArrayInputStream(bytes));
 res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
 // the list is guaranteed to be non-empty
- JwsJsonSignatureEntry sigEntry = p.getSignatureEntries().get(0);
+ JwsJsonSignatureEntry sigEntry = c.getSignatureEntries().get(0);
 String ct = JoseUtils.checkContentType(sigEntry.getUnionHeader().getContentType(),
 getDefaultMediaType());
 if (ct != null) {
 res.getHeaders().putSingle("Content-Type", ct);
http://git-wip-us.apache.org/repos/asf/cxf/blob/cb25e726/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index 1f42701..3b705a3 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
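Review bot: `c.getSignatureEntries().get(0)` still derives the Content-Type from the first signature entry, but after this change `validate` (AbstractJwsJsonReaderProvider) can succeed while leaving some entries unvalidated — it stores them as "remaining" instead of failing — so with several signatures entry 0 may be one that no configured verifier checked, and its `cty` header would then decide the Content-Type the application sees. Whether `verifyAndGetNonValidated` guarantees that the first entry is among the validated ones is outside this diff; if it does not, the selected entry should come from the validated set (for example by having `validate` return the validated entries and picking from those), and the comment `// the list is guaranteed to be non-empty` should say where that guarantee comes from. The same applies to the `sigEntry` line in the JwsJsonContainerRequestFilter hunk. The filter method continues past the end of this hunk.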
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -49,25 +49,20 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
 context.abortWith(JAXRSUtils.toResponse(400));
 return;
 }
- JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
-
+ JwsJsonConsumer c = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
 try {
- List<JwsJsonSignatureEntry> remaining = p.verifyAndGetNonValidated(theSigVerifiers,
- isStrictVerification());
- if (!remaining.isEmpty()) {
- JAXRSUtils.getCurrentMessage().put("jws.json.remaining.entries", remaining);
- }
+ validate(c, theSigVerifiers);
 } catch (JwsException ex) {
 context.abortWith(JAXRSUtils.toResponse(400));
 return;
 }
- byte[] bytes = p.getDecodedJwsPayloadBytes();
+ byte[] bytes = c.getDecodedJwsPayloadBytes();
 context.setEntityStream(new ByteArrayInputStream(bytes));
 context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
 // the list is guaranteed to be non-empty
- JwsJsonSignatureEntry sigEntry = p.getSignatureEntries().get(0);
+ JwsJsonSignatureEntry sigEntry = c.getSignatureEntries().get(0);
 String ct = JoseUtils.checkContentType(sigEntry.getUnionHeader().getContentType(),
 getDefaultMediaType());
 if (ct != null) {
 context.getHeaders().putSingle("Content-Type", ct);
http://git-wip-us.apache.org/repos/asf/cxf/blob/cb25e726/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
index 4c2a694..0d98455 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
@@ -81,7 +81,9 @@ public class JweJsonConsumer {
 return input;
 }
- private JweJsonEncryptionEntry getJweDecryptionEntry(JweDecryptionProvider jwe) {
+ public JweJsonEncryptionEntry getJweDecryptionEntry(JweDecryptionProvider jwe) {
+ //TODO: support a similar method that will check per-recipient unprotected headers
+ // which will be needed if we have multiple entries with the same key encryption algorithm
 for (Map.Entry<JweJsonEncryptionEntry, JweHeaders> entry : recipientsMap.entrySet()) {
 KeyAlgorithm keyAlgo = entry.getValue().getKeyEncryptionAlgorithm();
 if (keyAlgo != null && keyAlgo.equals(jwe.getKeyAlgorithm())
http://git-wip-us.apache.org/repos/asf/cxf/blob/cb25e726/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
index e96a630..e75e68a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
@@ -94,12 +94,6 @@ public class JwsJsonProducer {
 return signatures;
 }
- /*
- * TODO
- public MultivaluedMap<SignatureAlgorithm, JwsJsonSignatureEntry> getSignatureEntryMap() {
- return JwsUtils.getJwsJsonSignatureMap(signatures);
- }
- */
 public String signWith(List<JwsSignatureProvider> signers) {
 for (JwsSignatureProvider signer : signers) {
 signWith(signer);
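Review bot: `getJweDecryptionEntry` becomes public API in this hunk but has no Javadoc, and the only visible selection rule is `keyAlgo.equals(jwe.getKeyAlgorithm())`, so a caller cannot tell that the first recipient whose key-encryption algorithm matches the provider wins, that recipients with a null algorithm are skipped, or what is returned when nothing matches (the rest of the loop and the return are outside the hunk). I would add a Javadoc with a one-line summary, `@param jwe` described as the provider whose key algorithm is matched against each recipient header, and `@return` describing the first-match behaviour and the no-match result, and fold the two TODO lines into an `@implNote` so the limitation that several recipients sharing one algorithm are not distinguished is visible to callers rather than only to maintainers. That limitation is exactly what a caller doing multi-recipient processing needs to know before relying on the selected entry.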
