Repository: cxf Updated Branches: refs/heads/3.0.x-fixes b5b9898a6 -> 1d802c274
[CXF-6085] Updating JweJsonConsumer to select the entries based on the extra properties Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1d802c27 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1d802c27 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1d802c27 Branch: refs/heads/3.0.x-fixes Commit: 1d802c2747869e217146df1dabb226207e9ff221 Parents: b5b9898 Author: Sergey Beryozkin <[email protected]> Authored: Tue Mar 1 17:41:22 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Mar 1 17:43:45 2016 +0000 ---------------------------------------------------------------------- .../jaxrs/AbstractJweJsonDecryptingFilter.java | 14 ++++++++++--- .../jaxrs/JweJsonContainerRequestFilter.java | 21 +++++++++++++------- .../rs/security/jose/jwe/JweJsonConsumer.java | 11 ++++++++-- 3 files changed, 34 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/1d802c27/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
index 5dc52d9..8bfc807 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
@@ -21,11 +21,13 @@ package org.apache.cxf.rs.security.jose.jaxrs;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.util.Map;
 
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweException;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwe.JweJsonConsumer;
 import org.apache.cxf.rs.security.jose.jwe.JweJsonEncryptionEntry;
@@ -34,13 +36,15 @@ import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 public class AbstractJweJsonDecryptingFilter {
     private JweDecryptionProvider decryption;
     private String defaultMediaType;
+    private Map<String, Object> recipientProperties;
 
     protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
         JweJsonConsumer c = new JweJsonConsumer(new String(IOUtils.readBytesFromStream(is),
                                                            StandardCharsets.UTF_8));
         JweDecryptionProvider theProvider = getInitializedDecryptionProvider(c.getProtectedHeader());
-        //TODO: support the extra properties that can be matched against per-recipient headers
-        // which will be needed if we have multiple entries with the same key encryption algorithm
-        JweJsonEncryptionEntry entry = c.getJweDecryptionEntry(theProvider);
+        JweJsonEncryptionEntry entry = c.getJweDecryptionEntry(theProvider, recipientProperties);
+        if (entry == null) {
+            throw new JweException(JweException.Error.INVALID_JSON_JWE);
+        }
         JweDecryptionOutput out = c.decryptWith(theProvider, entry);
         JAXRSUtils.getCurrentMessage().put(JweJsonConsumer.class, c);
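Review bot: The per-recipient match in `decrypt` deserves a comment saying what it does and does not guarantee: the `recipientProperties` handed to `getJweDecryptionEntry` are compared against the recipient's unprotected header, which is not covered by the JWE integrity tag, so the match only chooses which entry to attempt and the `decryptWith` call on the following line remains the authoritative check. Suggested: `// recipientProperties only select the recipient entry to try; per-recipient headers are unprotected, so decryptWith (tag verification) is what actually validates it`. The null check that throws `JweException.Error.INVALID_JSON_JWE` is a reasonable failure mode for "no matching recipient", but a one-line comment naming that case would stop the next reader from taking it for a JSON syntax error. `decrypt` continues past the end of the hunk.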
@@ -66,6 +70,10 @@ public class AbstractJweJsonDecryptingFilter {
 
     public void setDefaultMediaType(String defaultMediaType) {
         this.defaultMediaType = defaultMediaType;
+    }
+
+    public void setRecipientProperties(Map<String, Object> recipientProperties) {
+        this.recipientProperties = recipientProperties;
     }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1d802c27/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
index 1b6ab90..d0bb31f 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweJsonContainerRequestFilter.java
@@ -27,8 +27,10 @@ import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
 
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
+import org.apache.cxf.rs.security.jose.jwe.JweException;
 
 @PreMatching
 @Priority(Priorities.JWE_SERVER_READ_PRIORITY)
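Review bot: `setRecipientProperties` is a new public configuration point with no Javadoc, and nothing tells an integrator that every key/value in the map must be present in a recipient's unprotected header for that entry to be selected, nor that decryption fails with a `JweException` when no recipient matches. Suggested Javadoc: `/** Properties that a recipient's per-recipient (unprotected) header must contain for its entry to be selected; all entries must match. Decryption fails if no recipient matches. */`. The setter also keeps the caller's map by reference, so a later mutation by the caller silently changes selection for requests already in flight; copying on set would make the configuration fixed once applied (`this.recipientProperties = recipientProperties == null ? null : Collections.unmodifiableMap(new HashMap<>(recipientProperties));`, which needs the two extra `java.util` imports). The rest of the class is outside the hunk.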
@@ -38,13 +40,18 @@ public class JweJsonContainerRequestFilter extends AbstractJweJsonDecryptingFilt
         if (HttpMethod.GET.equals(context.getMethod())) {
             return;
         }
-        JweDecryptionOutput out = decrypt(context.getEntityStream());
-        byte[] bytes = out.getContent();
-        context.setEntityStream(new ByteArrayInputStream(bytes));
-        context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
-        String ct = JoseUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
-        if (ct != null) {
-            context.getHeaders().putSingle("Content-Type", ct);
+        try {
+            JweDecryptionOutput out = decrypt(context.getEntityStream());
+            byte[] bytes = out.getContent();
+            context.setEntityStream(new ByteArrayInputStream(bytes));
+            context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
+            String ct = JoseUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
+            if (ct != null) {
+                context.getHeaders().putSingle("Content-Type", ct);
+            }
+        } catch (JweException ex) {
+            context.abortWith(JAXRSUtils.toResponse(400));
+            return;
         }
     }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1d802c27/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
index 55bfde1..715760b 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
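Review bot: The `catch (JweException ex)` block discards the exception entirely, so a rejected request leaves no server-side trace of why recipient selection or decryption failed; answering the client with a bare 400 is the right thing, but the cause should be recorded through whatever logger this filter or its base class uses before `abortWith` — none is visible in the hunk, so confirm one exists. The trailing `return;` inside the catch is redundant, since nothing follows the try/catch in `filter`. If the exception is deliberately not logged, rename it `ignored` and say why, e.g. `// failure reason intentionally kept off the wire and out of the logs`. The enclosing `filter` method starts before the hunk.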
@@ -83,12 +83,19 @@ public class JweJsonConsumer {
     }
 
     public JweJsonEncryptionEntry getJweDecryptionEntry(JweDecryptionProvider jwe) {
-        //TODO: support a similar method that will check per-recipient unprotected headers
-        // which will be needed if we have multiple entries with the same key encryption algorithm
+        return getJweDecryptionEntry(jwe, null);
+    }
+
+    public JweJsonEncryptionEntry getJweDecryptionEntry(JweDecryptionProvider jwe,
+                                                        Map<String, Object> recipientProps) {
         for (Map.Entry<JweJsonEncryptionEntry, JweHeaders> entry : recipientsMap.entrySet()) {
             KeyAlgorithm keyAlgo = entry.getValue().getKeyEncryptionAlgorithm();
             if (keyAlgo != null && keyAlgo.equals(jwe.getKeyAlgorithm())
                 || keyAlgo == null && jwe.getKeyAlgorithm() == null) {
+                if (recipientProps != null
+                    && !entry.getValue().asMap().entrySet().containsAll(recipientProps.entrySet())) {
+                    continue;
+                }
                 return entry.getKey();
             }
         }
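Review bot: The new public overload `getJweDecryptionEntry(JweDecryptionProvider, Map)` has no Javadoc, and its match rule is stricter than the name suggests: `containsAll` over `entrySet()` requires each configured key to be present in the recipient's `asMap()` with an `equals`-equal value, so a configured value must have the exact runtime type the header parser produces (a configured `Integer` would not match a parsed `Long`, if that is what the parser yields — worth confirming). Suggested Javadoc: `/** Returns the first recipient entry whose key algorithm matches the provider and whose per-recipient header contains every entry of recipientProps (null means no extra filtering), or null if no entry matches. */`. The `null` result for the no-match case is what the JAX-RS filter in this commit relies on, so that part of the contract belongs in the doc. The method's fall-through return after the loop lies outside the hunk.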
