This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 40b8e7548b Revert "NIFI-15211 Replaced deprecated
setSigningKeyResolver in JwtParserBuilder for NiFi Registry (#10521)"
40b8e7548b is described below
commit 40b8e7548b63112b2d26f5befe1f5ed8b034ff01
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Nov 13 08:13:08 2025 -0600
Revert "NIFI-15211 Replaced deprecated setSigningKeyResolver in
JwtParserBuilder for NiFi Registry (#10521)"
This reverts commit 06edc1fcf80abf2452dece5aa04027e74e1b3db8.
Signed-off-by: David Handermann <[email protected]>
---
.../web/security/authentication/jwt/JwtService.java | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
index 19b960112c..030e82bb40 100644
---
a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
+++
b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
@@ -23,6 +23,7 @@ import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.MacAlgorithm;
@@ -100,18 +101,21 @@ public class JwtService {
private Jws<Claims> parseTokenFromBase64EncodedString(final String
base64EncodedToken) throws JwtException {
try {
- return Jwts.parser().keyLocator(header -> {
- if (header instanceof JwsHeader) {
- final String keyId = (String) header.get(KEY_ID_CLAIM);
+ return Jwts.parser().setSigningKeyResolver(new
SigningKeyResolverAdapter() {
+ @Override
+ public byte[] resolveSigningKeyBytes(JwsHeader header, Claims
claims) {
+ final String identity = claims.getSubject();
+
+ // Get the key based on the key id in the claims
+ final String keyId = claims.get(KEY_ID_CLAIM,
String.class);
final Key key = keyService.getKey(keyId);
// Ensure we were able to find a key that was previously
issued by this key service for this user
if (key == null || key.getKey() == null) {
- throw new UnsupportedJwtException("Unable to determine
signing key for kid: " + keyId);
+ throw new UnsupportedJwtException("Unable to determine
signing key for " + identity + " [kid: " + keyId + "]");
}
- return
Keys.hmacShaKeyFor(key.getKey().getBytes(StandardCharsets.UTF_8));
- } else {
- throw new UnsupportedJwtException("JWE is not currently
supported");
+
+ return key.getKey().getBytes(StandardCharsets.UTF_8);
}
}).build().parseSignedClaims(base64EncodedToken);
} catch (final MalformedJwtException | UnsupportedJwtException |
SignatureException | ExpiredJwtException | IllegalArgumentException e) {
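Review bot: The restored `resolveSigningKeyBytes` reads `claims.getSubject()` and the `kid` claim before the signature has been verified, and the new `UnsupportedJwtException` message concatenates both, so text chosen by an unauthenticated caller ends up in the exception message. If the catch block logs or returns that message (its body, like the rest of `parseTokenFromBase64EncodedString`, is outside this hunk), treat it as untrusted: either keep the reverted wording `"Unable to determine signing key for kid: " + keyId` or strip control characters before it reaches a log. The removed code also built the key with `Keys.hmacShaKeyFor`, which rejects secrets too short for HMAC-SHA; returning raw bytes leaves that check to the parser, which is worth confirming for this JJWT version. Because the commit brings back a deprecated API without stating why, a comment such as `// kid is stored in the claims, not the JWS header, so keyLocator cannot resolve it` above the resolver would help, assuming that is the reason for the revert.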