Repository: syncope Updated Branches: refs/heads/master 6d7fb400d -> 227f08516
[SYNCOPE-1263] Now checking for invalid JWT string Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/227f0851 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/227f0851 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/227f0851 Branch: refs/heads/master Commit: 227f085161f3027d1ab200a07d8460f3a644b75f Parents: 6d7fb40 Author: Francesco Chicchiriccò <ilgro...@apache.org> Authored: Mon Jan 22 11:36:21 2018 +0100 Committer: Francesco Chicchiriccò <ilgro...@apache.org> Committed: Mon Jan 22 11:36:39 2018 +0100
----------------------------------------------------------------------
.../syncope/common/lib/types/StandardEntitlement.java | 4 ++-- .../core/spring/security/JWTAuthenticationFilter.java | 8 ++++++-- .../test/java/org/apache/syncope/fit/core/RESTITCase.java | 9 +++++++++ 3 files changed, 17 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/syncope/blob/227f0851/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
----------------------------------------------------------------------
diff --git a/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java b/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
index 4942037..12066f8 100644
--- a/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
+++ b/common/lib/src/main/java/org/apache/syncope/common/lib/types/StandardEntitlement.java
@@ -278,9 +278,9 @@ public final class StandardEntitlement {
 public static final String SECURITY_QUESTION_DELETE = "SECURITY_QUESTION_DELETE";
- public static final String ACCESS_TOKEN_LIST = "TASK_LIST";
+ public static final String ACCESS_TOKEN_LIST = "ACCESS_TOKEN_LIST";
- public static final String ACCESS_TOKEN_DELETE = "TASK_DELETE";
+ public static final String ACCESS_TOKEN_DELETE = "ACCESS_TOKEN_DELETE";
 public static final String IMPLEMENTATION_LIST = "IMPLEMENTATION_LIST";
http://git-wip-us.apache.org/repos/asf/syncope/blob/227f0851/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
index faf0576..8a2812d 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java
@@ -24,7 +24,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.core.HttpHeaders;
-
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
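Review bot: Before this hunk ACCESS_TOKEN_LIST and ACCESS_TOKEN_DELETE carried the strings "TASK_LIST" and "TASK_DELETE", so — assuming TASK_LIST/TASK_DELETE hold those same strings and entitlement checks compare by string value, neither of which this hunk shows — any check keyed on one of these names was also satisfied by the other, and a role granted only task entitlements could list or delete access tokens (and the reverse). The value fix is right, but nothing stops the same copy-paste collision from recurring: a unit test that gathers every `public static final String` value of StandardEntitlement via reflection and asserts they are pairwise distinct (`assertEquals(values.size(), new HashSet<>(values).size())`) would catch it at build time. Deployments whose roles relied on the old aliasing will lose access-token permissions after upgrade until "ACCESS_TOKEN_LIST"/"ACCESS_TOKEN_DELETE" are granted explicitly, which deserves a release note.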
@@ -94,10 +94,10 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
 String stringToken = parts[1];
 LOG.debug("JWT received: {}", stringToken);
- JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken);
 try {
 credentialChecker.checkIsDefaultJWSKeyInUse();
+ JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken);
 JWTSSOProvider jwtSSOProvider = dataAccessor.getJWTSSOProvider(consumer.getJwtClaims().getIssuer());
 if (!consumer.verifySignatureWith(jwtSSOProvider)) {
 throw new BadCredentialsException("Invalid signature found in JWT");
@@ -108,6 +108,10 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter {
 SecurityContextHolder.getContext().setAuthentication(authentication);
 chain.doFilter(request, response);
+ } catch (JwsException e) {
+ SecurityContextHolder.clearContext();
+ this.authenticationEntryPoint.commence(
+ request, response, new BadCredentialsException("Invalid JWT: " + stringToken, e));
 } catch (AuthenticationException e) {
 SecurityContextHolder.clearContext();
 this.authenticationEntryPoint.commence(request, response, e);
http://git-wip-us.apache.org/repos/asf/syncope/blob/227f0851/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
index 2cee05f..cc10939 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/RESTITCase.java
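Review bot: The new JwsException branch in the second hunk embeds the raw bearer token in the exception message (`"Invalid JWT: " + stringToken`) handed to authenticationEntryPoint, so the token can end up in the 401 response and in any log that records the exception message. JwsException is not limited to garbage input — a syntactically complete token that the CXF consumer rejects for some other reason would be echoed back as well — and the token is already available at debug level from the LOG.debug line in the first hunk, so a fixed message loses nothing: `request, response, new BadCredentialsException("Invalid JWT", e));`. Whether the entry point actually writes the message to the response depends on its implementation, which is not in this diff; the enclosing method starts before the first hunk and ends after the second.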
@@ -37,6 +37,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.syncope.client.lib.BasicAuthenticationHandler;
@@ -77,6 +78,14 @@ public class RESTITCase extends AbstractITCase {
 assertNotNull(e);
 }
+ // service with invalid JWT string: 401 unauthorized
+ try {
+ clientFactory.create(RandomStringUtils.random(20, true, true)).self();
+ fail();
+ } catch (AccessControlException e) {
+ assertNotNull(e);
+ }
+
 // service with good password, but no entitlements owned: 403 forbidden
 SyncopeClient goodClient = clientFactory.create("bellini", "password");
 try {
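Review bot: The new negative case in the second hunk only covers a token with no '.' separators: RandomStringUtils.random(20, true, true) yields letters and digits only, so the compact-JWS consumer rejects it before any claims or signature handling is reached. A second case built from three dot-separated random segments would exercise the JwsException path for a structurally well-formed but unverifiable token, which the JWTAuthenticationFilter change in this commit is also meant to handle. Separately, `assertNotNull(e)` inside the catch can never fail, and a bare `fail()` says nothing when it trips; `fail("invalid JWT string must be rejected")` would make a regression readable, though the surrounding blocks follow the same pattern. The enclosing test method starts outside this hunk.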