This is an automated email from the ASF dual-hosted git repository.
jlmonteiro pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git
The following commit(s) were added to refs/heads/master by this push:
new a9e18f1 Fix invocation handler for Principal proxy and CLaimBean
accordingly
a9e18f1 is described below
commit a9e18f153ab9679690cf87cc6227b441bd0b4abc
Author: Jean-Louis Monteiro <[email protected]>
AuthorDate: Fri May 3 15:41:10 2019 +0200
Fix invocation handler for Principal proxy and CLaimBean accordingly
---
.../apache/openejb/cdi/ManagedSecurityService.java | 35 +++++++++++++++-------
.../tomee/microprofile/jwt/cdi/ClaimBean.java | 19 ++++++++++--
2 files changed, 42 insertions(+), 12 deletions(-)
diff --git
a/container/openejb-core/src/main/java/org/apache/openejb/cdi/ManagedSecurityService.java
b/container/openejb-core/src/main/java/org/apache/openejb/cdi/ManagedSecurityService.java
index 018cc7c..12de027 100644
---
a/container/openejb-core/src/main/java/org/apache/openejb/cdi/ManagedSecurityService.java
+++
b/container/openejb-core/src/main/java/org/apache/openejb/cdi/ManagedSecurityService.java
@@ -31,6 +31,8 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.function.Supplier;
public class ManagedSecurityService implements
org.apache.webbeans.spi.SecurityService {
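Review bot: `import java.util.function.Consumer;` is added but nothing in this patch uses `Consumer`; the new `PrincipalInvocationHandler` only needs `Supplier<Principal>`. Unless `Consumer` is referenced somewhere in the file outside the hunks shown, the import is dead and should be dropped, keeping only `import java.util.function.Supplier;`. Unused imports are flagged by most checkstyle configurations and make it harder to tell what the handler actually depends on.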
@@ -77,16 +79,8 @@ public class ManagedSecurityService implements
org.apache.webbeans.spi.SecurityS
interfaceList.add(java.security.Principal.class);
}
- proxy = Principal.class.cast(Proxy.newProxyInstance(loader,
interfaceList.toArray(new Class[0]), new InvocationHandler() {
- @Override
- public Object invoke(final Object proxy, final Method method,
final Object[] args) throws Throwable {
- final Principal principal = doGetPrincipal();
- if (principal == null) {
- return null;
- }
- return method.invoke(principal, args);
- }
- }));
+ proxy = Principal.class.cast(Proxy.newProxyInstance(
+ loader, interfaceList.toArray(new Class[0]), new
PrincipalInvocationHandler(this::doGetPrincipal)));
}
}
@@ -173,4 +167,25 @@ public class ManagedSecurityService implements
org.apache.webbeans.spi.SecurityS
return delegate.doPrivilegedGetSystemProperties();
}
+ public static class PrincipalInvocationHandler implements
InvocationHandler {
+
+ private final Supplier<Principal> principalSupplier;
+
+ public PrincipalInvocationHandler(final Supplier<Principal>
principalSupplier) {
+ this.principalSupplier = principalSupplier;
+ }
+
+ @Override
+ public Object invoke(final Object proxy, final Method method, final
Object[] args) throws Throwable {
+ final Principal principal = principalSupplier.get();
+ if (principal == null) {
+ return null;
+ }
+ return method.invoke(principal, args);
+ }
+
+ public boolean isLogged() {
+ return principalSupplier.get() != null;
+ }
+ }
}
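Review bot: In `PrincipalInvocationHandler.invoke`, `method.invoke(principal, args)` rethrows whatever the real principal throws wrapped in `InvocationTargetException`, and because that is a checked exception the proxy will typically re-wrap it again as `UndeclaredThrowableException`, so a caller of the proxied `Principal` never sees the original exception type. Catch `InvocationTargetException` and rethrow `e.getCause()` (this needs `java.lang.reflect.InvocationTargetException` imported, which the patch does not add). Separately, returning `null` when no principal is present is fine for `getName()`, but `equals`/`hashCode` on a `java.lang.reflect.Proxy` are dispatched to the handler as well, and a `null` result for a primitive return type makes the proxy throw `NullPointerException` on unboxing, so either document this on the class or handle those `Object` methods explicitly. The public class also carries no Javadoc; a one-line comment such as `/** Resolves the current Principal on every call; {@link #isLogged()} reports whether the supplier currently yields one. */` would make the contract `ClaimBean` relies on explicit.
```java
@Override
public Object invoke(final Object proxy, final Method method, final Object[] args) throws Throwable {
    final Principal principal = principalSupplier.get();
    if (principal == null) {
        return null; // unauthenticated: callers must expect null (primitive-returning methods would NPE here)
    }
    try {
        return method.invoke(principal, args);
    } catch (final InvocationTargetException e) {
        // surface the principal's own exception rather than the reflective wrapper
        throw e.getCause();
    }
}
// … unchanged: constructor, isLogged() …
```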
diff --git
a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/cdi/ClaimBean.java
b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/cdi/ClaimBean.java
index 67d9067..2d6eccc 100644
--- a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/cdi/ClaimBean.java
+++ b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/cdi/ClaimBean.java
@@ -16,6 +16,7 @@
*/
package org.apache.tomee.microprofile.jwt.cdi;
+import org.apache.openejb.cdi.ManagedSecurityService;
import org.apache.xbean.propertyeditor.PropertyEditorRegistry;
import org.apache.xbean.propertyeditor.PropertyEditors;
import org.eclipse.microprofile.jwt.Claim;
@@ -42,6 +43,7 @@ import javax.json.JsonValue;
import javax.json.bind.Jsonb;
import java.lang.annotation.Annotation;
import java.lang.reflect.ParameterizedType;
+import java.lang.reflect.Proxy;
import java.lang.reflect.Type;
import java.security.Principal;
import java.util.Collection;
@@ -272,18 +274,31 @@ public class ClaimBean<T> implements Bean<T>,
PassivationCapable {
return claim.standard() == Claims.UNKNOWN ? claim.value() :
claim.standard().name();
}
+ // some JAX RS classes may have public classes. Make sure to not log
warnings when no principal exists
+ // it may be because we have a public method and we did not receive a JWT
private T getClaimValue(final String name) {
final Bean<?> bean = bm.resolve(bm.getBeans(Principal.class));
final Principal principal = Principal.class.cast(bm.getReference(bean,
Principal.class, null));
if (principal == null) {
- logger.warning(String.format("Can't retrieve claim %s. No active
principal.", name));
+ logger.fine(String.format("Can't retrieve claim %s. No active
principal.", name));
return null;
}
+ // TomEE sometimes wraps the principal with a proxy so we may have a
non null principal even if we aren't authenticated
+ // we could merge this test with previous sanity check, but it would
make it less readable
+ final boolean isProxy = Proxy.isProxyClass(principal.getClass())
+ &&
ManagedSecurityService.PrincipalInvocationHandler.class.isInstance(Proxy.getInvocationHandler(principal));
+ if (isProxy) {
+ if
(!ManagedSecurityService.PrincipalInvocationHandler.class.cast(Proxy.getInvocationHandler(principal)).isLogged())
{
+ logger.fine(String.format("Can't retrieve claim %s. No active
principal.", name));
+ return null;
+ }
+ }
+
JsonWebToken jsonWebToken = null;
if (!JsonWebToken.class.isInstance(principal)) {
- logger.warning(String.format("Can't retrieve claim %s. Active
principal is not a JWT.", name));
+ logger.fine(String.format("Can't retrieve claim %s. Active
principal is not a JWT.", name));
return null;
}
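Review bot: The new proxy check in `getClaimValue` calls `Proxy.getInvocationHandler(principal)` twice and nests two `if`s where one condition would do; hoisting the handler into a local, e.g. `final InvocationHandler handler = Proxy.isProxyClass(principal.getClass()) ? Proxy.getInvocationHandler(principal) : null;` followed by `if (handler instanceof ManagedSecurityService.PrincipalInvocationHandler && !((ManagedSecurityService.PrincipalInvocationHandler) handler).isLogged())`, reads as clearly as the current form and drops the duplicated reflective call. The comment introducing the method says "some JAX RS classes may have public classes" where the following sentence suggests "public methods" is meant. Note also that both claim-resolution failures are demoted from WARNING to FINE: the "no active principal" case is the intended public-endpoint scenario, but "active principal is not a JWT" means an authenticated request reached a `@Claim` injection point through a non-JWT mechanism, which looks like a configuration mismatch worth keeping visible at a higher level, or at least calling out in the comment so operators know it is now silent by default. The method continues past the end of this hunk.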