Use of fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException in the Payara project (by payara):
class JwtTokenParser, method verifyAndParseSignedJWT.
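/**
 * Verifies the signature of the previously parsed {@code signedJWT} and turns its payload into a
 * {@link JsonWebTokenImpl}.
 *
 * Order of checks: algorithm allow-list, signature, then the MP-JWT required claims. The signature
 * is verified before any claim is read so that nothing taken from an unauthenticated payload
 * influences the outcome, and so that the error reported for a forged token does not reveal
 * whether its claims (issuer, expiry, principal) would otherwise have been accepted.
 *
 * @param issuer    the issuer the {@code iss} claim must match
 * @param publicKey key used to verify the signature; must be an RSA key for RS256 and an EC key
 *                  for ES256
 * @return the verified token, with the raw compact token added under the {@code raw_token} claim
 * @throws JWTProcessingException if the algorithm is not RS256/ES256, the key does not match the
 *         algorithm (or is missing), the signature is invalid, or a required claim is missing or
 *         wrong
 * @throws IllegalStateException if no SignedJWT has been parsed yet
 */
private JsonWebTokenImpl verifyAndParseSignedJWT(String issuer, PublicKey publicKey) throws JWTProcessingException {
    if (signedJWT == null) {
        throw new IllegalStateException("No parsed SignedJWT.");
    }

    // MP-JWT 1.0 4.1 alg + MP-JWT 1.0 6.1 1: only RS256 and ES256 are accepted. This allow-list
    // is what keeps "none" and the HMAC family (key-confusion) out; the key type is additionally
    // matched against the algorithm in verifySignature().
    JWSAlgorithm signAlgorithmName = signedJWT.getHeader().getAlgorithm();
    if (!signAlgorithmName.equals(RS256) && !signAlgorithmName.equals(ES256)) {
        throw new JWTProcessingException("Only RS256 or ES256 algorithms supported for JWT signing, used " + signAlgorithmName);
    }

    // MP-JWT 1.0 6.1 2: signature first, claims second.
    verifySignature(signAlgorithmName, publicKey);

    try (JsonReader reader = Json.createReader(new StringReader(signedJWT.getPayload().toString()))) {
        Map<String, JsonValue> rawClaims = new HashMap<>(reader.readObject());

        // Vendor - Process namespaced claims
        rawClaims = handleNamespacedClaims(rawClaims);

        // MP-JWT 1.0 4.1 Minimum MP-JWT Required Claims
        if (!checkRequiredClaimsPresent(rawClaims)) {
            throw new JWTProcessingException("Not all required claims present");
        }

        // MP-JWT 1.0 4.1 upn - has fallbacks (upn, then preferred_username, then sub)
        String callerPrincipalName = getCallerPrincipalName(rawClaims);
        if (callerPrincipalName == null) {
            throw new JWTProcessingException("One of upn, preferred_username or sub is required to be non null");
        }

        // MP-JWT 1.0 6.1 2
        if (!checkIssuer(rawClaims, issuer)) {
            throw new JWTProcessingException("Bad issuer");
        }
        if (!checkNotExpired(rawClaims)) {
            throw new JWTProcessingException("JWT token expired");
        }

        // Expose the compact serialization to callers (e.g. for forwarding) as the raw_token claim.
        rawClaims.put(raw_token.name(), createObjectBuilder().add("token", rawToken).build().get("token"));
        return new JsonWebTokenImpl(callerPrincipalName, rawClaims);
    }
}

/**
 * Verifies the JWS signature of {@code signedJWT} with a verifier that matches {@code alg}.
 *
 * The key is checked against the algorithm family before it is used: a null key, or an EC key
 * handed to an RS256 token (or vice versa), used to escape as an unchecked ClassCastException /
 * NullPointerException; it is now reported as a JWTProcessingException like every other rejection.
 *
 * @param alg       the token's alg header, already restricted to RS256 or ES256
 * @param publicKey the verification key
 * @throws JWTProcessingException if the key does not fit the algorithm, verification throws, or
 *         the signature does not validate
 */
private void verifySignature(JWSAlgorithm alg, PublicKey publicKey) throws JWTProcessingException {
    boolean valid;
    try {
        if (alg.equals(RS256)) {
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new JWTProcessingException("RS256 token requires an RSA public key for verification");
            }
            valid = signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        } else {
            if (!(publicKey instanceof ECPublicKey)) {
                throw new JWTProcessingException("ES256 token requires an EC public key for verification");
            }
            // ECDSAVerifier's constructor may itself throw JOSEException (e.g. unsupported curve).
            valid = signedJWT.verify(new ECDSAVerifier((ECPublicKey) publicKey));
        }
    } catch (JOSEException ex) {
        throw new JWTProcessingException("Exception during JWT signature validation", ex);
    }
    if (!valid) {
        throw new JWTProcessingException("Signature of the JWT token is invalid");
    }
}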
}
Use of fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException in the Payara project (by payara):
class JwtTokenParser, method parse.
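/**
 * Parses a bearer token (a compact JWS, or a compact JWE wrapping a JWS) and returns the verified
 * token.
 *
 * Side effects: sets the instance fields {@code rawToken}, {@code signedJWT} and
 * {@code encryptedJWT}. Both JWT fields are reset at the start so that a reused parser instance
 * never acts on a token left over from an earlier call (a stale {@code encryptedJWT} would have
 * routed a plain 3-part token down the encrypted path).
 *
 * @param bearerToken        compact serialization as received from the client (untrusted input)
 * @param encryptionRequired whether a plain JWS must be rejected (JWT Auth 1.2, requirements for
 *                           accepting signed and encrypted tokens)
 * @param publicKeyStore     source of the verification key, looked up by the token's {@code kid}
 * @param acceptedIssuer     the issuer the {@code iss} claim must match
 * @param privateKeyStore    source of the decryption key for a JWE, looked up by the JWE
 *                           {@code kid}
 * @return the verified token
 * @throws JWTProcessingException if the token is empty or malformed, has the wrong
 *         {@code typ}/{@code cty}, is not encrypted while encryption is required, or cannot be
 *         decrypted, verified or validated
 */
public JsonWebTokenImpl parse(String bearerToken, boolean encryptionRequired, JwtPublicKeyStore publicKeyStore, String acceptedIssuer, JwtPrivateKeyStore privateKeyStore) throws JWTProcessingException {
    rawToken = bearerToken;
    signedJWT = null;
    encryptedJWT = null;

    if (rawToken == null || rawToken.isEmpty()) {
        throw new JWTProcessingException("Bearer token is empty");
    }

    try {
        // Only the part count matters here (a compact JWS has 3 parts, a compact JWE has 5);
        // anything beyond the fifth dot is left to the JOSE parser to reject.
        int parts = rawToken.split("\\.", 5).length;
        String keyId;
        if (parts == 3) {
            signedJWT = SignedJWT.parse(rawToken);
            if (!checkIsSignedJWT(signedJWT)) {
                throw new JWTProcessingException("Not signed JWT, typ must be 'JWT'");
            }
            keyId = signedJWT.getHeader().getKeyID();
        } else if (parts == 5) {
            encryptedJWT = EncryptedJWT.parse(rawToken);
            if (!checkIsEncryptedJWT(encryptedJWT)) {
                throw new JWTProcessingException("Not encrypted JWT, cty must be 'JWT'");
            }
            keyId = encryptedJWT.getHeader().getKeyID();
        } else {
            // Previously this fell through to EncryptedJWT.parse and surfaced as a wrapped
            // ParseException; reject it explicitly with a clearer message.
            throw new JWTProcessingException("JWT must have 3 (signed) or 5 (encrypted) parts, found " + parts);
        }

        if (encryptedJWT == null && encryptionRequired) {
            // see JWT Auth 1.2, Requirements for accepting signed and encrypted tokens
            throw new JWTProcessingException("JWT expected to be encrypted, mp.jwt.decrypt.key.location was defined!");
        }

        PublicKey publicKey = publicKeyStore.getPublicKey(keyId);
        if (encryptedJWT == null) {
            return verifyAndParseSignedJWT(acceptedIssuer, publicKey);
        }

        // NOTE(review): the JWE's kid selects both the decryption key and the verification key for
        // the nested JWS; the nested JWS header's own kid is not consulted. Confirm this matches
        // the key-store contract before relying on multi-key deployments.
        return verifyAndParseEncryptedJWT(acceptedIssuer, publicKey, privateKeyStore.getPrivateKey(keyId));
    } catch (ParseException ex) {
        // Malformed compact serialization: surface it as the checked exception callers already
        // handle. A JWTProcessingException thrown above propagates as-is instead of being
        // re-wrapped in another JWTProcessingException, which only obscured the message.
        throw new JWTProcessingException(ex);
    }
}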
Use of fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException in the Payara project (by payara):
class JwtTokenParser, method verifyAndParseEncryptedJWT.
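/**
 * Decrypts the previously parsed {@code encryptedJWT} (JWE) and verifies the JWS it carries.
 *
 * Only RSA-OAEP is accepted as key-management algorithm; RSA1_5 (PKCS#1 v1.5 padding) is
 * deliberately not on the list. The decrypted payload must itself be a signed JWT; it is handed
 * to {@link #verifyAndParseSignedJWT} so the usual signature and claim checks apply to the inner
 * token.
 *
 * @param issuer     the issuer the inner token's {@code iss} claim must match
 * @param publicKey  key used to verify the inner JWS
 * @param privateKey key used to decrypt the JWE; must not be null
 * @return the verified inner token
 * @throws JWTProcessingException if the algorithm is not RSA-OAEP, no private key is available,
 *         decryption fails, or the payload is not a signed JWT (or fails its verification)
 * @throws IllegalStateException if no EncryptedJWT has been parsed yet
 */
private JsonWebTokenImpl verifyAndParseEncryptedJWT(String issuer, PublicKey publicKey, PrivateKey privateKey) throws JWTProcessingException {
    if (encryptedJWT == null) {
        throw new IllegalStateException("EncryptedJWT not parsed");
    }

    String algName = encryptedJWT.getHeader().getAlgorithm().getName();
    if (!RSA_OAEP.getName().equals(algName)) {
        throw new JWTProcessingException("Only RSA-OAEP algorithm is supported for JWT encryption, used " + algName);
    }

    // A missing decryption key is a configuration problem; report it as a token-processing
    // failure rather than letting the decrypter blow up with an unchecked exception.
    if (privateKey == null) {
        throw new JWTProcessingException("No private key available to decrypt the JWT");
    }

    try {
        // IllegalArgumentException is included because the decrypter is expected to reject a
        // non-RSA key that way (unchecked) — TODO confirm against the JOSE library version in use.
        encryptedJWT.decrypt(new RSADecrypter(privateKey));
    } catch (JOSEException | IllegalArgumentException ex) {
        throw new JWTProcessingException("Exception during decrypting JWT token", ex);
    }

    // The outer header's cty=JWT was checked in parse(); the decrypted payload must now actually
    // be a nested JWS. NOTE(review): the inner JWS header's typ is not checked here (only the bare
    // JWS path applies checkIsSignedJWT) — confirm against the spec before tightening.
    signedJWT = encryptedJWT.getPayload().toSignedJWT();
    if (signedJWT == null) {
        throw new JWTProcessingException("Unable to parse signed JWT.");
    }
    return verifyAndParseSignedJWT(issuer, publicKey);
}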