
Example 6 with JwsSignatureProvider

use of org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider in project cxf by apache.

The class AbstractJwsJsonWriterProvider, method getInitializedSigProviders.

/**
 * Returns the signature providers to use, one per JWS properties location.
 * <p>
 * If {@code sigProviders} was injected up front it is returned unchanged. Otherwise one
 * provider is loaded per entry of {@code propLocs}, pairing the i-th location with the i-th
 * protected header. The freshly loaded list is not stored back into {@code sigProviders},
 * so it is rebuilt on every call.
 *
 * @param propLocs locations of the JWS properties files, resolved against the current message
 * @param protectedHeaders protected headers, index-aligned with {@code propLocs}; must hold at
 *        least as many entries, otherwise an {@link IndexOutOfBoundsException} escapes
 * @return the preconfigured providers, or the ones loaded from {@code propLocs}
 */
protected List<JwsSignatureProvider> getInitializedSigProviders(List<String> propLocs, List<JwsHeaders> protectedHeaders) {
    if (sigProviders != null) {
        return sigProviders;
    }
    final Message current = JAXRSUtils.getCurrentMessage();
    final List<JwsSignatureProvider> loaded = new LinkedList<JwsSignatureProvider>();
    int idx = 0;
    for (String location : propLocs) {
        // properties are resolved first, then the header at the same index
        final Properties props = JwsUtils.loadJwsProperties(current, location);
        final JwsHeaders headers = protectedHeaders.get(idx++);
        loaded.add(JwsUtils.loadSignatureProvider(props, headers));
    }
    return loaded;
}
Also used : Message(org.apache.cxf.message.Message) Properties(java.util.Properties) LinkedList(java.util.LinkedList) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)

Example 7 with JwsSignatureProvider

use of org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider in project cxf by apache.

The class AuthorizationGrantNegativeTest, method testJWTUnauthenticatedSignature.

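/**
 * Sends a JWT bearer grant signed with a key the token service is not expected to accept and
 * checks that no access token is issued.
 * <p>
 * The assertion is signed with the "smallkey" alias of smallkeysize.jks; the token service is
 * expected to answer with an error, so reading the body as a {@link ClientAccessToken} fails.
 * The {@link Response} and the {@link WebClient} are closed on every path so the test does not
 * leak the HTTP connection (the original left both open).
 *
 * @throws Exception on unexpected client setup failures
 */
@org.junit.Test
public void testJWTUnauthenticatedSignature() throws Exception {
    URL busFile = AuthorizationGrantNegativeTest.class.getResource("client.xml");
    String address = "https://localhost:" + PORT + "/services/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", busFile.toString());
    try {
        // Create the JWT Token
        JwtClaims claims = new JwtClaims();
        claims.setSubject("consumer-id");
        claims.setIssuer("DoubleItSTSIssuer");
        Instant now = Instant.now();
        claims.setIssuedAt(now.getEpochSecond());
        claims.setExpiryTime(now.plusSeconds(60L).getEpochSecond());
        String audience = "https://localhost:" + PORT + "/services/token";
        claims.setAudiences(Collections.singletonList(audience));
        // Sign the JWT Token with the deliberately weak test key
        Properties signingProperties = new Properties();
        signingProperties.put("rs.security.keystore.type", "jks");
        signingProperties.put("rs.security.keystore.password", "security");
        signingProperties.put("rs.security.keystore.alias", "smallkey");
        signingProperties.put("rs.security.keystore.file", "org/apache/cxf/systest/jaxrs/security/certs/smallkeysize.jks");
        signingProperties.put("rs.security.key.password", "security");
        signingProperties.put("rs.security.signature.algorithm", "RS256");
        JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
        JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
        JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
        String token = jws.signWith(sigProvider);
        // Get Access Token
        client.type("application/x-www-form-urlencoded").accept("application/json");
        client.path("token");
        Form form = new Form();
        form.param("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        form.param("assertion", token);
        form.param("client_id", "consumer-id");
        // Response is AutoCloseable: close it even when readEntity throws, which is the expected path
        try (Response response = client.post(form)) {
            response.readEntity(ClientAccessToken.class);
            fail("Failure expected on an unauthenticated token");
        } catch (Exception expected) {
            // expected: the error response does not deserialize as an access token
        }
    } finally {
        client.close();
    }
}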
Also used : Response(javax.ws.rs.core.Response) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) Form(javax.ws.rs.core.Form) Instant(java.time.Instant) Properties(java.util.Properties) WebClient(org.apache.cxf.jaxrs.client.WebClient) URL(java.net.URL) ResponseProcessingException(javax.ws.rs.client.ResponseProcessingException) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)

Example 8 with JwsSignatureProvider

use of org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider in project cxf by apache.

The class OAuth2TestUtils, method createToken.

/**
 * Builds a compact JWT for the OAuth2 system tests.
 * <p>
 * The claims always carry {@code sub} and {@code iat}; {@code iss} and {@code aud} are only set
 * when the corresponding argument is non-null, and {@code exp} (60 seconds ahead) only when
 * {@code expiry} is true. With {@code sign} the token is RS256-signed with the "alice" key of
 * keys/alice.jks; without it the token is serialised with {@code alg=none}.
 *
 * @param issuer issuer claim, or null to omit it
 * @param subject subject claim
 * @param audience single audience, or null to omit the claim
 * @param expiry whether to add an expiry one minute in the future
 * @param sign whether to sign with the test keystore or emit an unsigned token
 * @return the serialised compact JWS
 */
public static String createToken(String issuer, String subject, String audience, boolean expiry, boolean sign) {
    final JwtClaims claims = new JwtClaims();
    claims.setSubject(subject);
    if (issuer != null) {
        claims.setIssuer(issuer);
    }
    final Instant issuedAt = Instant.now();
    claims.setIssuedAt(issuedAt.getEpochSecond());
    if (expiry) {
        claims.setExpiryTime(issuedAt.plusSeconds(60L).getEpochSecond());
    }
    if (audience != null) {
        claims.setAudiences(Collections.singletonList(audience));
    }
    if (!sign) {
        // alg=none: the token carries no signature at all
        final JwsHeaders plainHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
        return new JwsJwtCompactProducer(plainHeaders, claims).getSignedEncodedJws();
    }
    // Sign the JWT Token with the shared test keystore
    final Properties signingProperties = new Properties();
    signingProperties.put("rs.security.keystore.type", "jks");
    signingProperties.put("rs.security.keystore.password", "password");
    signingProperties.put("rs.security.keystore.alias", "alice");
    signingProperties.put("rs.security.keystore.file", "keys/alice.jks");
    signingProperties.put("rs.security.key.password", "password");
    signingProperties.put("rs.security.signature.algorithm", "RS256");
    final JwsHeaders signedHeaders = new JwsHeaders(signingProperties);
    final JwsJwtCompactProducer producer = new JwsJwtCompactProducer(signedHeaders, claims);
    return producer.signWith(JwsUtils.loadSignatureProvider(signingProperties, signedHeaders));
}
Also used : JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) Instant(java.time.Instant) Properties(java.util.Properties) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)

Example 9 with JwsSignatureProvider

use of org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider in project meecrowave by apache.

The class OAuth2Configurer, method preCompute.

// TODO: still some missing configuration for jwt etc to add/wire from OAuth2Options
/**
 * Wires the OAuth2 data provider, grant handlers and service consumers from {@code OAuth2Options}.
 * <p>
 * Runs once after injection. The provider is picked by the configured name; the "jpa", "jcache"
 * and "encrypted" cases intentionally fall through to their "-code" variant when authorization
 * code support is enabled. The resulting {@code Consumer}s are applied per request, so the
 * expensive work is done here and the consumers only copy precomputed values.
 */
@PostConstruct
private void preCompute() {
    configuration = builder.getExtension(OAuth2Options.class);
    AbstractOAuthDataProvider provider;
    // provider name is matched case-insensitively; fall-through between cases is deliberate
    switch(configuration.getProvider().toLowerCase(ENGLISH)) {
        case "jpa":
            {
                if (!configuration.isAuthorizationCodeSupport()) {
                    // else use code impl
                    final JPAOAuthDataProvider jpaProvider = new JPAOAuthDataProvider();
                    jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
                    provider = jpaProvider;
                    break;
                }
            }
        // falls through from "jpa" when authorization code support is on
        case "jpa-code":
            {
                final JPACodeDataProvider jpaProvider = new JPACodeDataProvider();
                jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
                provider = jpaProvider;
                break;
            }
        case "jcache":
            if (!configuration.isAuthorizationCodeSupport()) {
                // else use code impl
                jCacheConfigurer.doSetup(configuration);
                try {
                    provider = new JCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus, configuration.isJcacheStoreJwtKeyOnly());
                } catch (final Exception e) {
                    throw new IllegalStateException(e);
                }
                break;
            }
        // falls through from "jcache" when authorization code support is on
        case "jcache-code":
            jCacheConfigurer.doSetup(configuration);
            try {
                provider = new JCacheCodeDataProvider(configuration, bus);
            } catch (final Exception e) {
                throw new IllegalStateException(e);
            }
            break;
        case // not sure it makes sense since we have jcache but this one is cheap to support
        "ehcache":
            provider = new DefaultEHCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus);
            break;
        case "encrypted":
            if (!configuration.isAuthorizationCodeSupport()) {
                // else use code impl
                // the configured key string is used verbatim (UTF-8 bytes) as the secret key material
                provider = new DefaultEncryptingOAuthDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo()));
                break;
            }
        // falls through from "encrypted" when authorization code support is on
        case "encrypted-code":
            provider = new DefaultEncryptingCodeDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo()));
            break;
        default:
            throw new IllegalArgumentException("Unsupported oauth2 provider: " + configuration.getProvider());
    }
    // the refresh handler keeps the raw provider; the other handlers get dataProvider below
    final RefreshTokenGrantHandler refreshTokenGrantHandler = new RefreshTokenGrantHandler();
    refreshTokenGrantHandler.setDataProvider(provider);
    refreshTokenGrantHandler.setUseAllClientScopes(configuration.isUseAllClientScopes());
    refreshTokenGrantHandler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
    // resource-owner password check: JAAS when configured, else the servlet container's login
    final ResourceOwnerLoginHandler loginHandler = configuration.isJaas() ? new JAASResourceOwnerLoginHandler() : (client, name, password) -> {
        try {
            request.login(name, password);
            try {
                final Principal pcp = request.getUserPrincipal();
                // roles are only available from a Tomcat GenericPrincipal; otherwise the subject has none
                final List<String> roles = GenericPrincipal.class.isInstance(pcp) ? new ArrayList<>(asList(GenericPrincipal.class.cast(pcp).getRoles())) : Collections.<String>emptyList();
                final UserSubject userSubject = new UserSubject(name, roles);
                userSubject.setAuthenticationMethod(PASSWORD);
                return userSubject;
            } finally {
                // never leave the container session authenticated past this grant
                request.logout();
            }
        } catch (final ServletException e) {
            // NOTE(review): only the message is kept; the ServletException cause is dropped
            throw new AuthenticationException(e.getMessage());
        }
    };
    final List<AccessTokenGrantHandler> handlers = new ArrayList<>();
    handlers.add(refreshTokenGrantHandler);
    handlers.add(new ClientCredentialsGrantHandler());
    handlers.add(new ResourceOwnerGrantHandler() {

        {
            setLoginHandler(loginHandler);
        }
    });
    handlers.add(new AuthorizationCodeGrantHandler());
    handlers.add(new JwtBearerGrantHandler());
    provider.setUseJwtFormatForAccessTokens(configuration.isUseJwtFormatForAccessTokens());
    provider.setAccessTokenLifetime(configuration.getAccessTokenLifetime());
    provider.setRefreshTokenLifetime(configuration.getRefreshTokenLifetime());
    provider.setRecycleRefreshTokens(configuration.isRecycleRefreshTokens());
    provider.setSupportPreauthorizedTokens(configuration.isSupportPreauthorizedTokens());
    // scope lists are comma-separated strings in the options; entries are not trimmed
    ofNullable(configuration.getRequiredScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setRequiredScopes);
    ofNullable(configuration.getDefaultScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setDefaultScopes);
    ofNullable(configuration.getInvisibleToClientScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setInvisibleToClientScopes);
    // the claim map is given in java.util.Properties syntax and parsed from the option string
    ofNullable(configuration.getJwtAccessTokenClaimMap()).map(s -> new Properties() {

        {
            try {
                load(new StringReader(s));
            } catch (IOException e) {
                throw new IllegalArgumentException("Bad claim map configuration, use properties syntax");
            }
        }
    }).ifPresent(m -> provider.setJwtAccessTokenClaimMap(new HashMap<>(Map.class.cast(m))));
    final OAuthDataProvider dataProvider;
    if (configuration.isRefreshToken()) {
        // wrap the provider so refresh tokens are issued, and hide the refresh scope from clients
        dataProvider = new RefreshTokenEnabledProvider(provider);
        if (provider.getInvisibleToClientScopes() == null) {
            provider.setInvisibleToClientScopes(new ArrayList<>());
        }
        provider.getInvisibleToClientScopes().add(OAuthConstants.REFRESH_TOKEN_SCOPE);
    } else {
        dataProvider = provider;
    }
    handlers.stream().filter(AbstractGrantHandler.class::isInstance).forEach(h -> {
        final AbstractGrantHandler handler = AbstractGrantHandler.class.cast(h);
        handler.setDataProvider(dataProvider);
        handler.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
        handler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
    });
    abstractTokenServiceConsumer = s -> {
        // this is used @RequestScoped so ensure it is not slow for no reason
        s.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
        s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
        s.setWriteCustomErrors(configuration.isWriteCustomErrors());
        s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
        s.setDataProvider(dataProvider);
    };
    tokenServiceConsumer = s -> {
        // this is used @RequestScoped so ensure it is not slow for no reason
        abstractTokenServiceConsumer.accept(s);
        s.setGrantHandlers(handlers);
    };
    final List<String> noConsentScopes = ofNullable(configuration.getScopesRequiringNoConsent()).map(s -> asList(s.split(","))).orElse(null);
    // we prefix them oauth2.cxf. but otherwise it is the plain cxf config
    // NOTE(review): every "oauth2.cxf.rs.security.*" builder property, including any key store
    // passwords configured there, is copied onto each redirection-grant request message below
    final Map<String, String> contextualProperties = ofNullable(builder.getProperties()).map(Properties::stringPropertyNames).orElse(emptySet()).stream().filter(s -> s.startsWith("oauth2.cxf.rs.security.")).collect(toMap(s -> s.substring("oauth2.cxf.".length()), s -> builder.getProperties().getProperty(s)));
    final JoseSessionTokenProvider sessionAuthenticityTokenProvider = new JoseSessionTokenProvider() {

        // shadow copies of the superclass settings, kept because the overridden
        // createSessionToken below cannot read the private superclass fields
        private int maxDefaultSessionInterval;

        private boolean jweRequired;

        private JweEncryptionProvider jweEncryptor;

        // workaround a NPE of 3.2.0 - https://issues.apache.org/jira/browse/CXF-7504
        @Override
        public String createSessionToken(final MessageContext mc, final MultivaluedMap<String, String> params, final UserSubject subject, final OAuthRedirectionState secData) {
            String stateString = convertStateToString(secData);
            final JwsSignatureProvider jws = getInitializedSigProvider();
            final JweEncryptionProvider jwe = jweEncryptor == null ? JweUtils.loadEncryptionProvider(new JweHeaders(), jweRequired) : jweEncryptor;
            // refuse to hand out an unprotected state token
            if (jws == null && jwe == null) {
                throw new OAuthServiceException("Session token can not be created");
            }
            // sign first, then encrypt the signed value when both are configured
            if (jws != null) {
                stateString = JwsUtils.sign(jws, stateString, null);
            }
            if (jwe != null) {
                stateString = jwe.encrypt(StringUtils.toBytesUTF8(stateString), null);
            }
            return OAuthUtils.setSessionToken(mc, stateString, maxDefaultSessionInterval);
        }

        public void setJweEncryptor(final JweEncryptionProvider jweEncryptor) {
            super.setJweEncryptor(jweEncryptor);
            this.jweEncryptor = jweEncryptor;
        }

        @Override
        public void setJweRequired(final boolean jweRequired) {
            super.setJweRequired(jweRequired);
            this.jweRequired = jweRequired;
        }

        @Override
        public void setMaxDefaultSessionInterval(final int maxDefaultSessionInterval) {
            super.setMaxDefaultSessionInterval(maxDefaultSessionInterval);
            this.maxDefaultSessionInterval = maxDefaultSessionInterval;
        }
    };
    sessionAuthenticityTokenProvider.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
    // TODO: other configs
    redirectionBasedGrantServiceConsumer = s -> {
        s.setDataProvider(dataProvider);
        s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
        s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
        s.setUseAllClientScopes(configuration.isUseAllClientScopes());
        s.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
        s.setUseRegisteredRedirectUriIfPossible(configuration.isUseRegisteredRedirectUriIfPossible());
        s.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
        s.setMatchRedirectUriWithApplicationUri(configuration.isMatchRedirectUriWithApplicationUri());
        s.setScopesRequiringNoConsent(noConsentScopes);
        s.setSessionAuthenticityTokenProvider(sessionAuthenticityTokenProvider);
        // TODO: make it even more contextual, client based?
        // the stripped "cxf.rs.security.*" properties are placed on the current message so the
        // JOSE utilities can pick them up when building the session token
        final Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
        contextualProperties.forEach(currentMessage::put);
    };
}
Also used : JCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider) ServletException(javax.servlet.ServletException) StringUtils(org.apache.cxf.common.util.StringUtils) SecretKeySpec(javax.crypto.spec.SecretKeySpec) Collectors.toMap(java.util.stream.Collectors.toMap) AbstractTokenService(org.apache.cxf.rs.security.oauth2.services.AbstractTokenService) ClientCredentialsGrantHandler(org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler) Arrays.asList(java.util.Arrays.asList) Map(java.util.Map) JCacheCodeDataProvider(org.apache.meecrowave.oauth2.provider.JCacheCodeDataProvider) RefreshTokenEnabledProvider(org.apache.meecrowave.oauth2.data.RefreshTokenEnabledProvider) AuthorizationCodeGrantHandler(org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler) DefaultEncryptingCodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider) JwtBearerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler) ResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler) ENGLISH(java.util.Locale.ENGLISH) ResourceOwnerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler) OAuth2TokenService(org.apache.meecrowave.oauth2.resource.OAuth2TokenService) JPACodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider) JweEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider) StandardCharsets(java.nio.charset.StandardCharsets) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider) JweUtils(org.apache.cxf.rs.security.jose.jwe.JweUtils) OAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider) List(java.util.List) Principal(java.security.Principal) AbstractGrantHandler(org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler) PostConstruct(javax.annotation.PostConstruct) 
ApplicationScoped(javax.enterprise.context.ApplicationScoped) PASSWORD(org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod.PASSWORD) AccessTokenGrantHandler(org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler) Meecrowave(org.apache.meecrowave.Meecrowave) Bus(org.apache.cxf.Bus) JAASResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.JAASResourceOwnerLoginHandler) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) RefreshTokenGrantHandler(org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Inject(javax.inject.Inject) AbstractOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider) HttpServletRequest(javax.servlet.http.HttpServletRequest) AuthenticationException(org.apache.cxf.interceptor.security.AuthenticationException) MessageContext(org.apache.cxf.jaxrs.ext.MessageContext) DefaultEncryptingOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider) RedirectionBasedGrantService(org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService) OAuthUtils(org.apache.cxf.rs.security.oauth2.utils.OAuthUtils) JoseSessionTokenProvider(org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider) GenericPrincipal(org.apache.catalina.realm.GenericPrincipal) JweHeaders(org.apache.cxf.rs.security.jose.jwe.JweHeaders) Properties(java.util.Properties) JPAOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider) Collections.emptySet(java.util.Collections.emptySet) Message(org.apache.cxf.message.Message) Optional.ofNullable(java.util.Optional.ofNullable) IOException(java.io.IOException) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) Consumer(java.util.function.Consumer) DefaultEHCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider) StringReader(java.io.StringReader) 
PhaseInterceptorChain(org.apache.cxf.phase.PhaseInterceptorChain) OAuthConstants(org.apache.cxf.rs.security.oauth2.utils.OAuthConstants) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) JwsUtils(org.apache.cxf.rs.security.jose.jws.JwsUtils) Collections(java.util.Collections) OAuthRedirectionState(org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState) AbstractGrantHandler(org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler) JPAOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider) AuthenticationException(org.apache.cxf.interceptor.security.AuthenticationException) HashMap(java.util.HashMap) JweEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) ArrayList(java.util.ArrayList) JPACodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider) ResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler) JAASResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.JAASResourceOwnerLoginHandler) JoseSessionTokenProvider(org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider) ServletException(javax.servlet.ServletException) SecretKeySpec(javax.crypto.spec.SecretKeySpec) DefaultEHCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider) JCacheCodeDataProvider(org.apache.meecrowave.oauth2.provider.JCacheCodeDataProvider) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider) OAuthRedirectionState(org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState) DefaultEncryptingOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider) RefreshTokenGrantHandler(org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler) 
RefreshTokenEnabledProvider(org.apache.meecrowave.oauth2.data.RefreshTokenEnabledProvider) JCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider) Collectors.toMap(java.util.stream.Collectors.toMap) Map(java.util.Map) HashMap(java.util.HashMap) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) DefaultEncryptingCodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider) Message(org.apache.cxf.message.Message) AccessTokenGrantHandler(org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler) Properties(java.util.Properties) JweHeaders(org.apache.cxf.rs.security.jose.jwe.JweHeaders) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) ResourceOwnerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler) StringReader(java.io.StringReader) MessageContext(org.apache.cxf.jaxrs.ext.MessageContext) AbstractOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider) JwtBearerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler) AuthorizationCodeGrantHandler(org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler) IOException(java.io.IOException) ServletException(javax.servlet.ServletException) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) AuthenticationException(org.apache.cxf.interceptor.security.AuthenticationException) IOException(java.io.IOException) ClientCredentialsGrantHandler(org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler) JCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider) OAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider) AbstractOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider) 
DefaultEncryptingOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider) JPAOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider) DefaultEHCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider) GenericPrincipal(org.apache.catalina.realm.GenericPrincipal) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) JAASResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.JAASResourceOwnerLoginHandler) Principal(java.security.Principal) GenericPrincipal(org.apache.catalina.realm.GenericPrincipal) PostConstruct(javax.annotation.PostConstruct)

Example 10 with JwsSignatureProvider

use of org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider in project cxf by apache.

The class JWTTokenProvider, method signToken.

/**
 * Serialises the claims as a compact JWS.
 * <p>
 * When {@code signToken} is false the token is issued with {@code alg=none}. Otherwise the
 * signing material starts from the {@code stsProperties} defaults; a realm with its own
 * signature crypto replaces crypto, callback handler and alias together, and realm signature
 * properties replace the STS ones independently. A configured algorithm name that
 * {@code SignatureAlgorithm.getAlgorithm} rejects silently falls back to RS256, and an empty
 * alias is replaced by the crypto's default X.509 identifier.
 *
 * @param claims the claims to encode
 * @param jwtRealm realm-specific signature settings, may be null
 * @param stsProperties STS defaults for crypto, password callback, signature properties and alias
 * @return the serialised token
 * @throws STSException when no password could be obtained or the crypto is not a Merlin keystore
 * @throws Exception when the password callback fails
 */
private String signToken(JwtClaims claims, RealmProperties jwtRealm, STSPropertiesMBean stsProperties) throws Exception {
    if (!signToken) {
        final JwsHeaders noneHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
        return new JwsJwtCompactProducer(noneHeaders, claims).getSignedEncodedJws();
    }
    // Start from the STS-wide defaults
    Crypto crypto = stsProperties.getSignatureCrypto();
    CallbackHandler passwordCallback = stsProperties.getCallbackHandler();
    SignatureProperties sigProps = stsProperties.getSignatureProperties();
    String keyAlias = stsProperties.getSignatureUsername();
    if (jwtRealm != null) {
        if (jwtRealm.getSignatureCrypto() != null) {
            // the realm keystore replaces crypto, callback handler and alias as a unit
            LOG.fine("SAMLRealm signature keystore used");
            crypto = jwtRealm.getSignatureCrypto();
            passwordCallback = jwtRealm.getCallbackHandler();
            keyAlias = jwtRealm.getSignatureAlias();
        }
        // SignatureProperties can be defined independently of SignatureCrypto
        if (jwtRealm.getSignatureProperties() != null) {
            sigProps = jwtRealm.getSignatureProperties();
        }
    }
    // The client cannot request an algorithm; an unknown configured name degrades to RS256
    String algorithm = sigProps.getSignatureAlgorithm();
    try {
        SignatureAlgorithm.getAlgorithm(algorithm);
    } catch (IllegalArgumentException unknownAlgorithm) {
        algorithm = SignatureAlgorithm.RS256.name();
    }
    final boolean aliasMissing = keyAlias == null || "".equals(keyAlias);
    if (aliasMissing && crypto != null) {
        keyAlias = crypto.getDefaultX509Identifier();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Signature alias is null so using default alias: " + keyAlias);
        }
    }
    // Ask the callback handler for the key password
    String keyPassword = null;
    if (passwordCallback != null) {
        final WSPasswordCallback[] callbacks = { new WSPasswordCallback(keyAlias, WSPasswordCallback.SIGNATURE) };
        passwordCallback.handle(callbacks);
        keyPassword = callbacks[0].getPassword();
    }
    // Password is checked before the keystore, matching the error a caller sees for each case
    if (keyPassword == null) {
        throw new STSException("Can't get the password", STSException.REQUEST_FAILED);
    }
    if (!(crypto instanceof Merlin)) {
        throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
    }
    final Properties signingProperties = new Properties();
    signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, algorithm);
    if (keyAlias != null) {
        signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, keyAlias);
    }
    signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, keyPassword);
    // the KeyStore object itself is passed through the properties, not a file location
    final KeyStore keyStore = ((Merlin) crypto).getKeyStore();
    signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keyStore);
    final JwsHeaders headers = new JwsHeaders(signingProperties);
    final JwsJwtCompactProducer producer = new JwsJwtCompactProducer(headers, claims);
    return producer.signWith(JwsUtils.loadSignatureProvider(signingProperties, headers));
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) SignatureProperties(org.apache.cxf.sts.SignatureProperties) Properties(java.util.Properties) RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties) KeyStore(java.security.KeyStore) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) Crypto(org.apache.wss4j.common.crypto.Crypto) SignatureProperties(org.apache.cxf.sts.SignatureProperties) WSPasswordCallback(org.apache.wss4j.common.ext.WSPasswordCallback) Merlin(org.apache.wss4j.common.crypto.Merlin) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)
