Example 1 with TokenServiceException
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class AbstractJWTFilter method validateToken.
protected boolean validateToken(HttpServletRequest request, HttpServletResponse response, FilterChain chain, JWT token) throws IOException, ServletException {
boolean verified = false;
try {
if (publicKey == null) {
verified = authority.verifyToken(token);
} else {
verified = authority.verifyToken(token, publicKey);
}
} catch (TokenServiceException e) {
log.unableToVerifyToken(e);
}
// Check received signature algorithm
if (verified) {
try {
String receivedSigAlg = JWSHeader.parse(token.getHeader()).getAlgorithm().getName();
if (!receivedSigAlg.equals(expectedSigAlg)) {
verified = false;
}
} catch (ParseException e) {
log.unableToVerifyToken(e);
verified = false;
}
}
if (verified) {
// confirm that issue matches intended target
if (expectedIssuer.equals(token.getIssuer())) {
// the designated expiration time
if (tokenIsStillValid(token)) {
boolean audValid = validateAudiences(token);
if (audValid) {
Date nbf = token.getNotBeforeDate();
if (nbf == null || new Date().after(nbf)) {
return true;
} else {
log.notBeforeCheckFailed();
handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: the NotBefore check failed");
}
} else {
log.failedToValidateAudience();
handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: missing required token audience");
}
} else {
log.tokenHasExpired();
handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: token has expired");
}
} else {
handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
}
} else {
log.failedToVerifyTokenSignature();
handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
}
return false;
}
Also used :
ParseException(java.text.ParseException)
TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)
Date(java.util.Date)
Example 2 with TokenServiceException
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class AccessTokenFederationFilter method doFilter.
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
String header = ((HttpServletRequest) request).getHeader("Authorization");
if (header != null && header.startsWith(BEARER)) {
// what follows the bearer designator should be the JWT token being used to request or as an access token
String wireToken = header.substring(BEARER.length());
JWTToken token;
try {
token = JWTToken.parseToken(wireToken);
} catch (ParseException e) {
throw new ServletException("ParseException encountered while processing the JWT token: ", e);
}
boolean verified = false;
try {
verified = authority.verifyToken(token);
} catch (TokenServiceException e) {
log.unableToVerifyToken(e);
}
if (verified) {
long expires = Long.parseLong(token.getExpires());
if (expires > System.currentTimeMillis()) {
if (((HttpServletRequest) request).getRequestURL().indexOf(token.getAudience().toLowerCase()) != -1) {
Subject subject = createSubjectFromToken(token);
continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
} else {
log.failedToValidateAudience();
sendUnauthorized(response);
// break the chain
return;
}
} else {
log.tokenHasExpired();
sendUnauthorized(response);
// break the chain
return;
}
} else {
log.failedToVerifyTokenSignature();
sendUnauthorized(response);
// break the chain
return;
}
} else {
log.missingBearerToken();
sendUnauthorized(response);
// break the chain
return;
}
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ServletException(javax.servlet.ServletException)
ParseException(java.text.ParseException)
JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken)
TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)
Subject(javax.security.auth.Subject)
Example 3 with TokenServiceException
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class JWTAccessTokenAssertionFilter method getAccessToken.
private String getAccessToken(final String principalName, String serviceName, long expires) {
String accessToken = null;
Principal p = new Principal() {
@Override
public String getName() {
// TODO Auto-generated method stub
return principalName;
}
};
JWT token = null;
try {
token = authority.issueToken(p, serviceName, "RS256", expires);
// Coverity CID 1327961
if (token != null) {
accessToken = token.toString();
}
} catch (TokenServiceException e) {
log.unableToIssueToken(e);
}
return accessToken;
}
Also used :
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
Principal(java.security.Principal)
TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)
Example 4 with TokenServiceException
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class JWTAuthCodeAssertionFilter method doFilter.
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
Subject subject = Subject.getSubject(AccessController.getContext());
String principalName = getPrincipalName(subject);
principalName = mapper.mapUserPrincipal(principalName);
JWT authCode;
try {
authCode = authority.issueToken(subject, "RS256");
// get the url for the token service
String url = null;
if (sr != null) {
url = sr.lookupServiceURL("token", "TGS");
}
HashMap<String, Object> map = new HashMap<>();
// Coverity CID 1327960
if (authCode != null) {
map.put("iss", authCode.getIssuer());
map.put("sub", authCode.getPrincipal());
map.put("aud", authCode.getAudience());
map.put("exp", authCode.getExpires());
map.put("code", authCode.toString());
}
if (url != null) {
map.put("tke", url);
}
String jsonResponse = JsonUtils.renderAsJsonString(map);
response.getWriter().write(jsonResponse);
// KNOX-685: response.getWriter().flush();
} catch (TokenServiceException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
// break filter chain
return;
}
Also used :
HashMap(java.util.HashMap)
JWT(org.apache.knox.gateway.services.security.token.impl.JWT)
Subject(javax.security.auth.Subject)
TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)
Example 5 with TokenServiceException
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class DefaultTokenAuthorityService method verifyToken.
@Override
public boolean verifyToken(JWT token, RSAPublicKey publicKey) throws TokenServiceException {
boolean rc = false;
PublicKey key;
try {
if (publicKey == null) {
key = ks.getSigningKeystore().getCertificate(getSigningKeyAlias()).getPublicKey();
} else {
key = publicKey;
}
JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) key);
// TODO: interrogate the token for issuer claim in order to determine the public key to use for verification
// consider jwk for specifying the key too
rc = token.verify(verifier);
} catch (KeyStoreException e) {
throw new TokenServiceException("Cannot verify token.", e);
} catch (KeystoreServiceException e) {
throw new TokenServiceException("Cannot verify token.", e);
}
return rc;
}
Also used :
RSAPublicKey(java.security.interfaces.RSAPublicKey)
PublicKey(java.security.PublicKey)
RSASSAVerifier(com.nimbusds.jose.crypto.RSASSAVerifier)
JWSVerifier(com.nimbusds.jose.JWSVerifier)
KeyStoreException(java.security.KeyStoreException)
KeystoreServiceException(org.apache.knox.gateway.services.security.KeystoreServiceException)
TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)
Aggregations
TokenServiceException (org.apache.knox.gateway.services.security.token.TokenServiceException)10
JWT (org.apache.knox.gateway.services.security.token.impl.JWT)5
Principal (java.security.Principal)4
HttpServletRequest (javax.servlet.http.HttpServletRequest)4
ParseException (java.text.ParseException)3
HashMap (java.util.HashMap)3
Subject (javax.security.auth.Subject)3
JWTokenAuthority (org.apache.knox.gateway.services.security.token.JWTokenAuthority)3
JWTToken (org.apache.knox.gateway.services.security.token.impl.JWTToken)3
IOException (java.io.IOException)2
ServletException (javax.servlet.ServletException)2
GatewayServices (org.apache.knox.gateway.services.GatewayServices)2
KeystoreServiceException (org.apache.knox.gateway.services.security.KeystoreServiceException)2
JWSSigner (com.nimbusds.jose.JWSSigner)1
JWSVerifier (com.nimbusds.jose.JWSVerifier)1
RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner)1
RSASSAVerifier (com.nimbusds.jose.crypto.RSASSAVerifier)1
File (java.io.File)1
URI (java.net.URI)1
URISyntaxException (java.net.URISyntaxException)1
