use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class AbstractJWTFilter method validateToken.
protected boolean validateToken(HttpServletRequest request, HttpServletResponse response, FilterChain chain, JWT token) throws IOException, ServletException {
  /*
   * Validates a parsed JWT in a fixed order: signature, "alg" header, issuer, expiry,
   * audience, not-before. The first failing check writes the error response through
   * handleValidationError and returns false; only a token passing every check returns true.
   * A failure of the token service itself is logged and treated as an unverified signature.
   */

  // 1. Signature: verify with the configured public key when one is set, otherwise let the
  //    token authority select its own signing key.
  boolean signatureOk = false;
  try {
    signatureOk = (publicKey == null)
        ? authority.verifyToken(token)
        : authority.verifyToken(token, publicKey);
  } catch (TokenServiceException e) {
    log.unableToVerifyToken(e);
  }

  // 2. Signature algorithm: the "alg" header must name exactly the expected algorithm, so a
  //    token signed with a different algorithm than configured is rejected even when the
  //    signature itself verified. An unparseable header is a failure too.
  if (signatureOk) {
    try {
      String receivedSigAlg = JWSHeader.parse(token.getHeader()).getAlgorithm().getName();
      signatureOk = receivedSigAlg.equals(expectedSigAlg);
    } catch (ParseException e) {
      log.unableToVerifyToken(e);
      signatureOk = false;
    }
  }

  if (!signatureOk) {
    log.failedToVerifyTokenSignature();
    handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
    return false;
  }

  // 3. Issuer: the token must have been issued for this target (no dedicated log message here).
  if (!expectedIssuer.equals(token.getIssuer())) {
    handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
    return false;
  }

  // 4. Expiry, against the designated expiration time.
  if (!tokenIsStillValid(token)) {
    log.tokenHasExpired();
    handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: token has expired");
    return false;
  }

  // 5. Audience.
  if (!validateAudiences(token)) {
    log.failedToValidateAudience();
    handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: missing required token audience");
    return false;
  }

  // 6. Not-before: a token without "nbf" is accepted; otherwise the current time must be
  //    strictly after it.
  Date notBefore = token.getNotBeforeDate();
  if (notBefore != null && !new Date().after(notBefore)) {
    log.notBeforeCheckFailed();
    handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: the NotBefore check failed");
    return false;
  }

  return true;
}
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class AccessTokenFederationFilter method doFilter.
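public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
  /*
   * Authenticates the request from a "Bearer" JWT in the Authorization header.
   * The chain is only continued (with a Subject built from the token) when the header is
   * present, the token parses, its signature verifies, it has not expired and its audience
   * claim matches the request URL; every other outcome answers with sendUnauthorized and
   * breaks the chain. A token that does not parse is reported as a ServletException.
   */
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  String header = httpRequest.getHeader("Authorization");
  if (header == null || !header.startsWith(BEARER)) {
    log.missingBearerToken();
    sendUnauthorized(response);
    // break the chain
    return;
  }

  // what follows the bearer designator should be the JWT token being used to request or as an access token
  String wireToken = header.substring(BEARER.length());
  JWTToken token;
  try {
    token = JWTToken.parseToken(wireToken);
  } catch (ParseException e) {
    throw new ServletException("ParseException encountered while processing the JWT token: ", e);
  }

  // Signature first; a failure inside the token service is logged and counts as unverified.
  boolean verified = false;
  try {
    verified = authority.verifyToken(token);
  } catch (TokenServiceException e) {
    log.unableToVerifyToken(e);
  }
  if (!verified) {
    log.failedToVerifyTokenSignature();
    sendUnauthorized(response);
    // break the chain
    return;
  }

  // "exp" is carried as a string. A missing or non-numeric claim previously escaped the
  // filter as an unchecked NumberFormatException; treat it as an expired token instead.
  long expires;
  try {
    expires = Long.parseLong(token.getExpires());
  } catch (NumberFormatException e) {
    log.tokenHasExpired();
    sendUnauthorized(response);
    // break the chain
    return;
  }
  if (expires <= System.currentTimeMillis()) {
    log.tokenHasExpired();
    sendUnauthorized(response);
    // break the chain
    return;
  }

  // Audience check as implemented here: the lower-cased "aud" claim must occur as a
  // substring of the request URL. A token without an audience previously raised an NPE;
  // it is now rejected like a mismatched audience.
  String audience = token.getAudience();
  if (audience == null || httpRequest.getRequestURL().indexOf(audience.toLowerCase()) == -1) {
    log.failedToValidateAudience();
    sendUnauthorized(response);
    // break the chain
    return;
  }

  Subject subject = createSubjectFromToken(token);
  continueWithEstablishedSecurityContext(subject, httpRequest, (HttpServletResponse) response, chain);
}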
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class JWTAccessTokenAssertionFilter method getAccessToken.
private String getAccessToken(final String principalName, String serviceName, long expires) {
  /*
   * Issues an RS256-signed JWT for the given principal name, service and expiry through the
   * token authority and returns its serialized form. Returns null when the authority returns
   * no token or when issuing fails (the failure is logged, not propagated).
   */

  // The authority works on a Principal; wrap the bare name in a minimal one.
  Principal principal = new Principal() {
    @Override
    public String getName() {
      return principalName;
    }
  };

  try {
    JWT issued = authority.issueToken(principal, serviceName, "RS256", expires);
    // Coverity CID 1327961: issueToken may return null, in which case there is no token string.
    return issued == null ? null : issued.toString();
  } catch (TokenServiceException e) {
    log.unableToIssueToken(e);
    return null;
  }
}
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class JWTAuthCodeAssertionFilter method doFilter.
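@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
  /*
   * Issues an RS256-signed authorization-code token for the current Subject and writes a
   * JSON document describing it ("iss", "sub", "aud", "exp", "code") plus, when a service
   * registry is configured, the token-service URL under "tke". The filter chain is not
   * continued: this filter always ends the request.
   *
   * @throws ServletException if the token authority cannot issue the token
   */
  Subject subject = Subject.getSubject(AccessController.getContext());
  String principalName = getPrincipalName(subject);
  principalName = mapper.mapUserPrincipal(principalName);

  JWT authCode;
  try {
    authCode = authority.issueToken(subject, "RS256");

    // get the url for the token service
    String url = null;
    if (sr != null) {
      url = sr.lookupServiceURL("token", "TGS");
    }

    HashMap<String, Object> map = new HashMap<>();
    // Coverity CID 1327960: the authority may return null, then no token fields are emitted.
    if (authCode != null) {
      map.put("iss", authCode.getIssuer());
      map.put("sub", authCode.getPrincipal());
      map.put("aud", authCode.getAudience());
      map.put("exp", authCode.getExpires());
      map.put("code", authCode.toString());
    }
    if (url != null) {
      map.put("tke", url);
    }

    String jsonResponse = JsonUtils.renderAsJsonString(map);
    response.getWriter().write(jsonResponse);
    // KNOX-685: response.getWriter().flush();
  } catch (TokenServiceException e) {
    // Previously this was an auto-generated catch that only called printStackTrace(), so an
    // issuing failure produced an empty 200 response. Surface it to the container instead,
    // keeping the cause; ServletException is already part of this method's contract.
    throw new ServletException("Unable to issue authorization code token", e);
  }
  // break filter chain
}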
use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.
the class DefaultTokenAuthorityService method verifyToken.
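@Override
public boolean verifyToken(JWT token, RSAPublicKey publicKey) throws TokenServiceException {
  /*
   * Verifies the token's RSA signature. When publicKey is null the public key of the
   * configured signing certificate in the keystore is used; otherwise the supplied key is.
   *
   * @return the result of the token's own signature check with an RSASSAVerifier
   * @throws TokenServiceException if the keystore cannot be read, or if the key to verify
   *         with is not an RSA public key
   */
  PublicKey key;
  try {
    if (publicKey == null) {
      key = ks.getSigningKeystore().getCertificate(getSigningKeyAlias()).getPublicKey();
    } else {
      key = publicKey;
    }

    // RSASSAVerifier requires an RSA key. A non-RSA (or null) keystore key used to escape as an
    // unchecked ClassCastException, which callers catching TokenServiceException never saw;
    // report it through the declared exception type instead.
    if (!(key instanceof RSAPublicKey)) {
      throw new TokenServiceException("Cannot verify token.",
          new KeyStoreException("signing key is not an RSA public key"));
    }

    JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) key);
    // TODO: interrogate the token for issuer claim in order to determine the public key to use for verification
    // consider jwk for specifying the key too
    return token.verify(verifier);
  } catch (KeyStoreException | KeystoreServiceException e) {
    throw new TokenServiceException("Cannot verify token.", e);
  }
}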