
Example 1 with TokenServiceException

Use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.

Class AbstractJWTFilter, method validateToken:

protected boolean validateToken(HttpServletRequest request, HttpServletResponse response, FilterChain chain, JWT token) throws IOException, ServletException {
    boolean verified = false;
    try {
        if (publicKey == null) {
            verified = authority.verifyToken(token);
        } else {
            verified = authority.verifyToken(token, publicKey);
        }
    } catch (TokenServiceException e) {
        log.unableToVerifyToken(e);
    }
    // Check received signature algorithm
    if (verified) {
        try {
            String receivedSigAlg = JWSHeader.parse(token.getHeader()).getAlgorithm().getName();
            if (!receivedSigAlg.equals(expectedSigAlg)) {
                verified = false;
            }
        } catch (ParseException e) {
            log.unableToVerifyToken(e);
            verified = false;
        }
    }
    if (verified) {
        // confirm that the issuer claim matches the configured expected issuer
        if (expectedIssuer.equals(token.getIssuer())) {
            // reject tokens that are past their designated expiration time
            if (tokenIsStillValid(token)) {
                boolean audValid = validateAudiences(token);
                if (audValid) {
                    Date nbf = token.getNotBeforeDate();
                    if (nbf == null || new Date().after(nbf)) {
                        return true;
                    } else {
                        log.notBeforeCheckFailed();
                        handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: the NotBefore check failed");
                    }
                } else {
                    log.failedToValidateAudience();
                    handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: missing required token audience");
                }
            } else {
                log.tokenHasExpired();
                handleValidationError(request, response, HttpServletResponse.SC_BAD_REQUEST, "Bad request: token has expired");
            }
        } else {
            // issuer mismatch: reject without revealing the expected value
            handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
        }
    } else {
        log.failedToVerifyTokenSignature();
        handleValidationError(request, response, HttpServletResponse.SC_UNAUTHORIZED, null);
    }
    return false;
}
Also used: java.text.ParseException, org.apache.knox.gateway.services.security.token.TokenServiceException, java.util.Date

Example 2 with TokenServiceException

Use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.

Class AccessTokenFederationFilter, method doFilter:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    String header = ((HttpServletRequest) request).getHeader("Authorization");
    if (header != null && header.startsWith(BEARER)) {
        // what follows the bearer designator should be the JWT token being used to request or as an access token
        String wireToken = header.substring(BEARER.length());
        JWTToken token;
        try {
            token = JWTToken.parseToken(wireToken);
        } catch (ParseException e) {
            throw new ServletException("ParseException encountered while processing the JWT token: ", e);
        }
        boolean verified = false;
        try {
            verified = authority.verifyToken(token);
        } catch (TokenServiceException e) {
            log.unableToVerifyToken(e);
        }
        if (verified) {
            // the exp claim is compared against the current wall clock in milliseconds
            long expires = Long.parseLong(token.getExpires());
            if (expires > System.currentTimeMillis()) {
                // audience is accepted if the lowercased aud claim appears as a substring of the request URL
                if (((HttpServletRequest) request).getRequestURL().indexOf(token.getAudience().toLowerCase()) != -1) {
                    Subject subject = createSubjectFromToken(token);
                    continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
                } else {
                    log.failedToValidateAudience();
                    sendUnauthorized(response);
                    // break the chain
                    return;
                }
            } else {
                log.tokenHasExpired();
                sendUnauthorized(response);
                // break the chain
                return;
            }
        } else {
            log.failedToVerifyTokenSignature();
            sendUnauthorized(response);
            // break the chain
            return;
        }
    } else {
        log.missingBearerToken();
        sendUnauthorized(response);
        // break the chain
        return;
    }
}
Also used: javax.servlet.http.HttpServletRequest, javax.servlet.ServletException, java.text.ParseException, org.apache.knox.gateway.services.security.token.impl.JWTToken, org.apache.knox.gateway.services.security.token.TokenServiceException, javax.security.auth.Subject

Example 3 with TokenServiceException

Use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.

Class JWTAccessTokenAssertionFilter, method getAccessToken:

private String getAccessToken(final String principalName, String serviceName, long expires) {
    String accessToken = null;
    Principal p = new Principal() {

        @Override
        public String getName() {
            // TODO Auto-generated method stub
            return principalName;
        }
    };
    JWT token = null;
    try {
        token = authority.issueToken(p, serviceName, "RS256", expires);
        // Coverity CID 1327961
        if (token != null) {
            accessToken = token.toString();
        }
    } catch (TokenServiceException e) {
        log.unableToIssueToken(e);
    }
    return accessToken;
}
Also used: org.apache.knox.gateway.services.security.token.impl.JWT, java.security.Principal, org.apache.knox.gateway.services.security.token.TokenServiceException

Example 4 with TokenServiceException

Use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.

Class JWTAuthCodeAssertionFilter, method doFilter:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    Subject subject = Subject.getSubject(AccessController.getContext());
    String principalName = getPrincipalName(subject);
    principalName = mapper.mapUserPrincipal(principalName);
    JWT authCode;
    try {
        authCode = authority.issueToken(subject, "RS256");
        // get the url for the token service
        String url = null;
        if (sr != null) {
            url = sr.lookupServiceURL("token", "TGS");
        }
        HashMap<String, Object> map = new HashMap<>();
        // Coverity CID 1327960
        if (authCode != null) {
            map.put("iss", authCode.getIssuer());
            map.put("sub", authCode.getPrincipal());
            map.put("aud", authCode.getAudience());
            map.put("exp", authCode.getExpires());
            map.put("code", authCode.toString());
        }
        if (url != null) {
            map.put("tke", url);
        }
        String jsonResponse = JsonUtils.renderAsJsonString(map);
        response.getWriter().write(jsonResponse);
    // KNOX-685: response.getWriter().flush();
    } catch (TokenServiceException e) {
        // TODO Auto-generated catch block
        // only the stack trace is printed; no error status is set on the response
        e.printStackTrace();
    }
    // break filter chain
    return;
}
Also used: java.util.HashMap, org.apache.knox.gateway.services.security.token.impl.JWT, javax.security.auth.Subject, org.apache.knox.gateway.services.security.token.TokenServiceException

Example 5 with TokenServiceException

Use of org.apache.knox.gateway.services.security.token.TokenServiceException in project knox by apache.

Class DefaultTokenAuthorityService, method verifyToken:

@Override
public boolean verifyToken(JWT token, RSAPublicKey publicKey) throws TokenServiceException {
    boolean rc = false;
    PublicKey key;
    try {
        if (publicKey == null) {
            // no caller-supplied key: fall back to the gateway's own signing certificate
            key = ks.getSigningKeystore().getCertificate(getSigningKeyAlias()).getPublicKey();
        } else {
            key = publicKey;
        }
        // only RSA signatures are verified here; the key is cast unconditionally
        JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) key);
        // TODO: interrogate the token for issuer claim in order to determine the public key to use for verification
        // consider jwk for specifying the key too
        rc = token.verify(verifier);
    } catch (KeyStoreException e) {
        throw new TokenServiceException("Cannot verify token.", e);
    } catch (KeystoreServiceException e) {
        throw new TokenServiceException("Cannot verify token.", e);
    }
    return rc;
}
Also used: java.security.interfaces.RSAPublicKey, java.security.PublicKey, com.nimbusds.jose.crypto.RSASSAVerifier, com.nimbusds.jose.JWSVerifier, java.security.KeyStoreException, org.apache.knox.gateway.services.security.KeystoreServiceException, org.apache.knox.gateway.services.security.token.TokenServiceException
