Example 21 with JWTToken

use of org.apache.knox.gateway.services.security.token.impl.JWTToken in project knox by apache.

the class DefaultTokenAuthorityService method issueToken.

@Override
public JWT issueToken(Principal p, List<String> audiences, String algorithm, long expires) throws TokenServiceException {
    // JWTToken takes its standard claims positionally: issuer, subject, audience, expiration.
    String[] claimArray = new String[4];
    claimArray[0] = "KNOXSSO";   // iss: fixed to the KnoxSSO issuer
    claimArray[1] = p.getName(); // sub: the authenticated principal
    claimArray[2] = null;        // aud: supplied separately through the audiences list
    if (expires == -1) {
        claimArray[3] = null;    // -1 means no exp claim at all: the token carries no lifetime of its own
    } else {
        claimArray[3] = String.valueOf(expires); // exp: absolute expiry time as computed by the caller
    }
    JWT token = null;
    // Only algorithms on the configured allow-list are accepted; the caller cannot pick an arbitrary one.
    if (SUPPORTED_SIG_ALGS.contains(algorithm)) {
        token = new JWTToken(algorithm, claimArray, audiences);
        RSAPrivateKey key;
        char[] passphrase = null;
        try {
            passphrase = getSigningKeyPassphrase(); // resolved through the alias service, not hard-coded
        } catch (AliasServiceException e) {
            throw new TokenServiceException(e);
        }
        try {
            // The signing key is cast to RSAPrivateKey and fed to an RSASSA signer, so only RSA keys work here.
            key = (RSAPrivateKey) ks.getSigningKey(getSigningKeyAlias(), passphrase);
            JWSSigner signer = new RSASSASigner(key);
            token.sign(signer);
        } catch (KeystoreServiceException e) {
            throw new TokenServiceException(e);
        }
    } else {
        throw new TokenServiceException("Cannot issue token - Unsupported algorithm");
    }
    return token;
}
Also used : JWT(org.apache.knox.gateway.services.security.token.impl.JWT) AliasServiceException(org.apache.knox.gateway.services.security.AliasServiceException) RSASSASigner(com.nimbusds.jose.crypto.RSASSASigner) KeystoreServiceException(org.apache.knox.gateway.services.security.KeystoreServiceException) JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) JWSSigner(com.nimbusds.jose.JWSSigner) TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException)

Example 22 with JWTToken

use of org.apache.knox.gateway.services.security.token.impl.JWTToken in project knox by apache.

the class JWTAccessTokenAssertionFilter method doFilter.

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    String jsonResponse = null;
    String header = ((HttpServletRequest) request).getHeader("Authorization");
    if (header != null && header.startsWith(BEARER)) {
        // what follows the bearer designator should be the JWT being presented, either to request an access token or as one
        String wireToken = header.substring(BEARER.length());
        JWTToken token;
        try {
            token = JWTToken.parseToken(wireToken);
        } catch (ParseException e) {
            throw new ServletException("ParseException encountered while processing the JWT token: ", e);
        }
        // ensure that there is a valid jwt token available and that there isn't a misconfiguration of filters
        if (token != null) {
            try {
                // Note: a TokenServiceException here is only logged, the result of verifyToken is discarded,
                // and processing continues. This filter relies on JWTFederationFilter having already rejected
                // an invalid token further up the chain.
                authority.verifyToken(token);
            } catch (TokenServiceException e) {
                log.unableToVerifyToken(e);
            }
        } else {
            throw new ServletException("Expected JWT Token not provided as Bearer token");
        }
        // authorization of the user for the requested service (and resource?) should have been done by
        // the JWTFederationFilter - once we get here we can assume that it is authorized and we just need
        // to assert the identity via an access token
        Subject subject = Subject.getSubject(AccessController.getContext());
        String principalName = getPrincipalName(subject);
        principalName = mapper.mapUserPrincipal(principalName);
        // calculate expiration timestamp: validity (seconds) * 1000 + currentTimeInMillis
        long expires = System.currentTimeMillis() + validity * 1000;
        String serviceName = request.getParameter("service-name");
        String clusterName = request.getParameter("cluster-name");
        String accessToken = getAccessToken(principalName, serviceName, expires);
        String serviceURL = sr.lookupServiceURL(clusterName, serviceName);
        HashMap<String, Object> map = new HashMap<>();
        // TODO: populate map from JWT authorization code
        map.put(ACCESS_TOKEN, accessToken);
        map.put(TOKEN_TYPE, BEARER);
        // Note: the value emitted here is the absolute epoch-millisecond timestamp computed above,
        // not a remaining lifetime in seconds as an OAuth-style expires_in would be.
        map.put(EXPIRES_IN, expires);
        // TODO: this url needs to be rewritten when in gateway deployments....
        map.put(SVC_URL, serviceURL);
        jsonResponse = JsonUtils.renderAsJsonString(map);
        response.getWriter().write(jsonResponse);
        // break filter chain: the JSON body is the whole response
        return;
    } else {
        // no token provided in header
        // something is really wrong since the JWTFederationFilter should have verified its existence already
        // TODO: may have to check cookie and url as well before sending error
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        // break filter chain
        return;
    }
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletException(javax.servlet.ServletException) HashMap(java.util.HashMap) HttpServletResponse(javax.servlet.http.HttpServletResponse) ParseException(java.text.ParseException) JWTToken(org.apache.knox.gateway.services.security.token.impl.JWTToken) TokenServiceException(org.apache.knox.gateway.services.security.token.TokenServiceException) Subject(javax.security.auth.Subject)
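Added example, not code from Knox or from this page: it uses nimbus-jose-jwt (the library Knox's JWTToken wraps; its RSASSASigner appears in Example 21) directly, generates a throwaway RSA key pair in place of the keystore, and puts both halves of Examples 21 and 22 side by side: issuing a token with the same four claims issueToken fills (iss, sub, aud, exp, with expires == -1 omitting exp), and the checks a bearer-token filter needs before it can trust the subject. The class name, the issue/verifyBearer helpers, the audience value "tokenbased" and the exact list of checks are assumptions for illustration, not a description of Knox's own verifyToken.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/** Stand-alone illustration (assumed names, not Knox code) of issuing and verifying a Knox-style bearer JWT. */
public class BearerJwtDemo {
    private static final String BEARER = "Bearer ";  // same prefix the filter strips
    private static final String ISSUER = "KNOXSSO";  // same issuer claim issueToken sets

    /** Issue an RS256 token with the claims issueToken fills: iss, sub, aud, exp. expiresMillis == -1 omits exp. */
    static String issue(RSAPrivateKey key, String subject, List<String> audiences, long expiresMillis)
            throws JOSEException {
        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder()
                .issuer(ISSUER)
                .subject(subject)
                .audience(audiences);
        if (expiresMillis != -1) {
            claims.expirationTime(new Date(expiresMillis));
        }
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims.build());
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    /**
     * Parse the Authorization header and verify the token. The checks are assumptions about what a
     * complete verification needs: pinned algorithm, signature against the gateway public key,
     * issuer, unexpired exp, expected audience. Returns the subject only if every check passes.
     */
    static String verifyBearer(String header, RSAPublicKey gatewayKey, String expectedAudience, Date now)
            throws ParseException, JOSEException {
        if (header == null || !header.startsWith(BEARER)) {
            throw new JOSEException("Expected JWT Token not provided as Bearer token");
        }
        SignedJWT jwt = SignedJWT.parse(header.substring(BEARER.length()));
        // Pin the algorithm: the verifier, not the token's own header, decides how the signature is checked.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new RSASSAVerifier(gatewayKey))) {
            throw new JOSEException("signature does not verify");
        }
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        if (!ISSUER.equals(claims.getIssuer())) {
            throw new JOSEException("unexpected issuer " + claims.getIssuer());
        }
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.after(now)) {
            // A token issued with expires == -1 has no exp at all; this verifier treats that as a failure.
            throw new JOSEException("token expired or carries no exp");
        }
        if (!claims.getAudience().contains(expectedAudience)) {
            throw new JOSEException("audience mismatch: " + claims.getAudience());
        }
        return claims.getSubject();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair gateway = kpg.generateKeyPair(); // stands in for the keystore signing key
        KeyPair other = kpg.generateKeyPair();   // a key the gateway never trusts
        RSAPublicKey pub = (RSAPublicKey) gateway.getPublic();
        RSAPrivateKey gatewayPriv = (RSAPrivateKey) gateway.getPrivate();
        List<String> aud = Collections.singletonList("tokenbased");
        long inOneMinute = System.currentTimeMillis() + 60 * 1000L;

        String good = issue(gatewayPriv, "alice", aud, inOneMinute);
        System.out.println("accepted subject: " + verifyBearer(BEARER + good, pub, "tokenbased", new Date()));

        String[] rejected = {
            issue((RSAPrivateKey) other.getPrivate(), "alice", aud, inOneMinute),             // wrong signing key
            issue(gatewayPriv, "alice", aud, -1),                                               // no exp claim
            issue(gatewayPriv, "alice", aud, System.currentTimeMillis() - 1),                   // already expired
            issue(gatewayPriv, "alice", Collections.singletonList("other-service"), inOneMinute) // wrong audience
        };
        for (String t : rejected) {
            try {
                verifyBearer(BEARER + t, pub, "tokenbased", new Date());
                System.out.println("BUG: token should have been rejected");
            } catch (JOSEException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Build it against com.nimbusds:nimbus-jose-jwt on the classpath. The contrast with Example 22 is deliberate: there, a verification failure is logged and the request continues on the assumption that an upstream filter already rejected the token; here, every failed check is fatal, and the subject is only released after the signature, issuer, exp and audience have all been confirmed.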
