Use of org.forgerock.json.jose.jwt.Jwt in project OpenAM by OpenRock.
Class PersistentCookieAuthModule, method process.
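/**
 * Validates the persistent-cookie JWT carried by the request and, when it is valid, checks that the cookie
 * was issued for the realm the user is now authenticating in.
 * <p>
 * Every failure is reported as an {@link AuthLoginException}: a missing or invalid cookie, a cookie without
 * an authentication context, a cookie issued for another realm, a client-IP mismatch (when IP enforcement is
 * enabled) and a cookie that names no user. Only a cookie that passes all checks produces a principal.
 *
 * @param messageInfo {@inheritDoc}
 * @param clientSubject {@inheritDoc}
 * @param callbacks {@inheritDoc}
 * @return {@inheritDoc}
 * @throws LoginException {@inheritDoc}
 */
@Override
protected boolean process(MessageInfo messageInfo, Subject clientSubject, Callback[] callbacks) throws LoginException {
    final Jwt jwt = getServerAuthModule().validateJwtSessionCookie(messageInfo);
    if (jwt == null) {
        // No cookie, or the cookie did not validate: refuse to authenticate.
        throw new AuthLoginException(AUTH_RESOURCE_BUNDLE_NAME, "cookieNotValid", null);
    }

    final Map<String, Object> claimsSetContext =
            jwt.getClaimsSet().getClaim(AuthenticationFramework.ATTRIBUTE_AUTH_CONTEXT, Map.class);
    if (claimsSetContext == null) {
        throw new AuthLoginException(AUTH_RESOURCE_BUNDLE_NAME, "jaspiContextNotFound", null);
    }

    // The cookie must have been issued for the realm being authenticated against; a cookie from another
    // realm is rejected even though it validated.
    final String jwtRealm = claimAsString(claimsSetContext, OPENAM_REALM_CLAIM_KEY);
    if (!getRequestOrg().equals(jwtRealm)) {
        throw new AuthLoginException(AUTH_RESOURCE_BUNDLE_NAME, "authFailedDiffRealm", null);
    }

    // Optionally bind the cookie to the client address recorded when it was issued.
    if (enforceClientIP) {
        enforceClientIP(claimAsString(claimsSetContext, OPENAM_CLIENT_IP_CLAIM_KEY));
    }

    // The user named in the cookie becomes the authenticated principal. A cookie that carries no user
    // identifies nobody, so it is treated as not valid instead of yielding a principal with a null name.
    final String username = claimAsString(claimsSetContext, OPENAM_USER_CLAIM_KEY);
    if (username == null || username.isEmpty()) {
        throw new AuthLoginException(AUTH_RESOURCE_BUNDLE_NAME, "cookieNotValid", null);
    }
    principal = new Principal() {
        public String getName() {
            return username;
        }
    };
    setUserSessionProperty(JwtSessionModule.JWT_VALIDATED_KEY, Boolean.TRUE.toString());
    return true;
}

/**
 * Reads a claim from the authentication context as a String.
 *
 * @param context The authentication context claims extracted from the JWT.
 * @param key The claim key to read.
 * @return The claim value, or {@code null} when the claim is absent or is not a String (a non-String
 * value is treated as absent so that it fails the caller's check rather than escaping as a ClassCastException).
 */
private static String claimAsString(Map<String, Object> context, String key) {
    final Object value = context.get(key);
    return value instanceof String ? (String) value : null;
}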
Use of org.forgerock.json.jose.jwt.Jwt in project OpenAM by OpenRock.
Class PersistentCookieAuthModuleTest, method shouldEnforceClientIPOnLoginWhenClientIPIsDifferent.
@Test(expectedExceptions = AuthLoginException.class)
public void shouldEnforceClientIPOnLoginWhenClientIPIsDifferent() throws LoginException {
    // Given: IP enforcement switched on through the module options.
    Map<String, Object> moduleOptions = new HashMap<String, Object>();
    moduleOptions.put("openam-auth-persistent-cookie-enforce-ip", Collections.singleton("true"));
    persistentCookieAuthModule.initialize(null, null, moduleOptions);

    // A cookie that validates and whose realm matches the request realm.
    MessageInfo messageInfo = mock(MessageInfo.class);
    Jwt jwt = mock(Jwt.class);
    JwtClaimsSet claimsSet = mock(JwtClaimsSet.class);
    Map<String, Object> authContext = new HashMap<String, Object>();
    authContext.put("openam.rlm", "REALM");
    // NOTE(review): this key is the module option name; confirm it is what the module reads as the
    // client-IP claim, otherwise the stored IP is simply absent and the test passes for a different reason.
    authContext.put("openam-auth-persistent-cookie-enforce-ip", "CLIENT_IP");

    given(jwtSessionModule.validateJwtSessionCookie(messageInfo)).willReturn(jwt);
    given(jwt.getClaimsSet()).willReturn(claimsSet);
    given(claimsSet.getClaim(AuthenticationFramework.ATTRIBUTE_AUTH_CONTEXT, Map.class)).willReturn(authContext);
    given(amLoginModuleBinder.getRequestOrg()).willReturn("REALM");

    // The request arrives from a different address than the one the cookie was issued to.
    HttpServletRequest request = mock(HttpServletRequest.class);
    given(request.getRemoteAddr()).willReturn("CLIENT_IP_2");
    given(amLoginModuleBinder.getHttpServletRequest()).willReturn(request);

    // When
    persistentCookieAuthModule.process(messageInfo, new Subject(), new Callback[0]);

    // Then: the module must have rejected the login before reaching this point.
    fail();
}
Use of org.forgerock.json.jose.jwt.Jwt in project OpenAM by OpenRock.
Class PolicyRequestTest, method shouldAllowJwtSubject.
@Test
public void shouldAllowJwtSubject() throws Exception {
    // Given: a policy action whose subject is supplied as a JWT.
    final String name = "test";
    Jwt subjectJwt = getJwtSubject(name);
    given(subjectContext.getCallerSubject()).willReturn(restSubject);
    given(actionRequest.getContent())
            .willReturn(json(object(field("subject", object(field("jwt", subjectJwt.build()))))));

    // When: the request is built for the "/abc" realm.
    PolicyRequest policyRequest = getRequest(buildContextStructure("/abc"), actionRequest);

    // Then: the JWT is carried through as exactly one JwtPrincipal on the policy subject.
    Set<JwtPrincipal> principals = policyRequest.getPolicySubject().getPrincipals(JwtPrincipal.class);
    assertThat(principals).hasSize(1);
    assertThat(principals).contains(new JwtPrincipal(getJsonSubject(name)));
}
Use of org.forgerock.json.jose.jwt.Jwt in project OpenAM by OpenRock.
Class PersistentCookieAuthModuleTest, method shouldProcessCallbacksWhenJwtRealmIsDifferent.
@Test
public void shouldProcessCallbacksWhenJwtRealmIsDifferent() throws LoginException {
    // Given: a cookie that validates but was issued for a realm other than the request realm.
    Jwt jwt = mock(Jwt.class);
    JwtClaimsSet claimsSet = mock(JwtClaimsSet.class);
    Map<String, Object> authContext = mock(HashMap.class);
    given(jwtSessionModule.validateJwtSessionCookie(Matchers.<MessageInfo>anyObject())).willReturn(jwt);
    given(jwt.getClaimsSet()).willReturn(claimsSet);
    given(claimsSet.getClaim("org.forgerock.authentication.context", Map.class)).willReturn(authContext);
    given(authContext.get("openam.rlm")).willReturn("REALM");
    given(amLoginModuleBinder.getRequestOrg()).willReturn("OTHER_REALM");
    shouldInitialiseAuthModule();

    // When
    AuthLoginException caught = null;
    try {
        persistentCookieAuthModule.process(new Callback[0], ISAuthConstants.LOGIN_START);
    } catch (AuthLoginException e) {
        caught = e;
    }

    // Then: initialisation still set the session lifetimes and the cookie was validated, but the realm
    // mismatch is reported with the dedicated error code.
    verify(amLoginModuleBinder).setUserSessionProperty(JwtSessionModule.TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY, "60");
    verify(amLoginModuleBinder).setUserSessionProperty(JwtSessionModule.MAX_TOKEN_LIFE_IN_MINUTES_KEY, "300");
    verify(jwtSessionModule).validateJwtSessionCookie(Matchers.<MessageInfo>anyObject());
    assertTrue(caught != null);
    assertEquals(caught.getErrorCode(), "authFailedDiffRealm");
}
Use of org.forgerock.json.jose.jwt.Jwt in project OpenAM by OpenRock.
Class PersistentCookieAuthModuleTest, method shouldProcessCallbacksWhenJwtValid.
@Test
public void shouldProcessCallbacksWhenJwtValid() throws LoginException {
    // Given: a cookie that validates, matches the request realm and names a user.
    Jwt jwt = mock(Jwt.class);
    JwtClaimsSet claimsSet = mock(JwtClaimsSet.class);
    Map<String, Object> authContext = mock(HashMap.class);
    given(jwtSessionModule.validateJwtSessionCookie(Matchers.<MessageInfo>anyObject())).willReturn(jwt);
    given(jwt.getClaimsSet()).willReturn(claimsSet);
    given(claimsSet.getClaim("org.forgerock.authentication.context", Map.class)).willReturn(authContext);
    given(authContext.get("openam.rlm")).willReturn("REALM");
    given(authContext.get("openam.usr")).willReturn("USER");
    given(amLoginModuleBinder.getRequestOrg()).willReturn("REALM");
    shouldInitialiseAuthModule();

    // When
    int resultState = persistentCookieAuthModule.process(new Callback[0], ISAuthConstants.LOGIN_START);

    // Then: the session lifetimes were recorded, the cookie was validated and flagged as such on the
    // session, and the login succeeds.
    verify(amLoginModuleBinder).setUserSessionProperty(JwtSessionModule.TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY, "60");
    verify(amLoginModuleBinder).setUserSessionProperty(JwtSessionModule.MAX_TOKEN_LIFE_IN_MINUTES_KEY, "300");
    verify(jwtSessionModule).validateJwtSessionCookie(Matchers.<MessageInfo>anyObject());
    verify(amLoginModuleBinder).setUserSessionProperty("jwtValidated", "true");
    assertEquals(resultState, ISAuthConstants.LOGIN_SUCCEED);
}