Example 1 with EncryptionConfiguration
use of org.pac4j.jwt.config.encryption.EncryptionConfiguration in project pac4j by pac4j.
the class JwtAuthenticator method validate.
@Override
public void validate(final TokenCredentials credentials, final WebContext context) {
init();
final String token = credentials.getToken();
if (context != null) {
// set the www-authenticate in case of error
context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Bearer realm=\"" + realmName + "\"");
}
try {
// Parse the token
JWT jwt = JWTParser.parse(token);
if (jwt instanceof PlainJWT) {
if (signatureConfigurations.isEmpty()) {
logger.debug("JWT is not signed and no signature configurations -> verified");
} else {
throw new CredentialsException("A non-signed JWT cannot be accepted as signature configurations have been defined");
}
} else {
SignedJWT signedJWT = null;
if (jwt instanceof SignedJWT) {
signedJWT = (SignedJWT) jwt;
}
// encrypted?
if (jwt instanceof EncryptedJWT) {
logger.debug("JWT is encrypted");
final EncryptedJWT encryptedJWT = (EncryptedJWT) jwt;
boolean found = false;
final JWEHeader header = encryptedJWT.getHeader();
final JWEAlgorithm algorithm = header.getAlgorithm();
final EncryptionMethod method = header.getEncryptionMethod();
for (final EncryptionConfiguration config : encryptionConfigurations) {
if (config.supports(algorithm, method)) {
logger.debug("Using encryption configuration: {}", config);
try {
config.decrypt(encryptedJWT);
signedJWT = encryptedJWT.getPayload().toSignedJWT();
if (signedJWT != null) {
jwt = signedJWT;
}
found = true;
break;
} catch (final JOSEException e) {
logger.debug("Decryption fails with encryption configuration: {}, passing to the next one", config);
}
}
}
if (!found) {
throw new CredentialsException("No encryption algorithm found for JWT: " + token);
}
}
// signed?
if (signedJWT != null) {
logger.debug("JWT is signed");
boolean verified = false;
boolean found = false;
final JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
for (final SignatureConfiguration config : signatureConfigurations) {
if (config.supports(algorithm)) {
logger.debug("Using signature configuration: {}", config);
try {
verified = config.verify(signedJWT);
found = true;
if (verified) {
break;
}
} catch (final JOSEException e) {
logger.debug("Verification fails with signature configuration: {}, passing to the next one", config);
}
}
}
if (!found) {
throw new CredentialsException("No signature algorithm found for JWT: " + token);
}
if (!verified) {
throw new CredentialsException("JWT verification failed: " + token);
}
}
}
createJwtProfile(credentials, jwt);
} catch (final ParseException e) {
throw new CredentialsException("Cannot decrypt / verify JWT", e);
}
}
Also used :
PlainJWT(com.nimbusds.jwt.PlainJWT)
SignatureConfiguration(org.pac4j.jwt.config.signature.SignatureConfiguration)
EncryptionConfiguration(org.pac4j.jwt.config.encryption.EncryptionConfiguration)
PlainJWT(com.nimbusds.jwt.PlainJWT)
JWT(com.nimbusds.jwt.JWT)
SignedJWT(com.nimbusds.jwt.SignedJWT)
EncryptedJWT(com.nimbusds.jwt.EncryptedJWT)
SignedJWT(com.nimbusds.jwt.SignedJWT)
EncryptionMethod(com.nimbusds.jose.EncryptionMethod)
CredentialsException(org.pac4j.core.exception.CredentialsException)
JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm)
JWEHeader(com.nimbusds.jose.JWEHeader)
JWEAlgorithm(com.nimbusds.jose.JWEAlgorithm)
ParseException(java.text.ParseException)
EncryptedJWT(com.nimbusds.jwt.EncryptedJWT)
JOSEException(com.nimbusds.jose.JOSEException)
Example 2 with EncryptionConfiguration
use of org.pac4j.jwt.config.encryption.EncryptionConfiguration in project pac4j by pac4j.
the class JwtTests method testGenerateAuthenticateDifferentSecrets.
@Test
public void testGenerateAuthenticateDifferentSecrets() {
final SignatureConfiguration signatureConfiguration = new SecretSignatureConfiguration(MAC_SECRET);
final EncryptionConfiguration encryptionConfiguration = new SecretEncryptionConfiguration(KEY2);
final JwtGenerator<FacebookProfile> generator = new JwtGenerator<>(signatureConfiguration, encryptionConfiguration);
final FacebookProfile profile = createProfile();
final String token = generator.generate(profile);
assertToken(profile, token, new JwtAuthenticator(signatureConfiguration, encryptionConfiguration));
}
Also used :
JwtGenerator(org.pac4j.jwt.profile.JwtGenerator)
SecretSignatureConfiguration(org.pac4j.jwt.config.signature.SecretSignatureConfiguration)
SignatureConfiguration(org.pac4j.jwt.config.signature.SignatureConfiguration)
ECSignatureConfiguration(org.pac4j.jwt.config.signature.ECSignatureConfiguration)
SecretEncryptionConfiguration(org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration)
EncryptionConfiguration(org.pac4j.jwt.config.encryption.EncryptionConfiguration)
JwtAuthenticator(org.pac4j.jwt.credentials.authenticator.JwtAuthenticator)
SecretEncryptionConfiguration(org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration)
SecretSignatureConfiguration(org.pac4j.jwt.config.signature.SecretSignatureConfiguration)
FacebookProfile(org.pac4j.oauth.profile.facebook.FacebookProfile)
Test(org.junit.Test)
Example 3 with EncryptionConfiguration
use of org.pac4j.jwt.config.encryption.EncryptionConfiguration in project pac4j by pac4j.
the class JwtTests method testGenerateAuthenticateUselessSignatureConfiguration.
@Test
public void testGenerateAuthenticateUselessSignatureConfiguration() {
final SignatureConfiguration signatureConfiguration = new SecretSignatureConfiguration(KEY2);
final SignatureConfiguration signatureConfiguration2 = new SecretSignatureConfiguration(MAC_SECRET);
final EncryptionConfiguration encryptionConfiguration = new SecretEncryptionConfiguration(MAC_SECRET);
final JwtGenerator<FacebookProfile> generator = new JwtGenerator<>(signatureConfiguration, encryptionConfiguration);
final FacebookProfile profile = createProfile();
final String token = generator.generate(profile);
final JwtAuthenticator jwtAuthenticator = new JwtAuthenticator();
jwtAuthenticator.addSignatureConfiguration(signatureConfiguration);
jwtAuthenticator.addSignatureConfiguration(signatureConfiguration2);
jwtAuthenticator.setEncryptionConfiguration(encryptionConfiguration);
assertToken(profile, token, jwtAuthenticator);
}
Also used :
JwtGenerator(org.pac4j.jwt.profile.JwtGenerator)
SecretSignatureConfiguration(org.pac4j.jwt.config.signature.SecretSignatureConfiguration)
SignatureConfiguration(org.pac4j.jwt.config.signature.SignatureConfiguration)
ECSignatureConfiguration(org.pac4j.jwt.config.signature.ECSignatureConfiguration)
SecretEncryptionConfiguration(org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration)
EncryptionConfiguration(org.pac4j.jwt.config.encryption.EncryptionConfiguration)
JwtAuthenticator(org.pac4j.jwt.credentials.authenticator.JwtAuthenticator)
SecretEncryptionConfiguration(org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration)
SecretSignatureConfiguration(org.pac4j.jwt.config.signature.SecretSignatureConfiguration)
FacebookProfile(org.pac4j.oauth.profile.facebook.FacebookProfile)
Test(org.junit.Test)
Aggregations
EncryptionConfiguration (org.pac4j.jwt.config.encryption.EncryptionConfiguration)3
SignatureConfiguration (org.pac4j.jwt.config.signature.SignatureConfiguration)3
Test (org.junit.Test)2
SecretEncryptionConfiguration (org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration)2
ECSignatureConfiguration (org.pac4j.jwt.config.signature.ECSignatureConfiguration)2
SecretSignatureConfiguration (org.pac4j.jwt.config.signature.SecretSignatureConfiguration)2
JwtAuthenticator (org.pac4j.jwt.credentials.authenticator.JwtAuthenticator)2
JwtGenerator (org.pac4j.jwt.profile.JwtGenerator)2
FacebookProfile (org.pac4j.oauth.profile.facebook.FacebookProfile)2
EncryptionMethod (com.nimbusds.jose.EncryptionMethod)1
JOSEException (com.nimbusds.jose.JOSEException)1
JWEAlgorithm (com.nimbusds.jose.JWEAlgorithm)1
JWEHeader (com.nimbusds.jose.JWEHeader)1
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm)1
EncryptedJWT (com.nimbusds.jwt.EncryptedJWT)1
JWT (com.nimbusds.jwt.JWT)1
PlainJWT (com.nimbusds.jwt.PlainJWT)1
SignedJWT (com.nimbusds.jwt.SignedJWT)1
ParseException (java.text.ParseException)1
CredentialsException (org.pac4j.core.exception.CredentialsException)1
