
Example 1 with InvalidSignatureException

Use of org.springframework.security.jwt.crypto.sign.InvalidSignatureException in project credhub by cloudfoundry-incubator.

From the class AuditOAuth2AuthenticationExceptionHandler, method commence:

@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
    String token = (String) request.getAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE);
    final Map<String, Object> tokenInformation = extractTokenInformation(token);
    Throwable cause = extractCause(authException);
    Exception exception;
    if (tokenIsExpired(tokenInformation)) {
        exception = new AccessTokenExpiredException("Access token expired", cause);
    } else if (cause instanceof InvalidSignatureException || cause instanceof SignatureException) {
        // A signature failure is reported with a fixed, generic message rather than the verifier's own text
        exception = new InvalidTokenException(messageSourceAccessor.getMessage("error.invalid_token_signature"), cause);
    } else {
        // Strip the raw token value from the message before it is returned to the client
        exception = new InvalidTokenException(removeTokenFromMessage(authException.getMessage(), token), cause);
    }
    exception.setStackTrace(authException.getStackTrace());
    try {
        doHandle(request, response, exception);
    } finally {
        // The token is also scrubbed from the message that is written to the audit log
        final String message = removeTokenFromMessage(exception.getMessage(), token);
        logAuthFailureToDb(request, tokenInformation, response.getStatus(), message);
    }
}
Also used: InvalidTokenException (org.springframework.security.oauth2.common.exceptions.InvalidTokenException), AccessTokenExpiredException (org.cloudfoundry.credhub.exceptions.AccessTokenExpiredException), InvalidSignatureException (org.springframework.security.jwt.crypto.sign.InvalidSignatureException), SignatureException (java.security.SignatureException), ServletException (javax.servlet.ServletException), AuthenticationException (org.springframework.security.core.AuthenticationException), IOException (java.io.IOException)

Example 2 with InvalidSignatureException

Use of org.springframework.security.jwt.crypto.sign.InvalidSignatureException in project spring-security-oauth by spring-projects.

From the class JwtAccessTokenConverter, method afterPropertiesSet:

public void afterPropertiesSet() throws Exception {
    if (verifier != null) {
        // Assume signer also set independently if needed
        return;
    }
    // Default to an HMAC verifier; it is replaced below if verifierKey parses as an RSA public key
    SignatureVerifier verifier = new MacSigner(verifierKey);
    try {
        verifier = new RsaVerifier(verifierKey);
    } catch (Exception e) {
        // Not an RSA key: keep the MAC verifier built above
        logger.warn("Unable to create an RSA verifier from verifierKey (ignoreable if using MAC)");
    }
    // Check the signing and verification keys match
    if (signer instanceof RsaSigner) {
        // Round-trip a fixed payload: sign with the configured signer, then verify with the chosen verifier
        byte[] test = "test".getBytes();
        try {
            verifier.verify(test, signer.sign(test));
            logger.info("Signing and verification RSA keys match");
        } catch (InvalidSignatureException e) {
            logger.error("Signing and verification RSA keys do not match");
        }
    } else if (verifier instanceof MacSigner) {
        // Avoid a race condition where setters are called in the wrong order. Use of
        // == is intentional.
        Assert.state(this.signingKey == this.verifierKey, "For MAC signing you do not need to specify the verifier key separately, and if you do it must match the signing key");
    }
    this.verifier = verifier;
}
Also used: RsaVerifier (org.springframework.security.jwt.crypto.sign.RsaVerifier), InvalidSignatureException (org.springframework.security.jwt.crypto.sign.InvalidSignatureException), MacSigner (org.springframework.security.jwt.crypto.sign.MacSigner), RsaSigner (org.springframework.security.jwt.crypto.sign.RsaSigner), SignatureVerifier (org.springframework.security.jwt.crypto.sign.SignatureVerifier), InvalidTokenException (org.springframework.security.oauth2.common.exceptions.InvalidTokenException)

Example 3 with InvalidSignatureException

Use of org.springframework.security.jwt.crypto.sign.InvalidSignatureException in project CzechIdMng by bcvsolutions.

From the class JwtIdmAuthenticationFilter, method authorize:

@Override
public boolean authorize(String token, HttpServletRequest request, HttpServletResponse response) {
    IdmJwtAuthenticationDto claims = null;
    try {
        Optional<Jwt> jwt = HttpFilterUtils.parseToken(token);
        if (!jwt.isPresent()) {
            return false;
        }
        // Signature is verified before any claim is read; a bad signature throws InvalidSignatureException
        HttpFilterUtils.verifyToken(jwt.get(), jwtTokenMapper.getVerifier());
        // authentication dto from request
        claims = jwtTokenMapper.getClaims(jwt.get());
        // we need to check expiration, before current (automatically prolonged) token is used by mapper
        if (claims.getExpiration() != null && claims.getExpiration().isBefore(ZonedDateTime.now())) {
            throw new ResultCodeException(CoreResultCode.AUTH_EXPIRED);
        }
        // resolve actual authentication from given authentication dto (token is loaded)
        IdmJwtAuthentication authentication = jwtTokenMapper.fromDto(claims);
        // set current authentication dto to context
        ctx.setToken(jwtTokenMapper.toDto(authentication));
        // try to authenticate
        Authentication auth = authenticationManager.authenticate(authentication);
        LOG.debug("User [{}] successfully logged in.", auth.getName());
        return auth.isAuthenticated();
    } catch (ResultCodeException ex) {
        String statusEnum = ex.getError().getError().getStatusEnum();
        if (CoreResultCode.TOKEN_NOT_FOUND.getCode().equals(statusEnum) || CoreResultCode.AUTHORITIES_CHANGED.getCode().equals(statusEnum) || CoreResultCode.AUTH_EXPIRED.getCode().equals(statusEnum)) {
            LOG.warn("Invalid token, reason: [{}]", ex.getMessage());
            ctx.setCodeEx(ex);
            // only expired or authorities changed
            ctx.setToken(claims);
        } else {
            // publish additional authentication requirement
            throw ex;
        }
    } catch (AuthenticationException ex) {
        LOG.warn("Invalid authentication, reason: [{}]", ex.getMessage());
        ctx.setAuthEx(ex);
    } catch (InvalidSignatureException | IOException | IllegalArgumentException ex) {
        // client sent some rubbish, just log and ignore
        LOG.warn("Invalid IdM auth token received.", ex);
    }
    return false;
}
Also used: InvalidSignatureException (org.springframework.security.jwt.crypto.sign.InvalidSignatureException), AuthenticationException (org.springframework.security.core.AuthenticationException), Jwt (org.springframework.security.jwt.Jwt), IdmJwtAuthentication (eu.bcvsolutions.idm.core.security.api.domain.IdmJwtAuthentication), Authentication (org.springframework.security.core.Authentication), ResultCodeException (eu.bcvsolutions.idm.core.api.exception.ResultCodeException), IdmJwtAuthenticationDto (eu.bcvsolutions.idm.core.security.api.dto.IdmJwtAuthenticationDto), IOException (java.io.IOException)

Aggregations (number of examples above that use each class)

InvalidSignatureException (org.springframework.security.jwt.crypto.sign.InvalidSignatureException): 3
IOException (java.io.IOException): 2
AuthenticationException (org.springframework.security.core.AuthenticationException): 2
InvalidTokenException (org.springframework.security.oauth2.common.exceptions.InvalidTokenException): 2
ResultCodeException (eu.bcvsolutions.idm.core.api.exception.ResultCodeException): 1
IdmJwtAuthentication (eu.bcvsolutions.idm.core.security.api.domain.IdmJwtAuthentication): 1
IdmJwtAuthenticationDto (eu.bcvsolutions.idm.core.security.api.dto.IdmJwtAuthenticationDto): 1
SignatureException (java.security.SignatureException): 1
ServletException (javax.servlet.ServletException): 1
AccessTokenExpiredException (org.cloudfoundry.credhub.exceptions.AccessTokenExpiredException): 1
Authentication (org.springframework.security.core.Authentication): 1
Jwt (org.springframework.security.jwt.Jwt): 1
MacSigner (org.springframework.security.jwt.crypto.sign.MacSigner): 1
RsaSigner (org.springframework.security.jwt.crypto.sign.RsaSigner): 1
RsaVerifier (org.springframework.security.jwt.crypto.sign.RsaVerifier): 1
SignatureVerifier (org.springframework.security.jwt.crypto.sign.SignatureVerifier): 1