/**
 * Checks that the scopes carried in the validated JWT satisfy the scopes bound to the API resource
 * being invoked. The actual scope evaluation is delegated to the configured API key validator;
 * this method only assembles the {@link TokenValidationContext} it needs.
 *
 * @param apiContext        context of the invoked API
 * @param apiVersion        version of the invoked API
 * @param matchingResource  the API resource that matched the request
 * @param httpMethod        HTTP verb of the matched resource
 * @param jwtValidationInfo the already-validated JWT information (source of the token's scopes and user)
 * @param jwtToken          the signed JWT presented by the client
 * @throws APISecurityException with {@code INVALID_SCOPE} when the validator rejects the request
 */
private void validateScopes(String apiContext, String apiVersion, String matchingResource, String httpMethod,
                            JWTValidationInfo jwtValidationInfo, SignedJWTInfo jwtToken)
        throws APISecurityException {
    String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();

    // The validator reads scopes from an APIKeyValidationInfoDTO, so the token scopes are copied into one.
    APIKeyValidationInfoDTO keyInfo = new APIKeyValidationInfoDTO();
    keyInfo.setScopes(new HashSet<>(jwtValidationInfo.getScopes()));

    TokenValidationContext context = new TokenValidationContext();
    context.setValidationInfoDTO(keyInfo);
    context.setAccessToken(jwtToken.getToken());
    context.setHttpVerb(httpMethod);
    context.setMatchingResource(matchingResource);
    context.setContext(apiContext);
    context.setVersion(apiVersion);

    if (!this.apiKeyValidator.validateScopes(context, tenantDomain)) {
        String message = "User is NOT authorized to access the Resource: " + matchingResource
                + ". Scope validation failed.";
        log.debug(message);
        throw new APISecurityException(APISecurityConstants.INVALID_SCOPE, message);
    }
    if (log.isDebugEnabled()) {
        log.debug("Scope validation successful for the resource: " + matchingResource + ", user: "
                + jwtValidationInfo.getUser());
    }
}
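/**
 * Authenticates a WebSocket handshake request carrying a JWT and decides whether the API consumer
 * may access the invoked API.
 *
 * <p>Checks run in order: token validity, subscription, resource scopes. Only when all three pass
 * is a backend JWT generated (if enabled) and an {@link AuthenticationContext} returned.
 *
 * @param signedJWTInfo    the JWT presented with the handshake request
 * @param apiContext       context of the invoked API
 * @param apiVersion       version of the invoked API
 * @param matchingResource template of the matched API resource
 * @return the authentication context describing the authenticated consumer
 * @throws APISecurityException with {@code API_AUTH_GENERAL_ERROR} when no validation result is
 *                              available, {@code API_AUTH_INVALID_CREDENTIALS} for an invalid token,
 *                              the subscription validation status when the subscription check fails,
 *                              or {@code INVALID_SCOPE} when scope validation fails
 */
@MethodStats
public AuthenticationContext authenticateForWebSocket(SignedJWTInfo signedJWTInfo, String apiContext,
                                                      String apiVersion, String matchingResource)
        throws APISecurityException {
    String tokenSignature = signedJWTInfo.getSignedJWT().getSignature().toString();
    String jti = getJWTTokenIdentifier(signedJWTInfo);
    JWTValidationInfo jwtValidationInfo = validateTokenForWS(signedJWTInfo, tokenSignature, jti);

    // A missing validation result is an internal error rather than an invalid credential. Checking it
    // before isValid() keeps the failure path from dereferencing null and always yields an
    // APISecurityException, so the caller sees a clean authentication failure.
    if (jwtValidationInfo == null) {
        throw new APISecurityException(APISecurityConstants.API_AUTH_GENERAL_ERROR,
                APISecurityConstants.API_AUTH_GENERAL_ERROR_MESSAGE);
    }
    if (!jwtValidationInfo.isValid()) {
        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
    }

    APIKeyValidationInfoDTO apiKeyValidationInfoDTO =
            validateSubscriptionsForWS(jwtValidationInfo, apiContext, apiVersion);
    if (!apiKeyValidationInfoDTO.isAuthorized()) {
        String message = "User is NOT authorized to access the Resource. API Subscription validation failed.";
        log.debug(message);
        throw new APISecurityException(apiKeyValidationInfoDTO.getValidationStatus(), message);
    }

    // The handshake has no resource-level HTTP verb of its own; the WebSocket dummy method name is used.
    validateScopes(apiContext, apiVersion, matchingResource,
            WebSocketApiConstants.WEBSOCKET_DUMMY_HTTP_METHOD_NAME, jwtValidationInfo, signedJWTInfo);
    if (log.isDebugEnabled()) {
        log.debug("JWT authentication successful. user: " + apiKeyValidationInfoDTO.getEndUserName());
    }
    String endUserToken = generateBackendJWTForWS(jwtValidationInfo, apiKeyValidationInfoDTO, apiContext,
            apiVersion, tokenSignature);
    return generateAuthenticationContextForWS(jti, jwtValidationInfo, apiKeyValidationInfoDTO, endUserToken,
            apiVersion);
}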
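/**
 * Validates the API subscription for a WebSocket API request through the Key Manager named in the
 * JWT validation result.
 *
 * @param jwtValidationInfo validated JWT information, including the Key Manager that issued the token
 * @param apiContext        context of the invoked API
 * @param apiVersion        version of the invoked API
 * @return the subscription validation result; {@code isAuthorized()} tells whether access is allowed
 * @throws APISecurityException if subscription validation via the Key Manager fails with an error
 */
private APIKeyValidationInfoDTO validateSubscriptionsForWS(JWTValidationInfo jwtValidationInfo, String apiContext,
                                                           String apiVersion) throws APISecurityException {
    // Both debug messages are guarded so the string concatenation is skipped when DEBUG is off.
    if (log.isDebugEnabled()) {
        log.debug("Begin subscription validation via Key Manager: " + jwtValidationInfo.getKeyManager());
    }
    APIKeyValidationInfoDTO apiKeyValidationInfoDTO =
            validateSubscriptionUsingKeyManager(apiContext, apiVersion, jwtValidationInfo);
    if (log.isDebugEnabled()) {
        log.debug("Subscription validation via Key Manager: " + jwtValidationInfo.getKeyManager()
                + ". Status: " + apiKeyValidationInfoDTO.isAuthorized());
    }
    return apiKeyValidationInfoDTO;
}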
/**
 * Builds the backend (end-user) JWT for a WebSocket API request, when backend JWT generation is enabled.
 *
 * @param jwtValidationInfo       validated JWT information
 * @param apiKeyValidationInfoDTO subscription validation result
 * @param apiContext              context of the invoked API
 * @param apiVersion              version of the invoked API
 * @param tokenSignature          signature of the inbound JWT, handed to {@code generateAndRetrieveJWTToken}
 * @return the generated backend JWT, or {@code null} when {@code jwtGenerationEnabled} is false
 * @throws APISecurityException if token generation fails
 */
private String generateBackendJWTForWS(JWTValidationInfo jwtValidationInfo,
                                       APIKeyValidationInfoDTO apiKeyValidationInfoDTO, String apiContext,
                                       String apiVersion, String tokenSignature) throws APISecurityException {
    // Callers treat a null token as "no backend JWT configured".
    if (!jwtGenerationEnabled) {
        return null;
    }
    JWTInfoDto jwtInfoDto = GatewayUtils.generateJWTInfoDto(jwtValidationInfo, apiKeyValidationInfoDTO,
            apiContext, apiVersion);
    return generateAndRetrieveJWTToken(tokenSignature, jwtInfoDto);
}
/**
 * Builds the {@link JWTInfoDto} used for backend JWT generation from the validated JWT, the
 * subscription validation result and the API context/version read from the Synapse message context.
 *
 * @param subscribedAPI           subscribed API JSON, passed through to {@code constructJWTContent}
 * @param jwtValidationInfo       validated JWT information
 * @param apiKeyValidationInfoDTO subscription validation result
 * @param synCtx                  Synapse message context; supplies the REST API context and version properties
 * @return the populated DTO
 */
public static JWTInfoDto generateJWTInfoDto(JSONObject subscribedAPI, JWTValidationInfo jwtValidationInfo,
                                            APIKeyValidationInfoDTO apiKeyValidationInfoDTO,
                                            org.apache.synapse.MessageContext synCtx) {
    String context = (String) synCtx.getProperty(RESTConstants.REST_API_CONTEXT);
    String version = (String) synCtx.getProperty(RESTConstants.SYNAPSE_REST_API_VERSION);

    JWTInfoDto dto = new JWTInfoDto();
    dto.setJwtValidationInfo(jwtValidationInfo);
    dto.setApiContext(context);
    dto.setVersion(version);
    constructJWTContent(subscribedAPI, apiKeyValidationInfoDTO, dto);
    return dto;
}