
spring-security-oauth Show JwkVerifyingJwtAccessTokenConverter.java Source code

  1. /*
  2.  * Copyright 2012-2017 the original author or authors.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *      http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  */
  16. package org.springframework.security.oauth2.provider.token.store.jwk;
  17.  
  18. import org.springframework.security.jwt.Jwt;
  19. import org.springframework.security.jwt.JwtHelper;
  20. import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
  21. import org.springframework.security.oauth2.common.OAuth2AccessToken;
  22. import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
  23. import org.springframework.security.oauth2.common.util.JsonParser;
  24. import org.springframework.security.oauth2.common.util.JsonParserFactory;
  25. import org.springframework.security.oauth2.provider.OAuth2Authentication;
  26. import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
  27.  
  28. import java.util.Map;
  29.  
  30. import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.ALGORITHM;
  31. import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.KEY_ID;
  32.  
  33. /**
  34.  * A specialized extension of {@link JwtAccessTokenConverter} that is responsible for verifying
  35.  * the JSON Web Signature (JWS) for a JSON Web Token (JWT) using the corresponding JSON Web Key (JWK).
  36.  * This implementation is associated with a {@link JwkDefinitionSource} for looking up
  37.  * the matching {@link JwkDefinition} using the value of the JWT header parameter <b>&quot;kid&quot;</b>.
  38.  * <br>
  39.  * <br>
  40.  *
  41.  * The JWS is verified in the following step sequence:
  42.  * <br>
  43.  * <br>
  44.  * <ol>
  45.  *     <li>Extract the <b>&quot;kid&quot;</b> parameter from the JWT header.</li>
  46.  *     <li>Find the matching {@link JwkDefinition} from the {@link JwkDefinitionSource} with the corresponding <b>&quot;kid&quot;</b> attribute.</li>
  47.  *     <li>Obtain the {@link SignatureVerifier} associated with the {@link JwkDefinition} via the {@link JwkDefinitionSource} and verify the signature.</li>
  48.  * </ol>
  49.  * <br>
  50.  * <b>NOTE:</b> The algorithms currently supported by this implementation are: RS256, RS384 and RS512.
  51.  * <br>
  52.  * <br>
  53.  *
  54.  * <b>NOTE:</b> This {@link JwtAccessTokenConverter} <b>does not</b> support signing JWTs (JWS) and therefore
  55.  * the {@link #encode(OAuth2AccessToken, OAuth2Authentication)} method implementation, if called,
  56.  * will explicitly throw a {@link JwkException} reporting <i>&quot;JWT signing (JWS) is not supported.&quot;</i>.
  57.  * <br>
  58.  * <br>
  59.  *
  60.  * @see JwtAccessTokenConverter
  61.  * @see JwtHeaderConverter
  62.  * @see JwkDefinitionSource
  63.  * @see JwkDefinition
  64.  * @see SignatureVerifier
  65.  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7517">JSON Web Key (JWK)</a>
  66.  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>
  67.  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515">JSON Web Signature (JWS)</a>
  68.  *
  69.  * @author Joe Grandja
  70.  */
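  class JwkVerifyingJwtAccessTokenConverter extends JwtAccessTokenConverter {
      private final JwkDefinitionSource jwkDefinitionSource;
      private final JwtHeaderConverter jwtHeaderConverter = new JwtHeaderConverter();
      private final JsonParser jsonParser = JsonParserFactory.create();

      /**
       * Creates a new instance using the provided {@link JwkDefinitionSource}
       * as the primary source for looking up {@link JwkDefinition}(s).
       *
       * @param jwkDefinitionSource the source for {@link JwkDefinition}(s)
       */
      JwkVerifyingJwtAccessTokenConverter(JwkDefinitionSource jwkDefinitionSource) {
          this.jwkDefinitionSource = jwkDefinitionSource;
      }

      /**
       * Checks the JOSE header of the supplied JWT against the matching JWK, verifies the
       * signature, and only then parses and returns the claims from the JWT payload.
       * <p>
       * The <b>&quot;kid&quot;</b> and <b>&quot;alg&quot;</b> header values are read before the
       * signature has been verified, so they are untrusted at that point. <b>&quot;kid&quot;</b>
       * is used only to look up a {@link JwkDefinition} and its {@link SignatureVerifier} in the
       * {@link JwkDefinitionSource}; <b>&quot;alg&quot;</b> must equal the algorithm recorded on
       * that definition and is never used to select the verifier.
       * <p>
       * This method does not compare the <code>exp</code> claim with the current time; it only
       * normalises an {@link Integer} value to a {@link Long}.
       * NOTE(review): expiry is presumably enforced by the caller; confirm.
       *
       * @param token the JSON Web Token
       * @return a <code>Map</code> of the JWT Claims
       * @throws InvalidTokenException if the <b>&quot;kid&quot;</b> or <b>&quot;alg&quot;</b> header
       *         is missing, no {@link JwkDefinition} matches the <b>&quot;kid&quot;</b>, or the
       *         <b>&quot;alg&quot;</b> differs from the algorithm of the matching JWK. A failed
       *         signature check is reported by {@link Jwt#verifySignature(SignatureVerifier)};
       *         the exception it raises is not declared in this file.
       */
      @Override
      protected Map<String, Object> decode(String token) {
          Map<String, String> headers = this.jwtHeaderConverter.convert(token);

          // Validate "kid" header: it is the only selector for the verification key.
          String keyIdHeader = headers.get(KEY_ID);
          if (keyIdHeader == null) {
              throw new InvalidTokenException("Invalid JWT/JWS: " + KEY_ID + " is a required JOSE Header");
          }
          JwkDefinition jwkDefinition = this.jwkDefinitionSource.getDefinitionLoadIfNecessary(keyIdHeader);
          if (jwkDefinition == null) {
              // NOTE(review): keyIdHeader comes from the unverified token and is embedded in the
              // message; confirm the message is encoded wherever it is logged or returned.
              throw new InvalidTokenException("Invalid JOSE Header " + KEY_ID + " (" + keyIdHeader + ")");
          }

          // Validate "alg" header: the token may not pick an algorithm other than the one
          // recorded on the JWK it names.
          String algorithmHeader = headers.get(ALGORITHM);
          if (algorithmHeader == null) {
              throw new InvalidTokenException("Invalid JWT/JWS: " + ALGORITHM + " is a required JOSE Header");
          }
          if (!algorithmHeader.equals(jwkDefinition.getAlgorithm().headerParamValue())) {
              // NOTE(review): algorithmHeader is likewise unverified input echoed into the message.
              throw new InvalidTokenException("Invalid JOSE Header " + ALGORITHM + " (" + algorithmHeader + ")" +
                      " does not match algorithm associated to JWK with " + KEY_ID + " (" + keyIdHeader + ")");
          }

          // Verify signature before any claim is parsed.
          SignatureVerifier verifier = this.jwkDefinitionSource.getVerifier(keyIdHeader);
          Jwt jwt = JwtHelper.decode(token);
          jwt.verifySignature(verifier);

          Map<String, Object> claims = this.jsonParser.parseMap(jwt.getClaims());

          // Widen an Integer "exp" to Long. A single lookup is enough because instanceof is false
          // for a missing key, and Long.valueOf replaces the deprecated Long constructor.
          Object expiry = claims.get(EXP);
          if (expiry instanceof Integer) {
              claims.put(EXP, Long.valueOf(((Integer) expiry).longValue()));
          }

          return claims;
      }

      /**
       * This operation (JWT signing) is not supported and if called,
       * will always throw a {@link JwkException}.
       *
       * @param accessToken ignored
       * @param authentication ignored
       * @return never returns normally
       * @throws JwkException always, with the message &quot;JWT signing (JWS) is not supported.&quot;
       */
      @Override
      protected String encode(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
          throw new JwkException("JWT signing (JWS) is not supported.");
      }
  }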