|
|
@ -47,10 +47,10 @@ import java.util.StringTokenizer;
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
public class JWTAuthenticator implements WebappAuthenticator {
|
|
|
|
public class JWTAuthenticator implements WebappAuthenticator {
|
|
|
|
|
|
|
|
|
|
|
|
private static final Log log = LogFactory.getLog(JWTAuthenticator.class);
|
|
|
|
private static final Log log = LogFactory.getLog(JWTAuthenticator.class);
|
|
|
|
public static final String SIGNED_JWT_AUTH_USERNAME = "Username";
|
|
|
|
public static final String SIGNED_JWT_AUTH_USERNAME = "http://wso2.org/claims/enduser";
|
|
|
|
private static final String JWT_AUTHENTICATOR = "JWT";
|
|
|
|
private static final String JWT_AUTHENTICATOR = "JWT";
|
|
|
|
private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion";
|
|
|
|
private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion";
|
|
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
@Override
|
|
|
|
public void init() {
|
|
|
|
public void init() {
|
|
|
@ -59,46 +59,45 @@ public class JWTAuthenticator implements WebappAuthenticator {
|
|
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
@Override
|
|
|
|
public boolean canHandle(Request request) {
|
|
|
|
public boolean canHandle(Request request) {
|
|
|
|
String authorizationHeader = request.getHeader(JWTAuthenticator.JWT_ASSERTION_HEADER);
|
|
|
|
String authorizationHeader = request.getHeader(JWTAuthenticator.JWT_ASSERTION_HEADER);
|
|
|
|
if((authorizationHeader != null) && !authorizationHeader.isEmpty()){
|
|
|
|
if ((authorizationHeader != null) && !authorizationHeader.isEmpty()) {
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
@Override
|
|
|
|
public AuthenticationInfo authenticate(Request request, Response response) {
|
|
|
|
public AuthenticationInfo authenticate(Request request, Response response) {
|
|
|
|
String requestUri = request.getRequestURI();
|
|
|
|
String requestUri = request.getRequestURI();
|
|
|
|
AuthenticationInfo authenticationInfo = new AuthenticationInfo();
|
|
|
|
AuthenticationInfo authenticationInfo = new AuthenticationInfo();
|
|
|
|
if (requestUri == null || "".equals(requestUri)) {
|
|
|
|
if (requestUri == null || "".equals(requestUri)) {
|
|
|
|
authenticationInfo.setStatus(Status.CONTINUE);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
StringTokenizer tokenizer = new StringTokenizer(requestUri, "/");
|
|
|
|
|
|
|
|
String context = tokenizer.nextToken();
|
|
|
|
|
|
|
|
if (context == null || "".equals(context)) {
|
|
|
|
|
|
|
|
authenticationInfo.setStatus(Status.CONTINUE);
|
|
|
|
authenticationInfo.setStatus(Status.CONTINUE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
StringTokenizer tokenizer = new StringTokenizer(requestUri, "/");
|
|
|
|
//Get the filesystem keystore default primary certificate
|
|
|
|
String context = tokenizer.nextToken();
|
|
|
|
KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
|
|
|
|
if (context == null || "".equals(context)) {
|
|
|
|
try {
|
|
|
|
authenticationInfo.setStatus(Status.CONTINUE);
|
|
|
|
keyStoreManager.getDefaultPrimaryCertificate();
|
|
|
|
}
|
|
|
|
String authorizationHeader = request.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
|
|
|
|
|
|
|
|
String headerData = decodeAuthorizationHeader(authorizationHeader);
|
|
|
|
//Get the filesystem keystore default primary certificate
|
|
|
|
JWSVerifier verifier =
|
|
|
|
KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
|
|
|
|
new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey());
|
|
|
|
try {
|
|
|
|
SignedJWT jwsObject = SignedJWT.parse(headerData);
|
|
|
|
keyStoreManager.getDefaultPrimaryCertificate();
|
|
|
|
if (jwsObject.verify(verifier)) {
|
|
|
|
String authorizationHeader = request.getHeader(JWT_ASSERTION_HEADER);
|
|
|
|
String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME);
|
|
|
|
JWSVerifier verifier =
|
|
|
|
String tenantDomain = MultitenantUtils.getTenantDomain(username);
|
|
|
|
new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey());
|
|
|
|
username = MultitenantUtils.getTenantAwareUsername(username);
|
|
|
|
SignedJWT jwsObject = SignedJWT.parse(authorizationHeader);
|
|
|
|
TenantManager tenantManager = AuthenticatorFrameworkDataHolder.getInstance().getRealmService().
|
|
|
|
if (jwsObject.verify(verifier)) {
|
|
|
|
|
|
|
|
String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME);
|
|
|
|
|
|
|
|
String tenantDomain = MultitenantUtils.getTenantDomain(username);
|
|
|
|
|
|
|
|
username = MultitenantUtils.getTenantAwareUsername(username);
|
|
|
|
|
|
|
|
TenantManager tenantManager = AuthenticatorFrameworkDataHolder.getInstance().getRealmService().
|
|
|
|
getTenantManager();
|
|
|
|
getTenantManager();
|
|
|
|
int tenantId = tenantManager.getTenantId(tenantDomain);
|
|
|
|
int tenantId = tenantManager.getTenantId(tenantDomain);
|
|
|
|
if (tenantId == -1) {
|
|
|
|
if (tenantId == -1) {
|
|
|
|
log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " +
|
|
|
|
log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " +
|
|
|
|
": " + tenantDomain);
|
|
|
|
": " + tenantDomain);
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
UserStoreManager userStore = AuthenticatorFrameworkDataHolder.getInstance().getRealmService().
|
|
|
|
UserStoreManager userStore = AuthenticatorFrameworkDataHolder.getInstance().getRealmService().
|
|
|
|
getTenantUserRealm(tenantId).getUserStoreManager();
|
|
|
|
getTenantUserRealm(tenantId).getUserStoreManager();
|
|
|
|
if (userStore.isExistingUser(username)) {
|
|
|
|
if (userStore.isExistingUser(username)) {
|
|
|
@ -108,41 +107,43 @@ public class JWTAuthenticator implements WebappAuthenticator {
|
|
|
|
authenticationInfo.setStatus(Status.CONTINUE);
|
|
|
|
authenticationInfo.setStatus(Status.CONTINUE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
} catch (UserStoreException e) {
|
|
|
|
authenticationInfo.setStatus(Status.FAILURE);
|
|
|
|
log.error("Error occurred while obtaining the user.", e);
|
|
|
|
}
|
|
|
|
} catch (ParseException e) {
|
|
|
|
} catch (UserStoreException e) {
|
|
|
|
log.error("Error occurred while parsing the JWT header.", e);
|
|
|
|
log.error("Error occurred while obtaining the user.", e);
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
} catch (ParseException e) {
|
|
|
|
log.error("Error occurred while verifying the JWT header.", e);
|
|
|
|
log.error("Error occurred while parsing the JWT header.", e);
|
|
|
|
} catch (Exception e) {
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
log.error("Error occurred while verifying the JWT header.", e);
|
|
|
|
log.error("Error occurred while verifying the JWT header.", e);
|
|
|
|
}
|
|
|
|
} catch (Exception e) {
|
|
|
|
return authenticationInfo;
|
|
|
|
log.error("Error occurred while verifying the JWT header.", e);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return authenticationInfo;
|
|
|
|
private String decodeAuthorizationHeader(String authorizationHeader) {
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if(authorizationHeader == null) {
|
|
|
|
private String decodeAuthorizationHeader(String authorizationHeader) {
|
|
|
|
return null;
|
|
|
|
|
|
|
|
}
|
|
|
|
if (authorizationHeader == null) {
|
|
|
|
|
|
|
|
return null;
|
|
|
|
String[] splitValues = authorizationHeader.trim().split(" ");
|
|
|
|
}
|
|
|
|
byte[] decodedBytes = Base64Utils.decode(splitValues[1].trim());
|
|
|
|
|
|
|
|
if (decodedBytes != null) {
|
|
|
|
String[] splitValues = authorizationHeader.trim().split(" ");
|
|
|
|
return new String(decodedBytes);
|
|
|
|
byte[] decodedBytes = Base64Utils.decode(splitValues[1].trim());
|
|
|
|
} else {
|
|
|
|
if (decodedBytes != null) {
|
|
|
|
if (log.isDebugEnabled()) {
|
|
|
|
return new String(decodedBytes);
|
|
|
|
log.debug("Error decoding authorization header.");
|
|
|
|
} else {
|
|
|
|
}
|
|
|
|
if (log.isDebugEnabled()) {
|
|
|
|
return null;
|
|
|
|
log.debug("Error decoding authorization header.");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
|
|
|
|
}
|
|
|
|
@Override
|
|
|
|
}
|
|
|
|
public String getName() {
|
|
|
|
|
|
|
|
return JWTAuthenticator.JWT_AUTHENTICATOR;
|
|
|
|
@Override
|
|
|
|
}
|
|
|
|
public String getName() {
|
|
|
|
|
|
|
|
return JWTAuthenticator.JWT_AUTHENTICATOR;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
@Override
|
|
|
|
public void setProperties(Properties properties) {
|
|
|
|
public void setProperties(Properties properties) {
|
|
|
|