From ace6c2dbfc2a58c03750280d1190fd167e5daeae Mon Sep 17 00:00:00 2001 From: mharindu Date: Mon, 16 May 2016 18:13:00 +0530 Subject: [PATCH] Fixed issues in JWT Authenticator --- .../authenticator/JWTAuthenticator.java | 149 +++++++++--------- 1 file changed, 75 insertions(+), 74 deletions(-) diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java index cb1d11d34f..98ab57a61b 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/JWTAuthenticator.java @@ -47,10 +47,10 @@ import java.util.StringTokenizer; */ public class JWTAuthenticator implements WebappAuthenticator { - private static final Log log = LogFactory.getLog(JWTAuthenticator.class); - public static final String SIGNED_JWT_AUTH_USERNAME = "Username"; - private static final String JWT_AUTHENTICATOR = "JWT"; - private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion"; + private static final Log log = LogFactory.getLog(JWTAuthenticator.class); + public static final String SIGNED_JWT_AUTH_USERNAME = "http://wso2.org/claims/enduser"; + private static final String JWT_AUTHENTICATOR = "JWT"; + private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion"; @Override public void init() { @@ -59,46 +59,45 @@ public class JWTAuthenticator implements WebappAuthenticator { @Override public boolean canHandle(Request request) { - String authorizationHeader = request.getHeader(JWTAuthenticator.JWT_ASSERTION_HEADER); - if((authorizationHeader != null) && !authorizationHeader.isEmpty()){ - return true; - } - return false; + String authorizationHeader = request.getHeader(JWTAuthenticator.JWT_ASSERTION_HEADER); + if ((authorizationHeader != null) && !authorizationHeader.isEmpty()) { + return true; + } + return false; } @Override - public AuthenticationInfo authenticate(Request request, Response response) { - String requestUri = request.getRequestURI(); - AuthenticationInfo authenticationInfo = new AuthenticationInfo(); - if (requestUri == null || "".equals(requestUri)) { - authenticationInfo.setStatus(Status.CONTINUE); - } - StringTokenizer tokenizer = new StringTokenizer(requestUri, "/"); - String context = tokenizer.nextToken(); - if (context == null || "".equals(context)) { + public AuthenticationInfo authenticate(Request request, Response response) { + String requestUri = request.getRequestURI(); + AuthenticationInfo authenticationInfo = new AuthenticationInfo(); + if (requestUri == null || "".equals(requestUri)) { authenticationInfo.setStatus(Status.CONTINUE); - } - - //Get the filesystem keystore default primary certificate - KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID); - try { - keyStoreManager.getDefaultPrimaryCertificate(); - String authorizationHeader = request.getHeader(HTTPConstants.HEADER_AUTHORIZATION); - String headerData = decodeAuthorizationHeader(authorizationHeader); - JWSVerifier verifier = - new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey()); - SignedJWT jwsObject = SignedJWT.parse(headerData); - if (jwsObject.verify(verifier)) { - String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME); - String tenantDomain = MultitenantUtils.getTenantDomain(username); - username = MultitenantUtils.getTenantAwareUsername(username); - TenantManager tenantManager = AuthenticatorFrameworkDataHolder.getInstance().getRealmService(). + } + StringTokenizer tokenizer = new StringTokenizer(requestUri, "/"); + String context = tokenizer.nextToken(); + if (context == null || "".equals(context)) { + authenticationInfo.setStatus(Status.CONTINUE); + } + + //Get the filesystem keystore default primary certificate + KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID); + try { + keyStoreManager.getDefaultPrimaryCertificate(); + String authorizationHeader = request.getHeader(JWT_ASSERTION_HEADER); + JWSVerifier verifier = + new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey()); + SignedJWT jwsObject = SignedJWT.parse(authorizationHeader); + if (jwsObject.verify(verifier)) { + String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME); + String tenantDomain = MultitenantUtils.getTenantDomain(username); + username = MultitenantUtils.getTenantAwareUsername(username); + TenantManager tenantManager = AuthenticatorFrameworkDataHolder.getInstance().getRealmService(). getTenantManager(); - int tenantId = tenantManager.getTenantId(tenantDomain); - if (tenantId == -1) { - log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " + - ": " + tenantDomain); - } else { + int tenantId = tenantManager.getTenantId(tenantDomain); + if (tenantId == -1) { + log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " + + ": " + tenantDomain); + } else { UserStoreManager userStore = AuthenticatorFrameworkDataHolder.getInstance().getRealmService(). getTenantUserRealm(tenantId).getUserStoreManager(); if (userStore.isExistingUser(username)) { @@ -108,41 +107,43 @@ public class JWTAuthenticator implements WebappAuthenticator { authenticationInfo.setStatus(Status.CONTINUE); } } - } - } catch (UserStoreException e) { - log.error("Error occurred while obtaining the user.", e); - } catch (ParseException e) { - log.error("Error occurred while parsing the JWT header.", e); - } catch (JOSEException e) { - log.error("Error occurred while verifying the JWT header.", e); - } catch (Exception e) { - log.error("Error occurred while verifying the JWT header.", e); - } - return authenticationInfo; - } - - private String decodeAuthorizationHeader(String authorizationHeader) { - - if(authorizationHeader == null) { - return null; - } - - String[] splitValues = authorizationHeader.trim().split(" "); - byte[] decodedBytes = Base64Utils.decode(splitValues[1].trim()); - if (decodedBytes != null) { - return new String(decodedBytes); - } else { - if (log.isDebugEnabled()) { - log.debug("Error decoding authorization header."); - } - return null; - } - } - - @Override - public String getName() { - return JWTAuthenticator.JWT_AUTHENTICATOR; - } + } else { + authenticationInfo.setStatus(Status.FAILURE); + } + } catch (UserStoreException e) { + log.error("Error occurred while obtaining the user.", e); + } catch (ParseException e) { + log.error("Error occurred while parsing the JWT header.", e); + } catch (JOSEException e) { + log.error("Error occurred while verifying the JWT header.", e); + } catch (Exception e) { + log.error("Error occurred while verifying the JWT header.", e); + } + return authenticationInfo; + } + + private String decodeAuthorizationHeader(String authorizationHeader) { + + if (authorizationHeader == null) { + return null; + } + + String[] splitValues = authorizationHeader.trim().split(" "); + byte[] decodedBytes = Base64Utils.decode(splitValues[1].trim()); + if (decodedBytes != null) { + return new String(decodedBytes); + } else { + if (log.isDebugEnabled()) { + log.debug("Error decoding authorization header."); + } + return null; + } + } + + @Override + public String getName() { + return JWTAuthenticator.JWT_AUTHENTICATOR; + } @Override public void setProperties(Properties properties) {