refactored signing and validation, added jwk-based cache, removed keyfetcher, refactored client side class structure

2013-03-01 16:52:00 -05:00 · 2013-03-01 16:52:00 -05:00 · 6c1e6b2d74
parent 385853fa1f
commit 6c1e6b2d74
4 changed files with 14 additions and 7 deletions
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
@ -43,7 +43,7 @@ import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.message.BasicNameValuePair;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService;
-import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCache;
+import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
 import org.mitre.key.fetch.KeyFetcher;
 import org.mitre.openid.connect.config.OIDCServerConfiguration;
 import org.springframework.beans.factory.annotation.Autowired;
@ -90,7 +90,7 @@ public class AbstractOIDCAuthenticationFilter extends
 	private int timeSkewAllowance = 300;

 	@Autowired
-	JWKSetSigningAndValidationServiceCache validationServices;
+	JWKSetSigningAndValidationServiceCacheService validationServices;
 	
 	/**
 	 * Builds the redirect_uri that will be sent to the Authorization Endpoint.
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCacheService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCacheService.java
@ -16,6 +16,7 @@ import org.apache.http.client.HttpClient;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.stereotype.Service;
 import org.springframework.web.client.RestTemplate;

 import com.google.common.cache.Cache;
@ -37,11 +38,12 @@ import com.nimbusds.jose.crypto.RSASSAVerifier;
 * @author jricher
 *
 */
-public class JWKSetSigningAndValidationServiceCache {
+@Service
+public class JWKSetSigningAndValidationServiceCacheService {

 	private Cache<String, JwtSigningAndValidationService> cache;

-	public JWKSetSigningAndValidationServiceCache() {
+	public JWKSetSigningAndValidationServiceCacheService() {
 		this.cache = CacheBuilder.newBuilder()
 				.maximumSize(100)
 				.build(new JWKSetFetcher());
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
@ -12,6 +12,7 @@ import net.minidev.json.JSONObject;

 import org.joda.time.DateTime;
 import org.joda.time.Period;
+import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
 import org.mitre.oauth2.exception.NonceReuseException;
 import org.mitre.openid.connect.model.Nonce;
 import org.mitre.openid.connect.service.NonceService;
@ -34,6 +35,7 @@ import org.springframework.stereotype.Component;
 import com.google.common.base.Strings;
 import com.nimbusds.jose.JWSObject;
 import com.nimbusds.jose.util.JSONObjectUtils;
+import com.nimbusds.jwt.SignedJWT;

@Component("authorizationRequestManager")
 public class ConnectAuthorizationRequestManager implements AuthorizationRequestManager, InitializingBean {
@ -45,6 +47,9 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 	
 	@Autowired
 	private ClientDetailsService clientDetailsService;
+
+	@Autowired
+	private JWKSetSigningAndValidationServiceCacheService validators;
 	
 	private Period nonceStorageDuration;

@ -151,7 +156,7 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM

    	// parse the request object
        try {
-        	JWSObject jwsObject = JWSObject.parse(jwtString);
+        	SignedJWT jwsObject = SignedJWT.parse(jwtString);
 			JSONObject claims = jwsObject.getPayload().toJSONObject(); 
 			
 			// TODO: validate JWT signature
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@ -7,7 +7,7 @@ import java.text.ParseException;
 import java.util.Date;

 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
-import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCache;
+import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
 import org.mitre.oauth2.exception.ClientNotFoundException;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
@ -35,7 +35,7 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {

 	// map of verifiers, load keys for clients
 	@Autowired
-	private JWKSetSigningAndValidationServiceCache validators;
+	private JWKSetSigningAndValidationServiceCacheService validators;
 	
 	// Allow for time sync issues by having a window of X seconds.
 	private int timeSkewAllowance = 300;