From 6c1e6b2d74e7ee35367c483c871863833f88a389 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 1 Mar 2013 16:52:00 -0500
Subject: [PATCH] refactored signing and validation, added jwk-based cache, removed keyfetcher, refactored client side class structure

---
 .../connect/client/AbstractOIDCAuthenticationFilter.java | 4 ++--
 ... => JWKSetSigningAndValidationServiceCacheService.java} | 6 ++++--
 .../openid/connect/ConnectAuthorizationRequestManager.java | 7 ++++++-
 .../connect/assertion/JwtBearerAuthenticationProvider.java | 4 ++--
 4 files changed, 14 insertions(+), 7 deletions(-)
 rename openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/{JWKSetSigningAndValidationServiceCache.java => JWKSetSigningAndValidationServiceCacheService.java} (95%)

diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
index fe7dbd293..839178010 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
@@ -43,7 +43,7 @@ import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.message.BasicNameValuePair;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService;
-import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCache;
+import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
 import org.mitre.key.fetch.KeyFetcher;
 import org.mitre.openid.connect.config.OIDCServerConfiguration;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -90,7 +90,7 @@ public class AbstractOIDCAuthenticationFilter extends
 	private int timeSkewAllowance = 300;
 
 	@Autowired
-	JWKSetSigningAndValidationServiceCache validationServices;
+	JWKSetSigningAndValidationServiceCacheService validationServices;
 
 	/**
 	 * Builds the redirect_uri that will be sent to the Authorization Endpoint.
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCache.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCacheService.java
similarity index 95%
rename from openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCache.java
rename to openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCacheService.java
index 62f94bab8..2e0dcfb17 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCache.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetSigningAndValidationServiceCacheService.java
@@ -16,6 +16,7 @@ import org.apache.http.client.HttpClient;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.stereotype.Service;
 import org.springframework.web.client.RestTemplate;
 
 import com.google.common.cache.Cache;
@@ -37,11 +38,12 @@ import com.nimbusds.jose.crypto.RSASSAVerifier;
  * @author jricher
  *
  */
-public class JWKSetSigningAndValidationServiceCache {
+@Service
+public class JWKSetSigningAndValidationServiceCacheService {
 
 	private Cache cache;
 
-	public JWKSetSigningAndValidationServiceCache() {
+	public JWKSetSigningAndValidationServiceCacheService() {
 		this.cache = CacheBuilder.newBuilder()
 				.maximumSize(100)
 				.build(new JWKSetFetcher());
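Review bot: Annotating `JWKSetSigningAndValidationServiceCacheService` with `@Service` makes the fetched-JWK-set cache a process-wide singleton, and the `CacheBuilder` chain visible in context configures only `maximumSize(100)` — no `expireAfterWrite` or refresh policy appears in this hunk. If nothing elsewhere in the class sets one, a key set fetched once is reused for the life of the application, so an issuer that rotates or revokes a signing key would not be noticed until size pressure evicts the entry. Worth confirming against the rest of the constructor and, if absent, adding an expiry such as `.expireAfterWrite(...)` with a documented window. The constructor body continues past the end of the hunk.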
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
index cfd29fd38..8340ed236 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
@@ -12,6 +12,7 @@ import net.minidev.json.JSONObject;
 
 import org.joda.time.DateTime;
 import org.joda.time.Period;
+import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
 import org.mitre.oauth2.exception.NonceReuseException;
 import org.mitre.openid.connect.model.Nonce;
 import org.mitre.openid.connect.service.NonceService;
@@ -34,6 +35,7 @@ import org.springframework.stereotype.Component;
 
 import com.google.common.base.Strings;
 import com.nimbusds.jose.JWSObject;
 import com.nimbusds.jose.util.JSONObjectUtils;
+import com.nimbusds.jwt.SignedJWT;
 
 @Component("authorizationRequestManager")
 public class ConnectAuthorizationRequestManager implements AuthorizationRequestManager, InitializingBean {
@@ -45,6 +47,9 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 
 	@Autowired
 	private ClientDetailsService clientDetailsService;
+	
+	@Autowired
+	private JWKSetSigningAndValidationServiceCacheService validators;
 
 	private Period nonceStorageDuration;
 
@@ -151,7 +156,7 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 
 		// parse the request object
 		try {
-			JWSObject jwsObject = JWSObject.parse(jwtString);
+			SignedJWT jwsObject = SignedJWT.parse(jwtString);
 			JSONObject claims = jwsObject.getPayload().toJSONObject();
 
 			// TODO: validate JWT signature
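Review bot: The request object parsed at `SignedJWT jwsObject = SignedJWT.parse(jwtString);` is still consumed without its signature ever being verified — the `// TODO: validate JWT signature` comment survives the change, and the `validators` field injected in the earlier hunk of this file is not referenced in any hunk here. Until the signature is checked against the requesting client's keys, every value read from `claims` (and whatever the surrounding code derives from it) is attacker-controlled, which leaves the switch to `SignedJWT` without effect. The parse should be followed by looking up the client's `JwtSigningAndValidationService` through `validators` and verifying `jwsObject` before `claims` is consulted, rejecting the request when verification fails or no key is available for the client. The `try` block begins inside the hunk but its body and catch clauses continue outside it.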
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
index 6c2dc0da7..cfc07c53a 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@@ -7,7 +7,7 @@ import java.text.ParseException;
 import java.util.Date;
 
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
-import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCache;
+import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
 import org.mitre.oauth2.exception.ClientNotFoundException;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
@@ -35,7 +35,7 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
 
 	// map of verifiers, load keys for clients
 	@Autowired
-	private JWKSetSigningAndValidationServiceCache validators;
+	private JWKSetSigningAndValidationServiceCacheService validators;
 
 	// Allow for time sync issues by having a window of X seconds.
 	private int timeSkewAllowance = 300;