From 95be182866c72de84ec907b1394cfcffbb95e0d2 Mon Sep 17 00:00:00 2001 From: nemonik Date: Thu, 16 Feb 2012 15:34:18 -0500 Subject: [PATCH] introduced Utility class to gether static methods; modified jwt signing and validation service interface, imps, and endpoint using; ... --- .../JwtSigningAndValidationService.java | 6 ++-- ...JwtSigningAndValidationServiceDefault.java | 30 +++++++++++------- .../openid/connect/web/CheckIDEndpoint.java | 9 +++--- .../swd/web/SimpleWebDiscoveryEndpoint.java | 20 ++---------- .../src/main/java/org/mitre/util/Utility.java | 31 +++++++++++++++++++ .../WEB-INF/spring/application-context.xml | 4 ++- .../src/test/java/org/mitre/jwt/JwtTest.java | 3 +- 7 files changed, 66 insertions(+), 37 deletions(-) create mode 100644 server/src/main/java/org/mitre/util/Utility.java diff --git a/server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java b/server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java index 6060bac53..cb0bb8f1e 100644 --- a/server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java +++ b/server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java @@ -30,9 +30,11 @@ public interface JwtSigningAndValidationService { * * @param jwt * the JWT to check the issuer of - * @return true if the JWT was issued by this AS, false if not + * @param expectedIssuer + * the expected issuer + * @return true if the JWT was issued by this expected issuer, false if not */ - public boolean validateIssuedJwt(Jwt jwt); + public boolean validateIssuedJwt(Jwt jwt, String expectedIssuer); /** * Checks the signature of the given JWT against all configured signers, diff --git a/server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java b/server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java index 9af5f71c8..4168a8f00 100644 
--- a/server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java +++ b/server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java @@ -3,6 +3,7 @@ package org.mitre.jwt.signer.service.impl; import java.security.PublicKey; import java.security.interfaces.RSAPublicKey; import java.util.ArrayList; +import java.util.Date; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -19,6 +20,7 @@ import org.springframework.beans.factory.InitializingBean; public class JwtSigningAndValidationServiceDefault implements JwtSigningAndValidationService, InitializingBean { + private List signers = new ArrayList(); private static Log logger = LogFactory @@ -40,7 +42,7 @@ public class JwtSigningAndValidationServiceDefault implements List signer) { setSigners(signer); } - + /* * (non-Javadoc) * @@ -55,6 +57,7 @@ public class JwtSigningAndValidationServiceDefault implements } logger.info("JwtSigningAndValidationServiceDefault is open for business"); + } /* @@ -111,8 +114,14 @@ public class JwtSigningAndValidationServiceDefault implements */ @Override public boolean isJwtExpired(Jwt jwt) { - // TODO Auto-generated method stub - return false; + + Date expiration = jwt.getClaims().getExpiration(); + + if (expiration != null) + return new Date().after(expiration); + else + return false; + } /** @@ -125,6 +134,9 @@ public class JwtSigningAndValidationServiceDefault implements this.signers = signers; } + /* (non-Javadoc) + * @see java.lang.Object#toString() + */ @Override public String toString() { return "JwtSigningAndValidationServiceDefault [signers=" + signers 
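Review bot: The new `isJwtExpired` body treats a token with no `exp` claim as never expiring (`if (expiration != null) ... else return false;`), so a JWT that simply omits expiration passes the expiry check without any time limit. For ID tokens, where `exp` is a required claim, the safer default is to treat a missing claim as expired, e.g. `return expiration == null || new Date().after(expiration);`, or at minimum to state in the method's Javadoc that a missing `exp` is accepted so callers such as CheckIDEndpoint know what they are relying on. The comparison also allows no tolerance for clock skew between the issuer and this server; a small configurable leeway around `new Date()` would avoid rejecting tokens that are valid by a few seconds.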
@@ -139,15 +151,11 @@ public class JwtSigningAndValidationServiceDefault implements * (org.mitre.jwt.model.Jwt) */ @Override - public boolean validateIssuedJwt(Jwt jwt) { - - // TODO Verify this is correct... - - for (JwtSigner signer : signers) { - if (signer.verify(jwt.toString())) - return true; - } + public boolean validateIssuedJwt(Jwt jwt, String expectedIssuer) { + if (jwt.getClaims().getIssuer() == expectedIssuer) + return true; + return false; } diff --git a/server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java b/server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java index 182a62b22..15859f91f 100644 --- a/server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java +++ b/server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java @@ -1,11 +1,13 @@ package org.mitre.openid.connect.web; +import javax.servlet.http.HttpServletRequest; + import org.mitre.jwt.signer.service.JwtSigningAndValidationService; import org.mitre.openid.connect.exception.ExpiredTokenException; import org.mitre.openid.connect.exception.InvalidJwtIssuerException; import org.mitre.openid.connect.exception.InvalidJwtSignatureException; import org.mitre.openid.connect.model.IdToken; -import org.mitre.openid.connect.model.IdTokenClaims; +import org.mitre.util.Utility; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @@ -18,9 +20,8 @@ public class CheckIDEndpoint { @Autowired JwtSigningAndValidationService jwtSignerService; - @RequestMapping("/checkid") - public ModelAndView checkID(@RequestParam("id_token") String tokenString, ModelAndView mav) { + public ModelAndView checkID(@RequestParam("id_token") String tokenString, ModelAndView mav, HttpServletRequest request) { if (!jwtSignerService.validateSignature(tokenString)) { // can't validate 
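Review bot: The new `validateIssuedJwt` compares the issuer with `==` (`jwt.getClaims().getIssuer() == expectedIssuer`), which tests reference identity rather than string equality, so an issuer parsed out of the token will almost always fail the check, and a null issuer is accepted whenever `expectedIssuer` is also null. Replace the if/return pair with `return expectedIssuer != null && expectedIssuer.equals(jwt.getClaims().getIssuer());`. With the signer loop removed this method no longer touches the signature at all, which is reasonable given `validateSignature` exists, but the Javadoc reference above the method that ends in `(org.mitre.jwt.model.Jwt)` now points at the old one-argument signature and should name the new one.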
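Review bot: In the CheckIDEndpoint hunk (`@@ -18,9 +20,8 @@`) the `-` in front of `@RequestMapping("/checkid")` reads as a removal of the mapping with no replacement on the new side; if that is what the patch does, rather than the `-` belonging to a removed blank line (the collapsed layout does not let me tell), the handler is no longer reachable at `/checkid`. Please confirm the annotation is still present on `checkID` after this change. The method body continues past the end of the hunk.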
@@ -37,7 +38,7 @@ public class CheckIDEndpoint { } // check the issuer (sanity check) - if (!jwtSignerService.validateIssuedJwt(token)) { + if (!jwtSignerService.validateIssuedJwt(token, Utility.findBaseUrl(request))) { throw new InvalidJwtIssuerException(); // TODO: create a view for this exception } diff --git a/server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java b/server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java index d70be0e9d..273c64762 100644 --- a/server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java +++ b/server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java @@ -3,17 +3,15 @@ package org.mitre.swd.web; import java.util.HashMap; import java.util.Map; -import javax.servlet.ServletRequest; import javax.servlet.http.HttpServletRequest; -import org.springframework.beans.factory.annotation.Autowired; +import org.mitre.util.Utility; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.servlet.ModelAndView; import com.google.common.collect.Lists; -import com.google.common.collect.Maps; @Controller public class SimpleWebDiscoveryEndpoint { @@ -22,7 +20,7 @@ public class SimpleWebDiscoveryEndpoint { params={"principal", "service=http://openid.net/specs/connect/1.0/issuer"}) public ModelAndView openIdConnectIssuerDiscovery(@RequestParam("principal") String principal, ModelAndView modelAndView, HttpServletRequest request) { - String baseUrl = findBaseUrl(request); + String baseUrl = Utility.findBaseUrl(request); // look up user, see if they're local // if so, return this server 
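Review bot: The expected issuer passed to `validateIssuedJwt` is now `Utility.findBaseUrl(request)`, which is assembled from `request.getScheme()` and `request.getServerName()`, i.e. from the Host header and connection properties of the very request being checked. Unless the container pins the server name, a client typically influences the value the token's `iss` claim is compared against, so the "sanity check" no longer verifies that the token was issued by this server's configured identity. Prefer a configured issuer value, the same one used when tokens are minted, injected into the endpoint, and pass that instead of the request-derived URL. `checkID` starts before this hunk.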
@@ -42,7 +40,7 @@ public class SimpleWebDiscoveryEndpoint { @RequestMapping("/.well-known/openid-configuration") public ModelAndView providerConfiguration(ModelAndView modelAndView, HttpServletRequest request) { - String baseUrl = findBaseUrl(request); + String baseUrl = Utility.findBaseUrl(request); /* * version string Version of the provider response. "3.0" is the default. @@ -90,17 +88,5 @@ public class SimpleWebDiscoveryEndpoint { return modelAndView; } - - - private String findBaseUrl(HttpServletRequest request) { - String baseUrl = String.format("%s://%s%s", request.getScheme(), request.getServerName(), request.getContextPath()); - - if ((request.getScheme().equals("http") && request.getServerPort() != 80) - || (request.getScheme().equals("https") && request.getServerPort() != 443)) { - // nonstandard port, need to include it - baseUrl = String.format("%s://%s:%d%s", request.getScheme(), request.getServerName(), request.getServerPort(), request.getContextPath()); - } - return baseUrl; - } } diff --git a/server/src/main/java/org/mitre/util/Utility.java b/server/src/main/java/org/mitre/util/Utility.java new file mode 100644 index 000000000..8799c3cb9 --- /dev/null +++ b/server/src/main/java/org/mitre/util/Utility.java 
@@ -0,0 +1,31 @@
+package org.mitre.util;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * A collection of utility methods.
+ *
+ */
+public class Utility {
+
+ /**
+ * Returns the base URL from a HttpServletRequest
+ *
+ * @param request
+ * @return
+ */
+ public static String findBaseUrl(HttpServletRequest request) {
+ String issuer = String.format("%s://%s%s", request.getScheme(),
+ request.getServerName(), request.getContextPath());
+
+ if ((request.getScheme().equals("http") && request.getServerPort() != 80)
+ || (request.getScheme().equals("https") && request
+ .getServerPort() != 443)) {
+ // nonstandard port, need to include it
+ issuer = String.format("%s://%s:%d%s", request.getScheme(),
+ request.getServerName(), request.getServerPort(),
+ request.getContextPath());
+ }
+ return issuer;
+ }
+}
diff --git a/server/src/main/webapp/WEB-INF/spring/application-context.xml b/server/src/main/webapp/WEB-INF/spring/application-context.xml
index 13500608e..f49e60b56 100644
--- a/server/src/main/webapp/WEB-INF/spring/application-context.xml
+++ b/server/src/main/webapp/WEB-INF/spring/application-context.xml
@@ -11,7 +11,7 @@ http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd - http://www.mitre.org/schema/openid-connect/jwt-signer http://www.mitre.org/schema/openid-connect/jwt-signer/jwt-signer.xsd + http://www.mitre.org/schema/openid-connect/jwt-signer http://www.mitre.org/schema/openid-connect/jwt-signer/jwt-signer-1.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
@@ -73,6 +73,8 @@ + + 
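Review bot: `findBaseUrl` is new public API but its Javadoc leaves `@param request` and `@return` empty; I would write `@param request the current request, read for scheme, server name, port and context path` and `@return scheme, host, the port when it is not the default for http/https, and the context path, e.g. {@code https://example.org:8443/app} (illustrative value)`. The result is derived entirely from the request: behind a TLS-terminating proxy `getScheme()` reports `http` and the port comparison then appends the internal port, and for any scheme other than `http`/`https` the port is silently dropped. Because this value is now used both as the issuer advertised by discovery and as the expected issuer during token validation, the Javadoc should say that deployments behind a proxy need the container configured to report the external scheme and host, or better, that the issuer should come from configuration rather than this helper.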
diff --git a/server/src/test/java/org/mitre/jwt/JwtTest.java b/server/src/test/java/org/mitre/jwt/JwtTest.java index 5a57c6839..214c7b9f5 100644 --- a/server/src/test/java/org/mitre/jwt/JwtTest.java +++ b/server/src/test/java/org/mitre/jwt/JwtTest.java @@ -158,9 +158,8 @@ public class JwtTest { String jwtString = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjEzMDA4MTkzODAsImlzcyI6ImpvZSIsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.iGBPJj47S5q_HAhSoQqAdcS6A_1CFj3zrLaImqNbt9E"; boolean valid = signer.verify(jwtString); - + assertThat(valid, equalTo(Boolean.TRUE)); } - }