diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.java index 5c5a18c2a1b..42159180174 100644 --- a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.java +++ b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.java @@ -1,7 +1,7 @@ /* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * - * Copyright (c) 2017-2018 Payara Foundation and/or its affiliates. All rights reserved. + * Copyright (c) 2017-2019 Payara Foundation and/or its affiliates. All rights reserved. * * The contents of this file are subject to the terms of either the GNU * General Public License Version 2 only ("GPL") or the Common Development @@ -113,12 +113,8 @@ public CredentialValidationResult validate(SignedJWTCredential signedJWTCredenti throw new IllegalStateException("No PublicKey found"); } - JsonWebTokenImpl jsonWebToken - = jwtTokenParser.parse( - signedJWTCredential.getSignedJWT(), - acceptedIssuer, - publicKey.get() - ); + jwtTokenParser.parse(signedJWTCredential.getSignedJWT()); + JsonWebTokenImpl jsonWebToken = jwtTokenParser.verify(acceptedIssuer, publicKey.get()); List groups = new ArrayList<>( jsonWebToken.getClaim("groups")); diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.java index 08919d0f7d9..7de6c72df8b 100644 --- a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.java 
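Review bot: The `parse`/`verify` pair on the `jwtTokenParser` field is not atomic, and because the parser now keeps the parsed token as instance state (see the JwtTokenParser change in this commit), a second caller's `parse` landing between this caller's `parse` and `verify` would make `verify` return the second caller's claims — a cross-request identity mix-up — whenever this identity store instance is shared between concurrent validations. How the store is instantiated is not visible here, so confirm whether one instance serves many requests. If it does, either hold the parser for the whole sequence, `synchronized (jwtTokenParser) { jwtTokenParser.parse(signedJWTCredential.getSignedJWT()); jsonWebToken = jwtTokenParser.verify(acceptedIssuer, publicKey.get()); }` with `jsonWebToken` declared before the block, or build a fresh `JwtTokenParser` per validation. `validate` begins before and ends after this hunk.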
+++ b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.java @@ -1,7 +1,7 @@ /* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * - * Copyright (c) 2017-2018 Payara Foundation and/or its affiliates. All rights reserved. + * Copyright (c) 2017-2019 Payara Foundation and/or its affiliates. All rights reserved. * * The contents of this file are subject to the terms of either the GNU * General Public License Version 2 only ("GPL") or the Common Development @@ -72,6 +72,9 @@ public class JwtTokenParser { private final boolean enableNamespacedClaims; private final Optional customNamespace; + private String rawToken; + private SignedJWT signedJWT; + public JwtTokenParser(Optional enableNamespacedClaims, Optional customNamespace) { this.enableNamespacedClaims = enableNamespacedClaims.orElse(false); this.customNamespace = customNamespace; @@ -81,8 +84,19 @@ public JwtTokenParser() { this(Optional.empty(), Optional.empty()); } - public JsonWebTokenImpl parse(String bearerToken, String issuer, PublicKey publicKey) throws Exception { - SignedJWT signedJWT = SignedJWT.parse(bearerToken); + public void parse(String bearerToken) throws Exception { + rawToken = bearerToken; + signedJWT = SignedJWT.parse(rawToken); + + if (!checkIsJWT(signedJWT.getHeader())) { + throw new IllegalStateException("Not JWT"); + } + } + + public JsonWebTokenImpl verify(String issuer, PublicKey publicKey) throws Exception { + if (signedJWT == null) { + parse(rawToken); + } // MP-JWT 1.0 4.1 typ if (!checkIsJWT(signedJWT.getHeader())) { @@ -127,7 +141,7 @@ public JsonWebTokenImpl parse(String bearerToken, String issuer, PublicKey publi rawClaims.put( raw_token.name(), - createObjectBuilder().add("token", bearerToken).build().get("token")); + createObjectBuilder().add("token", rawToken).build().get("token")); return new JsonWebTokenImpl(callerPrincipalName, rawClaims); } 
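Review bot: The two new fields make `JwtTokenParser` carry per-call state (the raw bearer token and its parsed form) without saying so, so a reader who keeps one instance as a field in an identity store has no hint that interleaved `parse`/`verify` calls from different threads can mix tokens up. Add a comment above them such as `// Per-call state: set by parse(), consumed by verify(). An instance must not be shared between concurrent validations.` and consider repeating the thread-safety statement in the class Javadoc. The class body continues outside this hunk.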
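Review bot: `parse` assigns `rawToken` before `SignedJWT.parse` can throw, so a malformed token leaves the previous call's `signedJWT` in place, and a later `verify` on the same instance would quietly verify that earlier token instead of failing; the `signedJWT == null` branch in `verify` also calls `parse(rawToken)` with a null `rawToken` when `parse` was never called, which surfaces as a null-related exception rather than a clear precondition error. Reset the parsed token first, `signedJWT = null;` ahead of `signedJWT = SignedJWT.parse(rawToken);`, and make the contract explicit: `if (signedJWT == null) { throw new IllegalStateException("parse() must be called before verify()"); }`. The `checkIsJWT` repeated in `verify` is now redundant with the one in `parse`, though harmless. `verify`'s body continues past this hunk.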
diff --git a/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/tck/MockTokenParser.java b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/tck/MockTokenParser.java new file mode 100644 index 00000000000..988fa869c10 --- /dev/null +++ b/appserver/payara-appserver-modules/microprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/tck/MockTokenParser.java 
@@ -0,0 +1,69 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. + * + * Copyright (c) 2017-2019 Payara Foundation and/or its affiliates. All rights reserved. + * + * The contents of this file are subject to the terms of either the GNU + * General Public License Version 2 only ("GPL") or the Common Development + * and Distribution License("CDDL") (collectively, the "License"). You + * may not use this file except in compliance with the License. You can + * obtain a copy of the License at + * https://github.com/payara/Payara/blob/master/LICENSE.txt + * See the License for the specific + * language governing permissions and limitations under the License. + * + * When distributing the software, include this License Header Notice in each + * file and include the License file at glassfish/legal/LICENSE.txt. + * + * GPL Classpath Exception: + * The Payara Foundation designates this particular file as subject to the "Classpath" + * exception as provided by the Payara Foundation in the GPL Version 2 section of the License + * file that accompanied this code. + * + * Modifications: + * If applicable, add the following below the License Header, with the fields + * enclosed by brackets [] replaced by your own identifying information: + * "Portions Copyright [year] [name of copyright owner]" + * + * Contributor(s): + * If you wish your version of this file to be governed by only the CDDL or + * only the GPL Version 2, indicate your decision by adding "[Contributor] + * elects to include this software in this distribution under the [CDDL or GPL + * Version 2] license." If you don't indicate a single choice of license, a + * recipient has the option to distribute your version of this file under + * either the CDDL, the GPL Version 2 or to extend the choice of license to + * its licensees as provided above. 
However, if you add GPL Version 2 code + * and therefore, elected the GPL Version 2 license, then the option applies + * only if the new code is made subject to such option by the copyright + * holder. + */ +package fish.payara.microprofile.jwtauth.tck; + +import java.security.PublicKey; +import org.eclipse.microprofile.jwt.JsonWebToken; +import fish.payara.microprofile.jwtauth.jwt.JwtTokenParser; + +/** + * + * * This implements the artefact mandated by the MP-JWT TCK for offline + * (outside container) testing + * of the token parser. + * + * @author Arjan Tijms + * + */ +public class MockTokenParser { + + private final JwtTokenParser jwtTokenParser = new JwtTokenParser(); + + public JsonWebToken parse(String bearerToken, String issuer, PublicKey signedBy) throws Exception { + try { + jwtTokenParser.parse(bearerToken); + return jwtTokenParser.verify(issuer, signedBy); + } catch (Exception e) { + throw new IllegalStateException("", e); + } + } + +} +
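Review bot: The `catch` in `parse` rethrows with an empty message, `throw new IllegalStateException("", e);`, so a TCK failure shows only the cause chain with no statement of what was being done; use `throw new IllegalStateException("JWT parsing or verification failed", e);` or simply let the original exception propagate, since the method already declares `throws Exception`. The class Javadoc also opens with a stray `* *` that should be a single `*`. This helper lives under `src/main/java` and therefore ships in the production module; the Javadoc says the TCK mandates the artefact, which is plausible, but it is worth confirming nothing at runtime depends on it.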