@Override
  protected boolean login(Request request, HttpServletResponse response) throws LoginException {
    String tokenHeader = request.getHeader("X-Auth-Signed-Token");
    if (tokenHeader == null) return false; // throw new LoginException("No X-Auth-Signed-Token");
    // if we don't have a trust store, we'll just use the key store.
    KeyStore keyStore = null;
    if (domain != null) {
      if (domain instanceof SecurityDomain) {
        keyStore = ((SecurityDomain) domain).getKeyStore();
      } else if (domain instanceof JSSESecurityDomain) {
        keyStore = ((JSSESecurityDomain) domain).getKeyStore();
      }
    }
    if (keyStore == null) throw new LoginException("No trust store found");
    X509Certificate certificate = null;
    try {
      certificate = (X509Certificate) keyStore.getCertificate(skeletonKeyCertificateAlias);
    } catch (KeyStoreException e) {
      throw new LoginException("Could not get certificate from keyStore");
    }
    try {
      PKCS7SignatureInput input = new PKCS7SignatureInput(tokenHeader);
      if (input.verify(certificate) == false) throw new LoginException("Bad Signature");
      access = (Access) input.getEntity(Access.class, MediaType.APPLICATION_JSON_TYPE);

    } catch (LoginException le) {
      throw le;
    } catch (Exception e) {
      throw new LoginException("Bad Token");
    }

    if (access.getToken().expired()) {
      throw new LoginException("Token expired");
    }
    if (!projectId.equals(access.getToken().getProject().getId())) {
      throw new LoginException("Token project id doesn't match");
    }

    this.loginOk = true;
    return true;
  }
Ejemplo n.º 2
0
  @Test
  public void testSignedAuth() throws Exception {
    // Use our own providerFactory to test json context provider
    ResteasyProviderFactory providerFactory = new ResteasyProviderFactory();
    RegisterBuiltin.register(providerFactory);
    ResteasyClient client = new ResteasyClient(providerFactory);
    WebTarget target = client.target(generateBaseUrl());
    SkeletonKeyAdminClient admin =
        new SkeletonKeyClientBuilder().username("wburke").password("geheim").idp(target).admin();

    StoredUser newUser = new StoredUser();
    newUser.setName("John Smith");
    newUser.setUsername("jsmith");
    newUser.setEnabled(true);
    Map creds = new HashMap();
    creds.put("password", "foobar");
    newUser.setCredentials(creds);
    Response response = admin.users().create(newUser);
    User user = response.readEntity(User.class);
    response = admin.roles().create("user");
    Role role = response.readEntity(Role.class);
    Projects projects = admin.projects().query("Skeleton Key");
    Project project = projects.getList().get(0);
    admin.projects().addUserRole(project.getId(), user.getId(), role.getId());

    String signed =
        new SkeletonKeyClientBuilder()
            .username("jsmith")
            .password("foobar")
            .idp(target)
            .obtainSignedToken("Skeleton Key");
    System.out.println(signed);
    PKCS7SignatureInput input = new PKCS7SignatureInput(signed);
    input.setCertificate(certificate);
    Assert.assertTrue(input.verify());
  }