Example #1
0
  private Subject createSubjectFromToken(JWTToken token) {
    final String principal = token.getPrincipal();

    HashSet emptySet = new HashSet();
    Set<Principal> principals = new HashSet<Principal>();
    Principal p =
        new Principal() {
          @Override
          public String getName() {
            return principal;
          }
        };
    principals.add(p);

    //        The newly constructed Sets check whether this Subject has been set read-only
    //        before permitting subsequent modifications. The newly created Sets also prevent
    //        illegal modifications by ensuring that callers have sufficient permissions.
    //
    //        To modify the Principals Set, the caller must have AuthPermission("modifyPrincipals").
    //        To modify the public credential Set, the caller must have
    // AuthPermission("modifyPublicCredentials").
    //        To modify the private credential Set, the caller must have
    // AuthPermission("modifyPrivateCredentials").
    javax.security.auth.Subject subject =
        new javax.security.auth.Subject(true, principals, emptySet, emptySet);
    return subject;
  }
Example #2
0
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
     throws IOException, ServletException {
   String header = ((HttpServletRequest) request).getHeader("Authorization");
   if (header != null && header.startsWith(BEARER)) {
     // what follows the bearer designator should be the JWT token being used to request or as an
     // access token
     String wireToken = header.substring(BEARER.length());
     JWTToken token;
     try {
       token = JWTToken.parseToken(wireToken);
     } catch (ParseException e) {
       throw new ServletException(
           "ParseException encountered while processing the JWT token: ", e);
     }
     boolean verified = false;
     try {
       verified = authority.verifyToken(token);
     } catch (TokenServiceException e) {
       log.unableToVerifyToken(e);
     }
     if (verified) {
       // TODO: validate expiration
       // confirm that audience matches intended target - which for this filter must be HSSO
       if (token.getAudience().equals("HSSO")) {
         // TODO: verify that the user requesting access to the service/resource is authorized for
         // it - need scopes?
         Subject subject = createSubjectFromToken(token);
         continueWithEstablishedSecurityContext(
             subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
       } else {
         ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
         return; // break filter chain
       }
     } else {
       ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
       return; // break filter chain
     }
   } else {
     // no token provided in header
     // TODO: may have to check cookie and url as well before sending error
     ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
     return; // break filter chain
   }
 }
  /* (non-Javadoc)
   * @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String)
   */
  @Override
  public JWTToken issueToken(Principal p, String audience, String algorithm, long expires)
      throws TokenServiceException {
    String[] claimArray = new String[4];
    claimArray[0] = "HSSO";
    claimArray[1] = p.getName();
    if (audience == null) {
      audience = "HSSO";
    }
    claimArray[2] = audience;
    // TODO: make the validity period configurable
    if (expires == -1) {
      claimArray[3] = Long.toString((System.currentTimeMillis()) + 30000);
    } else {
      claimArray[3] = String.valueOf(expires);
    }

    JWTToken token = null;
    if ("RS256".equals(algorithm)) {
      token = new JWTToken("RS256", claimArray);
      RSAPrivateKey key;
      char[] passphrase = null;
      try {
        passphrase = as.getGatewayIdentityPassphrase();
      } catch (AliasServiceException e) {
        throw new TokenServiceException(e);
      }
      try {
        key = (RSAPrivateKey) ks.getKeyForGateway("gateway-identity", passphrase);
        JWSSigner signer = new RSASSASigner(key);
        token.sign(signer);
      } catch (KeystoreServiceException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
      }
    } else {
      // log inappropriate alg
    }

    return token;
  }
 @Override
 public boolean verifyToken(JWTToken token) throws TokenServiceException {
   boolean rc = false;
   PublicKey key;
   try {
     key = ks.getKeystoreForGateway().getCertificate("gateway-identity").getPublicKey();
     JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) key);
     // TODO: interrogate the token for issuer claim in order to determine the public key to use
     // for verification
     // consider jwk for specifying the key too
     rc = token.verify(verifier);
   } catch (KeyStoreException e) {
     throw new TokenServiceException("Cannot verify token.", e);
   } catch (KeystoreServiceException e) {
     throw new TokenServiceException("Cannot verify token.", e);
   }
   return rc;
 }