private Subject createSubjectFromToken(JWTToken token) {
final String principal = token.getPrincipal();
HashSet emptySet = new HashSet();
Set<Principal> principals = new HashSet<Principal>();
Principal p =
new Principal() {
@Override
public String getName() {
return principal;
}
};
principals.add(p);
// The newly constructed Sets check whether this Subject has been set read-only
// before permitting subsequent modifications. The newly created Sets also prevent
// illegal modifications by ensuring that callers have sufficient permissions.
//
// To modify the Principals Set, the caller must have AuthPermission("modifyPrincipals").
// To modify the public credential Set, the caller must have
// AuthPermission("modifyPublicCredentials").
// To modify the private credential Set, the caller must have
// AuthPermission("modifyPrivateCredentials").
javax.security.auth.Subject subject =
new javax.security.auth.Subject(true, principals, emptySet, emptySet);
return subject;
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
String header = ((HttpServletRequest) request).getHeader("Authorization");
if (header != null && header.startsWith(BEARER)) {
// what follows the bearer designator should be the JWT token being used to request or as an
// access token
String wireToken = header.substring(BEARER.length());
JWTToken token;
try {
token = JWTToken.parseToken(wireToken);
} catch (ParseException e) {
throw new ServletException(
"ParseException encountered while processing the JWT token: ", e);
}
boolean verified = false;
try {
verified = authority.verifyToken(token);
} catch (TokenServiceException e) {
log.unableToVerifyToken(e);
}
if (verified) {
// TODO: validate expiration
// confirm that audience matches intended target - which for this filter must be HSSO
if (token.getAudience().equals("HSSO")) {
// TODO: verify that the user requesting access to the service/resource is authorized for
// it - need scopes?
Subject subject = createSubjectFromToken(token);
continueWithEstablishedSecurityContext(
subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
} else {
((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
return; // break filter chain
}
} else {
((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
return; // break filter chain
}
} else {
// no token provided in header
// TODO: may have to check cookie and url as well before sending error
((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
return; // break filter chain
}
}
/* (non-Javadoc)
* @see org.apache.hadoop.gateway.provider.federation.jwt.JWTokenAuthority#issueToken(java.security.Principal, java.lang.String, java.lang.String)
*/
@Override
public JWTToken issueToken(Principal p, String audience, String algorithm, long expires)
throws TokenServiceException {
String[] claimArray = new String[4];
claimArray[0] = "HSSO";
claimArray[1] = p.getName();
if (audience == null) {
audience = "HSSO";
}
claimArray[2] = audience;
// TODO: make the validity period configurable
if (expires == -1) {
claimArray[3] = Long.toString((System.currentTimeMillis()) + 30000);
} else {
claimArray[3] = String.valueOf(expires);
}
JWTToken token = null;
if ("RS256".equals(algorithm)) {
token = new JWTToken("RS256", claimArray);
RSAPrivateKey key;
char[] passphrase = null;
try {
passphrase = as.getGatewayIdentityPassphrase();
} catch (AliasServiceException e) {
throw new TokenServiceException(e);
}
try {
key = (RSAPrivateKey) ks.getKeyForGateway("gateway-identity", passphrase);
JWSSigner signer = new RSASSASigner(key);
token.sign(signer);
} catch (KeystoreServiceException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
} else {
// log inappropriate alg
}
return token;
}
@Override
public boolean verifyToken(JWTToken token) throws TokenServiceException {
boolean rc = false;
PublicKey key;
try {
key = ks.getKeystoreForGateway().getCertificate("gateway-identity").getPublicKey();
JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) key);
// TODO: interrogate the token for issuer claim in order to determine the public key to use
// for verification
// consider jwk for specifying the key too
rc = token.verify(verifier);
} catch (KeyStoreException e) {
throw new TokenServiceException("Cannot verify token.", e);
} catch (KeystoreServiceException e) {
throw new TokenServiceException("Cannot verify token.", e);
}
return rc;
}
