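/**
 * Authenticates a request that carries a PKCS#7-signed token in the
 * {@code X-Auth-Signed-Token} header.
 *
 * <p>The signature is checked against the certificate stored under
 * {@code skeletonKeyCertificateAlias} in the security domain's key store
 * (the key store doubles as the trust store here). On success the parsed
 * {@link Access} is stored in {@code access} and {@code loginOk} is set.
 *
 * @param request  the incoming request; only the signed-token header is read
 * @param response unused by this authenticator
 * @return {@code false} when the header is absent (the request is simply not
 *         handled here); {@code true} once the token is verified and accepted
 * @throws LoginException if no key store or certificate is available, the
 *         signature does not verify, the token cannot be parsed, the token
 *         has expired, or it was issued for a different project
 */
@Override
protected boolean login(Request request, HttpServletResponse response) throws LoginException {
    String tokenHeader = request.getHeader("X-Auth-Signed-Token");
    if (tokenHeader == null) {
        // Not an error: a request without the header is just not ours to authenticate.
        return false;
    }

    X509Certificate certificate = loadSignerCertificate();

    // Parse into a local first so a token that fails the later checks never
    // leaves a half-validated Access behind in the field.
    Access parsed;
    try {
        PKCS7SignatureInput input = new PKCS7SignatureInput(tokenHeader);
        if (!input.verify(certificate)) {
            throw new LoginException("Bad Signature");
        }
        parsed = (Access) input.getEntity(Access.class, MediaType.APPLICATION_JSON_TYPE);
    } catch (LoginException le) {
        throw le;
    } catch (Exception e) {
        // Keep the client-facing message generic; the cause is retained for server-side diagnosis.
        throw (LoginException) new LoginException("Bad Token").initCause(e);
    }

    // A token without a project would otherwise surface as an NPE (500) instead of a login failure.
    if (parsed == null || parsed.getToken() == null || parsed.getToken().getProject() == null) {
        throw new LoginException("Bad Token");
    }
    if (parsed.getToken().expired()) {
        throw new LoginException("Token expired");
    }
    if (!projectId.equals(parsed.getToken().getProject().getId())) {
        throw new LoginException("Token project id doesn't match");
    }

    access = parsed;
    this.loginOk = true;
    return true;
}

/**
 * Looks up the token-signing certificate in the security domain's key store.
 *
 * <p>If no dedicated trust store is configured the key store is used in its place.
 *
 * @return the certificate stored under {@code skeletonKeyCertificateAlias}; never {@code null}
 * @throws LoginException if no key store is available, the lookup fails, or the alias is absent
 */
private X509Certificate loadSignerCertificate() throws LoginException {
    KeyStore keyStore = null;
    if (domain != null) {
        if (domain instanceof SecurityDomain) {
            keyStore = ((SecurityDomain) domain).getKeyStore();
        } else if (domain instanceof JSSESecurityDomain) {
            keyStore = ((JSSESecurityDomain) domain).getKeyStore();
        }
    }
    if (keyStore == null) {
        throw new LoginException("No trust store found");
    }

    X509Certificate certificate;
    try {
        certificate = (X509Certificate) keyStore.getCertificate(skeletonKeyCertificateAlias);
    } catch (KeyStoreException e) {
        throw (LoginException) new LoginException("Could not get certificate from keyStore").initCause(e);
    }
    // getCertificate() returns null for an unknown alias; fail here rather than in verify().
    if (certificate == null) {
        throw new LoginException("No certificate found for alias " + skeletonKeyCertificateAlias);
    }
    return certificate;
}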
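/**
 * End-to-end check of signed-token issuance: creates a user and role, grants the
 * role on the "Skeleton Key" project, obtains a signed token as that user and
 * verifies its PKCS#7 signature against the test certificate.
 *
 * @throws Exception on any client or verification failure (the test framework reports it)
 */
@Test
public void testSignedAuth() throws Exception {
    // Use our own providerFactory to test json context provider
    ResteasyProviderFactory providerFactory = new ResteasyProviderFactory();
    RegisterBuiltin.register(providerFactory);
    ResteasyClient client = new ResteasyClient(providerFactory);
    try {
        WebTarget target = client.target(generateBaseUrl());
        SkeletonKeyAdminClient admin = new SkeletonKeyClientBuilder()
                .username("wburke")
                .password("geheim")
                .idp(target)
                .admin();

        StoredUser newUser = new StoredUser();
        newUser.setName("John Smith");
        newUser.setUsername("jsmith");
        newUser.setEnabled(true);
        // Raw Map kept as-is: the element type expected by setCredentials is not visible here.
        Map creds = new HashMap();
        creds.put("password", "foobar");
        newUser.setCredentials(creds);

        Response response = admin.users().create(newUser);
        User user = response.readEntity(User.class);
        response = admin.roles().create("user");
        Role role = response.readEntity(Role.class);

        Projects projects = admin.projects().query("Skeleton Key");
        Project project = projects.getList().get(0);
        admin.projects().addUserRole(project.getId(), user.getId(), role.getId());

        String signed = new SkeletonKeyClientBuilder()
                .username("jsmith")
                .password("foobar")
                .idp(target)
                .obtainSignedToken("Skeleton Key");
        // The signed token is a bearer credential; it is deliberately not printed to the build log.
        Assert.assertNotNull(signed);

        PKCS7SignatureInput input = new PKCS7SignatureInput(signed);
        input.setCertificate(certificate);
        Assert.assertTrue(input.verify());
    } finally {
        // Release the client's connections even when an assertion fails.
        client.close();
    }
}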