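/**
 * Authenticates the request from the {@code oauth_token} and {@code sessionid} headers.
 *
 * <p>The presented token is hashed with the session id and compared against the hash stored on
 * the {@link UserSession}; on a match a {@link UserSessionImpl} is exposed as the {@code "session"}
 * request attribute and the chain continues. Any other outcome ends the chain with an error
 * response: {@code UNAUTHORIZED_CODE}/"No token" when either header is empty,
 * {@code UNAUTHORIZED_CODE}/"Invalid token" when the session is unknown or the token does not
 * match, and {@code 500}/"Unknown error" when the session manager or crypto engine fails.
 *
 * @param httpServletRequest  request carrying the two credential headers
 * @param httpServletResponse response used for the error reply when authentication fails
 * @param filterChain         chain to continue on successful authentication
 * @throws IOException      propagated from the chain or the error response
 * @throws ServletException propagated from the chain
 */
private void checkToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
    try {
        String token = httpServletRequest.getHeader("oauth_token");
        String sessionId = httpServletRequest.getHeader("sessionid");
        // Log only whether a token was presented, never its value: the raw token is a bearer
        // credential and must not end up in log files.
        LOG.debug("Token present: {} for session: {}", token != null, sessionId);
        if (StringUtils.stringNotEmpty(token) && StringUtils.stringNotEmpty(sessionId)) {
            UserSession session = sessionManager.getSession(sessionId);
            if (tokenMatches(session, sessionId, token)) {
                httpServletRequest.setAttribute("session", new UserSessionImpl(sessionId, token, session.getEncryptedContentKey(), session.getUser()));
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } else {
                // Unknown session and mismatching token deliberately produce the same reply,
                // so the response body does not reveal which session ids exist.
                handleErrorResponse(httpServletResponse, UNAUTHORIZED_CODE, "Invalid token");
            }
        } else {
            handleErrorResponse(httpServletResponse, UNAUTHORIZED_CODE, "No token");
        }
    } catch (JasDBStorageException e) {
        LOG.error("Unknown error happened when processing token", e);
        handleErrorResponse(httpServletResponse, 500, "Unknown error");
    }
}

/**
 * Checks whether {@code token} belongs to {@code session}.
 *
 * <p>The stored value is a hash of the token keyed by the session id (see
 * {@code CryptoEngine.hash(sessionId, token)}), so the presented token is hashed the same way and
 * the two hashes are compared. The comparison is constant-time: the time taken does not depend on
 * how many leading bytes of the two hashes agree, which removes a timing side channel from the
 * plain {@code String.equals} comparison.
 *
 * @param session   session looked up for the presented session id, may be {@code null}
 * @param sessionId session id header value, used as the hash key
 * @param token     token header value to verify
 * @return {@code true} only when the session exists, has a stored token hash and that hash
 *         equals the hash of the presented token
 * @throws JasDBStorageException if the crypto engine cannot be obtained or fails to hash
 */
private boolean tokenMatches(UserSession session, String sessionId, String token) throws JasDBStorageException {
    if (session == null) {
        return false;
    }
    String storedTokenHash = session.getAccessToken();
    if (storedTokenHash == null) {
        // A session without a stored hash can never match (the original equals() call also
        // returned false here); checked explicitly because isEqual() rejects null arrays.
        return false;
    }
    CryptoEngine cryptoEngine = CryptoFactory.getEngine();
    String expectedTokenHash = cryptoEngine.hash(sessionId, token);
    // Fully qualified on purpose: this file's import block is not part of this change.
    return java.security.MessageDigest.isEqual(
            expectedTokenHash.getBytes(java.nio.charset.StandardCharsets.UTF_8),
            storedTokenHash.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}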
/**
 * Builds a server-side view of {@code userSession} that keeps only a hash of the access token.
 *
 * <p>Session id, user and encrypted content key are copied unchanged; the access token is
 * replaced by {@code CryptoEngine.hash(sessionId, accessToken)} so the raw token is not retained
 * on this object.
 *
 * @param userSession session whose fields are copied; its access token is hashed, not stored
 * @throws RuntimeJasDBException if the crypto engine cannot be obtained or fails to hash the token
 */
public SecureUserSession(UserSession userSession) {
    this.sessionId = userSession.getSessionId();
    this.user = userSession.getUser();
    this.encryptedContentKey = userSession.getEncryptedContentKey();
    this.accessTokenHash = hashAccessToken(userSession);
}

/**
 * Hashes the session's access token, keyed by its session id, with the default crypto engine.
 *
 * @param userSession session supplying the id and the token to hash
 * @return the token hash as produced by the engine
 * @throws RuntimeJasDBException wrapping the engine's {@link JasDBSecurityException}
 */
private static String hashAccessToken(UserSession userSession) {
    try {
        CryptoEngine engine = CryptoFactory.getEngine();
        return engine.hash(userSession.getSessionId(), userSession.getAccessToken());
    } catch (JasDBSecurityException e) {
        throw new RuntimeJasDBException("Unable to hash token", e);
    }
}
/**
 * Creates a new user on behalf of the caller identified by {@code currentSession}.
 *
 * <p>The caller must hold {@link AccessMode#WRITE} on {@code "/Users"}. The content key is
 * recovered by decrypting the session's encrypted content key with the caller's access token and
 * password salt, and is handed to the credentials provider together with the new user's details.
 *
 * @param currentSession authenticated session of the caller
 * @param userName       name of the user to create
 * @param allowedHost    host the new user may connect from
 * @param password       password of the new user
 * @return the user created by the credentials provider
 * @throws JasDBStorageException if authorization fails, the content key cannot be decrypted or
 *                               the provider cannot store the user
 */
@Override
public User addUser(UserSession currentSession, String userName, String allowedHost, String password) throws JasDBStorageException {
    authorize(currentSession, "/Users", AccessMode.WRITE);
    // NOTE(review): the decrypted content key lives in a String and cannot be zeroed; it stays on
    // the heap until garbage collected.
    String contentKey = CryptoFactory.getEngine().decrypt(
            currentSession.getUser().getPasswordSalt(),
            currentSession.getAccessToken(),
            currentSession.getEncryptedContentKey());
    return credentialsProvider.addUser(userName, allowedHost, contentKey, password);
}
/**
 * Decrypts {@code encryptedGrants} into a {@link GrantObject} for the given session.
 *
 * <p>Two decryption steps: first the session's encrypted content key is unlocked with the default
 * engine using the user's password salt and the session's access token; then the grant payload
 * is decrypted with the engine named by {@code encryptedGrants.getEncryptionEngine()}, keyed by
 * that content key and the grants' own salt. The resulting JSON is parsed back into a grant
 * object.
 *
 * @param session         session whose content key protects the grants
 * @param encryptedGrants encrypted grant data plus its salt and engine descriptor
 * @return the decrypted grant object
 * @throws JasDBStorageException if either decryption step fails
 */
private GrantObject decrypt(UserSession session, EncryptedGrants encryptedGrants) throws JasDBStorageException {
    User sessionUser = session.getUser();
    // NOTE(review): the unlocked content key is a String and cannot be wiped after use.
    String contentKey = CryptoFactory.getEngine()
            .decrypt(sessionUser.getPasswordSalt(), session.getAccessToken(), session.getEncryptedContentKey());
    CryptoEngine grantsEngine = CryptoFactory.getEngine(encryptedGrants.getEncryptionEngine());
    String grantsJson = grantsEngine.decrypt(encryptedGrants.getSalt(), contentKey, encryptedGrants.getEncryptedData());
    SimpleEntity grantsEntity = SimpleEntity.fromJson(grantsJson);
    return GrantObjectMeta.fromEntity(grantsEntity);
}
/**
 * Encrypts {@code grantObject} for storage under the session's content key.
 *
 * <p>The content key is unlocked from the session (password salt + access token + encrypted
 * content key) with the default engine. The grant object is serialised to JSON and encrypted
 * with a freshly generated salt; the result carries the object name, the ciphertext, the salt
 * and the engine's descriptor, presumably so the matching decrypt path can select the same
 * engine later.
 *
 * @param grantObject grants to protect
 * @param userSession session whose content key is used as the encryption key
 * @return the encrypted grants record
 * @throws JasDBStorageException if the content key cannot be unlocked or encryption fails
 */
private EncryptedGrants encryptGrants(GrantObject grantObject, UserSession userSession) throws JasDBStorageException {
    CryptoEngine engine = CryptoFactory.getEngine();
    User owner = userSession.getUser();
    // NOTE(review): the unlocked content key is a String and cannot be zeroed after use.
    String contentKey = CryptoFactory.getEngine()
            .decrypt(owner.getPasswordSalt(), userSession.getAccessToken(), userSession.getEncryptedContentKey());
    // Fresh salt per encryption so identical grant payloads do not produce identical ciphertext.
    String salt = engine.generateSalt();
    String plainJson = SimpleEntity.toJson(GrantObjectMeta.toEntity(grantObject));
    String cipherText = engine.encrypt(salt, contentKey, plainJson);
    return new EncryptedGrants(grantObject.getObjectName(), cipherText, salt, engine.getDescriptor());
}