@Override public Pair<String, Date> generateJWT( final String tokenId, final String subject, final long duration, final Map<String, Object> claims) { credentialChecker.checkIsDefaultJWSKeyInUse(); long currentTime = new Date().getTime() / 1000L; long expiryTime = currentTime + 60L * duration; JwtClaims jwtClaims = new JwtClaims(); jwtClaims.setTokenId(tokenId); jwtClaims.setSubject(subject); jwtClaims.setIssuedAt(currentTime); jwtClaims.setIssuer(jwtIssuer); jwtClaims.setExpiryTime(expiryTime); jwtClaims.setNotBefore(currentTime); claims.forEach((key, value) -> { jwtClaims.setClaim(key, value); }); JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, jwsSignatureProvider.getAlgorithm()); JwtToken token = new JwtToken(jwsHeaders, jwtClaims); JwsJwtCompactProducer producer = new JwsJwtCompactProducer(token); String signed = producer.signWith(jwsSignatureProvider); return Pair.of(signed, new Date(expiryTime * 1000L)); }
@org.junit.Test public void testBadSigningKey() throws Exception { URL busFile = JWTAlgorithmTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address)); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.keystore.type", "jks"); properties.put("rs.security.keystore.password", "password"); properties.put("rs.security.key.password", "password"); properties.put("rs.security.keystore.alias", "alice"); properties.put("rs.security.keystore.file", "keys/alice.jks"); properties.put("rs.security.signature.algorithm", "RS256"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
@org.junit.Test public void testAuthenticationFailure() throws Exception { URL busFile = JWTAuthnAuthzTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address)); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.keystore.type", "jks"); properties.put("rs.security.keystore.password", "password"); properties.put("rs.security.key.password", "password"); properties.put("rs.security.keystore.alias", "alice"); properties.put("rs.security.keystore.file", "keys/alice.jks"); properties.put("rs.security.signature.algorithm", "RS256"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
@org.junit.Test public void testMultipleAudiences() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.toEpochSecond()); String badAddress = "https://localhost:" + PORT + "/badunsignedjwt/bookstore/books"; List<String> audiences = new ArrayList<>(); audiences.add(address); audiences.add(badAddress); claims.setAudiences(audiences); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_CLAIMS, claims); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertEquals(response.getStatus(), 200); }
@org.junit.Test public void testAuthorizationNoRole() throws Exception { URL busFile = JWTAuthnAuthzTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/signedjwtauthz/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address)); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.keystore.type", "jwk"); properties.put("rs.security.keystore.alias", "2011-04-29"); properties.put("rs.security.keystore.file", "org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt"); properties.put("rs.security.signature.algorithm", "RS256"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
@org.junit.Test public void testWrongSignatureAlgorithm() throws Exception { URL busFile = JWTAlgorithmTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address)); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.keystore.type", "jwk"); properties.put("rs.security.keystore.alias", "2011-04-29"); properties.put("rs.security.keystore.file", "org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt"); properties.put("rs.security.signature.algorithm", "PS256"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address));
@org.junit.Test public void testNoAudience() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.toEpochSecond()); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_CLAIMS, claims); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertEquals(response.getStatus(), 200); }
@org.junit.Test public void testSetClaimsDirectly() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.toEpochSecond()); claims.setAudiences(toList(address)); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_CLAIMS, claims); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertEquals(response.getStatus(), 200); }
@org.junit.Test public void testUnsignedTokenFailure() throws Exception { URL busFile = JWTAlgorithmTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address)); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address));
@org.junit.Test public void testBadAudience() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.toEpochSecond()); String badAddress = "https://localhost:" + PORT + "/badunsignedjwt/bookstore/books"; claims.setAudiences(toList(badAddress)); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_CLAIMS, claims); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
@org.junit.Test public void testSignatureProperties() throws Exception { URL busFile = JWTAlgorithmTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address)); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.properties", "org/apache/cxf/systest/jaxrs/security/alice.jwk.properties"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertEquals(response.getStatus(), 200); Book returnedBook = response.readEntity(Book.class); assertEquals(returnedBook.getName(), "book"); assertEquals(returnedBook.getId(), 123L); }
@org.junit.Test public void testUnsignedTokenSuccess() throws Exception { URL busFile = JWTAlgorithmTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(Instant.now().getEpochSecond()); claims.setAudiences(toList(address)); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertEquals(response.getStatus(), 200); Book returnedBook = response.readEntity(Book.class); assertEquals(returnedBook.getName(), "book"); assertEquals(returnedBook.getId(), 123L); }
@org.junit.Test public void testNearFutureTokenFailure() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setAudiences(toList(address)); // Set the issued date to be in the near future ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.plusSeconds(30L).toEpochSecond()); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
@org.junit.Test public void testNearFutureTokenSuccess() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwtnearfuture/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setAudiences(toList(address)); // Set the issued date to be in the near future ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.plusSeconds(30L).toEpochSecond()); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertEquals(response.getStatus(), 200); }
@org.junit.Test public void testFutureToken() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setAudiences(toList(address)); // Set the issued date to be in the future ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.plusDays(1L).toEpochSecond()); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
@Override public void filter(ClientRequestContext requestContext) throws IOException { JwtToken jwt = getJwtToken(requestContext); if (jwt == null && super.isJweRequired()) { AuthorizationPolicy ap = JAXRSUtils.getCurrentMessage().getExchange() .getEndpoint().getEndpointInfo().getExtensor(AuthorizationPolicy.class); if (ap != null && ap.getUserName() != null) { JwtClaims claims = new JwtClaims(); claims.setSubject(ap.getUserName()); claims.setClaim("password", ap.getPassword()); claims.setIssuedAt(System.currentTimeMillis() / 1000L); jwt = new JwtToken(new JweHeaders(), claims); } } if (jwt == null) { throw new JoseException("JWT token is not available"); } String data = super.processJwt(jwt); requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, authScheme + " " + data); }
@org.junit.Test public void testNotBeforeFailure() throws Exception { URL busFile = JWTPropertiesTest.class.getResource("client.xml"); List<Object> providers = new ArrayList<>(); providers.add(new JacksonJsonProvider()); providers.add(new JwtAuthenticationClientFilter()); String address = "https://localhost:" + PORT + "/unsignedjwt/bookstore/books"; WebClient client = WebClient.create(address, providers, busFile.toString()); client.type("application/json").accept("application/json"); // Create the JWT Token JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setAudiences(toList(address)); // Set the issued date to be in the near future ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC); claims.setIssuedAt(now.toEpochSecond()); claims.setNotBefore(now.plusSeconds(30L).toEpochSecond()); JwtToken token = new JwtToken(claims); Map<String, Object> properties = new HashMap<>(); properties.put("rs.security.signature.algorithm", "none"); properties.put(JwtConstants.JWT_TOKEN, token); WebClient.getConfig(client).getRequestContext().putAll(properties); Response response = client.post(new Book("book", 123L)); assertNotEquals(response.getStatus(), 200); }
private ClientAccessToken getAccessToken() { JwsHeaders headers = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.RS256); JwtClaims claims = new JwtClaims(); claims.setIssuer(config.getServiceAccountClientId()); claims.setAudience("https://accounts.google.com/o/oauth2/token"); claims.setSubject(config.getServiceAccountSubject()); long issuedAt = OAuthUtils.getIssuedAt(); long tokenTimeout = config.getServiceAccountTokenLifetime(); claims.setIssuedAt(issuedAt); claims.setExpiryTime(issuedAt + tokenTimeout); claims.setProperty("scope", "https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.user"); JwtToken token = new JwtToken(headers, claims); JwsJwtCompactProducer p = new JwsJwtCompactProducer(token); String base64UrlAssertion = p.signWith(privateKey); JwtBearerGrant grant = new JwtBearerGrant(base64UrlAssertion); WebClient accessTokenService = WebClient.create("https://accounts.google.com/o/oauth2/token", Arrays.asList(new OAuthJSONProvider(), new AccessTokenGrantWriter())); accessTokenService.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON); return accessTokenService.post(grant, ClientAccessToken.class); }