Repository: cxf Updated Branches: refs/heads/master fe39afe42 -> ac7c1114a
Checking if the refresh token has expired and minor changes to JwkUtils
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ad0903a3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ad0903a3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ad0903a3
Branch: refs/heads/master
Commit: ad0903a381db8dddb7301dc8e964ec7d247b137e
Parents: c686b1a
Author: Sergey Beryozkin <sberyoz...@gmail.com>
Authored: Thu Nov 26 09:42:29 2015 +0000
Committer: Sergey Beryozkin <sberyoz...@gmail.com>
Committed: Thu Nov 26 09:42:29 2015 +0000
----------------------------------------------------------------------
.../rs/security/jose/jwa/AlgorithmUtils.java | 3 ++
.../cxf/rs/security/jose/jwk/JwkUtils.java | 31 ++++++++++++--------
.../provider/AbstractOAuthDataProvider.java | 4 ++-
3 files changed, 24 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ad0903a3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
index 0145b5d..d52054b 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
@@ -197,6 +197,9 @@ public final class AlgorithmUtils {
 public static boolean isRsa(String algo) {
 return isRsaKeyWrap(algo) || isRsaSign(algo);
 }
+ public static boolean isEc(String algo) {
+ return isEcDsaSign(algo) || isEcdhEsWrap(algo);
+ }
 public static boolean isRsaKeyWrap(String algo) {
 return RSA_CEK_SET.contains(algo);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ad0903a3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index eca04a5..38c299a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -349,9 +349,7 @@ public final class JwkUtils {
 return KeyManagementUtils.toX509CertificateChain(base64EncodedChain);
 }
 public static JsonWebKey fromECPublicKey(ECPublicKey pk, String curve) {
- JsonWebKey jwk = new JsonWebKey();
- jwk.setKeyType(KeyType.EC);
- jwk.setProperty(JsonWebKey.EC_CURVE, curve);
+ JsonWebKey jwk = prepareECJwk(curve);
 jwk.setProperty(JsonWebKey.EC_X_COORDINATE,
 Base64UrlUtility.encode(pk.getW().getAffineX().toByteArray()));
 jwk.setProperty(JsonWebKey.EC_Y_COORDINATE,
@@ -359,9 +357,7 @@ public final class JwkUtils {
 return jwk;
 }
 public static JsonWebKey fromECPrivateKey(ECPrivateKey pk, String curve) {
- JsonWebKey jwk = new JsonWebKey();
- jwk.setKeyType(KeyType.EC);
- jwk.setProperty(JsonWebKey.EC_CURVE, curve);
+ JsonWebKey jwk = prepareECJwk(curve);
 jwk.setProperty(JsonWebKey.EC_PRIVATE_KEY,
 Base64UrlUtility.encode(pk.getS().toByteArray()));
 return jwk;
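Review bot: The new isEc helper in the AlgorithmUtils hunk has no Javadoc, and nothing in this commit calls it, so its contract should be stated next to it. Mirroring the neighbouring isRsa, a one-liner such as `/** Returns true if {@code algo} names an ECDSA signature or an ECDH-ES key-management algorithm. */` would do. How a null algo behaves depends on how isEcDsaSign and isEcdhEsWrap look the name up, which is outside this hunk; if those sets are null-hostile, a caller passing an unset property gets a NullPointerException rather than false, which is worth checking since fromPublicKey in the JwkUtils hunks now passes properties through unvalidated.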
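Review bot: After the refactor, fromECPublicKey still builds the x and y members from `pk.getW().getAffineX().toByteArray()` (and fromECPrivateKey in the following hunk builds d from `pk.getS().toByteArray()`); BigInteger.toByteArray() is variable-length two's complement, so it prepends a 0x00 sign byte when the high bit is set and yields a short array when the value has leading zero bytes, whereas a JWK EC member must be an octet string of exactly the curve's coordinate size. Keys whose coordinates hit either case serialize in a form other JOSE implementations may reject or misparse, and the same applies to d, whose required length for the NIST curves equals the coordinate size. The fix is a small helper that strips a lone leading sign byte, left-pads to `(pk.getParams().getCurve().getField().getFieldSize() + 7) / 8` octets and rejects anything longer, applied to all three values; only the prepareECJwk line is new in each method, the encode lines are unchanged context, and fromECPublicKey's closing lines sit in the following hunk.
```java
public static JsonWebKey fromECPublicKey(ECPublicKey pk, String curve) {
    JsonWebKey jwk = prepareECJwk(curve);
    // RFC 7518 6.2.1: x and y are fixed-length octet strings of the curve's coordinate size
    int coordLen = (pk.getParams().getCurve().getField().getFieldSize() + 7) / 8;
    jwk.setProperty(JsonWebKey.EC_X_COORDINATE,
                    Base64UrlUtility.encode(toFixedLength(pk.getW().getAffineX(), coordLen)));
    jwk.setProperty(JsonWebKey.EC_Y_COORDINATE,
                    Base64UrlUtility.encode(toFixedLength(pk.getW().getAffineY(), coordLen)));
    // … unchanged: return jwk …

// Converts a non-negative BigInteger to exactly len octets: drops the 0x00 sign byte
// that toByteArray() adds when the high bit is set, left-pads short values, rejects the rest.
private static byte[] toFixedLength(BigInteger value, int len) {
    byte[] raw = value.toByteArray();
    int excess = raw.length - len;
    if (excess == 0) {
        return raw;
    }
    if (excess > 1 || (excess == 1 && raw[0] != 0)) {
        throw new JwkException("Invalid EC key value");
    }
    byte[] fixed = new byte[len];
    if (excess == 1) {
        System.arraycopy(raw, 1, fixed, 0, len);
    } else {
        System.arraycopy(raw, 0, fixed, -excess, raw.length);
    }
    return fixed;
}
```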
@@ -375,10 +371,11 @@ public final class JwkUtils {
 public static JsonWebKey fromPublicKey(PublicKey key, Properties props, String algoProp) {
 JsonWebKey jwk = null;
 if (key instanceof RSAPublicKey) {
- jwk = JwkUtils.fromRSAPublicKey((RSAPublicKey)key, props.getProperty(algoProp));
+ String algo = props.getProperty(algoProp);
+ jwk = JwkUtils.fromRSAPublicKey((RSAPublicKey)key, algo);
 } else {
- jwk = JwkUtils.fromECPublicKey((ECPublicKey)key,
- props.getProperty(JoseConstants.RSSEC_EC_CURVE));
+ jwk = JwkUtils.fromECPublicKey((ECPublicKey)key,
+ props.getProperty(JoseConstants.RSSEC_EC_CURVE));
 }
 String kid = props.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS);
 if (kid != null) {
@@ -475,16 +472,24 @@ public final class JwkUtils {
 return new AesCbcHmacJweDecryption(keyDecryption);
 }
 private static JsonWebKey prepareRSAJwk(BigInteger modulus, String algo) {
- if (!AlgorithmUtils.isRsa(algo)) {
- throw new JwkException("Invalid algorithm");
- }
 JsonWebKey jwk = new JsonWebKey();
 jwk.setKeyType(KeyType.RSA);
- jwk.setAlgorithm(algo);
+ if (algo != null) {
+ if (!AlgorithmUtils.isRsa(algo)) {
+ throw new JwkException("Invalid algorithm");
+ }
+ jwk.setAlgorithm(algo);
+ }
 String encodedModulus = Base64UrlUtility.encode(modulus.toByteArray());
 jwk.setProperty(JsonWebKey.RSA_MODULUS, encodedModulus);
 return jwk;
 }
+ private static JsonWebKey prepareECJwk(String curve) {
+ JsonWebKey jwk = new JsonWebKey();
+ jwk.setKeyType(KeyType.EC);
+ jwk.setProperty(JsonWebKey.EC_CURVE, curve);
+ return jwk;
+ }
 private static String toString(byte[] bytes) {
 try {
 return new String(bytes, StandardCharsets.UTF_8);
http://git-wip-us.apache.org/repos/asf/cxf/blob/ad0903a3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
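Review bot: In the rewritten else branch of fromPublicKey every PublicKey that is not an RSAPublicKey is cast to ECPublicKey unconditionally, so a DSA or any other key type fails with a ClassCastException instead of a JwkException that names the problem. Changing the branch to `} else if (key instanceof ECPublicKey) {` and adding a final `} else { throw new JwkException("Unsupported public key type"); }` keeps the failure in the same vocabulary prepareRSAJwk already uses and makes the supported key types explicit. The curve passed in that branch comes straight from `props.getProperty(JoseConstants.RSSEC_EC_CURVE)` and may be null; see the note on the next hunk for where to catch that. The method continues past the end of this hunk.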
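Review bot: The new prepareECJwk helper writes whatever curve it is given straight into the crv member, while prepareRSAJwk in the same hunk validates the algorithm before setting it, so an unset RSSEC_EC_CURVE property yields a JWK with a null crv that is only noticed by whoever consumes it. A guard at the top of prepareECJwk, `if (curve == null) { throw new JwkException("Invalid curve"); }`, keeps the two helpers symmetric and fails at the point where the configuration is wrong. prepareRSAJwk now also treats a null algo as "no alg member" rather than as an error; that relaxation matches the fromPublicKey hunk, where the property may legitimately be absent, but it deserves a comment such as `// alg is optional in a JWK; validate it only when one was configured` so the next reader does not re-tighten it. Both helpers are complete within this hunk.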
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 8eba936..78e2aa7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -29,6 +29,7 @@ import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
 import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 public abstract class AbstractOAuthDataProvider implements OAuthDataProvider {
 private long accessTokenLifetime = 3600L;
@@ -52,7 +53,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider {
 public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey,
 List<String> restrictedScopes) throws OAuthServiceException {
 RefreshToken oldRefreshToken = revokeRefreshAndAccessTokens(client, refreshTokenKey);
- if (oldRefreshToken == null) {
+ if (oldRefreshToken == null
+ || OAuthUtils.isExpired(oldRefreshToken.getIssuedAt(), oldRefreshToken.getExpiresIn())) {
 throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
 }
 return doRefreshAccessToken(client, oldRefreshToken, restrictedScopes);
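Review bot: The new expiry test in refreshAccessToken runs after revokeRefreshAndAccessTokens has already been called, so by the time ACCESS_DENIED is thrown the expired refresh token, and presumably the access tokens it tracks, are already gone; that is the right outcome for an expired token, but nothing on the line says it is deliberate. A comment such as `// an expired refresh token has been revoked above and is rejected like an unknown one` and a Javadoc `@throws OAuthServiceException if the refresh token is unknown, revoked or expired` would make the intent explicit. Please also confirm that OAuthUtils.isExpired treats a zero or negative expiresIn as non-expiring, consistent with how access tokens are checked elsewhere, since refresh tokens persisted without a lifetime would otherwise become unusable after this change. Returning the same ACCESS_DENIED for unknown and expired tokens is good, as it does not tell the caller which case applied. The method's closing brace lies outside the hunk.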