Repository: cxf
Updated Branches:
  refs/heads/master 4946ee58a -> 087ae7575


Add the ability to sign/encrypt UserInfoService responses using asymmetric keys


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/087ae757
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/087ae757
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/087ae757

Branch: refs/heads/master
Commit: 087ae75756e9bbd6984cd3bd1a7d609ae8bd659f
Parents: 4946ee5
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Tue Feb 16 17:06:39 2016 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Tue Feb 16 17:07:58 2016 +0000

----------------------------------------------------------------------
 .../oauth2/provider/OAuthServerJoseJwtProducer.java   | 14 +++++++++++---
 .../cxf/rs/security/oidc/idp/UserInfoService.java     |  8 ++++++--
 2 files changed, 17 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/087ae757/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
----------------------------------------------------------------------
diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
index 24e6a16..35a323f 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
@@ -25,6 +25,7 @@ import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -35,12 +36,12 @@ public class OAuthServerJoseJwtProducer extends 
OAuthJoseJwtProducer {
     public String processJwt(JwtToken jwt, Client client) {
         return processJwt(jwt, 
                          getInitializedEncryptionProvider(client),
-                         
getInitializedSignatureProvider(client.getClientSecret()));
+                         getInitializedSignatureProvider(client));
     }
     
     protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) 
{
         JweEncryptionProvider theEncryptionProvider = null;
-        if (encryptWithClientCertificates) {
+        if (encryptWithClientCertificates && c != null && 
!c.getApplicationCertificates().isEmpty()) {
             X509Certificate cert = 
                 
(X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
             theEncryptionProvider = 
JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(), 
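Review bot: The new guard only checks that the client has at least one application certificate; the cast `(RSAPublicKey)cert.getPublicKey()` on the last line of this hunk still assumes an RSA key, so a client registered with an EC certificate would fail with a ClassCastException deep in the response path rather than a clear error. A type check before the cast keeps the failure explicit, e.g. `if (!(cert.getPublicKey() instanceof RSAPublicKey)) { throw new IllegalStateException("Client certificate does not contain an RSA public key"); }`. I cannot tell from here whether `getApplicationCertificates()` can return null rather than an empty list; if it can, the `isEmpty()` guard still NPEs and needs a null check as well. The method continues into the next hunk.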
@@ -48,12 +49,19 @@ public class OAuthServerJoseJwtProducer extends 
OAuthJoseJwtProducer {
                                                                          
ContentAlgorithm.A128GCM, 
                                                                          null);
         }
-        if (theEncryptionProvider == null) {
+        if (theEncryptionProvider == null && c != null && c.getClientSecret() 
!= null) {
             theEncryptionProvider = 
super.getInitializedEncryptionProvider(c.getClientSecret());
         }
         return theEncryptionProvider;
         
     }
+    
+    protected JwsSignatureProvider getInitializedSignatureProvider(Client c) {
+        if (c == null) {
+            return null;
+        }
+        return super.getInitializedSignatureProvider(c.getClientSecret());
+    }
 
     public void setEncryptWithClientCertificates(boolean 
encryptWithClientCertificates) {
         if (isEncryptWithClientSecret()) {
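Review bot: The encryption path at the top of this hunk now skips `super.getInitializedEncryptionProvider(...)` when `c.getClientSecret()` is null, while the new `getInitializedSignatureProvider(Client)` passes a null secret straight through to its `super` counterpart, so the two overrides treat a client without a secret differently. If the parent falls back to the configured asymmetric key on a null secret (which the commit title suggests), the encryption path loses that fallback for secret-less clients; if it does not, the signature path is the one that breaks. Letting the parent decide in both places keeps them consistent, e.g. `if (theEncryptionProvider == null && c != null) { theEncryptionProvider = super.getInitializedEncryptionProvider(c.getClientSecret()); }`. What a null provider means when `isJweRequired()`/`isJwsRequired()` is true is decided in `processJwt` outside this hunk; that case should end in a failure rather than an unprotected token, and a Javadoc on the new overload such as `/** Resolves the JWS provider for the client; returns null when no client is available. */` would make the contract visible to callers.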

http://git-wip-us.apache.org/repos/asf/cxf/blob/087ae757/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 9955bf9..5edf228 100644
--- 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -26,6 +26,7 @@ import javax.ws.rs.core.Response;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
@@ -64,8 +65,11 @@ public class UserInfoService extends 
OAuthServerJoseJwtProducer {
         Object responseEntity = userInfo;
         // UserInfo may be returned in a clear form as JSON
         if (super.isJwsRequired() || super.isJweRequired()) {
-            responseEntity = super.processJwt(new JwtToken(userInfo),
-                                              
oauthDataProvider.getClient(oauth.getClientId()));
+            Client client = null;
+            if (oauthDataProvider != null) {
+                client = oauthDataProvider.getClient(oauth.getClientId());
+            }
+            responseEntity = super.processJwt(new JwtToken(userInfo), client);
         }
         return Response.ok(responseEntity).build();
         
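Review bot: With `oauthDataProvider` null the new code hands a null client to `processJwt` while `isJwsRequired()`/`isJweRequired()` is true, which in the producer resolves to null key providers; whether that still yields a signed/encrypted JWT from the configured asymmetric keys or silently returns a plaintext UserInfo depends on the parent `processJwt`, which is outside this hunk. A comment stating the intent would help the next reader, e.g. `// A null client relies on the producer's configured asymmetric keys for JWS/JWE`, together with confirming that the producer fails when a required provider cannot be resolved. The enclosing method starts before this hunk, so I cannot see whether `oauth` itself is guarded against null before `oauth.getClientId()`.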
