[SYNCOPE-1117] - Add a "DefaultCredentialChecker" to log a warning if the default JWS key is being used
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/579d5b7c Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/579d5b7c Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/579d5b7c Branch: refs/heads/2_0_X Commit: 579d5b7c8ef9bdbe4716c14932fc3597f5975591 Parents: fe20846 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Thu Jun 22 16:33:25 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Thu Jun 22 17:09:02 2017 +0100 ---------------------------------------------------------------------- .../java/data/AccessTokenDataBinderImpl.java | 8 +++ .../src/test/resources/provisioningTest.xml | 4 ++ .../security/DefaultCredentialChecker.java | 55 ++++++++++++++++++++ .../security/JWTAuthenticationFilter.java | 5 ++ .../src/main/resources/securityContext.xml | 6 +++ 5 files changed, 78 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/579d5b7c/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java ---------------------------------------------------------------------- diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java index d4d8afc..13a5b93 100644 --- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java +++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/AccessTokenDataBinderImpl.java 
@@ -42,6 +42,7 @@ import org.apache.syncope.core.provisioning.api.data.AccessTokenDataBinder; import org.apache.syncope.core.provisioning.api.serialization.POJOHelper; import org.apache.syncope.core.spring.BeanUtils; import org.apache.syncope.core.spring.security.AuthContextUtils; +import org.apache.syncope.core.spring.security.DefaultCredentialChecker; import org.apache.syncope.core.spring.security.Encryptor; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -77,10 +78,15 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder { @Autowired private EntityFactory entityFactory; + @Autowired + private DefaultCredentialChecker credentialChecker; + @Override public Triple<String, String, Date> generateJWT( final String subject, final int duration, final Map<String, Object> claims) { + credentialChecker.checkIsDefaultJWSKeyInUse(); + Date now = new Date(); Date expiry = new Date(now.getTime() + 60L * 1000L * duration); @@ -156,6 +162,8 @@ public class AccessTokenDataBinderImpl implements AccessTokenDataBinder { public Pair<String, Date> update(final AccessToken accessToken) { JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(accessToken.getBody()); + credentialChecker.checkIsDefaultJWSKeyInUse(); + Date now = new Date(); int duration = confDAO.find("jwt.lifetime.minutes", "120").getValues().get(0).getLongValue().intValue(); Date expiry = new Date(now.getTime() + 60L * 1000L * duration); http://git-wip-us.apache.org/repos/asf/syncope/blob/579d5b7c/core/provisioning-java/src/test/resources/provisioningTest.xml ---------------------------------------------------------------------- diff --git a/core/provisioning-java/src/test/resources/provisioningTest.xml b/core/provisioning-java/src/test/resources/provisioningTest.xml index 4db50f0..53fb6d9 100644 --- a/core/provisioning-java/src/test/resources/provisioningTest.xml +++ b/core/provisioning-java/src/test/resources/provisioningTest.xml 
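Review bot: `credentialChecker.checkIsDefaultJWSKeyInUse()` is now invoked at the top of `generateJWT` and again in `update`, and the checker's flag is fixed at construction, so a deployment still on the default key emits the same WARN line once per token issued or refreshed rather than once; the JWTAuthenticationFilter hunk adds a third call on every request that carries a token, inside the try block around `verifySignatureWith`. Since the condition cannot change at runtime, the warning belongs at bean initialization (or behind a logged-once guard inside the checker), after which these hot-path calls can be dropped or left as cheap no-ops. In `update` the call is also placed after `new JwsJwtCompactConsumer(accessToken.getBody())`; if it is kept, moving it above the consumer creation keeps the pre-check next to the method's other preconditions, as it already is in `generateJWT`. Both `generateJWT` and `update` continue outside the hunk.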
@@ -56,5 +56,9 @@ under the License. <value type="org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm">HS512</value> </constructor-arg> </bean> + <bean id="credentialChecker" class="org.apache.syncope.core.spring.security.DefaultCredentialChecker"> + <constructor-arg value="${jwsKey}" index="0"/> + <constructor-arg value="${adminPassword}" index="1"/> + </bean> </beans> http://git-wip-us.apache.org/repos/asf/syncope/blob/579d5b7c/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java ---------------------------------------------------------------------- diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java new file mode 100644 index 0000000..3dc0ea0 --- /dev/null +++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java 
@@ -0,0 +1,55 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.syncope.core.spring.security; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * This class provides some methods to check whether default credentials are being used, and + * logs a warning if they are. + */ +public class DefaultCredentialChecker { + private static final Logger LOG = LoggerFactory.getLogger(DefaultCredentialChecker.class); + + private static final String DEFAULT_JWS_KEY = "ZW7pRixehFuNUtnY5Se47IemgMryTzazPPJ9CGX5LTCmsOJpOgHAQEuPQeV9A28f"; + private static final String DEFAULT_ADMIN_PASSWORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"; + private final boolean defaultAdminPasswordInUse; + private final boolean defaultJwsKeyInUse; + + public DefaultCredentialChecker(final String jwsKey, final String adminPassword) { + defaultJwsKeyInUse = DEFAULT_JWS_KEY.equals(jwsKey); + defaultAdminPasswordInUse = DEFAULT_ADMIN_PASSWORD.equals(adminPassword); + } + + public void checkIsDefaultJWSKeyInUse() { + if (defaultJwsKeyInUse) { + LOG.warn("The default jwsKey property is being used. 
" + + "This must be changed to avoid a security breach!"); + } + } + + public void checkIsDefaultAdminPasswordInUse() { + if (defaultAdminPasswordInUse) { + LOG.warn("The default adminPassword property is being used. " + + "This must be changed to avoid a security breach!"); + } + } + +} http://git-wip-us.apache.org/repos/asf/syncope/blob/579d5b7c/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java index 44202d1..05b46f0 100644 --- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java +++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/JWTAuthenticationFilter.java @@ -55,6 +55,9 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter { @Autowired private JwsSignatureVerifier jwsSignatureVerifier; + @Autowired + private DefaultCredentialChecker credentialChecker; + public void setAuthenticationEntryPoint(final AuthenticationEntryPoint authenticationEntryPoint) { this.authenticationEntryPoint = authenticationEntryPoint; } @@ -91,6 +94,8 @@ public class JWTAuthenticationFilter extends OncePerRequestFilter { JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(stringToken); try { + credentialChecker.checkIsDefaultJWSKeyInUse(); + if (!consumer.verifySignatureWith(jwsSignatureVerifier)) { throw new BadCredentialsException("Invalid signature found in JWT"); } http://git-wip-us.apache.org/repos/asf/syncope/blob/579d5b7c/core/spring/src/main/resources/securityContext.xml ---------------------------------------------------------------------- 
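Review bot: `checkIsDefaultJWSKeyInUse()` and `checkIsDefaultAdminPasswordInUse()` log on every call while `defaultJwsKeyInUse` and `defaultAdminPasswordInUse` are final, so with the callers this commit adds the warning repeats for the life of the process; a logged-once guard keeps the per-request callers cheap: `if (defaultJwsKeyInUse && !jwsKeyWarned) { jwsKeyWarned = true; LOG.warn(...); }` with `private volatile boolean jwsKeyWarned;` (and the same for the admin password). Nothing in this commit calls `checkIsDefaultAdminPasswordInUse()`, so the admin-password half is unreachable until a caller is wired or the constructor logs both findings once. `DEFAULT_ADMIN_PASSWORD` is a 40-hex-character value that looks like a digest rather than a plaintext password, so the constructor presumably expects `${adminPassword}` in its stored hashed form; a comment on the constant such as `// compared against the hashed adminPassword property, not the cleartext` would stop a future caller from passing the cleartext and silently defeating the check. The two methods also lack Javadoc stating that they only log and never throw, which matters for callers placing them on authentication paths.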
diff --git a/core/spring/src/main/resources/securityContext.xml b/core/spring/src/main/resources/securityContext.xml index 2705b42..c9016fa 100644 --- a/core/spring/src/main/resources/securityContext.xml +++ b/core/spring/src/main/resources/securityContext.xml @@ -48,6 +48,12 @@ under the License. <bean id="jwsKey" class="java.lang.String"> <constructor-arg value="${jwsKey}"/> </bean> + + <bean id="credentialChecker" class="org.apache.syncope.core.spring.security.DefaultCredentialChecker"> + <constructor-arg value="${jwsKey}" index="0"/> + <constructor-arg value="${adminPassword}" index="1"/> + </bean> + <bean id="jwsSignatureVerifier" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier"> <constructor-arg value="#{jwsKey.getBytes()}" index="0"/> <constructor-arg index="1">