Repository: james-project Updated Branches: refs/heads/master 7d3c8efae -> 794173534
JAMES-2053 JWT should not accept None algorithm
Project: http://git-wip-us.apache.org/repos/asf/james-project/repo
Commit: http://git-wip-us.apache.org/repos/asf/james-project/commit/475f338a
Tree: http://git-wip-us.apache.org/repos/asf/james-project/tree/475f338a
Diff: http://git-wip-us.apache.org/repos/asf/james-project/diff/475f338a
Branch: refs/heads/master
Commit: 475f338ad68bb3939467f7b5d2eea3ecbaeb1281
Parents: 7d3c8ef
Author: benwa <[email protected]>
Authored: Mon Jun 12 11:03:41 2017 +0700
Committer: benwa <[email protected]>
Committed: Mon Jun 12 16:11:22 2017 +0700
----------------------------------------------------------------------
 .../apache/james/jwt/JwtTokenVerifierTest.java | 29 ++++++++++++++++++++
 1 file changed, 29 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/james-project/blob/475f338a/server/protocols/jwt/src/test/java/org/apache/james/jwt/JwtTokenVerifierTest.java
----------------------------------------------------------------------
diff --git a/server/protocols/jwt/src/test/java/org/apache/james/jwt/JwtTokenVerifierTest.java b/server/protocols/jwt/src/test/java/org/apache/james/jwt/JwtTokenVerifierTest.java
index 698b28d..ae77048 100644
--- a/server/protocols/jwt/src/test/java/org/apache/james/jwt/JwtTokenVerifierTest.java
+++ b/server/protocols/jwt/src/test/java/org/apache/james/jwt/JwtTokenVerifierTest.java
@@ -58,6 +58,11 @@ public class JwtTokenVerifierTest {
         "-yDYktd4WT8MYhqY7MgS-wR0vO9jZFv8ZCgd_MkKCvCO0HmMjP5iQPZ0kqGkgWUH7X123tfR38MfbCVAdPDba-K3MfkogV1xvDhlkPScFr_6MxE" +
         "xtedOK2JnQZn7t9sUzSrcyjWverm7gZkPptkIVoS8TsEeMMME5vFXe_nqkEG69q3kuBUm_33tbR5oNS0ZGZKlG9r41lHBjyf9J1xN4UYV8n866d" +
         "a7RPPCzshIWUtO0q9T2umWTnp-6OnOdBCkndrZmRR6pPxsD5YL0_77Wq8KT_5__fGA";
+    // Generated on https://jwt.io/
+    private static final String TOKEN_NONE_ALGORITHM = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwi" +
+        "bmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.2XijNOVI9LXP9nWf-oj2SEWWNlcwmxzlQNGK1WdaWcQ";
+    private static final String TOKEN_NONE_ALGORITHM_NO_SIGNATURE = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwi" +
+        "bmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.";
     private JwtTokenVerifier sut;
 
     @Rule
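Review bot: The `// Generated on https://jwt.io/` comment above the two new constants says where the tokens came from but not what they encode or why there are two of them, which is exactly what a reader of the tests needs; the shared header segment decodes to `{"alg":"none","typ":"JWT"}` and the payload to `{"sub":"1234567890","name":"John Doe","admin":true}`. A comment such as `// alg=none tokens (header {"alg":"none","typ":"JWT"}, payload {"sub":"1234567890","name":"John Doe","admin":true}): TOKEN_NONE_ALGORITHM carries an arbitrary signature segment, TOKEN_NONE_ALGORITHM_NO_SIGNATURE an empty one` would make the distinction visible without decoding base64. Naming the two variants this way also records that the verifier must reject the header's algorithm claim itself rather than rely on the signature segment being absent. The enclosing class `JwtTokenVerifierTest` starts before and continues after this hunk.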
@@ -116,11 +121,35 @@ public class JwtTokenVerifierTest {
     }
 
     @Test
+    public void verifyShouldNotAcceptNoneAlgorithm() {
+        assertThat(sut.verify(TOKEN_NONE_ALGORITHM)).isFalse();
+    }
+
+    @Test
+    public void verifyShouldNotAcceptNoneAlgorithmWithoutSignature() {
+        assertThat(sut.verify(TOKEN_NONE_ALGORITHM_NO_SIGNATURE)).isFalse();
+    }
+
+    @Test
     public void shouldReturnUserLoginFromValidToken() {
         assertThat(sut.extractLogin(VALID_TOKEN_WITHOUT_ADMIN)).isEqualTo("1234567890");
     }
 
     @Test
+    public void hasAttributeShouldReturnFalseOnNoneAlgorithm() throws Exception {
+        boolean authorized = sut.hasAttribute("admin", true, TOKEN_NONE_ALGORITHM);
+
+        assertThat(authorized).isFalse();
+    }
+
+    @Test
+    public void hasAttributeShouldReturnFalseOnNoneAlgorithmWithoutSignature() throws Exception {
+        boolean authorized = sut.hasAttribute("admin", true, TOKEN_NONE_ALGORITHM_NO_SIGNATURE);
+
+        assertThat(authorized).isFalse();
+    }
+
+    @Test
     public void hasAttributeShouldReturnTrueIfClaimValid() throws Exception {
         boolean authorized = sut.hasAttribute("admin", true, VALID_TOKEN_ADMIN_TRUE);
 
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
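Review bot: The four new tests pin the expected outcome but not the reason for it, and since the diffstat shows only this test file changed, the rejection they assert is presumably already provided by `JwtTokenVerifier` or the library underneath rather than by this commit; it is worth confirming that `sut` fails these tokens because the header's `alg` is not trusted, not merely because the arbitrary signature segment happens not to match the configured key. A comment above `verifyShouldNotAcceptNoneAlgorithm`, e.g. `// A token whose header claims alg=none must be rejected whether or not a signature segment is present: the header is supplied by the caller and must never select the verification algorithm.`, would record that intent, and it covers the two `hasAttributeShouldReturnFalseOnNoneAlgorithm...` tests as well. The `throws Exception` on the new `hasAttribute` tests matches the existing `hasAttributeShouldReturnTrueIfClaimValid`, so the style is consistent. The enclosing class continues past the end of this hunk.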
