| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| package org.apache.cxf.rs.security.jose.jaxrs; |
| |
| import java.io.IOException; |
| |
| import javax.annotation.Priority; |
| import javax.ws.rs.Priorities; |
| import javax.ws.rs.client.ClientRequestContext; |
| import javax.ws.rs.client.ClientRequestFilter; |
| import javax.ws.rs.core.HttpHeaders; |
| |
| import org.apache.cxf.common.util.Base64UrlUtility; |
| import org.apache.cxf.configuration.security.AuthorizationPolicy; |
| import org.apache.cxf.jaxrs.utils.JAXRSUtils; |
| import org.apache.cxf.message.Message; |
| import org.apache.cxf.phase.PhaseInterceptorChain; |
| import org.apache.cxf.rs.security.jose.common.JoseException; |
| import org.apache.cxf.rs.security.jose.jwe.JweHeaders; |
| import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer; |
| import org.apache.cxf.rs.security.jose.jwt.JwtClaims; |
| import org.apache.cxf.rs.security.jose.jwt.JwtConstants; |
| import org.apache.cxf.rs.security.jose.jwt.JwtToken; |
| import org.apache.cxf.rt.security.crypto.CryptoUtils; |
| |
| @Priority(Priorities.AUTHENTICATION) |
| public class JwtAuthenticationClientFilter extends JoseJwtProducer |
| implements ClientRequestFilter { |
| |
| private static final String DEFAULT_AUTH_SCHEME = "JWT"; |
| private String authScheme = DEFAULT_AUTH_SCHEME; |
| @Override |
| public void filter(ClientRequestContext requestContext) throws IOException { |
| JwtToken jwt = getJwtToken(requestContext); |
| if (jwt == null && super.isJweRequired()) { |
| AuthorizationPolicy ap = JAXRSUtils.getCurrentMessage().getExchange() |
| .getEndpoint().getEndpointInfo().getExtensor(AuthorizationPolicy.class); |
| if (ap != null && ap.getUserName() != null) { |
| JwtClaims claims = new JwtClaims(); |
| claims.setSubject(ap.getUserName()); |
| claims.setClaim("password", ap.getPassword()); |
| claims.setIssuedAt(System.currentTimeMillis() / 1000L); |
| jwt = new JwtToken(new JweHeaders(), claims); |
| } |
| } |
| if (jwt == null) { |
| throw new JoseException("JWT token is not available"); |
| } |
| String data = super.processJwt(jwt); |
| requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, |
| authScheme + " " + data); |
| } |
| |
| protected JwtToken getJwtToken(ClientRequestContext requestContext) { |
| // Try the filter properties first, then the message properties |
| JwtToken token = (JwtToken)requestContext.getProperty(JwtConstants.JWT_TOKEN); |
| if (token == null) { |
| Message m = PhaseInterceptorChain.getCurrentMessage(); |
| token = (JwtToken)m.getContextualProperty(JwtConstants.JWT_TOKEN); |
| } |
| |
| if (token != null) { |
| return token; |
| } |
| |
| // Otherwise check to see if we have some claims + construct the header ourselves |
| JwtClaims claims = (JwtClaims)requestContext.getProperty(JwtConstants.JWT_CLAIMS); |
| if (claims == null) { |
| Message m = PhaseInterceptorChain.getCurrentMessage(); |
| claims = (JwtClaims)m.getContextualProperty(JwtConstants.JWT_CLAIMS); |
| } |
| |
| if (claims != null) { |
| token = new JwtToken(claims); |
| } |
| |
| return token; |
| } |
| |
| protected String getContextPropertyValue() { |
| return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)); |
| } |
| |
| public void setAuthScheme(String authScheme) { |
| this.authScheme = authScheme; |
| } |
| |
| |
| |
| } |