src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java - geronimo-jwt-auth - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.geronimo.microprofile.impl.jwtauth.jwt;

 import static java.util.Collections.emptyMap;

 import java.io.ByteArrayInputStream;
 import java.net.HttpURLConnection;
 import java.util.Base64;

 import javax.annotation.PostConstruct;
 import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 import javax.json.Json;
 import javax.json.JsonObject;
 import javax.json.JsonReaderFactory;
 import javax.json.JsonString;

 import org.apache.geronimo.microprofile.impl.jwtauth.JwtException;
 import org.apache.geronimo.microprofile.impl.jwtauth.config.GeronimoJwtAuthConfig;
 import org.eclipse.microprofile.jwt.Claims;
 import org.eclipse.microprofile.jwt.JsonWebToken;

 @ApplicationScoped
 public class JwtParser {
     @Inject
     private GeronimoJwtAuthConfig config;

     @Inject
     private KidMapper kidMapper;

     @Inject
     private DateValidator dateValidator;

     @Inject
     private SignatureValidator signatureValidator;

     private JsonReaderFactory readerFactory;

     private String defaultKid;
     private String defaultAlg;
     private String defaultTyp;
     private boolean validateTyp;

     @PostConstruct
     private void init() {
         readerFactory = Json.createReaderFactory(emptyMap());
         defaultKid = config.read("jwt.header.kid.default", null);
         defaultAlg = config.read("jwt.header.alg.default", "RS256");
         defaultTyp = config.read("jwt.header.typ.default", "JWT");
         validateTyp = Boolean.parseBoolean(config.read("jwt.header.typ.validate", "true"));
     }

     public JsonWebToken parse(final String jwt) {
         final int firstDot = jwt.indexOf('.');
         if (firstDot < 0) {
             throw new JwtException("JWT is not valid", HttpURLConnection.HTTP_BAD_REQUEST);
         }
         final int secondDot = jwt.indexOf('.', firstDot + 1);
         if (secondDot < 0 || jwt.indexOf('.', secondDot + 1) > 0 || jwt.length() <= secondDot) {
             throw new JwtException("JWT is not valid", HttpURLConnection.HTTP_BAD_REQUEST);
         }

         final String rawHeader = jwt.substring(0, firstDot);
         final JsonObject header = loadJson(rawHeader);
         if (validateTyp && !getAttribute(header, "typ", defaultTyp).equalsIgnoreCase("jwt")) {
             throw new JwtException("Invalid typ", HttpURLConnection.HTTP_UNAUTHORIZED);
         }

         final JsonObject payload = loadJson(jwt.substring(firstDot + 1, secondDot));
         dateValidator.checkInterval(payload);

         final String alg = getAttribute(header, "alg", defaultAlg);
         final String kid = getAttribute(header, "kid", defaultKid);
         if (kidMapper.loadIssuers(kid).noneMatch(it -> it.equals(payload.getString(Claims.iss.name())))) {
             throw new JwtException("Invalid issuer", HttpURLConnection.HTTP_UNAUTHORIZED);
         }
         signatureValidator.verifySignature(alg, kidMapper.loadKey(kid), jwt.substring(0, secondDot), jwt.substring(secondDot + 1));

         return new GeronimoJsonWebToken(jwt, payload);
     }

     private String getAttribute(final JsonObject payload, final String key, final String def) {
         final JsonString json = payload.getJsonString(key);
         final String value = json != null ? json.getString() : def;
         if (value == null) {
             throw new JwtException("No " + key + " in JWT", HttpURLConnection.HTTP_UNAUTHORIZED);
         }
         return value;
     }

     private JsonObject loadJson(final String src) {
         return readerFactory.createReader(new ByteArrayInputStream(Base64.getUrlDecoder().decode(src))).readObject();
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.geronimo.microprofile.impl.jwtauth.jwt;

	import static java.util.Collections.emptyMap;

	import java.io.ByteArrayInputStream;
	import java.net.HttpURLConnection;
	import java.util.Base64;

	import javax.annotation.PostConstruct;
	import javax.enterprise.context.ApplicationScoped;
	import javax.inject.Inject;
	import javax.json.Json;
	import javax.json.JsonObject;
	import javax.json.JsonReaderFactory;
	import javax.json.JsonString;

	import org.apache.geronimo.microprofile.impl.jwtauth.JwtException;
	import org.apache.geronimo.microprofile.impl.jwtauth.config.GeronimoJwtAuthConfig;
	import org.eclipse.microprofile.jwt.Claims;
	import org.eclipse.microprofile.jwt.JsonWebToken;

	@ApplicationScoped
	public class JwtParser {
	@Inject
	private GeronimoJwtAuthConfig config;

	@Inject
	private KidMapper kidMapper;

	@Inject
	private DateValidator dateValidator;

	@Inject
	private SignatureValidator signatureValidator;

	private JsonReaderFactory readerFactory;

	private String defaultKid;
	private String defaultAlg;
	private String defaultTyp;
	private boolean validateTyp;

	@PostConstruct
	private void init() {
	readerFactory = Json.createReaderFactory(emptyMap());
	defaultKid = config.read("jwt.header.kid.default", null);
	defaultAlg = config.read("jwt.header.alg.default", "RS256");
	defaultTyp = config.read("jwt.header.typ.default", "JWT");
	validateTyp = Boolean.parseBoolean(config.read("jwt.header.typ.validate", "true"));
	}

	public JsonWebToken parse(final String jwt) {
	final int firstDot = jwt.indexOf('.');
	if (firstDot < 0) {
	throw new JwtException("JWT is not valid", HttpURLConnection.HTTP_BAD_REQUEST);
	}
	final int secondDot = jwt.indexOf('.', firstDot + 1);
	if (secondDot < 0 \|\| jwt.indexOf('.', secondDot + 1) > 0 \|\| jwt.length() <= secondDot) {
	throw new JwtException("JWT is not valid", HttpURLConnection.HTTP_BAD_REQUEST);
	}

	final String rawHeader = jwt.substring(0, firstDot);
	final JsonObject header = loadJson(rawHeader);
	if (validateTyp && !getAttribute(header, "typ", defaultTyp).equalsIgnoreCase("jwt")) {
	throw new JwtException("Invalid typ", HttpURLConnection.HTTP_UNAUTHORIZED);
	}

	final JsonObject payload = loadJson(jwt.substring(firstDot + 1, secondDot));
	dateValidator.checkInterval(payload);

	final String alg = getAttribute(header, "alg", defaultAlg);
	final String kid = getAttribute(header, "kid", defaultKid);
	if (kidMapper.loadIssuers(kid).noneMatch(it -> it.equals(payload.getString(Claims.iss.name())))) {
	throw new JwtException("Invalid issuer", HttpURLConnection.HTTP_UNAUTHORIZED);
	}
	signatureValidator.verifySignature(alg, kidMapper.loadKey(kid), jwt.substring(0, secondDot), jwt.substring(secondDot + 1));

	return new GeronimoJsonWebToken(jwt, payload);
	}

	private String getAttribute(final JsonObject payload, final String key, final String def) {
	final JsonString json = payload.getJsonString(key);
	final String value = json != null ? json.getString() : def;
	if (value == null) {
	throw new JwtException("No " + key + " in JWT", HttpURLConnection.HTTP_UNAUTHORIZED);
	}
	return value;
	}

	private JsonObject loadJson(final String src) {
	return readerFactory.createReader(new ByteArrayInputStream(Base64.getUrlDecoder().decode(src))).readObject();
	}
	}