src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/JwtRequest.java - geronimo-jwt-auth - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.geronimo.microprofile.impl.jwtauth.servlet;

 import static java.util.Collections.emptySet;
 import static java.util.stream.Collectors.toList;

 import java.security.Principal;
 import java.util.LinkedHashSet;
 import java.util.Locale;
 import java.util.Set;
 import java.util.concurrent.Callable;
 import java.util.function.Supplier;
 import java.util.stream.Stream;

 import javax.security.auth.Subject;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.geronimo.microprofile.impl.jwtauth.JwtException;
 import org.apache.geronimo.microprofile.impl.jwtauth.jaxrs.JAXRSRequestForwarder;
 import org.apache.geronimo.microprofile.impl.jwtauth.jwt.JwtParser;
 import org.eclipse.microprofile.jwt.JsonWebToken;

 public class JwtRequest extends HttpServletRequestWrapper implements TokenAccessor {
     private final Supplier<JsonWebToken> tokenExtractor;
     private final String headerName;
     private volatile JsonWebToken token; // cache for perf reasons

     public JwtRequest(final JwtParser service, final String header, final String cookie,
                       final String prefix, final HttpServletRequest request) {
         super(request);
         this.headerName = header;

         this.tokenExtractor = () -> {
             if (token != null) {
                 return token;
             }

             synchronized (this) {
                 if (token != null) {
                     return token;
                 }

                 boolean fromHeader = true;
                 String auth = String.class.cast(
                     getAttribute("org.apache.geronimo.microprofile.impl.jwtauth.jaxrs.JAXRSRequestForwarder.header"));
                 if (auth == null) {
                     auth = getHeader(header);
                 }
                 if (auth == null) {
                     final Cookie[] cookies = getCookies();
                     if (cookies != null) {
                         fromHeader = false;
                         auth = Stream.of(cookies)
                             .filter(it -> cookie.equalsIgnoreCase(it.getName()))
                             .findFirst()
                             .map(Cookie::getValue)
                             .orElse(null);
                     }
                 }
                 if (auth == null || auth.isEmpty()) {
                     throw new JwtException("No " + header + " header", HttpServletResponse.SC_UNAUTHORIZED);
                 }
                 if (fromHeader) {
                     if (!auth.toLowerCase(Locale.ROOT).startsWith(prefix)) {
                         throw new JwtException("No prefix " + prefix + " in header " + header, HttpServletResponse.SC_UNAUTHORIZED);
                     }
                     token = service.parse(auth.substring(prefix.length()));
                 } else {
                     token = service.parse(auth.startsWith(prefix) ? auth.substring(prefix.length()) : auth);
                 }
                 setAttribute(JsonWebToken.class.getName(), token);
                 return token;
             }
         };

         // integration hook if needed
         setAttribute(JwtRequest.class.getName(), this);
         setAttribute(JsonWebToken.class.getName() + ".supplier", tokenExtractor);
         setAttribute(Principal.class.getName() + ".supplier", tokenExtractor);
         // not portable but used by some servers like tomee
         setAttribute("javax.security.auth.subject.callable", (Callable<Subject>) () -> {
             final Set<Principal> principals = new LinkedHashSet<>();
             final JsonWebToken namePrincipal = tokenExtractor.get();
             principals.add(namePrincipal);
             principals.addAll(namePrincipal.getGroups().stream().map(role -> (Principal) () -> role).collect(toList()));
             return new Subject(true, principals, emptySet(), emptySet());
         });
     }

     public String getHeaderName() {
         return headerName;
     }

     public TokenAccessor asTokenAccessor() {
         return this;
     }

     @Override
     public JsonWebToken getToken() {
         return tokenExtractor.get();
     }

     @Override
     public Principal getUserPrincipal() {
         return tokenExtractor.get();
     }

     @Override
     public boolean isUserInRole(final String role) {
         return tokenExtractor.get().getGroups().contains(role);
     }

     @Override
     public String getAuthType() {
         return "MP-JWT";
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.geronimo.microprofile.impl.jwtauth.servlet;

	import static java.util.Collections.emptySet;
	import static java.util.stream.Collectors.toList;

	import java.security.Principal;
	import java.util.LinkedHashSet;
	import java.util.Locale;
	import java.util.Set;
	import java.util.concurrent.Callable;
	import java.util.function.Supplier;
	import java.util.stream.Stream;

	import javax.security.auth.Subject;
	import javax.servlet.http.Cookie;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletRequestWrapper;
	import javax.servlet.http.HttpServletResponse;

	import org.apache.geronimo.microprofile.impl.jwtauth.JwtException;
	import org.apache.geronimo.microprofile.impl.jwtauth.jaxrs.JAXRSRequestForwarder;
	import org.apache.geronimo.microprofile.impl.jwtauth.jwt.JwtParser;
	import org.eclipse.microprofile.jwt.JsonWebToken;

	public class JwtRequest extends HttpServletRequestWrapper implements TokenAccessor {
	private final Supplier<JsonWebToken> tokenExtractor;
	private final String headerName;
	private volatile JsonWebToken token; // cache for perf reasons

	public JwtRequest(final JwtParser service, final String header, final String cookie,
	final String prefix, final HttpServletRequest request) {
	super(request);
	this.headerName = header;

	this.tokenExtractor = () -> {
	if (token != null) {
	return token;
	}

	synchronized (this) {
	if (token != null) {
	return token;
	}

	boolean fromHeader = true;
	String auth = String.class.cast(
	getAttribute("org.apache.geronimo.microprofile.impl.jwtauth.jaxrs.JAXRSRequestForwarder.header"));
	if (auth == null) {
	auth = getHeader(header);
	}
	if (auth == null) {
	final Cookie[] cookies = getCookies();
	if (cookies != null) {
	fromHeader = false;
	auth = Stream.of(cookies)
	.filter(it -> cookie.equalsIgnoreCase(it.getName()))
	.findFirst()
	.map(Cookie::getValue)
	.orElse(null);
	}
	}
	if (auth == null \|\| auth.isEmpty()) {
	throw new JwtException("No " + header + " header", HttpServletResponse.SC_UNAUTHORIZED);
	}
	if (fromHeader) {
	if (!auth.toLowerCase(Locale.ROOT).startsWith(prefix)) {
	throw new JwtException("No prefix " + prefix + " in header " + header, HttpServletResponse.SC_UNAUTHORIZED);
	}
	token = service.parse(auth.substring(prefix.length()));
	} else {
	token = service.parse(auth.startsWith(prefix) ? auth.substring(prefix.length()) : auth);
	}
	setAttribute(JsonWebToken.class.getName(), token);
	return token;
	}
	};

	// integration hook if needed
	setAttribute(JwtRequest.class.getName(), this);
	setAttribute(JsonWebToken.class.getName() + ".supplier", tokenExtractor);
	setAttribute(Principal.class.getName() + ".supplier", tokenExtractor);
	// not portable but used by some servers like tomee
	setAttribute("javax.security.auth.subject.callable", (Callable<Subject>) () -> {
	final Set<Principal> principals = new LinkedHashSet<>();
	final JsonWebToken namePrincipal = tokenExtractor.get();
	principals.add(namePrincipal);
	principals.addAll(namePrincipal.getGroups().stream().map(role -> (Principal) () -> role).collect(toList()));
	return new Subject(true, principals, emptySet(), emptySet());
	});
	}

	public String getHeaderName() {
	return headerName;
	}

	public TokenAccessor asTokenAccessor() {
	return this;
	}

	@Override
	public JsonWebToken getToken() {
	return tokenExtractor.get();
	}

	@Override
	public Principal getUserPrincipal() {
	return tokenExtractor.get();
	}

	@Override
	public boolean isUserInRole(final String role) {
	return tokenExtractor.get().getGroups().contains(role);
	}

	@Override
	public String getAuthType() {
	return "MP-JWT";
	}
	}