Ajuste nos escopos e correções no JWT

Paulo Gladson
1 parent b0000174
Showing 6 changed files with 15 additions and 20 deletions Show diff stats
demoiselle-security-jwt/pom.xml
demoiselle-security-jwt/src/main/java/org/demoiselle/jee/security/jwt/impl/TokensManagerImpl.java
demoiselle-security-token/src/main/java/org/demoiselle/jee/security/token/impl/TokensManagerImpl.java
demoiselle-security/src/main/java/org/demoiselle/jee/security/impl/SecurityContextImpl.java
demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredPermissionInterceptor.java
demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredRoleInterceptor.java
@@ -26,14 +26,7 @@
         <dependency>
             <groupId>org.bitbucket.b_c</groupId>
             <artifactId>jose4j</artifactId>
-            <version>0.4.1</version>
-        </dependency>
-        
-        <dependency>
-            <groupId>com.google.code.gson</groupId>
-            <artifactId>gson</artifactId>
-            <version>2.2.2</version>
-            <scope>compile</scope>
+            <version>0.5.2</version>
         </dependency>
  
     </dependencies>
@@ -14,6 +14,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
 import org.demoiselle.jee.core.interfaces.security.Token;
 import org.demoiselle.jee.core.interfaces.security.TokensManager;
+import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.RsaJsonWebKey;
 import org.jose4j.jwk.RsaJwkGenerator;
 import org.jose4j.jws.AlgorithmIdentifiers;
@@ -47,7 +48,8 @@ public class TokensManagerImpl implements TokensManager {
  
     public TokensManagerImpl() throws JoseException {
         if (rsaJsonWebKey == null) {
-            rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(RsaJwkGenerator.generateJwk(2048).getKey());
+            String chave = RsaJwkGenerator.generateJwk(2048).toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
+            rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(chave);
             rsaJsonWebKey.setKeyId("demoiselle-security-jwt");
         }
     }
@@ -61,7 +63,8 @@ public class TokensManagerImpl implements TokensManager {
                         .setAllowedClockSkewInSeconds(60) // allow some leeway in validating time based claims to account for clock skew
                         .setExpectedIssuer("demoiselle") // whom the JWT needs to have been issued by
                         .setExpectedAudience("demoiselle") // to whom the JWT is intended for
-                        .setVerificationKey(rsaJsonWebKey.getKey()) // verify the signature with the public key
+                        .setDecryptionKey(rsaJsonWebKey.getPrivateKey()) // decrypt with the receiver's private key
+                        .setVerificationKey(rsaJsonWebKey.getPublicKey())
                         .build(); // create the JwtConsumer instance
                 JwtClaims jwtClaims = jwtConsumer.processToClaims(token.getKey());
                 loggedUser.setId((String) jwtClaims.getClaimValue("id"));
@@ -102,14 +105,14 @@ public class TokensManagerImpl implements TokensManager {
  
             JsonWebSignature jws = new JsonWebSignature();
             jws.setPayload(claims.toJson());
-            jws.setKey(rsaJsonWebKey.getKey());
+            jws.setKey(rsaJsonWebKey.getRsaPrivateKey());
             jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
-            jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA512);
+            jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
             token.setKey(jws.getCompactSerialization());
             token.setType("JWT");
         } catch (JoseException ex) {
-            ex.printStackTrace();
-            //  logger.severe(ex.getMessage());
+            //ex.printStackTrace();
+            logger.severe(ex.getMessage());
         }
  
     }
@@ -8,7 +8,7 @@ package org.demoiselle.jee.security.token.impl;
 import static java.util.UUID.randomUUID;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Logger;
-import javax.enterprise.context.Dependent;
+import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
 import org.demoiselle.jee.core.interfaces.security.Token;
@@ -18,10 +18,10 @@ import org.demoiselle.jee.core.interfaces.security.TokensManager;
  *
  * @author 70744416353
  */
-@Dependent
+@ApplicationScoped
 public class TokensManagerImpl implements TokensManager {
  
-    private static ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
+    private ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
  
     @Inject
     private Logger logger;
@@ -56,7 +56,7 @@ public class TokensManagerImpl implements TokensManager {
  
     @Override
     public boolean validate() {
-        return getUser() != null && getUser().getId() != null;
+        return getUser() != null;
     }
  
 }
@@ -6,6 +6,7 @@
  */
 package org.demoiselle.jee.security.impl;
  
+import javax.enterprise.context.Dependent;
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
@@ -76,7 +76,6 @@ public class RequiredPermissionInterceptor implements Serializable {
         }
  
         if (!securityContext.hasPermission(resource, operation)) {
-            logger.severe(bundle.doesNotHavePermission(operation, resource));
             throw new DemoiselleSecurityException(bundle.doesNotHavePermission(operation, resource), UNAUTHORIZED.getStatusCode());
         }
  
@@ -83,7 +83,6 @@ public class RequiredRoleInterceptor implements Serializable {
         }
  
         if (userRoles.isEmpty()) {
-            logger.severe(bundle.doesNotHaveRole(roles.toString()));
             throw new DemoiselleSecurityException(bundle.doesNotHaveRole(roles.toString()), UNAUTHORIZED.getStatusCode());
         }
...	...	@@ -26,14 +26,7 @@
26	26	<dependency>
27	27	<groupId>org.bitbucket.b_c</groupId>
28	28	<artifactId>jose4j</artifactId>
29		- <version>0.4.1</version>
30		- </dependency>
31		-
32		- <dependency>
33		- <groupId>com.google.code.gson</groupId>
34		- <artifactId>gson</artifactId>
35		- <version>2.2.2</version>
36		- <scope>compile</scope>
	29	+ <version>0.5.2</version>
37	30	</dependency>
38	31
39	32	</dependencies>
...	...
...	...	@@ -14,6 +14,7 @@ import javax.servlet.http.HttpServletRequest;
14	14	import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
15	15	import org.demoiselle.jee.core.interfaces.security.Token;
16	16	import org.demoiselle.jee.core.interfaces.security.TokensManager;
	17	+import org.jose4j.jwk.JsonWebKey;
17	18	import org.jose4j.jwk.RsaJsonWebKey;
18	19	import org.jose4j.jwk.RsaJwkGenerator;
19	20	import org.jose4j.jws.AlgorithmIdentifiers;
...	...	@@ -47,7 +48,8 @@ public class TokensManagerImpl implements TokensManager {
47	48
48	49	public TokensManagerImpl() throws JoseException {
49	50	if (rsaJsonWebKey == null) {
50		- rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(RsaJwkGenerator.generateJwk(2048).getKey());
	51	+ String chave = RsaJwkGenerator.generateJwk(2048).toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
	52	+ rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(chave);
51	53	rsaJsonWebKey.setKeyId("demoiselle-security-jwt");
52	54	}
53	55	}
...	...	@@ -61,7 +63,8 @@ public class TokensManagerImpl implements TokensManager {
61	63	.setAllowedClockSkewInSeconds(60) // allow some leeway in validating time based claims to account for clock skew
62	64	.setExpectedIssuer("demoiselle") // whom the JWT needs to have been issued by
63	65	.setExpectedAudience("demoiselle") // to whom the JWT is intended for
64		- .setVerificationKey(rsaJsonWebKey.getKey()) // verify the signature with the public key
	66	+ .setDecryptionKey(rsaJsonWebKey.getPrivateKey()) // decrypt with the receiver's private key
	67	+ .setVerificationKey(rsaJsonWebKey.getPublicKey())
65	68	.build(); // create the JwtConsumer instance
66	69	JwtClaims jwtClaims = jwtConsumer.processToClaims(token.getKey());
67	70	loggedUser.setId((String) jwtClaims.getClaimValue("id"));
...	...	@@ -102,14 +105,14 @@ public class TokensManagerImpl implements TokensManager {
102	105
103	106	JsonWebSignature jws = new JsonWebSignature();
104	107	jws.setPayload(claims.toJson());
105		- jws.setKey(rsaJsonWebKey.getKey());
	108	+ jws.setKey(rsaJsonWebKey.getRsaPrivateKey());
106	109	jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
107		- jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA512);
	110	+ jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
108	111	token.setKey(jws.getCompactSerialization());
109	112	token.setType("JWT");
110	113	} catch (JoseException ex) {
111		- ex.printStackTrace();
112		- // logger.severe(ex.getMessage());
	114	+ //ex.printStackTrace();
	115	+ logger.severe(ex.getMessage());
113	116	}
114	117
115	118	}
...	...
...	...	@@ -8,7 +8,7 @@ package org.demoiselle.jee.security.token.impl;
8	8	import static java.util.UUID.randomUUID;
9	9	import java.util.concurrent.ConcurrentHashMap;
10	10	import java.util.logging.Logger;
11		-import javax.enterprise.context.Dependent;
	11	+import javax.enterprise.context.ApplicationScoped;
12	12	import javax.inject.Inject;
13	13	import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
14	14	import org.demoiselle.jee.core.interfaces.security.Token;
...	...	@@ -18,10 +18,10 @@ import org.demoiselle.jee.core.interfaces.security.TokensManager;
18	18	*
19	19	* @author 70744416353
20	20	*/
21		-@Dependent
	21	+@ApplicationScoped
22	22	public class TokensManagerImpl implements TokensManager {
23	23
24		- private static ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
	24	+ private ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
25	25
26	26	@Inject
27	27	private Logger logger;
...	...	@@ -56,7 +56,7 @@ public class TokensManagerImpl implements TokensManager {
56	56
57	57	@Override
58	58	public boolean validate() {
59		- return getUser() != null && getUser().getId() != null;
	59	+ return getUser() != null;
60	60	}
61	61
62	62	}
...	...
...	...	@@ -6,6 +6,7 @@
6	6	*/
7	7	package org.demoiselle.jee.security.impl;
8	8
	9	+import javax.enterprise.context.Dependent;
9	10	import javax.enterprise.context.RequestScoped;
10	11	import javax.inject.Inject;
11	12	import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
...	...
...	...	@@ -76,7 +76,6 @@ public class RequiredPermissionInterceptor implements Serializable {
76	76	}
77	77
78	78	if (!securityContext.hasPermission(resource, operation)) {
79		- logger.severe(bundle.doesNotHavePermission(operation, resource));
80	79	throw new DemoiselleSecurityException(bundle.doesNotHavePermission(operation, resource), UNAUTHORIZED.getStatusCode());
81	80	}
82	81
...	...
...	...	@@ -83,7 +83,6 @@ public class RequiredRoleInterceptor implements Serializable {
83	83	}
84	84
85	85	if (userRoles.isEmpty()) {
86		- logger.severe(bundle.doesNotHaveRole(roles.toString()));
87	86	throw new DemoiselleSecurityException(bundle.doesNotHaveRole(roles.toString()), UNAUTHORIZED.getStatusCode());
88	87	}
89	88
...	...