Commit e4eb0b693b618f5d46611a29a842ca2d010e998a

Authored by Paulo Gladson
1 parent b0000174

Ajuste nos escopos e correções no JWT

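--- a/demoiselle-security-jwt/pom.xml
+++ b/demoiselle-security-jwt/pom.xml
@@ -26,14 +26,7 @@
 <dependency>
 <groupId>org.bitbucket.b_c</groupId>
 <artifactId>jose4j</artifactId>
-<version>0.4.1</version>
-</dependency>
-
-<dependency>
-<groupId>com.google.code.gson</groupId>
-<artifactId>gson</artifactId>
-<version>2.2.2</version>
-<scope>compile</scope>
+<version>0.5.2</version>
 </dependency>
 
 </dependencies>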
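--- a/demoiselle-security-jwt/src/main/java/org/demoiselle/jee/security/jwt/impl/TokensManagerImpl.java
+++ b/demoiselle-security-jwt/src/main/java/org/demoiselle/jee/security/jwt/impl/TokensManagerImpl.java
@@ -14,6 +14,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
 import org.demoiselle.jee.core.interfaces.security.Token;
 import org.demoiselle.jee.core.interfaces.security.TokensManager;
+import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.RsaJsonWebKey;
 import org.jose4j.jwk.RsaJwkGenerator;
 import org.jose4j.jws.AlgorithmIdentifiers;
@@ -47,7 +48,8 @@ public class TokensManagerImpl implements TokensManager {
 
 public TokensManagerImpl() throws JoseException {
 if (rsaJsonWebKey == null) {
-rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(RsaJwkGenerator.generateJwk(2048).getKey());
+String chave = RsaJwkGenerator.generateJwk(2048).toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
+rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(chave);
 rsaJsonWebKey.setKeyId("demoiselle-security-jwt");
 }
 }
@@ -61,7 +63,8 @@ public class TokensManagerImpl implements TokensManager {
 .setAllowedClockSkewInSeconds(60) // allow some leeway in validating time based claims to account for clock skew
 .setExpectedIssuer("demoiselle") // whom the JWT needs to have been issued by
 .setExpectedAudience("demoiselle") // to whom the JWT is intended for
-.setVerificationKey(rsaJsonWebKey.getKey()) // verify the signature with the public key
+.setDecryptionKey(rsaJsonWebKey.getPrivateKey()) // decrypt with the receiver's private key
+.setVerificationKey(rsaJsonWebKey.getPublicKey())
 .build(); // create the JwtConsumer instance
 JwtClaims jwtClaims = jwtConsumer.processToClaims(token.getKey());
 loggedUser.setId((String) jwtClaims.getClaimValue("id"));
@@ -102,14 +105,14 @@ public class TokensManagerImpl implements TokensManager {
 
 JsonWebSignature jws = new JsonWebSignature();
 jws.setPayload(claims.toJson());
-jws.setKey(rsaJsonWebKey.getKey());
+jws.setKey(rsaJsonWebKey.getRsaPrivateKey());
 jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
-jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA512);
+jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
 token.setKey(jws.getCompactSerialization());
 token.setType("JWT");
 } catch (JoseException ex) {
-ex.printStackTrace();
-// logger.severe(ex.getMessage());
+//ex.printStackTrace();
+logger.severe(ex.getMessage());
 }
 
 }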
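Review bot: The JwtConsumer built in the `@@ -61` hunk pins the verification key but not the signature algorithm, so the `alg` header remains under the sender's control within whatever the RSA public key can validate; now that the issuing side signs with `AlgorithmIdentifiers.RSA_USING_SHA256`, add `.setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256))` to the builder chain (import `org.jose4j.jwa.AlgorithmConstraints`) so the consumer only accepts the algorithm this module actually issues. `setDecryptionKey` looks unnecessary here, since the `@@ -102` hunk produces a plain JWS and nothing visible encrypts tokens — confirm before keeping it. The builder chain starts above the hunk, so the enclosing method is only partly visible. In the `@@ -102` hunk, `logger.severe(ex.getMessage())` discards the stack trace and the method then returns a token with no key set; `logger.log(Level.SEVERE, "JWT signing failed", ex);` (import `java.util.logging.Level`) followed by rethrowing would keep the cause and make the failure visible to callers.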
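--- a/demoiselle-security-token/src/main/java/org/demoiselle/jee/security/token/impl/TokensManagerImpl.java
+++ b/demoiselle-security-token/src/main/java/org/demoiselle/jee/security/token/impl/TokensManagerImpl.java
@@ -8,7 +8,7 @@ package org.demoiselle.jee.security.token.impl;
 import static java.util.UUID.randomUUID;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Logger;
-import javax.enterprise.context.Dependent;
+import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
 import org.demoiselle.jee.core.interfaces.security.Token;
@@ -18,10 +18,10 @@ import org.demoiselle.jee.core.interfaces.security.TokensManager;
 *
 * @author 70744416353
 */
-@Dependent
+@ApplicationScoped
 public class TokensManagerImpl implements TokensManager {
 
-private static ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
+private ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
 
 @Inject
 private Logger logger;
@@ -56,7 +56,7 @@ public class TokensManagerImpl implements TokensManager {
 
 @Override
 public boolean validate() {
-return getUser() != null && getUser().getId() != null;
+return getUser() != null;
 }
 
 }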
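Review bot: `validate()` in the `@@ -56` hunk now accepts any stored principal, including one whose `getId()` is null, which the previous version rejected; if callers treat a validated principal's id as present, keep `return getUser() != null && getUser().getId() != null;` or reject a null id when the principal is stored. With the bean moved to `@ApplicationScoped`, `repo` becomes the single process-wide token store; nothing in this section removes entries, so unless the unseen part of the class evicts tokens on logout or expiry the map grows without bound — worth confirming and recording on the field, e.g. `// Process-wide token store; entries live until explicitly removed`.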
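--- a/demoiselle-security/src/main/java/org/demoiselle/jee/security/impl/SecurityContextImpl.java
+++ b/demoiselle-security/src/main/java/org/demoiselle/jee/security/impl/SecurityContextImpl.java
@@ -6,6 +6,7 @@
 */
 package org.demoiselle.jee.security.impl;
 
+import javax.enterprise.context.Dependent;
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;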
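--- a/demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredPermissionInterceptor.java
+++ b/demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredPermissionInterceptor.java
@@ -76,7 +76,6 @@ public class RequiredPermissionInterceptor implements Serializable {
 }
 
 if (!securityContext.hasPermission(resource, operation)) {
-logger.severe(bundle.doesNotHavePermission(operation, resource));
 throw new DemoiselleSecurityException(bundle.doesNotHavePermission(operation, resource), UNAUTHORIZED.getStatusCode());
 }
 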
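Review bot: Removing `logger.severe(bundle.doesNotHavePermission(operation, resource))` leaves the denied-authorization branch in this hunk with no log record of its own; unless the handler for `DemoiselleSecurityException` logs the denial (not visible here), failed permission checks vanish from the application log, which is the signal an operator relies on to notice misconfigured roles or repeated rejected access. If the goal was to avoid duplicate logging, a lower-level entry such as `logger.fine(bundle.doesNotHavePermission(operation, resource));` before the throw keeps the trail without the noise. The same removal is made in RequiredRoleInterceptor (the `@@ -83` hunk of the next file). The enclosing method starts and ends outside the hunk.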
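--- a/demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredRoleInterceptor.java
+++ b/demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredRoleInterceptor.java
@@ -83,7 +83,6 @@ public class RequiredRoleInterceptor implements Serializable {
 }
 
 if (userRoles.isEmpty()) {
-logger.severe(bundle.doesNotHaveRole(roles.toString()));
 throw new DemoiselleSecurityException(bundle.doesNotHaveRole(roles.toString()), UNAUTHORIZED.getStatusCode());
 }
 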