Ajuste nos escopos e correções no JWT

Paulo Gladson
1 parent b0000174
Showing 6 changed files with 15 additions and 20 deletions Show diff stats
demoiselle-security-jwt/pom.xml
demoiselle-security-jwt/src/main/java/org/demoiselle/jee/security/jwt/impl/TokensManagerImpl.java
demoiselle-security-token/src/main/java/org/demoiselle/jee/security/token/impl/TokensManagerImpl.java
demoiselle-security/src/main/java/org/demoiselle/jee/security/impl/SecurityContextImpl.java
demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredPermissionInterceptor.java
demoiselle-security/src/main/java/org/demoiselle/jee/security/interceptor/RequiredRoleInterceptor.java
@@ -26,14 +26,7 @@
         <dependency>
             <groupId>org.bitbucket.b_c</groupId>
             <artifactId>jose4j</artifactId>
-            <version>0.4.1</version>
-        </dependency>
-        
-        <dependency>
-            <groupId>com.google.code.gson</groupId>
-            <artifactId>gson</artifactId>
-            <version>2.2.2</version>
-            <scope>compile</scope>
+            <version>0.5.2</version>
         </dependency>
     </dependencies>
@@ -14,6 +14,7 @@ import javax.servlet.http.HttpServletRequest;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
 import org.demoiselle.jee.core.interfaces.security.Token;
 import org.demoiselle.jee.core.interfaces.security.TokensManager;
+import org.jose4j.jwk.JsonWebKey;
 import org.jose4j.jwk.RsaJsonWebKey;
 import org.jose4j.jwk.RsaJwkGenerator;
 import org.jose4j.jws.AlgorithmIdentifiers;
@@ -47,7 +48,8 @@ public class TokensManagerImpl implements TokensManager {
     public TokensManagerImpl() throws JoseException {
         if (rsaJsonWebKey == null) {
-            rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(RsaJwkGenerator.generateJwk(2048).getKey());
+            String chave = RsaJwkGenerator.generateJwk(2048).toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
+            rsaJsonWebKey = (RsaJsonWebKey) RsaJsonWebKey.Factory.newPublicJwk(chave);
             rsaJsonWebKey.setKeyId("demoiselle-security-jwt");
         }
     }
@@ -61,7 +63,8 @@ public class TokensManagerImpl implements TokensManager {
                         .setAllowedClockSkewInSeconds(60) // allow some leeway in validating time based claims to account for clock skew
                         .setExpectedIssuer("demoiselle") // whom the JWT needs to have been issued by
                         .setExpectedAudience("demoiselle") // to whom the JWT is intended for
-                        .setVerificationKey(rsaJsonWebKey.getKey()) // verify the signature with the public key
+                        .setDecryptionKey(rsaJsonWebKey.getPrivateKey()) // decrypt with the receiver's private key
+                        .setVerificationKey(rsaJsonWebKey.getPublicKey())
                         .build(); // create the JwtConsumer instance
                 JwtClaims jwtClaims = jwtConsumer.processToClaims(token.getKey());
                 loggedUser.setId((String) jwtClaims.getClaimValue("id"));
@@ -102,14 +105,14 @@ public class TokensManagerImpl implements TokensManager {
             JsonWebSignature jws = new JsonWebSignature();
             jws.setPayload(claims.toJson());
-            jws.setKey(rsaJsonWebKey.getKey());
+            jws.setKey(rsaJsonWebKey.getRsaPrivateKey());
             jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
-            jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA512);
+            jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
             token.setKey(jws.getCompactSerialization());
             token.setType("JWT");
         } catch (JoseException ex) {
-            ex.printStackTrace();
-            //  logger.severe(ex.getMessage());
+            //ex.printStackTrace();
+            logger.severe(ex.getMessage());
         }
     }
@@ -8,7 +8,7 @@ package org.demoiselle.jee.security.token.impl;
 import static java.util.UUID.randomUUID;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Logger;
-import javax.enterprise.context.Dependent;
+import javax.enterprise.context.ApplicationScoped;
 import javax.inject.Inject;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
 import org.demoiselle.jee.core.interfaces.security.Token;
@@ -18,10 +18,10 @@ import org.demoiselle.jee.core.interfaces.security.TokensManager;
  *
  * @author 70744416353
  */
-@Dependent
+@ApplicationScoped
 public class TokensManagerImpl implements TokensManager {
-    private static ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
+    private ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
     @Inject
     private Logger logger;
@@ -56,7 +56,7 @@ public class TokensManagerImpl implements TokensManager {
     @Override
     public boolean validate() {
-        return getUser() != null && getUser().getId() != null;
+        return getUser() != null;
     }
 }
@@ -6,6 +6,7 @@
  */
 package org.demoiselle.jee.security.impl;
+import javax.enterprise.context.Dependent;
 import javax.enterprise.context.RequestScoped;
 import javax.inject.Inject;
 import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
@@ -76,7 +76,6 @@ public class RequiredPermissionInterceptor implements Serializable {
         }
         if (!securityContext.hasPermission(resource, operation)) {
-            logger.severe(bundle.doesNotHavePermission(operation, resource));
             throw new DemoiselleSecurityException(bundle.doesNotHavePermission(operation, resource), UNAUTHORIZED.getStatusCode());
         }
@@ -83,7 +83,6 @@ public class RequiredRoleInterceptor implements Serializable {
         }
         if (userRoles.isEmpty()) {
-            logger.severe(bundle.doesNotHaveRole(roles.toString()));
             throw new DemoiselleSecurityException(bundle.doesNotHaveRole(roles.toString()), UNAUTHORIZED.getStatusCode());
         }
	@@ -26,14 +26,7 @@		@@ -26,14 +26,7 @@
26	<dependency>	26	<dependency>
27	<groupId>org.bitbucket.b_c</groupId>	27	<groupId>org.bitbucket.b_c</groupId>
28	<artifactId>jose4j</artifactId>	28	<artifactId>jose4j</artifactId>
29	- <version>0.4.1</version>
30	- </dependency>
31	-
32	- <dependency>
33	- <groupId>com.google.code.gson</groupId>
34	- <artifactId>gson</artifactId>
35	- <version>2.2.2</version>
36	- <scope>compile</scope>	29	+ <version>0.5.2</version>
37	</dependency>	30	</dependency>
38		31
39	</dependencies>	32	</dependencies>
	@@ -8,7 +8,7 @@ package org.demoiselle.jee.security.token.impl;		@@ -8,7 +8,7 @@ package org.demoiselle.jee.security.token.impl;
8	import static java.util.UUID.randomUUID;	8	import static java.util.UUID.randomUUID;
9	import java.util.concurrent.ConcurrentHashMap;	9	import java.util.concurrent.ConcurrentHashMap;
10	import java.util.logging.Logger;	10	import java.util.logging.Logger;
11	-import javax.enterprise.context.Dependent;	11	+import javax.enterprise.context.ApplicationScoped;
12	import javax.inject.Inject;	12	import javax.inject.Inject;
13	import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;	13	import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
14	import org.demoiselle.jee.core.interfaces.security.Token;	14	import org.demoiselle.jee.core.interfaces.security.Token;
	@@ -18,10 +18,10 @@ import org.demoiselle.jee.core.interfaces.security.TokensManager;		@@ -18,10 +18,10 @@ import org.demoiselle.jee.core.interfaces.security.TokensManager;
18	*	18	*
19	* @author 70744416353	19	* @author 70744416353
20	*/	20	*/
21	-@Dependent	21	+@ApplicationScoped
22	public class TokensManagerImpl implements TokensManager {	22	public class TokensManagerImpl implements TokensManager {
23		23
24	- private static ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();	24	+ private ConcurrentHashMap<String, DemoisellePrincipal> repo = new ConcurrentHashMap<>();
25		25
26	@Inject	26	@Inject
27	private Logger logger;	27	private Logger logger;
	@@ -56,7 +56,7 @@ public class TokensManagerImpl implements TokensManager {		@@ -56,7 +56,7 @@ public class TokensManagerImpl implements TokensManager {
56		56
57	@Override	57	@Override
58	public boolean validate() {	58	public boolean validate() {
59	- return getUser() != null && getUser().getId() != null;	59	+ return getUser() != null;
60	}	60	}
61		61
62	}	62	}
	@@ -6,6 +6,7 @@		@@ -6,6 +6,7 @@
6	*/	6	*/
7	package org.demoiselle.jee.security.impl;	7	package org.demoiselle.jee.security.impl;
8		8
		9	+import javax.enterprise.context.Dependent;
9	import javax.enterprise.context.RequestScoped;	10	import javax.enterprise.context.RequestScoped;
10	import javax.inject.Inject;	11	import javax.inject.Inject;
11	import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;	12	import org.demoiselle.jee.core.interfaces.security.DemoisellePrincipal;
	@@ -76,7 +76,6 @@ public class RequiredPermissionInterceptor implements Serializable {		@@ -76,7 +76,6 @@ public class RequiredPermissionInterceptor implements Serializable {
76	}	76	}
77		77
78	if (!securityContext.hasPermission(resource, operation)) {	78	if (!securityContext.hasPermission(resource, operation)) {
79	- logger.severe(bundle.doesNotHavePermission(operation, resource));
80	throw new DemoiselleSecurityException(bundle.doesNotHavePermission(operation, resource), UNAUTHORIZED.getStatusCode());	79	throw new DemoiselleSecurityException(bundle.doesNotHavePermission(operation, resource), UNAUTHORIZED.getStatusCode());
81	}	80	}
82		81
	@@ -83,7 +83,6 @@ public class RequiredRoleInterceptor implements Serializable {		@@ -83,7 +83,6 @@ public class RequiredRoleInterceptor implements Serializable {
83	}	83	}
84		84
85	if (userRoles.isEmpty()) {	85	if (userRoles.isEmpty()) {
86	- logger.severe(bundle.doesNotHaveRole(roles.toString()));
87	throw new DemoiselleSecurityException(bundle.doesNotHaveRole(roles.toString()), UNAUTHORIZED.getStatusCode());	86	throw new DemoiselleSecurityException(bundle.doesNotHaveRole(roles.toString()), UNAUTHORIZED.getStatusCode());
88	}	87	}
89		88