Merge pull request payara#5008 from fturizo/FISH-651_MP_JWT_Disable_T…

…ype_Validation Added proprietary property to disable verification of token's "typ" c…
Cousjava · Nov 30, 2020 · d2fbddd · d2fbddd
1 parent 5fa6b36
commit d2fbddd
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 6 deletions.
diff --git a/...uth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.java b/...uth/src/main/java/fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.java
@@ -73,7 +73,7 @@
 
 /**
  * Identity store capable of asserting that a signed JWT token is valid
- * according to the MP-JWT 1.0 spec.
+ * according to the MP-JWT 1.1 spec.
  *
  * @author Arjan Tijms
  */
@@ -86,6 +86,7 @@ public class SignedJWTIdentityStore implements IdentityStore {
     private final String acceptedIssuer;
     private final Optional<Boolean> enabledNamespace;
     private final Optional<String> customNamespace;
+    private final Optional<Boolean> disableTypeVerification;
 
     private final Config config;
 
@@ -99,10 +100,11 @@ public SignedJWTIdentityStore() {
 
         enabledNamespace = readEnabledNamespace(properties);
         customNamespace = readCustomNamespace(properties);
+        disableTypeVerification = readDisableTypeVerification(properties);
     }
 
     public CredentialValidationResult validate(SignedJWTCredential signedJWTCredential) {
-        final JwtTokenParser jwtTokenParser = new JwtTokenParser(enabledNamespace, customNamespace);
+        final JwtTokenParser jwtTokenParser = new JwtTokenParser(enabledNamespace, customNamespace, disableTypeVerification);
         try {
             jwtTokenParser.parse(signedJWTCredential.getSignedJWT());
             String keyID = jwtTokenParser.getKeyID();
@@ -161,6 +163,10 @@ private Optional<String> readCustomNamespace(Optional<Properties> properties) {
         return properties.isPresent() ? Optional.ofNullable(properties.get().getProperty("custom.namespace", null)) : Optional.empty();
     }
 
+    private Optional<Boolean> readDisableTypeVerification(Optional<Properties> properties) {
+        return properties.isPresent() ? Optional.ofNullable(Boolean.valueOf(properties.get().getProperty("disable.type.verification", "false"))) : Optional.empty();
+    }
+
     private Optional<PublicKey> readDefaultPublicKey() throws Exception {
         return readPublicKeyFromLocation("/publicKey.pem", null);
     }
@@ -280,5 +286,4 @@ private JsonObject findJwk(JsonArray keys, String keyID) {
 
         throw new IllegalStateException("No matching JWK for KeyID.");
     }
-
 }
diff --git a/...roprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.java b/...roprofile/jwt-auth/src/main/java/fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.java
@@ -39,6 +39,7 @@
  */
 package fish.payara.microprofile.jwtauth.jwt;
 
+import com.nimbusds.jose.JOSEObjectType;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jwt.SignedJWT;
@@ -71,18 +72,21 @@ public class JwtTokenParser {
     private final List<Claims> requiredClaims = asList(iss, sub, exp, iat, jti, groups);
 
     private final boolean enableNamespacedClaims;
+    private final boolean disableTypeVerification;
     private final Optional<String> customNamespace;
+
 
     private String rawToken;
     private SignedJWT signedJWT;
 
-    public JwtTokenParser(Optional<Boolean> enableNamespacedClaims, Optional<String> customNamespace) {
+    public JwtTokenParser(Optional<Boolean> enableNamespacedClaims, Optional<String> customNamespace, Optional<Boolean> disableTypeVerification) {
         this.enableNamespacedClaims = enableNamespacedClaims.orElse(false);
+        this.disableTypeVerification = disableTypeVerification.orElse(false);
         this.customNamespace = customNamespace;
     }
 
     public JwtTokenParser() {
-        this(Optional.empty(), Optional.empty());
+        this(Optional.empty(), Optional.empty(), Optional.empty());
     }
 
     public void parse(String bearerToken) throws Exception {
@@ -197,7 +201,10 @@ private boolean checkIssuer(Map<String, JsonValue> presentedClaims, String accep
     }
 
     private boolean checkIsJWT(JWSHeader header) {
-        return header.getType().toString().equals("JWT");
+        return disableTypeVerification || Optional.ofNullable(header.getType())
+                                                    .map(JOSEObjectType::toString)
+                                                    .orElse("")
+                                                    .equals("JWT");
     }
 
     private String getCallerPrincipalName(Map<String, JsonValue> rawClaims) {