Authn/Authz Analyzer Findings: 6 detected
⚠️ Potential Authn/Authz Function Used or Modified jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java (click for details)
|
|
Type |
Potential Authn/Authz Function Used or Modified |
Description |
The code contains a method named getJSonResponse that takes a User object, an AuthorizationGrant object, and a collection of scopes as parameters. This suggests that the code is related to authentication and authorization, as it is likely processing user information and authorization-related data to generate a JSON response. |
Filename |
jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java |
CodeLink |
|
/** |
|
* Builds a JSon String with the response parameters. |
|
*/ |
|
public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws InvalidClaimException { |
|
log.trace("Building JSON reponse with next scopes {} for user {} and user custom attributes {}", scopes, user.getUserId(), user.getCustomAttributes()); |
|
|
|
JsonWebResponse jwr = new JsonWebResponse(); |
|
|
|
userInfoService.fillJwr(jwr, authorizationGrant); |
|
|
|
// Claims |
|
List<Scope> dynamicScopes = new ArrayList<>(); |
|
⚠️ Potential Authn/Authz Function Used or Modified jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java (click for details)
|
|
Type |
Potential Authn/Authz Function Used or Modified |
Description |
The code contains a method called getJSonResponse that takes a User object and an AuthorizationGrant object as parameters, which suggests that the code is related to authentication or authorization. The AuthorizationGrant object is likely used to manage the user's access privileges or permissions, which is a common function of an authorization system. |
Filename |
jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java |
CodeLink |
|
} |
|
} |
|
|
|
jwr.getClaims().setClaim(scope.getId(), groupClaim); |
|
} else { |
|
for (Map.Entry<String, Object> entry : claims.entrySet()) { |
|
String key = entry.getKey(); |
|
Object value = entry.getValue(); |
|
|
|
if (value instanceof List) { |
|
jwr.getClaims().setClaim(key, (List<String>) value); |
|
} else if (value instanceof Boolean) { |
|
jwr.getClaims().setClaim(key, (Boolean) value); |
|
} else if (value instanceof Date) { |
|
Serializable formattedValue = dateFormatterService.formatClaim((Date) value, key); |
|
jwr.getClaims().setClaimObject(key, formattedValue, true); |
|
} else { |
|
jwr.getClaims().setClaim(key, String.valueOf(value)); |
|
} |
|
} |
|
} |
|
⚠️ Potential Authn/Authz Function Used or Modified jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java (click for details)
|
|
Type |
Potential Authn/Authz Function Used or Modified |
Description |
The provided Java code contains functions related to authentication and authorization. The getJSonResponse method is responsible for handling the authorization grant, which is a crucial part of the authentication and authorization process. Additionally, the code includes functions like validateRequesteClaim and executeExternalUpdateMethods that are likely involved in managing user claims and authorization-related operations. |
Filename |
jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java |
CodeLink |
|
if (validateRequesteClaim(jansAttribute, client.getClaims(), scopes)) { |
|
String ldapClaimName = jansAttribute.getName(); |
|
Object attribute = user.getAttribute(ldapClaimName, optional, jansAttribute.getOxMultiValuedAttribute()); |
|
jwr.getClaims().setClaimFromJsonObject(claim.getName(), attribute); |
|
} |
|
} |
|
} |
|
} |
|
|
|
jwr.getClaims().setSubjectIdentifier(authorizationGrant.getSub()); |
|
|
|
if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) { |
|
final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant); |
|
DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwr, unmodifiableAuthorizationGrant); |
|
externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext); |
|
} |
|
|
|
return jwr.toString(); |
|
} |
|
|
|
public boolean validateRequesteClaim(JansAttribute jansAttribute, String[] clientAllowedClaims, Collection<String> scopes) { |
|
⚠️ Potential Authn/Authz Function Used or Modified jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java (click for details)
|
|
Type |
Potential Authn/Authz Function Used or Modified |
Description |
The code contains a function that appears to be handling authorization-related logic. The function getJSonResponse takes a User object and an AuthorizationGrant object as parameters, which suggests that it is part of an authorization or authentication process. Additionally, the function is iterating through a list of jansAttribute objects, which may be used to retrieve user attributes that are relevant to access control or authentication. |
Filename |
jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java |
CodeLink |
|
String ldapClaimName = jansAttribute.getName(); |
|
|
|
Object attribute = user.getAttribute(ldapClaimName, optional, jansAttribute.getOxMultiValuedAttribute()); |
|
jwr.getClaims().setClaimFromJsonObject(claimName, attribute); |
|
} |
|
} |
|
} |
|
⚠️ Potential Authn/Authz Function Used or Modified jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java (click for details)
|
|
Type |
Potential Authn/Authz Function Used or Modified |
Description |
The code contains a method called requestUserInfoGet that takes parameters accessToken and authorization, which are commonly used in authentication and authorization processes. Additionally, the method is part of a class called UserInfoRestWebServiceImpl, which suggests that it is related to user information and potentially involves authentication or authorization functionality. |
Filename |
jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java |
CodeLink |
|
@Inject |
|
private DateFormatterService dateFormatterService; |
|
|
|
@Inject |
|
private UserInfoService userInfoService; |
|
|
|
@Override |
|
public Response requestUserInfoGet(String accessToken, String authorization, HttpServletRequest request, SecurityContext securityContext) { |
|
return requestUserInfo(accessToken, authorization, request, securityContext); |
|
⚠️ Potential Authn/Authz Function Used or Modified jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoService.java (click for details)
|
|
Type |
Potential Authn/Authz Function Used or Modified |
Description |
The provided Java code contains a function named fillJwr that takes an AuthorizationGrant object as a parameter. This suggests that the code is related to authentication or authorization processes, as the AuthorizationGrant object is likely used to manage the authorization of users or clients in the application. |
Filename |
jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoService.java |
CodeLink |
|
package io.jans.as.server.userinfo.ws.rs; |
|
|
|
import io.jans.as.model.token.JsonWebResponse; |
|
import io.jans.as.server.model.common.AuthorizationGrant; |
|
import io.jans.util.IdUtil; |
|
import jakarta.enterprise.context.ApplicationScoped; |
|
import jakarta.inject.Inject; |
|
import org.apache.commons.lang3.StringUtils; |
|
import org.slf4j.Logger; |
|
|
|
/** |
|
* @author Yuriy Z |
|
*/ |
|
@ApplicationScoped
public class UserInfoService {

    @Inject
    private Logger log;

    /**
     * Populates the scope-independent claims of a UserInfo response.
     *
     * <p>Every call writes a fresh {@code jti}; the grant's client id is copied into
     * {@code client_id} only when it is non-blank. All other claims are left to the caller.
     *
     * @param jwr                the response whose claims are written
     * @param authorizationGrant the grant whose client id is exposed as {@code client_id}
     */
    public void fillJwr(JsonWebResponse jwr, AuthorizationGrant authorizationGrant) {
        final String grantClientId = authorizationGrant.getClientId();

        // NOTE(review): a jti only supports replay detection if it is unique and
        // unpredictable; that property rests on IdUtil.randomShortUUID() — confirm
        // its randomness source before relying on it.
        jwr.getClaims().setClaim("jti", IdUtil.randomShortUUID());

        // A blank client id is simply omitted rather than emitted as an empty claim.
        if (StringUtils.isBlank(grantClientId)) {
            return;
        }
        jwr.getClaims().setClaim("client_id", grantClientId);
    }
}
|