Fix security vulnerability
alessiostalla committed Apr 1, 2021
1 parent cc3aebd commit 8c754a0
Showing 3 changed files with 11 additions and 15 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Expand Up @@ -13,8 +13,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Security.groovy can now have user beans injected with @Autowired.

### Fixed
- Backwards compatibility: revert `T extends Serializable` in CRUD actions, introduced in v5.2.0. [#428](https://github.com/ManyDesigns/Portofino/issues/428)
- Important security vulnerability that may have allowed access with forged tokens.
- Authentication token refresh after expiration. [#430](https://github.com/ManyDesigns/Portofino/issues/430)
- Backwards compatibility: revert `T extends Serializable` in CRUD actions, introduced in v5.2.0. [#428](https://github.com/ManyDesigns/Portofino/issues/428)

## [5.2.0] – 2020-11-30

Expand Down
@@ -1,9 +1,7 @@
package com.manydesigns.portofino.dispatcher.security.jwt;

import com.manydesigns.portofino.dispatcher.security.RolesPermission;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.*;
import io.jsonwebtoken.io.Decoders;
import org.apache.commons.configuration2.Configuration;
import org.apache.shiro.authc.AuthenticationException;
Expand Down Expand Up @@ -53,9 +51,9 @@ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
String secret = getSecret();
Key key = new SecretKeySpec(Decoders.BASE64.decode(secret), getSignatureAlgorithm().getJcaName());

Jwt jwt = Jwts.parser().
Jws<Claims> jwt = Jwts.parser().
setSigningKey(key).
parse((String) token.getPrincipal());
parseClaimsJws((String) token.getPrincipal());
Map<String, Serializable> principal = getPrincipal(jwt);
return new SimpleAuthenticationInfo(principal, ((String) token.getCredentials()).toCharArray(), getName());
}
Expand All @@ -64,7 +62,7 @@ protected SignatureAlgorithm getSignatureAlgorithm() {
return SignatureAlgorithm.HS512;
}

protected Map<String, Serializable> getPrincipal(Jwt jwt) {
protected Map<String, Serializable> getPrincipal(Jws<Claims> jwt) {
Map<String, Serializable> principal = new HashMap<>();
principal.put("jwt", (Serializable) jwt.getBody());
return principal;
Expand Down
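Review bot: The `parseClaimsJws` call that replaces `parse` in the second hunk now rejects unsigned tokens, but any `JwtException` it throws (bad signature, expired token, malformed input) leaves `doGetAuthenticationInfo` unwrapped, whereas the sibling realm's `loadAuthenticationInfo` converts the same failure into `AuthenticationException`; Shiro code that catches `AuthenticationException` will instead see an unexpected runtime exception. Wrap the parse the same way: `try { jwt = Jwts.parser().setSigningKey(key).parseClaimsJws((String) token.getPrincipal()); } catch (JwtException e) { throw new AuthenticationException(e); }`. Handing the parser only a key also leaves the header's `alg` to the library — presumably any HMAC variant is accepted with that key — so consider pinning it after parsing: `if (!getSignatureAlgorithm().getValue().equals(jwt.getHeader().getAlgorithm())) throw new AuthenticationException("unexpected JWT algorithm");`. `doGetAuthenticationInfo`'s signature sits above the hunk (it appears only in the hunk header) and `getSecret()` is not shown, so whether the decoded secret is long enough for HS512 (at least 64 random bytes) cannot be checked here.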
Expand Up @@ -24,10 +24,7 @@
import com.manydesigns.elements.reflection.JavaClassAccessor;
import com.manydesigns.portofino.code.CodeBase;
import com.manydesigns.portofino.security.SecurityLogic;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.*;
import io.jsonwebtoken.io.Decoders;
import org.apache.commons.configuration2.Configuration;
import org.apache.shiro.authc.AuthenticationException;
Expand Down Expand Up @@ -100,9 +97,9 @@ public boolean supports(AuthenticationToken token) {

public AuthenticationInfo loadAuthenticationInfo(JSONWebToken token) {
Key key = getJWTKey();
Jwt jwt;
Jws<Claims> jwt;
try {
jwt = Jwts.parser().setSigningKey(key).parse(token.getPrincipal());
jwt = Jwts.parser().setSigningKey(key).parseClaimsJws(token.getPrincipal());
} catch (JwtException e) {
throw new AuthenticationException(e);
}
Expand All @@ -111,8 +108,8 @@ public AuthenticationInfo loadAuthenticationInfo(JSONWebToken token) {
return new SimpleAuthenticationInfo(principal, credentials, getName());
}

protected Object extractPrincipalFromWebToken(Jwt jwt) {
Map body = (Map) jwt.getBody();
protected Object extractPrincipalFromWebToken(Jws<Claims> jwt) {
Map<String, Object> body = jwt.getBody();
String base64Principal = (String) body.get("serialized-principal");
byte[] serializedPrincipal = Base64.decode(base64Principal);
Object principal;
Expand Down
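Review bot: In `extractPrincipalFromWebToken` (third hunk, the lines after `Map<String, Object> body = jwt.getBody();`) the `serialized-principal` claim is cast to `String` and Base64-decoded with no null check, so a correctly signed token that simply lacks the claim reaches `Base64.decode(null)` and presumably fails with a NullPointerException (or a ClassCastException for a non-string claim) instead of the `AuthenticationException` that `loadAuthenticationInfo`'s `catch (JwtException e)` produces for bad tokens; add `if (base64Principal == null) throw new AuthenticationException("missing serialized-principal claim");` before the decode. The method name and `Object principal;` suggest the decoded bytes are then fed to Java native deserialization, which is cut off below the hunk; signature verification now limits that path to holders of the HMAC secret, but a leaked or weak secret turns it into a gadget-chain sink, so an `ObjectInputFilter` allow-listing the principal's classes (or a JSON representation of the principal) is worth a follow-up. The method's body continues outside the hunk.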
