Merge pull request #27701 from jimmy1wu/jwtRunAsServer

runAsServer before signing/verifying jws and encrypting/decrypting jwe

dev/com.ibm.ws.security.jwt/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2017, 2023 IBM Corporation and others.
+# Copyright (c) 2017, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
@@ -75,7 +75,8 @@ Import-Package: \
     com.ibm.ws.ssl;version="[1.0.0, 2.0)";resolution:=optional, \
     com.ibm.ws.security.wim;version="[1.0.0, 2.0)";resolution:=optional, \
     com.ibm.wsspi.security.wim.model;version="[1.0.0, 2.0)";resolution:=optional, \
-    com.ibm.ws.kernel.productinfo
+    com.ibm.ws.kernel.productinfo, \
+    com.ibm.ws.kernel.security.thread
 
 Private-Package: \
     com.ibm.ws.security.jwt.internal.*, \
@@ -137,7 +138,8 @@ instrument.classesExcludes: com/ibm/ws/security/jwt/internal/resources/*.class
     io.openliberty.com.google.gson;version=latest, \
     com.ibm.ws.org.osgi.annotation.versioning;version=latest, \
     com.ibm.json4j;version=latest, \
-    com.ibm.ws.kernel.boot.core;version=latest
+    com.ibm.ws.kernel.boot.core;version=latest, \
+    com.ibm.ws.kernel.security.thread;version=latest
 
 -testpath: \
     ../build.sharedResources/lib/junit/old/junit.jar;version=file, \

dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/internal/ConsumerUtil.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016, 2023 IBM Corporation and others.
+ * Copyright (c) 2016, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -45,6 +45,7 @@
 import com.ibm.websphere.security.jwt.JwtToken;
 import com.ibm.websphere.security.jwt.KeyException;
 import com.ibm.websphere.security.jwt.KeyStoreServiceException;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 import com.ibm.ws.security.common.crypto.KeyAlgorithmChecker;
 import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
 import com.ibm.ws.security.common.time.TimeUtils;
@@ -855,6 +856,7 @@ void validateAlgorithm(String requiredAlg, String tokenAlg) throws InvalidTokenE
 
     void processJwtContextWithConsumer(JwtConsumer jwtConsumer, JwtContext jwtContext)
             throws InvalidTokenException, InvalidJwtException {
+        Object token = ThreadIdentityManager.runAsServer();
         try {
             jwtConsumer.processContext(jwtContext);
         } catch (InvalidJwtSignatureException e) {
@@ -869,6 +871,8 @@ void processJwtContextWithConsumer(JwtConsumer jwtConsumer, JwtContext jwtContex
                 // message
                 throw e;
             }
+        } finally {
+            ThreadIdentityManager.reset(token);
         }
     }
 

dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JweHelper.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2020, 2022 IBM Corporation and others.
+ * Copyright (c) 2020, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -32,6 +32,7 @@
 import com.ibm.websphere.security.jwt.InvalidTokenException;
 import com.ibm.websphere.security.jwt.KeyException;
 import com.ibm.ws.ffdc.annotation.FFDCIgnore;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
 import com.ibm.ws.security.common.jwk.impl.JwkKidBuilder;
 import com.ibm.ws.security.jwt.config.JwtConfig;
@@ -169,7 +170,13 @@ static String getJwePayload(String jweString, @Sensitive Key decryptionKey) thro
         JsonWebEncryption jwe = new JsonWebEncryption();
         jwe.setCompactSerialization(jweString);
         jwe.setKey(decryptionKey);
-        String payload = jwe.getPayload();
+        String payload = null;
+        Object token = ThreadIdentityManager.runAsServer();
+        try {
+            payload = jwe.getPayload();
+        } finally {
+            ThreadIdentityManager.reset(token);
+        }
         if (isJws(payload)) {
             verifyContentType(jwe);
         }
@@ -317,10 +324,13 @@ static String getContentEncryptionAlgorithmFromConfig(JwtConfig jwtConfig) {
 
     static String getJwtString(JsonWebEncryption jwe) throws JwtTokenException {
         String jwt = null;
+        Object token = ThreadIdentityManager.runAsServer();
         try {
             jwt = jwe.getCompactSerialization();
         } catch (Exception e) {
             throw new JwtTokenException(e.getLocalizedMessage(), e);
+        } finally {
+            ThreadIdentityManager.reset(token);
         }
         return jwt;
     }

dev/com.ibm.ws.security.jwt/src/com/ibm/ws/security/jwt/utils/JwsSigner.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016 IBM Corporation and others.
+ * Copyright (c) 2016, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -20,6 +20,7 @@
 import org.jose4j.jwt.JwtClaims;
 
 import com.ibm.ws.ffdc.annotation.FFDCIgnore;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 import com.ibm.ws.security.jwt.internal.JwtTokenException;
 
 /**
@@ -85,7 +86,7 @@ public static String getSignedJwt(JwtClaims claims, JwtData jwtData) throws JwtT
 		// payload
 		// of a JsonWebEncryption object and set the cty (Content Type) header
 		// to "jwt".
-
+		Object token = ThreadIdentityManager.runAsServer();
 		try {
 			jwt = jws.getCompactSerialization();
 		} catch (Exception e) {
@@ -95,6 +96,8 @@ public static String getSignedJwt(JwtClaims claims, JwtData jwtData) throws JwtT
 			// * Tr.formatMessage(tc,
 			// * "JWT_CANNOT_GENERATE_JWT", objs),
 			// */"Can not generate JWT", e);
+		} finally {
+			ThreadIdentityManager.reset(token);
 		}
 		// if (tc.isDebugEnabled()) {
 		// Tr.debug(tc, "JWT=", jwt);

dev/com.ibm.ws.security.oauth/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2019, 2023 IBM Corporation and others.
+# Copyright (c) 2019, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
@@ -145,7 +145,8 @@ Include-Resource: \
 	com.ibm.ws.org.eclipse.equinox.metatype;version=latest,\
 	com.ibm.ws.security.jwt;version=latest,\
 	com.ibm.ws.kernel.boot.core;version=latest,\
-	com.ibm.ws.security.sso.common;version=latest
+	com.ibm.ws.security.sso.common;version=latest,\
+	com.ibm.ws.kernel.security.thread;version=latest
 
 -testpath: \
     ../build.sharedResources/lib/junit/old/junit.jar;version=file, \

dev/com.ibm.ws.security.oauth/src/com/ibm/ws/security/oauth20/plugins/jose4j/JwsSigner.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016 IBM Corporation and others.
+ * Copyright (c) 2016, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -22,6 +22,7 @@
 import com.ibm.websphere.ras.Tr;
 import com.ibm.websphere.ras.TraceComponent;
 import com.ibm.ws.ffdc.annotation.FFDCIgnore;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 import com.ibm.ws.security.oauth20.TraceConstants;
 import com.ibm.ws.webcontainer.security.openidconnect.OidcServerConfig;
 
@@ -82,12 +83,15 @@ public static String getSignedJwt(JwtClaims claims, OidcServerConfig oidcServerC
         // base64url-encoded parts in the form Header.Payload.Signature
         // If you wanted to encrypt it, you can simply set this jwt as the payload
         // of a JsonWebEncryption object and set the cty (Content Type) header to "jwt".
+        Object token = ThreadIdentityManager.runAsServer();
         try {
             jwt = jws.getCompactSerialization();
         } catch (Exception e) {
             Object[] objs = new Object[] { oidcServerConfig.getProviderId(), e.getLocalizedMessage() };
             Tr.error(tc, "JWT_CANNOT_GENERATE_JWT", objs);
             throw new JWTTokenException(Tr.formatMessage(tc, "JWT_CANNOT_GENERATE_JWT", objs), e);
+        } finally {
+            ThreadIdentityManager.reset(token);
         }
         if (tc.isDebugEnabled()) {
             Tr.debug(tc, "JWT=", jwt);

dev/com.ibm.ws.security.openidconnect.clients.common/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2018, 2023 IBM Corporation and others.
+# Copyright (c) 2018, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
@@ -84,7 +84,8 @@ Private-Package: \
 	com.ibm.ws.config;version=latest,\
 	io.openliberty.security.oidcclientcore.internal;version=latest,\
 	io.openliberty.security.common.jwt;version=latest,\
-	com.ibm.ws.security.oauth.2.0;version=latest
+	com.ibm.ws.security.oauth.2.0;version=latest,\
+	com.ibm.ws.kernel.security.thread;version=latest
 
 -testpath: \
 	../build.sharedResources/lib/junit/old/junit.jar;version=file,\

dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/jose4j/Jose4jValidator.java

@@ -34,6 +34,7 @@
 import com.ibm.websphere.ras.Tr;
 import com.ibm.websphere.ras.TraceComponent;
 import com.ibm.ws.ffdc.annotation.FFDCIgnore;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 import com.ibm.ws.security.openidconnect.backchannellogout.BackchannelLogoutConstants;
 import com.ibm.ws.security.openidconnect.clients.common.Constants;
 import com.ibm.ws.security.openidconnect.clients.common.OidcClientRequest;
@@ -189,7 +190,7 @@ public JwtClaims parseJwtWithValidation(String jwtString,
         }
 
         JwtConsumer jwtConsumer = builder.build();
-
+        Object token = ThreadIdentityManager.runAsServer();
         try {
             JwtContext validatedJwtContext = jwtConsumer.process(jwtString);
 
@@ -226,6 +227,8 @@ public JwtClaims parseJwtWithValidation(String jwtString,
                 // otherwise throw original Exception
                 throw e;
             }
+        } finally {
+            ThreadIdentityManager.reset(token);
         }
 
         return jwtClaims;
@@ -327,6 +330,7 @@ public JwtClaims validateJwsSignature(JsonWebSignature signature, String jwtStri
         }
 
         JwtConsumer jwtConsumer = builder.build();
+        Object token = ThreadIdentityManager.runAsServer();
         try {
             JwtContext validatedJwtContext = jwtConsumer.process(jwtString);
             return validatedJwtContext.getJwtClaims();
@@ -344,6 +348,8 @@ public JwtClaims validateJwsSignature(JsonWebSignature signature, String jwtStri
             } else {
                 throw new JWTTokenValidationFailedException(e.getMessage(), e);
             }
+        } finally {
+            ThreadIdentityManager.reset(token);
         }
     }
 

dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JWT.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2013, 2023 IBM Corporation and others.
+ * Copyright (c) 2013, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -34,6 +34,7 @@
 import com.ibm.websphere.ras.annotation.Sensitive;
 import com.ibm.ws.ffdc.FFDCFilter;
 import com.ibm.ws.ffdc.annotation.FFDCIgnore;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 import com.ibm.ws.security.openidconnect.clients.common.Constants;
 
 public class JWT {
@@ -360,8 +361,13 @@ private String serializeAndSign(WSJsonToken token) throws InvalidKeyException, U
         }
         // todo: did we miss any?
         jws.setKey(getKey(alg)); // private key
-        return jws.getCompactSerialization();
 
+        Object threadIdentityToken = ThreadIdentityManager.runAsServer();
+        try {
+            return jws.getCompactSerialization();
+        } finally {
+            ThreadIdentityManager.reset(threadIdentityToken);
+        }
     }
 
     public String getSignedJWTString() throws SignatureException, InvalidKeyException {

dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/token/JsonTokenUtil.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2013, 2022 IBM Corporation and others.
+ * Copyright (c) 2013, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -43,6 +43,7 @@
 import com.google.gson.stream.JsonToken;
 import com.ibm.websphere.ras.annotation.Sensitive;
 import com.ibm.ws.common.encoder.Base64Coder;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 
 /**
  * Some utility functions for {@link JsonToken}s.
@@ -383,7 +384,12 @@ public static void validateTokenString(String tokenString, String alg, @Sensitiv
         }
 
         JwtConsumer secondPassJwtConsumer = secondBuilder.build();
-        secondPassJwtConsumer.processContext(jwtContext);
+        Object token = ThreadIdentityManager.runAsServer();
+        try {
+            secondPassJwtConsumer.processContext(jwtContext);
+        } finally {
+            ThreadIdentityManager.reset(token);
+        }
     }
 
     static Object getJsonPrimitive(JsonPrimitive primitive) {

dev/io.openliberty.security.common.jwt/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2022, 2023 IBM Corporation and others.
+# Copyright (c) 2022, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
@@ -42,7 +42,8 @@ Private-Package: \
     com.ibm.ws.security.common;version=latest,\
     com.ibm.ws.security.common.jsonwebkey;version=latest,\
     com.ibm.ws.org.apache.httpcomponents;version=latest,\
-    com.ibm.ws.ssl;version=latest
+    com.ibm.ws.ssl;version=latest, \
+    com.ibm.ws.kernel.security.thread;version=latest
 
 -testpath: \
     ../build.sharedResources/lib/junit/old/junit.jar;version=file,\

dev/io.openliberty.security.common.jwt/src/io/openliberty/security/common/jwt/jws/JwsSignatureVerifier.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2022, 2023 IBM Corporation and others.
+ * Copyright (c) 2022, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -24,6 +24,7 @@
 
 import com.ibm.websphere.ras.Tr;
 import com.ibm.websphere.ras.TraceComponent;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 
 import io.openliberty.security.common.jwt.JwtParsingUtils;
 import io.openliberty.security.common.jwt.exceptions.JwtContextMissingJoseObjects;
@@ -81,8 +82,13 @@ public JwtClaims validateJwsSignature(JwtContext jwtContext) throws JwtContextMi
         JwtConsumerBuilder builder = createJwtConsumerBuilderWithConstraints(algHeader);
 
         JwtConsumer jwtConsumer = builder.build();
-        JwtContext validatedJwtContext = jwtConsumer.process(jwtContext.getJwt());
-        return validatedJwtContext.getJwtClaims();
+        Object token = ThreadIdentityManager.runAsServer();
+        try {
+            JwtContext validatedJwtContext = jwtConsumer.process(jwtContext.getJwt());
+            return validatedJwtContext.getJwtClaims();
+        } finally {
+            ThreadIdentityManager.reset(token);
+        }
     }
 
     public JwtConsumerBuilder createJwtConsumerBuilderWithConstraints(String algHeader) throws SigningKeyNotSpecifiedException {

dev/io.openliberty.security.oidcclientcore.internal/bnd.bnd

@@ -1,5 +1,5 @@
 #*******************************************************************************
-# Copyright (c) 2022, 2023 IBM Corporation and others.
+# Copyright (c) 2022, 2024 IBM Corporation and others.
 # All rights reserved. This program and the accompanying materials
 # are made available under the terms of the Eclipse Public License 2.0
 # which accompanies this distribution, and is available at
@@ -61,7 +61,8 @@ Export-Package: \
 	com.ibm.ws.org.jose4j;version=latest,\
 	com.ibm.ws.security.common.jsonwebkey;version=latest,\
 	io.openliberty.security.common.jwt;version=latest,\
-	com.ibm.ws.kernel.boot.core;version=latest
+	com.ibm.ws.kernel.boot.core;version=latest, \
+	com.ibm.ws.kernel.security.thread;version=latest
 
 -testpath: \
 	../build.sharedResources/lib/junit/old/junit.jar;version=file,\

dev/io.openliberty.security.oidcclientcore.internal/src/io/openliberty/security/oidcclientcore/token/auth/PrivateKeyJwtAuthMethod.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2023 IBM Corporation and others.
+ * Copyright (c) 2023, 2024 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License 2.0
  * which accompanies this distribution, and is available at
@@ -25,6 +25,7 @@
 import com.ibm.websphere.ras.TraceComponent;
 import com.ibm.websphere.ras.annotation.Sensitive;
 import com.ibm.ws.ffdc.annotation.FFDCIgnore;
+import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
 import com.ibm.ws.security.common.ssl.SecuritySSLUtils;
 import com.ibm.ws.ssl.KeyStoreService;
 
@@ -140,7 +141,12 @@ private String getSignedJwt(JwtClaims claims) throws Exception {
         jws.setKey(clientAssertionSigningKey);
         jws.setDoKeyValidation(false);
 
-        return jws.getCompactSerialization();
+        Object token = ThreadIdentityManager.runAsServer();
+        try {
+            return jws.getCompactSerialization();
+        } finally {
+            ThreadIdentityManager.reset(token);
+        }
     }
 
     @Sensitive