
CF-244: Fix logic in JwtTokenEnhancer so verifier and signer are consistent

Change-Id: I780a8c7715b5a00d89e4e29fa8de49ee65024827
1 parent bd9957b commit 8085d0d08c78612e94ebc39afb15fde97f2e8bdb @dsyer dsyer committed Feb 9, 2013
@@ -124,14 +124,18 @@ private boolean isPublic(String key) {
* @param key the signature verification key (typically an RSA public key)
*/
public void setVerifierKey(String key) {
- this.verifierKey = key;
+ boolean valid = false;
try {
- new RsaSigner(verifierKey);
- throw new IllegalArgumentException("Private key cannot be set as verifierKey property");
+ new RsaSigner(key);
}
catch (Exception expected) {
// Expected
+ valid = true;
}
+ if (!valid) {
+ throw new IllegalArgumentException("Private key cannot be set as verifierKey property");
+ }
+ this.verifierKey = key;
}
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
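Review bot: The guard in setVerifierKey now fires, but `catch (Exception expected)` turns every failure of `new RsaSigner(key)` into "acceptable verifier key", including a null or otherwise malformed `key`, and the flag name `valid` records the opposite of what it says (it is true only when construction fails). If RsaSigner's constructor throws a specific type for non-private input, catch that type rather than Exception; and if a null verifier key is not meaningful here, reject it before the try with `Assert.notNull(key, "verifierKey must not be null");` so it is not silently stored. The `// Expected` comment should also carry the reasoning, e.g. `// RsaSigner presumably accepts only private keys, so a failed construction means key is a public key or a MAC secret, which is what a verifier key should be` — confirm against RsaSigner, which is not in this hunk. Renaming the flag to something like `notPrivateKey` would make the `if (!valid)` branch read naturally.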
@@ -178,7 +182,7 @@ public void afterPropertiesSet() throws Exception {
}
}
else {
- // Avoid a race condition where
+ // Avoid a race condition where verifier is set after signer to a different (possibly incompatible value)
Assert.state(this.signingKey == this.verifierKey,
"For MAC signing you do not need to specify the verifier key separately, and if you do it must match the signing key");
}
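Review bot: `this.signingKey == this.verifierKey` in the Assert.state compares String references, so two equal keys that arrive as separate instances (for example from two property sources) fail an assertion whose message says they must "match"; the new comment gives the motive but not that reference identity is deliberate. The added test keysNotSameWithMacSigner pins identity semantics with `new String("aKey")`, so presumably setSigningKey stores the same instance into verifierKey and identity is how a separately-set verifier is detected — say so in the comment, e.g. `// Deliberately reference identity, not equals: setSigningKey assigns the same instance to verifierKey, so a different instance means the verifier was set separately, possibly to an incompatible value`, and verify that against setSigningKey, which is outside this hunk. "Race condition" also overstates it: this is a setter-ordering problem, not concurrent access. The enclosing afterPropertiesSet starts outside the hunk.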
@@ -59,6 +59,22 @@ public void testEnhanceAccessToken() {
assertTrue("Wrong claims: " + claims, claims.contains("\"" + JwtTokenEnhancer.TOKEN_ID + "\""));
}
+ @Test(expected=IllegalArgumentException.class)
+ public void accidentallySetPrivateKeyAsVerifier() throws Exception {
+ String rsaKey = "-----BEGIN RSA PRIVATE KEY-----\n"
+ + "MIIBywIBAAJhAOTeb4AZ+NwOtPh+ynIgGqa6UWNVe6JyJi+loPmPZdpHtzoqubnC \n"
+ + "wEs6JSiSZ3rButEAw8ymgLV6iBY02hdjsl3h5Z0NWaxx8dzMZfXe4EpfB04ISoqq\n"
+ + "hZCxchvuSDP4eQIDAQABAmEAqUuYsuuDWFRQrZgsbGsvC7G6zn3HLIy/jnM4NiJK\n"
+ + "t0JhWNeN9skGsR7bqb1Sak2uWqW8ZqnqgAC32gxFRYHTavJEk6LTaHWovwDEhPqc\n"
+ + "Zs+vXd6tZojJQ35chR/slUEBAjEA/sAd1oFLWb6PHkaz7r2NllwUBTvXL4VcMWTS\n"
+ + "pN+5cU41i9fsZcHw6yZEl+ZCicDxAjEA5f3R+Bj42htNI7eylebew1+sUnFv1xT8\n"
+ + "jlzxSzwVkoZo+vef7OD6OcFLeInAHzAJAjEAs6izolK+3ETa1CRSwz0lPHQlnmdM\n"
+ + "Y/QuR5tuPt6U/saEVuJpkn4LNRtg5qt6I4JRAjAgFRYTG7irBB/wmZFp47izXEc3\n"
+ + "gOdvA1hvq3tlWU5REDrYt24xpviA0fvrJpwMPbECMAKDKdiDi6Q4/iBkkzNMefA8\n"
+ + "7HX27b9LR33don/1u/yvzMUo+lrRdKAFJ+9GPE9XFA== \n" + "-----END RSA PRIVATE KEY-----";
+ tokenEnhancer.setVerifierKey(rsaKey);
+ }
+
@Test
public void rsaKeyCreatesValidRsaSignedTokens() throws Exception {
String rsaKey = "-----BEGIN RSA PRIVATE KEY----- \n"
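Review bot: The key literal in accidentallySetPrivateKeyAsVerifier duplicates the one rsaKeyCreatesValidRsaSignedTokens builds (the trailing lines of this hunk and the next are the same key text), so extract it once as `private static final String TEST_RSA_PRIVATE_KEY` with a comment marking it as a throwaway test fixture rather than a credential. The test also proves only the exception type; since the actual fix is that verifierKey is no longer assigned before the check, a stronger test would catch the IllegalArgumentException and then assert the verifier key is still its previous value, if the enhancer exposes it (cannot tell from here). Note the BEGIN line here keeps a trailing space before `\n` while the next hunk strips the one after the END marker; keeping both consistent avoids the test passing for the wrong reason.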
@@ -71,7 +87,7 @@ public void rsaKeyCreatesValidRsaSignedTokens() throws Exception {
+ "jlzxSzwVkoZo+vef7OD6OcFLeInAHzAJAjEAs6izolK+3ETa1CRSwz0lPHQlnmdM\n"
+ "Y/QuR5tuPt6U/saEVuJpkn4LNRtg5qt6I4JRAjAgFRYTG7irBB/wmZFp47izXEc3\n"
+ "gOdvA1hvq3tlWU5REDrYt24xpviA0fvrJpwMPbECMAKDKdiDi6Q4/iBkkzNMefA8\n"
- + "7HX27b9LR33don/1u/yvzMUo+lrRdKAFJ+9GPE9XFA== \n" + "-----END RSA PRIVATE KEY----- ";
+ + "7HX27b9LR33don/1u/yvzMUo+lrRdKAFJ+9GPE9XFA== \n" + "-----END RSA PRIVATE KEY-----";
tokenEnhancer.setSigningKey(rsaKey);
OAuth2Authentication authentication = new OAuth2Authentication(new DefaultAuthorizationRequest("foo", null),
userAuthentication);
@@ -123,4 +139,11 @@ public void keysNotMatchingWithMacSigner() throws Exception {
tokenEnhancer.afterPropertiesSet();
}
+ @Test(expected = IllegalStateException.class)
+ public void keysNotSameWithMacSigner() throws Exception {
+ tokenEnhancer.setSigningKey("aKey");
+ tokenEnhancer.setVerifierKey(new String("aKey"));
+ tokenEnhancer.afterPropertiesSet();
+ }
+
}
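Review bot: `tokenEnhancer.setVerifierKey(new String("aKey"))` looks like a redundant String constructor that a linter or a later cleanup will "fix", but it is the whole point of keysNotSameWithMacSigner: it forces a distinct instance so the reference-identity check in afterPropertiesSet fails. Add a comment that pins this, e.g. `// Intentionally a distinct String instance: afterPropertiesSet checks reference identity, not equals`. The test name could say the same, for instance distinctVerifierInstanceRejectedWithMacSigner.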

