Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-08 13:12:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Additional Jwt Validation Debug Messages

Browse Source 
Closes gh-8589

Co-authored-by: MattyA <mat.auburn@gmail.com>
This commit is contained in:
Josh Cummings 2020-07-30 16:21:28 -06:00
parent e937366f50
commit 48a0514965
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 23 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java
View File

@ -15,6 +15,9 @@
*/ */
package org.springframework.security.oauth2.jwt; package org.springframework.security.oauth2.jwt;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@ -28,6 +31,8 @@ import org.springframework.util.Assert;
* @since 5.1 * @since 5.1
*/ */
public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> { public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
private final Log logger = LogFactory.getLog(getClass());
private static OAuth2Error INVALID_ISSUER = private static OAuth2Error INVALID_ISSUER =
new OAuth2Error( new OAuth2Error(
OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.INVALID_REQUEST,
@ -57,6 +62,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
if (this.issuer.equals(tokenIssuer)) { if (this.issuer.equals(tokenIssuer)) {
return OAuth2TokenValidatorResult.success(); return OAuth2TokenValidatorResult.success();
} else { } else {
logger.debug(INVALID_ISSUER.getDescription());
return OAuth2TokenValidatorResult.failure(INVALID_ISSUER); return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
} }
} }

28
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java
View File

@ -20,11 +20,13 @@ import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.time.temporal.ChronoUnit; import java.time.temporal.ChronoUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult; import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
@ -42,6 +44,8 @@ import org.springframework.util.Assert;
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a> * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>
*/ */
public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> { public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
private final Log logger = LogFactory.getLog(getClass());
private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS); private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);
private final Duration maxClockSkew; private final Duration maxClockSkew;
@ -72,11 +76,8 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
if (expiry != null) { if (expiry != null) {
if (Instant.now(this.clock).minus(maxClockSkew).isAfter(expiry)) { if (Instant.now(this.clock).minus(maxClockSkew).isAfter(expiry)) {
OAuth2Error error = new OAuth2Error( OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
OAuth2ErrorCodes.INVALID_REQUEST, return OAuth2TokenValidatorResult.failure(oAuth2Error);
String.format("Jwt expired at %s", jwt.getExpiresAt()),
"https://tools.ietf.org/html/rfc6750#section-3.1");
return OAuth2TokenValidatorResult.failure(error);
} }
} }
@ -84,17 +85,22 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
if (notBefore != null) { if (notBefore != null) {
if (Instant.now(this.clock).plus(maxClockSkew).isBefore(notBefore)) { if (Instant.now(this.clock).plus(maxClockSkew).isBefore(notBefore)) {
OAuth2Error error = new OAuth2Error( OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt used before %s", jwt.getNotBefore()));
OAuth2ErrorCodes.INVALID_REQUEST, return OAuth2TokenValidatorResult.failure(oAuth2Error);
String.format("Jwt used before %s", jwt.getNotBefore()),
"https://tools.ietf.org/html/rfc6750#section-3.1");
return OAuth2TokenValidatorResult.failure(error);
} }
} }
return OAuth2TokenValidatorResult.success(); return OAuth2TokenValidatorResult.success();
} }
private OAuth2Error createOAuth2Error(String reason) {
logger.debug(reason);
return new OAuth2Error(
OAuth2ErrorCodes.INVALID_REQUEST,
reason,
"https://tools.ietf.org/html/rfc6750#section-3.1");
}
/** /**
* ' * '
* Use this {@link Clock} with {@link Instant#now()} for assessing * Use this {@link Clock} with {@link Instant#now()} for assessing