Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-05 02:02:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Additional Jwt Validation Debug Messages

Browse Source 
Closes gh-8589

Co-authored-by: MattyA <mat.auburn@gmail.com>
This commit is contained in:
Josh Cummings 2020-07-30 16:21:28 -06:00
parent 57db8e5d4a
commit 950769fa00
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 26 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
View File

@ -15,6 +15,8 @@
*/ */
package org.springframework.security.oauth2.jwt; package org.springframework.security.oauth2.jwt;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@ -30,6 +32,7 @@ import java.util.function.Predicate;
* @since 5.3 * @since 5.3
*/ */
public final class JwtClaimValidator<T> implements OAuth2TokenValidator<Jwt> { public final class JwtClaimValidator<T> implements OAuth2TokenValidator<Jwt> {
private final Log logger = LogFactory.getLog(getClass());
private final String claim; private final String claim;
private final Predicate<T> test; private final Predicate<T> test;
@ -61,6 +64,7 @@ public final class JwtClaimValidator<T> implements OAuth2TokenValidator<Jwt> {
if (test.test(claimValue)) { if (test.test(claimValue)) {
return OAuth2TokenValidatorResult.success(); return OAuth2TokenValidatorResult.success();
} else { } else {
logger.debug(error.getDescription());
return OAuth2TokenValidatorResult.failure(error); return OAuth2TokenValidatorResult.failure(error);
} }
} }

38
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java
View File

@ -15,17 +15,20 @@
*/ */
package org.springframework.security.oauth2.jwt; package org.springframework.security.oauth2.jwt;
import java.time.Clock; import org.apache.commons.logging.Log;
import java.time.Duration; import org.apache.commons.logging.LogFactory;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult; import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
/** /**
* An implementation of {@link OAuth2TokenValidator} for verifying claims in a Jwt-based access token * An implementation of {@link OAuth2TokenValidator} for verifying claims in a Jwt-based access token
* *
@ -41,6 +44,8 @@ import org.springframework.util.Assert;
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a> * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>
*/ */
public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> { public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
private final Log logger = LogFactory.getLog(getClass());
private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS); private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);
private final Duration clockSkew; private final Duration clockSkew;
@ -56,7 +61,6 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
public JwtTimestampValidator(Duration clockSkew) { public JwtTimestampValidator(Duration clockSkew) {
Assert.notNull(clockSkew, "clockSkew cannot be null"); Assert.notNull(clockSkew, "clockSkew cannot be null");
this.clockSkew = clockSkew; this.clockSkew = clockSkew;
} }
@ -71,11 +75,8 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
if (expiry != null) { if (expiry != null) {
if (Instant.now(this.clock).minus(clockSkew).isAfter(expiry)) { if (Instant.now(this.clock).minus(clockSkew).isAfter(expiry)) {
OAuth2Error error = new OAuth2Error( OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
OAuth2ErrorCodes.INVALID_REQUEST, return OAuth2TokenValidatorResult.failure(oAuth2Error);
String.format("Jwt expired at %s", jwt.getExpiresAt()),
"https://tools.ietf.org/html/rfc6750#section-3.1");
return OAuth2TokenValidatorResult.failure(error);
} }
} }
@ -83,17 +84,22 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
if (notBefore != null) { if (notBefore != null) {
if (Instant.now(this.clock).plus(clockSkew).isBefore(notBefore)) { if (Instant.now(this.clock).plus(clockSkew).isBefore(notBefore)) {
OAuth2Error error = new OAuth2Error( OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt used before %s", jwt.getNotBefore()));
OAuth2ErrorCodes.INVALID_REQUEST, return OAuth2TokenValidatorResult.failure(oAuth2Error);
String.format("Jwt used before %s", jwt.getNotBefore()),
"https://tools.ietf.org/html/rfc6750#section-3.1");
return OAuth2TokenValidatorResult.failure(error);
} }
} }
return OAuth2TokenValidatorResult.success(); return OAuth2TokenValidatorResult.success();
} }
private OAuth2Error createOAuth2Error(String reason) {
logger.debug(reason);
return new OAuth2Error(
OAuth2ErrorCodes.INVALID_REQUEST,
reason,
"https://tools.ietf.org/html/rfc6750#section-3.1");
}
/** /**
* ' * '
* Use this {@link Clock} with {@link Instant#now()} for assessing * Use this {@link Clock} with {@link Instant#now()} for assessing