Issue #10 Switching Claims validation after the JWT signature was validated.

This commit is contained in:
josebarrueta 2014-11-21 21:21:05 -08:00
parent 47ec679046
commit 5699a69256
5 changed files with 113 additions and 57 deletions

View File

@ -0,0 +1,48 @@
/*
* Copyright (C) 2014 jsonwebtoken.io
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken;
/**
* ClaimJwtException is a subclass of the {@link JwtException} that is thrown after a validation of an JTW claim failed.
*
* @since 0.5
*/
public abstract class ClaimJwtException extends JwtException {
private final Header header;
private final Claims claims;
protected ClaimJwtException(Header header, Claims claims, String message) {
super(message);
this.header = header;
this.claims = claims;
}
protected ClaimJwtException(Header header, Claims claims, String message, Throwable cause) {
super(message, cause);
this.header = header;
this.claims = claims;
}
public Claims getClaims() {
return claims;
}
public Header getHeader() {
return header;
}
}

View File

@ -20,13 +20,13 @@ package io.jsonwebtoken;
*
* @since 0.3
*/
public class ExpiredJwtException extends JwtException {
public class ExpiredJwtException extends ClaimJwtException {
public ExpiredJwtException(String message) {
super(message);
public ExpiredJwtException(Header header, Claims claims, String message) {
super(header, claims, message);
}
public ExpiredJwtException(String message, Throwable cause) {
super(message, cause);
public ExpiredJwtException(Header header, Claims claims, String message, Throwable cause) {
super(header, claims, message, cause);
}
}

View File

@ -20,14 +20,14 @@ package io.jsonwebtoken;
*
* @since 0.3
*/
public class PrematureJwtException extends JwtException {
public class PrematureJwtException extends ClaimJwtException {
public PrematureJwtException(String message) {
super(message);
public PrematureJwtException(Header header, Claims claims, String message) {
super(header, claims, message);
}
@SuppressWarnings("UnusedDeclaration")
public PrematureJwtException(String message, Throwable cause) {
super(message, cause);
public PrematureJwtException(Header header, Claims claims, String message, Throwable cause) {
super(header, claims, message, cause);
}
}

View File

@ -178,49 +178,6 @@ public class DefaultJwtParser implements JwtParser {
claims = new DefaultClaims(claimsMap);
}
//since 0.3:
if (claims != null) {
Date now = null;
SimpleDateFormat sdf;
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.4
//token MUST NOT be accepted on or after any specified exp time:
Date exp = claims.getExpiration();
if (exp != null) {
now = new Date();
if (now.equals(exp) || now.after(exp)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String expVal = sdf.format(exp);
String nowVal = sdf.format(now);
String msg = "JWT expired at " + expVal + ". Current time: " + nowVal;
throw new ExpiredJwtException(msg);
}
}
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.5
//token MUST NOT be accepted before any specified nbf time:
Date nbf = claims.getNotBefore();
if (nbf != null) {
if (now == null) {
now = new Date();
}
if (now.before(nbf)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String nbfVal = sdf.format(nbf);
String nowVal = sdf.format(now);
String msg = "JWT must not be accepted before " + nbfVal + ". Current time: " + nowVal;
throw new PrematureJwtException(msg);
}
}
}
// =============== Signature =================
if (base64UrlEncodedDigest != null) { //it is signed - validate the signature
@ -287,6 +244,49 @@ public class DefaultJwtParser implements JwtParser {
}
}
//since 0.3:
if (claims != null) {
Date now = null;
SimpleDateFormat sdf;
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.4
//token MUST NOT be accepted on or after any specified exp time:
Date exp = claims.getExpiration();
if (exp != null) {
now = new Date();
if (now.equals(exp) || now.after(exp)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String expVal = sdf.format(exp);
String nowVal = sdf.format(now);
String msg = "JWT expired at " + expVal + ". Current time: " + nowVal;
throw new ExpiredJwtException(header, claims, msg);
}
}
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.5
//token MUST NOT be accepted before any specified nbf time:
Date nbf = claims.getNotBefore();
if (nbf != null) {
if (now == null) {
now = new Date();
}
if (now.before(nbf)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String nbfVal = sdf.format(nbf);
String nowVal = sdf.format(now);
String msg = "JWT must not be accepted before " + nbfVal + ". Current time: " + nowVal;
throw new PrematureJwtException(header, claims, msg);
}
}
}
Object body = claims != null ? claims : payload;
if (base64UrlEncodedDigest != null) {

View File

@ -421,35 +421,43 @@ class JwtParserTest {
@Test
void testParseClaimsJwsWithExpiredJws() {
String sub = 'Joe'
byte[] key = randomKey()
long nowMillis = System.currentTimeMillis();
//some time in the past:
Date exp = new Date(nowMillis - 1000);
String compact = Jwts.builder().setSubject('Joe').signWith(SignatureAlgorithm.HS256, key).setExpiration(exp).compact()
String compact = Jwts.builder().setSubject(sub).signWith(SignatureAlgorithm.HS256, key).setExpiration(exp).compact()
try {
Jwts.parser().parseClaimsJwt(compact);
Jwts.parser().setSigningKey(key).parseClaimsJwt(compact);
fail();
} catch (ExpiredJwtException e) {
assertTrue e.getMessage().startsWith('JWT expired at ')
assertEquals e.getClaims().getSubject(), sub
assertEquals e.getHeader().getAlgorithm(), "HS256"
}
}
@Test
void testParseClaimsJwsWithPrematureJws() {
String sub = 'Joe'
byte[] key = randomKey()
Date nbf = new Date(System.currentTimeMillis() + 100000);
String compact = Jwts.builder().setSubject('Joe').setNotBefore(nbf).signWith(SignatureAlgorithm.HS256, key).compact();
String compact = Jwts.builder().setSubject(sub).setNotBefore(nbf).signWith(SignatureAlgorithm.HS256, key).compact();
try {
Jwts.parser().parseClaimsJws(compact);
Jwts.parser().setSigningKey(key).parseClaimsJws(compact);
} catch (PrematureJwtException e) {
assertTrue e.getMessage().startsWith('JWT must not be accepted before ')
assertEquals e.getClaims().getSubject(), sub
assertEquals e.getHeader().getAlgorithm(), "HS256"
}
}