honeymoose
/
jjwt
mirror of https://github.com/jwtk/jjwt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Issue #10 Switching Claims validation after the JWT signature was validated.

This commit is contained in:
josebarrueta 2014-11-21 21:21:05 -08:00
parent 47ec679046
commit 5699a69256
5 changed files with 113 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
src/main/java/io/jsonwebtoken/ClaimJwtException.java Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright (C) 2014 jsonwebtoken.io
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken;
/**
* ClaimJwtException is a subclass of the {@link JwtException} that is thrown after a validation of an JTW claim failed.
*
* @since 0.5
*/
public abstract class ClaimJwtException extends JwtException {
private final Header header;
private final Claims claims;
protected ClaimJwtException(Header header, Claims claims, String message) {
super(message);
this.header = header;
this.claims = claims;
}
protected ClaimJwtException(Header header, Claims claims, String message, Throwable cause) {
super(message, cause);
this.header = header;
this.claims = claims;
}
public Claims getClaims() {
return claims;
}
public Header getHeader() {
return header;
}
}

10
src/main/java/io/jsonwebtoken/ExpiredJwtException.java
View File

@ -20,13 +20,13 @@ package io.jsonwebtoken;
* *
* @since 0.3 * @since 0.3
*/ */
public class ExpiredJwtException extends JwtException { public class ExpiredJwtException extends ClaimJwtException {
public ExpiredJwtException(String message) { public ExpiredJwtException(Header header, Claims claims, String message) {
super(message); super(header, claims, message);
} }
public ExpiredJwtException(String message, Throwable cause) { public ExpiredJwtException(Header header, Claims claims, String message, Throwable cause) {
super(message, cause); super(header, claims, message, cause);
} }
} }

10
src/main/java/io/jsonwebtoken/PrematureJwtException.java
View File

@ -20,14 +20,14 @@ package io.jsonwebtoken;
* *
* @since 0.3 * @since 0.3
*/ */
public class PrematureJwtException extends JwtException { public class PrematureJwtException extends ClaimJwtException {
public PrematureJwtException(String message) { public PrematureJwtException(Header header, Claims claims, String message) {
super(message); super(header, claims, message);
} }
@SuppressWarnings("UnusedDeclaration") @SuppressWarnings("UnusedDeclaration")
public PrematureJwtException(String message, Throwable cause) { public PrematureJwtException(Header header, Claims claims, String message, Throwable cause) {
super(message, cause); super(header, claims, message, cause);
} }
} }

86
src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
View File

@ -178,49 +178,6 @@ public class DefaultJwtParser implements JwtParser {
claims = new DefaultClaims(claimsMap); claims = new DefaultClaims(claimsMap);
} }
//since 0.3:
if (claims != null) {
Date now = null;
SimpleDateFormat sdf;
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.4
//token MUST NOT be accepted on or after any specified exp time:
Date exp = claims.getExpiration();
if (exp != null) {
now = new Date();
if (now.equals(exp) || now.after(exp)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String expVal = sdf.format(exp);
String nowVal = sdf.format(now);
String msg = "JWT expired at " + expVal + ". Current time: " + nowVal;
throw new ExpiredJwtException(msg);
}
}
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.5
//token MUST NOT be accepted before any specified nbf time:
Date nbf = claims.getNotBefore();
if (nbf != null) {
if (now == null) {
now = new Date();
}
if (now.before(nbf)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String nbfVal = sdf.format(nbf);
String nowVal = sdf.format(now);
String msg = "JWT must not be accepted before " + nbfVal + ". Current time: " + nowVal;
throw new PrematureJwtException(msg);
}
}
}
// =============== Signature ================= // =============== Signature =================
if (base64UrlEncodedDigest != null) { //it is signed - validate the signature if (base64UrlEncodedDigest != null) { //it is signed - validate the signature
@ -287,6 +244,49 @@ public class DefaultJwtParser implements JwtParser {
} }
} }
//since 0.3:
if (claims != null) {
Date now = null;
SimpleDateFormat sdf;
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.4
//token MUST NOT be accepted on or after any specified exp time:
Date exp = claims.getExpiration();
if (exp != null) {
now = new Date();
if (now.equals(exp) || now.after(exp)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String expVal = sdf.format(exp);
String nowVal = sdf.format(now);
String msg = "JWT expired at " + expVal + ". Current time: " + nowVal;
throw new ExpiredJwtException(header, claims, msg);
}
}
//https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30#section-4.1.5
//token MUST NOT be accepted before any specified nbf time:
Date nbf = claims.getNotBefore();
if (nbf != null) {
if (now == null) {
now = new Date();
}
if (now.before(nbf)) {
sdf = new SimpleDateFormat(ISO_8601_FORMAT);
String nbfVal = sdf.format(nbf);
String nowVal = sdf.format(now);
String msg = "JWT must not be accepted before " + nbfVal + ". Current time: " + nowVal;
throw new PrematureJwtException(header, claims, msg);
}
}
}
Object body = claims != null ? claims : payload; Object body = claims != null ? claims : payload;
if (base64UrlEncodedDigest != null) { if (base64UrlEncodedDigest != null) {

16
src/test/groovy/io/jsonwebtoken/JwtParserTest.groovy
View File

@ -421,35 +421,43 @@ class JwtParserTest {
@Test @Test
void testParseClaimsJwsWithExpiredJws() { void testParseClaimsJwsWithExpiredJws() {
String sub = 'Joe'
byte[] key = randomKey() byte[] key = randomKey()
long nowMillis = System.currentTimeMillis(); long nowMillis = System.currentTimeMillis();
//some time in the past: //some time in the past:
Date exp = new Date(nowMillis - 1000); Date exp = new Date(nowMillis - 1000);
String compact = Jwts.builder().setSubject('Joe').signWith(SignatureAlgorithm.HS256, key).setExpiration(exp).compact() String compact = Jwts.builder().setSubject(sub).signWith(SignatureAlgorithm.HS256, key).setExpiration(exp).compact()
try { try {
Jwts.parser().parseClaimsJwt(compact); Jwts.parser().setSigningKey(key).parseClaimsJwt(compact);
fail(); fail();
} catch (ExpiredJwtException e) { } catch (ExpiredJwtException e) {
assertTrue e.getMessage().startsWith('JWT expired at ') assertTrue e.getMessage().startsWith('JWT expired at ')
assertEquals e.getClaims().getSubject(), sub
assertEquals e.getHeader().getAlgorithm(), "HS256"
} }
} }
@Test @Test
void testParseClaimsJwsWithPrematureJws() { void testParseClaimsJwsWithPrematureJws() {
String sub = 'Joe'
byte[] key = randomKey() byte[] key = randomKey()
Date nbf = new Date(System.currentTimeMillis() + 100000); Date nbf = new Date(System.currentTimeMillis() + 100000);
String compact = Jwts.builder().setSubject('Joe').setNotBefore(nbf).signWith(SignatureAlgorithm.HS256, key).compact(); String compact = Jwts.builder().setSubject(sub).setNotBefore(nbf).signWith(SignatureAlgorithm.HS256, key).compact();
try { try {
Jwts.parser().parseClaimsJws(compact); Jwts.parser().setSigningKey(key).parseClaimsJws(compact);
} catch (PrematureJwtException e) { } catch (PrematureJwtException e) {
assertTrue e.getMessage().startsWith('JWT must not be accepted before ') assertTrue e.getMessage().startsWith('JWT must not be accepted before ')
assertEquals e.getClaims().getSubject(), sub
assertEquals e.getHeader().getAlgorithm(), "HS256"
} }
} }