From 38e829ef35a09e705c95c639da6410a157b90fdc Mon Sep 17 00:00:00 2001 From: Micah Silverman Date: Mon, 27 Jun 2016 18:51:07 -0400 Subject: [PATCH] Added JWT CSRF expired handling. --- .../jjwtfun/config/CSRFConfig.java | 5 -- .../config/JWTCsrfTokenRepository.java | 6 +- .../jjwtfun/config/WebSecurityConfig.java | 57 +++++++++++++++++-- .../jjwtfun/controller/FormController.java | 7 ++- .../main/resources/templates/expired-jwt.html | 17 ++++++ .../resources/templates/fragments/head.html | 11 ++++ .../templates/jwt-csrf-form-result.html | 2 +- .../resources/templates/jwt-csrf-form.html | 2 +- 8 files changed, 91 insertions(+), 16 deletions(-) create mode 100644 jjwt/src/main/resources/templates/expired-jwt.html diff --git a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/CSRFConfig.java b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/CSRFConfig.java index 1a8f05359c..b3d3bdedfd 100644 --- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/CSRFConfig.java +++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/CSRFConfig.java @@ -1,7 +1,5 @@ package io.jsonwebtoken.jjwtfun.config; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.context.annotation.Bean; @@ -11,9 +9,6 @@ import org.springframework.security.web.csrf.CsrfTokenRepository; @Configuration public class CSRFConfig { - - private static final Logger log = LoggerFactory.getLogger(CSRFConfig.class); - @Value("#{ @environment['jjwtfun.secret'] ?: 'secret' }") String secret; diff --git a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/JWTCsrfTokenRepository.java b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/JWTCsrfTokenRepository.java index 2489beb76e..0a68e4624d 100644 --- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/JWTCsrfTokenRepository.java +++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/JWTCsrfTokenRepository.java @@ -17,9 +17,9 @@ import java.util.UUID; public class JWTCsrfTokenRepository implements CsrfTokenRepository { - private static final Logger log = LoggerFactory.getLogger(JWTCsrfTokenRepository.class); private static final String DEFAULT_CSRF_TOKEN_ATTR_NAME = CSRFConfig.class.getName().concat(".CSRF_TOKEN"); + private static final Logger log = LoggerFactory.getLogger(JWTCsrfTokenRepository.class); private String secret; public JWTCsrfTokenRepository(String secret) { @@ -32,7 +32,7 @@ public class JWTCsrfTokenRepository implements CsrfTokenRepository { String id = UUID.randomUUID().toString().replace("-", ""); Date now = new Date(); - Date exp = new Date(System.currentTimeMillis() + (1000*60)); // 1 minute + Date exp = new Date(System.currentTimeMillis() + (1000*30)); // 30 seconds String token; try { @@ -68,7 +68,7 @@ public class JWTCsrfTokenRepository implements CsrfTokenRepository { @Override public CsrfToken loadToken(HttpServletRequest request) { HttpSession session = request.getSession(false); - if (session == null) { + if (session == null || "GET".equals(request.getMethod())) { return null; } return (CsrfToken) session.getAttribute(DEFAULT_CSRF_TOKEN_ATTR_NAME); diff --git a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java index 2715990d38..c09e8cd179 100644 --- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java +++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/config/WebSecurityConfig.java @@ -1,23 +1,72 @@ package io.jsonwebtoken.jjwtfun.config; +import io.jsonwebtoken.JwtException; +import io.jsonwebtoken.Jwts; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.web.csrf.CsrfFilter; +import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfTokenRepository; +import org.springframework.web.filter.OncePerRequestFilter; + +import javax.servlet.FilterChain; +import javax.servlet.RequestDispatcher; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { + @Value("#{ @environment['jjwtfun.secret'] ?: 'secret' }") + String secret; + @Autowired CsrfTokenRepository jwtCsrfTokenRepository; @Override protected void configure(HttpSecurity http) throws Exception { http - .csrf().csrfTokenRepository(jwtCsrfTokenRepository).and() - .authorizeRequests() - .antMatchers("/**") - .permitAll(); + .addFilterAfter(new JwtCsrfValidatorFilter(), CsrfFilter.class) + .csrf() + .csrfTokenRepository(jwtCsrfTokenRepository) + .ignoringAntMatchers("/dynamic-builder-general") + .ignoringAntMatchers("/dynamic-builder-specific") + .and().authorizeRequests() + .antMatchers("/**") + .permitAll(); + } + + private class JwtCsrfValidatorFilter extends OncePerRequestFilter { + + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { + // NOTE: A real implementation should have a nonce cache so the token cannot be reused + + CsrfToken token = (CsrfToken) request.getAttribute("_csrf"); + + // CsrfFilter already made sure the token matched. + // Here, we'll make sure it's not expired + if ("POST".equals(request.getMethod()) && token != null) { + try { + Jwts.parser() + .setSigningKey(secret.getBytes("UTF-8")) + .parseClaimsJws(token.getToken()); + } catch (JwtException e) { + // most likely an ExpiredJwtException, but this will handle any + request.setAttribute("exception", e); + response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + RequestDispatcher dispatcher = request.getRequestDispatcher("expired-jwt"); + dispatcher.forward(request, response); + } + } + + filterChain.doFilter(request, response); + } } } diff --git a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/FormController.java b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/FormController.java index 178af2f48d..54123c63cb 100644 --- a/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/FormController.java +++ b/jjwt/src/main/java/io/jsonwebtoken/jjwtfun/controller/FormController.java @@ -18,9 +18,12 @@ public class FormController { @RequestMapping(value = "/jwt-csrf-form", method = POST) public String csrfFormPost(@RequestParam(name = "_csrf") String csrf, Model model) { - model.addAttribute("csrf", csrf); - return "jwt-csrf-form-result"; } + + @RequestMapping("/expired-jwt") + public String expiredJwt() { + return "expired-jwt"; + } } diff --git a/jjwt/src/main/resources/templates/expired-jwt.html b/jjwt/src/main/resources/templates/expired-jwt.html new file mode 100644 index 0000000000..7bf9ff258e --- /dev/null +++ b/jjwt/src/main/resources/templates/expired-jwt.html @@ -0,0 +1,17 @@ + + + + + +
+
+
+

JWT CSRF Token expired

+

+ + Back +
+
+
+ + \ No newline at end of file diff --git a/jjwt/src/main/resources/templates/fragments/head.html b/jjwt/src/main/resources/templates/fragments/head.html index ce76b0e655..2d5f54e5a0 100644 --- a/jjwt/src/main/resources/templates/fragments/head.html +++ b/jjwt/src/main/resources/templates/fragments/head.html @@ -8,6 +8,17 @@ + +