directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From plusplusjia...@apache.org
Subject [38/48] directory-kerby git commit: DIRKRB-436 KDC accepts an unsigned JWT token.
Date Wed, 04 Nov 2015 08:26:04 GMT
DIRKRB-436 KDC accepts an unsigned JWT token.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/23eee00f
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/23eee00f
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/23eee00f

Branch: refs/heads/pkinit-support
Commit: 23eee00f8e320559d45a9285a9983610aaad146f
Parents: e567dfd
Author: plusplus_jiajia <jiajia.li@intel.com>
Authored: Fri Oct 23 15:41:23 2015 +0800
Committer: plusplus_jiajia <jiajia.li@intel.com>
Committed: Fri Oct 23 15:41:23 2015 +0800

----------------------------------------------------------------------
 .../org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java | 4 +---
 .../apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java   | 4 +---
 .../kerberos/kerb/server/preauth/token/TokenPreauth.java      | 3 +++
 .../apache/kerby/kerberos/provider/token/JwtTokenDecoder.java | 7 +++++++
 4 files changed, 12 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
index 6c8020e..3a2d4ff 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithAccessTokenKdcTest.java
@@ -71,10 +71,8 @@ public class WithAccessTokenKdcTest extends WithTokenKdcTestBase {
             Assert.assertTrue(ex instanceof KrbException);
         }
     }
-    
-    // TODO - not failing yet.
+
     @Test
-    @org.junit.Ignore
     public void testUnsignedToken() throws Exception {
         prepareToken(getServerPrincipal(), ISSUER, AUDIENCE, null, null);
         

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
----------------------------------------------------------------------
diff --git a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
index b0dd04d..3c0895f 100644
--- a/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
+++ b/kerby-kdc-test/src/test/java/org/apache/kerby/kerberos/kdc/WithIdentityTokenKdcTest.java
@@ -73,10 +73,8 @@ public class WithIdentityTokenKdcTest extends WithTokenKdcTestBase {
             Assert.assertTrue(ex instanceof KrbException);
         }
     }
-    
-    // TODO - not failing yet.
+
     @Test
-    @org.junit.Ignore
     public void testUnsignedToken() throws Exception {
         prepareToken(null, ISSUER, "krbtgt2@EXAMPLE.COM", null, null);
         

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
----------------------------------------------------------------------
diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
index f3c8741..a2c57d6 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.java
@@ -88,6 +88,9 @@ public class TokenPreauth extends AbstractPreauthPlugin {
             AuthToken authToken = null;
             try {
                 authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
+                if (!((JwtTokenDecoder) tokenDecoder).isSigned()) {
+                    throw new KrbException("Token should be signed.");
+                }
             } catch (IOException e) {
                 throw new KrbException("Decoding failed", e);
             }

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/23eee00f/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
----------------------------------------------------------------------
diff --git a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
index 50a2ece..b42dd86 100644
--- a/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
+++ b/kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.java
@@ -55,6 +55,7 @@ public class JwtTokenDecoder implements TokenDecoder {
     private Object decryptionKey;
     private Object verifyKey;
     private List<String> audiences = null;
+    private boolean signed = false;
 
     /**
      * {@inheritDoc}
@@ -100,6 +101,7 @@ public class JwtTokenDecoder implements TokenDecoder {
                 boolean success = verifySignedJWT(signedJWT) && verifyToken(signedJWT);
                 if (success) {
                     try {
+                        signed = true;
                         return new JwtAuthToken(signedJWT.getJWTClaimsSet());
                     } catch (ParseException e) {
                         throw new IOException("Failed to get JWT claims set", e);
@@ -123,6 +125,7 @@ public class JwtTokenDecoder implements TokenDecoder {
             boolean success = verifySignedJWT(signedJWT) && verifyToken(signedJWT);
             if (success) {
                 try {
+                    signed = true;
                     return new JwtAuthToken(signedJWT.getJWTClaimsSet());
                 } catch (ParseException e) {
                     throw new IOException("Failed to get JWT claims set", e);
@@ -274,4 +277,8 @@ public class JwtTokenDecoder implements TokenDecoder {
         }
         return valid;
     }
+
+    public boolean isSigned() {
+        return signed;
+    }
 }


Mime
View raw message