From matth...@apache.org
Subject svn commit: r1727285 - in /james/project/trunk/server/protocols/jmap/src: main/java/org/apache/james/jmap/crypto/JwtTokenVerifier.java test/java/org/apache/james/jmap/crypto/JwtTokenVerifierTest.java
Date Thu, 28 Jan 2016 09:12:10 GMT
Author: matthieu
Date: Thu Jan 28 09:12:10 2016
New Revision: 1727285

URL: http://svn.apache.org/viewvc?rev=1727285&view=rev
Log:
JAMES-1672 Check validity of JWT token payload before using it

Modified:
    james/project/trunk/server/protocols/jmap/src/main/java/org/apache/james/jmap/crypto/JwtTokenVerifier.java
    james/project/trunk/server/protocols/jmap/src/test/java/org/apache/james/jmap/crypto/JwtTokenVerifierTest.java

Modified: james/project/trunk/server/protocols/jmap/src/main/java/org/apache/james/jmap/crypto/JwtTokenVerifier.java
URL: http://svn.apache.org/viewvc/james/project/trunk/server/protocols/jmap/src/main/java/org/apache/james/jmap/crypto/JwtTokenVerifier.java?rev=1727285&r1=1727284&r2=1727285&view=diff
==============================================================================
--- james/project/trunk/server/protocols/jmap/src/main/java/org/apache/james/jmap/crypto/JwtTokenVerifier.java
(original)
+++ james/project/trunk/server/protocols/jmap/src/main/java/org/apache/james/jmap/crypto/JwtTokenVerifier.java
Thu Jan 28 09:12:10 2016
@@ -21,15 +21,13 @@ package org.apache.james.jmap.crypto;
 import javax.inject.Inject;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Strings;
 
 import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.Jws;
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.MalformedJwtException;
-import io.jsonwebtoken.SignatureException;
-import io.jsonwebtoken.UnsupportedJwtException;
 
 public class JwtTokenVerifier {
 
@@ -42,7 +40,10 @@ public class JwtTokenVerifier {
     }
 
     public boolean verify(String token) throws JwtException {
-        parseToken(token);
+        String subject = extractLogin(token);
+        if (Strings.isNullOrEmpty(subject)) {
+            throw new MalformedJwtException("'subject' field in token is mandatory");
+        }
         return true;
     }
 
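Review bot: The added guard still admits a whitespace-only subject, because `Strings.isNullOrEmpty` rejects only null and zero-length strings, so a correctly signed token carrying `"sub": " "` passes verify() and is presumably handed on as the login. `if (subject == null || subject.trim().isEmpty())` closes that gap while keeping the same MalformedJwtException. Separately, verify() can never return false — it either throws or returns true — so a caller that tests the boolean learns nothing; a Javadoc line such as `@throws JwtException if the token cannot be parsed, its signature does not verify, or the subject claim is missing` plus a note that false is never returned would make the contract explicit. Whether extractLogin also enforces expiry cannot be seen in this hunk; if it does not and tokens carry no `exp`, a once-valid token stays valid indefinitely.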

Modified: james/project/trunk/server/protocols/jmap/src/test/java/org/apache/james/jmap/crypto/JwtTokenVerifierTest.java
URL: http://svn.apache.org/viewvc/james/project/trunk/server/protocols/jmap/src/test/java/org/apache/james/jmap/crypto/JwtTokenVerifierTest.java?rev=1727285&r1=1727284&r2=1727285&view=diff
==============================================================================
--- james/project/trunk/server/protocols/jmap/src/test/java/org/apache/james/jmap/crypto/JwtTokenVerifierTest.java
(original)
+++ james/project/trunk/server/protocols/jmap/src/test/java/org/apache/james/jmap/crypto/JwtTokenVerifierTest.java
Thu Jan 28 09:12:10 2016
@@ -30,6 +30,7 @@ import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import io.jsonwebtoken.MalformedJwtException;
 import io.jsonwebtoken.SignatureException;
 
 public class JwtTokenVerifierTest {
@@ -43,6 +44,7 @@ public class JwtTokenVerifierTest {
             "U1LZUUbJW9/CH45YXz82CYqkrfbnQxqRb2iVbVjs/sHopHd1NTiCfUtwvcYJiBVj\n" +
             "kwIDAQAB\n" +
             "-----END PUBLIC KEY-----";
+    
     private static final String VALID_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.T04BTk"
+
             "LXkJj24coSZkK13RfG25lpvmSl2MJ7N10KpBk9_-95EGYZdog-BDAn3PJzqVw52z-Bwjh4VOj1-j7cURu0cT4jXehhUrlCxS4n7QHZD"
+
             "N_bsEYGu7KzjWTpTsUiHe-rN7izXVFxDGG1TGwlmBCBnPW-EFCf9ylUsJi0r2BKNdaaPRfMIrHptH1zJBkkUziWpBN1RNLjmvlAUf49"
+
@@ -79,15 +81,41 @@ public class JwtTokenVerifierTest {
 
     @Test
     public void shouldThrowOnMismatchingSigningKey() {
-        String token = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.Pd6t82"
+
+        String invalidToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.Pd6t82"
+
                 "tPL3EZdkeYxw_DV2KimE1U2FvuLHmfR_mimJ5US3JFU4J2Gd94O7rwpSTGN1B9h-_lsTebo4ua4xHsTtmczZ9xa8a_kWKaSkqFjNFa"
+
                 "Fp6zcoD6ivCu03SlRqsQzSRHXo6TKbnqOt9D6Y2rNa3C4igSwoS0jUE4BgpXbc0";
 
-        assertThatThrownBy(() -> sut.verify(token))
+        assertThatThrownBy(() -> sut.verify(invalidToken))
             .isInstanceOf(SignatureException.class);
     }
 
     @Test
+    public void verifyShouldThrowWhenSubjectIsNull() {
+        String tokenWithNullSubject = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOm51bGwsIm5hbWUiOiJKb2huIERvZSJ9.EB"
+
+                "_1grWDy_kFelXs3AQeiP13ay4eG_134dWB9XPRSeWsuPs8Mz2UY-VHDxLGD-fAqv-xKXr4QFEnS7iZkdpe0tPLNSwIjqeqkC6KqQln"
+
+                "oC1okqWVWBDOcf7Acp1Jzp_cFTUhL5LkHvZDsyCdq5T9OOVVkzO4A9RrzIUsTrYPtRCBuYJ3ggR33cKpw191PulPGNH70rZqpUfDXe"
+
+                "VPY3q15vWzZH9O9IJzB2KdHRMPxl2luRjzDbh4DLp56NhZuLX_2a9UAlmbV8MQX4Z_04ybhAYrcBfxR3MgJyr0jlxSibqSbXrkXuo-"
+
+                "PyybfZCIhK_qXUlO5OS6sO7AQhKZO9p0MQ";
+
+        assertThatThrownBy(() -> sut.verify(tokenWithNullSubject))
+            .isInstanceOf(MalformedJwtException.class)
+            .hasMessage("'subject' field in token is mandatory");
+    }
+    
+    @Test
+    public void verifyShouldThrowWhenEmptySubject() {
+        String tokenWithEmptySubject = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIiLCJuYW1lIjoiSm9obiBEb2UifQ.UdY"
+
+                "s2PPzFCegUYspoDCnlJR_bJm8_z1InOv4v3tq8SJETQUarOXlhb_n6y6ujVvmJiSx9dI24Hc3Czi3RGUOXbnBDj1WPfd0aVSiUSqZr"
+
+                "MCHBt5vjCYqAseDaP3w4aiiFb6EV3tteJFeBLZx8XlKPYxlzRLLUADDyDSQvrFBBPxfsvCETZovKdo9ofIN64o-yx23ss63yE6oIOd"
+
+                "zJZ1Id40KSR2d7l3kIQJPLKUWJDnro5RAh4DOGOWNSq0JSbMhk7Zn3cXIBUpv3R8p79tui1UQpzwHMC0e6OSuWEDNQHtq-Cz85u8GG"
+
+                "sUSbogmgObA_BimNtUq_Q1p0SGtIYBXmQ";
+
+        assertThatThrownBy(() -> sut.verify(tokenWithEmptySubject))
+            .isInstanceOf(MalformedJwtException.class)
+            .hasMessage("'subject' field in token is mandatory");
+    }
+
+    @Test
     public void shouldReturnUserLoginFromValidToken() {
 
         assertThat(sut.extractLogin(VALID_TOKEN)).isEqualTo("1234567890");
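Review bot: The two new tests cover `"sub": null` and `"sub": ""`, but not a payload that omits the `sub` claim entirely, which is the more likely shape of a token minted without a subject; the check in verify() presumably covers it if an absent claim reads as null, yet nothing here pins that. A `verifyShouldThrowWhenSubjectIsAbsent` case built like the other two, with a payload of just `{"name":"John Doe"}` signed by the same key and asserting the same MalformedJwtException, would close the gap. shouldReturnUserLoginFromValidToken continues past the end of the hunk.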




