refreshToken is now secured by preToken-Flag

093e0620 · Michael Breu · 465cec3d · 093e0620 · 093e0620 · 093e0620
Commit 093e0620 authored 4 years ago by Michael Breu
--- a/src/main/java/at/ac/uibk/gitsearch/security/jwt/TokenProvider.java
+++ b/src/main/java/at/ac/uibk/gitsearch/security/jwt/TokenProvider.java
@@ -24,7 +24,9 @@ import io.jsonwebtoken.security.Keys;
 @Component
 public class TokenProvider {
-    private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
+    public static final String PRE_TOKEN_CLAIM = "preToken";
+	private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
    private static final String AUTHORITIES_KEY = "auth";
@@ -71,16 +73,17 @@ public class TokenProvider {
        		?tokenValidityInMillisecondsForRememberMe
        		:tokenValidityInMilliseconds;
-        return createToken(authentication, validity);
+        return createToken(authentication, validity, false);
    }
    /**
     * creates a token from authentication given by validity (im msec)
     * @param authentication the authentication
     * @param validity validity in msec
+     * @param preToken include hint that this token entitles for a long term token
     * @return
     */
-	public String createToken(Authentication authentication, long validity) {
+	public String createToken(Authentication authentication, long validity, boolean preToken) {
        Date endTime = new Date(System.currentTimeMillis() + validity);
 		String authorities = authentication.getAuthorities().stream()
@@ -88,9 +91,12 @@ public class TokenProvider {
            .collect(Collectors.joining(","));
-        return Jwts.builder()
+		JwtBuilder jwtBuilder = Jwts.builder()
            .setSubject(authentication.getName())
-            .claim(AUTHORITIES_KEY, authorities)
+            .claim(AUTHORITIES_KEY, authorities);
+        if(preToken)
+        	jwtBuilder = jwtBuilder.claim(PRE_TOKEN_CLAIM, PRE_TOKEN_CLAIM);
+		return jwtBuilder
            .signWith(key, SignatureAlgorithm.HS512)
            .setExpiration(endTime)
            .compact();
@@ -107,10 +113,16 @@ public class TokenProvider {
            Arrays.stream(claims.get(AUTHORITIES_KEY).toString().split(","))
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
+        String preTokenFlag = (String) claims.get(PRE_TOKEN_CLAIM);
        User principal = new User(claims.getSubject(), "", authorities);
-        return new UsernamePasswordAuthenticationToken(principal, token, authorities);
+        final UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(principal, token, authorities);
+        if(preTokenFlag !=null) {
+        	authentication.setDetails(Collections.singletonMap(TokenProvider.PRE_TOKEN_CLAIM, preTokenFlag));
+        }
+		return authentication;
    }
    public boolean validateToken(String authToken) {

--- a/src/main/java/at/ac/uibk/gitsearch/security/oauth2/SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport.java
+++ b/src/main/java/at/ac/uibk/gitsearch/security/oauth2/SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport.java
@@ -36,7 +36,7 @@ public class SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport extends
 	}
-	private static int REQUEST_TOKEN_LIVETIME = 200; // seconds
+	private static int REQUEST_TOKEN_LIVETIME = 10; // seconds
 	@Override
 	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
 			Authentication authentication) throws ServletException, IOException {
@@ -54,7 +54,7 @@ public class SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport extends
 			authenticationForToken = new SimpleAuthentication(new SimplePrincipal(mail), roles);
 			authenticationForToken.setAuthenticated(authentication.isAuthenticated());
 		}
-		String token = tokenProvider.createToken(authenticationForToken, REQUEST_TOKEN_LIVETIME *1000L); // 200 secs (for Debugging)
+		String token = tokenProvider.createToken(authenticationForToken, REQUEST_TOKEN_LIVETIME *1000L, true /* preToken */); // 200 secs (for Debugging)
 		Cookie tempTokenCookie = new Cookie("tempRequestToken", token);
 		tempTokenCookie.setMaxAge(REQUEST_TOKEN_LIVETIME);

--- a/src/main/java/at/ac/uibk/gitsearch/web/rest/UserJWTController.java
+++ b/src/main/java/at/ac/uibk/gitsearch/web/rest/UserJWTController.java
@@ -15,6 +15,8 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.bind.annotation.*;
+import java.util.Map;
 import javax.validation.Valid;
 /**
@@ -49,11 +51,15 @@ public class UserJWTController {
    }
    @PostMapping("/refreshToken")
-    public ResponseEntity<JWTToken> authorize(@RequestParam("token") String token) {
+    public ResponseEntity<JWTToken> refreshToken(@RequestParam("token") String token) {
    	if(!tokenProvider.validateToken(token)) {
    		return new ResponseEntity<>(null, HttpStatus.UNAUTHORIZED);
    	} else {
    		 Authentication authentication = tokenProvider.getAuthentication(token);
+    		 Map<String, String> details = (Map<String, String>) authentication.getDetails();
+    		 if(!details.containsKey(TokenProvider.PRE_TOKEN_CLAIM)) {
+    	    		return new ResponseEntity<>(null, HttpStatus.UNAUTHORIZED);
+    		 }
   	         SecurityContextHolder.getContext().setAuthentication(authentication);
   	        String jwt = tokenProvider.createToken(authentication, false);
   	        HttpHeaders httpHeaders = new HttpHeaders();