From 093e06205a837f6faff65186016311d0ffb34746 Mon Sep 17 00:00:00 2001
From: "michael.breu" <michael.breu@uibk.ac.at>
Date: Fri, 22 Jan 2021 13:49:59 +0100
Subject: [PATCH] refreshToken is now secured by preToken-Flag
---
 .../gitsearch/security/jwt/TokenProvider.java | 24 ++++++++++++++-----
 ...nticationSuccessHandlerWithJWTSupport.java | 4 ++--
 .../gitsearch/web/rest/UserJWTController.java | 8 ++++++-
 3 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/src/main/java/at/ac/uibk/gitsearch/security/jwt/TokenProvider.java b/src/main/java/at/ac/uibk/gitsearch/security/jwt/TokenProvider.java
index 048611239..570804172 100644
--- a/src/main/java/at/ac/uibk/gitsearch/security/jwt/TokenProvider.java
+++ b/src/main/java/at/ac/uibk/gitsearch/security/jwt/TokenProvider.java
@@ -24,7 +24,9 @@ import io.jsonwebtoken.security.Keys;
 @Component
 public class TokenProvider {
- private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
+ public static final String PRE_TOKEN_CLAIM = "preToken";
+
+ private final Logger log = LoggerFactory.getLogger(TokenProvider.class);
 private static final String AUTHORITIES_KEY = "auth";
@@ -71,16 +73,17 @@ public class TokenProvider {
 ?tokenValidityInMillisecondsForRememberMe
 :tokenValidityInMilliseconds;
- return createToken(authentication, validity);
+ return createToken(authentication, validity, false);
 }
 /**
 * creates a token from authentication given by validity (im msec)
 * @param authentication the authentication
 * @param validity validity in msec
+ * @param preToken include hint that this token entitles for a long term token
 * @return
 */
- public String createToken(Authentication authentication, long validity) {
+ public String createToken(Authentication authentication, long validity, boolean preToken) {
 Date endTime = new Date(System.currentTimeMillis() + validity);
 String authorities = authentication.getAuthorities().stream()
@@ -88,9 +91,12 @@ public class TokenProvider {
 .collect(Collectors.joining(","));
- return Jwts.builder()
+ JwtBuilder jwtBuilder = Jwts.builder()
 .setSubject(authentication.getName())
- .claim(AUTHORITIES_KEY, authorities)
+ .claim(AUTHORITIES_KEY, authorities);
+ if(preToken)
+ jwtBuilder = jwtBuilder.claim(PRE_TOKEN_CLAIM, PRE_TOKEN_CLAIM);
+ return jwtBuilder
 .signWith(key, SignatureAlgorithm.HS512)
 .setExpiration(endTime)
 .compact();
@@ -107,10 +113,16 @@ public class TokenProvider {
 Arrays.stream(claims.get(AUTHORITIES_KEY).toString().split(","))
 .map(SimpleGrantedAuthority::new)
 .collect(Collectors.toList());
+ String preTokenFlag = (String) claims.get(PRE_TOKEN_CLAIM);
 User principal = new User(claims.getSubject(), "", authorities);
- return new UsernamePasswordAuthenticationToken(principal, token, authorities);
+
+ final UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(principal, token, authorities);
+ if(preTokenFlag !=null) {
+ authentication.setDetails(Collections.singletonMap(TokenProvider.PRE_TOKEN_CLAIM, preTokenFlag));
+ }
+ return authentication;
 }
 public boolean validateToken(String authToken) {
diff --git a/src/main/java/at/ac/uibk/gitsearch/security/oauth2/SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport.java b/src/main/java/at/ac/uibk/gitsearch/security/oauth2/SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport.java
index 132173a83..3f933b2b0 100644
--- a/src/main/java/at/ac/uibk/gitsearch/security/oauth2/SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport.java
+++ b/src/main/java/at/ac/uibk/gitsearch/security/oauth2/SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport.java
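Review bot: The `if(preToken)` in the middle of the first hunk on this line is unbraced, while the other conditional this commit adds (`if(preTokenFlag !=null) {` in the next hunk) is braced; keep one style and brace it: `if (preToken) { jwtBuilder = jwtBuilder.claim(PRE_TOKEN_CLAIM, PRE_TOKEN_CLAIM); }`. The claim is written with its own name as its value, which works for the presence check in getAuthentication but is not obvious to a reader; a comment such as `// marker claim: only its presence matters, the value is not interpreted` would make the intent explicit. The enclosing createToken starts outside this hunk.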
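Review bot: `String preTokenFlag = (String) claims.get(PRE_TOKEN_CLAIM);` in the second hunk on this line is an unchecked cast; the typed accessor `claims.get(PRE_TOKEN_CLAIM, String.class)` reports a clear error instead of a ClassCastException should a token ever carry the claim with a different type. Because details are set only when the claim is present, `getDetails()` stays null for ordinary tokens, so every consumer must null-check it; either say so at the setDetails call (`// details is non-null only for pre-tokens; callers must handle null`) or, if no other code depends on the null, set `Collections.emptyMap()` in the else branch so the contract is a non-null map. The enclosing getAuthentication starts above the hunk.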
@@ -36,7 +36,7 @@ public class SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport extends
 }
- private static int REQUEST_TOKEN_LIVETIME = 200; // seconds
+ private static int REQUEST_TOKEN_LIVETIME = 10; // seconds
 @Override
 public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
@@ -54,7 +54,7 @@ public class SavedRequestAwareAuthenticationSuccessHandlerWithJWTSupport extends
 authenticationForToken = new SimpleAuthentication(new SimplePrincipal(mail), roles);
 authenticationForToken.setAuthenticated(authentication.isAuthenticated());
 }
- String token = tokenProvider.createToken(authenticationForToken, REQUEST_TOKEN_LIVETIME *1000L); // 200 secs (for Debugging)
+ String token = tokenProvider.createToken(authenticationForToken, REQUEST_TOKEN_LIVETIME *1000L, true /* preToken */); // 200 secs (for Debugging)
 Cookie tempTokenCookie = new Cookie("tempRequestToken", token);
 tempTokenCookie.setMaxAge(REQUEST_TOKEN_LIVETIME);
diff --git a/src/main/java/at/ac/uibk/gitsearch/web/rest/UserJWTController.java b/src/main/java/at/ac/uibk/gitsearch/web/rest/UserJWTController.java
index b209d27ca..3adc22792 100644
--- a/src/main/java/at/ac/uibk/gitsearch/web/rest/UserJWTController.java
+++ b/src/main/java/at/ac/uibk/gitsearch/web/rest/UserJWTController.java
@@ -15,6 +15,8 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.bind.annotation.*;
+import java.util.Map;
+
 import javax.validation.Valid;
 /**
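Review bot: The trailing comment `// 200 secs (for Debugging)` on the added `String token = ...` line is now wrong, since the first hunk of this file lowers REQUEST_TOKEN_LIVETIME to 10; replace it with `// REQUEST_TOKEN_LIVETIME secs; preToken marks it as exchangeable for a long-term token via /refreshToken`. Note that getAuthentication in TokenProvider grants the full authorities from the auth claim regardless of the preToken flag, so for its lifetime the cookie value is also an ordinary bearer token; if that is intended, a comment saying so next to the cookie would save the next reader the question. In the first hunk `REQUEST_TOKEN_LIVETIME` is a mutable static; `private static final int` makes it the constant it is used as. onAuthenticationSuccess continues beyond the hunk.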
@@ -49,11 +51,15 @@ public class UserJWTController {
 }
 @PostMapping("/refreshToken")
- public ResponseEntity<JWTToken> authorize(@RequestParam("token") String token) {
+ public ResponseEntity<JWTToken> refreshToken(@RequestParam("token") String token) {
 if(!tokenProvider.validateToken(token)) {
 return new ResponseEntity<>(null, HttpStatus.UNAUTHORIZED);
 } else {
 Authentication authentication = tokenProvider.getAuthentication(token);
+ Map<String, String> details = (Map<String, String>) authentication.getDetails();
+ if(!details.containsKey(TokenProvider.PRE_TOKEN_CLAIM)) {
+ return new ResponseEntity<>(null, HttpStatus.UNAUTHORIZED);
+ }
 SecurityContextHolder.getContext().setAuthentication(authentication);
 String jwt = tokenProvider.createToken(authentication, false);
 HttpHeaders httpHeaders = new HttpHeaders();
-- GitLab
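Review bot: `details.containsKey(TokenProvider.PRE_TOKEN_CLAIM)` on the added line dereferences `authentication.getDetails()` without a null check, and getAuthentication in TokenProvider (this commit's first file) sets details only when the preToken claim is present, so a valid ordinary token posted to /refreshToken ends in a NullPointerException (an HTTP 500) instead of the intended 401. Replace the two added lines with `Object details = authentication.getDetails();` and `if (!(details instanceof Map) || !((Map<?, ?>) details).containsKey(TokenProvider.PRE_TOKEN_CLAIM)) {`, which also removes the unchecked cast to `Map<String, String>`. Nothing in the hunk limits how many long-term tokens a single pre-token can be exchanged for within its validity window; if single use is intended, that needs state kept outside this method and is worth a comment either way. The method's body continues past the hunk.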