JWT独立子项目

maxkey-protocols/maxkey-protocol-jwt/src/main/java/META-INF/MANIFEST.MF

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Class-Path: 
+

maxkey-protocols/maxkey-protocol-jwt/src/main/java/org/maxkey/authz/jwt/endpoint/adapter/JwtAdapter.java

@@ -0,0 +1,126 @@
+/*
+ * Copyright [2020] [MaxKey of copyright http://www.maxkey.top]
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+
+package org.maxkey.authz.jwt.endpoint.adapter;
+
+import java.util.Arrays;
+import java.util.Date;
+import java.util.UUID;
+
+import org.joda.time.DateTime;
+import org.maxkey.authn.SigninPrincipal;
+import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
+import org.maxkey.configuration.oidc.OIDCProviderMetadata;
+import org.maxkey.crypto.jwt.signer.service.JwtSigningAndValidationService;
+import org.maxkey.domain.UserInfo;
+import org.maxkey.domain.apps.Apps;
+import org.maxkey.domain.apps.AppsJwtDetails;
+import org.maxkey.web.WebConstants;
+import org.maxkey.web.WebContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.servlet.ModelAndView;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
+import com.nimbusds.jwt.SignedJWT;
+
+public class JwtAdapter extends AbstractAuthorizeAdapter {
+	final static Logger _logger = LoggerFactory.getLogger(JwtAdapter.class);
+	@Override
+	public String generateInfo(SigninPrincipal authentication,UserInfo userInfo,Object app) {
+		AppsJwtDetails details=(AppsJwtDetails)app;
+	
+		
+		JwtSigningAndValidationService jwtSignerService= (JwtSigningAndValidationService)WebContext.getBean("jwtSignerValidationService");
+		OIDCProviderMetadata providerMetadata= (OIDCProviderMetadata)WebContext.getBean("oidcProviderMetadata");
+	
+		DateTime currentDateTime=DateTime.now();
+		
+		Date expirationTime=currentDateTime.plusMinutes(Integer.parseInt(details.getExpires())).toDate();
+		_logger.debug("expiration Time : "+expirationTime);
+		
+		JWTClaimsSet jwtClaims =new  JWTClaimsSet.Builder()
+				.issuer(providerMetadata.getIssuer())
+				.subject(userInfo.getUsername())
+				.audience(Arrays.asList(details.getId()))
+				.jwtID(UUID.randomUUID().toString())
+				.issueTime(currentDateTime.toDate())
+				.expirationTime(expirationTime)
+				.claim("email", userInfo.getWorkEmail())
+				.claim("name", userInfo.getUsername())
+				.claim("user_id", userInfo.getId())
+				.claim("external_id", userInfo.getId())
+				.claim("locale", userInfo.getLocale())
+				.claim(WebConstants.ONLINE_TICKET_NAME, authentication.getOnlineTicket().getTicketId())
+				.claim("kid", jwtSignerService.getDefaultSignerKeyId())
+				.build();
+		
+		_logger.debug("jwt Claims : "+jwtClaims);
+		
+		JWT jwtToken = new PlainJWT(jwtClaims);
+		
+		JWSAlgorithm signingAlg = jwtSignerService.getDefaultSigningAlgorithm();
+		
+		//get PublicKey
+		/*Map<String, JWK>  jwkMap=jwtSignerService.getAllPublicKeys();
+		
+		JWK jwk=jwkMap.get("connsec_rsa1");
+		
+		_logger.debug("isPrivate "+jwk.isPrivate());*/
+		
+		_logger.debug(" signingAlg "+signingAlg);
+		
+		jwtToken = new SignedJWT(new JWSHeader(signingAlg), jwtClaims);
+		// sign it with the server's key
+		jwtSignerService.signJwt((SignedJWT) jwtToken);
+		
+		String tokenString=jwtToken.serialize();
+		_logger.debug("jwt Token : "+tokenString);
+		
+		return tokenString;
+	}
+
+	@Override
+	public String encrypt(String data, String algorithmKey, String algorithm) {
+		return data;
+	}
+
+	@Override
+	public String sign(String data, Apps app) {
+		
+		return data;
+	}
+
+	@Override
+	public ModelAndView authorize(UserInfo userInfo, Object app, String data,ModelAndView modelAndView) {
+		modelAndView.setViewName("authorize/jwt_sso_submint");
+		AppsJwtDetails details=(AppsJwtDetails)app;
+		modelAndView.addObject("action", details.getRedirectUri());
+		_logger.debug("jwt Token data : "+data);
+		
+		modelAndView.addObject("token",data);
+		
+		//return_to
+		
+		return modelAndView;
+	}
+
+}

maxkey-protocols/maxkey-protocol-jwt/src/main/java/org/maxkey/authz/jwt/endpoint/adapter/JwtDefaultAdapter.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright [2020] [MaxKey of copyright http://www.maxkey.top]
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+
+package org.maxkey.authz.jwt.endpoint.adapter;
+
+import java.util.Arrays;
+import java.util.Date;
+import java.util.UUID;
+
+import org.joda.time.DateTime;
+import org.maxkey.authn.SigninPrincipal;
+import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
+import org.maxkey.configuration.oidc.OIDCProviderMetadata;
+import org.maxkey.crypto.jwt.signer.service.JwtSigningAndValidationService;
+import org.maxkey.domain.UserInfo;
+import org.maxkey.domain.apps.AppsJwtDetails;
+import org.maxkey.web.WebConstants;
+import org.maxkey.web.WebContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.servlet.ModelAndView;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
+import com.nimbusds.jwt.SignedJWT;
+
+public class JwtDefaultAdapter extends AbstractAuthorizeAdapter {
+	final static Logger _logger = LoggerFactory.getLogger(JwtDefaultAdapter.class);
+	@Override
+	public String generateInfo(SigninPrincipal authentication,UserInfo userInfo,Object app) {
+	    AppsJwtDetails details=(AppsJwtDetails)app;
+    
+        
+        JwtSigningAndValidationService jwtSignerService= (JwtSigningAndValidationService)WebContext.getBean("jwtSignerValidationService");
+        OIDCProviderMetadata providerMetadata= (OIDCProviderMetadata)WebContext.getBean("oidcProviderMetadata");
+    
+        DateTime currentDateTime=DateTime.now();
+        
+        Date expirationTime=currentDateTime.plusMinutes(Integer.parseInt(details.getExpires())).toDate();
+        _logger.debug("expiration Time : "+expirationTime);
+        
+        JWTClaimsSet jwtClaims =new  JWTClaimsSet.Builder()
+                .issuer(providerMetadata.getIssuer())
+                .subject(userInfo.getUsername())
+                .audience(Arrays.asList(details.getId()))
+                .jwtID(UUID.randomUUID().toString())
+                .issueTime(currentDateTime.toDate())
+                .expirationTime(expirationTime)
+                .claim("email", userInfo.getWorkEmail())
+                .claim("name", userInfo.getUsername())
+                .claim("user_id", userInfo.getId())
+                .claim("external_id", userInfo.getId())
+                .claim("locale", userInfo.getLocale())
+                .claim(WebConstants.ONLINE_TICKET_NAME, authentication.getOnlineTicket().getTicketId())
+                .claim("kid", jwtSignerService.getDefaultSignerKeyId())
+                .build();
+        
+        _logger.debug("jwt Claims : "+jwtClaims);
+        
+        JWT jwtToken = new PlainJWT(jwtClaims);
+        
+        JWSAlgorithm signingAlg = jwtSignerService.getDefaultSigningAlgorithm();
+        
+        //get PublicKey
+        /*Map<String, JWK>  jwkMap=jwtSignerService.getAllPublicKeys();
+        
+        JWK jwk=jwkMap.get("connsec_rsa1");
+        
+        _logger.debug("isPrivate "+jwk.isPrivate());*/
+        
+        _logger.debug(" signingAlg "+signingAlg);
+        
+        jwtToken = new SignedJWT(new JWSHeader(signingAlg), jwtClaims);
+        // sign it with the server's key
+        jwtSignerService.signJwt((SignedJWT) jwtToken);
+        
+        String tokenString=jwtToken.serialize();
+        _logger.debug("jwt Token : "+tokenString);
+        
+        return tokenString;
+	}
+
+	@Override
+	public String encrypt(String data, String algorithmKey, String algorithm) {
+		return super.encrypt(data, algorithmKey, algorithm);
+	}
+
+	@Override
+	public ModelAndView authorize(UserInfo userInfo, Object app, String data,ModelAndView modelAndView) {
+		modelAndView.setViewName("authorize/jwt_sso_submint");
+		AppsJwtDetails details=(AppsJwtDetails)app;
+		modelAndView.addObject("action", details.getRedirectUri());
+		
+		modelAndView.addObject("token",data );
+		return modelAndView;
+	}
+}

maxkey-protocols/maxkey-protocol-jwt/src/main/java/org/maxkey/authz/jwt/endpoint/adapter/JwtHS256Adapter.java

@@ -0,0 +1,123 @@
+/*
+ * Copyright [2020] [MaxKey of copyright http://www.maxkey.top]
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+
+package org.maxkey.authz.jwt.endpoint.adapter;
+
+import java.util.Arrays;
+import java.util.Date;
+import java.util.UUID;
+
+import org.joda.time.DateTime;
+import org.maxkey.authn.SigninPrincipal;
+import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
+import org.maxkey.configuration.oidc.OIDCProviderMetadata;
+import org.maxkey.crypto.ReciprocalUtils;
+import org.maxkey.crypto.jwt.signer.service.JwtSigningAndValidationService;
+import org.maxkey.crypto.jwt.signer.service.impl.SymmetricSigningAndValidationServiceBuilder;
+import org.maxkey.domain.UserInfo;
+import org.maxkey.domain.apps.Apps;
+import org.maxkey.domain.apps.AppsJwtDetails;
+import org.maxkey.web.WebConstants;
+import org.maxkey.web.WebContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.servlet.ModelAndView;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
+import com.nimbusds.jwt.SignedJWT;
+
+public class JwtHS256Adapter extends AbstractAuthorizeAdapter {
+	final static Logger _logger = LoggerFactory.getLogger(JwtHS256Adapter.class);
+	private SymmetricSigningAndValidationServiceBuilder symmetricJwtSignerServiceBuilder=new SymmetricSigningAndValidationServiceBuilder();
+
+	@Override
+	public String generateInfo(SigninPrincipal authentication,UserInfo userInfo,Object app) {
+		AppsJwtDetails details=(AppsJwtDetails)app;
+		
+		OIDCProviderMetadata providerMetadata= (OIDCProviderMetadata)WebContext.getBean("oidcProviderMetadata");
+	
+		DateTime currentDateTime=DateTime.now();
+		
+		Date expirationTime=currentDateTime.plusMinutes(Integer.parseInt(details.getExpires())).toDate();
+		_logger.debug("expiration Time : "+expirationTime);
+		
+		JWTClaimsSet jwtClaims =new  JWTClaimsSet.Builder()
+				.issuer(providerMetadata.getIssuer())
+				.subject(userInfo.getUsername())
+				.audience(Arrays.asList(details.getId()))
+				.jwtID(UUID.randomUUID().toString())
+				.issueTime(currentDateTime.toDate())
+				.expirationTime(expirationTime)
+				.claim("email", userInfo.getWorkEmail())
+				.claim("name", userInfo.getUsername())
+				.claim("user_id", userInfo.getId())
+				.claim(WebConstants.ONLINE_TICKET_NAME, authentication.getOnlineTicket().getTicketId())
+				.claim("external_id", userInfo.getId())
+				.claim("locale", userInfo.getLocale())
+				.claim("kid", "SYMMETRIC-KEY")
+				.build();
+		
+		_logger.debug("jwt Claims : "+jwtClaims);
+		
+		JWT jwtToken = new PlainJWT(jwtClaims);
+		
+		String sharedSecret=ReciprocalUtils.decoder(details.getAlgorithmKey());
+		
+		_logger.debug("jwt sharedSecret : "+sharedSecret);
+		
+		JwtSigningAndValidationService symmetricJwtSignerService =symmetricJwtSignerServiceBuilder.serviceBuilder(sharedSecret);
+		if(symmetricJwtSignerService!=null){
+			jwtToken = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), jwtClaims);
+			symmetricJwtSignerService.signJwt((SignedJWT) jwtToken);
+		}
+		
+		String tokenString=jwtToken.serialize();
+		_logger.debug("jwt Token : "+tokenString);
+		
+		return tokenString;
+	}
+
+	@Override
+	public String encrypt(String data, String algorithmKey, String algorithm) {
+		return data;
+	}
+
+	@Override
+	public String sign(String data, Apps app) {
+		
+		return data;
+	}
+
+	@Override
+	public ModelAndView authorize(UserInfo userInfo, Object app, String data,ModelAndView modelAndView) {
+		modelAndView.setViewName("authorize/jwt_sso_submint");
+		AppsJwtDetails details=(AppsJwtDetails)app;
+		modelAndView.addObject("action", details.getRedirectUri());
+		_logger.debug("jwt Token data : "+data);
+		
+		modelAndView.addObject("token",data);
+		
+		//return_to
+		
+		return modelAndView;
+	}
+
+}

maxkey-protocols/maxkey-protocol-jwt/src/main/java/org/maxkey/authz/token/endpoint/JwtAuthorizeEndpoint.java

@@ -0,0 +1,140 @@
+/*
+ * Copyright [2020] [MaxKey of copyright http://www.maxkey.top]
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+ 
+
+/**
+ * 
+ */
+package org.maxkey.authz.token.endpoint;
+
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.maxkey.authn.SigninPrincipal;
+import org.maxkey.authz.endpoint.AuthorizeBaseEndpoint;
+import org.maxkey.authz.endpoint.adapter.AbstractAuthorizeAdapter;
+import org.maxkey.authz.jwt.endpoint.adapter.JwtDefaultAdapter;
+import org.maxkey.configuration.ApplicationConfig;
+import org.maxkey.constants.Boolean;
+import org.maxkey.domain.apps.Apps;
+import org.maxkey.domain.apps.AppsJwtDetails;
+import org.maxkey.persistence.service.AppsJwtDetailsService;
+import org.maxkey.util.Instance;
+import org.maxkey.web.WebContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.ModelAndView;
+
+/**
+ * @author Crystal.Sea
+ *
+ */
+@Controller
+public class JwtAuthorizeEndpoint  extends AuthorizeBaseEndpoint{
+
+	final static Logger _logger = LoggerFactory.getLogger(JwtAuthorizeEndpoint.class);
+	
+	@Autowired
+	AppsJwtDetailsService jwtDetailsService;
+	
+	JwtDefaultAdapter jwtDefaultAdapter=new JwtDefaultAdapter();
+	
+	@Autowired
+	ApplicationConfig applicationConfig;
+	
+	@RequestMapping("/authz/jwt/{id}")
+	public ModelAndView authorize(
+			HttpServletRequest request,
+			HttpServletResponse response,
+			@PathVariable("id") String id){
+		ModelAndView modelAndView=new ModelAndView();
+		
+		
+		AppsJwtDetails jwtDetails=null;
+		jwtDetails=jwtDetailsService.getAppDetails(id);
+		_logger.debug(""+jwtDetails);
+		
+		Apps  application= getApp(id);
+		jwtDetails.setAdapter(application.getAdapter());
+		jwtDetails.setIsAdapter(application.getIsAdapter());
+		
+		AbstractAuthorizeAdapter adapter;
+		if(Boolean.isTrue(jwtDetails.getIsAdapter())){
+			adapter =(AbstractAuthorizeAdapter)Instance.newInstance(jwtDetails.getAdapter());
+		}else{
+			adapter =(AbstractAuthorizeAdapter)jwtDefaultAdapter;
+		}
+		
+		String tokenData=adapter.generateInfo(
+		        (SigninPrincipal)WebContext.getAuthentication().getPrincipal(),
+				WebContext.getUserInfo(), 
+				jwtDetails);
+		
+		String encryptTokenData=adapter.encrypt(
+				tokenData, 
+				jwtDetails.getAlgorithmKey(), 
+				jwtDetails.getAlgorithm());
+		
+		String signTokenData=adapter.sign(
+				encryptTokenData, 
+				jwtDetails);
+		
+		if(jwtDetails.getTokenType().equalsIgnoreCase("POST")) {
+			modelAndView=adapter.authorize(
+					WebContext.getUserInfo(), 
+					jwtDetails, 
+					signTokenData, 
+					modelAndView);
+			
+			return modelAndView;
+		}else {
+			
+			String cookieValue="";
+			cookieValue=signTokenData;
+			
+			_logger.debug("Cookie Name : "+jwtDetails.getCookieName());
+			
+			Cookie cookie= new Cookie(jwtDetails.getCookieName(),cookieValue);
+			
+			Integer maxAge=Integer.parseInt(jwtDetails.getExpires())*60;
+			_logger.debug("Cookie Max Age :"+maxAge+" seconds.");
+			cookie.setMaxAge(maxAge);
+			
+			cookie.setPath("/");
+			//
+			//cookie.setDomain("."+applicationConfig.getBaseDomainName());
+			//tomcat 8.5
+			cookie.setDomain(applicationConfig.getBaseDomainName());
+			
+			_logger.debug("Sub Domain Name : "+"."+applicationConfig.getBaseDomainName());
+			response.addCookie(cookie);
+			
+			if(jwtDetails.getRedirectUri().indexOf(applicationConfig.getBaseDomainName())>-1){
+				return WebContext.redirect(jwtDetails.getRedirectUri());
+			}else{
+				_logger.error(jwtDetails.getRedirectUri()+" not in domain "+applicationConfig.getBaseDomainName());
+				return null;
+			}
+		}
+		
+	}
+
+}