Additional Jwt Validation Debug Messages

Closes gh-8589

Co-authored-by: MattyA <mat.auburn@gmail.com>
Josh Cummings 2020-07-30 16:21:28 -06:00
parent 0efdb2c92c
commit 2f80b8a5be
2 changed files with 28 additions and 16 deletions


@ -15,6 +15,9 @@
*/ */
package org.springframework.security.oauth2.jwt; package org.springframework.security.oauth2.jwt;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@ -28,6 +31,8 @@ import org.springframework.util.Assert;
* @since 5.1 * @since 5.1
*/ */
public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> { public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
private final Log logger = LogFactory.getLog(getClass());
private static OAuth2Error INVALID_ISSUER = private static OAuth2Error INVALID_ISSUER =
new OAuth2Error( new OAuth2Error(
OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.INVALID_REQUEST,
@ -57,6 +62,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
if (this.issuer.equals(tokenIssuer)) { if (this.issuer.equals(tokenIssuer)) {
return OAuth2TokenValidatorResult.success(); return OAuth2TokenValidatorResult.success();
} else { } else {
logger.debug(INVALID_ISSUER.getDescription());
return OAuth2TokenValidatorResult.failure(INVALID_ISSUER); return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
} }
} }
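Review bot: The new line `logger.debug(INVALID_ISSUER.getDescription());` logs only the constant error description, so a reader of the log still cannot tell which issuer the token carried or which one this validator expected, which is the information needed when diagnosing a rejected token. The values are both in scope at that point, so the message could read `logger.debug(String.format("Issuer %s did not match the expected issuer %s", tokenIssuer, this.issuer));`. Since `tokenIssuer` is a claim value read from the token, keeping it at debug level as done here is appropriate rather than promoting it to a higher level. For consistency with the surrounding code, which accesses fields as `this.issuer`, the new field could be referenced as `this.logger`. The enclosing validate method begins outside the hunk.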


@ -15,17 +15,20 @@
*/ */
package org.springframework.security.oauth2.jwt; package org.springframework.security.oauth2.jwt;
import java.time.Clock; import org.apache.commons.logging.Log;
import java.time.Duration; import org.apache.commons.logging.LogFactory;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator; import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult; import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
/** /**
* An implementation of {@link OAuth2TokenValidator} for verifying claims in a Jwt-based access token * An implementation of {@link OAuth2TokenValidator} for verifying claims in a Jwt-based access token
* *
@ -41,6 +44,8 @@ import org.springframework.util.Assert;
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a> * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>
*/ */
public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> { public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
private final Log logger = LogFactory.getLog(getClass());
private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS); private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);
private final Duration clockSkew; private final Duration clockSkew;
@ -56,7 +61,6 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
public JwtTimestampValidator(Duration clockSkew) { public JwtTimestampValidator(Duration clockSkew) {
Assert.notNull(clockSkew, "clockSkew cannot be null"); Assert.notNull(clockSkew, "clockSkew cannot be null");
this.clockSkew = clockSkew; this.clockSkew = clockSkew;
} }
@ -71,11 +75,8 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
if (expiry != null) { if (expiry != null) {
if (Instant.now(this.clock).minus(clockSkew).isAfter(expiry)) { if (Instant.now(this.clock).minus(clockSkew).isAfter(expiry)) {
OAuth2Error error = new OAuth2Error( OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
OAuth2ErrorCodes.INVALID_REQUEST, return OAuth2TokenValidatorResult.failure(oAuth2Error);
String.format("Jwt expired at %s", jwt.getExpiresAt()),
"https://tools.ietf.org/html/rfc6750#section-3.1");
return OAuth2TokenValidatorResult.failure(error);
} }
} }
@ -83,17 +84,22 @@ public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
if (notBefore != null) { if (notBefore != null) {
if (Instant.now(this.clock).plus(clockSkew).isBefore(notBefore)) { if (Instant.now(this.clock).plus(clockSkew).isBefore(notBefore)) {
OAuth2Error error = new OAuth2Error( OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt used before %s", jwt.getNotBefore()));
OAuth2ErrorCodes.INVALID_REQUEST, return OAuth2TokenValidatorResult.failure(oAuth2Error);
String.format("Jwt used before %s", jwt.getNotBefore()),
"https://tools.ietf.org/html/rfc6750#section-3.1");
return OAuth2TokenValidatorResult.failure(error);
} }
} }
return OAuth2TokenValidatorResult.success(); return OAuth2TokenValidatorResult.success();
} }
private OAuth2Error createOAuth2Error(String reason) {
logger.debug(reason);
return new OAuth2Error(
OAuth2ErrorCodes.INVALID_REQUEST,
reason,
"https://tools.ietf.org/html/rfc6750#section-3.1");
}
/** /**
* ' * '
* Use this {@link Clock} with {@link Instant#now()} for assessing * Use this {@link Clock} with {@link Instant#now()} for assessing