hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-07 18:14:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

DS-3542: invalided sessions with salt

Browse Source
This commit is contained in:
frederic
2017-10-11 11:17:25 +02:00
committed by Tom Desair
parent da3a941e0a
commit 3e366bf442
3 changed files with 35 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
dspace-api/src/main/java/org/dspace/eperson/EPerson.java
View File

@@ -65,6 +65,9 @@ public class EPerson extends DSpaceObject implements DSpaceObjectLegacySupport
@Column(name="salt", length = 32) @Column(name="salt", length = 32)
private String salt; private String salt;
@Column(name="jwt_salt", length = 16)
private String jwtSalt;
@Column(name="digest_algorithm", length = 16) @Column(name="digest_algorithm", length = 16)
private String digestAlgorithm; private String digestAlgorithm;
@@ -433,4 +436,12 @@ public class EPerson extends DSpaceObject implements DSpaceObjectLegacySupport
} }
return ePersonService; return ePersonService;
} }
public String getJwtSalt() {
return jwtSalt;
}
public void setJwtSalt(String jwtSalt) {
this.jwtSalt = jwtSalt;
}
} }

26
dspace-spring-rest/src/main/java/org/dspace/app/rest/security/JWTTokenHandler.java
View File

@@ -11,6 +11,9 @@ import org.dspace.core.Context;
import org.dspace.eperson.EPerson; import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group; import org.dspace.eperson.Group;
import org.dspace.eperson.factory.EPersonServiceFactory; import org.dspace.eperson.factory.EPersonServiceFactory;
import org.dspace.eperson.service.EPersonService;
import org.springframework.security.crypto.keygen.KeyGenerators;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import java.sql.SQLException; import java.sql.SQLException;
import java.text.ParseException; import java.text.ParseException;
@@ -21,25 +24,36 @@ import java.util.stream.Collectors;
public class JWTTokenHandler { public class JWTTokenHandler {
private static String jwtKey = "testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest";
private AuthenticationService authenticationService = AuthenticateServiceFactory.getInstance().getAuthenticationService(); private AuthenticationService authenticationService = AuthenticateServiceFactory.getInstance().getAuthenticationService();
private EPersonService ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
public EPerson parseEPersonFromToken(String token) throws JOSEException, ParseException, SQLException { public EPerson parseEPersonFromToken(String token) throws JOSEException, ParseException, SQLException {
JWSVerifier verifier = new MACVerifier("testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest");
SignedJWT signedJWT = SignedJWT.parse(token); SignedJWT signedJWT = SignedJWT.parse(token);
if (signedJWT.verify(verifier)) {
Context context = new Context(); Context context = new Context();
return EPersonServiceFactory.getInstance().getEPersonService().find(context, UUID.fromString(signedJWT.getJWTClaimsSet().getClaim("EPersonID").toString())); EPerson ePerson = ePersonService.find(context, UUID.fromString(signedJWT.getJWTClaimsSet().getClaim("EPersonID").toString()));
JWSVerifier verifier = new MACVerifier(jwtKey + ePerson.getJwtSalt());
if (signedJWT.verify(verifier)) {
return ePerson;
} else { } else {
return null; return null;
} }
} }
public String createTokenForEPerson(EPerson ePerson, List<Group> groups) throws JOSEException { public String createTokenForEPerson(Context context, EPerson ePerson, List<Group> groups) throws JOSEException {
JWSSigner signer = new MACSigner("testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest"); StringKeyGenerator stringKeyGenerator = KeyGenerators.string();
String salt = stringKeyGenerator.generateKey();
JWSSigner signer = new MACSigner(jwtKey + salt);
List<Integer> groupIds = groups.stream().map(Group::getLegacyId).collect(Collectors.toList()); List<Integer> groupIds = groups.stream().map(Group::getLegacyId).collect(Collectors.toList());
ePerson.setJwtSalt(salt);
try {
context.commit();
} catch (SQLException e) {
e.printStackTrace();
}
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder() JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
.claim("EPersonID", ePerson.getID().toString()) .claim("EPersonID", ePerson.getID().toString())

6
dspace-spring-rest/src/main/java/org/dspace/app/rest/security/TokenAuthenticationService.java
View File

@@ -4,6 +4,7 @@ import com.nimbusds.jose.JOSEException;
import org.dspace.app.rest.utils.ContextUtil; import org.dspace.app.rest.utils.ContextUtil;
import org.dspace.authenticate.factory.AuthenticateServiceFactory; import org.dspace.authenticate.factory.AuthenticateServiceFactory;
import org.dspace.authenticate.service.AuthenticationService; import org.dspace.authenticate.service.AuthenticationService;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson; import org.dspace.eperson.EPerson;
import org.dspace.eperson.Group; import org.dspace.eperson.Group;
import org.dspace.eperson.factory.EPersonServiceFactory; import org.dspace.eperson.factory.EPersonServiceFactory;
@@ -32,8 +33,9 @@ public class TokenAuthenticationService {
public void addAuthentication(HttpServletRequest request, HttpServletResponse response, String email) { public void addAuthentication(HttpServletRequest request, HttpServletResponse response, String email) {
try { try {
EPerson ePerson = ePersonService.findByEmail(ContextUtil.obtainContext(request), email); EPerson ePerson = ePersonService.findByEmail(ContextUtil.obtainContext(request), email);
List<Group> groups = authenticationService.getSpecialGroups(ContextUtil.obtainContext(request), request); Context context = ContextUtil.obtainContext(request);
String token = jwtTokenHandler.createTokenForEPerson(ePerson, groups); List<Group> groups = authenticationService.getSpecialGroups(context, request);
String token = jwtTokenHandler.createTokenForEPerson(context, ePerson, groups);
Cookie cookie = new Cookie("access_token", token); Cookie cookie = new Cookie("access_token", token);
response.addCookie(cookie); response.addCookie(cookie);
} catch (JOSEException e) { } catch (JOSEException e) {