new version

Author: joanluk

README.adoc

@@ -30,6 +30,6 @@ Para el ejemplo se han utilizado algoritmos tanto simétricos como asímetricos.
 - ECDSA usando P-512 and SHA-512  (ES512)
 
 Aunque realmente se podrían ampliar para permitir cualquier tipo de algoritmo con poco esfuerzo. El hecho de haber seleccionado estos es debido
-a que son los más utilziados.
+a que son los más utiliziados.
 
 

jwt-core/pom.xml

@@ -13,8 +13,8 @@
     <name>${project.artifactId}:${project.version}</name>
     <dependencies>
         <dependency>
-            <groupId>io.jsonwebtoken</groupId>
-            <artifactId>jjwt</artifactId>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>

jwt-core/src/main/java/org/emaginalabs/security/jwt/JwtAuthenticationEntryPoint.java

@@ -1,7 +1,7 @@
 package org.emaginalabs.security.jwt;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import io.jsonwebtoken.JwtException;
+import com.nimbusds.jwt.proc.BadJWTException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.AuthenticationException;
@@ -34,6 +34,6 @@ public void commence(HttpServletRequest request,
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
 
         mapper.writeValue(response.getWriter(),
-                new JwtException("Access denied", authException));
+                new BadJWTException("Access denied", authException));
     }
 }

jwt-core/src/main/java/org/emaginalabs/security/jwt/claims/DefaultClaim.java

@@ -0,0 +1,5 @@
+package org.emaginalabs.security.jwt.claims;
+
+
+public class DefaultClaim extends JwtMap {
+}

jwt-core/src/main/java/org/emaginalabs/security/jwt/claims/JwtMap.java

@@ -0,0 +1,123 @@
+package org.emaginalabs.security.jwt.claims;
+
+import org.springframework.util.Assert;
+
+import java.util.Collection;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.Set;
+
+public class JwtMap implements Map<String, Object> {
+
+    private final Map<String, Object> map;
+
+    public JwtMap() {
+        this.map = new LinkedHashMap<>();
+    }
+
+    public JwtMap(Map<String, Object> map) {
+        this();
+        Assert.notNull(map, "Map argument cannot be null.");
+        putAll(map);
+    }
+
+    protected String getString(String name) {
+        Object v = get(name);
+        return v != null ? String.valueOf(v) : null;
+    }
+
+
+    protected void setValue(String name, Object v) {
+        if (v == null) {
+            map.remove(name);
+        } else {
+            map.put(name, v);
+        }
+    }
+
+
+    @Override
+    public int size() {
+        return map.size();
+    }
+
+    @Override
+    public boolean isEmpty() {
+        return map.isEmpty();
+    }
+
+    @Override
+    public boolean containsKey(Object o) {
+        return map.containsKey(o);
+    }
+
+    @Override
+    public boolean containsValue(Object o) {
+        return map.containsValue(o);
+    }
+
+    @Override
+    public Object get(Object o) {
+        return map.get(o);
+    }
+
+    @Override
+    public Object put(String s, Object o) {
+        if (o == null) {
+            return map.remove(s);
+        } else {
+            return map.put(s, o);
+        }
+    }
+
+    @Override
+    public Object remove(Object o) {
+        return map.remove(o);
+    }
+
+    @SuppressWarnings("NullableProblems")
+    @Override
+    public void putAll(Map<? extends String, ?> m) {
+        if (m == null) {
+            return;
+        }
+        for (String s : m.keySet()) {
+            put(s, m.get(s));
+        }
+    }
+
+    @Override
+    public void clear() {
+        map.clear();
+    }
+
+    @Override
+    public Set<String> keySet() {
+        return map.keySet();
+    }
+
+    @Override
+    public Collection<Object> values() {
+        return map.values();
+    }
+
+    @Override
+    public Set<Entry<String, Object>> entrySet() {
+        return map.entrySet();
+    }
+
+    @Override
+    public String toString() {
+        return map.toString();
+    }
+
+    @Override
+    public int hashCode() {
+        return map.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        return map.equals(obj);
+    }
+}

jwt-core/src/main/java/org/emaginalabs/security/jwt/config/JwtConfiguration.java

@@ -3,16 +3,13 @@
 
 import lombok.extern.slf4j.Slf4j;
 import org.emaginalabs.security.jwt.JwtAuthenticationEntryPoint;
-import org.emaginalabs.security.jwt.JwtWebSecurityConfigurer;
 import org.emaginalabs.security.jwt.handler.JwtAuthenticationFailureHandler;
 import org.emaginalabs.security.jwt.provider.JwtAuthenticationProvider;
 import org.emaginalabs.security.jwt.token.provider.JwtTokenProvider;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 
 /**
  * Configuration jwt authentication in GAIA Application
@@ -55,7 +52,7 @@ public JwtAuthenticationFailureHandler jwtAuthenticationFailureHandler() {
     }
 
     @ConditionalOnMissingBean
-    @ConditionalOnBean(AuthenticationManagerBuilder.class)
+    //@ConditionalOnBean(AuthenticationManagerBuilder.class)
     @Bean
     public JwtWebSecurityConfigurer jwtWebSecurityConfigurer() {
         return new JwtWebSecurityConfigurer(

jwt-core/src/main/java/org/emaginalabs/security/jwt/config/JwtConfigurer.java

@@ -0,0 +1,64 @@
+package org.emaginalabs.security.jwt.config;
+
+import lombok.extern.slf4j.Slf4j;
+import org.emaginalabs.security.jwt.JwtAuthenticationEntryPoint;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.util.StringUtils;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * User: jose
+ * Date: 2019-05-30
+ * Time: 10:50
+ */
+
+@Slf4j
+public class JwtConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
+
+    private static final String COMMA_SEPARATOR = ",";
+
+    private JwtWebSecurityConfigurer configurer;
+
+    public JwtConfigurer(JwtWebSecurityConfigurer jwtWebSecurityConfigurer) {
+        this.configurer = jwtWebSecurityConfigurer;
+
+    }
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        log.debug("Configuring http security for jwt security...");
+        //get login path
+        String loginPath = configurer.getJwtSettings().getLoginPath();
+
+        //get paths permits
+        String permitPathsStr = configurer.getJwtSettings().getPathAllow();
+
+        List<String> permitPaths = new ArrayList<String>();
+        if (StringUtils.hasText(permitPathsStr)) {
+            Collections.addAll(Arrays.asList(permitPathsStr.split(COMMA_SEPARATOR)));
+        }
+        //add login path to exclude path filter
+        permitPaths.add(permitPaths.size(), loginPath);
+        //get path to authentication required
+        String pathSecured = configurer.getJwtSettings().getSecurePath();
+        if (configurer.getJwtSettings().isApiLoginEnabled()) {
+            //custom filter to login
+            http.addFilterBefore(configurer.buildJwtLoginProcessingFilter(loginPath), UsernamePasswordAuthenticationFilter.class);
+        }
+        http
+                // Custom filter for authenticating users using tokens
+                .addFilterAfter(configurer.buildJwtTokenAuthenticationProcessingFilter(permitPaths, pathSecured),
+                        UsernamePasswordAuthenticationFilter.class)
+                //exception handler jwt error
+                .exceptionHandling()
+                .authenticationEntryPoint(new JwtAuthenticationEntryPoint());
+    }
+
+}

jwt-core/src/main/java/org/emaginalabs/security/jwt/config/JwtSettings.java

@@ -1,11 +1,14 @@
 package org.emaginalabs.security.jwt.config;
 
-import io.jsonwebtoken.SignatureAlgorithm;
+import com.nimbusds.jose.JWEAlgorithm;
+import com.nimbusds.jose.JWSAlgorithm;
 import lombok.Data;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 
 
 @Data
+@Slf4j
 public class JwtSettings {
 
     /**
@@ -14,7 +17,7 @@ public class JwtSettings {
     @Value("${app.security.jwt.token.expiration.time}")
     private Integer tokenExpirationTime = 15;
 
-    @Value("${app.security.jwt.path.login:/login}")
+    @Value("${app.security.jwt.path.login:/api/login}")
     private String loginPath;
 
     @Value("${app.security.jwt.path.secure:/**}")
@@ -26,7 +29,7 @@ public class JwtSettings {
      * Token issuer.
      */
     @Value("${app.security.jwt.token.issuer}")
-    private String tokenIssuer = "user";
+    private String tokenIssuer = "gaia-app";
 
     /**
      * Key is used to sign token
@@ -47,15 +50,33 @@ public class JwtSettings {
     @Value("${app.security.jwt.signature.algorithm}")
     private String signatureAlgorithmStr;
 
+    @Value("${app.security.jwt.encryptation.algorithm}")
+    private String encryptationAlgorithmStr;
+
+
+    @Value("${app.security.jwt.encryptation.active:false}")
+    private boolean encryptation;
 
     @Value("${app.security.jwt.token.response}")
     private String tokenResponse;
 
     @Value("${app.security.jwt.token.compresion}")
     private boolean compresion;
 
-    public SignatureAlgorithm getSignatureAlgorithm() {
-        return SignatureAlgorithm.forName(signatureAlgorithmStr);
+    @Value("${app.security.jwt.signature.validate:true}")
+    private boolean validateSigned;
+
+    @Value("${app.security.jwt.login.enabled:false}")
+    private boolean apiLoginEnabled;
+
+    public JWSAlgorithm getSignatureAlgorithm() {
+        return JWSAlgorithm.parse(signatureAlgorithmStr);
     }
 
+    public JWEAlgorithm getEncryptationAlgorithm() {
+        return JWEAlgorithm.parse(encryptationAlgorithmStr);
+    }
+
+
+
 }

jwt-core/src/main/java/org/emaginalabs/security/jwt/JwtWebSecurityConfigurer.java jwt-core/src/main/java/org/emaginalabs/security/jwt/config/JwtWebSecurityConfigurer.java

@@ -1,10 +1,10 @@
-package org.emaginalabs.security.jwt;
+package org.emaginalabs.security.jwt.config;
 
 
+import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.emaginalabs.security.jwt.config.JwtSettings;
-import org.emaginalabs.security.jwt.config.SkipPathRequestMatcher;
+import org.emaginalabs.security.jwt.JwtAuthenticationEntryPoint;
 import org.emaginalabs.security.jwt.filter.JwtLoginProcessingFilter;
 import org.emaginalabs.security.jwt.filter.JwtTokenAuthenticationProcessingFilter;
 import org.emaginalabs.security.jwt.token.provider.TokenProvider;
@@ -33,14 +33,7 @@
 public class JwtWebSecurityConfigurer implements ApplicationContextAware {
 
     private static final String COMMA_SEPARATOR = ",";
-    private static final String DEFAULT_PATH_SECURE = "/**";
-    private static final String DEFAULT_PATH_LOGIN = "/login";
-    private static final String GAIA_ENV_SECURITY_JWT_PATH_LOGIN = "gaia.env.security.jwt.path.login";
-    private static final String APP_ENV_SECURITY_JWT_PATH_LOGIN = "app.env.security.jwt.path.login";
-    private static final String APP_ENV_SECURITY_JQT_PATH_SECURE = "app.env.security.jqt.path.secure";
-    private static final String GAIA_ENV_SECURITY_JWT_PATH_SECURE = "gaia.env.security.jwt.path.secure";
-    private static final String GAIA_ENV_SECURITY_JWT_PATHS_ALLOW = "gaia.env.security.jwt.paths.allow";
-    private static final String APP_ENV_SECURITY_JWT_PATHS_ALLOW = "app.env.security.jwt.paths.allow";
+
 
     @Autowired
     private AuthenticationManagerBuilder authenticationManager;
@@ -49,19 +42,20 @@ public class JwtWebSecurityConfigurer implements ApplicationContextAware {
 
     private final TokenProvider jwtTokenProvider;
 
+    @Getter
     private final JwtSettings jwtSettings;
 
     private ApplicationContext context;
 
     private final AuthenticationProvider jwtAuthenticationProvider;
 
 
-    private JwtLoginProcessingFilter buildJwtLoginProcessingFilter(String loginEntryPoint) {
+    protected JwtLoginProcessingFilter buildJwtLoginProcessingFilter(String loginEntryPoint) {
         log.debug("Configuring JwtLoginProcessingFilter...");
         return new JwtLoginProcessingFilter(loginEntryPoint, authenticationManager.getObject(), jwtTokenProvider, jwtSettings);
     }
 
-    private JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) {
+    protected JwtTokenAuthenticationProcessingFilter buildJwtTokenAuthenticationProcessingFilter(List<String> pathsToSkip, String pattern) {
         log.debug("Configuring JwtTokenAuthenticationProcessingFilter...");
         SkipPathRequestMatcher matcher = new SkipPathRequestMatcher(pathsToSkip, pattern);
         JwtTokenAuthenticationProcessingFilter filter