diff --git a/openapi-security/src/main/java/com/networknt/openapi/UnifiedPathPrefixAuth.java b/openapi-security/src/main/java/com/networknt/openapi/UnifiedPathPrefixAuth.java
index 834a9ba5..3660b261 100644
--- a/openapi-security/src/main/java/com/networknt/openapi/UnifiedPathPrefixAuth.java
+++ b/openapi-security/src/main/java/com/networknt/openapi/UnifiedPathPrefixAuth.java
@@ -9,6 +9,7 @@ public class UnifiedPathPrefixAuth {
     boolean swt;
     boolean apikey;
     List jwkServiceIds;
+    List swtServiceIds;
     public String getPathPrefix() {
         return pathPrefix;
@@ -57,4 +58,12 @@ public List getJwkServiceIds() {
     public void setJwkServiceIds(List jwkServiceIds) {
         this.jwkServiceIds = jwkServiceIds;
     }
+
+    public List getSwtServiceIds() {
+        return swtServiceIds;
+    }
+
+    public void setSwtServiceIds(List swtServiceIds) {
+        this.swtServiceIds = swtServiceIds;
+    }
 }
diff --git a/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityConfig.java b/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityConfig.java
index d57b107b..df6177e6 100644
--- a/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityConfig.java
+++ b/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityConfig.java
@@ -23,7 +23,7 @@ public class UnifiedSecurityConfig {
     public static final String SWT = "swt";
     public static final String APIKEY = "apikey";
     public static final String JWK_SERVICE_IDS = "jwkServiceIds";
-
+    public static final String SWT_SERVICE_IDS = "swtServiceIds";
     boolean enabled;
     List anonymousPrefixes;
     List pathPrefixAuths;
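Review bot: `getSwtServiceIds` and `setSwtServiceIds` in the second hunk are added without Javadoc, and since the setter is only invoked when the config key is present, a caller cannot tell from the accessor that a null return is the normal "not configured" case. I would add `/** Service ids handed to SwtVerifyHandler.handleSwt for this path prefix; null when swtServiceIds is not configured. */` above the getter, and mirror it on `getJwkServiceIds` for consistency. The getter also hands out the stored list itself, as `getJwkServiceIds` already does, so a handler could mutate the configured list; if that matters, copy in the setter. The element type shows as a raw `List` here, which may be an artifact of how the page was rendered — if the source really is raw, declaring it `List<String>` would remove the unchecked cast performed in `UnifiedSecurityConfig`.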
@@ -150,8 +150,8 @@ private void setConfigList() {
             unifiedPathPrefixAuth.setJwt(value.get(JWT) == null ? false : (Boolean)value.get(JWT));
             unifiedPathPrefixAuth.setSwt(value.get(SWT) == null ? false : (Boolean)value.get(SWT));
             unifiedPathPrefixAuth.setApikey(value.get(APIKEY) == null ? false : (Boolean)value.get(APIKEY));
-            Object ids = value.get(JWK_SERVICE_IDS);
-            if(ids instanceof String) {
+            Object jwkIds = value.get(JWK_SERVICE_IDS);
+            if(jwkIds instanceof String) {
                 String s = (String)value.get(JWK_SERVICE_IDS);
                 if(s.startsWith("[")) {
                     // json format
@@ -164,9 +164,27 @@ private void setConfigList() {
                     // comma separated
                     unifiedPathPrefixAuth.setJwkServiceIds(Arrays.asList(s.split("\\s*,\\s*")));
                 }
-            } else if(ids instanceof List ) {
+            } else if(jwkIds instanceof List ) {
+                // it must be a json array.
+                unifiedPathPrefixAuth.setJwkServiceIds((List)jwkIds);
+            }
+            Object swtIds = value.get(SWT_SERVICE_IDS);
+            if(swtIds instanceof String) {
+                String s = (String)value.get(SWT_SERVICE_IDS);
+                if(s.startsWith("[")) {
+                    // json format
+                    try {
+                        unifiedPathPrefixAuth.setSwtServiceIds(Config.getInstance().getMapper().readValue(s, new TypeReference>() {}));
+                    } catch (Exception e) {
+                        throw new ConfigException("could not parse the swtServiceIds json with a list of strings.");
+                    }
+                } else {
+                    // comma separated
+                    unifiedPathPrefixAuth.setSwtServiceIds(Arrays.asList(s.split("\\s*,\\s*")));
+                }
+            } else if(swtIds instanceof List ) {
                 // it must be a json array.
-                unifiedPathPrefixAuth.setJwkServiceIds((List)ids);
+                unifiedPathPrefixAuth.setSwtServiceIds((List)swtIds);
             }
             pathPrefixAuths.add(unifiedPathPrefixAuth);
         }
diff --git a/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityHandler.java b/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityHandler.java
index e4af7351..4a58cace 100644
--- a/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityHandler.java
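Review bot: The swtServiceIds block added in the @@ -164 hunk is a line-for-line copy of the jwkServiceIds block above it (same String/JSON/comma-separated/List handling, same raw cast, same catch), so the two will drift the next time one of them is fixed. I would move the parsing into one private helper that both setters call, as sketched below; behaviour is unchanged, including that a value which is neither a String nor a List leaves the field at its default null. Two smaller points in the copied code: `String s = (String)value.get(SWT_SERVICE_IDS)` re-reads the map instead of casting `swtIds`, and `catch (Exception e)` drops `e` — if `ConfigException` has a cause-taking constructor, pass it so a malformed list is diagnosable from the stack trace. setConfigList starts before this hunk, and the enclosing block closes on the hunk's last line.
```java
            unifiedPathPrefixAuth.setJwkServiceIds(parseServiceIds(value.get(JWK_SERVICE_IDS), JWK_SERVICE_IDS));
            unifiedPathPrefixAuth.setSwtServiceIds(parseServiceIds(value.get(SWT_SERVICE_IDS), SWT_SERVICE_IDS));
            // … unchanged: pathPrefixAuths.add(unifiedPathPrefixAuth) …

    /**
     * Parses a service id list from its config value: a JSON array string, a comma-separated
     * string, or an already parsed list. Returns null when the value is absent or of another type.
     *
     * @throws ConfigException when a JSON array string cannot be read as a list of strings
     */
    @SuppressWarnings("unchecked") // the List branch mirrors the raw cast the config previously did
    private static List<String> parseServiceIds(Object ids, String key) {
        if (ids instanceof String) {
            String s = (String) ids;
            if (s.startsWith("[")) {
                // json format
                try {
                    return Config.getInstance().getMapper().readValue(s, new TypeReference<List<String>>() {});
                } catch (Exception e) {
                    throw new ConfigException("could not parse the " + key + " json with a list of strings.");
                }
            }
            // comma separated
            return Arrays.asList(s.split("\\s*,\\s*"));
        } else if (ids instanceof List) {
            // it must be a json array.
            return (List<String>) ids;
        }
        return null;
    }
```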
+++ b/openapi-security/src/main/java/com/networknt/openapi/UnifiedSecurityHandler.java
@@ -6,6 +6,7 @@
 import com.networknt.handler.Handler;
 import com.networknt.handler.MiddlewareHandler;
 import com.networknt.utility.ModuleRegistry;
+import com.networknt.utility.StringUtils;
 import io.undertow.Handlers;
 import io.undertow.server.HttpHandler;
 import io.undertow.server.HttpServerExchange;
@@ -99,8 +100,50 @@ public void handleRequest(HttpServerExchange exchange) throws Exception {
                         }
                     }
                 } else if (BEARER_PREFIX.equalsIgnoreCase(authorization.substring(0, 6))) {
+                    // in the case that a bearer token is used, there are three scenarios: both jwt and swt are true, only jwt is true and only swt is true
+                    // in the first case, we need to identify if the token is jwt or swt before calling the right handler to verify it.
                     Map handlers = Handler.getHandlers();
-                    if(pathPrefixAuth.isJwt()) {
+                    if(pathPrefixAuth.isJwt() && pathPrefixAuth.isSwt()) {
+                        // both jwt and swt are enabled.
+                        boolean isJwt = StringUtils.isJwtToken(authorization);
+                        if(logger.isTraceEnabled()) logger.trace("Both jwt and swt are true and check token is jwt = {}", isJwt);
+                        if(isJwt) {
+                            JwtVerifyHandler handler = (JwtVerifyHandler) handlers.get(JWT);
+                            if (handler == null) {
+                                logger.error("Cannot find JwtVerifyHandler with alias name jwt.");
+                                setExchangeStatus(exchange, HANDLER_NOT_FOUND, "com.networknt.openapi.JwtVerifyHandler@jwt");
+                                exchange.endExchange();
+                                return;
+                            } else {
+                                // get the jwkServiceIds list.
+                                if (handler.handleJwt(exchange, pathPrefixAuth.getPathPrefix(), reqPath, pathPrefixAuth.getJwkServiceIds())) {
+                                    // verification is passed, go to the next handler in the chain.
+                                    break;
+                                } else {
+                                    // verification is not passed and an error is returned. Don't call the next handler.
+                                    return;
+                                }
+                            }
+                        } else {
+                            SwtVerifyHandler handler = (SwtVerifyHandler) handlers.get(SWT);
+                            if (handler == null) {
+                                logger.error("Cannot find SwtVerifyHandler with alias name swt.");
+                                setExchangeStatus(exchange, HANDLER_NOT_FOUND, "com.networknt.openapi.SwtVerifyHandler@swt");
+                                exchange.endExchange();
+                                return;
+                            } else {
+                                // get the jwkServiceIds list.
+                                if (handler.handleSwt(exchange, reqPath, pathPrefixAuth.getSwtServiceIds())) {
+                                    // verification is passed, go to the next handler in the chain.
+                                    break;
+                                } else {
+                                    // verification is not passed and an error is returned. Don't call the next handler.
+                                    return;
+                                }
+                            }
+                        }
+                    } else if(pathPrefixAuth.isJwt()) {
+                        // only jwt is enabled
                         JwtVerifyHandler handler = (JwtVerifyHandler) handlers.get(JWT);
                         if (handler == null) {
                             logger.error("Cannot find JwtVerifyHandler with alias name jwt.");
@@ -118,7 +161,7 @@ public void handleRequest(HttpServerExchange exchange) throws Exception {
                             }
                         }
                     } else {
-                        // this must be swt token
+                        // only swt is enabled
                         SwtVerifyHandler handler = (SwtVerifyHandler) handlers.get(SWT);
                         if (handler == null) {
                             logger.error("Cannot find SwtVerifyHandler with alias name swt.");
@@ -127,7 +170,7 @@ public void handleRequest(HttpServerExchange exchange) throws Exception {
                             return;
                         } else {
                             // get the jwkServiceIds list.
-                            if (handler.handleSwt(exchange, reqPath, pathPrefixAuth.getJwkServiceIds())) {
+                            if (handler.handleSwt(exchange, reqPath, pathPrefixAuth.getSwtServiceIds())) {
                                 // verification is passed, go to the next handler in the chain.
                                 break;
                             } else {
@@ -184,6 +227,7 @@ public void handleRequest(HttpServerExchange exchange) throws Exception {
         Handler.next(exchange, next);
     }
+    @Override
     public HttpHandler getNext() {
         return next;
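Review bot: In the new SWT branch of the both-enabled case, the comment `// get the jwkServiceIds list.` above `handler.handleSwt(exchange, reqPath, pathPrefixAuth.getSwtServiceIds())` is copied from the JWT branch and names the wrong list; it should read `// get the swtServiceIds list.`, and the same stale comment survives as context in the @@ -127 hunk below. Beyond that, the both-enabled branch repeats the jwt-only and swt-only blocks verbatim (handler lookup, HANDLER_NOT_FOUND status, break/return), so the same verification code now exists twice per token type; the sketch below keeps the exact routing (jwt and swt → token format decides, jwt only → JWT, otherwise → SWT) with a single boolean and one copy of each block. It is also worth saying in the new leading comment that `StringUtils.isJwtToken` only picks which verifier runs and establishes no trust by itself; whichever handler is chosen still has to verify the token and the request is ended when it does not. handleRequest starts and ends outside this hunk, and the jwt-only block it leads into continues past the hunk's last line.
```java
                    Map handlers = Handler.getHandlers();
                    // When both jwt and swt are enabled the token format selects the verifier; otherwise the enabled one runs.
                    // This is routing only: the selected handler still performs the verification below.
                    boolean useJwt = pathPrefixAuth.isJwt() && (!pathPrefixAuth.isSwt() || StringUtils.isJwtToken(authorization));
                    if(logger.isTraceEnabled()) logger.trace("jwt = {} swt = {} verify as jwt = {}", pathPrefixAuth.isJwt(), pathPrefixAuth.isSwt(), useJwt);
                    if(useJwt) {
                        // … unchanged: the existing JwtVerifyHandler lookup and handleJwt(..., getJwkServiceIds()) block …
                    } else {
                        // … unchanged: the existing SwtVerifyHandler lookup and handleSwt(..., getSwtServiceIds()) block …
                    }
```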