Merge pull request #15 from kimble/cookie-token

JWTAuthFilter will (if configured to do so) look through the cookies …

Author: ToastShaman

src/main/java/com/github/toastshaman/dropwizard/auth/jwt/JWTAuthFilter.java

@@ -15,10 +15,13 @@
 import javax.ws.rs.Priorities;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Cookie;
 import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.SecurityContext;
 import java.io.IOException;
 import java.security.Principal;
+import java.util.Map;
 
 @Priority(Priorities.AUTHENTICATION)
 public class JWTAuthFilter<P extends Principal> extends AuthFilter<JsonWebToken, P> {
@@ -27,62 +30,114 @@ public class JWTAuthFilter<P extends Principal> extends AuthFilter<JsonWebToken,
 
     private final JsonWebTokenVerifier tokenVerifier;
     private final JsonWebTokenParser tokenParser;
+    private final String cookieName;
 
-    private JWTAuthFilter(JsonWebTokenParser tokenParser, JsonWebTokenVerifier tokenVerifier) {
+    private JWTAuthFilter(JsonWebTokenParser tokenParser, JsonWebTokenVerifier tokenVerifier, String cookieName) {
         this.tokenParser = tokenParser;
         this.tokenVerifier = tokenVerifier;
+        this.cookieName = cookieName;
     }
 
     @Override
     public void filter(final ContainerRequestContext requestContext) throws IOException {
-        final String header = requestContext.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
+        Optional<String> optionalToken = getTokenFromCookieOrHeader(requestContext);
+
+        if (optionalToken.isPresent()) {
+            try {
+                final JsonWebToken token = verifiedToken(optionalToken);
+                final Optional<P> principal = authenticator.authenticate(token);
+
+                if (principal.isPresent()) {
+                    requestContext.setSecurityContext(new SecurityContext() {
+
+                        @Override
+                        public Principal getUserPrincipal() {
+                            return principal.get();
+                        }
+
+                        @Override
+                        public boolean isUserInRole(String role) {
+                            return authorizer.authorize(principal.get(), role);
+                        }
+
+                        @Override
+                        public boolean isSecure() {
+                            return requestContext.getSecurityContext().isSecure();
+                        }
+
+                        @Override
+                        public String getAuthenticationScheme() {
+                            return SecurityContext.BASIC_AUTH;
+                        }
+
+                    });
+                    return;
+                }
+            }
+            catch (JsonWebTokenException ex) {
+                LOGGER.warn("Error decoding credentials: " + ex.getMessage(), ex);
+            }
+            catch (AuthenticationException ex) {
+                LOGGER.warn("Error authenticating credentials", ex);
+                throw new InternalServerErrorException();
+            }
+        }
+
+        throw new WebApplicationException(unauthorizedHandler.buildResponse(prefix, realm));
+    }
+
+    private JsonWebToken verifiedToken(Optional<String> optionalToken) {
+        final String rawToken = optionalToken.get();
+        final JsonWebToken token = tokenParser.parse(rawToken);
+        tokenVerifier.verifySignature(token);
+        return token;
+    }
+
+    public Optional<String> getTokenFromCookieOrHeader(ContainerRequestContext requestContext) {
+        Optional<String> headerToken = getTokenFromHeader(requestContext.getHeaders());
+
+        if (headerToken.isPresent()) {
+            return headerToken;
+        }
+        else {
+            Optional<String> cookieToken = getTokenFromCookie(requestContext);
+
+            if (cookieToken.isPresent()) {
+                return cookieToken;
+            }
+            else {
+                return Optional.absent();
+            }
+        }
+    }
+
+    private Optional<String> getTokenFromHeader(MultivaluedMap<String, String> headers) {
+        String header = headers.getFirst(HttpHeaders.AUTHORIZATION);
         if (header != null) {
-            final int space = header.indexOf(' ');
+            int space = header.indexOf(' ');
             if (space > 0) {
-                final String method = header.substring(0, space);
+                String method = header.substring(0, space);
                 if (prefix.equalsIgnoreCase(method)) {
-                    try {
-                        final String rawToken = header.substring(space + 1);
-                        final JsonWebToken token = tokenParser.parse(rawToken);
-
-                        tokenVerifier.verifySignature(token);
-
-                        final Optional<P> principal = authenticator.authenticate(token);
-                        if (principal.isPresent()) {
-                            requestContext.setSecurityContext(new SecurityContext() {
-                                @Override
-                                public Principal getUserPrincipal() {
-                                    return principal.get();
-                                }
-
-                                @Override
-                                public boolean isUserInRole(String role) {
-                                    return authorizer.authorize(principal.get(), role);
-                                }
-
-                                @Override
-                                public boolean isSecure() {
-                                    return requestContext.getSecurityContext().isSecure();
-                                }
-
-                                @Override
-                                public String getAuthenticationScheme() {
-                                    return SecurityContext.BASIC_AUTH;
-                                }
-                            });
-                            return;
-                        }
-                    } catch (JsonWebTokenException e) {
-                        LOGGER.warn("Error decoding credentials: " + e.getMessage(), e);
-                    } catch (AuthenticationException e) {
-                        LOGGER.warn("Error authenticating credentials", e);
-                        throw new InternalServerErrorException();
-                    }
+                    String rawToken = header.substring(space + 1);
+                    return Optional.of(rawToken);
                 }
             }
         }
 
-        throw new WebApplicationException(unauthorizedHandler.buildResponse(prefix, realm));
+        return Optional.absent();
+    }
+
+    public Optional<String> getTokenFromCookie(ContainerRequestContext requestContext) {
+        Map<String, Cookie> cookies = requestContext.getCookies();
+
+        if (cookieName != null && cookies.containsKey(cookieName)) {
+            Cookie tokenCookie = cookies.get(cookieName);
+            String rawToken = tokenCookie.getValue();
+
+            return Optional.of(rawToken);
+        }
+
+        return Optional.absent();
     }
 
     /**
@@ -95,6 +150,7 @@ public static class Builder<P extends Principal> extends AuthFilterBuilder<JsonW
 
         private JsonWebTokenParser parser;
         private JsonWebTokenVerifier verifier;
+        private String cookieName;
 
         public Builder<P> setTokenParser(JsonWebTokenParser parser) {
             this.parser = parser;
@@ -106,11 +162,17 @@ public Builder<P> setTokenVerifier(JsonWebTokenVerifier verifier) {
             return this;
         }
 
+        public Builder<P> setCookieName(String cookieName) {
+            this.cookieName = cookieName;
+            return this;
+        }
+
         @Override
         protected JWTAuthFilter<P> newInstance() {
             Preconditions.checkArgument(parser != null, "JsonWebTokenParser is not set");
             Preconditions.checkArgument(verifier != null, "JsonWebTokenVerifier is not set");
-            return new JWTAuthFilter<>(parser, verifier);
+            return new JWTAuthFilter<>(parser, verifier, cookieName);
         }
     }
+
 }

src/test/java/com/github/toastshaman/dropwizard/auth/jwt/AuthBaseTest.java

@@ -25,6 +25,7 @@ public abstract class AuthBaseTest<T extends DropwizardResourceConfig> extends J
     protected static final String ORDINARY_USER = "ordinary-guy";
     protected static final String BADGUY_USER = "bad-guy";
     protected static final String BEARER_PREFIX = "Bearer";
+    protected static final String COOKIE_NAME = "jwt-token";
 
     static {
         BootstrapLogging.bootstrap();
@@ -137,6 +138,14 @@ public void transformsCredentialsToPrincipals() throws Exception {
                 .isEqualTo("'" + ADMIN_USER + "' has admin privileges");
     }
 
+    @Test
+    public void transformsCredentialsToPrincipalsWithCookie() throws Exception {
+        assertThat(target("/test/admin").request()
+                .cookie(COOKIE_NAME, getGoodGuyValidToken())
+                .get(String.class))
+                .isEqualTo("'" + ADMIN_USER + "' has admin privileges");
+    }
+
     @Test
     public void transformsCredentialsToPrincipalsWhenAuthAnnotationExistsWithoutMethodAnnotation() throws Exception {
         assertThat(target("/test/implicit-permitall").request()

src/test/java/com/github/toastshaman/dropwizard/auth/jwt/JWTAuthProviderTest.java

@@ -26,6 +26,7 @@ public class JWTAuthProviderTest extends AuthBaseTest<JWTAuthProviderTest.JWTAut
     public static class JWTAuthTestResourceConfig extends AuthBaseResourceConfig {
         protected ContainerRequestFilter getAuthFilter() {
             return new JWTAuthFilter.Builder<>()
+                    .setCookieName(COOKIE_NAME)
                     .setTokenParser(new DefaultJsonWebTokenParser())
                     .setTokenVerifier(new HmacSHA512Verifier(SECRET_KEY))
                     .setPrefix(BEARER_PREFIX)