chore: update jjwt to 12.3 to address org.json library's CVE-2023-5072 vulnerability. spring-boot 3.1.4

osahner · osahner · commit 180c89cc90a9 · 2023-10-19T09:11:52.000+02:00
diff --git a/contributed/requests/address.http b/contributed/requests/address.http
@@ -30,7 +30,7 @@ Content-Type: application/json
 {
   "username": "john.doe",
   "password": "test1234",
-  "verificationCode": "479346"
+  "verificationCode": "650364"
 }
 
 > {%
diff --git a/pom.xml b/pom.xml
@@ -5,13 +5,13 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.1.0</version>
+    <version>3.1.4</version>
     <relativePath/> <!-- lookup parent from repository -->
   </parent>
 
   <groupId>osahner</groupId>
   <artifactId>kotlin-spring-boot-rest-jpa-jwt-starter</artifactId>
-  <version>0.10.0-SNAPSHOT</version>
+  <version>0.10.1-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>kotlin spring-boot 2 rest/jpa/jwt starter</name>
@@ -22,15 +22,15 @@
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 
     <java.version>17</java.version>
-    <kotlin.version>1.8.21</kotlin.version>
+    <kotlin.version>1.9.10</kotlin.version>
 
     <jacoco-maven-plugin.version>0.8.10</jacoco-maven-plugin.version>
 
-    <jjwt.version>0.11.5</jjwt.version>
-    <poi.version>5.2.3</poi.version>
+    <jjwt.version>0.12.3</jjwt.version>
+    <poi.version>5.2.4</poi.version>
     <jasypt.version>1.9.3</jasypt.version>
-    <opencsv.version>5.7.1</opencsv.version>
-    <commons-io.version>2.11.0</commons-io.version>
+    <opencsv.version>5.8</opencsv.version>
+    <commons-io.version>2.14.0</commons-io.version>
     <aerogear-otp-java.version>1.0.0</aerogear-otp-java.version>
   </properties>
 
@@ -277,26 +277,4 @@
     </plugins>
   </build>
 
-  <repositories>
-    <repository>
-      <id>spring-milestones</id>
-      <name>Spring Milestones</name>
-      <url>https://repo.spring.io/milestone</url>
-      <snapshots>
-        <enabled>false</enabled>
-      </snapshots>
-    </repository>
-  </repositories>
-
-  <pluginRepositories>
-    <pluginRepository>
-      <id>spring-milestones</id>
-      <name>Spring Milestones</name>
-      <url>https://repo.spring.io/milestone</url>
-      <snapshots>
-        <enabled>false</enabled>
-      </snapshots>
-    </pluginRepository>
-  </pluginRepositories>
-
 </project>
diff --git a/src/main/kotlin/osahner/security/JWTAuthorizationFilter.kt b/src/main/kotlin/osahner/security/JWTAuthorizationFilter.kt
@@ -28,7 +28,7 @@ class JWTAuthorizationFilter(
       chain.doFilter(req, res)
       return
     }
-    tokenProvider.getAuthentication(header)?.also { authentication ->
+    tokenProvider.getAuthentication(header)?.let { authentication ->
       SecurityContextHolder.getContext().authentication = authentication
     }
     chain.doFilter(req, res)
diff --git a/src/main/kotlin/osahner/security/TokenProvider.kt b/src/main/kotlin/osahner/security/TokenProvider.kt
@@ -1,7 +1,6 @@
 package osahner.security
 
 import io.jsonwebtoken.Jwts
-import io.jsonwebtoken.SignatureAlgorithm
 import io.jsonwebtoken.security.Keys
 import jakarta.annotation.PostConstruct
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
@@ -11,15 +10,16 @@ import org.springframework.stereotype.Component
 import osahner.add
 import osahner.config.SecurityProperties
 import osahner.service.AppUserDetailsService
-import java.security.Key
 import java.util.*
+import javax.crypto.SecretKey
+
 
 @Component
 class TokenProvider(
   private val securityProperties: SecurityProperties,
   private val userDetailsService: AppUserDetailsService,
 ) {
-  private var key: Key? = null
+  private var key: SecretKey? = null
   private var tokenValidity: Date? = null
 
   @PostConstruct
@@ -35,20 +35,23 @@ class TokenProvider(
     }
 
     return Jwts.builder()
-      .setSubject(authentication.name)
+      .subject(authentication.name)
       .claim("auth", authClaims)
-      .setExpiration(tokenValidity)
-      .signWith(key, SignatureAlgorithm.HS512)
+      .expiration(tokenValidity)
+      .signWith(key)
       .compact()
   }
 
   fun getAuthentication(token: String): Authentication? {
+    // val jwk = Jwks.parser().build().parse(securityProperties.secret)
+
     return try {
-      val claims = Jwts.parserBuilder()
-        .setSigningKey(key)
+      val claims = Jwts.parser()
+        .verifyWith(key)
+        .clockSkewSeconds(3 * 60)
         .build()
-        .parseClaimsJws(token.replace(securityProperties.tokenPrefix, ""))
-      val userDetail = userDetailsService.loadUserByUsername(claims.body.subject)
+        .parseSignedClaims(token.replace(securityProperties.tokenPrefix, ""))
+      val userDetail = userDetailsService.loadUserByUsername(claims.payload.subject)
       val principal = User(userDetail.username, "", userDetail.authorities)
       UsernamePasswordAuthenticationToken(principal, token, userDetail.authorities)
     } catch (e: Exception) {

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ Content-Type: application/json`
`30`	`30`	`{`
`31`	`31`	`"username": "john.doe",`
`32`	`32`	`"password": "test1234",`
`33`		`- "verificationCode": "479346"`
	`33`	`+ "verificationCode": "650364"`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`> {%`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ class JWTAuthorizationFilter(`
`28`	`28`	`chain.doFilter(req, res)`
`29`	`29`	`return`
`30`	`30`	`}`
`31`		`- tokenProvider.getAuthentication(header)?.also { authentication ->`
	`31`	`+ tokenProvider.getAuthentication(header)?.let { authentication ->`
`32`	`32`	`SecurityContextHolder.getContext().authentication = authentication`
`33`	`33`	`}`
`34`	`34`	`chain.doFilter(req, res)`