diff --git a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java
index 343bd57..c0a97b5 100644
--- a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java
+++ b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java
@@ -41,6 +41,7 @@ public class GeronimoJwtAuthFilter implements Filter {
 private String headerName;
 private String cookieName;
+ private String groupsName;
 private String prefix;
 private JwtParser service;
 private GeronimoJwtAuthExtension extension;
@@ -55,6 +56,7 @@ public void init(final FilterConfig filterConfig) {
 final GeronimoJwtAuthConfig config = current.select(GeronimoJwtAuthConfig.class).get();
 headerName = config.read("header.name", "Authorization");
 cookieName = config.read("cookie.name", "Bearer");
+ groupsName = config.read("groups.name", "");
 prefix = Optional.of(config.read("header.prefix", "bearer"))
 .filter(s -> !s.isEmpty()).map(s -> s + " ")
 .orElse("");
@@ -81,7 +83,7 @@ public void doFilter(final ServletRequest request, final ServletResponse respons
 }
 try {
- final JwtRequest req = new JwtRequest(service, headerName, cookieName, prefix, httpServletRequest);
+ final JwtRequest req = new JwtRequest(service, headerName, cookieName, groupsName, prefix, httpServletRequest);
 extension.execute(req.asTokenAccessor(), () -> chain.doFilter(req, response));
 } catch (final Exception e) { // when not used with JAX-RS but directly Servlet
 final HttpServletResponse httpServletResponse = HttpServletResponse.class.cast(response);
diff --git a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/JwtRequest.java b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/JwtRequest.java
index 3e82ffc..86ef7ea 100644
--- a/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/JwtRequest.java
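Review bot: The `groups.name` default of `""` in init turns the empty string into a "not configured" sentinel, but nothing in the filter says so, and JwtRequest receives it as an ordinary claim name that it later hands to `getClaim`. Either document the convention on that line, e.g. `// groups.name: optional claim carrying the roles; blank keeps the token's standard groups`, or keep the value as an Optional so the blank case is explicit at the call site. The third hunk only threads the value through to the JwtRequest constructor; inserting the new parameter in the middle of the signature would break any other constructor callers the commit does not show, if any exist.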
+++ b/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/JwtRequest.java
@@ -18,15 +18,16 @@
 import static java.util.Collections.emptySet;
 import static java.util.stream.Collectors.toList;
+import static java.util.stream.Collectors.toSet;
 import java.security.Principal;
-import java.util.LinkedHashSet;
-import java.util.Locale;
-import java.util.Set;
+import java.util.*;
 import java.util.concurrent.Callable;
 import java.util.function.Supplier;
 import java.util.stream.Stream;
+import javax.json.JsonString;
+import javax.json.JsonValue;
 import javax.security.auth.Subject;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -40,12 +41,14 @@ public class JwtRequest extends HttpServletRequestWrapper implements TokenAccessor {
 private final Supplier tokenExtractor;
 private final String headerName;
+ private final String groupsName;
 private volatile JsonWebToken token; // cache for perf reasons
- public JwtRequest(final JwtParser service, final String header, final String cookie,
+ public JwtRequest(final JwtParser service, final String header, final String cookie, final String groupsName,
 final String prefix, final HttpServletRequest request) {
 super(request);
 this.headerName = header;
+ this.groupsName = groupsName;
 this.tokenExtractor = () -> {
 if (token != null) {
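Review bot: `import java.util.*;` replaces the three explicit imports (`LinkedHashSet`, `Locale`, `Set`) with a wildcard, which the rest of this file's import block avoids (every other line names a single type), and it hides that the new `isUserInRole` code is what introduces `HashSet` and `Optional`. Keep the explicit list and add `import java.util.HashSet;` and `import java.util.Optional;` next to it. The `toSet` static import and the two `javax.json` imports are fine as added.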
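Review bot: `this.groupsName = groupsName;` stores the new constructor parameter unchecked, and the field is later passed straight to `getClaim`, so a null from any caller other than the filter (which defaults it to `""`) would likely surface as a NullPointerException at role-check time rather than at construction. Normalise it once here, `this.groupsName = groupsName == null ? "" : groupsName;`, and give the constructor a Javadoc `@param groupsName` stating that it names the claim holding the roles and that blank means no custom claim is consulted. The constructor body continues past the end of this hunk.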
@@ -132,7 +135,20 @@ public Principal getUserPrincipal() {
 @Override
 public boolean isUserInRole(final String role) {
- return tokenExtractor.get().getGroups().contains(role);
+ final Set groups = new HashSet<>();
+ Optional.ofNullable(tokenExtractor.get().getClaim(groupsName))
+ .ifPresent(c -> {
+ if (c.getValueType() == JsonValue.ValueType.ARRAY) {
+ groups.addAll(c.asJsonArray().stream()
+ .map(grp -> ((JsonString) grp).getString())
+ .collect(toSet()));
+ } else if (c.getValueType() == JsonValue.ValueType.STRING) {
+ groups.addAll(Stream.of(JsonString.class.cast(c).getString().split(","))
+ .collect(toSet()));
+ }
+ });
+
+ return (groups.isEmpty() ? tokenExtractor.get().getGroups().contains(role) : groups.contains(role));
 }
 @Override
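Review bot: `final Set groups = new HashSet<>();` is a raw type, and the ARRAY branch casts every element with `(JsonString) grp`, so a validly signed token whose custom claim array contains a number or nested object makes `isUserInRole` throw ClassCastException instead of answering false; the STRING branch likewise splits on `,` without trimming, so `"admin, user"` produces the role `" user"`. The claim lookup also runs even when `groupsName` is blank (the filter's default), and `tokenExtractor.get()` is evaluated twice in the method. The fallback to `getGroups()` when the custom claim is absent or empty is a real authorization decision and deserves a comment saying it is intended, because as written a token lacking the configured claim is still granted roles from its standard groups. Below is a typed rewrite that filters non-string entries, trims the comma-separated form, and short-circuits on a blank claim name; whether trimming is wanted is a project call.
```java
    @Override
    public boolean isUserInRole(final String role) {
        final JsonWebToken jwt = tokenExtractor.get();
        if (groupsName == null || groupsName.isEmpty()) {
            return jwt.getGroups().contains(role); // no custom claim configured
        }
        final Set<String> groups = new HashSet<>();
        final JsonValue claim = jwt.getClaim(groupsName);
        if (claim != null && claim.getValueType() == JsonValue.ValueType.ARRAY) {
            claim.asJsonArray().stream()
                    .filter(JsonString.class::isInstance) // skip non-string entries instead of throwing
                    .map(v -> ((JsonString) v).getString())
                    .forEach(groups::add);
        } else if (claim != null && claim.getValueType() == JsonValue.ValueType.STRING) {
            Stream.of(((JsonString) claim).getString().split(","))
                    .map(String::trim)
                    .filter(s -> !s.isEmpty())
                    .forEach(groups::add);
        }
        // intended fallback: an absent or empty custom claim defers to the standard groups claim
        return groups.isEmpty() ? jwt.getGroups().contains(role) : groups.contains(role);
    }
```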