From 822e32f030f2fedfa4ed52d357f4328e963da886 Mon Sep 17 00:00:00 2001 From: Enrique Gonzalez Martinez Date: Wed, 6 Mar 2024 11:27:06 +0100 Subject: [PATCH 1/4] [incubator-kie-issues-994] kafka auth feature with message header records --- .../java/org/kie/server/jms/KieServerMDB.java | 8 +++--- ...dapter.java => BrokerSecurityAdapter.java} | 5 ++-- .../services/jbpm/JbpmKieServerExtension.java | 6 ++--- ...apter.java => BrokerUserGroupAdapter.java} | 6 ++--- .../jbpm/kafka/KafkaServerConsumer.java | 26 ++++++++++++++----- 5 files changed, 33 insertions(+), 18 deletions(-) rename kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/{JMSSecurityAdapter.java => BrokerSecurityAdapter.java} (98%) rename kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/security/{JMSUserGroupAdapter.java => BrokerUserGroupAdapter.java} (81%) diff --git a/kie-server-parent/kie-server-remote/kie-server-jms/src/main/java/org/kie/server/jms/KieServerMDB.java b/kie-server-parent/kie-server-remote/kie-server-jms/src/main/java/org/kie/server/jms/KieServerMDB.java index a3ff0d9316..f6f9ab2416 100644 --- a/kie-server-parent/kie-server-remote/kie-server-jms/src/main/java/org/kie/server/jms/KieServerMDB.java +++ b/kie-server-parent/kie-server-remote/kie-server-jms/src/main/java/org/kie/server/jms/KieServerMDB.java @@ -51,7 +51,7 @@ import org.kie.server.services.api.KieServerExtension; import org.kie.server.services.impl.KieServerImpl; import org.kie.server.services.impl.KieServerLocator; -import org.kie.server.services.impl.security.adapters.JMSSecurityAdapter; +import org.kie.server.services.impl.security.adapters.BrokerSecurityAdapter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -208,7 +208,7 @@ public void onMessage(Message message) { logger.warn("Unable to retrieve user name and/or password, from message"); } if (username != null && password != null) { - JMSSecurityAdapter.login(username, password); + BrokerSecurityAdapter.login(username, password); } else { logger.warn("Unable to login to JMSSecurityAdapter, user name and/or password missing"); } @@ -320,10 +320,10 @@ public void onMessage(Message message) { } catch (JMSRuntimeException runtimeException) { logger.error("Error while attempting to close connection/session",runtimeException); } finally { - JMSSecurityAdapter.logout(); + BrokerSecurityAdapter.logout(); } } else { - JMSSecurityAdapter.logout(); + BrokerSecurityAdapter.logout(); } } diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/JMSSecurityAdapter.java b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/BrokerSecurityAdapter.java similarity index 98% rename from kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/JMSSecurityAdapter.java rename to kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/BrokerSecurityAdapter.java index 323476676d..7de7e14b03 100644 --- a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/JMSSecurityAdapter.java +++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/BrokerSecurityAdapter.java 
@@ -43,8 +43,9 @@ import org.wildfly.security.auth.server.SecurityIdentity; import org.wildfly.security.evidence.Evidence; -public class JMSSecurityAdapter implements SecurityAdapter { - private static final Logger logger = LoggerFactory.getLogger(JMSSecurityAdapter.class); +public class BrokerSecurityAdapter implements SecurityAdapter { + + private static final Logger logger = LoggerFactory.getLogger(BrokerSecurityAdapter.class); private static final ServiceLoader securityAdapters = ServiceLoader.load(SecurityAdapter.class); private static List adapters = new ArrayList<>(); diff --git a/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/JbpmKieServerExtension.java b/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/JbpmKieServerExtension.java index 16b047ef55..c8db43c821 100644 --- a/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/JbpmKieServerExtension.java +++ b/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/JbpmKieServerExtension.java @@ -128,7 +128,7 @@ import org.kie.server.services.jbpm.jpa.PersistenceUnitInfoImpl; import org.kie.server.services.jbpm.jpa.PersistenceUnitInfoLoader; import org.kie.server.services.jbpm.security.ElytronUserGroupCallbackImpl; -import org.kie.server.services.jbpm.security.JMSUserGroupAdapter; +import org.kie.server.services.jbpm.security.BrokerUserGroupAdapter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -226,11 +226,11 @@ protected void configureServices(KieServerImpl kieServer, KieServerRegistry regi if (ElytronIdentityProvider.available()) { System.setProperty(KieServerConstants.CFG_HT_CALLBACK, "custom"); String name = ElytronUserGroupCallbackImpl.class.getName(); - ElytronUserGroupCallbackImpl.addExternalUserGroupAdapter(new JMSUserGroupAdapter()); + ElytronUserGroupCallbackImpl.addExternalUserGroupAdapter(new BrokerUserGroupAdapter()); System.setProperty(KieServerConstants.CFG_HT_CALLBACK_CLASS, name); } else { System.setProperty(KieServerConstants.CFG_HT_CALLBACK, "jaas"); - JAASUserGroupCallbackImpl.addExternalUserGroupAdapter(new JMSUserGroupAdapter()); + JAASUserGroupCallbackImpl.addExternalUserGroupAdapter(new BrokerUserGroupAdapter()); } } diff --git a/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/security/JMSUserGroupAdapter.java b/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/security/BrokerUserGroupAdapter.java similarity index 81% rename from kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/security/JMSUserGroupAdapter.java rename to kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/security/BrokerUserGroupAdapter.java index b3f0fee0f3..7c94da3584 100644 --- a/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/security/JMSUserGroupAdapter.java +++ b/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/java/org/kie/server/services/jbpm/security/BrokerUserGroupAdapter.java 
@@ -19,11 +19,11 @@ import java.util.List; import org.jbpm.services.task.identity.adapter.UserGroupAdapter; -import org.kie.server.services.impl.security.adapters.JMSSecurityAdapter; +import org.kie.server.services.impl.security.adapters.BrokerSecurityAdapter; -public class JMSUserGroupAdapter implements UserGroupAdapter { +public class BrokerUserGroupAdapter implements UserGroupAdapter { - private JMSSecurityAdapter jmsSecurityAdapter = new JMSSecurityAdapter(); + private BrokerSecurityAdapter jmsSecurityAdapter = new BrokerSecurityAdapter(); @Override public List getGroupsForUser(String userId) { diff --git a/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java b/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java index d0e22d3fe0..7964dd4618 100644 --- a/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java +++ b/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java @@ -14,19 +14,13 @@ */ package org.kie.server.services.jbpm.kafka; -import static org.kie.server.services.jbpm.kafka.KafkaServerUtils.KAFKA_EXTENSION_PREFIX; - import java.io.IOException; import java.time.Duration; -import java.util.HashMap; import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; -import java.util.concurrent.LinkedBlockingQueue; -import java.util.concurrent.ThreadPoolExecutor; -import java.util.concurrent.TimeUnit; import java.util.concurrent.atomic.AtomicReference; import java.util.concurrent.locks.Condition; import java.util.concurrent.locks.Lock; 
@@ -37,15 +31,21 @@ import org.apache.kafka.clients.consumer.ConsumerRecord; import org.apache.kafka.clients.consumer.ConsumerRecords; import org.apache.kafka.common.errors.WakeupException; +import org.apache.kafka.common.header.Header; import org.jbpm.kie.services.impl.KModuleDeploymentUnit; import org.jbpm.services.api.DeploymentEvent; import org.jbpm.services.api.ProcessService; import org.jbpm.services.api.model.MessageDesc; import org.jbpm.services.api.model.SignalDesc; import org.jbpm.services.api.model.SignalDescBase; +import org.kie.server.services.impl.security.adapters.BrokerSecurityAdapter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import static org.kie.server.api.jms.JMSConstants.PASSWRD_PROPERTY_NAME; +import static org.kie.server.api.jms.JMSConstants.USER_PROPERTY_NAME; +import static org.kie.server.services.jbpm.kafka.KafkaServerUtils.KAFKA_EXTENSION_PREFIX; + class KafkaServerConsumer implements Runnable { private static final Logger logger = LoggerFactory.getLogger(KafkaServerConsumer.class); @@ -232,10 +232,24 @@ private void processMessage(ConsumerRecord event, processEvent(event, deploymentId, message, messageSignaller); } + private String getValue(Header header) { + return header != null && header.value() != null ? new String(header.value()) : ""; + } + private void processEvent(ConsumerRecord event, String deploymentId, SignalDescBase signal, Signaller signaller) { + + String username = getValue(event.headers().lastHeader(USER_PROPERTY_NAME)); + String password = getValue(event.headers().lastHeader(PASSWRD_PROPERTY_NAME)); + + if (username != null && password != null) { + BrokerSecurityAdapter.login(username, password); + } else { + logger.debug("Unable to login to JMSSecurityAdapter, user name and/or password missing for user{}", username); + } + try { String signalName = signal.getName(); ClassLoader cl = classLoaders.get(deploymentId); From 8b0d55eb3cb3aad1cbc27216441ffe56c1ad42d6 Mon Sep 17 00:00:00 2001 
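Review bot: The `username != null && password != null` guard added in processEvent can never be false, because the new `getValue` returns `""` for a missing or empty header, so `BrokerSecurityAdapter.login("", "")` runs for every record that carries no credentials and the debug branch is dead. Either let `getValue` return null when the header is absent, `return header != null && header.value() != null ? new String(header.value(), StandardCharsets.UTF_8) : null;`, or test `!username.isEmpty()` as well. `new String(byte[])` also decodes with the platform charset; the header bytes should be decoded as UTF-8 explicitly. Unlike `KieServerMDB.onMessage` in this same patch, there is no matching `BrokerSecurityAdapter.logout()` in a `finally`, so the identity set here presumably stays on the consumer thread for the next record. processEvent's body continues past the end of the hunk.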
From: Enrique Gonzalez Martinez Date: Wed, 13 Mar 2024 12:35:53 +0100 Subject: [PATCH 2/4] integration java-jwt --- .../org/kie/server/api/jms/JMSConstants.java | 1 + .../kie-server-services-common/pom.xml | 5 + .../security/adapters/JwtSecurityAdaptor.java | 39 ++++++ .../server/services/impl/util/JwtService.java | 98 +++++++++++++++ .../services/impl/util/JwtUserDetails.java | 46 +++++++ ...rg.kie.server.api.security.SecurityAdapter | 3 +- .../services/impl/util/JwtUtilTest.java | 115 ++++++++++++++++++ .../jbpm/kafka/KafkaServerConsumer.java | 15 ++- 8 files changed, 320 insertions(+), 2 deletions(-) create mode 100644 kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/JwtSecurityAdaptor.java create mode 100644 kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java create mode 100644 kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtUserDetails.java create mode 100644 kie-server-parent/kie-server-services/kie-server-services-common/src/test/java/org/kie/server/services/impl/util/JwtUtilTest.java diff --git a/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/jms/JMSConstants.java b/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/jms/JMSConstants.java index beaa60b74e..40d4d19863 100644 --- a/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/jms/JMSConstants.java +++ b/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/jms/JMSConstants.java 
@@ -27,6 +27,7 @@ public class JMSConstants { public static final String TARGET_CAPABILITY_PROPERTY_NAME = "kie_target_capability"; public static final String USER_PROPERTY_NAME = "kie_user"; public static final String PASSWRD_PROPERTY_NAME = "kie_password"; + public static final String ASSERTION_PROPERTY_NAME = "kie_token"; public static final String INTERACTION_PATTERN_PROPERTY_NAME = "kie_interaction_pattern"; diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/pom.xml b/kie-server-parent/kie-server-services/kie-server-services-common/pom.xml index a8300cbdd5..70d4e92b6f 100644 --- a/kie-server-parent/kie-server-services/kie-server-services-common/pom.xml +++ b/kie-server-parent/kie-server-services/kie-server-services-common/pom.xml @@ -203,6 +203,11 @@ test + + com.auth0 + java-jwt + + org.glassfish.jaxb jaxb-runtime diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/JwtSecurityAdaptor.java b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/JwtSecurityAdaptor.java new file mode 100644 index 0000000000..19a07d6dd3 --- /dev/null +++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/security/adapters/JwtSecurityAdaptor.java 
@@ -0,0 +1,39 @@
+package org.kie.server.services.impl.security.adapters;
+
+import java.util.List;
+
+import org.kie.server.api.security.SecurityAdapter;
+import org.kie.server.services.impl.util.JwtUserDetails;
+
+public class JwtSecurityAdaptor implements SecurityAdapter {
+
+ private static ThreadLocal threadLocal = new ThreadLocal() {
+ @Override
+ public JwtUserDetails initialValue() {
+ return new JwtUserDetails();
+ }
+ };
+
+ public static void login(JwtUserDetails userDetails) {
+ threadLocal.set(userDetails);
+ }
+
+ @Override
+ public String getUser(Object... params) {
+ JwtUserDetails userDetails = threadLocal.get();
+ if (!userDetails.isLogged()) {
+ return null;
+ }
+ return userDetails.getUser();
+ }
+
+ @Override
+ public List getRoles(Object... params) {
+ return threadLocal.get().getRoles();
+ }
+
+ public static void logout() {
+ threadLocal.set(null);
+ }
+
+}
diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java
new file mode 100644
index 0000000000..e7bef3e902
--- /dev/null
+++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java
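Review bot: `logout()` calls `threadLocal.set(null)`, which stores an explicit null rather than resetting the slot to `initialValue()`, so the next `getUser`/`getRoles` on that thread dereferences null in `userDetails.isLogged()` and `threadLocal.get().getRoles()`; use `threadLocal.remove();` so the empty `JwtUserDetails` is recreated on the next lookup. Because this adapter is also registered in `META-INF/services` in this patch, any `SecurityAdapter` lookup on a thread that has logged out presumably takes this path, not only the Kafka consumer. The field appears here as a raw `ThreadLocal`; if the type argument was lost in rendering ignore this, otherwise it should be `ThreadLocal<JwtUserDetails>`. A class-level Javadoc saying that the identity is thread-confined and that `login` must be paired with `logout` in a `finally` would help the next caller.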
@@ -0,0 +1,98 @@ +/* + * Copyright 2024 Red Hat, Inc. and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. +*/ + +package org.kie.server.services.impl.util; + +import java.security.interfaces.RSAPrivateKey; +import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import com.auth0.jwt.JWT; +import com.auth0.jwt.algorithms.Algorithm; +import com.auth0.jwt.exceptions.JWTVerificationException; +import com.auth0.jwt.interfaces.Claim; +import com.auth0.jwt.interfaces.DecodedJWT; +import com.auth0.jwt.interfaces.JWTVerifier; + +public class JwtService { + + private JWTVerifier verifier; + + private Algorithm algorithm; + private String issuer; + + private JwtService() { + this(Algorithm.none()); + } + + private JwtService(Algorithm algorithm) { + this(algorithm, "jBPM"); + } + + private JwtService(Algorithm algorithm, String issuer) { + this.issuer = issuer; + this.algorithm = algorithm; + this.verifier = JWT.require(algorithm) + .withIssuer(issuer) + .build(); + } + + public String getIssuer() { + return issuer; + } + + public String token(String user, String ...roles) { + return JWT.create().withIssuer(this.issuer).withSubject(user).withClaim("roles", Arrays.asList(roles)).sign(algorithm); + } + + public static JwtServiceBuilder newJwtServiceBuilder() { + return new JwtServiceBuilder(); + } + + public static class JwtServiceBuilder { + Algorithm algorithm; + String issuer; + + public JwtServiceBuilder 
keys(RSAPublicKey publicKey, RSAPrivateKey privateKey) { + this.algorithm = Algorithm.RSA256(publicKey, privateKey); + return this; + } + + public JwtServiceBuilder issuer(String issuer) { + this.issuer = issuer; + return this; + } + + public JwtService build() { + return new JwtService(algorithm != null ? algorithm : Algorithm.none(), issuer != null ? issuer : "jBPM"); + } + + } + + public JwtUserDetails decodeUserDetails(String token) { + try { + DecodedJWT decodedJWT = verifier.verify(token); + String user = decodedJWT.getSubject(); + Claim rolesClaim = decodedJWT.getClaim("roles"); + List roles = rolesClaim.asList(String.class); + return new JwtUserDetails(user, roles != null ? roles : new ArrayList<>()); + } catch (JWTVerificationException exception) { + throw new IllegalArgumentException(exception); + } + } + +} diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtUserDetails.java b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtUserDetails.java new file mode 100644 index 0000000000..277bcabd54 --- /dev/null +++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtUserDetails.java 
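Review bot: `JwtService` falls back to `Algorithm.none()` both in the no-arg private constructor and in `JwtServiceBuilder.build()` when no keys were supplied, so a service built without keys — which is exactly what `KafkaServerConsumer`'s constructor does later in this patch with `JwtService.newJwtServiceBuilder().build()` — verifies nothing and adopts whatever subject and `roles` claim arrive in the `kie_token` header as the caller identity. An unverified token should not be the default: make `build()` throw `IllegalStateException` when `algorithm` is null (keeping unsigned tokens behind an explicit opt-in for tests), and log at startup which algorithm the verifier uses. Patch 3/4's diffstat touches `JwtService.java` and the consumer ("add security and integration check with RSA"), but those hunks are outside this view, so I cannot tell whether the default is removed there. `decodeUserDetails` also accepts a token with no `exp` claim indefinitely; requiring `exp` in the `JWT.require(algorithm)` chain would bound token lifetime, and a Javadoc on `token(...)` should state that it mints a token with the service's own algorithm and is intended for tests and trusted producers.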
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2024 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+*/
+package org.kie.server.services.impl.util;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class JwtUserDetails {
+ String user;
+ List roles;
+
+ public JwtUserDetails() {
+ this.user = null;
+ this.roles = new ArrayList<>();
+ }
+
+ public JwtUserDetails(String user, List roles) {
+ this.user = user;
+ this.roles = roles;
+ }
+
+ public List getRoles() {
+ return roles;
+ }
+
+ public String getUser() {
+ return user;
+ }
+
+ public boolean isLogged() {
+ return user != null;
+ }
+
+}
\ No newline at end of file
diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter
index c600341695..75a44eb4cd 100644
--- a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter
+++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter
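Review bot: The fields `user` and `roles` are package-private and non-final, and the two-arg constructor stores the caller's list by reference while `getRoles()` hands the same list back, so any caller of the adapter can mutate the role set of the logged-in identity. Make both fields `private final` and snapshot the list in the constructor, `this.roles = roles != null ? Collections.unmodifiableList(new ArrayList<>(roles)) : new ArrayList<>();` (`Collections` needs an import; `List.copyOf(roles)` is the shorter form on Java 10+). `List` appears raw here; if that is rendering loss ignore it, otherwise it should be `List<String>` throughout.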
@@ -1,4 +1,5 @@
 org.kie.server.services.impl.security.adapters.TomcatSecurityAdapter
 org.kie.server.services.impl.security.adapters.JMSSecurityAdapter
 org.kie.server.services.impl.security.adapters.WeblogicSecurityAdapter
-org.kie.server.services.impl.security.adapters.WebSphereSecurityAdapter
\ No newline at end of file
+org.kie.server.services.impl.security.adapters.WebSphereSecurityAdapter
+org.kie.server.services.impl.security.adapters.JwtSecurityAdaptor
\ No newline at end of file
diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/test/java/org/kie/server/services/impl/util/JwtUtilTest.java b/kie-server-parent/kie-server-services/kie-server-services-common/src/test/java/org/kie/server/services/impl/util/JwtUtilTest.java
new file mode 100644
index 0000000000..b142e97b41
--- /dev/null
+++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/test/java/org/kie/server/services/impl/util/JwtUtilTest.java
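Review bot: The unchanged second entry still names `org.kie.server.services.impl.security.adapters.JMSSecurityAdapter`, which patch 1/4 of this series renamed to `BrokerSecurityAdapter`, so `ServiceLoader.load(SecurityAdapter.class)` in `BrokerSecurityAdapter` would hit a `ServiceConfigurationError` for the missing class at the first lookup. Patch 3/4's diffstat shows a one-line change to this file, presumably that fix, but within this commit the registry is broken; the entry should read `org.kie.server.services.impl.security.adapters.BrokerSecurityAdapter`.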
@@ -0,0 +1,115 @@ +package org.kie.server.services.impl.util; + +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.interfaces.RSAPrivateKey; +import java.security.interfaces.RSAPublicKey; +import java.util.Arrays; + +import org.assertj.core.api.Assertions; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.auth0.jwt.JWT; +import com.auth0.jwt.algorithms.Algorithm; + +public class JwtUtilTest { + + private static Logger LOGGER = LoggerFactory.getLogger(JwtUtilTest.class); + + @Test + public void testJwtSigned() throws Exception { + + KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); + KeyPair keyPair = kpg.generateKeyPair(); + + JwtService service = JwtService.newJwtServiceBuilder() + .keys((RSAPublicKey) keyPair.getPublic(), (RSAPrivateKey) keyPair.getPrivate()) + .issuer("jBPM") + .build(); + + String token = service.token("myUser", "role1", "role2"); + + JwtUserDetails user = service.decodeUserDetails(token); + Assertions.assertThat(user.getUser()).isEqualTo("myUser"); + Assertions.assertThat(user.getRoles()).containsExactly("role1", "role2"); + } + + @Test(expected = IllegalArgumentException.class) + public void testJwtBadSigned() throws Exception { + + KeyPairGenerator kpgIn = KeyPairGenerator.getInstance("RSA"); + KeyPair keyPairIn = kpgIn.generateKeyPair(); + + JwtService serviceInput = JwtService.newJwtServiceBuilder() + .keys((RSAPublicKey) keyPairIn.getPublic(), (RSAPrivateKey) keyPairIn.getPrivate()) + .issuer("jBPM") + .build(); + + String token = serviceInput.token("myUser", "role1", "role2"); + + KeyPairGenerator kpgOut = KeyPairGenerator.getInstance("RSA"); + KeyPair keyPairOut = kpgOut.generateKeyPair(); + + JwtService serviceOutput = JwtService.newJwtServiceBuilder() + .keys((RSAPublicKey) keyPairOut.getPublic(), (RSAPrivateKey) keyPairOut.getPrivate()) + .issuer("jBPM") + .build(); + + serviceOutput.decodeUserDetails(token); + } + + @Test + public void 
testJwtNotSigned() throws Exception { + JwtService service = JwtService.newJwtServiceBuilder() + .issuer("jBPM") + .build(); + + String token = service.token("myUser", "role1", "role2"); + LOGGER.info(token); + + JwtUserDetails user = service.decodeUserDetails(token); + Assertions.assertThat(user.getUser()).isEqualTo("myUser"); + Assertions.assertThat(user.getRoles()).containsExactly("role1", "role2"); + } + + @Test + public void testJwtMissingSubjectInfo() throws Exception { + String token = JWT.create().withIssuer("jBPM").withClaim("roles", Arrays.asList("role1")).sign(Algorithm.none()); + LOGGER.info(token); + + JwtService service = JwtService.newJwtServiceBuilder() + .issuer("jBPM") + .build(); + JwtUserDetails user = service.decodeUserDetails(token); + Assertions.assertThat(user.getUser()).isNull(); + Assertions.assertThat(user.getRoles()).containsExactly("role1"); + } + + @Test + public void testJwtMissingRolesInfo() throws Exception { + String token = JWT.create().withIssuer("jBPM").withSubject("myUser").sign(Algorithm.none()); + LOGGER.info(token); + + JwtService service = JwtService.newJwtServiceBuilder() + .issuer("jBPM") + .build(); + JwtUserDetails user = service.decodeUserDetails(token); + Assertions.assertThat(user.getUser()).isEqualTo("myUser"); + Assertions.assertThat(user.getRoles()).isEmpty(); + } + + @Test + public void testJwtEmptyToken() throws Exception { + String token = JWT.create().withIssuer("jBPM").sign(Algorithm.none()); + LOGGER.info(token); + + JwtService service = JwtService.newJwtServiceBuilder() + .issuer("jBPM") + .build(); + JwtUserDetails user = service.decodeUserDetails(token); + Assertions.assertThat(user.getUser()).isNull(); + Assertions.assertThat(user.getRoles()).isEmpty(); + } +} 
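Review bot: The only negative case, `testJwtBadSigned`, covers a token signed with a different RSA key; there is no test that a service built with keys rejects a token minted with `Algorithm.none()` (the same `JWT.create()...sign(Algorithm.none())` the other tests use), nor one for a wrong issuer, which are the checks that matter once tokens arrive from an external producer. Adding `@Test(expected = IllegalArgumentException.class)` cases for an unsigned token against a keyed service and for `withIssuer("other")` would pin the verifier's behaviour. `LOGGER.info(token)` in several tests prints credential-shaped material into the build log; drop it or use debug.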
diff --git a/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java b/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java index 7964dd4618..190a4896f2 100644 --- a/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java +++ b/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java @@ -38,6 +38,9 @@ import org.jbpm.services.api.model.MessageDesc; import org.jbpm.services.api.model.SignalDesc; import org.jbpm.services.api.model.SignalDescBase; +import org.kie.server.api.jms.JMSConstants; +import org.kie.server.services.impl.security.adapters.JwtSecurityAdaptor; +import org.kie.server.services.impl.util.JwtService; import org.kie.server.services.impl.security.adapters.BrokerSecurityAdapter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -67,11 +70,14 @@ class KafkaServerConsumer implements Runnable { private Supplier> consumerSupplier; private KafkaEventProcessorFactory factory; + private JwtService jwtService; + public KafkaServerConsumer(KafkaEventProcessorFactory factory, Supplier> consumerSupplier, ProcessService processService) { this.factory = factory; this.consumerSupplier = consumerSupplier; this.processService = processService; + this.jwtService = JwtService.newJwtServiceBuilder().build(); } void addRegistration(DeploymentEvent event) { 
@@ -243,7 +249,7 @@ private void processEvent(ConsumerRecord event, String username = getValue(event.headers().lastHeader(USER_PROPERTY_NAME)); String password = getValue(event.headers().lastHeader(PASSWRD_PROPERTY_NAME)); - + String token = getValue(event.headers().lastHeader(JMSConstants.ASSERTION_PROPERTY_NAME)); if (username != null && password != null) { BrokerSecurityAdapter.login(username, password); } else { @@ -251,6 +257,9 @@ private void processEvent(ConsumerRecord event, } try { + if (token != null) { + JwtSecurityAdaptor.login(jwtService.decodeUserDetails(token)); + } String signalName = signal.getName(); ClassLoader cl = classLoaders.get(deploymentId); Class valueType = Object.class; @@ -267,8 +276,12 @@ private void processEvent(ConsumerRecord event, deploymentId, value); } catch (ClassNotFoundException ex) { logger.error("Class not found in deployment id {}", deploymentId, ex); + } catch (IllegalArgumentException e) { + logger.error("Exception token login {}", token, e); } catch (RuntimeException | IOException ex) { logger.error("Exception deserializing event", ex); + } finally { + JwtSecurityAdaptor.logout(); } } } From 64a821a081d102d15f8f62e4bf195b72c28e9463 Mon Sep 17 00:00:00 2001 From: Enrique Gonzalez Martinez Date: Thu, 14 Mar 2024 10:13:42 +0100 Subject: [PATCH 3/4] add security and integration check with RSA --- .../kie/server/api/KieServerConstants.java | 1 + .../kie/server/common/KeyStoreHelperUtil.java | 39 ++++++++++++- .../server/common/KeyStoreHelperUtilTest.java | 57 ++++++++++++++++++- .../server/services/impl/util/JwtService.java | 10 +++- ...rg.kie.server.api.security.SecurityAdapter | 2 +- ...ces.task.identity.adapter.UserGroupAdapter | 2 +- .../jbpm/kafka/KafkaServerConsumer.java | 33 +++++++---- 7 files changed, 127 insertions(+), 17 deletions(-) 
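Review bot: `if (token != null)` in the second hunk on this line can never be false, because `getValue` returns `""` for an absent header, so every record without a `kie_token` header reaches `jwtService.decodeUserDetails("")`; java-jwt rejects a string that is not three dot-separated parts with a `JWTDecodeException`, which `decodeUserDetails` rethrows as `IllegalArgumentException`, so — unless I misread `getValue` — credential-less records are logged as token-login failures and never reach `signalName`, a regression for every existing producer. Guard on content, `if (token != null && !token.isEmpty()) {`, or make `getValue` return null when the header is missing. The same always-true guard applies to the username/password check in the first hunk, carried over from patch 1/4. Both hunks sit inside processEvent, whose start and end are outside this view.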
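Review bot: `logger.error("Exception token login {}", token, e)` in the third hunk on this line writes the raw bearer token into the error log; a rejected token is still a credential (it may be valid for another issuer or merely expired), so log the failure without it, `logger.error("Token login failed for deployment {}", deploymentId, e);`. The new `finally` only calls `JwtSecurityAdaptor.logout()`; the `BrokerSecurityAdapter.login` done a few lines earlier in this method has no matching logout here, unlike `KieServerMDB.onMessage`, so the username/password identity remains on the consumer thread. The method continues outside the hunk.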
diff --git a/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/KieServerConstants.java b/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/KieServerConstants.java index ce2bf88373..692061fb76 100644 --- a/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/KieServerConstants.java +++ b/kie-server-parent/kie-server-api/src/main/java/org/kie/server/api/KieServerConstants.java @@ -86,6 +86,7 @@ public class KieServerConstants { public static final String CFG_KIE_USER = "org.kie.server.user"; public static final String CFG_KIE_PASSWORD = "org.kie.server.pwd"; public static final String CFG_KIE_TOKEN = "org.kie.server.token"; + public static final String CFG_KIE_ISSUER = "org.kie.server.issuer"; /** * Security settings used to connect to KIE Server Controller diff --git a/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java b/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java index 999234ff06..ec0b0a09b9 100644 --- a/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java +++ b/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java @@ -1,8 +1,18 @@ package org.kie.server.common; +import java.security.Key; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; import java.util.HashSet; import java.util.Set; +import org.drools.core.util.KeyStoreConstants; import org.drools.core.util.KeyStoreHelper; import org.kie.server.api.KieServerConstants; import org.kie.server.api.model.KieServerConfig; 
@@ -16,7 +26,10 @@ public class KeyStoreHelperUtil {
 private static final String PROP_PWD_SERVER_PWD = "kie.keystore.key.server.pwd";
 // the private key identifier for controller
- private static final String PROP_PWD_CTRL_ALIAS = "kie.keystore.key.ctrl.alias";
+ public static final String PROP_PWD_JWT_ALIAS = "kie.keystore.key.jwt.alias";
+
+ // the private key identifier for controller
+ private static final String PROP_PWD_CTRL_ALIAS = "kie.keystore.key.ctrl.alias";
 // the private key identifier for controller
 private static final String PROP_PWD_CTRL_PWD = "kie.keystore.key.ctrl.pwd";
@@ -37,6 +50,30 @@ public static String loadControllerPassword(final String defaultPassword) {
 return loadPasswordKey(PROP_PWD_CTRL_ALIAS, PROP_PWD_CTRL_PWD, defaultPassword);
 }
+ public static KeyPair getJwtKeyPair() {
+ String pwdKeyAlias = System.getProperty(PROP_PWD_JWT_ALIAS, "");
+ String pwdKeyPassword = System.getProperty(KeyStoreConstants.PROP_PVT_KS_PWD, "");
+ return getJwtKeyPair(pwdKeyAlias, pwdKeyPassword);
+ }
+
+ public static KeyPair getJwtKeyPair(String pwdKeyAlias, String pwdKeyPassword) {
+ try {
+ KeyStoreHelper keyStoreHelper = KeyStoreHelper.get();
+ KeyStore keystore = keyStoreHelper.getPvtKeyStore();
+ Key key = (PrivateKey) keystore.getKey(pwdKeyAlias, pwdKeyPassword.toCharArray());
+ if (key instanceof PrivateKey) {
+ // Get certificate of public key
+ Certificate cert = keystore.getCertificate(pwdKeyAlias);
+ PublicKey publicKey = cert.getPublicKey();
+ return new KeyPair(publicKey, (PrivateKey) key);
+ }
+ return null;
+ } catch (RuntimeException | UnrecoverableKeyException | KeyStoreException | NoSuchAlgorithmException re) {
+ logger.warn("Unable to load key store. Using password from configuration");
+ }
+ return null;
+ }
+
 public static String loadPasswordKey(String pwdKeyAliasProperty, String pwdKeyPasswordProperty, String defaultPassword) {
 String passwordKey;
 KeyStoreHelper keyStoreHelper = KeyStoreHelper.get();
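Review bot: In the first hunk the new `PROP_PWD_JWT_ALIAS` is inserted directly under the existing `// the private key identifier for controller` comment, so the only comment describing the JWT alias is the controller one, and the controller comment is then duplicated above `PROP_PWD_CTRL_ALIAS`. Give the new constant its own line, e.g. `// alias of the keystore entry holding the JWT key pair (see getJwtKeyPair)`, and keep the existing comment for the controller alias only.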
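Review bot: In `getJwtKeyPair(String, String)` the `(PrivateKey)` cast on the `keystore.getKey(...)` line runs before the `instanceof PrivateKey` check, so an alias holding a secret-key entry throws ClassCastException into the catch instead of reaching `return null`, and `keystore.getCertificate(pwdKeyAlias)` can return null, which NPEs in the same way. Both land in the catch-all, whose message `Unable to load key store. Using password from configuration` is copied from loadPasswordKey and is wrong for this method; it also drops `re`, so the actual cause (bad alias, wrong key password, unreadable store) never reaches the operator and the caller only sees null. Drop the cast, null-check the certificate, and log the cause together with the alias as below.
```java
public static KeyPair getJwtKeyPair(String pwdKeyAlias, String pwdKeyPassword) {
    try {
        KeyStoreHelper keyStoreHelper = KeyStoreHelper.get();
        KeyStore keystore = keyStoreHelper.getPvtKeyStore();
        Key key = keystore.getKey(pwdKeyAlias, pwdKeyPassword.toCharArray());
        Certificate cert = keystore.getCertificate(pwdKeyAlias);
        if (key instanceof PrivateKey && cert != null) {
            return new KeyPair(cert.getPublicKey(), (PrivateKey) key);
        }
        logger.warn("No private key entry with a certificate found under alias {}", pwdKeyAlias);
        return null;
    } catch (RuntimeException | UnrecoverableKeyException | KeyStoreException | NoSuchAlgorithmException re) {
        logger.warn("Unable to load JWT key pair for alias {}", pwdKeyAlias, re);
    }
    return null;
}
```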
diff --git a/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java b/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java
index 22ca79afcc..8166479b70 100644
--- a/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java
+++ b/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java
@@ -16,32 +16,83 @@
 package org.kie.server.common;
+import java.net.URI;
+import java.nio.file.Paths;
+
+import org.drools.core.util.KeyStoreConstants;
+import org.drools.core.util.KeyStoreHelper;
+import org.junit.BeforeClass;
 import org.junit.Test;
 import org.kie.server.api.KieServerConstants;
 import org.kie.server.api.model.KieServerConfig;
 import org.kie.server.api.model.KieServerConfigItem;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 import static org.kie.server.common.KeyStoreHelperUtil.loadControllerPassword;
 public class KeyStoreHelperUtilTest {
+ private static final String KEYSTORE_PATH = "target/keystore.jks";
+ private static final String KEYSTORE_PWD = "password";
+ private static final String KEYSTORE_ALIAS = "selfsigned";
+
+ @BeforeClass
+ public static void init() throws Exception {
+ // generate self signed certificate
+ String[] cmd = { "keytool", "-genkey",
+ "-keyalg", "RSA",
+ "-alias", KEYSTORE_ALIAS,
+ "-keystore", KEYSTORE_PATH,
+ "-storepass", KEYSTORE_PWD,
+ "-validity", "360",
+ "-keysize", "1024",
+ "-dname", "CN=root, OU=root, O=root, L=root, ST=root, C=root"
+ };
+
+ ProcessBuilder builder = new ProcessBuilder();
+ builder.command(cmd);
+ Process p = builder.start();
+ p.waitFor();
+ }
+
+ @Test
+ public void testKeyPairReading() throws Exception {
+ try {
+ // this test if we can read our own keys properly
+ URI uri = Paths.get(KEYSTORE_PATH).toAbsolutePath().toUri();
+ System.setProperty(KeyStoreConstants.PROP_PVT_KS_URL, uri.toURL().toExternalForm());
+ System.setProperty(KeyStoreConstants.PROP_PVT_KS_PWD, KEYSTORE_PWD);
+ System.setProperty(KeyStoreHelperUtil.PROP_PWD_JWT_ALIAS, KEYSTORE_ALIAS);
+
+ KeyStoreHelper.reInit();
+
+ assertNotNull(KeyStoreHelperUtil.getJwtKeyPair());
+
+ } finally {
+ System.clearProperty(KeyStoreConstants.PROP_PVT_KS_URL);
+ System.clearProperty(KeyStoreConstants.PROP_PVT_KS_PWD);
+ System.clearProperty(KeyStoreHelperUtil.PROP_PWD_JWT_ALIAS);
+ }
+
+ }
+
 @Test
- public void testDefaultPassword(){
+ public void testDefaultPassword() {
 final String defaultPassword = "default";
 final String password = loadControllerPassword(defaultPassword);
 assertEquals(defaultPassword, password);
 }
 @Test
- public void testConfigDefaultPassword(){
+ public void testConfigDefaultPassword() {
 final KieServerConfig serverConfig = new KieServerConfig();
 final String password = loadControllerPassword(serverConfig);
 assertEquals("kieserver1!", password);
 }
 @Test
- public void testConfigPassword(){
+ public void testConfigPassword() {
 final KieServerConfig serverConfig = new KieServerConfig();
 final String defaultPassword = "default";
 serverConfig.addConfigItem(new KieServerConfigItem(KieServerConstants.CFG_KIE_CONTROLLER_PASSWORD, defaultPassword, null));
diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java
index e7bef3e902..9370ba5c7a 100644
--- a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java
+++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/java/org/kie/server/services/impl/util/JwtService.java
@@ -15,6 +15,7 @@
 package org.kie.server.services.impl.util;
+import java.security.KeyPair;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.ArrayList;
@@ -55,7 +56,7 @@ public String getIssuer() {
 return issuer;
 }
- public String token(String user, String ...roles) {
+ public String token(String user, String... roles) {
 return JWT.create().withIssuer(this.issuer).withSubject(user).withClaim("roles", Arrays.asList(roles)).sign(algorithm);
 }
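Review bot: `init()` launches `keytool` and discards both its exit status and its output, so when keytool is not on PATH or rejects the parameters the keystore is silently absent and `testKeyPairReading` fails later on `assertNotNull` with nothing in the build log to explain why. Call `builder.inheritIO();` before `builder.start()` and replace the bare wait with `if (p.waitFor() != 0) { throw new IllegalStateException("keytool exited with " + p.exitValue()); }`. `-keysize 1024` is below what current keytool releases generate without a warning and there is no reason for a test fixture not to use 2048. The same `init()` is reworked in the PATCH 4/4 hunk of this file, which adds a timeout but still discards the status, so the same change applies there.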
@@ -81,6 +82,13 @@ public JwtService build() {
 return new JwtService(algorithm != null ? algorithm : Algorithm.none(), issuer != null ? issuer : "jBPM");
 }
+ public JwtServiceBuilder keyPair(KeyPair keyPair) {
+ if (keyPair != null) {
+ this.algorithm = Algorithm.RSA256((RSAPublicKey) keyPair.getPublic(), (RSAPrivateKey) keyPair.getPrivate());
+ }
+ return this;
+ }
+
 }
 public JwtUserDetails decodeUserDetails(String token) {
diff --git a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter
index 75a44eb4cd..e885d97d66 100644
--- a/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter
+++ b/kie-server-parent/kie-server-services/kie-server-services-common/src/main/resources/META-INF/services/org.kie.server.api.security.SecurityAdapter
@@ -1,5 +1,5 @@
 org.kie.server.services.impl.security.adapters.TomcatSecurityAdapter
-org.kie.server.services.impl.security.adapters.JMSSecurityAdapter
+org.kie.server.services.impl.security.adapters.BrokerSecurityAdapter
 org.kie.server.services.impl.security.adapters.WeblogicSecurityAdapter
 org.kie.server.services.impl.security.adapters.WebSphereSecurityAdapter
 org.kie.server.services.impl.security.adapters.JwtSecurityAdaptor
\ No newline at end of file
diff --git a/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/resources/META-INF/services/org.jbpm.services.task.identity.adapter.UserGroupAdapter b/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/resources/META-INF/services/org.jbpm.services.task.identity.adapter.UserGroupAdapter
index 4b3040d57b..882bcf1a03 100644
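Review bot: `keyPair(KeyPair)` silently leaves the builder's algorithm unset when the argument is null, and `build()` directly above then falls back to `Algorithm.none()`; since `getJwtKeyPair()` returns null on any keystore problem, a misconfigured keystore produces a JwtService that signs with alg=none and, if `decodeUserDetails` verifies with the same algorithm (its body is outside the hunk), accepts unsigned assertion tokens from the Kafka header. A missing key pair should fail loudly rather than degrade: `if (keyPair == null) { throw new IllegalStateException("JWT key pair is not available, check the kie.keystore.key.jwt.* properties"); }`, or, if some callers legitimately build without a key pair, at least a warning at build time when the none algorithm is selected. The unchecked `(RSAPublicKey)`/`(RSAPrivateKey)` casts throw a bare ClassCastException for a non-RSA keystore entry; an `instanceof` check with a message naming the expected key type would make that diagnosable.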
--- a/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/resources/META-INF/services/org.jbpm.services.task.identity.adapter.UserGroupAdapter
+++ b/kie-server-parent/kie-server-services/kie-server-services-jbpm/src/main/resources/META-INF/services/org.jbpm.services.task.identity.adapter.UserGroupAdapter
@@ -1,3 +1,3 @@
-org.kie.server.services.jbpm.security.JMSUserGroupAdapter
+org.kie.server.services.jbpm.security.BrokerUserGroupAdapter
 org.kie.server.services.jbpm.security.TomcatUserGroupAdapter
 org.kie.server.services.jbpm.security.ElytronUserGroupAdapter
\ No newline at end of file
diff --git a/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java b/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java
index 190a4896f2..90cc45ddb6 100644
--- a/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java
+++ b/kie-server-parent/kie-server-services/kie-server-services-kafka/src/main/java/org/kie/server/services/jbpm/kafka/KafkaServerConsumer.java
@@ -15,6 +15,7 @@
 package org.kie.server.services.jbpm.kafka;
 import java.io.IOException;
+import java.security.KeyPair;
 import java.time.Duration;
 import java.util.Map;
 import java.util.Set;
@@ -38,7 +39,9 @@
 import org.jbpm.services.api.model.MessageDesc;
 import org.jbpm.services.api.model.SignalDesc;
 import org.jbpm.services.api.model.SignalDescBase;
+import org.kie.server.api.KieServerConstants;
 import org.kie.server.api.jms.JMSConstants;
+import org.kie.server.common.KeyStoreHelperUtil;
 import org.kie.server.services.impl.security.adapters.JwtSecurityAdaptor;
 import org.kie.server.services.impl.util.JwtService;
 import org.kie.server.services.impl.security.adapters.BrokerSecurityAdapter;
@@ -77,7 +80,11 @@ public KafkaServerConsumer(KafkaEventProcessorFactory factory, Supplier event,
 }
 private String getValue(Header header) {
- return header != null && header.value() != null ? new String(header.value()) : "";
+ return header != null && header.value() != null ? new String(header.value()) : null;
 }
 private void processEvent(ConsumerRecord event,
@@ -249,17 +256,23 @@ private void processEvent(ConsumerRecord event,
 String username = getValue(event.headers().lastHeader(USER_PROPERTY_NAME));
 String password = getValue(event.headers().lastHeader(PASSWRD_PROPERTY_NAME));
- String token = getValue(event.headers().lastHeader(JMSConstants.ASSERTION_PROPERTY_NAME));
+
 if (username != null && password != null) {
 BrokerSecurityAdapter.login(username, password);
 } else {
- logger.debug("Unable to login to JMSSecurityAdapter, user name and/or password missing for user{}", username);
+ logger.debug("Unable to login to BrokerSecurityAdapter, user name and/or password missing for user{}", username);
 }
- try {
- if (token != null) {
+ String token = getValue(event.headers().lastHeader(JMSConstants.ASSERTION_PROPERTY_NAME));
+ if (token != null) {
+ try {
 JwtSecurityAdaptor.login(jwtService.decodeUserDetails(token));
- }
+ }catch (IllegalArgumentException e) {
+ logger.debug("Unable to login to JwtSecurityAdaptor, user name and/or password missing for token {}", token, e);
+ }
+ }
+
+ try {
 String signalName = signal.getName();
 ClassLoader cl = classLoaders.get(deploymentId);
 Class valueType = Object.class;
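Review bot: `new String(header.value())` in `getValue` decodes the header bytes with the JVM's default charset, so a user name or token containing non-ASCII characters is interpreted differently depending on `file.encoding` of the server; use `new String(header.value(), StandardCharsets.UTF_8)` (import java.nio.charset.StandardCharsets). Returning null instead of "" for a missing header is the right change for the `token != null` check that follows. This hunk's header announces four added lines but only one is visible here, so the constructor changes it covers could not be reviewed from this rendering.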
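Review bot: The message in the new `}catch (IllegalArgumentException e)` block, `Unable to login to JwtSecurityAdaptor, user name and/or password missing for token {}`, is copied from the basic-auth branch and misdescribes the failure, since the token was present and was rejected; it also still prints the token value, which was raised on the PATCH 1/4 hunk. Suggest `logger.debug("Unable to login to JwtSecurityAdaptor, assertion token rejected", e);` and a space in `} catch`. Note that after a rejected token the method carries on and processes the record under whatever identity `BrokerSecurityAdapter.login` established, or none at all; if an invalid assertion is meant to reject the record, the catch needs a `return`. processEvent starts before the hunk.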
@@ -276,12 +289,12 @@ private void processEvent(ConsumerRecord event,
 deploymentId, value);
 } catch (ClassNotFoundException ex) {
 logger.error("Class not found in deployment id {}", deploymentId, ex);
- } catch (IllegalArgumentException e) {
- logger.error("Exception token login {}", token, e);
 } catch (RuntimeException | IOException ex) {
 logger.error("Exception deserializing event", ex);
 } finally {
- JwtSecurityAdaptor.logout();
+ if (token != null) {
+ JwtSecurityAdaptor.logout();
+ }
 }
 }
 }
From 3aa19f2d430f0f32aff8065e65f586705d4efd77 Mon Sep 17 00:00:00 2001
From: Enrique Gonzalez Martinez
Date: Fri, 15 Mar 2024 09:36:21 +0100
Subject: [PATCH 4/4] fix keypass in keystore helpers
---
 .../kie/server/common/KeyStoreHelperUtil.java | 5 +++--
 .../server/common/KeyStoreHelperUtilTest.java | 17 +++++++++++++----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java b/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java
index ec0b0a09b9..fdc757e418 100644
--- a/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java
+++ b/kie-server-parent/kie-server-common/src/main/java/org/kie/server/common/KeyStoreHelperUtil.java
@@ -27,7 +28,8 @@ public class KeyStoreHelperUtil {
 // the private key identifier for controller
 public static final String PROP_PWD_JWT_ALIAS = "kie.keystore.key.jwt.alias";
-
+ public static final String PROP_PWD_JWT_PWD = "kie.keystore.key.jwt.pwd";
+
 // the private key identifier for controller
 private static final String PROP_PWD_CTRL_ALIAS = "kie.keystore.key.ctrl.alias";
 // the private key identifier for controller
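Review bot: The `finally` now logs out the JWT identity only when a token was present, but none of the hunks in this series pairs the earlier `BrokerSecurityAdapter.login(username, password)` in processEvent with a `BrokerSecurityAdapter.logout()`. If the caller does not log out either (not visible here), the user/password identity established on the consumer thread survives into the next record, which may carry no credentials at all and would then be processed under the previous sender's identity. Suggest adding `BrokerSecurityAdapter.logout();` to this `finally`, guarded the same way as the JWT logout if the adapter does not tolerate an unpaired logout. processEvent's body starts outside the hunk.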
@@ -52,7 +53,7 @@ public static String loadControllerPassword(final String defaultPassword) {
 public static KeyPair getJwtKeyPair() {
 String pwdKeyAlias = System.getProperty(PROP_PWD_JWT_ALIAS, "");
- String pwdKeyPassword = System.getProperty(KeyStoreConstants.PROP_PVT_KS_PWD, "");
+ String pwdKeyPassword = System.getProperty(PROP_PWD_JWT_PWD, "");
 return getJwtKeyPair(pwdKeyAlias, pwdKeyPassword);
 }
diff --git a/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java b/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java
index 8166479b70..38ec454f61 100644
--- a/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java
+++ b/kie-server-parent/kie-server-common/src/test/java/org/kie/server/common/KeyStoreHelperUtilTest.java
@@ -16,8 +16,10 @@
 package org.kie.server.common;
+import java.io.File;
 import java.net.URI;
 import java.nio.file.Paths;
+import java.util.concurrent.TimeUnit;
 import org.drools.core.util.KeyStoreConstants;
 import org.drools.core.util.KeyStoreHelper;
@@ -35,25 +37,30 @@ public class KeyStoreHelperUtilTest {
 private static final String KEYSTORE_PATH = "target/keystore.jks";
 private static final String KEYSTORE_PWD = "password";
- private static final String KEYSTORE_ALIAS = "selfsigned";
+ private static final String KEYSTORE_KEY_ALIAS = "selfsigned";
+ private static final String KEYSTORE_KEY_PWD = "password";
 @BeforeClass
 public static void init() throws Exception {
+ File file = new File(KEYSTORE_PATH);
+ file.delete();
+
 // generate self signed certificate
 String[] cmd = { "keytool", "-genkey",
 "-keyalg", "RSA",
- "-alias", KEYSTORE_ALIAS,
+ "-alias", KEYSTORE_KEY_ALIAS,
 "-keystore", KEYSTORE_PATH,
 "-storepass", KEYSTORE_PWD,
 "-validity", "360",
 "-keysize", "1024",
+ "-keypass", KEYSTORE_KEY_PWD,
 "-dname", "CN=root, OU=root, O=root, L=root, ST=root, C=root"
 };
 ProcessBuilder builder = new ProcessBuilder();
 builder.command(cmd);
 Process p = builder.start();
- p.waitFor();
+ p.waitFor(10, TimeUnit.SECONDS);
 }
 @Test
@@ -63,7 +70,8 @@ public void testKeyPairReading() throws Exception {
 URI uri = Paths.get(KEYSTORE_PATH).toAbsolutePath().toUri();
 System.setProperty(KeyStoreConstants.PROP_PVT_KS_URL, uri.toURL().toExternalForm());
 System.setProperty(KeyStoreConstants.PROP_PVT_KS_PWD, KEYSTORE_PWD);
- System.setProperty(KeyStoreHelperUtil.PROP_PWD_JWT_ALIAS, KEYSTORE_ALIAS);
+ System.setProperty(KeyStoreHelperUtil.PROP_PWD_JWT_ALIAS, KEYSTORE_KEY_ALIAS);
+ System.setProperty(KeyStoreHelperUtil.PROP_PWD_JWT_PWD, KEYSTORE_KEY_PWD);
 KeyStoreHelper.reInit();
@@ -73,6 +81,7 @@ public void testKeyPairReading() throws Exception {
 System.clearProperty(KeyStoreConstants.PROP_PVT_KS_URL);
 System.clearProperty(KeyStoreConstants.PROP_PVT_KS_PWD);
 System.clearProperty(KeyStoreHelperUtil.PROP_PWD_JWT_ALIAS);
+ System.clearProperty(KeyStoreHelperUtil.PROP_PWD_JWT_PWD);
 }
 }
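Review bot: `KEYSTORE_KEY_PWD` and `KEYSTORE_PWD` are both `"password"`, so the test cannot tell the key password apart from the store password, which is exactly the mix-up this commit fixes in `getJwtKeyPair()` (it previously read `KeyStoreConstants.PROP_PVT_KS_PWD`); give the key entry a distinct literal, any value other than the store password will do, so that a regression to the old lookup fails the test. `file.delete()` and `p.waitFor(10, TimeUnit.SECONDS)` both return a status that is discarded, so if keytool times out the test continues against a missing or half-written keystore and fails later with an unrelated assertion. Check the result, e.g. `if (!p.waitFor(10, TimeUnit.SECONDS) || p.exitValue() != 0) { throw new IllegalStateException("keytool did not complete successfully"); }`.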