scope체크로직 수정
This commit is contained in:
@@ -109,6 +109,7 @@ public class ApiAuthFilter implements HttpAdapterFilter {
|
||||
return message;
|
||||
}
|
||||
|
||||
boolean isPassScope = false;
|
||||
switch (eaiMessage.getAuthType()){
|
||||
case "oauth":
|
||||
try {
|
||||
@@ -127,10 +128,25 @@ public class ApiAuthFilter implements HttpAdapterFilter {
|
||||
|
||||
OAuth2Manager manager = OAuth2Manager.getInstance();
|
||||
HashSet<String> scopeSet = manager.getApiScopeMap().get(apiId);
|
||||
if (!verifyScope(scopeSet, signedJWT)) {
|
||||
|
||||
String[] scopeArr = signedJWT.getJWTClaimsSet().getStringArrayClaim(PAYLOAD_PARAM_NAME_SCOPE);
|
||||
if (scopeArr == null || scopeArr.length == 0) {
|
||||
throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL,
|
||||
String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString()));
|
||||
}
|
||||
|
||||
for (String scope : scopeArr) {
|
||||
if (StringUtils.equals(scope, "oob") || StringUtils.equals(scope, "public")) {
|
||||
isPassScope = true;
|
||||
}
|
||||
}
|
||||
|
||||
if (!isPassScope) {
|
||||
if (!verifyScope(scopeSet, signedJWT)) {
|
||||
throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL,
|
||||
String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString()));
|
||||
}
|
||||
}
|
||||
|
||||
// header 값으로 전송된 clientId와 토큰 소유 clientId check
|
||||
if (!verifyClientId(prop, signedJWT)) {
|
||||
@@ -144,26 +160,6 @@ public class ApiAuthFilter implements HttpAdapterFilter {
|
||||
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid");
|
||||
}
|
||||
break;
|
||||
// case "bearer":
|
||||
// try {
|
||||
// String token = ApiAuthFilter.extractJWTToken(request);
|
||||
// BearerTokenInfo CATokenInfo = CATokenStore.get(token);
|
||||
//
|
||||
// if (CATokenInfo == null) {
|
||||
// throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid");
|
||||
// }
|
||||
//
|
||||
// if (CATokenInfo.isExpired()) {
|
||||
// throw new JwtAuthException(ERROR_TOKEN_EXPIRED, "Access token expired");
|
||||
// }
|
||||
// } catch (JwtAuthException e) {
|
||||
// logger.debug(e.getMessage());
|
||||
// throw e;
|
||||
// } catch (Exception e) {
|
||||
// logger.error(e.getMessage());
|
||||
// throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid");
|
||||
// }
|
||||
// break;
|
||||
case "api_key":
|
||||
String apiKeyName = PropManager.getInstance().getProperty("ApiConfig", "api.key.name", "x-api-key");
|
||||
String apiKey = request.getHeader(apiKeyName);
|
||||
@@ -171,19 +167,22 @@ public class ApiAuthFilter implements HttpAdapterFilter {
|
||||
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Invalid or missing API key \""+apiKeyName+"\" in Http Header");
|
||||
}
|
||||
prop.setProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID, apiKey);
|
||||
isPassScope = true;
|
||||
break;
|
||||
case "none":
|
||||
return message;
|
||||
}
|
||||
|
||||
String clientId = prop.getProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID);
|
||||
ClientVO clientVO = OAuth2Manager.getInstance().getClientVO(clientId);
|
||||
if(clientVO == null){
|
||||
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered APP");
|
||||
}
|
||||
if (isPassScope) {
|
||||
String clientId = prop.getProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID);
|
||||
ClientVO clientVO = OAuth2Manager.getInstance().getClientVO(clientId);
|
||||
if(clientVO == null){
|
||||
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered APP");
|
||||
}
|
||||
|
||||
if(clientVO.getApiMap().containsKey(eaiSvcCd) == false){
|
||||
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered API ["+eaiSvcCd+"] in ["+clientVO.getClientName()+"] APP");
|
||||
if(clientVO.getApiMap().containsKey(eaiSvcCd) == false){
|
||||
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered API ["+eaiSvcCd+"] in ["+clientVO.getClientName()+"] APP");
|
||||
}
|
||||
}
|
||||
|
||||
return message;
|
||||
|
||||
Reference in New Issue
Block a user