diff --git a/sts-spring/src/main/java/de/adorsys/sts/filter/JWTAuthenticationFilter.java b/sts-spring/src/main/java/de/adorsys/sts/filter/JWTAuthenticationFilter.java index f118725e..4a2de0ea 100644 --- a/sts-spring/src/main/java/de/adorsys/sts/filter/JWTAuthenticationFilter.java +++ b/sts-spring/src/main/java/de/adorsys/sts/filter/JWTAuthenticationFilter.java @@ -35,7 +35,9 @@ public void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull HttpS try { authentication = tokenAuthenticationService.getAuthentication(request); } catch (BadJOSEException e) { - response.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized"); + response.setHeader("X-B3-TraceId", request.getHeader("X-B3-TraceId")); + response.setHeader("X-B3-SpanId", request.getHeader("X-B3-SpanId")); + response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid token - Token expired"); } SecurityContextHolder.getContext().setAuthentication(authentication); diff --git a/sts-spring/src/main/java/de/adorsys/sts/token/tokenexchange/server/TokenExchangeController.java b/sts-spring/src/main/java/de/adorsys/sts/token/tokenexchange/server/TokenExchangeController.java index 2d71e8dc..9e1459c5 100644 --- a/sts-spring/src/main/java/de/adorsys/sts/token/tokenexchange/server/TokenExchangeController.java +++ b/sts-spring/src/main/java/de/adorsys/sts/token/tokenexchange/server/TokenExchangeController.java @@ -31,13 +31,14 @@ public class TokenExchangeController { private final TokenExchangeService tokenExchangeService; - @PostMapping(consumes = {MediaType.APPLICATION_FORM_URLENCODED_VALUE}, produces = {MediaType.APPLICATION_JSON_VALUE}) + @PostMapping(consumes = { MediaType.APPLICATION_FORM_URLENCODED_VALUE }, produces = { MediaType.APPLICATION_JSON_VALUE }) @Operation(summary = "Exchange Token", description = "Create an access or refresh token given a valide subject token.", responses = { @ApiResponse(responseCode = "200", description = "Ok", content = @Content(mediaType = "application/json", schema = @Schema(implementation = TokenResponse.class))), - @ApiResponse(responseCode = "400", description = "Bad request", headers = @Header(name = "error", description = "invalid request")) - }) - public ResponseEntity tokenExchange(@RequestBody @ModelAttribute TokenRequestForm tokenRequestForm, HttpServletRequest servletRequest) { - if (log.isTraceEnabled()) log.trace("POST tokenExchange started..."); + @ApiResponse(responseCode = "400", description = "Bad request", headers = @Header(name = "error", description = "invalid request")) }) + public ResponseEntity tokenExchange(@RequestBody @ModelAttribute TokenRequestForm tokenRequestForm, + HttpServletRequest servletRequest) { + if (log.isTraceEnabled()) + log.trace("POST tokenExchange started..."); TokenExchangeRequest tokenExchange = getTokenExchangeRequest(tokenRequestForm, servletRequest); @@ -56,24 +57,20 @@ public ResponseEntity tokenExchange(@RequestBody @ModelAttribute TokenRe ResponseEntity errorData = ResponseUtils.invalidParam(e.getMessage()); return ResponseEntity.badRequest().body(errorData); } catch (BadJOSEException e) { - return ResponseEntity.status(HttpStatus.FORBIDDEN).header("source", "sts").body(e.getMessage()); + return ResponseEntity.status(HttpStatus.FORBIDDEN).header("source", "sts") + .header("X-B3-TraceId", servletRequest.getHeader("X-B3-TraceId")) + .header("X-B3-SpanId", servletRequest.getHeader("X-B3-SpanId")).body(e.getMessage()); } finally { - if (log.isTraceEnabled()) log.trace("POST tokenExchange finished: {}", errorMessage); + if (log.isTraceEnabled()) + log.trace("POST tokenExchange finished: {}", errorMessage); } } private static TokenExchangeRequest getTokenExchangeRequest(TokenRequestForm tokenRequestForm, HttpServletRequest servletRequest) { - return TokenExchangeRequest.builder() - .grantType(tokenRequestForm.getGrantType()) - .resources(tokenRequestForm.getResources()) - .subjectToken(tokenRequestForm.getSubjectToken()) - .subjectTokenType(tokenRequestForm.getSubjectTokenType()) - .actorToken(tokenRequestForm.getActorToken()) - .actorTokenType(tokenRequestForm.getActorTokenType()) - .issuer(ResponseUtils.getIssuer(servletRequest)) - .scope(tokenRequestForm.getScope()) - .requestedTokenType(tokenRequestForm.getRequestedTokenType()) - .audiences(tokenRequestForm.getAudiences()) - .build(); + return TokenExchangeRequest.builder().grantType(tokenRequestForm.getGrantType()).resources(tokenRequestForm.getResources()) + .subjectToken(tokenRequestForm.getSubjectToken()).subjectTokenType(tokenRequestForm.getSubjectTokenType()) + .actorToken(tokenRequestForm.getActorToken()).actorTokenType(tokenRequestForm.getActorTokenType()) + .issuer(ResponseUtils.getIssuer(servletRequest)).scope(tokenRequestForm.getScope()) + .requestedTokenType(tokenRequestForm.getRequestedTokenType()).audiences(tokenRequestForm.getAudiences()).build(); } } diff --git a/sts-token-auth/src/test/java/de/adorsys/sts/tokenauth/JWTClaimsSetVerifierWithLogsTest.java b/sts-token-auth/src/test/java/de/adorsys/sts/tokenauth/JWTClaimsSetVerifierWithLogsTest.java index 82c6aaef..716949d4 100644 --- a/sts-token-auth/src/test/java/de/adorsys/sts/tokenauth/JWTClaimsSetVerifierWithLogsTest.java +++ b/sts-token-auth/src/test/java/de/adorsys/sts/tokenauth/JWTClaimsSetVerifierWithLogsTest.java @@ -11,6 +11,8 @@ import java.time.Clock; import java.time.Instant; +import java.time.LocalDate; +import java.time.LocalDateTime; import java.util.Date; import static org.junit.jupiter.api.Assertions.*; @@ -47,7 +49,8 @@ public void testVerify_throwsBadJWTException_whenJWTIsExpired() { @Test public void testVerify_throwsBadJWTException_whenJWTIsNotBeforeNow() { - JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().notBeforeTime(new Date(System.currentTimeMillis() + 60000)).build(); + JWTClaimsSet claimsSet = + new JWTClaimsSet.Builder().notBeforeTime(new Date(System.currentTimeMillis() + 600000000)).issueTime(new Date()).build(); when(clock.instant()).thenReturn(Instant.now()); assertThrows(BadJWTException.class, () -> { underTest.verify(claimsSet, null);