alternative group claim

Author: dabloem

src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/GeronimoJwtAuthFilter.java

@@ -41,6 +41,7 @@
 public class GeronimoJwtAuthFilter implements Filter {
     private String headerName;
     private String cookieName;
+    private String groupsName;
     private String prefix;
     private JwtParser service;
     private GeronimoJwtAuthExtension extension;
@@ -55,6 +56,7 @@ public void init(final FilterConfig filterConfig) {
         final GeronimoJwtAuthConfig config = current.select(GeronimoJwtAuthConfig.class).get();
         headerName = config.read("header.name", "Authorization");
         cookieName = config.read("cookie.name", "Bearer");
+        groupsName = config.read("groups.name",  "");
         prefix = Optional.of(config.read("header.prefix", "bearer"))
                 .filter(s -> !s.isEmpty()).map(s -> s + " ")
                 .orElse("");
@@ -81,7 +83,7 @@ public void doFilter(final ServletRequest request, final ServletResponse respons
         }
 
         try {
-            final JwtRequest req = new JwtRequest(service, headerName, cookieName, prefix, httpServletRequest);
+            final JwtRequest req = new JwtRequest(service, headerName, cookieName, groupsName, prefix, httpServletRequest);
             extension.execute(req.asTokenAccessor(), () -> chain.doFilter(req, response));
         } catch (final Exception e) { // when not used with JAX-RS but directly Servlet
             final HttpServletResponse httpServletResponse = HttpServletResponse.class.cast(response);

src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/servlet/JwtRequest.java

@@ -18,15 +18,20 @@
 
 import static java.util.Collections.emptySet;
 import static java.util.stream.Collectors.toList;
+import static java.util.stream.Collectors.toSet;
 
 import java.security.Principal;
+import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.Locale;
 import java.util.Set;
 import java.util.concurrent.Callable;
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
+import javax.json.JsonArray;
+import javax.json.JsonString;
+import javax.json.JsonValue;
 import javax.security.auth.Subject;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -40,12 +45,14 @@
 public class JwtRequest extends HttpServletRequestWrapper implements TokenAccessor {
     private final Supplier<JsonWebToken> tokenExtractor;
     private final String headerName;
+    private final String groupsName;
     private volatile JsonWebToken token; // cache for perf reasons
 
-    public JwtRequest(final JwtParser service, final String header, final String cookie,
+    public JwtRequest(final JwtParser service, final String header, final String cookie, final String groupsName,
                       final String prefix, final HttpServletRequest request) {
         super(request);
         this.headerName = header;
+        this.groupsName = groupsName;
 
         this.tokenExtractor = () -> {
             if (token != null) {
@@ -132,6 +139,20 @@ public Principal getUserPrincipal() {
 
     @Override
     public boolean isUserInRole(final String role) {
+        if (tokenExtractor.get().containsClaim(groupsName)) {
+            JsonValue jsonValue = tokenExtractor.get().getClaim(groupsName);
+            Set<String> groups = Collections.EMPTY_SET;
+            if (jsonValue.getValueType() == JsonValue.ValueType.ARRAY) {
+                groups = JsonArray.class.cast(jsonValue).stream()
+                        .map(grp -> ((JsonString)grp).getString())
+                        .collect(toSet());
+            } else if (jsonValue.getValueType() == JsonValue.ValueType.STRING){
+                groups = Stream.of(JsonString.class.cast(jsonValue).getString().split(","))
+                        .collect(toSet());
+            }
+            return groups.stream().anyMatch(v -> v.equals(role));
+        }
+
         return tokenExtractor.get().getGroups().contains(role);
     }