
Commit b272805

jzheauxBudlee
andcommitted
Additional Jwt Validation Debug Messages
Closes gh-8589 Co-authored-by: MattyA <[email protected]>
1 parent a32de93 commit b272805


2 files changed

+26
-16
lines changed


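--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtClaimValidator.java
@@ -15,6 +15,8 @@
 */
 package org.springframework.security.oauth2.jwt;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@@ -30,6 +32,7 @@
 * @since 5.3
 */
 public final class JwtClaimValidator<T> implements OAuth2TokenValidator<Jwt> {
+private final Log logger = LogFactory.getLog(getClass());
 
 private final String claim;
 private final Predicate<T> test;
@@ -61,6 +64,7 @@ public OAuth2TokenValidatorResult validate(Jwt token) {
 if (test.test(claimValue)) {
 return OAuth2TokenValidatorResult.success();
 } else {
+logger.debug(error.getDescription());
 return OAuth2TokenValidatorResult.failure(error);
 }
 }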
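Review bot: The new `logger.debug(error.getDescription())` in the else branch of validate() writes a string whose construction is outside this hunk, so the diff alone does not show whether token-derived text can reach the log. If the description is built only from the configured claim name, that is the right thing to log and worth pinning with a comment such as `// log the fixed description only; the claim value is token-supplied and stays out of the log`. If it could ever include the claim value, line breaks and control characters should be stripped before it is logged. validate() begins above the hunk, so this is inferred from the visible lines only.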

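--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTimestampValidator.java
@@ -15,17 +15,20 @@
 */
 package org.springframework.security.oauth2.jwt;
 
-import java.time.Clock;
-import java.time.Duration;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import org.springframework.util.Assert;
 
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+import java.time.format.DateTimeFormatter;
+import java.time.temporal.ChronoUnit;
+
 /**
 * An implementation of {@link OAuth2TokenValidator} for verifying claims in a Jwt-based access token
 *
@@ -41,6 +44,8 @@
 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>
 */
 public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
+private final Log logger = LogFactory.getLog(getClass());
+
 private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);
 
 private final Duration clockSkew;
@@ -56,7 +61,6 @@ public JwtTimestampValidator() {
 
 public JwtTimestampValidator(Duration clockSkew) {
 Assert.notNull(clockSkew, "clockSkew cannot be null");
-
 this.clockSkew = clockSkew;
 }
 
@@ -71,29 +75,31 @@ public OAuth2TokenValidatorResult validate(Jwt jwt) {
 
 if (expiry != null) {
 if (Instant.now(this.clock).minus(clockSkew).isAfter(expiry)) {
-OAuth2Error error = new OAuth2Error(
-OAuth2ErrorCodes.INVALID_REQUEST,
-String.format("Jwt expired at %s", jwt.getExpiresAt()),
-"https://tools.ietf.org/html/rfc6750#section-3.1");
-return OAuth2TokenValidatorResult.failure(error);
+OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt expired at %s", jwt.getExpiresAt()));
+return OAuth2TokenValidatorResult.failure(oAuth2Error);
 }
 }
 
 Instant notBefore = jwt.getNotBefore();
 
 if (notBefore != null) {
 if (Instant.now(this.clock).plus(clockSkew).isBefore(notBefore)) {
-OAuth2Error error = new OAuth2Error(
-OAuth2ErrorCodes.INVALID_REQUEST,
-String.format("Jwt used before %s", jwt.getNotBefore()),
-"https://tools.ietf.org/html/rfc6750#section-3.1");
-return OAuth2TokenValidatorResult.failure(error);
+OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt used before %s", jwt.getNotBefore()));
+return OAuth2TokenValidatorResult.failure(oAuth2Error);
 }
 }
 
 return OAuth2TokenValidatorResult.success();
 }
 
+private OAuth2Error createOAuth2Error(String reason) {
+logger.debug(reason);
+return new OAuth2Error(
+OAuth2ErrorCodes.INVALID_REQUEST,
+reason,
+"https://tools.ietf.org/html/rfc6750#section-3.1");
+}
+
 /**
 * '
 * Use this {@link Clock} with {@link Instant#now()} for assessing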
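Review bot: `import java.time.format.DateTimeFormatter;` is added in the first hunk, but none of the new lines in this section uses it; unless code outside the hunks does, the import should be dropped. The same hunk also moves the `java.time` imports below the `org.*` ones, which is churn unrelated to the logging change. In the last hunk, `createOAuth2Error` logs as a side effect of building the error, which its name does not suggest; a one-line comment such as `// logs the reason at debug level, then wraps it as an INVALID_REQUEST error` would make that visible. validate() begins above the hunk and the trailing Javadoc continues past it.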
