HS256 secret use b64 encoding

Author: deedee

src/java/main/com/topcoder/direct/services/view/interceptors/AuthenticationInterceptor.java

@@ -292,7 +292,8 @@ public String intercept(ActionInvocation invocation) throws Exception {
 
         JWTToken jwtToken = null;
         try {
-            jwtToken = new JWTToken(jwtCookie.getValue(),DirectProperties.CLIENT_SECRET_AUTH0, DirectProperties.JWT_VALID_ISSUERS);
+            jwtToken = new JWTToken(jwtCookie.getValue(),DirectProperties.CLIENT_SECRET_AUTH0,
+                    DirectProperties.JWT_VALID_ISSUERS, new JWTToken.Base64SecretEncoder());
         } catch (TokenExpiredException e) {
             //refresh token here
             //redirect to loginpage for now

src/java/main/com/topcoder/direct/services/view/processor/security/LoginProcessor.java

@@ -11,6 +11,7 @@
 import com.topcoder.direct.services.view.util.DirectProperties;
 import com.topcoder.direct.services.view.util.DirectUtils;
 import com.topcoder.direct.services.view.util.jwt.DirectJWTSigner;
+import com.topcoder.direct.services.view.util.jwt.JWTToken;
 import com.topcoder.security.TCSubject;
 import com.topcoder.security.login.AuthenticationException;
 import com.topcoder.security.login.LoginRemote;
@@ -75,7 +76,6 @@ public class LoginProcessor implements RequestProcessor<LoginAction> {
 
     static {
         JWT_OPTIONS = new DirectJWTSigner.Options();
-        JWT_OPTIONS.setAlgorithm(Algorithm.HMAC256(DirectProperties.CLIENT_SECRET_AUTH0.getBytes()));
         JWT_OPTIONS.setExpirySeconds(DirectProperties.JWT_EXPIRATION_SECONDS);
         JWT_OPTIONS.setIssuedAt(true);
     }

src/java/main/com/topcoder/direct/services/view/processor/security/MockLoginProcessor.java

@@ -11,6 +11,7 @@
 import com.topcoder.direct.services.view.util.DirectProperties;
 import com.topcoder.direct.services.view.util.DirectUtils;
 import com.topcoder.direct.services.view.util.jwt.DirectJWTSigner;
+import com.topcoder.direct.services.view.util.jwt.JWTToken;
 import com.topcoder.security.RolePrincipal;
 import com.topcoder.security.TCPrincipal;
 import com.topcoder.security.TCSubject;
@@ -99,7 +100,6 @@ public class MockLoginProcessor implements RequestProcessor<LoginAction> {
 
     static {
         JWT_OPTIONS = new DirectJWTSigner.Options();
-        JWT_OPTIONS.setAlgorithm(Algorithm.HMAC256(DirectProperties.CLIENT_SECRET_AUTH0.getBytes()));
         JWT_OPTIONS.setExpirySeconds(DirectProperties.JWT_EXPIRATION_SECONDS);
         JWT_OPTIONS.setIssuedAt(true);
     }

src/java/main/com/topcoder/direct/services/view/util/jwt/DirectJWTSigner.java

@@ -36,12 +36,30 @@ public class DirectJWTSigner {
     private final String secret;
 
     /**
-     * Create the JWT signer with the base64 encoded secret.
+     * Secret encoder
+     */
+    private JWTToken.SecretEncoder secretEncoder = new JWTToken.Base64SecretEncoder();
+
+    /**
+     * Create the JWT signer
      *
-     * @param secret the base64 encoded secret.
+     * @param secret  secret.
      */
     public DirectJWTSigner(String secret) {
+        this(secret, null);
+    }
+
+    /**
+     * Create the JWT signer with specific encoder
+     *
+     * @param secret secret
+     * @param secretEncoder secret encoder
+     */
+    public DirectJWTSigner(String secret, JWTToken.SecretEncoder secretEncoder) {
         this.secret = secret;
+        if (secretEncoder != null) {
+            this.secretEncoder = secretEncoder;
+        }
     }
 
     /**
@@ -62,7 +80,7 @@ public DirectJWTSigner(String secret) {
      * @param options Allow choosing the signing algorithm, and automatic setting of some registered claims.
      */
     public String sign(Map<String, Object> claims, Options options) throws Exception{
-        Algorithm algorithm = Algorithm.HMAC256(secret);
+        Algorithm algorithm = Algorithm.HMAC256(secretEncoder.encode(secret));
         if (options != null && options.algorithm != null) {
             algorithm = options.algorithm;
         }

src/java/main/com/topcoder/direct/services/view/util/jwt/JWTToken.java

@@ -67,17 +67,18 @@ public class JWTToken {
 
     private String algorithmName = "HS256";
 
-    protected SecretEncoder encoder = new SecretEncoder();
+    protected SecretEncoder encoder = new Base64SecretEncoder();
 
     /**
      * Constructor
      *
      * @param token token
      * @param secret secret, if algorithm required it
      * @param knownIssuers  comma separate known issuers
+     * @param secretEncoder encoder of secret
      * @throws JWTException
      */
-    public JWTToken(String token, String secret, String knownIssuers) throws JWTException{
+    public JWTToken(String token, String secret, String knownIssuers, SecretEncoder secretEncoder) throws JWTException{
         if (token == null) {
             logger.error("token can not be null");
             throw new IllegalArgumentException("token can not be null");
@@ -87,10 +88,14 @@ public JWTToken(String token, String secret, String knownIssuers) throws JWTExce
             throw new IllegalArgumentException("issuers can not be null");
         }
 
+        if (secretEncoder != null)
+            this.encoder = secretEncoder;
+
         for (String issuer : knownIssuers.split("\\s*,\\s*")) {
             this.knownIssuers.add(issuer.trim());
         }
 
+
         setTokenAndSecret(token, secret);
     }