integratedmodelling
diff --git a/‎api/org.integratedmodelling.klab.api/src/org/integratedmodelling/klab/api/API.java‎
Lines changed: 10 additions & 1 deletion b/‎api/org.integratedmodelling.klab.api/src/org/integratedmodelling/klab/api/API.java‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎klab.authentication/src/main/java/org/integratedmodelling/klab/auth/Role.java‎
Lines changed: 1 addition & 1 deletion b/‎klab.authentication/src/main/java/org/integratedmodelling/klab/auth/Role.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎klab.hub/src/main/java/org/integratedmodelling/klab/hub/licenses/dto/JwtToken.java‎
Lines changed: 2 additions & 2 deletions b/‎klab.hub/src/main/java/org/integratedmodelling/klab/hub/licenses/dto/JwtToken.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎klab.hub/src/main/java/org/integratedmodelling/klab/hub/security/KeyManager.java‎
Lines changed: 0 additions & 196 deletions b/‎klab.hub/src/main/java/org/integratedmodelling/klab/hub/security/KeyManager.java‎
Lines changed: 0 additions & 196 deletions
diff --git a/‎klab.hub/src/main/java/org/integratedmodelling/klab/hub/security/KlabJWTAuthentication.java‎
Lines changed: 92 additions & 0 deletions b/‎klab.hub/src/main/java/org/integratedmodelling/klab/hub/security/KlabJWTAuthentication.java‎
Lines changed: 92 additions & 0 deletions
@@ -332,6 +332,14 @@ public static interface HUB {
          * Base URL path for user resources on the hub with no authentication.
          */
         public static final String USER_BASE_ID_NOAUTH = USER_BASE_NOAUTH + "/{id}";
+        /**
+         * Base URL path for user resources on the hub for services
+         */
+        public static final String USER_BASE_SERVICES = USER_BASE + "/services";
+        /**
+         * Base URL path for user resources on the hub with no authentication.
+         */
+        public static final String USER_BASE_ID_SERVICES = USER_BASE_SERVICES + "/{id}";
         /**
          * Base URL path for user resources on the hub.
          */
@@ -586,9 +594,10 @@ public static interface PARAMETERS {
 
         public static interface LABELS {
             /**
-             * Label for authorization HEADER
+             * Label for authorization and Authentication HEADER
              */
             public static final String AUTHORIZATION = "Authorization";
+            public static final String AUTHENTICATION = "Authentication";
         }
 
         public static interface CUSTOM_PROPERTY_KEYS {
 
@@ -41,7 +41,7 @@ public enum Role implements GrantedAuthority {
 
     public static final String NODE = "ROLE_TEMPORARY";
 
-    public static final String SERVICE = "ROLE_TEMPORARY";
+    public static final String SERVICE = "ROLE_SERVICE";
 
     @Override
     public String getAuthority() {
 
@@ -25,7 +25,7 @@ public class JwtToken {
 
 	private static final String JWT_CLAIM_KEY_PERMISSIONS = "perms";
 	private static final String ENGINE_AUDIENCE = "engine";
-	private static final String SERVICE_AUDIENCE = "engine";
+	private static final String SERVICE_AUDIENCE = "service";
 	private static final int EXPIRATION_DAYS = 10;
 	private static final String JWT_CLAIM_KEY_ROLES = "roles";
 
@@ -71,7 +71,7 @@ public String createServiceJwtToken(INodeIdentity service, Set<Group> groups) {
         JwtClaims claims = new JwtClaims();
         Hub hub = Authentication.INSTANCE.getAuthenticatedIdentity(Hub.class);
         claims.setIssuer(hub.getName());
-        claims.setSubject(service.getId());
+        claims.setSubject(service.getName());
         claims.setAudience(SERVICE_AUDIENCE);
         claims.setIssuedAtToNow();
         claims.setExpirationTimeMinutesInTheFuture(60 * 24 * EXPIRATION_DAYS);
 
@@ -0,0 +1,92 @@
+package org.integratedmodelling.klab.hub.security;
+
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.integratedmodelling.klab.api.API;
+import org.integratedmodelling.klab.exceptions.KlabAuthorizationException;
+import org.jose4j.jwt.JwtClaims;
+import org.jose4j.jwt.MalformedClaimException;
+import org.jose4j.jwt.NumericDate;
+import org.jose4j.jwt.consumer.InvalidJwtException;
+import org.jose4j.jwt.consumer.JwtConsumer;
+import org.jose4j.jwt.consumer.JwtConsumerBuilder;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.client.HttpClientErrorException;
+
+public enum KlabJWTAuthentication {
+    
+    INSTANCE;
+    
+    private static final int ALLOWED_CLOCK_SKEW_MS = 30000;
+    
+    public void checkKlabJWT(HttpServletRequest req) throws KlabAuthorizationException {
+ 
+        String token = req.getHeader(API.HUB.LABELS.AUTHORIZATION);
+        // we are not entering via Keycloack Beader Token, check our own JWT
+        if (token == null) {
+            /*
+             * Check own jwtToken
+             */
+            
+            String jwtToken =req.getHeader(API.HUB.LABELS.AUTHENTICATION);
+            
+            if (jwtToken == null) {
+                throw new HttpClientErrorException(HttpStatus.UNAUTHORIZED, "Not authenticated");
+            }
+            
+            PublicKey publicKey = null;
+
+            try {
+                byte publicKeyData[] = Base64.getDecoder().decode(NetworkKeyManager.INSTANCE.getEncodedPublicKey());
+                X509EncodedKeySpec spec = new X509EncodedKeySpec(publicKeyData);
+                KeyFactory kf = KeyFactory.getInstance("RSA");
+                publicKey = kf.generatePublic(spec);
+            } catch (Exception e) {
+                throw new KlabAuthorizationException("invalid public key");
+            }
+            
+            /*
+            * Build a verifier for the token coming from any engine that has validated with
+            * the authenticating hub.
+            */
+
+            /*
+             * Build a verifier for the token coming from any engine that has validated with
+             * the authenticating hub.
+             */
+
+            JwtConsumer jwtVerifier = new JwtConsumerBuilder().setSkipDefaultAudienceValidation()
+                    .setAllowedClockSkewInSeconds(ALLOWED_CLOCK_SKEW_MS / 1000).setVerificationKey(publicKey).build();
+
+            try {
+
+                JwtClaims claims = jwtVerifier.processToClaims(jwtToken);
+                String username = claims.getSubject();
+
+                /*
+                 * Expiration time (exp) - The "exp" (expiration time) claim identifies the
+                 * expiration time on or after which the JWT must not be accepted for
+                 * processing. The value should be in NumericDate[10][11] format.
+                 */
+                NumericDate expirationTime = claims.getExpirationTime();
+                long now = System.currentTimeMillis();
+                if (expirationTime.isBefore(NumericDate.fromMilliseconds(now - ALLOWED_CLOCK_SKEW_MS))) {
+                    throw new KlabAuthorizationException("User " + username + " is using an expired authorization");
+                }
+
+
+            } catch (MalformedClaimException | InvalidJwtException e) {
+                e.printStackTrace();
+                throw new KlabAuthorizationException("JWT error", e);
+            } catch (Exception e) {
+                throw new KlabAuthorizationException("Error validating JWT", e);
+            }
+        }
+    }
+    
+}