Fix/jwt claim validation (#3753)

fix: jwks JWT validation and reuse consumer

Signed-off-by: developharsh <harsh237hk@gmail.com>

Author: devlopharsh

rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/security/apiToken/ApiTokenAuthenticationProvider.java

@@ -58,6 +58,7 @@ public class ApiTokenAuthenticationProvider implements AuthenticationProvider {
 
     @NotNull
     private final Sw360UserService userService;
+    private volatile JWTValidator jwtValidator;
 
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
@@ -71,8 +72,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
         String tokenFromAuthentication = (String) authentication.getCredentials();
         if (Sw360ResourceServer.IS_JWKS_VALIDATION_ENABLED && authentication instanceof ApiTokenAuthentication
                 && ((ApiTokenAuthentication) authentication).getType() == AuthType.JWKS) {
-            JWTValidator validator = new JWTValidator(Sw360ResourceServer.JWKS_ISSUER_URL,
-                    Sw360ResourceServer.JWKS_ENDPOINT_URL, Sw360ResourceServer.JWT_CLAIM_AUD);
+            JWTValidator validator = getJwtValidator();
             JwtClaims jwtClaims = null;
             try {
                 jwtClaims = validator.validateJWT(tokenFromAuthentication);
@@ -119,6 +119,21 @@ private User getUserFromTokenHash(String tokenHash) {
         }
     }
 
+    private JWTValidator getJwtValidator() {
+        JWTValidator localValidator = jwtValidator;
+        if (localValidator == null) {
+            synchronized (this) {
+                localValidator = jwtValidator;
+                if (localValidator == null) {
+                    localValidator = new JWTValidator(Sw360ResourceServer.JWKS_ISSUER_URL,
+                            Sw360ResourceServer.JWKS_ENDPOINT_URL, Sw360ResourceServer.JWT_CLAIM_AUD);
+                    jwtValidator = localValidator;
+                }
+            }
+        }
+        return localValidator;
+    }
+
     private User getUserFromClientId(String clientId) {
         try {
             return userService.getUserFromClientId(clientId);

rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/security/jwksvalidation/JWTValidator.java

@@ -18,7 +18,8 @@
 import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
 
 public class JWTValidator {
-    JwtConsumer jwtConsumer;
+    private static final int ALLOWED_CLOCK_SKEW_SECONDS = 30;
+    private final JwtConsumer jwtConsumer;
 
     /**
      * Creates a validator for JWT access tokens issued by the given PF instance.
@@ -30,9 +31,10 @@ public JWTValidator(String issuerUrl, String jwksurl, String aud) {
         HttpsJwks httpsJkws = new HttpsJwks(jwksurl);
         HttpsJwksVerificationKeyResolver httpsJwksKeyResolver = new HttpsJwksVerificationKeyResolver(httpsJkws);
         JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder()
-                //TODO:Recheck
-//                .setRequireExpirationTime()
-//                .setAllowedClockSkewInSeconds(30)
+                .setRequireExpirationTime()
+                .setRequireIssuedAt()
+                .setRequireNotBefore()
+                .setAllowedClockSkewInSeconds(ALLOWED_CLOCK_SKEW_SECONDS)
                 .setExpectedIssuer(issuerUrl)
                 .setVerificationKeyResolver(httpsJwksKeyResolver);
         if (aud.isEmpty()) {