Class AbstractJwtSessionModule<C extends JwtSessionCookie>

  • Type Parameters:
    C - The cookie type.
    Direct Known Subclasses:
    JwtSessionModule, ServletJwtSessionModule

    public abstract class AbstractJwtSessionModule<C extends JwtSessionCookie>
    extends Object
    A JASPI Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response. On subsequent requests it checks for the presence of the JWT as a Cookie on the request, validates its signature, decrypts it, and checks the expiration time of the JWT.
    Since:
    1.0.0
    • Field Detail

      • LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME

        public static final String LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME
        Request attribute for logout requests which will cause this module to delete the session cookie.
        See Also:
        Constant Field Values
      • PRIVATE_KEY_PASSWORD_KEY

        public static final String PRIVATE_KEY_PASSWORD_KEY
        The Private Key password configuration property key.
        See Also:
        Constant Field Values
      • KEYSTORE_TYPE_KEY

        public static final String KEYSTORE_TYPE_KEY
        The Keystore type configuration property key.
        See Also:
        Constant Field Values
      • KEYSTORE_PASSWORD_KEY

        public static final String KEYSTORE_PASSWORD_KEY
        The Keystore password configuration property key.
        See Also:
        Constant Field Values
      • SESSION_COOKIE_NAME_KEY

        public static final String SESSION_COOKIE_NAME_KEY
        The Jwt Session Cookie Name configuration property key.
        See Also:
        Constant Field Values
      • TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY

        public static final String TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY
        The Jwt Token Idle timeout configuration property key in minutes.
        See Also:
        Constant Field Values
      • MAX_TOKEN_LIFE_IN_MINUTES_KEY

        public static final String MAX_TOKEN_LIFE_IN_MINUTES_KEY
        The Jwt Token Maximum life configuration property key in minutes.
        See Also:
        Constant Field Values
      • TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

        public static final String TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY
        The Jwt Token Idle timeout configuration property key in seconds.
        See Also:
        Constant Field Values
      • MAX_TOKEN_LIFE_IN_SECONDS_KEY

        public static final String MAX_TOKEN_LIFE_IN_SECONDS_KEY
        The Jwt Token Maximum life configuration property key in seconds.
        See Also:
        Constant Field Values
      • JWT_VALIDATED_KEY

        public static final String JWT_VALIDATED_KEY
        The Jwt Validated configuration property key.
        See Also:
        Constant Field Values
      • BROWSER_SESSION_ONLY_KEY

        public static final String BROWSER_SESSION_ONLY_KEY
        Property key controlling whether the JWT cookie persists between browser restarts.
        See Also:
        Constant Field Values
      • HTTP_ONLY_COOKIE_KEY

        public static final String HTTP_ONLY_COOKIE_KEY
        Property key controlling whether the JWT cookie is HttpOnly, i.e. not accessible to client-side script in the browser.
        See Also:
        Constant Field Values
      • SECURE_COOKIE_KEY

        public static final String SECURE_COOKIE_KEY
        Property key controlling whether the JWT cookie is marked Secure, i.e. only ever sent to the client browser over an encrypted (HTTPS) connection.
        See Also:
        Constant Field Values
      • COOKIE_DOMAINS_KEY

        public static final String COOKIE_DOMAINS_KEY
        Property key for the domains the cookie should be set on.
        See Also:
        Constant Field Values
      • JWT_ISSUER

        public static final String JWT_ISSUER
        Issuer (iss) claim value to add to the JWT and check for.
        See Also:
        Constant Field Values
    • Method Detail

      • initialize

        public void initialize(CallbackHandler handler,
                               Map options)
                        throws AuthenticationException
        Initialises the module by getting the Keystore and Key alias properties out of the module configuration.
        Parameters:
        handler - CallbackHandler used to request information.
        options - A Map of module-specific configuration properties.
        Throws:
        AuthenticationException - If the options are not valid.
      • validateRequest

        public javax.security.auth.message.AuthStatus validateRequest(javax.security.auth.message.MessageInfo messageInfo,
                                                                      Subject clientSubject)
                                                               throws AuthenticationException
        Checks for the presence of the JWT as a Cookie on the request, validates its signature, decrypts it, and checks the expiration time of the JWT. If all these checks pass the method returns AuthStatus.SUCCESS, otherwise it returns AuthStatus.SEND_FAILURE.
        Parameters:
        messageInfo - The message context info for this request.
        clientSubject - A Subject that represents the subject of this request.
        Returns:
        If the Jwt is valid then AuthStatus.SUCCESS is returned, otherwise AuthStatus.SEND_FAILURE is returned.
        Throws:
        AuthenticationException - If there is a problem validating the request.
      • validateJwtSessionCookie

        public Jwt validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo)
        Validates the Jwt Session Cookie and checks whether its idle timeout or max life has expired.
        Parameters:
        messageInfo - The MessageInfo instance.
        Returns:
        The Jwt if successfully validated otherwise null.
      • getContextMap

        public Map<String,Object> getContextMap(javax.security.auth.message.MessageInfo messageInfo)
        Ensures the context map exists within the messageInfo object, and then returns the context map to be used.
        Parameters:
        messageInfo - The MessageInfo instance.
        Returns:
        The context map internal to the messageInfo's map.
      • rebuildEncryptedJwt

        protected String rebuildEncryptedJwt(Jwt jwt)
        Recreates the Encrypted Session Jwt.
        Parameters:
        jwt - The original Session Jwt.
        Returns:
        The Session Jwt.
      • secureResponse

        public javax.security.auth.message.AuthStatus secureResponse(javax.security.auth.message.MessageInfo messageInfo)
                                                              throws AuthenticationException
        Creates a JWT after a successful authentication and sets it as a Cookie on the response. An expiration time is included in the JWT to limit the life of the JWT.
        Parameters:
        messageInfo - The message context info for this request.
        Returns:
        AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse(javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note that AuthStatus.SEND_CONTINUE is not supported by this interface.
        Throws:
        AuthenticationException - If message processing failed without establishing a failure response message in the MessageInfo.
      • deleteSessionJwtCookie

        public void deleteSessionJwtCookie(javax.security.auth.message.MessageInfo messageInfo)
        Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.
        Parameters:
        messageInfo - The MessageInfo which contains the Response with the Jwt Session Cookie.
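A model of the validateJwtSessionCookie, secureResponse and rebuildEncryptedJwt behaviour described above, added here as an example and not the module's own code: an HS256 JWS stands in for the keystore-based signed and encrypted JWT, and the idle_exp claim name is an assumption (the page gives the idle-timeout and max-life property keys, not the claim layout).

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo key and issuer; the real module loads its key from the configured keystore.
SIGNING_KEY = b"constructed-demo-secret-key"
ISSUER = "jwt-session-module-demo"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_session_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Compact HS256 JWS; stands in for the module's keystore-signed, encrypted JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_session_cookie(cookie: Optional[str], now: int, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """The checks the page lists, in order: cookie present, signature valid, issuer
    matches, max life (exp) not reached, idle timeout not reached. None means reject."""
    if not cookie:
        return None                              # no session cookie on the request
    try:
        header, payload, sig = cookie.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None                          # signature does not verify
        claims = json.loads(_b64url_decode(payload))
        if claims.get("iss") != ISSUER:
            return None                          # wrong issuer (JWT_ISSUER check)
        if now >= claims["exp"] or now >= claims["idle_exp"]:
            return None                          # max life or idle timeout expired
    except (ValueError, KeyError, TypeError, AttributeError):
        return None                              # malformed cookie
    return claims

def issue_session_cookie(subject: str, now: int, idle_minutes: int, max_life_minutes: int) -> str:
    """Mint the session JWT after authentication; idle_exp is a hypothetical claim name."""
    return sign_session_jwt({"iss": ISSUER, "sub": subject, "iat": now,
                             "exp": now + max_life_minutes * 60,
                             "idle_exp": now + idle_minutes * 60})

def touch_session_cookie(claims: dict, now: int, idle_minutes: int) -> str:
    """Re-issue with a refreshed idle timeout; exp is never extended, so max life still bounds the session."""
    return sign_session_jwt(dict(claims, idle_exp=min(now + idle_minutes * 60, claims["exp"])))
```

A request that passes validation gets the re-issued cookie from touch_session_cookie; a logout sets the cookie to an empty value with max age 0 instead, as deleteSessionJwtCookie describes.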