Package org.forgerock.jaspi.modules.session.jwt

Class ServletJwtSessionModule

  • All Implemented Interfaces:
    javax.security.auth.message.module.ServerAuthModule, javax.security.auth.message.ServerAuth
    public class ServletJwtSessionModule
extends AbstractJwtSessionModule<Cookie>
implements javax.security.auth.message.module.ServerAuthModule
    A JASPI Servlet API Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response. Then on subsequent requests checks for the presents of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT.

    • Constructor Detail

      • ServletJwtSessionModule

        public ServletJwtSessionModule()
        Constructs an instance of the ServletJwtSessionModule.

      • ServletJwtSessionModule

        public ServletJwtSessionModule​(JwtBuilderFactory jwtBuilderFactory)
        Constructs an instance of the ServletJwtSessionModule.
        Parameters:
        jwtBuilderFactory - An instance of the jwtBuilderFactory.

      • ServletJwtSessionModule

        public ServletJwtSessionModule​(JwtCryptographyHandler jwtCryptographyHandler)
        Constructs an instance of the ServletJwtSessionModule.
        Parameters:
        jwtCryptographyHandler - The JwtCryptographyHandler to use.

      • ServletJwtSessionModule

        public ServletJwtSessionModule​(JwtBuilderFactory jwtBuilderFactory,
                               JwtCryptographyHandler jwtCryptographyHandler)
        Constructs an instance of the ServletJwtSessionModule.
        Parameters:
        jwtBuilderFactory - An instance of the jwtBuilderFactory.
        jwtCryptographyHandler - The JwtCryptographyHandler to use.

    • Method Detail

      • initialize

        public void initialize​(javax.security.auth.message.MessagePolicy requestPolicy,
                       javax.security.auth.message.MessagePolicy responsePolicy,
                       CallbackHandler callbackHandler,
                       Map options)
                throws javax.security.auth.message.AuthException
        Specified by:
        initialize in interface javax.security.auth.message.module.ServerAuthModule
        Throws:
        javax.security.auth.message.AuthException

      • getSupportedMessageTypes

        public Class[] getSupportedMessageTypes()
        Specified by:
        getSupportedMessageTypes in interface javax.security.auth.message.module.ServerAuthModule

      • validateRequest

        public javax.security.auth.message.AuthStatus validateRequest​(javax.security.auth.message.MessageInfo messageInfo,
                                                              Subject clientSubject,
                                                              Subject serviceSubject)
                                                       throws javax.security.auth.message.AuthException
        Specified by:
        validateRequest in interface javax.security.auth.message.ServerAuth
        Throws:
        javax.security.auth.message.AuthException

      • validateJwtSessionCookie

        public Jwt validateJwtSessionCookie​(javax.security.auth.message.MessageInfo messageInfo)
        Description copied from class: AbstractJwtSessionModule
        Validates if the Jwt Session Cookie is valid and the idle timeout or max life has expired.
        Overrides:
        validateJwtSessionCookie in class AbstractJwtSessionModule<Cookie>
        Parameters:
        messageInfo - The MessageInfo instance.
        Returns:
        The Jwt if successfully validated otherwise null.

      • findJwtSessionCookie

        public Cookie findJwtSessionCookie​(javax.security.auth.message.MessageInfo messageInfo)
        Find a session cookie in the given message info.
        Parameters:
        messageInfo - The message info.
        Returns:
        The cookie, or null.

      • secureResponse

        public javax.security.auth.message.AuthStatus secureResponse​(javax.security.auth.message.MessageInfo messageInfo,
                                                             Subject subject)
                                                      throws javax.security.auth.message.AuthException
        Specified by:
        secureResponse in interface javax.security.auth.message.ServerAuth
        Throws:
        javax.security.auth.message.AuthException

      • cleanSubject

        public void cleanSubject​(javax.security.auth.message.MessageInfo messageInfo,
                         Subject subject)
        Specified by:
        cleanSubject in interface javax.security.auth.message.ServerAuth