Class AbstractJwtSessionModule<C extends JwtSessionCookie>

java.lang.Object
org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule<C>
Type Parameters:
C - The cookie type.
Direct Known Subclasses:
JwtSessionModule, ServletJwtSessionModule

public abstract class AbstractJwtSessionModule<C extends JwtSessionCookie> extends Object
A JASPI Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response. On subsequent requests it checks for the presence of the JWT as a Cookie on the request, validates the signature, decrypts it and checks the expiration time of the JWT.
Since:
1.0.0
  • Field Details

    • LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME

      public static final String LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME
      Request attribute for logout requests which will cause this module to delete the session cookie.
    • KEY_ALIAS_KEY

      public static final String KEY_ALIAS_KEY
      The Key Alias configuration property key.
    • PRIVATE_KEY_PASSWORD_KEY

      public static final String PRIVATE_KEY_PASSWORD_KEY
      The Private Key password configuration property key.
    • KEYSTORE_TYPE_KEY

      public static final String KEYSTORE_TYPE_KEY
      The Keystore type configuration property key.
    • KEYSTORE_FILE_KEY

      public static final String KEYSTORE_FILE_KEY
      The Keystore file path property key.
    • KEYSTORE_PASSWORD_KEY

      public static final String KEYSTORE_PASSWORD_KEY
      The Keystore password configuration property key.
    • TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY

      public static final String TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY
      The Jwt Token Idle timeout configuration property key in minutes.
    • MAX_TOKEN_LIFE_IN_MINUTES_KEY

      public static final String MAX_TOKEN_LIFE_IN_MINUTES_KEY
      The Jwt Token Maximum life configuration property key in minutes.
    • TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

      public static final String TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY
      The Jwt Token Idle timeout configuration property key in seconds.
    • MAX_TOKEN_LIFE_IN_SECONDS_KEY

      public static final String MAX_TOKEN_LIFE_IN_SECONDS_KEY
      The Jwt Token Maximum life configuration property key in seconds.
    • JWT_VALIDATED_KEY

      public static final String JWT_VALIDATED_KEY
      The Jwt Validated configuration property key.
    • BROWSER_SESSION_ONLY_KEY

      public static final String BROWSER_SESSION_ONLY_KEY
      Configuration property key for whether the JWT should persist between browser restarts.
    • HMAC_SIGNING_KEY

      public static final String HMAC_SIGNING_KEY
      HMAC signing key.
    • JWT_ISSUER

      public static final String JWT_ISSUER
      Issuer (iss) claim value to add to the JWT and check for.
  • Method Details

    • initialize

      public void initialize(CallbackHandler handler, Map options) throws AuthenticationException
      Initialises the module by getting the Keystore and Key alias properties out of the module configuration.
      Parameters:
      handler - CallbackHandler used to request information.
      options - A Map of module-specific configuration properties.
      Throws:
      AuthenticationException - If the options are not valid.
    • validateRequest

      public javax.security.auth.message.AuthStatus validateRequest(javax.security.auth.message.MessageInfo messageInfo, Subject clientSubject) throws AuthenticationException
      Checks for the presence of the JWT as a Cookie on the request, validates the signature, decrypts it and checks the expiration time of the JWT. If all these checks pass then the method returns AuthStatus.SUCCESS, otherwise it returns AuthStatus.SEND_FAILURE.
      Parameters:
      messageInfo - The message context info for this request.
      clientSubject - A Subject that represents the subject of this request.
      Returns:
      If the Jwt is valid then AuthStatus.SUCCESS is returned, otherwise AuthStatus.SEND_FAILURE is returned.
      Throws:
      AuthenticationException - If there is a problem validating the request.
    • validateJwtSessionCookie

      public Jwt validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo)
      Validates the Jwt Session Cookie and checks whether its idle timeout or maximum life has expired.
      Parameters:
      messageInfo - The MessageInfo instance.
      Returns:
      The Jwt if successfully validated otherwise null.
    • getContextMap

      public Map<String,Object> getContextMap(javax.security.auth.message.MessageInfo messageInfo)
      Ensures the context map exists within the messageInfo object, and then returns the context map to be used.
      Parameters:
      messageInfo - The MessageInfo instance.
      Returns:
      The context map internal to the messageInfo's map.
    • rebuildEncryptedJwt

      protected String rebuildEncryptedJwt(Jwt jwt)
      Recreates the Encrypted Session Jwt.
      Parameters:
      jwt - The original Session Jwt.
      Returns:
      The Session Jwt.
    • secureResponse

      public javax.security.auth.message.AuthStatus secureResponse(javax.security.auth.message.MessageInfo messageInfo) throws AuthenticationException
      Creates a JWT after a successful authentication and sets it as a Cookie on the response. An expiration time is included in the JWT to limit the life of the JWT.
      Parameters:
      messageInfo - The message context info for this request.
      Returns:
      AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse(javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note that AuthStatus.SEND_CONTINUE is not supported by this interface.
      Throws:
      AuthenticationException - If message processing failed without establishing a failure response message in the MessageInfo.
    • deleteSessionJwtCookie

      public void deleteSessionJwtCookie(javax.security.auth.message.MessageInfo messageInfo)
      Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.
      Parameters:
      messageInfo - The MessageInfo which contains the Response with the Jwt Session Cookie.
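Added illustration, not the module's own code, of the idle-timeout versus maximum-life rule that the class description and validateJwtSessionCookie describe: the idle deadline slides forward on each valid request (an assumption about how the module refreshes the cookie when it rebuilds the encrypted JWT), while the maximum life is fixed at issue time and is never extended. The class, field and method names are constructed; the configured durations are sample values.

```java
import java.time.Duration;
import java.time.Instant;

public final class SessionJwtLifetimeCheck {

    /** The two timestamps these checks need (field names are assumptions, not the module's claims). */
    static final class SessionClaims {
        final Instant issuedAt;   // absolute start of the session; never changes
        Instant idleExpiry;       // sliding deadline, refreshed on each valid request
        SessionClaims(Instant issuedAt, Instant idleExpiry) { this.issuedAt = issuedAt; this.idleExpiry = idleExpiry; }
    }

    /** Mirrors secureResponse: a fresh session starts with a full idle window. */
    static SessionClaims issue(Instant now, Duration idleTime) {
        return new SessionClaims(now, now.plus(idleTime));
    }

    /** Mirrors validateJwtSessionCookie: refreshed claims while both limits hold, null once either has expired. */
    static SessionClaims validate(SessionClaims c, Instant now, Duration idleTime, Duration maxLife) {
        Instant lifeEnd = c.issuedAt.plus(maxLife);
        boolean idleExpired = !now.isBefore(c.idleExpiry);
        boolean lifeExpired = !now.isBefore(lifeEnd);
        if (idleExpired || lifeExpired) {
            return null;          // caller clears the cookie, cf. deleteSessionJwtCookie
        }
        // The idle deadline slides forward but is capped so it can never outlive the maximum life.
        Instant nextIdle = now.plus(idleTime);
        c.idleExpiry = nextIdle.isBefore(lifeEnd) ? nextIdle : lifeEnd;
        return c;                 // would be re-encrypted and re-set as the cookie
    }

    public static void main(String[] args) {
        Duration idle = Duration.ofMinutes(30);
        Duration maxLife = Duration.ofMinutes(120);
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");

        // Session A: one request at 20 min, then silence; the idle timeout ends it at 50 min.
        SessionClaims a = issue(t0, idle);
        for (int m : new int[] {20, 51}) {
            System.out.println("A at " + m + " min valid: " + (validate(a, t0.plus(Duration.ofMinutes(m)), idle, maxLife) != null));
        }
        // Session B: a request every 20 min keeps the idle window open, but max life still ends it at 120 min.
        SessionClaims b = issue(t0, idle);
        for (int m = 20; m <= 140; m += 20) {
            System.out.println("B at " + m + " min valid: " + (validate(b, t0.plus(Duration.ofMinutes(m)), idle, maxLife) != null));
        }
    }
}
```

Session B shows why both limits matter: a client that keeps sending requests never trips the idle timeout, so only the maximum life bounds how long a stolen cookie stays usable.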