Package org.forgerock.macaroons

Interface CaveatVerifier

All Known Implementing Classes:

JsonCaveatVerifier

Functional Interface:

This is a functional interface and can therefore be used as the assignment target for a lambda expression or method reference.

@FunctionalInterface
public interface CaveatVerifier

Generic interface for methods to verify that a caveat is satisfied.

Method Summary

Modifier and Type	Method	Description
boolean	isSatisfied(Macaroon.Caveat caveat, Macaroon macaroon)	Checks whether the given caveat is satisfied.

Method Details

isSatisfied

boolean isSatisfied(Macaroon.Caveat caveat,
 Macaroon macaroon)

Checks whether the given caveat is satisfied. Caveat verifiers should be quick to evaluate (ideally constant-time), as a macaroon may have a large number of caveats, as may any discharge macaroons. If caveat verifiers take a long time to run then an attacker may be able to use this as a denial of service attack vector by sending macaroons with a large number of expensive caveats. Where a potentially expensive operation is required, consider making it a 3rd-party caveat to offload the processing to a separate service with a simple discharge macaroon used to prove that it has been satisfied.

Parameters:

caveat - the caveat to verify.

macaroon - the macaroon that the caveat is attached to.

Returns:

true if the caveat is satisfied, otherwise false.