Package org.forgerock.openig.filter.jwt
Class JwtValidationFilter
java.lang.Object
org.forgerock.openig.filter.jwt.JwtValidationFilter
All Implemented Interfaces: Filter
A JwtValidationFilter validates the given JWT according to the provided configuration.

If the JWT is verified, the chain of execution continues, with a JwtValidationContext provided.

If the JWT is not valid, this filter directly exits the chain by returning either a 403 Forbidden response (by default) or the response built by the given failure handler. In case of errors, a JwtValidationErrorContext is provided.
Configuration options:
{
"jwt" : runtime expression [REQUIRED - the location of the JWT.]
"failureHandler" : handler [OPTIONAL - the failure handler - default is FORBIDDEN.]
"skewAllowance" : expression<duration> [OPTIONAL - the skew allowance - defaults to zero.]
"verificationSecretId" : expression<Secret ID> [OPTIONAL - to verify the signature of the JWT.]
"decryptionSecretId" : expression<Secret ID> [OPTIONAL - to verify the encryption of the JWT.]
"secretsProvider" : SecretsProvider [OPTIONAL - secrets provider used to obtain secrets. REQUIRED if 'verificationSecretId' or 'decryptionSecretId' is used.]
"customizer" : JwtValidatorCustomizer [OPTIONAL - to add special claim checks.]
}
Example of use for a plain JWT:
{
"type": "JwtValidationFilter",
"config": {
"jwt": "${request.headers['myToken'][0]}"
}
}
Example of use for a signed JWT:
{
"type": "JwtValidationFilter",
"config": {
"jwt": "${request.headers['myToken'][0]}",
"verificationSecretId": "signature.verification.secret.id",
"secretsProvider": "mySecretsProvider"
}
}
Example of use for an encrypted JWT:
{
"type": "JwtValidationFilter",
"config": {
"jwt": "${request.headers['myToken'][0]}",
"decryptionSecretId": "decryption.secret.id",
"secretsProvider": "mySecretsProvider"
}
}
Example of use for a signed and encrypted JWT. Validation does not depend on the order in which the signing and encryption operations were applied:
{
"type": "JwtValidationFilter",
"config": {
"jwt": "${request.headers['myToken'][0]}",
"decryptionSecretId": "decryption.secret.id",
"verificationSecretId": "signature.verification.secret.id",
"secretsProvider": "mySecretsProvider"
}
}
Example of use for a plain JWT with custom claims validation:
{
"type": "JwtValidationFilter",
"config": {
"jwt": "${request.headers['myToken'][0]}",
"customizer": {
"type": "ScriptableJwtValidatorCustomizer",
"config": {
"type": "application/x-groovy",
"source": [
"builder.claim('myClaim', JsonValue::asString, isEqualTo('foobar'))"
]
}
}
}
}
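A complete route that puts the filter in front of a protected backend, as an added example that is not from this page or from the OpenIG project: the route layout, the Chain, StaticResponseHandler and ReverseProxyHandler names, the 30-second skewAllowance and the issuer value are assumptions (JSON carries no comments, so they are listed here). It combines signature verification with a custom issuer claim check and replaces the default 403 Forbidden with a 401 response carrying a WWW-Authenticate header.

```json
{
  "name": "api-jwt-protected",
  "condition": "${matches(request.uri.path, '^/api/')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "JwtValidationFilter",
          "config": {
            "jwt": "${request.headers['myToken'][0]}",
            "skewAllowance": "30 seconds",
            "verificationSecretId": "signature.verification.secret.id",
            "secretsProvider": "mySecretsProvider",
            "customizer": {
              "type": "ScriptableJwtValidatorCustomizer",
              "config": {
                "type": "application/x-groovy",
                "source": [
                  "builder.claim('iss', JsonValue::asString, isEqualTo('https://issuer.example'))"
                ]
              }
            },
            "failureHandler": {
              "type": "StaticResponseHandler",
              "config": {
                "status": 401,
                "headers": {
                  "WWW-Authenticate": [ "Bearer realm=\"api\"" ],
                  "Content-Type": [ "application/json" ]
                },
                "entity": "{\"error\":\"invalid_token\"}"
              }
            }
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Requests whose token fails signature, time-window or issuer checks never reach ReverseProxyHandler; the failure handler's response is returned directly from the filter.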
Nested Class Summary

static class: Creates and initializes a JwtValidationFilter in a heap environment.

Constructor Summary

JwtValidationFilter(Expression<String> jwtResolver, JwtValidator validator, Handler failureHandler): Constructs a JwtValidationFilter.

Method Summary
Constructor Details

JwtValidationFilter

public JwtValidationFilter(Expression<String> jwtResolver, JwtValidator validator, Handler failureHandler)

Constructs a JwtValidationFilter. This filter verifies, if a SigningHandler is provided, the signature of the JWT, then it provides the unpacked JWT in a JwtValidationContext accessible through the context chain for downstream components.

Parameters:
jwtResolver - The JWT as an Expression, not null.
validator - The validator that will execute all the required checks on the JWT, not null.
failureHandler - The Handler to dispatch to if the JWT validation fails, not null.
Method Details

filter

public Promise<Response,NeverThrowsException> filter(Context context, Request request, Handler next)

Description copied from interface: Filter

Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request). This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.