Class ResourceServerFilter

  • All Implemented Interfaces:
    Filter

    public class ResourceServerFilter
    extends Object
    implements Filter
    Validates a Request that contains an OAuth 2.0 access token.

    This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:

    Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9

    It extracts the token and validates it against the AccessTokenResolver using the provided ResourceAccess.

    The provided ResourceAccess must provide the scopes required by the AccessTokenInfo to access the protected resource.

    Once the AccessTokenInfo is validated, it is stored in an OAuth2Context instance which is forwarded with the Request to the next Handler. Downstream handlers can retrieve the AccessTokenInfo with OAuth2Context.getAccessToken().

    The realm constructor attribute specifies the name of the realm used in the authentication challenges returned to the client in case of errors.

    If a RequestAuditContext is present, the token's audit tracking ID is added to its tracking ID list.
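The validation flow described above (extract the bearer token, resolve it, check expiry and required scopes, answer failures with a realm-bearing challenge), modeled as an added example that is not the filter's own code. BearerCheck, TokenInfo, the Map-based resolver and the realm name are hypothetical stand-ins; the status codes and error values follow RFC 6750 and are an assumption about the challenge format, not confirmed behavior of this class. Requires Java 16 or later for records.

```java
import java.util.*;

// Added illustration. BearerCheck, TokenInfo and the Map-based resolver are
// hypothetical stand-ins, not ForgeRock classes.
public class BearerCheck {
    record TokenInfo(Set<String> scopes, long expiresAtMillis) {}
    record Result(int status, String challenge) {}

    private final String realm;
    private final Set<String> required;             // sorted for a stable challenge
    private final Map<String, TokenInfo> resolver;  // stands in for AccessTokenResolver

    BearerCheck(String realm, Set<String> required, Map<String, TokenInfo> resolver) {
        this.realm = realm;
        this.required = new TreeSet<>(required);
        this.resolver = resolver;
    }

    Result check(String authorization, long nowMillis) {
        String challenge = "Bearer realm=\"" + realm + "\"";
        String[] parts = authorization == null ? new String[0] : authorization.trim().split("\\s+");
        // No bearer credentials at all: challenge without an error code.
        if (parts.length == 0 || !parts[0].equalsIgnoreCase("Bearer"))
            return new Result(401, challenge);
        // Bearer scheme but not exactly one token: malformed request.
        if (parts.length != 2)
            return new Result(400, challenge + ", error=\"invalid_request\"");
        TokenInfo info = resolver.get(parts[1]);
        // Unknown or expired token.
        if (info == null || info.expiresAtMillis() <= nowMillis)
            return new Result(401, challenge + ", error=\"invalid_token\"");
        // Valid token that lacks a required scope.
        if (!info.scopes().containsAll(required))
            return new Result(403, challenge + ", error=\"insufficient_scope\", scope=\""
                    + String.join(" ", required) + "\"");
        return new Result(200, null); // the real filter would call next.handle(...) here
    }

    public static void main(String[] args) {
        long now = 1_000_000L; // constructed clock value
        String token = "1fc0e143-f248-4e50-9c13-1d710360cec9"; // sample token from the page
        Map<String, TokenInfo> tokens = Map.of(token, new TokenInfo(Set.of("read"), now + 60_000));
        BearerCheck readOnly = new BearerCheck("example", Set.of("read"), tokens);
        BearerCheck readWrite = new BearerCheck("example", Set.of("read", "write"), tokens);
        System.out.println(readOnly.check("Bearer " + token, now));
        System.out.println(readWrite.check("Bearer " + token, now));
        System.out.println(readOnly.check("Bearer unknown-token", now));
        System.out.println(readOnly.check(null, now));
    }
}
```

The four calls in main cover an accepted token, a token missing a required scope, an unknown token, and a request with no Authorization header.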

    • Method Detail

      • filter

        public Promise<Response, NeverThrowsException> filter(Context context,
                                                              Request request,
                                                              Handler next)
        Description copied from interface: Filter
        Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter calls next.handle(context, request).

        This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to next.handle(context, request) and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.

        Specified by:
        filter in interface Filter
        Parameters:
        context - The request context.
        request - The request.
        next - The next filter or handler in the chain to handle the request.
        Returns:
        A Promise representing the response to be returned to the client.