Class JwtSessionManagerHeaplet

- java.lang.Object
  - org.forgerock.openig.heap.GenericHeaplet
    - org.forgerock.openig.session.jwt.JwtSessionManagerHeaplet

All Implemented Interfaces: Heaplet
public class JwtSessionManagerHeaplet extends GenericHeaplet

A JwtSessionManagerHeaplet is responsible for configuring and creating a JwtSession.

    {
      "type": "JwtSession",
      "config": {
        "cookie": {                                  object [OPTIONAL - structure describing the properties of the JWT session cookie:]
          "name": expression<String>                 [OPTIONAL - Name of the cookie containing the IG JWT session. Defaults to JwtSession#IG_JWT_SESSION.]
          "domain": expression<String>               [OPTIONAL - Domain that the cookie is applicable to. If not set, the cookie will be treated as a host-based cookie.]
          "path": expression<String>                 [OPTIONAL - Path to apply to the cookie. Defaults to "/".]
          "secure": expression<boolean>              [OPTIONAL - Determines if the cookie should be set to be secure. Defaults to false.]
          "httpOnly": expression<boolean>            [OPTIONAL - httpOnly flag. Defaults to true.]
          "sameSite": expression<enum>               [OPTIONAL - STRICT or LAX. Defaults to null.]
        },
        "sessionTimeout": duration                   [OPTIONAL - amount of time before the JWT session expires. Defaults to 30min. A duration of 0 is not valid, and it will be limited to a max of ~10 years.]
        "persistentCookie": expression<boolean>      [OPTIONAL - specifies whether the supporting cookie will have an Expires attribute (persistent cookie) or not (session cookie). The expiration value is based on the sessionTimeout value. Defaults to false.]
        "authenticatedEncryptionSecretId": expression<secret-id> [OPTIONAL - The secret ID of the encryption key used to perform authenticated encryption on the JWT. If not set, a key is generated automatically.]
        "encryptionMethod": String                   [OPTIONAL - The standard name of the encryption algorithm to use with Authenticated Encryption. See RFC 7518 section 5.1 (1). Defaults to A256GCM.]
        "skewAllowance": expression<duration>        [OPTIONAL - The skew allowance to use for temporal validation on the JwtSession.]
        "useCompression": boolean                    [OPTIONAL - Set to true to use compression during the building of the JWT. Compression can help to reduce the size of the final cookie value when the session is used to store large items such as tokens. Defaults to true.]
      }
    }

All the session configuration is optional: if you omit everything, the appropriate keys will be generated and the cookie name used will be JwtSession.IG_JWT_SESSION.

    {
      "name": "JwtSession",
      "type": "JwtSession",
      "config": {
        "cookie": {
          "name": "IG",
          "domain": ".example.com",
          "path": "/",
          "secure": false,
          "httpOnly": true
        },
        "sessionTimeout": "30 minutes",
        "persistentCookie": true,
        "useCompression": true,
        "authenticatedEncryptionSecretId": "encryption.key.id"
      }
    }
The passwordSecretId is the label of a Purpose using the Commons Secrets API; it specifies the password to use when reading the private key from the KeyStore. It is only required when a keystore is specified. [Deprecated since 7.0]
Or:
The password [Deprecated since 6.5 in favor of passwordSecretId]. password is a static expression attribute that specifies the password to use when reading the private key from the KeyStore. It is only required when a keystore is specified. NOTE: If both password and passwordSecretId are provided, passwordSecretId takes precedence.
The authenticatedEncryptionSecretId is the label of a Purpose using the Commons Secrets API; the secret specifies the key used to perform authenticated encryption on the JWT. This attribute takes precedence over encryptionSecretId, alias and signatureSecretId.
The encryptionSecretId is the label of a Purpose using the Commons Secrets API; the secret specifies the key used to encrypt the JWT. [Deprecated in 7.0 - use authenticatedEncryptionSecretId]
OR, if encryptionSecretId is not used:
The alias string attribute specifies the name of the private key to obtain from the KeyStore. It is only required when a keystore is specified. [Deprecated in 7.0 - use authenticatedEncryptionSecretId]
The signatureSecretId is the label of a Purpose using the Commons Secrets API; the secret specifies the key used to sign/verify the JWTs. It is expected to be Base64 encoded. If unspecified, some random data is generated as the key. (The JWT is always signed.) [Deprecated in 7.0 - use authenticatedEncryptionSecretId]
The cookieName [Deprecated since 7.0 in favor of cookie] optional string attribute specifies the name of the cookie used to store the encrypted JWT.
The cookieDomain [Deprecated since 7.0 in favor of cookie] optional string attribute specifies the domain of the cookie used to store the encrypted JWT. If not set, the cookie will be treated as a host-based cookie.
The encryptionMethod should be one of the six standard encryption methods available: (1) See JWE Encryption Methods.
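The defaults documented above are what a deployment silently gets when the cookie block is omitted, and several of them (secure false, sameSite null) are worth checking before the session cookie is exposed to browsers. The following is an added example, not ForgeRock IG code: it applies the documented defaults to a JwtSession heap object and reports the settings a reviewer would question. The duration parser only handles the "<number> <unit>" form and the value of JwtSession.IG_JWT_SESSION is a placeholder, since this page does not state it; both are assumptions.

```python
import re

# Documented defaults for the JwtSession cookie block. IG_JWT_SESSION's real
# value is not stated on this page, so a placeholder is used (assumption).
COOKIE_DEFAULTS = {
    "name": "<JwtSession.IG_JWT_SESSION>",
    "domain": None,        # unset: the cookie is host-based
    "path": "/",
    "secure": False,
    "httpOnly": True,
    "sameSite": None,
}
DEFAULT_SESSION_TIMEOUT = "30 minutes"
MAX_SESSION_TIMEOUT_SECONDS = 10 * 365 * 24 * 3600   # the documented cap of "~10 years"

# Subset of IG's duration syntax (assumption: the real parser accepts more forms).
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "y": 365 * 86400, "year": 365 * 86400, "years": 365 * 86400,
}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]+)\s*$")


def parse_duration(text):
    """Convert '30 minutes' or '30min' into seconds."""
    match = _DURATION_RE.match(text)
    if not match or match.group(2).lower() not in _UNIT_SECONDS:
        raise ValueError(f"unsupported duration: {text!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2).lower()]


def effective_config(heap_object):
    """Merge the documented defaults into a JwtSession heap object's config."""
    if heap_object.get("type") != "JwtSession":
        raise ValueError("not a JwtSession heap object")
    config = heap_object.get("config") or {}
    return {
        "cookie": {**COOKIE_DEFAULTS, **(config.get("cookie") or {})},
        "sessionTimeout": config.get("sessionTimeout", DEFAULT_SESSION_TIMEOUT),
        "persistentCookie": config.get("persistentCookie", False),
        "useCompression": config.get("useCompression", True),
        "encryptionMethod": config.get("encryptionMethod", "A256GCM"),
        "authenticatedEncryptionSecretId": config.get("authenticatedEncryptionSecretId"),
    }


def review(heap_object):
    """Return findings about the effective configuration that merit a second look."""
    cfg = effective_config(heap_object)
    cookie = cfg["cookie"]
    findings = []

    def check_flag(key, wanted, message):
        value = cookie[key]
        if isinstance(value, bool):
            if value != wanted:
                findings.append(message)
        else:  # an expression: its value is only known at runtime
            findings.append(f"cookie.{key} is an expression ({value!r}); confirm it evaluates to {str(wanted).lower()}")

    check_flag("secure", True, "cookie.secure is false: the session JWT can be sent over plain HTTP")
    check_flag("httpOnly", True, "cookie.httpOnly is false: page scripts can read the session JWT")
    if cookie["sameSite"] not in ("STRICT", "LAX"):
        findings.append("cookie.sameSite is unset: the session cookie carries no SameSite attribute")

    seconds = parse_duration(cfg["sessionTimeout"])
    if seconds == 0:
        findings.append("sessionTimeout of 0 is not valid")
    elif seconds > MAX_SESSION_TIMEOUT_SECONDS:
        findings.append("sessionTimeout exceeds the ~10 year cap and will be limited")
    if cfg["persistentCookie"] is True:
        findings.append("persistentCookie is true: the cookie gets an Expires attribute and outlives the browser session")
    if not cfg["authenticatedEncryptionSecretId"]:
        findings.append("authenticatedEncryptionSecretId is unset: the encryption key is generated automatically rather than taken from a secret store")
    return findings


# The example heap object from this page.
PAGE_EXAMPLE = {
    "name": "JwtSession", "type": "JwtSession",
    "config": {
        "cookie": {"name": "IG", "domain": ".example.com", "path": "/", "secure": False, "httpOnly": True},
        "sessionTimeout": "30 minutes", "persistentCookie": True, "useCompression": True,
        "authenticatedEncryptionSecretId": "encryption.key.id",
    },
}
# Constructed variant with the cookie attributes set explicitly.
HARDENED = {
    "name": "JwtSession", "type": "JwtSession",
    "config": {
        "cookie": {"name": "IG", "secure": True, "httpOnly": True, "sameSite": "STRICT"},
        "sessionTimeout": "30 minutes", "persistentCookie": False,
        "authenticatedEncryptionSecretId": "encryption.key.id",
    },
}

if __name__ == "__main__":
    for label, obj in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        print(label, review(obj) or ["no findings"])
```

Run against the page's own example, the review reports the secure flag, the missing SameSite attribute and the persistent cookie; an object with an empty config gets the same two cookie findings plus the auto-generated encryption key.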
Since: 3.1
Field Summary

  Modifier and Type   Field                      Description
  static String       DEFAULT_SESSION_TIMEOUT    Default sessionTimeout duration.

Constructor Summary

  Constructor                   Description
  JwtSessionManagerHeaplet()

Method Summary (All Methods, Instance Methods, Concrete Methods)

  Modifier and Type   Method     Description
  Object              create()   Called to request the heaplet create an object.

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet:
create, destroy, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getSecretService, getType, meterRegistryHolder, start
Field Detail

DEFAULT_SESSION_TIMEOUT

public static final String DEFAULT_SESSION_TIMEOUT

Default sessionTimeout duration.
- See Also: Constant Field Values
Method Detail

create

public Object create() throws HeapException

Description copied from class: GenericHeaplet
Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.
- Specified by: create in class GenericHeaplet
- Returns: The created object.
- Throws: HeapException - if an exception occurred during creation of the heap object or any of its dependencies.