org.forgerock.jaspi.modules.session.jwt

Class AbstractJwtSessionModule<C extends JwtSessionCookie>

java.lang.Object

org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule<C>

Type Parameters:

C - The cookie type.

Direct Known Subclasses:

JwtSessionModule, ServletJwtSessionModule

public abstract class AbstractJwtSessionModule<C extends JwtSessionCookie>
extends Object

A JASPI Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response. Then on subsequent requests checks for the presents of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT.

Since:

1.0.0

Field Summary

Fields

Modifier and Type	Field and Description
static String	BROWSER_SESSION_ONLY_KEY Whether the JWT should persist between browser restarts property key.
static String	COOKIE_DOMAINS_KEY The domains the cookie should be set on property key.
static String	HMAC_SIGNING_KEY HMAC signing key.
static String	HTTP_ONLY_COOKIE_KEY Whether the JWT should be Http Only, ie not accessible by client browser property key.
static String	JWT_VALIDATED_KEY The Jwt Validated configuration property key.
static String	KEY_ALIAS_KEY The Key Alias configuration property key.
static String	KEYSTORE_FILE_KEY The Keystore file path property key.
static String	KEYSTORE_PASSWORD_KEY The Keystore password configuration property key.
static String	KEYSTORE_TYPE_KEY The Keystore type configuration property key.
static String	LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME Request attribute for logout requests which will cause this module to delete the session cookie.
static String	MAX_TOKEN_LIFE_IN_MINUTES_KEY The Jwt Token Maximum life configuration property key in minutes.
static String	MAX_TOKEN_LIFE_IN_SECONDS_KEY The Jwt Token Maximum life configuration property key in seconds.
static String	PRIVATE_KEY_PASSWORD_KEY The Private Key password configuration property key.
static String	SECURE_COOKIE_KEY Whether the JWT should always be encrypted when sent to client browser property key.
static String	SESSION_COOKIE_NAME_KEY The Jwt Session Cookie Name configuration property key.
static String	TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY The Jwt Token Idle timeout configuration property key in minutes.
static String	TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY The Jwt Token Idle timeout configuration property key in seconds.

Method Summary

Modifier and Type	Method and Description
void	deleteSessionJwtCookie(javax.security.auth.message.MessageInfo messageInfo) Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.
Map<String,Object>	getContextMap(javax.security.auth.message.MessageInfo messageInfo) Ensures the context map exists within the messageInfo object, and then returns the context map to be used.
void	initialize(CallbackHandler handler, Map options) Initialises the module by getting the Keystore and Key alias properties out of the module configuration.
protected String	rebuildEncryptedJwt(Jwt jwt) Recreates the Encrypted Session Jwt.
javax.security.auth.message.AuthStatus	secureResponse(javax.security.auth.message.MessageInfo messageInfo) Creates a JWT after a successful authentication and sets it as a Cookie on the response.
Jwt	validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo) Validates if the Jwt Session Cookie is valid and the idle timeout or max life has expired.
javax.security.auth.message.AuthStatus	validateRequest(javax.security.auth.message.MessageInfo messageInfo, Subject clientSubject) Checks for the presence of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME

public static final String LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME

Request attribute for logout requests which will cause this module to delete the session cookie.

See Also:

Constant Field Values

KEY_ALIAS_KEY

public static final String KEY_ALIAS_KEY

The Key Alias configuration property key.

See Also:

Constant Field Values

PRIVATE_KEY_PASSWORD_KEY

public static final String PRIVATE_KEY_PASSWORD_KEY

The Private Key password configuration property key.

See Also:

Constant Field Values

KEYSTORE_TYPE_KEY

public static final String KEYSTORE_TYPE_KEY

The Keystore type configuration property key.

See Also:

Constant Field Values

KEYSTORE_FILE_KEY

public static final String KEYSTORE_FILE_KEY

The Keystore file path property key.

See Also:

Constant Field Values

KEYSTORE_PASSWORD_KEY

public static final String KEYSTORE_PASSWORD_KEY

The Keystore password configuration property key.

See Also:

Constant Field Values

SESSION_COOKIE_NAME_KEY

public static final String SESSION_COOKIE_NAME_KEY

The Jwt Session Cookie Name configuration property key.

See Also:

Constant Field Values

TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY

public static final String TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY

The Jwt Token Idle timeout configuration property key in minutes.

See Also:

Constant Field Values

MAX_TOKEN_LIFE_IN_MINUTES_KEY

public static final String MAX_TOKEN_LIFE_IN_MINUTES_KEY

The Jwt Token Maximum life configuration property key in minutes.

See Also:

Constant Field Values

TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

public static final String TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

The Jwt Token Idle timeout configuration property key in seconds.

See Also:

Constant Field Values

MAX_TOKEN_LIFE_IN_SECONDS_KEY

public static final String MAX_TOKEN_LIFE_IN_SECONDS_KEY

The Jwt Token Maximum life configuration property key in seconds.

See Also:

Constant Field Values

JWT_VALIDATED_KEY

public static final String JWT_VALIDATED_KEY

The Jwt Validated configuration property key.

See Also:

Constant Field Values

BROWSER_SESSION_ONLY_KEY

public static final String BROWSER_SESSION_ONLY_KEY

Whether the JWT should persist between browser restarts property key.

See Also:

Constant Field Values

HTTP_ONLY_COOKIE_KEY

public static final String HTTP_ONLY_COOKIE_KEY

Whether the JWT should be Http Only, ie not accessible by client browser property key.

See Also:

Constant Field Values

SECURE_COOKIE_KEY

public static final String SECURE_COOKIE_KEY

Whether the JWT should always be encrypted when sent to client browser property key.

See Also:

Constant Field Values

COOKIE_DOMAINS_KEY

public static final String COOKIE_DOMAINS_KEY

The domains the cookie should be set on property key.

See Also:

Constant Field Values

HMAC_SIGNING_KEY

public static final String HMAC_SIGNING_KEY

HMAC signing key.

See Also:

Constant Field Values

Method Detail

initialize

public void initialize(CallbackHandler handler,
                       Map options)
                throws AuthenticationException

Initialises the module by getting the Keystore and Key alias properties out of the module configuration.

Parameters:

handler - CallbackHandler used to request information.

options - A Map of module-specific configuration properties.

Throws:

AuthenticationException - If the options are not valid.

validateRequest

public javax.security.auth.message.AuthStatus validateRequest(javax.security.auth.message.MessageInfo messageInfo,
                                                              Subject clientSubject)
                                                       throws AuthenticationException

Checks for the presence of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT. If all these checks pass then the method return AuthStatus.SUCCESS, otherwise returns AuthStatus.SEND_FAILURE.

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

Returns:

If the Jwt is valid then AuthStatus.SUCCESS is returned, otherwise AuthStatus.SEND_FAILURE is returned.

Throws:

AuthenticationException - If there is a problem validating the request.

validateJwtSessionCookie

public Jwt validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo)

Validates if the Jwt Session Cookie is valid and the idle timeout or max life has expired.

Parameters:

messageInfo - The MessageInfo instance.

Returns:

The Jwt if successfully validated otherwise null.

getContextMap

public Map<String,Object> getContextMap(javax.security.auth.message.MessageInfo messageInfo)

Ensures the context map exists within the messageInfo object, and then returns the context map to be used.

Parameters:

messageInfo - The MessageInfo instance.

Returns:

The context map internal to the messageInfo's map.

rebuildEncryptedJwt

protected String rebuildEncryptedJwt(Jwt jwt)

Recreates the Encrypted Session Jwt.

Parameters:

jwt - The orginal Session Jwt.

Returns:

The Session Jwt.

secureResponse

public javax.security.auth.message.AuthStatus secureResponse(javax.security.auth.message.MessageInfo messageInfo)
                                                      throws AuthenticationException

Creates a JWT after a successful authentication and sets it as a Cookie on the response. An expiration time is included in the JWT to limit the life of the JWT.

Parameters:

messageInfo - The message context info for this request.

Returns:

AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note AuthStatus.SEND_CONTINUE is not supported by this interface

Throws:

AuthenticationException - If message processing failed without establishing a failure response message in the MessageInfo.

deleteSessionJwtCookie

public void deleteSessionJwtCookie(javax.security.auth.message.MessageInfo messageInfo)

Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.

Parameters:

messageInfo - The MessageInfo which contains the Response with the Jwt Session Cookie.