org.forgerock.jaspi.modules.session.jwt

Class JwtSessionModule

java.lang.Object

org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule<org.forgerock.jaspi.modules.session.jwt.CookieWrapper>

org.forgerock.jaspi.modules.session.jwt.JwtSessionModule

All Implemented Interfaces:

AsyncServerAuthModule

public class JwtSessionModule
extends AbstractJwtSessionModule<org.forgerock.jaspi.modules.session.jwt.CookieWrapper>
implements AsyncServerAuthModule

A JASPI CHF Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response. Then on subsequent requests checks for the presents of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT.

Field Summary

Fields inherited from class org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule

BROWSER_SESSION_ONLY_KEY, COOKIE_DOMAINS_KEY, HMAC_SIGNING_KEY, HTTP_ONLY_COOKIE_KEY, JWT_VALIDATED_KEY, KEY_ALIAS_KEY, KEYSTORE_FILE_KEY, KEYSTORE_PASSWORD_KEY, KEYSTORE_TYPE_KEY, LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME, MAX_TOKEN_LIFE_IN_MINUTES_KEY, MAX_TOKEN_LIFE_IN_SECONDS_KEY, PRIVATE_KEY_PASSWORD_KEY, SECURE_COOKIE_KEY, SESSION_COOKIE_NAME_KEY, TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY, TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

Constructor Summary

Constructors

Constructor and Description
JwtSessionModule() Constructs an instance of the JwtSessionModule.
JwtSessionModule(JwtBuilderFactory jwtBuilderFactory) Constructs an instance of the JwtSessionModule.
JwtSessionModule(JwtBuilderFactory jwtBuilderFactory, JwtCryptographyHandler jwtCryptographyHandler) Constructs an instance of the JwtSessionModule.
JwtSessionModule(JwtCryptographyHandler jwtCryptographyHandler) Constructs an instance of the JwtSessionModule.

Method Summary

Modifier and Type	Method and Description
Promise<Void,AuthenticationException>	cleanSubject(MessageInfoContext messageInfo, Subject clientSubject) Removes any method specific principals and credentials from the client subject.
String	getModuleId() Gets the ID of the module to be used in creating authentication audit logs to uniquely identify the authentication module and its outcome when processing a request message.
Collection<Class<?>>	getSupportedMessageTypes() Gets the Collection of Class objects of the message types supported by the module.
void	initialize(javax.security.auth.message.MessagePolicy requestPolicy, javax.security.auth.message.MessagePolicy responsePolicy, CallbackHandler handler, Map<String,Object> options) Initialize this module with request and response message policies to enforce, a CallbackHandler, and any module specific configuration properties.
Promise<javax.security.auth.message.AuthStatus,AuthenticationException>	secureResponse(MessageInfoContext messageInfo, Subject serviceSubject) Secures the outgoing response message.
Promise<javax.security.auth.message.AuthStatus,AuthenticationException>	validateRequest(MessageInfoContext messageInfo, Subject clientSubject, Subject serviceSubject) Validates the incoming request message.

Methods inherited from class org.forgerock.jaspi.modules.session.jwt.AbstractJwtSessionModule

deleteSessionJwtCookie, getContextMap, initialize, rebuildEncryptedJwt, secureResponse, validateJwtSessionCookie, validateRequest

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.caf.authentication.api.AsyncServerAuthModule

toString

Constructor Detail

JwtSessionModule

public JwtSessionModule()

Constructs an instance of the JwtSessionModule.

JwtSessionModule

public JwtSessionModule(JwtBuilderFactory jwtBuilderFactory)

Constructs an instance of the JwtSessionModule.

Parameters:

jwtBuilderFactory - An instance of the jwtBuilderFactory.

JwtSessionModule

public JwtSessionModule(JwtCryptographyHandler jwtCryptographyHandler)

Constructs an instance of the JwtSessionModule.

Parameters:

jwtCryptographyHandler - The JwtCryptographyHandler to use.

JwtSessionModule

public JwtSessionModule(JwtBuilderFactory jwtBuilderFactory,
                        JwtCryptographyHandler jwtCryptographyHandler)

Constructs an instance of the JwtSessionModule.

Parameters:

jwtBuilderFactory - An instance of the jwtBuilderFactory.

jwtCryptographyHandler - The JwtCryptographyHandler to use.

Method Detail

getModuleId

public String getModuleId()

Description copied from interface: AsyncServerAuthModule

Gets the ID of the module to be used in creating authentication audit logs to uniquely identify the authentication module and its outcome when processing a request message.

Specified by:

getModuleId in interface AsyncServerAuthModule

Returns:

The ID of the module.

initialize

public void initialize(javax.security.auth.message.MessagePolicy requestPolicy,
                       javax.security.auth.message.MessagePolicy responsePolicy,
                       CallbackHandler handler,
                       Map<String,Object> options)
                throws AuthenticationException

Description copied from interface: AsyncServerAuthModule

Initialize this module with request and response message policies to enforce, a CallbackHandler, and any module specific configuration properties.

The request policy and the response policy must not both be null.

Specified by:

initialize in interface AsyncServerAuthModule

Parameters:

requestPolicy - The request policy this module must enforce, or null.

responsePolicy - The response policy this module must enforce, or null.

handler - CallbackHandler used to request information.

options - A Map of module-specific configuration properties.

Throws:

AuthenticationException - when module initialization fails, including for the case where the options argument contains elements that are not supported by the module.

getSupportedMessageTypes

public Collection<Class<?>> getSupportedMessageTypes()

Description copied from interface: AsyncServerAuthModule

Gets the Collection of Class objects of the message types supported by the module.

Specified by:

getSupportedMessageTypes in interface AsyncServerAuthModule

Returns:

A Collection of Class objects, with at least on element defining the message type(s) supported by the module.

validateRequest

public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> validateRequest(MessageInfoContext messageInfo,
                                                                                               Subject clientSubject,
                                                                                               Subject serviceSubject)

Description copied from interface: AsyncServerAuthModule

Validates the incoming request message.

Specified by:

validateRequest in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

serviceSubject - A Subject that represents the subject for the server or null. It may be used to secure the message response.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value.

A successfully completed Promise will contain an AuthStatus representing the completion status of the message processing. See ServerAuth.validateRequest( javax.security.auth.message.MessageInfo, Subject, Subject) for the allowed AuthStatus values.

A failed completed Promise will contain an AuthenticationException when the message processing failed without establishing a failure response message in the MessageContextInfo.

See Also:

AuthStatus, ServerAuth.validateRequest( javax.security.auth.message.MessageInfo, Subject, Subject)

secureResponse

public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> secureResponse(MessageInfoContext messageInfo,
                                                                                              Subject serviceSubject)

Description copied from interface: AsyncServerAuthModule

Secures the outgoing response message.

Specified by:

secureResponse in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

serviceSubject - A Subject that represents the subject for the server or null. It may be used to secure the message response.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value.

A successfully completed Promise will contain an AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note AuthStatus.SEND_CONTINUE is not supported by this interface

A failed completed Promise will contain an AuthenticationException when the message processing failed without establishing a failure response message in the MessageContextInfo.

See Also:

AuthStatus, ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject)

cleanSubject

public Promise<Void,AuthenticationException> cleanSubject(MessageInfoContext messageInfo,
                                                          Subject clientSubject)

Description copied from interface: AsyncServerAuthModule

Removes any method specific principals and credentials from the client subject.

Specified by:

cleanSubject in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value. A successfully completed Promise will contain no value and a failed completed Promise will contain an AuthenticationException if an error occurs during the Subject processing.

See Also:

ServerAuth.cleanSubject( javax.security.auth.message.MessageInfo, Subject)