org.forgerock.jaspi.modules.session.jwt

Class JwtSessionModule

java.lang.Object

org.forgerock.jaspi.modules.session.jwt.JwtSessionModule

All Implemented Interfaces:

AsyncServerAuthModule

public class JwtSessionModule
extends Object
implements AsyncServerAuthModule

A JASPI CHF Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response. Then on subsequent requests checks for the presents of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT.

Field Summary

Fields

Modifier and Type	Field and Description
static String	BROWSER_SESSION_ONLY_KEY Whether the JWT should persist between browser restarts property key.
static String	COOKIE_DOMAINS_KEY The domains the cookie should be set on property key.
static String	HMAC_SIGNING_KEY HMAC signing key.
static String	HTTP_ONLY_COOKIE_KEY Whether the JWT should be Http Only, ie not accessible by client browser property key.
static String	JWT_VALIDATED_KEY The Jwt Validated configuration property key.
static String	KEY_ALIAS_KEY The Key Alias configuration property key.
static String	KEYSTORE_FILE_KEY The Keystore file path property key.
static String	KEYSTORE_PASSWORD_KEY The Keystore password configuration property key.
static String	KEYSTORE_TYPE_KEY The Keystore type configuration property key.
static String	LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME Request attribute for logout requests which will cause this module to delete the session cookie.
static String	MAX_TOKEN_LIFE_IN_MINUTES_KEY The Jwt Token Maximum life configuration property key in minutes.
static String	MAX_TOKEN_LIFE_IN_SECONDS_KEY The Jwt Token Maximum life configuration property key in seconds.
static String	PRIVATE_KEY_PASSWORD_KEY The Private Key password configuration property key.
static String	SECURE_COOKIE_KEY Whether the JWT should always be encrypted when sent to client browser property key.
static String	SESSION_COOKIE_NAME_KEY The Jwt Session Cookie Name configuration property key.
static String	TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY The Jwt Token Idle timeout configuration property key in minutes.
static String	TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY The Jwt Token Idle timeout configuration property key in seconds.

Constructor Summary

Constructors

Constructor and Description
JwtSessionModule() Constructs an instance of the JwtSessionModule.
JwtSessionModule(JwtBuilderFactory jwtBuilderFactory) Constructs an instance of the JwtSessionModule.

Method Summary

Modifier and Type	Method and Description
Promise<Void,AuthenticationException>	cleanSubject(MessageInfoContext messageInfo, Subject clientSubject) Removes any method specific principals and credentials from the client subject.
void	deleteSessionJwtCookie(javax.security.auth.message.MessageInfo messageInfo) Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.
Map<String,Object>	getContextMap(javax.security.auth.message.MessageInfo messageInfo) Ensures the context map exists within the messageInfo object, and then returns the context map to be used.
String	getModuleId() Gets the ID of the module to be used in creating authentication audit logs to uniquely identify the authentication module and its outcome when processing a request message.
Collection<Class<?>>	getSupportedMessageTypes() Gets the Collection of Class objects of the message types supported by the module.
void	initialize(CallbackHandler handler, Map options) Initialises the module by getting the Keystore and Key alias properties out of the module configuration.
Promise<Void,AuthenticationException>	initialize(javax.security.auth.message.MessagePolicy requestPolicy, javax.security.auth.message.MessagePolicy responsePolicy, CallbackHandler handler, Map<String,Object> options) Initialize this module with request and response message policies to enforce, a CallbackHandler, and any module specific configuration properties.
protected String	rebuildEncryptedJwt(Jwt jwt, Key publicKey) Recreates the Encrypted Session Jwt.
javax.security.auth.message.AuthStatus	secureResponse(javax.security.auth.message.MessageInfo messageInfo) Creates a JWT after a successful authentication and sets it as a Cookie on the response.
Promise<javax.security.auth.message.AuthStatus,AuthenticationException>	secureResponse(MessageInfoContext messageInfo, Subject serviceSubject) Secures the outgoing response message.
Jwt	validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo) Validates if the Jwt Session Cookie is valid and the idle timeout or max life has expired.
Promise<javax.security.auth.message.AuthStatus,AuthenticationException>	validateRequest(MessageInfoContext messageInfo, Subject clientSubject, Subject serviceSubject) Validates the incoming request message.
javax.security.auth.message.AuthStatus	validateRequest(javax.security.auth.message.MessageInfo messageInfo, Subject clientSubject) Checks for the presence of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.caf.authentication.api.AsyncServerAuthModule

toString

Field Detail

LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME

public static final String LOGOUT_SESSION_REQUEST_ATTRIBUTE_NAME

Request attribute for logout requests which will cause this module to delete the session cookie.

See Also:

Constant Field Values

KEY_ALIAS_KEY

public static final String KEY_ALIAS_KEY

The Key Alias configuration property key.

See Also:

Constant Field Values

PRIVATE_KEY_PASSWORD_KEY

public static final String PRIVATE_KEY_PASSWORD_KEY

The Private Key password configuration property key.

See Also:

Constant Field Values

KEYSTORE_TYPE_KEY

public static final String KEYSTORE_TYPE_KEY

The Keystore type configuration property key.

See Also:

Constant Field Values

KEYSTORE_FILE_KEY

public static final String KEYSTORE_FILE_KEY

The Keystore file path property key.

See Also:

Constant Field Values

KEYSTORE_PASSWORD_KEY

public static final String KEYSTORE_PASSWORD_KEY

The Keystore password configuration property key.

See Also:

Constant Field Values

SESSION_COOKIE_NAME_KEY

public static final String SESSION_COOKIE_NAME_KEY

The Jwt Session Cookie Name configuration property key.

See Also:

Constant Field Values

TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY

public static final String TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY

The Jwt Token Idle timeout configuration property key in minutes.

See Also:

Constant Field Values

MAX_TOKEN_LIFE_IN_MINUTES_KEY

public static final String MAX_TOKEN_LIFE_IN_MINUTES_KEY

The Jwt Token Maximum life configuration property key in minutes.

See Also:

Constant Field Values

TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

public static final String TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

The Jwt Token Idle timeout configuration property key in seconds.

See Also:

Constant Field Values

MAX_TOKEN_LIFE_IN_SECONDS_KEY

public static final String MAX_TOKEN_LIFE_IN_SECONDS_KEY

The Jwt Token Maximum life configuration property key in seconds.

See Also:

Constant Field Values

JWT_VALIDATED_KEY

public static final String JWT_VALIDATED_KEY

The Jwt Validated configuration property key.

See Also:

Constant Field Values

BROWSER_SESSION_ONLY_KEY

public static final String BROWSER_SESSION_ONLY_KEY

Whether the JWT should persist between browser restarts property key.

See Also:

Constant Field Values

HTTP_ONLY_COOKIE_KEY

public static final String HTTP_ONLY_COOKIE_KEY

Whether the JWT should be Http Only, ie not accessible by client browser property key.

See Also:

Constant Field Values

SECURE_COOKIE_KEY

public static final String SECURE_COOKIE_KEY

Whether the JWT should always be encrypted when sent to client browser property key.

See Also:

Constant Field Values

COOKIE_DOMAINS_KEY

public static final String COOKIE_DOMAINS_KEY

The domains the cookie should be set on property key.

See Also:

Constant Field Values

HMAC_SIGNING_KEY

public static final String HMAC_SIGNING_KEY

HMAC signing key.

See Also:

Constant Field Values

Constructor Detail

JwtSessionModule

public JwtSessionModule()

Constructs an instance of the JwtSessionModule.

JwtSessionModule

public JwtSessionModule(JwtBuilderFactory jwtBuilderFactory)

Constructs an instance of the JwtSessionModule.

Parameters:

jwtBuilderFactory - An instance of the jwtBuilderFactory.

Method Detail

getModuleId

public String getModuleId()

Description copied from interface: AsyncServerAuthModule

Gets the ID of the module to be used in creating authentication audit logs to uniquely identify the authentication module and its outcome when processing a request message.

Specified by:

getModuleId in interface AsyncServerAuthModule

Returns:

The ID of the module.

initialize

public Promise<Void,AuthenticationException> initialize(javax.security.auth.message.MessagePolicy requestPolicy,
                                                        javax.security.auth.message.MessagePolicy responsePolicy,
                                                        CallbackHandler handler,
                                                        Map<String,Object> options)

Description copied from interface: AsyncServerAuthModule

Initialize this module with request and response message policies to enforce, a CallbackHandler, and any module specific configuration properties.

The request policy and the response policy must not both be null.

Specified by:

initialize in interface AsyncServerAuthModule

Parameters:

requestPolicy - The request policy this module must enforce, or null.

responsePolicy - The response policy this module must enforce, or null.

handler - CallbackHandler used to request information.

options - A Map of module-specific configuration properties.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value. A successfully completed Promise will contain no value and a failed completed Promise will contain an AuthenticationException if module initialization fails, including for the case where the options argument contains elements that are not supported by the module.

getSupportedMessageTypes

public Collection<Class<?>> getSupportedMessageTypes()

Description copied from interface: AsyncServerAuthModule

Gets the Collection of Class objects of the message types supported by the module.

Specified by:

getSupportedMessageTypes in interface AsyncServerAuthModule

Returns:

A Collection of Class objects, with at least on element defining the message type(s) supported by the module.

validateRequest

public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> validateRequest(MessageInfoContext messageInfo,
                                                                                               Subject clientSubject,
                                                                                               Subject serviceSubject)

Description copied from interface: AsyncServerAuthModule

Validates the incoming request message.

Specified by:

validateRequest in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

serviceSubject - A Subject that represents the subject for the server or null. It may be used to secure the message response.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value.

A successfully completed Promise will contain an AuthStatus representing the completion status of the message processing. See ServerAuth.validateRequest( javax.security.auth.message.MessageInfo, Subject, Subject) for the allowed AuthStatus values.

A failed completed Promise will contain an AuthenticationException when the message processing failed without establishing a failure response message in the MessageContextInfo.

See Also:

AuthStatus, ServerAuth.validateRequest( javax.security.auth.message.MessageInfo, Subject, Subject)

secureResponse

public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> secureResponse(MessageInfoContext messageInfo,
                                                                                              Subject serviceSubject)

Description copied from interface: AsyncServerAuthModule

Secures the outgoing response message.

Specified by:

secureResponse in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

serviceSubject - A Subject that represents the subject for the server or null. It may be used to secure the message response.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value.

A successfully completed Promise will contain an AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note AuthStatus.SEND_CONTINUE is not supported by this interface

A failed completed Promise will contain an AuthenticationException when the message processing failed without establishing a failure response message in the MessageContextInfo.

See Also:

AuthStatus, ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject)

cleanSubject

public Promise<Void,AuthenticationException> cleanSubject(MessageInfoContext messageInfo,
                                                          Subject clientSubject)

Description copied from interface: AsyncServerAuthModule

Removes any method specific principals and credentials from the client subject.

Specified by:

cleanSubject in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value. A successfully completed Promise will contain no value and a failed completed Promise will contain an AuthenticationException if an error occurs during the Subject processing.

See Also:

ServerAuth.cleanSubject( javax.security.auth.message.MessageInfo, Subject)

initialize

public void initialize(CallbackHandler handler,
                       Map options)
                throws AuthenticationException

Initialises the module by getting the Keystore and Key alias properties out of the module configuration.

Parameters:

handler - CallbackHandler used to request information.

options - A Map of module-specific configuration properties.

Throws:

AuthenticationException

validateRequest

public javax.security.auth.message.AuthStatus validateRequest(javax.security.auth.message.MessageInfo messageInfo,
                                                              Subject clientSubject)
                                                       throws AuthenticationException

Checks for the presence of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT. If all these checks pass then the method return AuthStatus.SUCCESS, otherwise returns AuthStatus.SEND_FAILURE.

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

Returns:

If the Jwt is valid then AuthStatus.SUCCESS is returned, otherwise AuthStatus.SEND_FAILURE is returned.

Throws:

AuthenticationException - If there is a problem validating the request.

validateJwtSessionCookie

public Jwt validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo)

Validates if the Jwt Session Cookie is valid and the idle timeout or max life has expired.

Parameters:

messageInfo - The MessageInfo instance.

Returns:

The Jwt if successfully validated otherwise null.

getContextMap

public Map<String,Object> getContextMap(javax.security.auth.message.MessageInfo messageInfo)

Ensures the context map exists within the messageInfo object, and then returns the context map to be used.

Parameters:

messageInfo - The MessageInfo instance.

Returns:

The context map internal to the messageInfo's map.

rebuildEncryptedJwt

protected String rebuildEncryptedJwt(Jwt jwt,
                                     Key publicKey)

Recreates the Encrypted Session Jwt.

Parameters:

jwt - The orginal Session Jwt.

publicKey - The public key.

Returns:

The Session Jwt.

secureResponse

public javax.security.auth.message.AuthStatus secureResponse(javax.security.auth.message.MessageInfo messageInfo)
                                                      throws AuthenticationException

Creates a JWT after a successful authentication and sets it as a Cookie on the response. An expiration time is included in the JWT to limit the life of the JWT.

Parameters:

messageInfo - The message context info for this request.

Returns:

AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note AuthStatus.SEND_CONTINUE is not supported by this interface

Throws:

AuthenticationException - If message processing failed without establishing a failure response message in the MessageInfo.

deleteSessionJwtCookie

public void deleteSessionJwtCookie(javax.security.auth.message.MessageInfo messageInfo)

Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.

Parameters:

messageInfo - The MessageInfo which contains the Response with the Jwt Session Cookie.