public class OAuth2ResourceServerFilterHeaplet extends GenericHeaplet
Request that contains an OAuth 2.0 access token.
This filter expects an OAuth 2.0 token to be available in the HTTP Authorization header:
Authorization: Bearer 1fc0e143-f248-4e50-9c13-1d710360cec9
It extracts the token and validates it against the tokenInfoEndpoint URL provided in the configuration.
{
    "name": "ProtectedResourceFilter",
    "type": "OAuth2ResourceServerFilter",
    "config": {
        "scopes": [ "email", "profile" ],
        "tokenInfoEndpoint": "https://openam.example.com:8443/openam/oauth2/tokeninfo",
        "cacheExpiration": "2 minutes",
        "requireHttps": false,
        "providerHandler": "ClientHandler",
        "realm": "Informative realm name"
    }
}
scopes, tokenInfoEndpoint and providerHandler are the only three mandatory
configuration attributes.
If cacheExpiration is not set, the default is to keep the AccessTokenInfo
objects for 1 minute.
cacheExpiration is expressed in natural language (use zero or none
to deactivate caching; any zero-valued duration also deactivates it):
"cacheExpiration": "2 minutes"
"cacheExpiration": "3 days and 6 hours"
"cacheExpiration": "5m" // 5 minutes
"cacheExpiration": "10 min, 30 sec"
"cacheExpiration": "zero" // no cache
"cacheExpiration": "0 s" // no cache
providerHandler is a name reference to another handler available in the heap. It is used to perform
access token validation against the tokenInfoEndpoint URL.
It is usually a reference to some ClientHandler.
The optional requireHttps attribute controls whether this filter only accepts requests targeting the HTTPS scheme. By default, it is enabled (only URIs starting with https://... are accepted; an Exception is thrown otherwise).
The optional realm attribute specifies the name of the realm used in the authentication challenges returned to the client in case of errors.
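The following audit of one filter declaration is an added example, not part of the project's code. It checks the mandatory attributes, flags requireHttps set to false, and converts cacheExpiration to seconds, since that value bounds how long a cached AccessTokenInfo is reused without a fresh tokenInfoEndpoint query. The unit table, the 300-second review threshold and the function names are assumptions; the parser covers only the duration spellings shown above and is not the project's Duration parser.

```python
import json
import re

# Assumed unit table: only the spellings that appear in the examples on this page.
UNITS = {"d": 86400, "day": 86400, "days": 86400, "h": 3600, "hour": 3600,
         "hours": 3600, "m": 60, "min": 60, "minute": 60, "minutes": 60,
         "s": 1, "sec": 1, "second": 1, "seconds": 1}
MANDATORY = ("scopes", "tokenInfoEndpoint", "providerHandler")
DEFAULT_CACHE_SECONDS = 60  # the page states a 1 minute default


def cache_seconds(text):
    """Convert a cacheExpiration string to seconds (0 means caching is off)."""
    text = text.strip().lower()
    if text in ("zero", "none"):
        return 0
    total = 0
    for part in re.split(r",|\band\b", text):
        m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", part)
        if not m or m.group(2) not in UNITS:
            raise ValueError(f"unrecognised duration element: {part!r}")
        total += int(m.group(1)) * UNITS[m.group(2)]
    return total


def audit(heap_object, max_cache_seconds=300):
    """Return review findings for one OAuth2ResourceServerFilter declaration."""
    cfg = heap_object.get("config", {})
    findings = [f"missing mandatory attribute: {k}"
                for k in MANDATORY if k not in cfg]
    if cfg.get("requireHttps", True) is False:
        findings.append("requireHttps is false: non-HTTPS requests are accepted")
    if not cfg.get("tokenInfoEndpoint", "https://").startswith("https://"):
        findings.append("tokenInfoEndpoint is not an https:// URL")
    ttl = DEFAULT_CACHE_SECONDS
    if "cacheExpiration" in cfg:
        ttl = cache_seconds(cfg["cacheExpiration"])
    if ttl > max_cache_seconds:
        findings.append(f"cacheExpiration is {ttl}s (threshold {max_cache_seconds}s)")
    return findings


# Constructed sample: the page's declaration with providerHandler removed
# and a long cache lifetime.
SAMPLE = json.loads("""
{"name": "ProtectedResourceFilter", "type": "OAuth2ResourceServerFilter",
 "config": {"scopes": ["email", "profile"], "requireHttps": false,
  "tokenInfoEndpoint": "https://openam.example.com:8443/openam/oauth2/tokeninfo",
  "cacheExpiration": "3 days and 6 hours"}}
""")
```

Calling audit(SAMPLE) returns three findings: the missing providerHandler, requireHttps disabled, and a cache lifetime of 280800 seconds.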
See also: Duration
Modifier and Type | Field and Description |
---|---|
static String | DEFAULT_REALM_NAME: Name of the realm when none is specified in the heaplet. |
Constructor and Description |
---|
OAuth2ResourceServerFilterHeaplet() |
Modifier and Type | Method and Description |
---|---|
Object | create(): Called to request the heaplet create an object. |
void | destroy(): Called to indicate that the object created by the heaplet is going to be dereferenced. |
create, endpointRegistry, evaluatedWithHeapProperties, expression, start
public static final String DEFAULT_REALM_NAME

public Object create() throws HeapException
Description copied from GenericHeaplet: Called by Heaplet.create(Name, JsonValue, Heap) after initializing
the protected field members. Implementations should parse configuration
but not acquire resources, start threads, or log any initialization
messages. These tasks should be performed by the GenericHeaplet.start()
method.
create in class GenericHeaplet
Throws: HeapException - if an exception occurred during creation of the heap object
or any of its dependencies.

public void destroy()
Description copied from Heaplet.
destroy in interface Heaplet
destroy in class GenericHeaplet
Copyright © 2025 Open Identity Platform Community. All rights reserved.