public class JwtSessionManager extends Object implements org.forgerock.http.session.SessionManager
JwtCookieSession.
```json
{
  "name": "JwtSession",
  "type": "JwtSession",
  "config": {
    "keystore": "Ref To A KeyStore",
    "alias": "PrivateKey Alias",
    "password": "KeyStore/Key Password",
    "cookieName": "OpenIG",
    "cookieDomain": ".example.com",
    "sessionTimeout": "30 minutes",
    "sharedSecret": "hello=="
  }
}
```
All the session configuration is optional: if you omit everything, the appropriate keys will be generated and the cookie name used will be JwtCookieSession.OPENIG_JWT_SESSION.
The keystore attribute is an optional attribute that references a KeyStore heap object. It will be used to obtain the required encryption keys. If omitted, the alias and password attributes will also be ignored, and a temporary key pair will be generated.

The alias string attribute specifies the name of the private key to obtain from the KeyStore. It is only required when a keystore is specified.

The password static expression attribute specifies the password to use when reading the private key from the KeyStore. It is only required when a keystore is specified.

The cookieName optional string attribute specifies the name of the cookie used to store the encrypted JWT. If not set, JwtCookieSession.OPENIG_JWT_SESSION is used.

The cookieDomain optional string attribute specifies the domain of the cookie used to store the encrypted JWT. If not set, the cookie will be treated as a host-based cookie.

The sessionTimeout optional duration attribute specifies the amount of time before the cookie session expires. If not set, a default of 30 minutes is used. A duration of 0 is not valid, and the value is limited to a maximum duration of approximately 10 years.

The sharedSecret optional string attribute specifies the key used to sign and verify the JWTs. It is expected to be Base64 encoded. If unspecified, random data is generated as the key.
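The attribute rules above (keystore with dependent alias and password, the 30 minute default and roughly 10 year cap on sessionTimeout, a Base64 sharedSecret) can be checked before a heap configuration is deployed. The following linter is an added example, not OpenIG's own code; it assumes a "<number> <unit>" duration syntax (the reference only shows "30 minutes"), approximates the 10 year maximum as 3650 days as the reference states, echoes the constant name JwtCookieSession.OPENIG_JWT_SESSION rather than its string value, and assumes an HMAC signing handler when it judges the sharedSecret length against the RFC 7518 section 3.2 minimum. Note that the reference's placeholder value "hello==" is not well-formed Base64, which the linter reports.

```python
"""Lint a JwtSession heap-object configuration against the rules stated in
the JwtSessionManager reference. Added example, not OpenIG's own code."""
import base64
import binascii
import re

# Assumption: only the "<number> <unit>" duration form is accepted here,
# a subset of the duration syntax OpenIG itself understands.
_UNIT_SECONDS = {
    "ms": 0.001, "millisecond": 0.001, "milliseconds": 0.001,
    "s": 1, "second": 1, "seconds": 1,
    "m": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}
DEFAULT_SESSION_TIMEOUT_SECONDS = 30 * 60        # "30 minutes" per the reference
MAX_SESSION_TIMEOUT_SECONDS = 10 * 365 * 86400   # "approximately 10 years", no leap years
# The reference names the constant, not its string value, so the constant is echoed.
DEFAULT_COOKIE_NAME = "JwtCookieSession.OPENIG_JWT_SESSION"
# Assumption: an HMAC signing handler; RFC 7518 section 3.2 requires an HS256
# key at least as long as the hash output, i.e. 32 bytes.
MIN_HMAC_KEY_BYTES = 32


def parse_duration(text):
    """Return the number of seconds denoted by a "<number> <unit>" string."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([A-Za-z]+)\s*", text)
    if not match:
        raise ValueError(f"unrecognised duration: {text!r}")
    amount, unit = float(match.group(1)), match.group(2).lower()
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unrecognised duration unit: {unit!r}")
    return amount * _UNIT_SECONDS[unit]


def lint_jwt_session(heap_object):
    """Return (effective_settings, issues) for one JwtSession heap object."""
    cfg = heap_object.get("config", {})
    effective, issues = {}, []

    # keystore is optional; alias and password only matter alongside it.
    if "keystore" in cfg:
        effective["keys"] = f"keystore {cfg['keystore']!r}"
        for required in ("alias", "password"):
            if required not in cfg:
                issues.append(f"keystore is set but {required!r} is missing")
    else:
        effective["keys"] = "temporary generated key pair"
        for ignored in ("alias", "password"):
            if ignored in cfg:
                issues.append(f"{ignored!r} is ignored because no keystore is referenced")

    # Cookie name and scope.
    effective["cookieName"] = cfg.get("cookieName", DEFAULT_COOKIE_NAME)
    domain = cfg.get("cookieDomain")
    effective["cookieScope"] = f"domain cookie for {domain}" if domain else "host-based cookie"

    # sessionTimeout: default 30 minutes, 0 invalid, capped at about 10 years.
    raw_timeout = cfg.get("sessionTimeout")
    try:
        seconds = (DEFAULT_SESSION_TIMEOUT_SECONDS if raw_timeout is None
                   else parse_duration(raw_timeout))
    except ValueError as exc:
        issues.append(str(exc))
        seconds = DEFAULT_SESSION_TIMEOUT_SECONDS
    if seconds == 0:
        issues.append("sessionTimeout of 0 is not valid")
    elif seconds > MAX_SESSION_TIMEOUT_SECONDS:
        issues.append("sessionTimeout exceeds the maximum and will be limited to about 10 years")
        seconds = MAX_SESSION_TIMEOUT_SECONDS
    effective["sessionTimeoutSeconds"] = seconds

    # sharedSecret: Base64 signing key; random key material when absent.
    secret = cfg.get("sharedSecret")
    if secret is None:
        effective["signingKey"] = "random"
    else:
        try:
            key = base64.b64decode(secret, validate=True)
        except binascii.Error:
            issues.append("sharedSecret is not valid Base64")
        else:
            effective["signingKey"] = f"{len(key)} bytes from sharedSecret"
            if len(key) < MIN_HMAC_KEY_BYTES:
                issues.append(f"sharedSecret decodes to only {len(key)} bytes; at least "
                              f"{MIN_HMAC_KEY_BYTES} are recommended for HMAC signing")
    return effective, issues


# Constructed sample: the reference's own snippet, whose placeholder
# sharedSecret "hello==" is not well-formed Base64.
SAMPLE_FROM_REFERENCE = {
    "name": "JwtSession",
    "type": "JwtSession",
    "config": {
        "keystore": "Ref To A KeyStore",
        "alias": "PrivateKey Alias",
        "password": "KeyStore/Key Password",
        "cookieName": "OpenIG",
        "cookieDomain": ".example.com",
        "sessionTimeout": "30 minutes",
        "sharedSecret": "hello==",
    },
}

if __name__ == "__main__":
    settings, problems = lint_jwt_session(SAMPLE_FROM_REFERENCE)
    for key, value in settings.items():
        print(f"{key}: {value}")
    for problem in problems:
        print(f"issue: {problem}")
```

Run against the reference snippet, the linter resolves the effective cookie scope and a 1800 second timeout and flags the malformed sharedSecret; run against an empty config it reports the documented defaults (generated key pair, default cookie constant, host-based cookie, random signing key) with no issues.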
Modifier and Type | Class and Description
---|---
static class | JwtSessionManager.Heaplet: Creates and initializes a jwt-session in a heap environment.
Modifier and Type | Field and Description
---|---
static String | DEFAULT_SESSION_TIMEOUT: Default sessionTimeout duration.
static org.forgerock.util.time.Duration | MAX_SESSION_TIMEOUT: The maximum session timeout duration, allows for an expiry time of approximately 10 years (does not take leap years into consideration).
Constructor and Description
---
JwtSessionManager(KeyPair keyPair, String cookieName, String cookieDomain, org.forgerock.util.time.TimeService timeService, org.forgerock.util.time.Duration sessionTimeout, org.forgerock.json.jose.jws.handlers.SigningHandler handler): Builds a new JwtSessionManager using the given KeyPair for session encryption, storing the opaque result in a cookie with the given name.
Modifier and Type | Method and Description
---|---
org.forgerock.http.session.Session | load(org.forgerock.http.protocol.Request request)
void | save(org.forgerock.http.session.Session session, org.forgerock.http.protocol.Response response)
public static final String DEFAULT_SESSION_TIMEOUT

public static final org.forgerock.util.time.Duration MAX_SESSION_TIMEOUT

public JwtSessionManager(KeyPair keyPair, String cookieName, String cookieDomain, org.forgerock.util.time.TimeService timeService, org.forgerock.util.time.Duration sessionTimeout, org.forgerock.json.jose.jws.handlers.SigningHandler handler)

Parameters:
- keyPair - Private and public keys used for ciphering/deciphering.
- cookieName - Name of the cookie.
- cookieDomain - Domain of the cookie. If null, the cookie will be treated as a host-based cookie.
- timeService - TimeService to use when dealing with cookie sessions.
- sessionTimeout - The duration of the cookie session.
- handler - The JWT signing handler.

public org.forgerock.http.session.Session load(org.forgerock.http.protocol.Request request)

Specified by: load in interface org.forgerock.http.session.SessionManager

public void save(org.forgerock.http.session.Session session, org.forgerock.http.protocol.Response response) throws IOException

Specified by: save in interface org.forgerock.http.session.SessionManager

Throws: IOException
Copyright © 2025 Open Identity Platform Community. All rights reserved.