Class JwtSessionManager

  • All Implemented Interfaces:
    org.forgerock.http.session.SessionManager

    public class JwtSessionManager
    extends Object
    implements org.forgerock.http.session.SessionManager
    A JwtSessionManager configures and creates JwtCookieSession instances. Session state is kept client-side, in a JWT that is encrypted with the configured key pair, signed with the shared secret, and carried in a cookie; the server stores nothing. A minimal heap configuration looks like this:
         {
             "name": "JwtSession",
             "type": "JwtSession",
             "config": {
                 "keystore": "Ref To A KeyStore",
                 "alias": "PrivateKey Alias",
                 "password": "KeyStore/Key Password",
                 "cookieName": "OpenIG",
                 "cookieDomain": ".example.com",
                 "sessionTimeout": "30 minutes",
                 "sharedSecret": "hello=="
             }
         }

    Every attribute in the session configuration is optional. If all of them are omitted, an encryption key pair and a signing key are generated automatically and the cookie is named JwtCookieSession.OPENIG_JWT_SESSION. Generated keys are temporary and are not persisted, so cookies issued before a restart cannot be read afterwards; a deployment that must keep sessions across restarts should supply both a keystore and a sharedSecret.

    The keystore optional attribute references a KeyStore heap object from which the encryption keys are read. If it is omitted, the alias and password attributes are ignored and a temporary key pair is generated instead.

    The alias string attribute names the private key to read from the KeyStore. It is required only when a keystore is specified.

    The password static expression attribute gives the password used to read the private key from the KeyStore. It is required only when a keystore is specified.

    The cookieName optional string attribute sets the name of the cookie that carries the encrypted JWT. If not set, JwtCookieSession.OPENIG_JWT_SESSION is used.

    The cookieDomain optional string attribute sets the Domain attribute of that cookie. If not set, the cookie is a host-only cookie and is returned only to the host that issued it. Setting a domain such as .example.com makes the browser send the session cookie to every host under that domain, so set it only when the session really has to be shared across hosts.

    The sessionTimeout optional duration attribute specifies how long a cookie session remains valid. If not set, the default of 30 minutes (DEFAULT_SESSION_TIMEOUT) is used. A duration of 0 is not valid, and values above MAX_SESSION_TIMEOUT (approximately 10 years) are limited to that maximum.

    The sharedSecret optional string attribute specifies the symmetric key used to sign and verify the JWTs. It must be Base64 encoded. If unspecified, random key material is generated, with the same restart caveat as above. The value "hello==" in the example is a placeholder, not a usable key: use a randomly generated secret of at least 32 bytes, Base64 encoded.
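    The following lint is an added example and is not OpenIG code: it reads a JwtSession heap object and reports the misconfigurations the attribute descriptions above warn about (alias/password missing when a keystore is set, a sharedSecret that is not Base64, a sessionTimeout of 0 or beyond the approximately 10-year cap, and generated keys that will not survive a restart). The minimum secret size, the recommended maximum session length, the duration units the lint understands and the MyKeyStore/openig-session/changeit values in the hardened fragment are this example's own assumptions, not OpenIG defaults.

```python
"""Lint an OpenIG JwtSession heap object for weak or inconsistent settings.

Added example, not OpenIG code. Rules follow the attribute descriptions in the
Javadoc; the two thresholds below are choices made for this example.
"""
import base64
import binascii
import json
import re
import secrets

MIN_SECRET_BYTES = 32                   # 256-bit symmetric key; example threshold, not an OpenIG rule
MAX_RECOMMENDED_SECONDS = 8 * 3600      # example policy, not an OpenIG rule
MAX_TIMEOUT_SECONDS = 10 * 365 * 86400  # the "approximately 10 years" cap described above

# sessionTimeout uses "<number> <unit>" syntax; these are the units this lint understands.
_UNITS = {
    "ms": 0.001, "millisecond": 0.001, "milliseconds": 0.001,
    "s": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "y": 365 * 86400, "year": 365 * 86400, "years": 365 * 86400,
}


def parse_duration(text):
    """Return the duration in seconds, or None if the string is not '<number> <unit>'."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", str(text))
    if not m or m.group(2).lower() not in _UNITS:
        return None
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def generate_shared_secret(num_bytes=MIN_SECRET_BYTES):
    """Produce a Base64-encoded random key suitable for the sharedSecret attribute."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def lint_jwt_session(heap_object):
    """Return a list of findings for one JwtSession heap object (empty list: nothing to report)."""
    if heap_object.get("type") != "JwtSession":
        return ["not a JwtSession heap object"]
    cfg = heap_object.get("config", {})
    findings = []

    # keystore / alias / password: alias and password are required once a keystore is named.
    if cfg.get("keystore"):
        for required in ("alias", "password"):
            if not cfg.get(required):
                findings.append(f"keystore is set but '{required}' is missing")
    else:
        findings.append("no keystore: a temporary key pair is generated, so sessions do not survive a restart")

    # sharedSecret: must be Base64; a generated secret is also lost on restart.
    secret = cfg.get("sharedSecret")
    if secret is None:
        findings.append("no sharedSecret: a random signing key is generated, so sessions do not survive a restart")
    else:
        try:
            raw = base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"sharedSecret {secret!r} is not valid Base64")
        else:
            if len(raw) < MIN_SECRET_BYTES:
                findings.append(f"sharedSecret decodes to {len(raw)} bytes; use at least {MIN_SECRET_BYTES}")

    # sessionTimeout: 0 is invalid, anything above the cap is limited to it.
    timeout = cfg.get("sessionTimeout", "30 minutes")  # documented default
    seconds = parse_duration(timeout)
    if seconds is None:
        findings.append(f"sessionTimeout {timeout!r} is not understood by this lint")
    elif seconds == 0:
        findings.append("sessionTimeout of 0 is not valid")
    elif seconds > MAX_TIMEOUT_SECONDS:
        findings.append("sessionTimeout exceeds the ~10 year cap and will be clamped")
    elif seconds > MAX_RECOMMENDED_SECONDS:
        hours = MAX_RECOMMENDED_SECONDS // 3600
        findings.append(f"sessionTimeout {timeout!r} is longer than the recommended {hours} hours")
    return findings


# Constructed samples: the fragment from the Javadoc, and a hardened variant with placeholder
# keystore name, alias and password (MyKeyStore / openig-session / changeit are assumptions).
DOC_EXAMPLE = json.loads("""{
    "name": "JwtSession", "type": "JwtSession",
    "config": {
        "keystore": "Ref To A KeyStore", "alias": "PrivateKey Alias",
        "password": "KeyStore/Key Password", "cookieName": "OpenIG",
        "cookieDomain": ".example.com", "sessionTimeout": "30 minutes",
        "sharedSecret": "hello=="
    }
}""")

HARDENED = {
    "name": "JwtSession", "type": "JwtSession",
    "config": {
        "keystore": "MyKeyStore", "alias": "openig-session", "password": "changeit",
        "cookieName": "OpenIG", "sessionTimeout": "1 hour",
        "sharedSecret": generate_shared_secret(),
    },
}

if __name__ == "__main__":
    for label, obj in (("doc example", DOC_EXAMPLE), ("hardened", HARDENED)):
        print(label, lint_jwt_session(obj) or ["ok"])
```

    Run against the fragment from the Javadoc, the lint reports only that "hello==" is not valid Base64; the hardened variant passes cleanly. Anything the lint cannot parse (for instance a duration syntax outside the unit table above) is reported rather than silently accepted, so a misspelt duration does not pass as a 30-minute default.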

    Since:
    3.1
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  JwtSessionManager.Heaplet
      Creates and initializes a jwt-session in a heap environment.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static String DEFAULT_SESSION_TIMEOUT
      Default sessionTimeout duration.
      static org.forgerock.util.time.Duration MAX_SESSION_TIMEOUT
      The maximum session timeout duration; allows for an expiry time of approximately 10 years (leap years are not taken into account).
    • Constructor Summary

      Constructors 
      Constructor Description
      JwtSessionManager(KeyPair keyPair, String cookieName, String cookieDomain, org.forgerock.util.time.TimeService timeService, org.forgerock.util.time.Duration sessionTimeout, org.forgerock.json.jose.jws.handlers.SigningHandler handler)
      Builds a new JwtSessionManager using the given KeyPair for session encryption, storing the opaque result in a cookie with the given name.
    • Field Detail

      • DEFAULT_SESSION_TIMEOUT

        public static final String DEFAULT_SESSION_TIMEOUT
        Default sessionTimeout duration.
        See Also:
        Constant Field Values
      • MAX_SESSION_TIMEOUT

        public static final org.forgerock.util.time.Duration MAX_SESSION_TIMEOUT
        The maximum session timeout duration; allows for an expiry time of approximately 10 years (leap years are not taken into account).
    • Constructor Detail

      • JwtSessionManager

        public JwtSessionManager(KeyPair keyPair,
                                 String cookieName,
                                 String cookieDomain,
                                 org.forgerock.util.time.TimeService timeService,
                                 org.forgerock.util.time.Duration sessionTimeout,
                                 org.forgerock.json.jose.jws.handlers.SigningHandler handler)
        Builds a new JwtSessionManager using the given KeyPair for session encryption, storing the opaque result in a cookie with the given name.
        Parameters:
        keyPair - Private and public keys used to encrypt and decrypt the session JWT.
        cookieName - Name of the cookie.
        cookieDomain - Domain of the cookie. If null, the cookie is treated as a host-only cookie.
        timeService - TimeService used to compute and check cookie session expiry.
        sessionTimeout - The duration of the cookie session.
        handler - The handler used to sign and verify the session JWT.
    • Method Detail

      • load

        public org.forgerock.http.session.Session load(org.forgerock.http.protocol.Request request)
        Builds the Session for the given request, reading the session cookie from it when one is present.
        Specified by:
        load in interface org.forgerock.http.session.SessionManager
      • save

        public void save(org.forgerock.http.session.Session session,
                         org.forgerock.http.protocol.Response response)
                  throws IOException
        Writes the given session back to the response as a session cookie.
        Specified by:
        save in interface org.forgerock.http.session.SessionManager
        Throws:
        IOException