ForgeRock JASPI (JSR-196) JWT Session Module 2.0.0-SNAPSHOT Documentation

org.forgerock.jaspi.modules.session.jwt
Class JwtSessionModule

java.lang.Object
  extended by org.forgerock.jaspi.modules.session.jwt.JwtSessionModule
All Implemented Interfaces:
javax.security.auth.message.module.ServerAuthModule, javax.security.auth.message.ServerAuth

public class JwtSessionModule
extends Object
implements javax.security.auth.message.module.ServerAuthModule

A JASPI Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response. On subsequent requests it checks for the presence of the JWT as a Cookie on the request, validates the signature, decrypts it and checks the expiration time of the JWT.

Since:
1.0.0

Field Summary
static String BROWSER_SESSION_ONLY_KEY
          Whether the JWT should persist between browser restarts property key.
static String COOKIE_DOMAINS_KEY
          The domains the cookie should be set on property key.
static String HTTP_ONLY_COOKIE_KEY
          Whether the JWT should be Http Only, i.e. not accessible by the client browser, property key.
static String JWT_VALIDATED_KEY
          The Jwt Validated configuration property key.
static String KEY_ALIAS_KEY
          The Key Alias configuration property key.
static String KEYSTORE_FILE_KEY
          The Keystore file path property key.
static String KEYSTORE_PASSWORD_KEY
          The Keystore password configuration property key.
static String KEYSTORE_TYPE_KEY
          The Keystore type configuration property key.
static String MAX_TOKEN_LIFE_IN_MINUTES_KEY
          The Jwt Token Maximum life configuration property key in minutes.
static String MAX_TOKEN_LIFE_IN_SECONDS_KEY
          The Jwt Token Maximum life configuration property key in seconds.
static String PRIVATE_KEY_PASSWORD_KEY
          The Private Key password configuration property key.
static String SECURE_COOKIE_KEY
          Whether the JWT should always be encrypted when sent to client browser property key.
static String SESSION_COOKIE_NAME_KEY
          The Jwt Session Cookie Name configuration property key.
static String TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY
          The Jwt Token Idle timeout configuration property key in minutes.
static String TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY
          The Jwt Token Idle timeout configuration property key in seconds.
 
Constructor Summary
JwtSessionModule()
          Constructs an instance of the JwtSessionModule.
JwtSessionModule(org.forgerock.json.jose.builders.JwtBuilderFactory jwtBuilderFactory)
          Constructs an instance of the JwtSessionModule.
 
Method Summary
 void cleanSubject(javax.security.auth.message.MessageInfo messageInfo, Subject subject)
          No cleaning for the Subject is required for this module.
 void deleteSessionJwtCookie(javax.servlet.http.HttpServletResponse response)
          Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.
 Map<String,Object> getContextMap(javax.security.auth.message.MessageInfo messageInfo)
          Ensures the context map exists within the messageInfo object, and then returns the context map to be used.
 Class[] getSupportedMessageTypes()
          
 void initialize(javax.security.auth.message.MessagePolicy requestPolicy, javax.security.auth.message.MessagePolicy responsePolicy, CallbackHandler handler, Map options)
          Initialises the module by getting the Keystore and Key alias properties out of the module configuration.
protected  String rebuildEncryptedJwt(org.forgerock.json.jose.jwe.EncryptedJwt jwt, RSAPublicKey publicKey)
          Recreates the Encrypted Session Jwt.
 javax.security.auth.message.AuthStatus secureResponse(javax.security.auth.message.MessageInfo messageInfo, Subject serviceSubject)
          Creates a JWT after a successful authentication and sets it as a Cookie on the response.
 org.forgerock.json.jose.jwt.Jwt validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo)
          Validates if the Jwt Session Cookie is valid and the idle timeout or max life has expired.
 javax.security.auth.message.AuthStatus validateRequest(javax.security.auth.message.MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
          Checks for the presence of the JWT as a Cookie on the request and validates the signature and decrypts it and checks the expiration time of the JWT.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

KEY_ALIAS_KEY

public static final String KEY_ALIAS_KEY
The Key Alias configuration property key.

See Also:
Constant Field Values

PRIVATE_KEY_PASSWORD_KEY

public static final String PRIVATE_KEY_PASSWORD_KEY
The Private Key password configuration property key.

See Also:
Constant Field Values

KEYSTORE_TYPE_KEY

public static final String KEYSTORE_TYPE_KEY
The Keystore type configuration property key.

See Also:
Constant Field Values

KEYSTORE_FILE_KEY

public static final String KEYSTORE_FILE_KEY
The Keystore file path property key.

See Also:
Constant Field Values

KEYSTORE_PASSWORD_KEY

public static final String KEYSTORE_PASSWORD_KEY
The Keystore password configuration property key.

See Also:
Constant Field Values

SESSION_COOKIE_NAME_KEY

public static final String SESSION_COOKIE_NAME_KEY
The Jwt Session Cookie Name configuration property key.

See Also:
Constant Field Values

TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY

public static final String TOKEN_IDLE_TIME_IN_MINUTES_CLAIM_KEY
The Jwt Token Idle timeout configuration property key in minutes.

See Also:
Constant Field Values

MAX_TOKEN_LIFE_IN_MINUTES_KEY

public static final String MAX_TOKEN_LIFE_IN_MINUTES_KEY
The Jwt Token Maximum life configuration property key in minutes.

See Also:
Constant Field Values

TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY

public static final String TOKEN_IDLE_TIME_IN_SECONDS_CLAIM_KEY
The Jwt Token Idle timeout configuration property key in seconds.

See Also:
Constant Field Values

MAX_TOKEN_LIFE_IN_SECONDS_KEY

public static final String MAX_TOKEN_LIFE_IN_SECONDS_KEY
The Jwt Token Maximum life configuration property key in seconds.

See Also:
Constant Field Values

JWT_VALIDATED_KEY

public static final String JWT_VALIDATED_KEY
The Jwt Validated configuration property key.

See Also:
Constant Field Values

BROWSER_SESSION_ONLY_KEY

public static final String BROWSER_SESSION_ONLY_KEY
Whether the JWT should persist between browser restarts property key.

See Also:
Constant Field Values

HTTP_ONLY_COOKIE_KEY

public static final String HTTP_ONLY_COOKIE_KEY
Whether the JWT should be Http Only, i.e. not accessible by the client browser, property key.

See Also:
Constant Field Values

SECURE_COOKIE_KEY

public static final String SECURE_COOKIE_KEY
Whether the JWT should always be encrypted when sent to client browser property key.

See Also:
Constant Field Values

COOKIE_DOMAINS_KEY

public static final String COOKIE_DOMAINS_KEY
The domains the cookie should be set on property key.

See Also:
Constant Field Values
Constructor Detail

JwtSessionModule

public JwtSessionModule()
Constructs an instance of the JwtSessionModule.


JwtSessionModule

public JwtSessionModule(org.forgerock.json.jose.builders.JwtBuilderFactory jwtBuilderFactory)
Constructs an instance of the JwtSessionModule.

Parameters:
jwtBuilderFactory - An instance of the jwtBuilderFactory.
Method Detail

initialize

public void initialize(javax.security.auth.message.MessagePolicy requestPolicy,
                       javax.security.auth.message.MessagePolicy responsePolicy,
                       CallbackHandler handler,
                       Map options)
                throws javax.security.auth.message.AuthException
Initialises the module by getting the Keystore and Key alias properties out of the module configuration.

Specified by:
initialize in interface javax.security.auth.message.module.ServerAuthModule
Parameters:
requestPolicy -
responsePolicy -
handler -
options -
Throws:
javax.security.auth.message.AuthException

getSupportedMessageTypes

public Class[] getSupportedMessageTypes()

Specified by:
getSupportedMessageTypes in interface javax.security.auth.message.module.ServerAuthModule

validateRequest

public javax.security.auth.message.AuthStatus validateRequest(javax.security.auth.message.MessageInfo messageInfo,
                                                              Subject clientSubject,
                                                              Subject serviceSubject)
                                                       throws javax.security.auth.message.AuthException
Checks for the presence of the JWT as a Cookie on the request, validates the signature, decrypts it and checks the expiration time of the JWT. If all these checks pass then the method returns AuthStatus.SUCCESS, otherwise it returns AuthStatus.SEND_FAILURE.

Specified by:
validateRequest in interface javax.security.auth.message.ServerAuth
Parameters:
messageInfo -
clientSubject -
serviceSubject -
Returns:
If the Jwt is valid then AuthStatus.SUCCESS is returned, otherwise AuthStatus.SEND_FAILURE is returned.
Throws:
javax.security.auth.message.AuthException - If there is a problem validating the request.

validateJwtSessionCookie

public org.forgerock.json.jose.jwt.Jwt validateJwtSessionCookie(javax.security.auth.message.MessageInfo messageInfo)
Validates the Jwt Session Cookie and checks whether the idle timeout or the max life has expired.

Parameters:
messageInfo - The MessageInfo instance.
Returns:
The Jwt if successfully validated otherwise null.

getContextMap

public Map<String,Object> getContextMap(javax.security.auth.message.MessageInfo messageInfo)
Ensures the context map exists within the messageInfo object, and then returns the context map to be used.

Parameters:
messageInfo - The MessageInfo instance.
Returns:
The context map internal to the messageInfo's map.

rebuildEncryptedJwt

protected String rebuildEncryptedJwt(org.forgerock.json.jose.jwe.EncryptedJwt jwt,
                                     RSAPublicKey publicKey)
Recreates the Encrypted Session Jwt.

Parameters:
jwt - The original Session Jwt.
publicKey - The public key.
Returns:
The Session Jwt.

secureResponse

public javax.security.auth.message.AuthStatus secureResponse(javax.security.auth.message.MessageInfo messageInfo,
                                                             Subject serviceSubject)
                                                      throws javax.security.auth.message.AuthException
Creates a JWT after a successful authentication and sets it as a Cookie on the response. An expiration time is included in the JWT to limit the life of the JWT.

Specified by:
secureResponse in interface javax.security.auth.message.ServerAuth
Parameters:
messageInfo -
serviceSubject -
Returns:
Throws:
javax.security.auth.message.AuthException

deleteSessionJwtCookie

public void deleteSessionJwtCookie(javax.servlet.http.HttpServletResponse response)
Provides a way to delete the Jwt Session Cookie, by setting a new cookie with the same name, null value and max age 0.

Parameters:
response - The HttpServletResponse with the Jwt Session Cookie.
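The following is an added illustration, not code from JwtSessionModule or the ForgeRock project, of the two behaviours this page documents: the session check in validateJwtSessionCookie (a session ends when either the idle timeout or the max life is exceeded) and the cookie removal in deleteSessionJwtCookie (a cookie with the same name, null value and max age 0). The timestamps, the cookie name "session-jwt" and the setPath call are assumptions for the example; the module's own claim names and cookie attributes are not on this page.

```java
import java.time.Instant;
import javax.servlet.http.Cookie;

/** Added example: the idle-timeout / max-life rule and the cookie-expiry shape, in plain Java. */
public final class JwtSessionChecks {

    private JwtSessionChecks() {
    }

    /**
     * Returns true while the session is still usable. Two independent clocks are checked:
     * the max life is measured from when the JWT was issued and is never extended, while the
     * idle timeout is measured from the last request that used the session and is reset on use.
     * Passing either limit ends the session; an active user cannot outlive the max life.
     */
    public static boolean isSessionLive(Instant issuedAt, Instant lastActivity, Instant now,
                                        long maxLifeSeconds, long idleTimeoutSeconds) {
        Instant maxLifeExpiry = issuedAt.plusSeconds(maxLifeSeconds);
        Instant idleExpiry = lastActivity.plusSeconds(idleTimeoutSeconds);
        return now.isBefore(maxLifeExpiry) && now.isBefore(idleExpiry);
    }

    /**
     * Builds a cookie that tells the browser to discard the session cookie: same name,
     * null value, max age 0 (the shape deleteSessionJwtCookie documents). The path is an
     * assumption here; a browser only replaces a cookie whose name, domain and path match.
     */
    public static Cookie expiredSessionCookie(String cookieName) {
        Cookie cookie = new Cookie(cookieName, null);
        cookie.setMaxAge(0);
        cookie.setPath("/"); // assumption for the example
        return cookie;
    }

    public static void main(String[] args) {
        // Constructed sample values: 60 minute max life, 5 minute idle timeout.
        long maxLife = 3600;
        long idle = 300;
        Instant issued = Instant.parse("2015-01-01T10:00:00Z");

        // Used two minutes ago, three minutes after issue: inside both limits.
        boolean live = isSessionLive(issued, issued.plusSeconds(60), issued.plusSeconds(180), maxLife, idle);
        // Untouched for six minutes: idle timeout exceeded although max life is not.
        boolean idledOut = isSessionLive(issued, issued.plusSeconds(60), issued.plusSeconds(420), maxLife, idle);
        // Used continuously but 61 minutes after issue: max life exceeded although idle timeout is not.
        boolean agedOut = isSessionLive(issued, issued.plusSeconds(3600), issued.plusSeconds(3660), maxLife, idle);

        System.out.println("live=" + live + " idledOut=" + idledOut + " agedOut=" + agedOut);
        // expected: live=true idledOut=false agedOut=false

        Cookie gone = expiredSessionCookie("session-jwt"); // assumed cookie name
        System.out.println(gone.getName() + " value=" + gone.getValue() + " maxAge=" + gone.getMaxAge());
        // expected: session-jwt value=null maxAge=0
    }
}
```

The third case is the one worth keeping in mind when choosing MAX_TOKEN_LIFE_* and TOKEN_IDLE_TIME_*: the idle timeout alone lets a session run indefinitely as long as requests keep arriving, so the max life is what bounds how long a stolen cookie stays valid.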

cleanSubject

public void cleanSubject(javax.security.auth.message.MessageInfo messageInfo,
                         Subject subject)
                  throws javax.security.auth.message.AuthException
No cleaning for the Subject is required for this module.

Specified by:
cleanSubject in interface javax.security.auth.message.ServerAuth
Parameters:
messageInfo -
subject -
Throws:
javax.security.auth.message.AuthException


Copyright © 2015 ForgeRock AS. All Rights Reserved.