Class JWTTokenHandler

  • Direct Known Subclasses:
    LoginJWTTokenHandler, ShortLivedJWTTokenHandler

    public abstract class JWTTokenHandler
    extends Object
Class responsible for creating and parsing JSON Web Tokens (JWTs); supports both JWS (signed) and JWE (encrypted) tokens, see https://jwt.io/. This abstract class must be extended by a class that provides the configuration keys for the particular type of token.
    Author:
    Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)
    • Constructor Detail

      • JWTTokenHandler

        public JWTTokenHandler()
    • Method Detail

      • getTokenSecretConfigurationKey

        protected abstract String getTokenSecretConfigurationKey()
        Get the configuration property key for the token secret.
        Returns:
        the configuration property key
      • getEncryptionSecretConfigurationKey

        protected abstract String getEncryptionSecretConfigurationKey()
        Get the configuration property key for the encryption secret.
        Returns:
        the configuration property key
      • getTokenExpirationConfigurationKey

        protected abstract String getTokenExpirationConfigurationKey()
        Get the configuration property key for the expiration time.
        Returns:
        the configuration property key
      • getEncryptionEnabledConfigurationKey

        protected abstract String getEncryptionEnabledConfigurationKey()
        Get the configuration property key for the encryption enable setting.
        Returns:
        the configuration property key
      • getCompressionEnabledConfigurationKey

        protected abstract String getCompressionEnabledConfigurationKey()
        Get the configuration property key for the compression enable setting.
        Returns:
        the configuration property key
      • parseEPersonFromToken

        public org.dspace.eperson.EPerson parseEPersonFromToken(String token,
                                                                javax.servlet.http.HttpServletRequest request,
                                                                org.dspace.core.Context context)
                                                         throws com.nimbusds.jose.JOSEException,
                                                                ParseException,
                                                                SQLException
        Retrieve the EPerson from a JSON Web Token (JWT).
        Parameters:
        token - token as a string
        request - current request
        context - current Context
        Returns:
        DSpace EPerson object parsed from the token
        Throws:
        com.nimbusds.jose.JOSEException
        ParseException
        SQLException
      • createTokenForEPerson

        public String createTokenForEPerson(org.dspace.core.Context context,
                                            javax.servlet.http.HttpServletRequest request,
                                            Date previousLoginDate,
                                            List<org.dspace.eperson.Group> groups)
                                     throws com.nimbusds.jose.JOSEException,
                                            SQLException
        Create a JWT with the EPerson details in it.
        Parameters:
        context - current Context
        request - current Request
        previousLoginDate - date of last login (before this one)
        groups - List of user Groups
        Returns:
        string version of signed JWT
        Throws:
        com.nimbusds.jose.JOSEException
        SQLException
      • invalidateToken

        public void invalidateToken(String token,
                                    javax.servlet.http.HttpServletRequest request,
                                    org.dspace.core.Context context)
                             throws Exception
        Invalidate the current JSON Web Token (JWT) in the current request.
        Parameters:
        token - current token
        request - current request
        context - current Context
        Throws:
        Exception
      • getJwtKey

        public String getJwtKey()
        Retrieve the token secret key from configuration. If none is specified, generate and cache a random 32-byte key.
        Returns:
        configuration value or random 32-byte key
      • getExpirationPeriod

        public long getExpirationPeriod()
      • isEncryptionEnabled

        public boolean isEncryptionEnabled()
      • getCompressionEnabled

        public boolean getCompressionEnabled()
      • getEncryptionKey

        public byte[] getEncryptionKey()
        Retrieve the encryption secret key from configuration. If none is specified, generate and cache a random 32-byte key.
        Returns:
        configuration value or random 32-byte key
      • isValidToken

        protected boolean isValidToken(javax.servlet.http.HttpServletRequest request,
                                       com.nimbusds.jwt.SignedJWT signedJWT,
                                       com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet,
                                       org.dspace.eperson.EPerson ePerson)
                                throws com.nimbusds.jose.JOSEException
        Determine whether the current JWT is valid for the given EPerson object. To be valid, the current JWT *must* have been signed with the key built for this EPerson (see buildSigningKey) and must not be expired. If the EPerson is null or does not have a known active session, false is returned immediately.
        Parameters:
        request - current request
        signedJWT - current signed JWT
        jwtClaimsSet - claims set of current JWT
        ePerson - EPerson parsed from current signed JWT
        Returns:
        true if valid, false otherwise
        Throws:
        com.nimbusds.jose.JOSEException
      • buildSigningKey

        protected String buildSigningKey(org.dspace.eperson.EPerson ePerson)
        Returns the key used for signing the token. This key is at least 256 bits (32 bytes) long: the server key has a minimum length of 1 byte and the EPerson session salt is always 32 bytes, so the key always meets the minimum length required for HMAC using SHA-256. More information: https://tools.ietf.org/html/rfc7518#section-3.2
        Parameters:
        ePerson - currently authenticated EPerson
        Returns:
        signing key for token
      • updateSessionSalt

        protected org.dspace.eperson.EPerson updateSessionSalt(org.dspace.core.Context context,
                                                               Date previousLoginDate)
                                                        throws SQLException
        Update the session salt for the currently logged-in user. The session salt is a random key that is saved to the EPerson object (and database table) and used to validate the JWT on later requests.
        Parameters:
        context - current DSpace Context
        previousLoginDate - date of last login (prior to this one)
        Returns:
        EPerson object of current user, with an updated session salt
        Throws:
        SQLException
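As an added illustration (not DSpace's or Nimbus's code), the following Python models the scheme described under buildSigningKey, isValidToken, invalidateToken and updateSessionSalt: the HS256 key is the server secret concatenated with the EPerson's 32-byte session salt, so rotating or clearing the salt on the server side invalidates every token previously issued to that user even though the JWT itself is stateless. The function names, the eperson dict and the claim names are assumptions made for this example.

```python
"""Constructed model of the JWTTokenHandler signing-key / session-salt scheme."""
import base64, hashlib, hmac, json, os
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_signing_key(server_key: str, session_salt: bytes) -> bytes:
    # Server key (>= 1 byte) + 32-byte per-user salt: the HMAC key is therefore
    # always >= 256 bits, the minimum RFC 7518 section 3.2 requires for HS256.
    if len(server_key) < 1 or len(session_salt) != 32:
        raise ValueError("server key must be non-empty and salt exactly 32 bytes")
    return server_key.encode() + session_salt

def create_token(eperson: dict, server_key: str, expiration_period: int, now: int) -> str:
    # Assumed claim layout: 'eid' identifies the EPerson, 'exp' is absolute expiry.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"eid": eperson["id"], "exp": now + expiration_period}).encode())
    key = build_signing_key(server_key, eperson["session_salt"])
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def is_valid_token(token: str, eperson: Optional[dict], server_key: str, now: int) -> bool:
    # Mirrors isValidToken: no EPerson or no active session -> reject immediately.
    if eperson is None or eperson.get("session_salt") is None:
        return False
    try:
        header, claims, sig = token.split(".")
        key = build_signing_key(server_key, eperson["session_salt"])
        expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False  # signed with a different server key or a different salt
        return int(json.loads(_b64url_decode(claims))["exp"]) > now
    except (ValueError, KeyError, TypeError):
        return False  # malformed token

def update_session_salt(eperson: dict) -> dict:
    # Mirrors updateSessionSalt: a fresh random salt, stored with the EPerson.
    eperson["session_salt"] = os.urandom(32)
    return eperson

def invalidate_token(eperson: dict) -> dict:
    # Mirrors invalidateToken: clearing the salt ends the session for every token.
    eperson["session_salt"] = None
    return eperson
```

Because the salt is part of the HMAC key rather than a claim, an attacker holding a stolen token cannot keep using it once the user logs out or logs in again.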