Class JWTTokenHandler

java.lang.Object
org.dspace.app.rest.security.jwt.JWTTokenHandler
Direct Known Subclasses:
LoginJWTTokenHandler, ShortLivedJWTTokenHandler

public abstract class JWTTokenHandler extends Object
Class responsible for creating and parsing JSON Web Tokens (JWTs); supports both signed (JWS) and encrypted (JWE) tokens, see https://jwt.io/ . This abstract class needs to be extended by a class providing the configuration keys for the particular type of token (LoginJWTTokenHandler and ShortLivedJWTTokenHandler are the two such subclasses listed above).
Author:
Frederic Van Reet (frederic dot vanreet at atmire dot com), Tom Desair (tom dot desair at atmire dot com)
  • Constructor Details

    • JWTTokenHandler

      public JWTTokenHandler()
  • Method Details

    • getTokenSecretConfigurationKey

      protected abstract String getTokenSecretConfigurationKey()
      Get the configuration property key for the token secret.
      Returns:
      the configuration property key
    • getEncryptionSecretConfigurationKey

      protected abstract String getEncryptionSecretConfigurationKey()
      Get the configuration property key for the encryption secret.
      Returns:
      the configuration property key
    • getTokenExpirationConfigurationKey

      protected abstract String getTokenExpirationConfigurationKey()
      Get the configuration property key for the expiration time.
      Returns:
      the configuration property key
    • getEncryptionEnabledConfigurationKey

      protected abstract String getEncryptionEnabledConfigurationKey()
      Get the configuration property key for the encryption enable setting.
      Returns:
      the configuration property key
    • getCompressionEnabledConfigurationKey

      protected abstract String getCompressionEnabledConfigurationKey()
      Get the configuration property key for the compression enable setting.
      Returns:
      the configuration property key
    • parseEPersonFromToken

      public EPerson parseEPersonFromToken(String token, jakarta.servlet.http.HttpServletRequest request, Context context) throws com.nimbusds.jose.JOSEException, ParseException, SQLException
      Retrieve EPerson from a JSON Web Token (JWT)
      Parameters:
      token - token as a string
      request - current request
      context - current Context
      Returns:
      DSpace EPerson object parsed from the token
      Throws:
      com.nimbusds.jose.JOSEException
      ParseException
      SQLException
    • createTokenForEPerson

      public String createTokenForEPerson(Context context, jakarta.servlet.http.HttpServletRequest request, Instant previousLoginDate) throws com.nimbusds.jose.JOSEException, SQLException
Create a JWT carrying the current EPerson's details, signed with the key built by buildSigningKey (server secret plus the EPerson's session salt) and additionally encrypted when isEncryptionEnabled() is true
      Parameters:
      context - current Context
      request - current Request
      previousLoginDate - date of last login (before this one)
      Returns:
serialized JWT: signed (JWS), and additionally encrypted (JWE) when encryption is enabled
      Throws:
      com.nimbusds.jose.JOSEException - passed through.
      SQLException - passed through.
    • invalidateToken

      public void invalidateToken(String token, jakarta.servlet.http.HttpServletRequest request, Context context) throws Exception
Invalidate the JSON Web Token (JWT) carried by the current request
      Parameters:
      token - current token
      request - current request
      context - current Context
      Throws:
      Exception
    • getJwtKey

      public String getJwtKey()
Retrieve the token secret key from configuration. If not specified, generate and cache a random 32 byte key. A generated key is specific to the instance that generated it, so set the property explicitly wherever several instances must accept the same tokens (the same applies to getEncryptionKey)
Returns:
configuration value or random 32 byte key
    • getExpirationPeriod

public long getExpirationPeriod()
Retrieve the token expiration period from the property named by getTokenExpirationConfigurationKey().
Returns:
configured expiration period
    • isEncryptionEnabled

public boolean isEncryptionEnabled()
Whether tokens are additionally encrypted (JWE), read from the property named by getEncryptionEnabledConfigurationKey().
Returns:
true if encryption is enabled, false otherwise
    • getCompressionEnabled

public boolean getCompressionEnabled()
Whether token payloads are compressed, read from the property named by getCompressionEnabledConfigurationKey().
Returns:
true if compression is enabled, false otherwise
    • getEncryptionKey

      public byte[] getEncryptionKey()
      Retrieve the encryption secret key from configuration. If not specified, generate and cache a random 32 byte key
      Returns:
      configuration value or random 32 byte key
    • isValidToken

      protected boolean isValidToken(jakarta.servlet.http.HttpServletRequest request, com.nimbusds.jwt.SignedJWT signedJWT, com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, EPerson ePerson) throws com.nimbusds.jose.JOSEException
Determine if the current JWT is valid for the given EPerson object. To be valid, the JWT *must* verify under the key built by buildSigningKey (the server secret plus this EPerson's current session salt) and must not be expired. If the EPerson is null or does not have a known active session (no current session salt), false is returned immediately, before any signature check.
      Parameters:
      request - current request
      signedJWT - current signed JWT
      jwtClaimsSet - claims set of current JWT
      ePerson - EPerson parsed from current signed JWT
      Returns:
      true if valid, false otherwise
      Throws:
      com.nimbusds.jose.JOSEException
    • buildSigningKey

      protected String buildSigningKey(EPerson ePerson)
This returns the key used for signing the token: the server token secret (getJwtKey) followed by the EPerson's session salt. Because the server key is at least 1 byte and the session salt is always 32 bytes, the result is at least 33 bytes, which satisfies the 256-bit (32-byte) minimum key length for HMAC using SHA-256 (HS256). More information: https://tools.ietf.org/html/rfc7518#section-3.2
      Parameters:
      ePerson - currently authenticated EPerson
      Returns:
      signing key for token
    • updateSessionSalt

      protected EPerson updateSessionSalt(Context context, Instant previousLoginDate) throws SQLException
      Update session salt information for the currently logged in user. The session salt is a random key that is saved to EPerson object (and database table) and used to validate a JWT on later requests.
      Parameters:
      context - current DSpace Context
      previousLoginDate - date of last login (prior to this one)
      Returns:
      EPerson object of current user, with an updated session salt
      Throws:
      SQLException
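The signing-key construction and salt-based invalidation described under buildSigningKey, updateSessionSalt, isValidToken and invalidateToken, as an added Python stand-in that is not DSpace code and does not use the Nimbus library: it mints and verifies a compact HS256 JWS whose HMAC key is a server secret concatenated with a per-user 32-byte session salt, then shows that a token signed with the server secret alone, an expired token, a token minted before the salt was rotated, and a token whose user has logged out all fail to verify. The EPerson class, the in-memory directory, the claim names, the SERVER_SECRET value and the choice to model "no known active session" as a cleared salt are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed server-wide secret; DSpace reads its own from configuration (getJwtKey).
SERVER_SECRET = b"example-server-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class EPerson:  # assumed minimal stand-in for DSpace's EPerson
    def __init__(self, eid: int):
        self.id = eid
        self.session_salt = None  # None models "no known active session"


def update_session_salt(eperson: EPerson) -> EPerson:
    """Store a fresh random 32-byte session salt on the user (DSpace keeps it in the DB)."""
    eperson.session_salt = os.urandom(32)
    return eperson


def build_signing_key(server_key: bytes, eperson: EPerson) -> bytes:
    """Server secret || session salt: at least 33 bytes, so always over the 256-bit HS256 minimum."""
    if not server_key or eperson.session_salt is None:
        raise ValueError("server key and session salt are both required")
    key = server_key + eperson.session_salt
    assert len(key) >= 32  # RFC 7518 section 3.2
    return key


def create_token(server_key: bytes, eperson: EPerson, lifetime_s: int, now=None) -> str:
    """Mint a compact HS256 JWS carrying the user's id and an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"eid": eperson.id, "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(build_signing_key(server_key, eperson), signing_input.encode(), hashlib.sha256)
    return signing_input + "." + _b64url(sig.digest())


def parse_eperson_from_token(server_key: bytes, token: str, directory: dict, now=None):
    """Return the EPerson the token was issued to, or None if anything fails to verify."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64/UTF-8, or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict) and header.get("alg") == "HS256"):
        return None  # pin the algorithm; never trust the token's own choice
    eperson = directory.get(claims.get("eid"))
    if eperson is None or eperson.session_salt is None:
        return None  # unknown user or no active session: reject before any crypto
    expected = hmac.new(build_signing_key(server_key, eperson),
                        (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return eperson


def invalidate_token(server_key: bytes, token: str, directory: dict, now=None) -> None:
    """Log the token's user out: clear the salt that every token of theirs depends on."""
    eperson = parse_eperson_from_token(server_key, token, directory, now)
    if eperson is not None:
        eperson.session_salt = None


def demo(now: int = 1_700_000_000) -> dict:
    """Walk the happy path and each rejection path; returns named outcomes."""
    alice = update_session_salt(EPerson(42))
    directory = {42: alice}
    token = create_token(SERVER_SECRET, alice, 1800, now)
    out = {"valid": parse_eperson_from_token(SERVER_SECRET, token, directory, now) is alice,
           "expired": parse_eperson_from_token(SERVER_SECRET, token, directory, now + 1800) is None}
    # Holding only the server secret is not enough to forge: the per-user salt is missing.
    forged_input = token.rsplit(".", 1)[0]
    forged_sig = hmac.new(SERVER_SECRET, forged_input.encode(), hashlib.sha256).digest()
    out["forged_without_salt"] = parse_eperson_from_token(
        SERVER_SECRET, forged_input + "." + _b64url(forged_sig), directory, now) is None
    update_session_salt(alice)  # a new salt retires every token minted under the old one
    out["after_rotation"] = parse_eperson_from_token(SERVER_SECRET, token, directory, now) is None
    token2 = create_token(SERVER_SECRET, alice, 1800, now)
    out["new_token_valid"] = parse_eperson_from_token(SERVER_SECRET, token2, directory, now) is alice
    invalidate_token(SERVER_SECRET, token2, directory, now)
    out["after_logout"] = parse_eperson_from_token(SERVER_SECRET, token2, directory, now) is None
    return out
```

Running demo() yields True for every outcome. The point worth noticing is the order of checks in parse_eperson_from_token: the user lookup and the "has a session salt" test come before the HMAC, mirroring the page's statement that isValidToken returns false immediately for a null EPerson or one without an active session, and the per-user salt means neither a leaked server secret alone nor a token from a previous session is sufficient to authenticate.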