public class JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler

JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler to add WebSSO behavior for UIs. The expected SSO token is a JsonWebToken (JWT). The supported algorithm is RS256, which uses PKI between the token issuer and consumer. The flow requires a redirect to a configured authentication server URL and a subsequent request carrying the expected JWT token. This token is cryptographically verified and validated. The user identity is then extracted from the token and used to create an AuthenticationToken, as expected by the AuthenticationFilter.
The supported configuration properties are:

Modifier and Type | Field and Description |
---|---|
static String | AUTHENTICATION_PROVIDER_URL |
static String | EXPECTED_JWT_AUDIENCES |
static String | JWT_COOKIE_NAME |
static String | PUBLIC_KEY_PEM |

Fields inherited from class AltKerberosAuthenticationHandler: NON_BROWSER_USER_AGENTS, TYPE
Fields inherited from class KerberosAuthenticationHandler: KEYTAB, NAME_RULES, PRINCIPAL
Fields inherited from interface AuthenticationHandler: WWW_AUTHENTICATE

Constructor and Description |
---|
JWTRedirectAuthenticationHandler() |
Modifier and Type | Method and Description |
---|---|
AuthenticationToken | alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Subclasses should implement this method to provide the custom authentication to be used for browsers. |
protected String | constructLoginURL(javax.servlet.http.HttpServletRequest request) Create the URL to be used for authentication of the user in the absence of a JWT token within the incoming request. |
protected String | getJWTFromCookie(javax.servlet.http.HttpServletRequest req) Encapsulate the acquisition of the JWT token from HTTP cookies within the request. |
void | init(Properties config) Initializes the authentication handler instance. |
void | setPublicKey(RSAPublicKey pk) Primarily for testing, this provides a way to set the publicKey for signature verification without needing to get a PEM encoded value. |
protected boolean | validateAudiences(com.nimbusds.jwt.SignedJWT jwtToken) Validate whether any of the accepted audience claims is present in the issued token claims list for audience. |
protected boolean | validateExpiration(com.nimbusds.jwt.SignedJWT jwtToken) Validate that the expiration time of the JWT token has not been violated. |
protected boolean | validateSignature(com.nimbusds.jwt.SignedJWT jwtToken) Verify the signature of the JWT token in this method. |
protected boolean | validateToken(com.nimbusds.jwt.SignedJWT jwtToken) This method provides a single method for validating the JWT for use in request processing. |

Methods inherited from class AltKerberosAuthenticationHandler: authenticate, getType, isBrowser
Methods inherited from class KerberosAuthenticationHandler: destroy, getKeytab, getPrincipals, managementOperation
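The validation sequence the class description and the validate* methods outline (signature, then audiences, then expiration), as an added example written against the Nimbus JOSE+JWT API that the method signatures reference; it is illustrative code, not the Hadoop implementation. It assumes an RSAPublicKey is already loaded (the same type setPublicKey accepts); the class name, the helper name, the RS256 header pin and the mandatory "exp" claim are this example's own choices.

```java
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.List;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/** Added illustration of the checks behind validateToken; not the Hadoop class. */
public class JwtCookieValidationExample {

  /**
   * Signature, audience and expiration checks, in that order. Returns the subject
   * claim on success and null on any failure so the caller can fall back to the
   * login redirect. Hypothetical helper, named for this example only.
   */
  static String validateAndExtractUser(String rawJwt, RSAPublicKey publicKey,
      List<String> expectedAudiences) throws Exception {
    SignedJWT jwt = SignedJWT.parse(rawJwt);
    // Pin the algorithm before verifying: the token's own header must not be able
    // to switch verification to "none" or to an HMAC keyed with the public key.
    if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) return null;
    // RS256 signature check with the issuer's public key (PKI between issuer and consumer).
    if (!jwt.verify(new RSASSAVerifier(publicKey))) return null;
    JWTClaimsSet claims = jwt.getJWTClaimsSet();
    // Audience: at least one "aud" value must be in the configured list. An empty
    // configured list skips the check (this example's assumption, not a rule).
    List<String> aud = claims.getAudience();
    if (!expectedAudiences.isEmpty()
        && (aud == null || aud.stream().noneMatch(expectedAudiences::contains))) {
      return null;
    }
    // Expiration: reject tokens whose "exp" has passed, and also tokens with no
    // "exp" at all (stricter than only checking a present value).
    Date exp = claims.getExpirationTime();
    if (exp == null || !exp.after(new Date())) return null;
    // The identity the handler would wrap in an AuthenticationToken.
    return claims.getSubject();
  }
}
```

A null return is the signal to build the login URL from AUTHENTICATION_PROVIDER_URL and redirect, rather than to proceed with an unauthenticated identity.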
public static final String AUTHENTICATION_PROVIDER_URL
public static final String PUBLIC_KEY_PEM
public static final String EXPECTED_JWT_AUDIENCES
public static final String JWT_COOKIE_NAME
public void setPublicKey(RSAPublicKey pk)
Parameters:
pk - publicKey for the token signature verification

public void init(Properties config) throws javax.servlet.ServletException
This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.
Specified by:
init in interface AuthenticationHandler
Overrides:
init in class AltKerberosAuthenticationHandler
Parameters:
config - configuration properties to initialize the handler.
Throws:
javax.servlet.ServletException - thrown if the handler could not be initialized.

public AuthenticationToken alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException
Description copied from class: AltKerberosAuthenticationHandler
Specified by:
alternateAuthenticate in class AltKerberosAuthenticationHandler
Parameters:
request - the HTTP client request.
response - the HTTP client response.
Throws:
IOException - thrown if an IO error occurs
AuthenticationException - thrown if an authentication error occurs

protected String getJWTFromCookie(javax.servlet.http.HttpServletRequest req)
Parameters:
req - servlet request to get the JWT token from

protected String constructLoginURL(javax.servlet.http.HttpServletRequest request)
Parameters:
request - for getting the original request URL

protected boolean validateToken(com.nimbusds.jwt.SignedJWT jwtToken)
Parameters:
jwtToken - the token to validate

protected boolean validateSignature(com.nimbusds.jwt.SignedJWT jwtToken)
Parameters:
jwtToken - the token that contains the signature to be validated

protected boolean validateAudiences(com.nimbusds.jwt.SignedJWT jwtToken)
Parameters:
jwtToken - the JWT token where the allowed audiences will be found

protected boolean validateExpiration(com.nimbusds.jwt.SignedJWT jwtToken)
Parameters:
jwtToken - the token that contains the expiration date to validate

Copyright © 2017 Apache Software Foundation. All Rights Reserved.