public class JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler

JWTRedirectAuthenticationHandler extends AltKerberosAuthenticationHandler to add WebSSO behavior for UIs. The expected SSO token is a JSON Web Token (JWT). The supported algorithm is RS256, which uses PKI between the token issuer and consumer. The flow requires a redirect to a configured authentication server URL and a subsequent request carrying the expected JWT. This token is cryptographically verified and validated. The user identity is then extracted from the token and used to create an AuthenticationToken, as expected by the AuthenticationFilter.

The supported configuration properties are:
| Modifier and Type | Field and Description |
|---|---|
| static String | AUTHENTICATION_PROVIDER_URL |
| static String | EXPECTED_JWT_AUDIENCES |
| static String | JWT_COOKIE_NAME |
| static String | PUBLIC_KEY_PEM |

Fields inherited from AltKerberosAuthenticationHandler, KerberosAuthenticationHandler and AuthenticationHandler: NON_BROWSER_USER_AGENTS, TYPE, KEYTAB, NAME_RULES, PRINCIPAL, RULE_MECHANISM, WWW_AUTHENTICATE

| Constructor and Description |
|---|
| JWTRedirectAuthenticationHandler() |
| Modifier and Type | Method and Description |
|---|---|
| AuthenticationToken | alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Subclasses should implement this method to provide the custom authentication to be used for browsers. |
| protected String | getJWTFromCookie(javax.servlet.http.HttpServletRequest req): Encapsulate the acquisition of the JWT token from HTTP cookies within the request. |
| void | init(Properties config): Initializes the authentication handler instance. |
| void | setPublicKey(RSAPublicKey pk): Primarily for testing, this provides a way to set the publicKey for signature verification without needing to get a PEM encoded value. |
| protected boolean | validateAudiences(com.nimbusds.jwt.SignedJWT jwtToken): Validate whether any of the accepted audience claims is present in the issued token claims list for audience. |
| protected boolean | validateExpiration(com.nimbusds.jwt.SignedJWT jwtToken): Validate that the expiration time of the JWT token has not been violated. |
| protected boolean | validateSignature(com.nimbusds.jwt.SignedJWT jwtToken): Verify the signature of the JWT token in this method. |
| protected boolean | validateToken(com.nimbusds.jwt.SignedJWT jwtToken): This method provides a single method for validating the JWT for use in request processing. |
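The three validation steps listed above (signature, audiences, expiration) combine into the single validateToken check. The following stand-alone class is an added example, not the handler's own code: it reimplements those checks with the nimbus-jose-jwt API the handler's signatures already reference, mints tokens with a throwaway key pair (standing in for the issuer's PKI key that PUBLIC_KEY_PEM would otherwise supply), and runs a valid, an expired, and a wrong-audience token through them. The class and method names, the "hadoop-ui" audience and the RSAKeyGenerator helper (present in nimbus-jose-jwt 6.x and later) are assumptions of this example.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

/** Hypothetical validator mirroring the handler's validateToken / validateSignature / validateAudiences / validateExpiration split. */
public class JwtValidationExample {

    private final RSAPublicKey publicKey;          // what PUBLIC_KEY_PEM decodes to
    private final List<String> expectedAudiences;  // what EXPECTED_JWT_AUDIENCES configures

    JwtValidationExample(RSAPublicKey publicKey, List<String> expectedAudiences) {
        this.publicKey = publicKey;
        this.expectedAudiences = expectedAudiences;
    }

    /** Single entry point: every check must pass, and the signature is checked first so unsigned claims are never trusted. */
    boolean validateToken(SignedJWT jwt) throws ParseException {
        return validateSignature(jwt) && validateAudiences(jwt) && validateExpiration(jwt);
    }

    /** Only RS256 is supported, so the "alg" header is pinned before the RSA verifier is even consulted. */
    boolean validateSignature(SignedJWT jwt) {
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            return false;
        }
        try {
            JWSVerifier verifier = new RSASSAVerifier(publicKey);
            return jwt.verify(verifier);
        } catch (JOSEException e) {
            return false;
        }
    }

    /** At least one "aud" value must appear in the configured list (design choice here: an empty configured list means no restriction). */
    boolean validateAudiences(SignedJWT jwt) throws ParseException {
        if (expectedAudiences == null || expectedAudiences.isEmpty()) {
            return true;
        }
        List<String> tokenAudiences = jwt.getJWTClaimsSet().getAudience();
        if (tokenAudiences == null) {
            return false;
        }
        for (String aud : tokenAudiences) {
            if (expectedAudiences.contains(aud)) {
                return true;
            }
        }
        return false;
    }

    /** "exp" must be present and still in the future; a token with no expiration is treated as expired. */
    boolean validateExpiration(SignedJWT jwt) throws ParseException {
        Date exp = jwt.getJWTClaimsSet().getExpirationTime();
        return exp != null && exp.after(new Date());
    }

    /** Constructed demo: one throwaway issuer key, three tokens, each round-tripped through the compact serialization. */
    public static void main(String[] args) throws Exception {
        RSAKey issuerKey = new RSAKeyGenerator(2048).generate();
        RSASSASigner signer = new RSASSASigner(issuerKey);
        JwtValidationExample validator =
                new JwtValidationExample(issuerKey.toRSAPublicKey(), Arrays.asList("hadoop-ui"));

        long now = System.currentTimeMillis();
        SignedJWT good = mint(signer, "alice", "hadoop-ui", new Date(now + 60_000));
        SignedJWT stale = mint(signer, "alice", "hadoop-ui", new Date(now - 60_000));
        SignedJWT wrongAud = mint(signer, "alice", "other-app", new Date(now + 60_000));

        // Parsing the serialized form is what the handler does with the cookie value it extracts.
        System.out.println("valid token:    " + validator.validateToken(SignedJWT.parse(good.serialize())));
        System.out.println("expired token:  " + validator.validateToken(SignedJWT.parse(stale.serialize())));
        System.out.println("wrong audience: " + validator.validateToken(SignedJWT.parse(wrongAud.serialize())));
    }

    private static SignedJWT mint(RSASSASigner signer, String subject, String audience, Date exp) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(subject).audience(audience).expirationTime(exp).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(signer);
        return jwt;
    }
}
```

Run with nimbus-jose-jwt on the classpath; the first token passes all three checks and the other two fail the expiration and audience checks respectively. The redirect to AUTHENTICATION_PROVIDER_URL and the cookie lookup via JWT_COOKIE_NAME are not modelled here; only what happens to the token once it has been received.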
Methods inherited from AltKerberosAuthenticationHandler: authenticate, getType, isBrowser

Methods inherited from KerberosAuthenticationHandler: destroy, getKeytab, getPrincipals, managementOperation

public static final String AUTHENTICATION_PROVIDER_URL

public static final String PUBLIC_KEY_PEM

public static final String EXPECTED_JWT_AUDIENCES

public static final String JWT_COOKIE_NAME

public void setPublicKey(RSAPublicKey pk)

Parameters: pk - publicKey for the token signature verification

public void init(Properties config) throws javax.servlet.ServletException

This method is invoked by the AuthenticationFilter.init(javax.servlet.FilterConfig) method.

Specified by: init in interface AuthenticationHandler
Overrides: init in class AltKerberosAuthenticationHandler
Parameters: config - configuration properties to initialize the handler.
Throws: javax.servlet.ServletException - thrown if the handler could not be initialized.

public AuthenticationToken alternateAuthenticate(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, AuthenticationException

Description copied from class: AltKerberosAuthenticationHandler
Specified by: alternateAuthenticate in class AltKerberosAuthenticationHandler
Parameters: request - the HTTP client request. response - the HTTP client response.
Throws: IOException - thrown if an IO error occurs; AuthenticationException - thrown if an authentication error occurs

protected String getJWTFromCookie(javax.servlet.http.HttpServletRequest req)

Parameters: req - servlet request to get the JWT token from

protected boolean validateToken(com.nimbusds.jwt.SignedJWT jwtToken)

Parameters: jwtToken - the token to validate

protected boolean validateSignature(com.nimbusds.jwt.SignedJWT jwtToken)

Parameters: jwtToken - the token that contains the signature to be validated

protected boolean validateAudiences(com.nimbusds.jwt.SignedJWT jwtToken)

Parameters: jwtToken - the JWT token where the allowed audiences will be found

protected boolean validateExpiration(com.nimbusds.jwt.SignedJWT jwtToken)

Parameters: jwtToken - the token that contains the expiration date to validate

Copyright © 2008–2023 Apache Software Foundation. All rights reserved.