Package com.nimbusds.common.oauth2
Class SHA256BasedAccessTokenValidator
java.lang.Object
    com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator

All Implemented Interfaces:
    MasterAccessTokenValidator

@ThreadSafe public class SHA256BasedAccessTokenValidator extends Object
SHA-256 based access token validator. The expected access tokens are configured as their SHA-256 hashes (in hex) rather than in the clear, so that an accidental leak of the configuration into logs, etc. does not disclose a usable token. Because an unsalted hash of a short or guessable token is trivially brute-forced, tokens must meet MIN_TOKEN_LENGTH, and an optional salt can be applied when computing the hashes. Supports servlet-based and JAX-RS based web applications.

Nested Class Summary

Nested classes/interfaces inherited from interface com.nimbusds.common.oauth2.MasterAccessTokenValidator:
    MasterAccessTokenValidator.ErrorResponse

Field Summary

protected List<byte[]> expectedTokenHashes
    The expected access token hashes, empty list if access to the web API is disabled.

protected byte[] hashSalt
    Optional salt for computing the SHA-256 hashes.

protected org.apache.logging.log4j.Logger log
    Optional logger.

static int MIN_TOKEN_LENGTH
    The minimum acceptable access token length.

Fields inherited from interface com.nimbusds.common.oauth2.MasterAccessTokenValidator:
    INVALID_BEARER_TOKEN, MISSING_BEARER_TOKEN, WEB_API_DISABLED

Constructor Summary

SHA256BasedAccessTokenValidator(String tokenHash)
    Creates a new access token validator.

SHA256BasedAccessTokenValidator(String... tokenHashes)
    Creates a new access token validator.

SHA256BasedAccessTokenValidator(String tokenHash, List<String> additionalTokenHashes)
    Creates a new access token validator.

Method Summary

boolean accessIsDisabled()
    Returns true if access is disabled (no access token configured).

static SHA256BasedAccessTokenValidator from(com.thetransactioncompany.util.PropertyRetriever pr, String propertyName, boolean propertyRequired, String additionalPropertyNamePrefix)
    Creates a new access token validator from the specified properties retriever.

org.apache.logging.log4j.Logger getLogger()
    Gets the optional logger.

int getNumberConfiguredTokens()
    Returns the number of configured tokens.

boolean isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)
    Returns true if the specified bearer access token is valid.

void setLogger(org.apache.logging.log4j.Logger log)
    Sets the optional logger.

void validateBearerAccessToken(String authzHeader)
    Validates a bearer access token passed in the specified HTTP Authorization header value.

boolean validateBearerAccessToken(javax.servlet.http.HttpServletRequest servletRequest, javax.servlet.http.HttpServletResponse servletResponse)
    Validates a bearer access token passed in the specified HTTP servlet request.

Field Detail

MIN_TOKEN_LENGTH

public static final int MIN_TOKEN_LENGTH

    The minimum acceptable access token length.

    See Also:
        Constant Field Values

expectedTokenHashes

protected final List<byte[]> expectedTokenHashes

    The expected access token hashes, empty list if access to the web API is disabled.

hashSalt

protected byte[] hashSalt

    Optional salt for computing the SHA-256 hashes.

log

protected org.apache.logging.log4j.Logger log

    Optional logger.

Constructor Detail

SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String tokenHash)

    Creates a new access token validator.

    Parameters:
        tokenHash - The Bearer access token SHA-256 hash (in hex). If null, access to the web API will be disabled.

SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String... tokenHashes)

    Creates a new access token validator.

    Parameters:
        tokenHashes - The Bearer access token SHA-256 hashes (in hex). If null, access to the web API will be disabled.

SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String tokenHash, List<String> additionalTokenHashes)

    Creates a new access token validator.

    Parameters:
        tokenHash - The main Bearer access token SHA-256 hash (in hex). If null, access to the web API will be disabled.
        additionalTokenHashes - Additional Bearer access token SHA-256 hashes (in hex), empty or null if none.

Method Detail

from

public static SHA256BasedAccessTokenValidator from(com.thetransactioncompany.util.PropertyRetriever pr, String propertyName, boolean propertyRequired, String additionalPropertyNamePrefix) throws com.thetransactioncompany.util.PropertyParseException

    Creates a new access token validator from the specified properties retriever.

    Parameters:
        pr - The properties retriever. Must not be null.
        propertyName - The name of the property holding the main Bearer access token SHA-256 hash (in hex). Must not be null. If the property is not set (and not required), access to the web API will be disabled.
        propertyRequired - true if the property is required, false if optional.
        additionalPropertyNamePrefix - The property name prefix for the additional Bearer access token SHA-256 hashes (in hex), null if not used.

    Returns:
        The access token validator.

    Throws:
        com.thetransactioncompany.util.PropertyParseException - If parsing failed.

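The following is an added example, not code from this page or from the Nimbus library, showing the configuration workflow the constructors and from() describe: generate a random master token, derive the hex SHA-256 that goes into the configuration, build the validator from that hash (directly, with a second hash for rotation, with no hash at all, and through a properties retriever) and check tokens with isValid(). It assumes that lower-case hex is accepted, the property name webapi.tokenHash (an arbitrary choice), and the PropertyRetriever(Properties) constructor of the com.thetransactioncompany.util property library. The hashes are unsalted, because this page exposes hashSalt only as a protected field with no public setter; the value of MIN_TOKEN_LENGTH is not given here, so the token is made long enough (43 characters) to satisfy any plausible minimum.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Properties;

import com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.thetransactioncompany.util.PropertyParseException;
import com.thetransactioncompany.util.PropertyRetriever;

public class MasterTokenSetup {

    // Fresh random master token: 32 CSPRNG bytes, base64url without padding
    // (43 characters). This comfortably exceeds any plausible MIN_TOKEN_LENGTH
    // (the constant's value is not stated on this page).
    static String generateToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Lower-case hex SHA-256 of the token's UTF-8 bytes: the value that goes
    // into the configuration. Unsalted, because the page exposes no public way
    // to set the validator's optional hashSalt (assumption: lower-case hex is accepted).
    static String sha256Hex(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    public static void main(String[] args) throws PropertyParseException {

        String token = generateToken();
        String tokenHash = sha256Hex(token);

        // Show the token once to the operator; persist and log only the hash.
        System.out.println("Master token (hand to operator, do not store): " + token);
        System.out.println("Configure webapi.tokenHash=" + tokenHash);

        // 1. Direct construction from the hex hash.
        SHA256BasedAccessTokenValidator validator =
            new SHA256BasedAccessTokenValidator(tokenHash);

        System.out.println("accessIsDisabled: " + validator.accessIsDisabled());
        System.out.println("configured tokens: " + validator.getNumberConfiguredTokens());
        System.out.println("real token valid: " + validator.isValid(new BearerAccessToken(token)));
        System.out.println("other token valid: " + validator.isValid(new BearerAccessToken(generateToken())));
        System.out.println("null token valid: " + validator.isValid(null));

        // 2. Rotation: during a changeover accept both the current and the next
        //    token by configuring both hashes.
        String nextToken = generateToken();
        SHA256BasedAccessTokenValidator rotating = new SHA256BasedAccessTokenValidator(
            tokenHash, Collections.singletonList(sha256Hex(nextToken)));
        System.out.println("rotating accepts old: " + rotating.isValid(new BearerAccessToken(token)));
        System.out.println("rotating accepts new: " + rotating.isValid(new BearerAccessToken(nextToken)));

        // 3. No hash configured: the web API is disabled and every token is rejected.
        //    The cast picks the (String) constructor over the (String...) one.
        SHA256BasedAccessTokenValidator disabled = new SHA256BasedAccessTokenValidator((String) null);
        System.out.println("disabled: " + disabled.accessIsDisabled()
            + ", real token valid: " + disabled.isValid(new BearerAccessToken(token)));

        // 4. The same configuration loaded through the properties retriever.
        //    "webapi.tokenHash" is an assumed property name; no prefix for
        //    additional hashes is used. PropertyRetriever(Properties) is assumed
        //    to be the library's constructor.
        Properties props = new Properties();
        props.setProperty("webapi.tokenHash", tokenHash);
        SHA256BasedAccessTokenValidator fromProps = SHA256BasedAccessTokenValidator.from(
            new PropertyRetriever(props), "webapi.tokenHash", true, null);
        System.out.println("from properties, configured tokens: " + fromProps.getNumberConfiguredTokens());
    }
}
```

The point of the split is operational: the plaintext token exists only at the moment it is generated and handed to the operator, while every artefact the service keeps (config file, environment, log output) carries the hash. Rotation is done by listing the new hash alongside the old one, then dropping the old hash once clients have switched.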
validateBearerAccessToken

public void validateBearerAccessToken(String authzHeader) throws javax.ws.rs.WebApplicationException

    Description copied from interface: MasterAccessTokenValidator

    Validates a bearer access token passed in the specified HTTP Authorization header value.

    Parameters:
        authzHeader - The HTTP Authorization header value, null if not specified.

    Throws:
        javax.ws.rs.WebApplicationException - If the header value is null, the web API is disabled, or the Bearer access token is missing or invalid.

validateBearerAccessToken

public boolean validateBearerAccessToken(javax.servlet.http.HttpServletRequest servletRequest, javax.servlet.http.HttpServletResponse servletResponse) throws IOException

    Description copied from interface: MasterAccessTokenValidator

    Validates a bearer access token passed in the specified HTTP servlet request.

    Parameters:
        servletRequest - The HTTP servlet request. Must not be null.
        servletResponse - The HTTP servlet response. Must not be null.

    Returns:
        true if the bearer access token was successfully validated, else false, in which case an error response has been written to the servlet response and the caller must not continue processing the request.

    Throws:
        IOException - If the response couldn't be written.

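An added example, not part of this page or the Nimbus library, of wiring the two validateBearerAccessToken overloads into the two kinds of web application the class supports: a javax.servlet Filter that only continues the chain when the servlet overload returns true (on false the validator has already written the error response), and a JAX-RS ContainerRequestFilter that passes the raw Authorization header to the String overload and relies on the thrown WebApplicationException to produce the HTTP error. The init parameter name masterAccessTokenHash and the programmatic registration of the JAX-RS filter are assumptions; the two classes are shown together here but would normally live in separate files.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.ext.Provider;

import com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator;

/**
 * Servlet filter guarding a master web API. When validation fails the
 * validator has already written the error response (missing or invalid
 * token, API disabled), so the filter stops the chain and writes nothing.
 */
public class MasterTokenFilter implements Filter {

    private volatile SHA256BasedAccessTokenValidator validator;

    @Override
    public void init(FilterConfig config) {
        // Assumed init-param name. The value is the hex SHA-256 of the token,
        // never the token itself; an absent param yields null and disables the API.
        String tokenHash = config.getInitParameter("masterAccessTokenHash");
        validator = new SHA256BasedAccessTokenValidator(tokenHash);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
        throws IOException, ServletException {

        if (!(req instanceof HttpServletRequest) || !(resp instanceof HttpServletResponse)) {
            throw new ServletException("HTTP request/response expected");
        }

        if (validator.validateBearerAccessToken((HttpServletRequest) req, (HttpServletResponse) resp)) {
            chain.doFilter(req, resp); // token accepted: hand over to the API
        }
        // else: the error response is already committed; the request ends here
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/**
 * JAX-RS equivalent. The String overload throws WebApplicationException
 * carrying the error response, which the JAX-RS runtime turns into the HTTP
 * reply, so no explicit abortWith() is needed.
 */
@Provider
class MasterTokenRequestFilter implements ContainerRequestFilter {

    private final SHA256BasedAccessTokenValidator validator;

    // Registered programmatically with the hex hash taken from configuration.
    MasterTokenRequestFilter(String tokenHash) {
        this.validator = new SHA256BasedAccessTokenValidator(tokenHash);
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        // getHeaderString() returns null when the header is absent; the
        // validator rejects that case with the same exception path.
        validator.validateBearerAccessToken(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
    }
}
```

In both variants the filter is mapped only to the master API paths, and nothing in the application ever handles the plaintext token beyond passing the header through to the validator.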
accessIsDisabled

public boolean accessIsDisabled()

    Description copied from interface: MasterAccessTokenValidator

    Returns true if access is disabled (no access token configured).

    Specified by:
        accessIsDisabled in interface MasterAccessTokenValidator

    Returns:
        true if access is disabled, else false.

isValid

public boolean isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)

    Description copied from interface: MasterAccessTokenValidator

    Returns true if the specified bearer access token is valid.

    Specified by:
        isValid in interface MasterAccessTokenValidator

    Parameters:
        accessToken - The bearer access token to check, null if not specified.

    Returns:
        true if the specified bearer access token is valid, else false.

getLogger

public org.apache.logging.log4j.Logger getLogger()

    Description copied from interface: MasterAccessTokenValidator

    Gets the optional logger.

    Specified by:
        getLogger in interface MasterAccessTokenValidator

    Returns:
        The logger, null if not specified.

setLogger

public void setLogger(org.apache.logging.log4j.Logger log)

    Description copied from interface: MasterAccessTokenValidator

    Sets the optional logger.

    Specified by:
        setLogger in interface MasterAccessTokenValidator

    Parameters:
        log - The logger, null if not specified.

getNumberConfiguredTokens

public int getNumberConfiguredTokens()

    Returns the number of configured tokens.

    Returns:
        The number of configured tokens, zero if none.