Class SHA256BasedAccessTokenValidator

  • All Implemented Interfaces:
    MasterAccessTokenValidator

    @ThreadSafe
    public class SHA256BasedAccessTokenValidator
    extends Object
    SHA-256 based access token validator. The expected access tokens are configured as their SHA-256 hashes, to prevent accidental leaks into logs, etc. Supports servlet-based and JAX-RS based web applications.
    • Field Detail

      • expectedTokenHashes

        protected final List<byte[]> expectedTokenHashes
        The expected access token hashes, empty list if access to the web API is disabled.
      • hashSalt

        protected byte[] hashSalt
        Optional salt for computing the SHA-256 hashes.
      • log

        protected org.apache.logging.log4j.Logger log
        Optional logger.
    • Constructor Detail

      • SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String tokenHash)
        Creates a new access token validator.
        Parameters:
        tokenHash - The Bearer access token SHA-256 hash (in hex). If null, access to the web API will be disabled.
      • SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String... tokenHashes)
        Creates a new access token validator.
        Parameters:
        tokenHashes - The Bearer access token SHA-256 hashes (in hex). If null, access to the web API will be disabled.
      • SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String tokenHash,
                                               List<String> additionalTokenHashes)
        Creates a new access token validator.
        Parameters:
        tokenHash - The main Bearer access token SHA-256 hash (in hex). If null, access to the web API will be disabled.
        additionalTokenHashes - Additional Bearer access token SHA-256 hashes (in hex), empty or null if none.
    • Method Detail

      • from

public static SHA256BasedAccessTokenValidator from(com.thetransactioncompany.util.PropertyRetriever pr,
                                                           String propertyName,
                                                           boolean propertyRequired,
                                                           String additionalPropertyNamePrefix)
                                                    throws com.thetransactioncompany.util.PropertyParseException
        Creates a new access token validator from the specified properties retriever.
        Parameters:
        pr - The properties retriever. Must not be null.
propertyName - The property name for the main Bearer access token SHA-256 hash (in hex). If the property value is null, access to the web API will be disabled. The name itself must not be null.
        propertyRequired - true if the property is required, false if optional.
        additionalPropertyNamePrefix - The property name prefix for the additional Bearer access token SHA-256 hashes (in hex), null if not used.
        Returns:
        The access token validator.
        Throws:
        com.thetransactioncompany.util.PropertyParseException - If parsing failed.
      • validateBearerAccessToken

public void validateBearerAccessToken(String authzHeader)
                                       throws javax.ws.rs.WebApplicationException
        Description copied from interface: MasterAccessTokenValidator
        Validates a bearer access token passed in the specified HTTP Authorization header value.
        Parameters:
        authzHeader - The HTTP Authorization header value, null if not specified.
        Throws:
        javax.ws.rs.WebApplicationException - If the header value is null, the web API is disabled, or the Bearer access token is missing or invalid.
      • validateBearerAccessToken

public boolean validateBearerAccessToken(javax.servlet.http.HttpServletRequest servletRequest,
                                                 javax.servlet.http.HttpServletResponse servletResponse)
                                          throws IOException
        Description copied from interface: MasterAccessTokenValidator
        Validates a bearer access token passed in the specified HTTP servlet request.
        Parameters:
        servletRequest - The HTTP servlet request. Must not be null.
        servletResponse - The HTTP servlet response. Must not be null.
        Returns:
true if the bearer access token was successfully validated, else false.
        Throws:
        IOException - If the response couldn't be written.
      • isValid

public boolean isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)
        Description copied from interface: MasterAccessTokenValidator
        Returns true if the specified bearer access token is valid.
        Specified by:
        isValid in interface MasterAccessTokenValidator
        Parameters:
        accessToken - The bearer access token to check, null if not specified.
        Returns:
        true if the specified bearer access token is valid, else false.
      • getNumberConfiguredTokens

        public int getNumberConfiguredTokens()
        Returns the number of configured tokens.
        Returns:
        The number of configured tokens, zero if none.
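An added usage example (not code from this page or the library) showing the configuration flow the class description implies: hash the token once, hand only the hex hash to the validator, and let the validator compare presented tokens. It assumes the validator hashes the UTF-8 bytes of the token without a salt when none is configured, and the import path for the validator class is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
// Assumed package for the validator; adjust to the library version in use.
import com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator;

public class AccessTokenHashConfigExample {

    // Hex-encoded, unsalted SHA-256 of the UTF-8 token bytes. Only this value
    // goes into the deployment configuration; the plaintext token never does,
    // so a leaked config file or log line does not leak a usable credential.
    static String sha256Hex(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample token; in practice generate it with a CSPRNG
        // and distribute only the hash to the web API configuration.
        String token = "ztucZS1ZyFKgh0tUEbtJbwV4UG0B7hKFJjTfI5IRUP4";
        String configuredHash = sha256Hex(token);

        // Validator configured with the hash only, as the web API would be.
        SHA256BasedAccessTokenValidator validator =
                new SHA256BasedAccessTokenValidator(configuredHash);
        System.out.println("configured tokens: " + validator.getNumberConfiguredTokens());

        // A presented token is hashed and compared with the configured hash.
        System.out.println("correct token:  " + validator.isValid(new BearerAccessToken(token)));
        System.out.println("wrong token:    " + validator.isValid(new BearerAccessToken(token + "x")));
        System.out.println("missing token:  " + validator.isValid(null));

        // Null hash: the web API is disabled and every token is rejected.
        SHA256BasedAccessTokenValidator disabled =
                new SHA256BasedAccessTokenValidator((String) null);
        System.out.println("disabled, configured tokens: " + disabled.getNumberConfiguredTokens());
        System.out.println("disabled, correct token:     " + disabled.isValid(new BearerAccessToken(token)));
    }
}
```

The same sha256Hex output is what an operator would place in the property read by the from(...) factory method.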