Class SHA256BasedAccessTokenValidator

java.lang.Object
com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator
All Implemented Interfaces:
MasterAccessTokenValidator

@ThreadSafe public class SHA256BasedAccessTokenValidator extends Object implements MasterAccessTokenValidator
SHA-256 based access token validator. The expected access tokens are configured as their SHA-256 hashes, to prevent accidental leaks into logs, etc. Supports servlet-based and JAX-RS based web applications.
  • Field Details

    • MIN_TOKEN_LENGTH

      public static final int MIN_TOKEN_LENGTH
      The minimum acceptable access token length.
    • expectedTokenHashes

      protected final List<byte[]> expectedTokenHashes
      The expected access token hashes, empty list if access to the web API is disabled.
    • hashSalt

      protected byte[] hashSalt
      Optional salt for computing the SHA-256 hashes.
    • log

      protected org.apache.logging.log4j.Logger log
      Optional logger.
  • Constructor Details

    • SHA256BasedAccessTokenValidator

      public SHA256BasedAccessTokenValidator(String tokenHash)
      Creates a new access token validator.
      Parameters:
      tokenHash - The Bearer access token SHA-256 hash (in hex). If null access to the web API will be disabled.
    • SHA256BasedAccessTokenValidator

      public SHA256BasedAccessTokenValidator(String... tokenHashes)
      Creates a new access token validator.
      Parameters:
      tokenHashes - The Bearer access token SHA-256 hashes (in hex). If null access to the web API will be disabled.
    • SHA256BasedAccessTokenValidator

      public SHA256BasedAccessTokenValidator(String tokenHash, List<String> additionalTokenHashes)
      Creates a new access token validator.
      Parameters:
      tokenHash - The main Bearer access token SHA-256 hash (in hex). If null access to the web API will be disabled.
      additionalTokenHashes - Additional Bearer access token SHA-256 hashes (in hex), empty or null if none.
  • Method Details

    • from

      public static SHA256BasedAccessTokenValidator from(com.thetransactioncompany.util.PropertyRetriever pr, String propertyName, boolean propertyRequired, String additionalPropertyNamePrefix) throws com.thetransactioncompany.util.PropertyParseException
      Creates a new access token validator from the specified properties retriever.
      Parameters:
      pr - The properties retriever. Must not be null.
      propertyName - The property name for the main Bearer access token SHA-256 hash (in hex). If the property value is null access to the web API will be disabled. The property name itself must not be null.
      propertyRequired - true if the property is required, false if optional.
      additionalPropertyNamePrefix - The property name prefix for the additional Bearer access token SHA-256 hashes (in hex), null if not used.
      Returns:
      The access token validator.
      Throws:
      com.thetransactioncompany.util.PropertyParseException - If parsing failed.
    • validateBearerAccessToken

      public void validateBearerAccessToken(String authzHeader) throws jakarta.ws.rs.WebApplicationException
      Description copied from interface: MasterAccessTokenValidator
      Validates a bearer access token passed in the specified HTTP Authorization header value.
      Parameters:
      authzHeader - The HTTP Authorization header value, null if not specified.
      Throws:
      jakarta.ws.rs.WebApplicationException - If the header value is null, the web API is disabled, or the Bearer access token is missing or invalid.
    • validateBearerAccessToken

      public boolean validateBearerAccessToken(jakarta.servlet.http.HttpServletRequest servletRequest, jakarta.servlet.http.HttpServletResponse servletResponse) throws IOException
      Description copied from interface: MasterAccessTokenValidator
      Validates a bearer access token passed in the specified HTTP servlet request.
      Parameters:
      servletRequest - The HTTP servlet request. Must not be null.
      servletResponse - The HTTP servlet response. Must not be null.
      Returns:
      true if the bearer access token was successfully validated, else false.
      Throws:
      IOException - If the response couldn't be written.
    • accessIsDisabled

      public boolean accessIsDisabled()
      Description copied from interface: MasterAccessTokenValidator
      Returns true if access is disabled (no access token configured).
      Specified by:
      accessIsDisabled in interface MasterAccessTokenValidator
      Returns:
      true if access is disabled, else false.
    • isValid

      public boolean isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)
      Description copied from interface: MasterAccessTokenValidator
      Returns true if the specified bearer access token is valid.
      Specified by:
      isValid in interface MasterAccessTokenValidator
      Parameters:
      accessToken - The bearer access token to check, null if not specified.
      Returns:
      true if the specified bearer access token is valid, else false.
    • getLogger

      public org.apache.logging.log4j.Logger getLogger()
      Description copied from interface: MasterAccessTokenValidator
      Gets the optional logger.
      Specified by:
      getLogger in interface MasterAccessTokenValidator
      Returns:
      The logger, null if not specified.
    • setLogger

      public void setLogger(org.apache.logging.log4j.Logger log)
      Description copied from interface: MasterAccessTokenValidator
      Sets the optional logger.
      Specified by:
      setLogger in interface MasterAccessTokenValidator
      Parameters:
      log - The logger, null if not specified.
    • getNumberConfiguredTokens

      public int getNumberConfiguredTokens()
      Returns the number of configured tokens.
      Returns:
      The number of configured tokens, zero if none.
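The following is an added reference model of the validation scheme this class documents: the configuration holds only hex SHA-256 hashes of the tokens, the validator hashes the presented Bearer token and compares it against every configured hash in constant time, and an empty hash list means access is disabled. It is not the Nimbus library's code; it assumes UTF-8 tokens, a salt that is prepended to the token bytes, and a MIN_TOKEN_LENGTH of 32, none of which the page states.

```python
"""Reference model of SHA-256 hashed access-token validation (added example,
not the Nimbus library's code). Assumed: tokens are UTF-8, the optional salt is
prepended to the token bytes before hashing, MIN_TOKEN_LENGTH is 32."""
import hashlib
import hmac
from typing import List, Optional

MIN_TOKEN_LENGTH = 32  # assumed value; the page only documents the field name


def token_hash_hex(token: str, salt: Optional[bytes] = None) -> str:
    """Hex SHA-256 of (salt || token): the value an operator stores in config."""
    h = hashlib.sha256()
    if salt:
        h.update(salt)
    h.update(token.encode("utf-8"))
    return h.hexdigest()


class HashedTokenValidator:
    def __init__(self, token_hashes_hex: List[Optional[str]], salt: Optional[bytes] = None):
        # null or empty entries are skipped; no hashes at all => access disabled
        self.expected = [bytes.fromhex(h) for h in token_hashes_hex if h]
        self.salt = salt

    def access_is_disabled(self) -> bool:
        return not self.expected

    def is_valid(self, token: Optional[str]) -> bool:
        if token is None or len(token) < MIN_TOKEN_LENGTH:
            return False
        digest = bytes.fromhex(token_hash_hex(token, self.salt))
        # check every configured hash without short-circuiting so the timing
        # does not reveal which entry (if any) matched
        ok = False
        for exp in self.expected:
            ok |= hmac.compare_digest(digest, exp)
        return ok

    def validate_bearer_header(self, authz_header: Optional[str]) -> str:
        """Return 'ok' or the reason a servlet/JAX-RS filter would reject."""
        if self.access_is_disabled():
            return "access disabled"
        if authz_header is None:
            return "missing authorization header"
        scheme, _, token = authz_header.partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return "missing bearer token"
        if not self.is_valid(token.strip()):
            return "invalid token"
        return "ok"
```

Generate the token with a CSPRNG, store only `token_hash_hex(token)` in the deployment properties, and hand the plaintext token to the client out of band; the server side never needs it again.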