Source code

001/*
002 * nimbus-jose-jwt
003 *
004 * Copyright 2012-2016, Connect2id Ltd.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.jwt.proc;
019
020
021import java.util.Date;
022
023import com.nimbusds.jose.proc.SecurityContext;
024import com.nimbusds.jwt.JWTClaimsSet;
025import com.nimbusds.jwt.util.DateUtils;
026import net.jcip.annotations.ThreadSafe;
027
028
029/**
030 * Default JWT claims verifier. This class is thread-safe.
031 *
032 * <p>Performs the following checks:
033 *
034 * <ol>
035 *     <li>If an expiration time (exp) claim is present, makes sure it is
036 *         ahead of the current time, else the JWT claims set is rejected.
037 *     <li>If a not-before-time (nbf) claim is present, makes sure it is
038 *         before the current time, else the JWT claims set is rejected.
039 * </ol>
040 *
041 * <p>This class may be extended to perform additional checks.
042 *
043 * @author Vladimir Dzhuvinov
044 * @version 2016-07-25
045 */
046@ThreadSafe
047public class DefaultJWTClaimsVerifier <C extends SecurityContext> implements JWTClaimsSetVerifier<C>, JWTClaimsVerifier, ClockSkewAware {
048
049
050        /**
051         * The default maximum acceptable clock skew, in seconds (60).
052         */
053        public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS = 60;
054
055
056        // Cache exceptions
057
058
059        /**
060         * Expired JWT.
061         */
062        private static final BadJWTException EXPIRED_JWT_EXCEPTION = new BadJWTException("Expired JWT");
063
064
065        /**
066         * JWT before use time.
067         */
068        private static final BadJWTException JWT_BEFORE_USE_EXCEPTION = new BadJWTException("JWT before use time");
069
070
071        /**
072         * The maximum acceptable clock skew, in seconds.
073         */
074        private int maxClockSkew = DEFAULT_MAX_CLOCK_SKEW_SECONDS;
075
076
077        @Override
078        public int getMaxClockSkew() {
079                return maxClockSkew;
080        }
081
082
083        @Override
084        public void setMaxClockSkew(int maxClockSkewSeconds) {
085                maxClockSkew = maxClockSkewSeconds;
086        }
087
088
089        @Override
090        public void verify(final JWTClaimsSet claimsSet)
091                throws BadJWTException {
092
093                verify(claimsSet, null);
094        }
095        
096        
097        @Override
098        public void verify(final JWTClaimsSet claimsSet, final C context)
099                throws BadJWTException {
100                
101                final Date now = new Date();
102                
103                final Date exp = claimsSet.getExpirationTime();
104                
105                if (exp != null) {
106                        
107                        if (! DateUtils.isAfter(exp, now, maxClockSkew)) {
108                                throw EXPIRED_JWT_EXCEPTION;
109                        }
110                }
111                
112                final Date nbf = claimsSet.getNotBeforeTime();
113                
114                if (nbf != null) {
115                        
116                        if (! DateUtils.isBefore(nbf, now, maxClockSkew)) {
117                                throw JWT_BEFORE_USE_EXCEPTION;
118                        }
119                }
120        }
121}