com.nimbusds.jwt.proc

Class DefaultJWTClaimsVerifier<C extends SecurityContext>

java.lang.Object

com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier<C>

All Implemented Interfaces:

ClockSkewAware, JWTClaimsSetVerifier<C>, JWTClaimsVerifier

@ThreadSafe
public class DefaultJWTClaimsVerifier<C extends SecurityContext>
extends Object
implements JWTClaimsSetVerifier<C>, JWTClaimsVerifier, ClockSkewAware

JWT claims verifier implementation. This class is thread-safe.

Performs the following checks:

1. If an expiration time (exp) claim is present, makes sure it is ahead of the current time, else the JWT claims set is rejected.
2. If a not-before-time (nbf) claim is present, makes sure it is before the current time, else the JWT claims set is rejected.

This class may be extended to perform additional checks.

Version:

2019-10-17

Author:

Vladimir Dzhuvinov

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_MAX_CLOCK_SKEW_SECONDS The default maximum acceptable clock skew, in seconds (60).

Constructor Summary

Constructors

Constructor and Description
DefaultJWTClaimsVerifier() Creates a new JWT claims verifier.
DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims) Creates a new JWT claims verifier.
DefaultJWTClaimsVerifier(Set<String> acceptedAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims, Set<String> prohibitedClaims) Creates new default JWT claims verifier.
DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims) Creates new default JWT claims verifier.

Method Summary

Modifier and Type	Method and Description
Set<String>	getAcceptedAudienceValues() Returns the accepted audience values.
JWTClaimsSet	getExactMatchClaims() Returns the JWT claims that must match exactly.
int	getMaxClockSkew() Gets the maximum acceptable clock skew.
Set<String>	getProhibitedClaims() Returns the names of the JWT claims that must not be present.
Set<String>	getRequiredClaims() Returns the names of the JWT claims that must be present, including the name of those that must match exactly.
void	setMaxClockSkew(int maxClockSkewSeconds) Sets the maximum acceptable clock skew.
void	verify(JWTClaimsSet claimsSet) Performs verification of selected or all claims in the specified JWT claims set.
void	verify(JWTClaimsSet claimsSet, C context) Verifies selected or all claims from the specified JWT claims set.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_MAX_CLOCK_SKEW_SECONDS

public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS

The default maximum acceptable clock skew, in seconds (60).

See Also:

Constant Field Values

Constructor Detail

DefaultJWTClaimsVerifier

public DefaultJWTClaimsVerifier()

Creates a new JWT claims verifier. No audience ("aud"), required and prohibited claims are specified. Will check the expiration ("exp") and not-before ("nbf") times if present.

DefaultJWTClaimsVerifier

public DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims)

Creates a new JWT claims verifier. Allows any audience ("aud") unless an exact match is specified. Will check the expiration ("exp") and not-before ("nbf") times if present.

Parameters:

exactMatchClaims - The JWT claims that must match exactly, null if none.

requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

DefaultJWTClaimsVerifier

public DefaultJWTClaimsVerifier(String requiredAudience,
                                JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims)

Creates new default JWT claims verifier.

Parameters:

requiredAudience - The required JWT audience, null if not specified.

exactMatchClaims - The JWT claims that must match exactly, null if none.

requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

DefaultJWTClaimsVerifier

public DefaultJWTClaimsVerifier(Set<String> acceptedAudience,
                                JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims,
                                Set<String> prohibitedClaims)

Creates new default JWT claims verifier.

Parameters:

acceptedAudience - The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.

exactMatchClaims - The JWT claims that must match exactly, null if none.

requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

prohibitedClaims - The names of the JWT claims that must not be present, empty set or null if none.

Method Detail

getAcceptedAudienceValues

public Set<String> getAcceptedAudienceValues()

Returns the accepted audience values.

Returns:

The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.

getExactMatchClaims

public JWTClaimsSet getExactMatchClaims()

Returns the JWT claims that must match exactly.

Returns:

The JWT claims that must match exactly, empty set if none.

getRequiredClaims

public Set<String> getRequiredClaims()

Returns the names of the JWT claims that must be present, including the name of those that must match exactly.

Returns:

The names of the JWT claims that must be present, empty set if none.

getProhibitedClaims

public Set<String> getProhibitedClaims()

Returns the names of the JWT claims that must not be present.

Returns:

The names of the JWT claims that must not be present, empty set if none.

getMaxClockSkew

public int getMaxClockSkew()

Description copied from interface: ClockSkewAware

Gets the maximum acceptable clock skew.

Specified by:

getMaxClockSkew in interface ClockSkewAware

Returns:

The maximum acceptable clock skew, in seconds. Zero if none.

setMaxClockSkew

public void setMaxClockSkew(int maxClockSkewSeconds)

Description copied from interface: ClockSkewAware

Sets the maximum acceptable clock skew.

Specified by:

setMaxClockSkew in interface ClockSkewAware

Parameters:

maxClockSkewSeconds - The maximum acceptable clock skew, in seconds. Zero if none.

verify

public void verify(JWTClaimsSet claimsSet)
            throws BadJWTException

Description copied from interface: JWTClaimsVerifier

Performs verification of selected or all claims in the specified JWT claims set.

Specified by:

verify in interface JWTClaimsVerifier

Parameters:

claimsSet - The JWT claims set. Not null.

Throws:

BadJWTException - If the JWT claims set is rejected.

verify

public void verify(JWTClaimsSet claimsSet,
                   C context)
            throws BadJWTException

Description copied from interface: JWTClaimsSetVerifier

Verifies selected or all claims from the specified JWT claims set.

Specified by:

verify in interface JWTClaimsSetVerifier<C extends SecurityContext>

Parameters:

claimsSet - The JWT claims set. Not null.

context - Optional context, null if not required.

Throws:

BadJWTException - If the JWT claims set is rejected.