Class JwtAuthenticator

- java.lang.Object
  - org.apache.archiva.redback.authentication.AbstractAuthenticator
    - org.apache.archiva.redback.authentication.jwt.JwtAuthenticator

All Implemented Interfaces:
- Authenticator
@Service("authenticator#jwt")
public class JwtAuthenticator extends AbstractAuthenticator implements Authenticator

Authenticator for JWT tokens. This authenticator needs a secret key or a key pair, depending on the algorithm used for signing and verification. The key can either be volatile in memory, which means a new one is created with each start of the service, or it can be stored in a file. If this service runs in a cluster, you need a shared filesystem (NFS) for storing the key file; otherwise each instance will use a different key.

You can renew the key in use (renewSigningKey()). The authenticator keeps a fixed-size list of the last keys used and stores the key identifier in the JWT header.

The default algorithm used for the JWT is currently UserConfigurationKeys.AUTHENTICATION_JWT_SIGALG_ES384.

If the plainfile keystore is used, only the most recent key is saved to the file, not the complete list (so after a restart, tokens signed with an older key can no longer be verified). The JWT tokens have a fixed lifetime (14400 seconds, i.e. 4 hours).

The following configuration keys are used to set up this authenticator:

- "authentication.jwt.keystoreType": the type of the keystore, either "memory" (the key is lost if the JVM stops) or "plainfile"
- "authentication.jwt.signatureAlgorithm": the signature algorithm for the JWT, one of
  - HS256: HMAC using SHA-256
  - HS384: HMAC using SHA-384
  - HS512: HMAC using SHA-512
  - ES256: ECDSA using P-256 and SHA-256
  - ES384: ECDSA using P-384 and SHA-384
  - ES512: ECDSA using P-521 and SHA-512
  - RS256: RSASSA-PKCS-v1_5 using SHA-256
  - RS384: RSASSA-PKCS-v1_5 using SHA-384
  - RS512: RSASSA-PKCS-v1_5 using SHA-512
  - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
- "authentication.jwt.maxInMemoryKeys": the maximum number of signature keys to keep in memory for verification
- "authentication.jwt.keyfile": the key file, either a full path to the file or a single filename, which means it is stored in the working directory
- "authentication.jwt.lifetimeMs": the default token lifetime in milliseconds
Nested Class Summary

- class JwtAuthenticator.SigningKeyResolver

Field Summary

- static String DEFAULT_KEYFILE
- static String DEFAULT_LIFETIME
- static String DEFAULT_REFRESH_LIFETIME
- static String ID
- static String PROP_KEYID
- static String PROP_PRIV_ALG
- static String PROP_PRIV_FORMAT
- static String PROP_PRIVATEKEY
- static String PROP_PUB_ALG
- static String PROP_PUB_FORMAT
- static String PROP_PUBLICKEY

Fields inherited from class org.apache.archiva.redback.authentication.AbstractAuthenticator: valid

Constructor Summary

- JwtAuthenticator()

Method Summary

- AuthenticationResult authenticate(AuthenticationDataSource dataSource)
- AuthenticationResult authenticate(BearerTokenAuthenticationDataSource source): tries to verify the represented token and returns the result
- Token generateToken(String userId): creates a token for the given user id
- Token generateToken(String userId, TokenType type): creates a token for the given user id
- Long getCurrentKeyId(): returns the identifier of the key currently in use
- int getCurrentKeyListSize(): returns the current size of the in-memory key list
- String getId()
- Path getKeystoreFilePath(): returns the path to the keystore file, or null if the keystore type is memory
- String getKeystoreType(): returns the keystore type that is set up for the authenticator
- int getMaxInMemoryKeys(): returns the maximum number of signature keys to store in memory for verification
- String getSignatureAlgorithm(): returns the signature algorithm used for signing JWT tokens
- Duration getTokenLifetime(): returns the default token lifetime of generated tokens
- UserConfiguration getUserConfiguration()
- void init()
- io.jsonwebtoken.Jws<io.jsonwebtoken.Claims> parseToken(String token): parses the given token and returns the JWS metadata stored in the token
- Token refreshAccessToken(String refreshToken): allows renewing a token based on the origin token
- Long renewSigningKey(): creates a new signing key and uses it for new tokens
- void revokeSigningKeys(): removes all signing keys and creates a new one
- void setTokenLifetime(Duration lifetime): sets the default token lifetime of generated tokens
- void setUserConfiguration(UserConfiguration userConfiguration)
- boolean supportsDataSource(AuthenticationDataSource source): returns true, if the source is an instance of TokenBasedAuthenticationDataSource
- Token tokenFromString(String tokenData): returns a token object from the given token String
- boolean usesSymmetricAlgorithm(): returns true, if the signature algorithm is a symmetric one, otherwise false
- String verify(String token): verifies the given JWT token and returns the stored subject, if successful; if the verification fails, a TokenAuthenticationException is thrown
- String verify(String token, TokenType type)

Methods inherited from class org.apache.archiva.redback.authentication.AbstractAuthenticator: initialize, isValid

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.archiva.redback.authentication.Authenticator: initialize, isValid
Field Detail

DEFAULT_LIFETIME

public static final String DEFAULT_LIFETIME

DEFAULT_REFRESH_LIFETIME

public static final String DEFAULT_REFRESH_LIFETIME

DEFAULT_KEYFILE

public static final String DEFAULT_KEYFILE

ID

public static final String ID

PROP_PRIV_ALG

public static final String PROP_PRIV_ALG

PROP_PRIV_FORMAT

public static final String PROP_PRIV_FORMAT

PROP_PUB_ALG

public static final String PROP_PUB_ALG

PROP_PUB_FORMAT

public static final String PROP_PUB_FORMAT

PROP_PRIVATEKEY

public static final String PROP_PRIVATEKEY

PROP_PUBLICKEY

public static final String PROP_PUBLICKEY

PROP_KEYID

public static final String PROP_KEYID
Constructor Detail

JwtAuthenticator

public JwtAuthenticator()
Method Detail

getId

public String getId()

- Specified by: getId in interface Authenticator

init

@PostConstruct
public void init() throws AuthenticationException

- Throws: AuthenticationException

supportsDataSource

public boolean supportsDataSource(AuthenticationDataSource source)

Returns true, if the source is an instance of TokenBasedAuthenticationDataSource.

- Specified by: supportsDataSource in interface Authenticator
- Parameters: source - the source to check
- Returns: true, if the given source is an instance of TokenBasedAuthenticationDataSource

authenticate

public AuthenticationResult authenticate(BearerTokenAuthenticationDataSource source) throws AuthenticationException

Tries to verify the represented token and returns the result.

- Parameters: source - the authentication source, which must be a TokenBasedAuthenticationDataSource
- Returns: the authentication result
- Throws: AuthenticationException - if the source is not a TokenBasedAuthenticationDataSource

authenticate

public AuthenticationResult authenticate(AuthenticationDataSource dataSource) throws AuthenticationException

- Specified by: authenticate in interface Authenticator
- Throws: AuthenticationException
renewSigningKey

public Long renewSigningKey()

Creates a new signing key and uses it for new tokens. It keeps maxInMemoryKeys keys in the list for JWT verification.
generateToken

public Token generateToken(String userId)

Creates a token for the given user id. The token contains the following data:

- the user id as subject
- the issuer archiva.apache.org/redback
- an id header with the key id

- Parameters: userId - the user identifier to set as subject
- Returns: the token string

generateToken

public Token generateToken(String userId, TokenType type)

Creates a token for the given user id. The token contains the following data:

- the user id as subject
- the issuer archiva.apache.org/redback
- an id header with the key id

- Parameters: userId - the user identifier to set as subject; type - the token type that indicates whether this token is an access or a refresh token
- Returns: the token string
tokenFromString

public Token tokenFromString(String tokenData)

Returns a token object from the given token String.

- Parameters: tokenData - the string representation of the token
- Returns: the token instance

refreshAccessToken

public Token refreshAccessToken(String refreshToken) throws TokenAuthenticationException

Allows renewing a token based on the origin token. If the presented origin is valid, a new token with a refreshed expiration time is returned.

- Parameters: refreshToken - the refresh token
- Returns: the newly created token
- Throws: AuthenticationException - if the given origin token is not valid; TokenAuthenticationException

parseToken

public io.jsonwebtoken.Jws<io.jsonwebtoken.Claims> parseToken(String token) throws io.jsonwebtoken.JwtException

Parses the given token and returns the JWS metadata stored in the token.

- Parameters: token - the token string
- Returns: the parsed data
- Throws: io.jsonwebtoken.JwtException - if the token data is no longer valid
verify

public String verify(String token) throws TokenAuthenticationException

Verifies the given JWT token and returns the stored subject, if successful. If the verification fails, a TokenAuthenticationException is thrown.

- Parameters: token - the JWT representation
- Returns: the subject of the JWT
- Throws: TokenAuthenticationException - if the verification failed

verify

public String verify(String token, TokenType type) throws TokenAuthenticationException

- Throws: TokenAuthenticationException
revokeSigningKeys

public void revokeSigningKeys()

Removes all signing keys and creates a new one. If you call this method, all JWT tokens generated before will be invalid.
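The key handling that the class description, renewSigningKey(), revokeSigningKeys() and verify() describe (a bounded list of the last maxInMemoryKeys keys, the key identifier carried in the JWT header, tokens that stop verifying once their key has rotated out or been revoked, and the 14400 second lifetime), as an added stand-alone Python model that is not Redback code: it hard-codes HS256 with hand-rolled JOSE encoding instead of JJWT and the configurable algorithm list, and the KeyRing class and its method names are assumptions modelled on the page's methods.

```python
import base64, hashlib, hmac, json, secrets, time
from collections import OrderedDict

ISSUER = "archiva.apache.org/redback"  # issuer claim named on the page
DEFAULT_LIFETIME_S = 14400             # 4 hours, the token lifetime the page states

def _b64(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes: return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeyRing:  # assumed name; bounded list of HS256 keys: the newest signs, every listed key verifies
    def __init__(self, max_in_memory_keys: int = 3):
        self.max_keys = max_in_memory_keys       # the page's maxInMemoryKeys
        self.keys: "OrderedDict[int, bytes]" = OrderedDict()  # kid -> secret, oldest first
        self.next_kid = 1                        # key ids are never reused
        self.renew_signing_key()
    def current_key_id(self) -> int:
        return next(reversed(self.keys))
    def renew_signing_key(self) -> int:
        kid, self.next_kid = self.next_kid, self.next_kid + 1
        self.keys[kid] = secrets.token_bytes(32)  # fresh key becomes the signing key
        while len(self.keys) > self.max_keys:     # oldest keys fall off the list
            self.keys.popitem(last=False)
        return kid
    def revoke_signing_keys(self) -> int:
        self.keys.clear()  # every token issued so far now fails with an unknown key id
        return self.renew_signing_key()

    def generate_token(self, user_id: str, lifetime_s: int = DEFAULT_LIFETIME_S, now=None) -> str:
        now = int(time.time()) if now is None else now
        kid = self.current_key_id()
        header = {"alg": "HS256", "typ": "JWT", "kid": str(kid)}  # key id travels in the header
        claims = {"sub": user_id, "iss": ISSUER, "iat": now, "exp": now + lifetime_s}
        body = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
        return body + "." + _b64(hmac.new(self.keys[kid], body.encode(), hashlib.sha256).digest())

    def verify(self, token: str, now=None) -> str:
        """Return the subject, or raise ValueError where the page throws TokenAuthenticationException."""
        now = int(time.time()) if now is None else now
        try:
            h64, c64, s64 = token.split(".")
            header, claims = json.loads(_unb64(h64)), json.loads(_unb64(c64))
            kid, subject, exp = int(header["kid"]), str(claims["sub"]), int(claims.get("exp", 0))
        except (ValueError, TypeError, KeyError) as err:
            raise ValueError("malformed token") from err
        key = self.keys.get(kid)  # None once the key has rotated out or been revoked
        if header.get("alg") != "HS256" or key is None: raise ValueError("unsupported alg or unknown key id")
        expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s64)): raise ValueError("signature mismatch")
        if claims.get("iss") != ISSUER or exp <= now: raise ValueError("wrong issuer or token expired")
        return subject
```

With max_in_memory_keys=2, a token signed under kid 1 still verifies after one renewal, fails after the second (kid 1 has left the list), and every outstanding token fails immediately after revoke_signing_keys().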
usesSymmetricAlgorithm

public boolean usesSymmetricAlgorithm()

Returns true, if the signature algorithm is a symmetric one, otherwise false.

- Returns: true, if the algorithm is symmetric, otherwise false

getSignatureAlgorithm

public String getSignatureAlgorithm()

Returns the signature algorithm used for signing JWT tokens.

- Returns: the string representation of the signature algorithm

getKeystoreType

public String getKeystoreType()

Returns the keystore type that is set up for the authenticator.

- Returns: either memory or plainfile

getKeystoreFilePath

public Path getKeystoreFilePath()

Returns the path to the keystore file, or null if the keystore type is memory.

- Returns: the path to the keystore file, or null

getMaxInMemoryKeys

public int getMaxInMemoryKeys()

Returns the maximum number of signature keys to store in memory for verification.

- Returns: the maximum number of signature keys to keep in memory

getCurrentKeyListSize

public int getCurrentKeyListSize()

Returns the current size of the in-memory key list.

- Returns: the number of signature keys stored in memory

getCurrentKeyId

public Long getCurrentKeyId()

Returns the identifier of the key currently in use.

- Returns: the key identifier

getTokenLifetime

public Duration getTokenLifetime()

Returns the default token lifetime of generated tokens.

- Returns: the lifetime as a Duration

setTokenLifetime

public void setTokenLifetime(Duration lifetime)

Sets the default token lifetime of generated tokens.

- Parameters: lifetime - the lifetime as a Duration

getUserConfiguration

public UserConfiguration getUserConfiguration()

setUserConfiguration

public void setUserConfiguration(UserConfiguration userConfiguration)