Class JwtAuthenticator
- java.lang.Object
  - org.apache.archiva.redback.authentication.AbstractAuthenticator
    - org.apache.archiva.redback.authentication.jwt.JwtAuthenticator
- All Implemented Interfaces: Authenticator
@Service("authenticator#jwt") public class JwtAuthenticator extends AbstractAuthenticator implements Authenticator
Authenticator for JWT tokens. This authenticator needs a secret key or a key pair, depending on the algorithm used for signing and verification. The key can be either volatile in memory, which means a new one is created with each start of the service, or it can be stored in a file. With the in-memory keystore, tokens issued before a restart can no longer be verified. If this service is running in a cluster, you need a shared filesystem (NFS) for storing the key file; otherwise each instance uses a different key and rejects tokens issued by the other instances.

You can renew the used key (renewSigningKey()). The authenticator keeps a fixed-size list of the last keys used and stores the key identifier in the JWT header, so tokens signed with an older key remain verifiable until that key drops off the list. The default algorithm used for the JWT is currently UserConfigurationKeys.AUTHENTICATION_JWT_SIGALG_ES384. If the plainfile keystore is used, only the most recent key is saved to the file, not the complete list, so after a restart only tokens signed with that key can still be verified. The JWT tokens have a lifetime set (14400 seconds, i.e. 4 hours).

The following configuration keys are used to set up this authenticator:
- "authentication.jwt.keystoreType"
  The type of the keystore, either "memory" (the key is lost if the JVM stops) or "plainfile"
- "authentication.jwt.signatureAlgorithm"
  The signature algorithm for the JWT:
  - HS256: HMAC using SHA-256
  - HS384: HMAC using SHA-384
  - HS512: HMAC using SHA-512
  - ES256: ECDSA using P-256 and SHA-256
  - ES384: ECDSA using P-384 and SHA-384
  - ES512: ECDSA using P-521 and SHA-512
  - RS256: RSASSA-PKCS-v1_5 using SHA-256
  - RS384: RSASSA-PKCS-v1_5 using SHA-384
  - RS512: RSASSA-PKCS-v1_5 using SHA-512
  - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
  - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
  - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512
- "authentication.jwt.maxInMemoryKeys"
  The maximum number of signature keys to keep in memory for verification
- "authentication.jwt.keyfile"
  The key file. Either a full path to the file, or a single filename, which means it is stored in the working directory
- "authentication.jwt.lifetimeMs"
  The default token lifetime in milliseconds
Nested Class Summary
class JwtAuthenticator.SigningKeyResolver
-
Field Summary
static String DEFAULT_KEYFILE
static String DEFAULT_LIFETIME
static String DEFAULT_REFRESH_LIFETIME
static String ID
static String PROP_KEYID
static String PROP_PRIV_ALG
static String PROP_PRIV_FORMAT
static String PROP_PRIVATEKEY
static String PROP_PUB_ALG
static String PROP_PUB_FORMAT
static String PROP_PUBLICKEY
-
Fields inherited from class org.apache.archiva.redback.authentication.AbstractAuthenticator
valid
-
-
Constructor Summary
JwtAuthenticator()
-
Method Summary
AuthenticationResult authenticate(AuthenticationDataSource dataSource)
AuthenticationResult authenticate(BearerTokenAuthenticationDataSource source)
    Tries to verify the represented token and returns the result.
Token generateToken(String userId)
    Creates a token for the given user id.
Token generateToken(String userId, TokenType type)
    Creates a token for the given user id.
Long getCurrentKeyId()
    Returns the currently used key identifier.
int getCurrentKeyListSize()
    Returns the current size of the in-memory key list.
String getId()
Path getKeystoreFilePath()
    Returns the path to the keystore file, or null if the keystore type is memory.
String getKeystoreType()
    Returns the keystore type that is set up for the authenticator.
int getMaxInMemoryKeys()
    Returns the maximum number of signature keys to store in memory for verification.
String getSignatureAlgorithm()
    Returns the signature algorithm used for signing JWT tokens.
Duration getTokenLifetime()
    Returns the default token lifetime of generated tokens.
UserConfiguration getUserConfiguration()
void init()
io.jsonwebtoken.Jws<io.jsonwebtoken.Claims> parseToken(String token)
    Parses the given token and returns the JWS metadata stored in the token.
Token refreshAccessToken(String refreshToken)
    Allows renewing a token based on the origin token.
Long renewSigningKey()
    Creates a new signing key and uses this for new tokens.
void revokeSigningKeys()
    Removes all signing keys and creates a new one.
void setTokenLifetime(Duration lifetime)
    Sets the default token lifetime of generated tokens.
void setUserConfiguration(UserConfiguration userConfiguration)
boolean supportsDataSource(AuthenticationDataSource source)
    Returns true if the source is an instance of TokenBasedAuthenticationDataSource.
Token tokenFromString(String tokenData)
    Returns a token object from the given token String.
boolean usesSymmetricAlgorithm()
    Returns true if the signature algorithm is a symmetric one, otherwise false.
String verify(String token)
    Verifies the given JWT token and returns the stored subject if successful. If the verification fails, a TokenAuthenticationException is thrown.
String verify(String token, TokenType type)
-
Methods inherited from class org.apache.archiva.redback.authentication.AbstractAuthenticator
initialize, isValid
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.apache.archiva.redback.authentication.Authenticator
initialize, isValid
-
-
-
-
Field Detail
-
DEFAULT_LIFETIME
public static final String DEFAULT_LIFETIME
- See Also:
- Constant Field Values
-
DEFAULT_REFRESH_LIFETIME
public static final String DEFAULT_REFRESH_LIFETIME
- See Also:
- Constant Field Values
-
DEFAULT_KEYFILE
public static final String DEFAULT_KEYFILE
- See Also:
- Constant Field Values
-
ID
public static final String ID
- See Also:
- Constant Field Values
-
PROP_PRIV_ALG
public static final String PROP_PRIV_ALG
- See Also:
- Constant Field Values
-
PROP_PRIV_FORMAT
public static final String PROP_PRIV_FORMAT
- See Also:
- Constant Field Values
-
PROP_PUB_ALG
public static final String PROP_PUB_ALG
- See Also:
- Constant Field Values
-
PROP_PUB_FORMAT
public static final String PROP_PUB_FORMAT
- See Also:
- Constant Field Values
-
PROP_PRIVATEKEY
public static final String PROP_PRIVATEKEY
- See Also:
- Constant Field Values
-
PROP_PUBLICKEY
public static final String PROP_PUBLICKEY
- See Also:
- Constant Field Values
-
PROP_KEYID
public static final String PROP_KEYID
- See Also:
- Constant Field Values
-
-
Constructor Detail
-
JwtAuthenticator
public JwtAuthenticator()
-
-
Method Detail
-
getId
public String getId()
- Specified by:
getId
in interface Authenticator
-
init
@PostConstruct public void init() throws AuthenticationException
- Throws:
AuthenticationException
-
supportsDataSource
public boolean supportsDataSource(AuthenticationDataSource source)
Returns true if the source is an instance of TokenBasedAuthenticationDataSource.
- Specified by:
supportsDataSource
in interface Authenticator
- Parameters:
source
- the source to check
- Returns:
true, if the given source is an instance of TokenBasedAuthenticationDataSource
-
authenticate
public AuthenticationResult authenticate(BearerTokenAuthenticationDataSource source) throws AuthenticationException
Tries to verify the represented token and returns the result.
- Parameters:
source
- the authentication source, which must be a TokenBasedAuthenticationDataSource
- Returns:
- the authentication result
- Throws:
AuthenticationException
- if the source is not a TokenBasedAuthenticationDataSource
-
authenticate
public AuthenticationResult authenticate(AuthenticationDataSource dataSource) throws AuthenticationException
- Specified by:
authenticate
in interface Authenticator
- Throws:
AuthenticationException
-
renewSigningKey
public Long renewSigningKey()
Creates a new signing key and uses it for new tokens. It will keep maxInMemoryKeys keys in the list for JWT verification, so tokens signed with an older key stay valid until that key is dropped from the list.
-
generateToken
public Token generateToken(String userId)
Creates a token for the given user id. The token contains the following data:
- the user id as subject
- the issuer archiva.apache.org/redback
- an id header with the key id
- Parameters:
userId
- the user identifier to set as subject
- Returns:
- the generated token
-
generateToken
public Token generateToken(String userId, TokenType type)
Creates a token for the given user id. The token contains the following data:
- the user id as subject
- the issuer archiva.apache.org/redback
- an id header with the key id
- Parameters:
userId
- the user identifier to set as subject
type
- the token type that indicates if this token is an access or a refresh token
- Returns:
- the generated token
-
tokenFromString
public Token tokenFromString(String tokenData)
Returns a token object from the given token String.
- Parameters:
tokenData
- the string representation of the token
- Returns:
- the token instance
-
refreshAccessToken
public Token refreshAccessToken(String refreshToken) throws TokenAuthenticationException
Allows renewing a token based on the origin token. If the presented origin (refresh) token is valid, a new token with a refreshed expiration time is returned.
- Parameters:
refreshToken
- the refresh token
- Returns:
- the newly created token
- Throws:
TokenAuthenticationException
- if the given origin token is not valid
-
parseToken
public io.jsonwebtoken.Jws<io.jsonwebtoken.Claims> parseToken(String token) throws io.jsonwebtoken.JwtException
Parses the given token and returns the JWS metadata stored in the token.
- Parameters:
token
- the token string
- Returns:
- the parsed data
- Throws:
io.jsonwebtoken.JwtException
- if the token data is not valid anymore
-
verify
public String verify(String token) throws TokenAuthenticationException
Verifies the given JWT token and returns the stored subject if successful. If the verification fails, a TokenAuthenticationException is thrown.
- Parameters:
token
- the JWT representation
- Returns:
- the subject of the JWT
- Throws:
TokenAuthenticationException
- if the verification failed
-
verify
public String verify(String token, TokenType type) throws TokenAuthenticationException
- Throws:
TokenAuthenticationException
-
revokeSigningKeys
public void revokeSigningKeys()
Removes all signing keys and creates a new one. If you call this method, all JWT tokens generated before the call become invalid, because their key id no longer resolves to a key.
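The key-ring behaviour described in the class description and in renewSigningKey(), refreshAccessToken(), verify(String, TokenType) and revokeSigningKeys() above, as an added, self-contained model. This is illustration code, not Redback's implementation: it uses only the Python standard library and HS256 instead of the ES384 default, numbers keys with an integer "kid" header, and assumes a "tokenType" claim to distinguish access from refresh tokens (the real class keeps its own key identifiers and claim names). The refresh lifetime is an assumed value; the access lifetime is the page's 14400 seconds.

```python
# Added model of JwtAuthenticator's key ring (not Redback code). Assumed names:
# integer "kid" header, "tokenType" claim, and a 7-day refresh lifetime.
import base64
import hashlib
import hmac
import json
import os
from collections import OrderedDict


class TokenError(Exception):
    """Any verification failure (models TokenAuthenticationException)."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Bounded list of verification keys, newest last (models maxInMemoryKeys)."""

    def __init__(self, max_keys: int = 3) -> None:
        self.max_keys = max_keys
        self.keys: "OrderedDict[int, bytes]" = OrderedDict()
        self.current_kid = 0
        self.renew()

    def renew(self) -> int:
        """New signing key; older keys verify only until they fall off the list."""
        self.current_kid += 1
        self.keys[self.current_kid] = os.urandom(32)
        while len(self.keys) > self.max_keys:
            self.keys.popitem(last=False)  # evict the oldest key
        return self.current_kid

    def revoke_all(self) -> int:
        """Drop every key: all previously issued tokens stop verifying."""
        self.keys.clear()
        return self.renew()


class JwtModel:
    ISSUER = "archiva.apache.org/redback"
    ALG = "HS256"

    def __init__(self, ring: KeyRing, access_lifetime: int = 14400,
                 refresh_lifetime: int = 7 * 86400) -> None:
        self.ring = ring
        self.lifetime = {"access": access_lifetime, "refresh": refresh_lifetime}

    def generate(self, user_id: str, token_type: str = "access", now: int = 0) -> str:
        header = {"alg": self.ALG, "typ": "JWT", "kid": self.ring.current_kid}
        claims = {"sub": user_id, "iss": self.ISSUER, "iat": now,
                  "exp": now + self.lifetime[token_type], "tokenType": token_type}
        signing_input = (b64url(json.dumps(header).encode()) + "."
                         + b64url(json.dumps(claims).encode()))
        key = self.ring.keys[self.ring.current_kid]
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def verify(self, token: str, expected_type: str = "access", now: int = 0) -> str:
        parts = token.split(".")
        if len(parts) != 3:
            raise TokenError("malformed token")
        try:
            header = json.loads(b64url_decode(parts[0]))
            claims = json.loads(b64url_decode(parts[1]))
            sig = b64url_decode(parts[2])
        except ValueError as exc:
            raise TokenError("undecodable token") from exc
        # The header is attacker-controlled until the signature is checked:
        # pin the algorithm instead of trusting "alg", and resolve the key by "kid".
        if header.get("alg") != self.ALG:
            raise TokenError("unexpected alg %r" % header.get("alg"))
        key = self.ring.keys.get(header.get("kid"))
        if key is None:
            raise TokenError("unknown or evicted key id %r" % header.get("kid"))
        expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise TokenError("bad signature")
        if claims.get("iss") != self.ISSUER:
            raise TokenError("wrong issuer")
        if claims.get("exp", 0) <= now:
            raise TokenError("token expired")
        if claims.get("tokenType") != expected_type:
            raise TokenError("expected a %s token" % expected_type)
        return claims["sub"]

    def refresh_access_token(self, refresh_token: str, now: int = 0) -> str:
        """Only a valid refresh token may mint a new access token."""
        subject = self.verify(refresh_token, expected_type="refresh", now=now)
        return self.generate(subject, "access", now=now)


def is_valid(model: JwtModel, token: str, token_type: str = "access", now: int = 0) -> bool:
    try:
        model.verify(token, token_type, now)
        return True
    except TokenError:
        return False
```

Two points the model makes explicit: verification resolves the key from the "kid" header and fails closed for an id that is unknown or has been evicted, which is exactly why renewing past maxInMemoryKeys or calling revokeSigningKeys() invalidates earlier tokens; and an access token presented to refresh_access_token() is rejected because the token type is checked after the signature, so a leaked short-lived access token cannot be turned into a long-lived one.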
-
usesSymmetricAlgorithm
public boolean usesSymmetricAlgorithm()
Returns true if the signature algorithm is a symmetric one (HS256, HS384, HS512), otherwise false.
- Returns:
true, if symmetric algorithm, otherwise false
-
getSignatureAlgorithm
public String getSignatureAlgorithm()
Returns the signature algorithm used for signing JWT tokens.
- Returns:
- the string representation of the signature algorithm
-
getKeystoreType
public String getKeystoreType()
Returns the keystore type that is set up for the authenticator.
- Returns:
- either memory or plainfile
-
getKeystoreFilePath
public Path getKeystoreFilePath()
Returns the path to the keystore file, or null if the keystore type is memory.
- Returns:
- the path to the keystore file, or null
-
getMaxInMemoryKeys
public int getMaxInMemoryKeys()
Returns the maximum number of signature keys to store in memory for verification.
- Returns:
- the maximum number of signature keys to keep in memory
-
getCurrentKeyListSize
public int getCurrentKeyListSize()
Returns the current size of the in-memory key list.
- Returns:
- the number of signature keys stored in memory
-
getCurrentKeyId
public Long getCurrentKeyId()
Returns the currently used key identifier.
- Returns:
- the key identifier
-
getTokenLifetime
public Duration getTokenLifetime()
Returns the default token lifetime of generated tokens.
- Returns:
- the lifetime as duration
-
setTokenLifetime
public void setTokenLifetime(Duration lifetime)
Sets the default token lifetime of generated tokens.
- Parameters:
lifetime
- the lifetime as duration
-
getUserConfiguration
public UserConfiguration getUserConfiguration()
-
setUserConfiguration
public void setUserConfiguration(UserConfiguration userConfiguration)
-
-