Package com.nimbusds.common.oauth2

Class SHA256BasedAccessTokenValidator

java.lang.Object

com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator

All Implemented Interfaces:

MasterAccessTokenValidator

@ThreadSafe
public class SHA256BasedAccessTokenValidator
extends Object

SHA-256 based access token validator. The expected access tokens are configured as their SHA-256 hashes, to prevent accidental leaks into logs, etc. Supports servlet-based and JAX-RS based web applications.

Nested Class Summary

Nested classes/interfaces inherited from interface com.nimbusds.common.oauth2.MasterAccessTokenValidator

MasterAccessTokenValidator.ErrorResponse

Field Summary

Fields

Modifier and Type	Field	Description
protected List<byte[]>	expectedTokenHashes	The expected access token hashes, empty list if access to the web API is disabled.
protected byte[]	hashSalt	Optional salt for computing the SHA-256 hashes.
protected org.apache.logging.log4j.Logger	log	Optional logger.
static int	MIN_TOKEN_LENGTH	The minimum acceptable access token length.

Fields inherited from interface com.nimbusds.common.oauth2.MasterAccessTokenValidator

INVALID_BEARER_TOKEN, MISSING_BEARER_TOKEN, WEB_API_DISABLED

Constructor Summary

Constructors

Constructor	Description
SHA256BasedAccessTokenValidator(String tokenHash)	Creates a new basic access token validator.
SHA256BasedAccessTokenValidator(String... tokenHashes)	Creates a new basic access token validator.

Method Summary

Modifier and Type	Method	Description
boolean	accessIsDisabled()	Returns true if access is disabled (no access token configured).
org.apache.logging.log4j.Logger	getLogger()	Gets the optional logger.
boolean	isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)	Returns true if the specified bearer access token is valid.
void	setLogger(org.apache.logging.log4j.Logger log)	Sets the optional logger.
void	validateBearerAccessToken(String authzHeader)	Validates a bearer access token passed in the specified HTTP Authorization header value.
boolean	validateBearerAccessToken(javax.servlet.http.HttpServletRequest servletRequest, javax.servlet.http.HttpServletResponse servletResponse)	Validates a bearer access token passed in the specified HTTP servlet request.

Methods inherited from interface com.nimbusds.common.oauth2.MasterAccessTokenValidator

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

MIN_TOKEN_LENGTH

public static final int MIN_TOKEN_LENGTH

The minimum acceptable access token length.

See Also:

Constant Field Values

expectedTokenHashes

protected final List<byte[]> expectedTokenHashes

The expected access token hashes, empty list if access to the web API is disabled.

hashSalt

protected byte[] hashSalt

Optional salt for computing the SHA-256 hashes.

log

protected org.apache.logging.log4j.Logger log

Optional logger.

Constructor Detail

SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String tokenHash)

Creates a new basic access token validator.

Parameters:

tokenHash - The Bearer access token SHA-256 hash (in hex). If null access to the web API will be disabled.

SHA256BasedAccessTokenValidator

public SHA256BasedAccessTokenValidator(String... tokenHashes)

Creates a new basic access token validator.

Parameters:

tokenHashes - The Bearer access token SHA-256 hashes (in hex). If null access to the web API will be disabled.

Method Detail

validateBearerAccessToken

public void validateBearerAccessToken(String authzHeader)
                               throws javax.ws.rs.WebApplicationException

Description copied from interface: MasterAccessTokenValidator

Validates a bearer access token passed in the specified HTTP Authorization header value.

Parameters:

authzHeader - The HTTP Authorization header value, null if not specified.

Throws:

javax.ws.rs.WebApplicationException - If the header value is null, the web API is disabled, or the Bearer access token is missing or invalid.

validateBearerAccessToken

public boolean validateBearerAccessToken(javax.servlet.http.HttpServletRequest servletRequest,
                                         javax.servlet.http.HttpServletResponse servletResponse)
                                  throws IOException

Description copied from interface: MasterAccessTokenValidator

Validates a bearer access token passed in the specified HTTP servlet request.

Parameters:

servletRequest - The HTTP servlet request. Must not be null.

servletResponse - The HTTP servlet response. Must not be null.

Returns:

true if the bearer access token was successfully validated, false.

Throws:

IOException - If the response couldn't be written.

accessIsDisabled

public boolean accessIsDisabled()

Description copied from interface: MasterAccessTokenValidator

Returns true if access is disabled (no access token configured).

Specified by:

accessIsDisabled in interface MasterAccessTokenValidator

Returns:

true if access is disabled, else false.

isValid

public boolean isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)

Description copied from interface: MasterAccessTokenValidator

Returns true if the specified bearer access token is valid.

Specified by:

isValid in interface MasterAccessTokenValidator

Parameters:

accessToken - The bearer access token to check, null if not specified.

Returns:

true if the specified bearer access token is valid, else false.

getLogger

public org.apache.logging.log4j.Logger getLogger()

Description copied from interface: MasterAccessTokenValidator

Gets the optional logger.

Specified by:

getLogger in interface MasterAccessTokenValidator

Returns:

The logger, null if not specified.

setLogger

public void setLogger(org.apache.logging.log4j.Logger log)

Description copied from interface: MasterAccessTokenValidator

Sets the optional logger.

Specified by:

setLogger in interface MasterAccessTokenValidator

Parameters:

log - The logger, null if not specified.