Package com.nimbusds.common.oauth2
Class SHA256BasedAccessTokenValidator
java.lang.Object
com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator
- All Implemented Interfaces:
MasterAccessTokenValidator
SHA-256 based access token validator. The expected access tokens are
configured as their SHA-256 hashes, to prevent accidental leaks into logs,
etc. Supports servlet-based and JAX-RS based web applications.
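The following is a worked example added to this page; it is not part of the Nimbus library or of the original documentation. It walks through the lifecycle the class description implies: an operator generates a random master token, derives the hex SHA-256 hash that goes into configuration (so the token itself never sits in a properties file or a log line), the application builds the validator from that hash, and a servlet filter and a JAX-RS request filter delegate to the two validateBearerAccessToken overloads. The filter classes, the helper method names, the choice of a 32-byte base64url token, and the assumption that the configured hash is SHA-256 over the UTF-8 bytes of the token with no salt (hashSalt is a protected field and this page documents no public way to set it) are this example's own; the library calls are exactly the constructors and methods documented on this page.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.HttpHeaders;

import com.nimbusds.common.oauth2.SHA256BasedAccessTokenValidator;

/**
 * Added example, not Nimbus library code. Assumes the configured hash is the
 * hex SHA-256 of the token's UTF-8 bytes with no salt (the only form this
 * page documents completely).
 */
public final class MasterTokenExample {

    /** Generates a 32-byte random token, base64url without padding (example's own choice). */
    public static String generateToken() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Hex SHA-256 of the token's UTF-8 bytes: this is what goes into configuration, never the token. */
    public static String sha256Hex(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Servlet side: the validator writes the error response itself and returns false. */
    public static final class MasterTokenFilter implements Filter {
        private final SHA256BasedAccessTokenValidator validator;

        /** Two hashes so the token can be rotated: the old one keeps working until removed from config. */
        public MasterTokenFilter(String currentHash, String previousHash) {
            this.validator = new SHA256BasedAccessTokenValidator(currentHash, previousHash);
        }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            HttpServletResponse httpRes = (HttpServletResponse) res;
            if (validator.validateBearerAccessToken(httpReq, httpRes)) {
                chain.doFilter(req, res); // bearer token matched one of the configured hashes
            }
            // On false the validator has already written the error response; do not continue the chain.
        }
    }

    /** JAX-RS side: the String overload throws WebApplicationException on any failure. */
    public static final class MasterTokenRequestFilter implements ContainerRequestFilter {
        private final SHA256BasedAccessTokenValidator validator;

        public MasterTokenRequestFilter(SHA256BasedAccessTokenValidator validator) {
            this.validator = validator;
        }

        @Override
        public void filter(ContainerRequestContext ctx) {
            // Throws jakarta.ws.rs.WebApplicationException if the header is absent,
            // the web API is disabled, or the token does not match.
            validator.validateBearerAccessToken(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        }
    }

    public static void main(String[] args) {
        String token = generateToken();
        String hash = sha256Hex(token);
        System.out.println("Hand the token to the client (once): " + token);
        System.out.println("Store only the hash in configuration:  " + hash);

        // A null hash means the web API is disabled: every call is rejected rather than silently allowed.
        SHA256BasedAccessTokenValidator disabled = new SHA256BasedAccessTokenValidator((String) null);
        System.out.println("Access disabled: " + disabled.accessIsDisabled()
                + ", configured tokens: " + disabled.getNumberConfiguredTokens());
    }
}
```

Two points worth checking in your own deployment. First, the two overloads fail differently: the servlet variant returns false after writing the error response itself (which is why it declares IOException), so the filter must stop the chain on false rather than treat it as a soft warning; the String variant throws jakarta.ws.rs.WebApplicationException and is meant for JAX-RS filters. Second, configuring more than one hash (the String... or the List<String> constructor, or the additionalPropertyNamePrefix argument of from(...)) is what makes token rotation possible without an outage: add the new hash, hand out the new token, then drop the old hash.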
Nested Class Summary

  Nested classes/interfaces inherited from interface com.nimbusds.common.oauth2.MasterAccessTokenValidator:
    MasterAccessTokenValidator.ErrorResponse

Field Summary

  protected final List<byte[]>  expectedTokenHashes
      The expected access token hashes, empty list if access to the web API is disabled.
  protected byte[]  hashSalt
      Optional salt for computing the SHA-256 hashes.
  protected org.apache.logging.log4j.Logger  log
      Optional logger.
  static final int  MIN_TOKEN_LENGTH
      The minimum acceptable access token length.

  Fields inherited from interface com.nimbusds.common.oauth2.MasterAccessTokenValidator:
    INVALID_BEARER_TOKEN, MISSING_BEARER_TOKEN, WEB_API_DISABLED

Constructor Summary

  SHA256BasedAccessTokenValidator(String tokenHash)
      Creates a new access token validator.
  SHA256BasedAccessTokenValidator(String... tokenHashes)
      Creates a new access token validator.
  SHA256BasedAccessTokenValidator(String tokenHash, List<String> additionalTokenHashes)
      Creates a new access token validator.

Method Summary

  boolean  accessIsDisabled()
      Returns true if access is disabled (no access token configured).
  static SHA256BasedAccessTokenValidator  from(com.thetransactioncompany.util.PropertyRetriever pr, String propertyName, boolean propertyRequired, String additionalPropertyNamePrefix)
      Creates a new access token validator from the specified properties retriever.
  org.apache.logging.log4j.Logger  getLogger()
      Gets the optional logger.
  int  getNumberConfiguredTokens()
      Returns the number of configured tokens.
  boolean  isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)
      Returns true if the specified bearer access token is valid.
  void  setLogger(org.apache.logging.log4j.Logger log)
      Sets the optional logger.
  boolean  validateBearerAccessToken(jakarta.servlet.http.HttpServletRequest servletRequest, jakarta.servlet.http.HttpServletResponse servletResponse)
      Validates a bearer access token passed in the specified HTTP servlet request.
  void  validateBearerAccessToken(String authzHeader)
      Validates a bearer access token passed in the specified HTTP Authorization header value.
Field Details

  MIN_TOKEN_LENGTH
    static final int MIN_TOKEN_LENGTH
    The minimum acceptable access token length.

  expectedTokenHashes
    protected final List<byte[]> expectedTokenHashes
    The expected access token hashes, empty list if access to the web API is disabled.

  hashSalt
    protected byte[] hashSalt
    Optional salt for computing the SHA-256 hashes.

  log
    protected org.apache.logging.log4j.Logger log
    Optional logger.
Constructor Details

  SHA256BasedAccessTokenValidator
    SHA256BasedAccessTokenValidator(String tokenHash)
    Creates a new access token validator.
    Parameters:
      tokenHash - The Bearer access token SHA-256 hash (in hex). If null, access to the web API will be disabled.

  SHA256BasedAccessTokenValidator
    SHA256BasedAccessTokenValidator(String... tokenHashes)
    Creates a new access token validator.
    Parameters:
      tokenHashes - The Bearer access token SHA-256 hashes (in hex). If null, access to the web API will be disabled.

  SHA256BasedAccessTokenValidator
    SHA256BasedAccessTokenValidator(String tokenHash, List<String> additionalTokenHashes)
    Creates a new access token validator.
    Parameters:
      tokenHash - The main Bearer access token SHA-256 hash (in hex). If null, access to the web API will be disabled.
      additionalTokenHashes - Additional Bearer access token SHA-256 hashes (in hex), empty or null if none.
Method Details

  from
    public static SHA256BasedAccessTokenValidator from(com.thetransactioncompany.util.PropertyRetriever pr,
                                                       String propertyName,
                                                       boolean propertyRequired,
                                                       String additionalPropertyNamePrefix)
                                                throws com.thetransactioncompany.util.PropertyParseException
    Creates a new access token validator from the specified properties retriever.
    Parameters:
      pr - The properties retriever. Must not be null.
      propertyName - The property name for the main Bearer access token SHA-256 hash (in hex). Must not be null. If the property is not set (its value is null), access to the web API will be disabled.
      propertyRequired - true if the property is required, false if optional.
      additionalPropertyNamePrefix - The property name prefix for the additional Bearer access token SHA-256 hashes (in hex), null if not used.
    Returns:
      The access token validator.
    Throws:
      com.thetransactioncompany.util.PropertyParseException - If parsing failed.

  validateBearerAccessToken
    public void validateBearerAccessToken(String authzHeader) throws jakarta.ws.rs.WebApplicationException
    Description copied from interface: MasterAccessTokenValidator
    Validates a bearer access token passed in the specified HTTP Authorization header value.
    Parameters:
      authzHeader - The HTTP Authorization header value, null if not specified.
    Throws:
      jakarta.ws.rs.WebApplicationException - If the header value is null, the web API is disabled, or the Bearer access token is missing or invalid.

  validateBearerAccessToken
    public boolean validateBearerAccessToken(jakarta.servlet.http.HttpServletRequest servletRequest,
                                             jakarta.servlet.http.HttpServletResponse servletResponse)
                                      throws IOException
    Description copied from interface: MasterAccessTokenValidator
    Validates a bearer access token passed in the specified HTTP servlet request.
    Parameters:
      servletRequest - The HTTP servlet request. Must not be null.
      servletResponse - The HTTP servlet response. Must not be null.
    Returns:
      true if the bearer access token was successfully validated, else false.
    Throws:
      IOException - If the response couldn't be written.

  accessIsDisabled
    public boolean accessIsDisabled()
    Description copied from interface: MasterAccessTokenValidator
    Returns true if access is disabled (no access token configured).
    Specified by:
      accessIsDisabled in interface MasterAccessTokenValidator
    Returns:
      true if access is disabled, else false.

  isValid
    public boolean isValid(com.nimbusds.oauth2.sdk.token.BearerAccessToken accessToken)
    Description copied from interface: MasterAccessTokenValidator
    Returns true if the specified bearer access token is valid.
    Specified by:
      isValid in interface MasterAccessTokenValidator
    Parameters:
      accessToken - The bearer access token to check, null if not specified.
    Returns:
      true if the specified bearer access token is valid, else false.

  getLogger
    public org.apache.logging.log4j.Logger getLogger()
    Description copied from interface: MasterAccessTokenValidator
    Gets the optional logger.
    Specified by:
      getLogger in interface MasterAccessTokenValidator
    Returns:
      The logger, null if not specified.

  setLogger
    public void setLogger(org.apache.logging.log4j.Logger log)
    Description copied from interface: MasterAccessTokenValidator
    Sets the optional logger.
    Specified by:
      setLogger in interface MasterAccessTokenValidator
    Parameters:
      log - The logger, null if not specified.

  getNumberConfiguredTokens
    public int getNumberConfiguredTokens()
    Returns the number of configured tokens.
    Returns:
      The number of configured tokens, zero if none.