Package com.nimbusds.jwt.proc
Class DefaultJWTProcessor<C extends SecurityContext>
java.lang.Object
com.nimbusds.jwt.proc.DefaultJWTProcessor<C>
- All Implemented Interfaces:
JOSEProcessorConfiguration<C>,ConfigurableJWTProcessor<C>,JWTProcessor<C>,JWTProcessorConfiguration<C>
public class DefaultJWTProcessor<C extends SecurityContext>
extends Object
implements ConfigurableJWTProcessor<C>
Default processor of
unsecured (plain),
signed and
encrypted JSON Web Tokens (JWTs).
Must be configured with the following:
- To process signed JWTs: A
JWS key selectorusing the header or theheader and claims setto suggest key candidate(s) for the signature verification. The key selection procedure is application-specific and may involve key ID lookup, a certificate check and / or somecontext. - To process encrypted JWTs: A
JWE key selectorusing the header to suggest key candidate(s) for decryption. The key selection procedure is application-specific and may involve key ID lookup, a certificate check and / or somecontext.
An optional context parameter is available to
facilitate passing of additional data between the caller and the underlying
selector of key candidates (in both directions).
See sections 6 of RFC 7515 (JWS) and RFC 7516 (JWE) for guidelines on key selection.
This processor is configured with a standard header "typ" (type)
parameter verifier which expects
the signed, encrypted and plain (unsecured) JWTs to have the type header
omitted or set to JWT. To accept other "typ"
values pass an appropriately configured JWS and / or JWE
type verifier.
This processor comes with the default JWS verifier factory and the default JWE decrypter factory; they can construct verifiers / decrypters for all
standard JOSE algorithms implemented by the library.
Note that for security reasons this processor is hardwired to reject
unsecured (plain) JWTs. Override the process(PlainJWT, SecurityContext)
if you need to handle plain JWTs.
A default JWT claims verifier is
provided, to perform a minimal check of the claims after a successful JWS
verification / JWE decryption. It checks the token expiration (exp) and
not-before (nbf) timestamps if these are present. The default JWT claims
verifier may be extended to perform additional checks, such as issuer and
subject acceptance.
To process generic JOSE objects (with arbitrary payloads) use the
DefaultJOSEProcessor class.
- Version:
- 2024-01-15
- Author:
- Vladimir Dzhuvinov, Misagh Moayyed
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected JWTClaimsSetextractJWTClaimsSet(JWT jwt) Extracts the claims set from the specified JWT.Gets the factory for creating JWE decrypter instances.Gets the JWE key selector.Gets the JWE header "typ" (type) parameter verifier.Gets the JWS key selector.Gets the JWS header "typ" (type) parameter verifier.Gets the factory for creating JWS verifier instances.Gets the JWT claims set aware JWS key selector.Gets the optional JWT claims set verifier.process(EncryptedJWT encryptedJWT, C context) Processes the specified encrypted JWT by decrypting it.Processes the specified JWT (unsecured, signed or encrypted).Processes the specified unsecured (plain) JWT, typically by checking its context.Processes the specified signed JWT by verifying its signature.Parses and processes the specified JWT (unsecured, signed or encrypted).selectKeys(JWSHeader header, JWTClaimsSet claimsSet, C context) Selects key candidates for verifying a signed JWT.voidSets the factory for creating JWE decrypter instances.voidsetJWEKeySelector(JWEKeySelector<C> jweKeySelector) Sets the JWE key selector.voidsetJWETypeVerifier(JOSEObjectTypeVerifier<C> jweTypeVerifier) Sets the JWE header "typ" (type) parameter verifier.voidsetJWSKeySelector(JWSKeySelector<C> jwsKeySelector) Sets the JWS key selector.voidsetJWSTypeVerifier(JOSEObjectTypeVerifier<C> jwsTypeVerifier) Sets the JWS header "typ" (type) parameter verifier.voidsetJWSVerifierFactory(JWSVerifierFactory factory) Sets the factory for creating JWS verifier instances.voidsetJWTClaimsSetAwareJWSKeySelector(JWTClaimsSetAwareJWSKeySelector<C> jwsKeySelector) Sets the JWT claims set aware JWS key selector.voidsetJWTClaimsSetVerifier(JWTClaimsSetVerifier<C> claimsVerifier) Sets the optional JWT claims set verifier.protected JWTClaimsSetverifyJWTClaimsSet(JWTClaimsSet claimsSet, C context) Verifies the specified JWT claims set.
-
Constructor Details
-
DefaultJWTProcessor
public DefaultJWTProcessor()
-
-
Method Details
-
getJWSTypeVerifier
Description copied from interface:JOSEProcessorConfigurationGets the JWS header "typ" (type) parameter verifier. This verifier is also applied to plain (unsecured) JOSE objects. If none JWS and plain objects will be rejected.- Specified by:
getJWSTypeVerifierin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWS type verifier,
nullif not specified.
-
setJWSTypeVerifier
Description copied from interface:JOSEProcessorConfigurationSets the JWS header "typ" (type) parameter verifier. This verifier is also applied to plain (unsecured) JOSE objects. If none JWS and plain objects will be rejected.- Specified by:
setJWSTypeVerifierin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Parameters:
jwsTypeVerifier- The JWS type verifier,nullif not specified.
-
getJWSKeySelector
Description copied from interface:JOSEProcessorConfigurationGets the JWS key selector. If none JWS objects will be rejected.- Specified by:
getJWSKeySelectorin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWS key selector,
nullif not specified.
-
setJWSKeySelector
Description copied from interface:JOSEProcessorConfigurationSets the JWS key selector. If none JWS objects will be rejected.- Specified by:
setJWSKeySelectorin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Parameters:
jwsKeySelector- The JWS key selector,nullif not specified.
-
getJWTClaimsSetAwareJWSKeySelector
Description copied from interface:JWTProcessorConfigurationGets the JWT claims set aware JWS key selector.- Specified by:
getJWTClaimsSetAwareJWSKeySelectorin interfaceJWTProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWT claims set aware JWS key selector,
nullif not specified.
-
setJWTClaimsSetAwareJWSKeySelector
Description copied from interface:JWTProcessorConfigurationSets the JWT claims set aware JWS key selector.- Specified by:
setJWTClaimsSetAwareJWSKeySelectorin interfaceJWTProcessorConfiguration<C extends SecurityContext>- Parameters:
jwsKeySelector- The JWT claims set aware JWS key selector,nullif not specified.
-
getJWETypeVerifier
Description copied from interface:JOSEProcessorConfigurationGets the JWE header "typ" (type) parameter verifier. If none JWE objects will be rejected.- Specified by:
getJWETypeVerifierin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWE verifier,
nullif not specified.
-
setJWETypeVerifier
Description copied from interface:JOSEProcessorConfigurationSets the JWE header "typ" (type) parameter verifier. If none JWE objects will be rejected.- Specified by:
setJWETypeVerifierin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Parameters:
jweTypeVerifier- The JWE type verifier,nullif not specified.
-
getJWEKeySelector
Description copied from interface:JOSEProcessorConfigurationGets the JWE key selector. If none JWE objects will be rejected.- Specified by:
getJWEKeySelectorin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWE key selector,
nullif not specified.
-
setJWEKeySelector
Description copied from interface:JOSEProcessorConfigurationSets the JWE key selector. If none JWE objects will be rejected.- Specified by:
setJWEKeySelectorin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Parameters:
jweKeySelector- The JWE key selector,nullif not specified.
-
getJWSVerifierFactory
Description copied from interface:JOSEProcessorConfigurationGets the factory for creating JWS verifier instances. If none JWS objects will be rejected.- Specified by:
getJWSVerifierFactoryin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWS verifier factory,
nullif not specified.
-
setJWSVerifierFactory
Description copied from interface:JOSEProcessorConfigurationSets the factory for creating JWS verifier instances. If none JWS objects will be rejected.- Specified by:
setJWSVerifierFactoryin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Parameters:
factory- The JWS verifier factory,nullif not specified.
-
getJWEDecrypterFactory
Description copied from interface:JOSEProcessorConfigurationGets the factory for creating JWE decrypter instances. If none JWE objects will be rejected.- Specified by:
getJWEDecrypterFactoryin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWE decrypter factory,
nullif not specified.
-
setJWEDecrypterFactory
Description copied from interface:JOSEProcessorConfigurationSets the factory for creating JWE decrypter instances. If none JWE objects will be rejected.- Specified by:
setJWEDecrypterFactoryin interfaceJOSEProcessorConfiguration<C extends SecurityContext>- Parameters:
factory- The JWE decrypter factory,nullif not specified.
-
getJWTClaimsSetVerifier
Description copied from interface:JWTProcessorConfigurationGets the optional JWT claims set verifier. Ensures that the claims set of a JWT complies with an application's requirements.- Specified by:
getJWTClaimsSetVerifierin interfaceJWTProcessorConfiguration<C extends SecurityContext>- Returns:
- The JWT claims set verifier,
nullif not specified.
-
setJWTClaimsSetVerifier
Description copied from interface:JWTProcessorConfigurationSets the optional JWT claims set verifier. Ensures that the claims set of a JWT complies with an application's requirements.- Specified by:
setJWTClaimsSetVerifierin interfaceJWTProcessorConfiguration<C extends SecurityContext>- Parameters:
claimsVerifier- The JWT claims set verifier,nullif not specified.
-
extractJWTClaimsSet
Extracts the claims set from the specified JWT.- Parameters:
jwt- The JWT. Must not benull.- Returns:
- The JWT claims set.
- Throws:
BadJWTException- If the payload of the JWT doesn't represent a valid JSON object and a JWT claims set.
-
verifyJWTClaimsSet
Verifies the specified JWT claims set.- Parameters:
claimsSet- The JWT claims set. Must not benull.context- Optional context,nullif not required.- Returns:
- The verified JWT claims set.
- Throws:
BadJWTException- If the JWT claims set is rejected.
-
selectKeys
protected List<? extends Key> selectKeys(JWSHeader header, JWTClaimsSet claimsSet, C context) throws KeySourceException, BadJOSEException Selects key candidates for verifying a signed JWT.- Parameters:
header- The JWS header. Must not benull.claimsSet- The JWT claims set (not verified). Must not benull.context- Optional context,nullif not required.- Returns:
- The key candidates in trial order, empty list if none.
- Throws:
KeySourceException- If a key sourcing exception is encountered, e.g. on remote JWK retrieval.BadJOSEException- If an internal processing exception is encountered.
-
process
public JWTClaimsSet process(String jwtString, C context) throws ParseException, BadJOSEException, JOSEException Description copied from interface:JWTProcessorParses and processes the specified JWT (unsecured, signed or encrypted).- Specified by:
processin interfaceJWTProcessor<C extends SecurityContext>- Parameters:
jwtString- The JWT, compact-encoded to a URL-safe string. Must not benull.context- Optional context,nullif not required.- Returns:
- The JWT claims set on success.
- Throws:
ParseException- If the string couldn't be parsed to a valid JWT.BadJOSEException- If the JWT is rejected.JOSEException- If an internal processing exception is encountered.
-
process
Description copied from interface:JWTProcessorProcesses the specified JWT (unsecured, signed or encrypted).- Specified by:
processin interfaceJWTProcessor<C extends SecurityContext>- Parameters:
jwt- The JWT. Must not benull.context- Optional context,nullif not required.- Returns:
- The JWT claims set on success.
- Throws:
BadJOSEException- If the JWT is rejected.JOSEException- If an internal processing exception is encountered.
-
process
Description copied from interface:JWTProcessorProcesses the specified unsecured (plain) JWT, typically by checking its context.- Specified by:
processin interfaceJWTProcessor<C extends SecurityContext>- Parameters:
plainJWT- The unsecured (plain) JWT. Notnull.context- Optional context,nullif not required.- Returns:
- The JWT claims set on success.
- Throws:
BadJOSEException- If the unsecured (plain) JWT is rejected, after examining the context or due to the payload not being a JSON object.JOSEException- If an internal processing exception is encountered.
-
process
Description copied from interface:JWTProcessorProcesses the specified signed JWT by verifying its signature. The key candidate(s) are selected by examining the JWS header and / or the message context.- Specified by:
processin interfaceJWTProcessor<C extends SecurityContext>- Parameters:
signedJWT- The signed JWT. Notnull.context- Optional context,nullif not required.- Returns:
- The JWT claims set on success.
- Throws:
BadJOSEException- If the signed JWT is rejected, typically due to a bad signature or the payload not being a JSON object.JOSEException- If an internal processing exception is encountered.
-
process
public JWTClaimsSet process(EncryptedJWT encryptedJWT, C context) throws BadJOSEException, JOSEException Description copied from interface:JWTProcessorProcesses the specified encrypted JWT by decrypting it. The key candidate(s) are selected by examining the JWS header and / or the message context.- Specified by:
processin interfaceJWTProcessor<C extends SecurityContext>- Parameters:
encryptedJWT- The encrypted JWT. Notnull.context- Optional context,nullif not required.- Returns:
- The JWT claims set on success.
- Throws:
BadJOSEException- If the encrypted JWT is rejected, typically due to failed decryption or the payload not being a JSON object.JOSEException- If an internal processing exception is encountered.
-