@ThreadSafe public class DefaultJWTClaimsVerifier<C extends SecurityContext> extends Object implements JWTClaimsSetVerifier<C>, ClockSkewAware
JWT claims verifier implementation.
Configurable checks:
- JWT claims that must have a specific value (exact match), for example "iss" or "aud".
- JWT claims that must be present, for example "exp", "nbf" and "jti".
- Accepted values for the "aud" (audience) claim, optionally admitting JWTs with no audience.
- JWT claims that must not be present (prohibited claims).
Performs the following time validity checks:
- "exp" (expiration time), allowing for a configurable maximum clock skew (60 seconds by default).
- "nbf" (not-before time), with the same clock skew allowance.
Note, to enforce a time validity check the claim ("exp" and / or "nbf") must be set as required; a claim that is absent is not checked, so a JWT that simply omits "exp" would otherwise pass.
Example verifier with exact matches for "iss" and "aud", and setting the "exp", "nbf" and "jti" claims as required to be present:
    import java.util.Arrays;
    import java.util.HashSet;

    import com.nimbusds.jwt.JWTClaimsSet;
    import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;

    // "iss" and "aud" must match exactly; "exp", "nbf" and "jti" must be present
    DefaultJWTClaimsVerifier<?> verifier = new DefaultJWTClaimsVerifier<>(
        new JWTClaimsSet.Builder()
            .issuer("https://issuer.example.com")
            .audience("https://client.example.com")
            .build(),
        new HashSet<>(Arrays.asList("exp", "nbf", "jti")));

    // jwtClaimsSet is the claims set of the JWT being processed;
    // verify throws BadJWTException if any check fails
    verifier.verify(jwtClaimsSet, null);
The currentTime() method can be overridden to use an alternative time provider for the "exp" (expiration time) and "nbf" (not-before time) verification, or to disable "exp" and "nbf" verification entirely.
This class may be extended to perform additional checks.
This class is thread-safe.
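As an added example (not code from the project page above), the following hypothetical subclass combines the two extension points just described: it overrides currentTime() to use an injected clock, so the "exp" / "nbf" checks are deterministic, and it layers an application-specific check on an assumed "scope" claim on top of the default checks by calling super.verify() first. The class name ScopedClaimsVerifier, the fixed timestamp, the issuer URL and the sample claims are all assumptions; the constructed claims set expires 30 seconds before the injected clock, so it is accepted under the 60 second default clock skew and rejected once setMaxClockSkew(0) is applied.

```java
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;

/**
 * Hypothetical subclass: the clock is injected so that the "exp" / "nbf"
 * checks are deterministic, and a check on an assumed "scope" claim is
 * layered on top of the default checks.
 */
public class ScopedClaimsVerifier<C extends SecurityContext> extends DefaultJWTClaimsVerifier<C> {

    private final Date clock;           // null would disable "exp" / "nbf" verification entirely
    private final String requiredScope; // assumption: application-specific claim value

    public ScopedClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims,
                                Date clock, String requiredScope) {
        super(exactMatchClaims, requiredClaims);
        this.clock = clock;
        this.requiredScope = requiredScope;
    }

    @Override
    protected Date currentTime() {
        return clock; // replaces the wall clock used by the default implementation
    }

    @Override
    public void verify(JWTClaimsSet claimsSet, C context) throws BadJWTException {
        super.verify(claimsSet, context); // exact-match, required-claim and time checks first
        List<String> scopes;
        try {
            scopes = claimsSet.getStringListClaim("scope");
        } catch (ParseException e) {
            throw new BadJWTException("Malformed \"scope\" claim", e);
        }
        if (scopes == null || !scopes.contains(requiredScope)) {
            throw new BadJWTException("JWT lacks required scope: " + requiredScope);
        }
    }

    public static void main(String[] args) {
        Date fixedNow = new Date(1_700_000_000_000L); // constructed test clock

        ScopedClaimsVerifier<SecurityContext> verifier = new ScopedClaimsVerifier<>(
            new JWTClaimsSet.Builder().issuer("https://issuer.example.com").build(),
            new HashSet<>(Arrays.asList("exp", "sub")),
            fixedNow, "read");

        // Constructed claims set: expired 30 seconds before the injected clock
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer("https://issuer.example.com")
            .subject("alice")
            .expirationTime(new Date(fixedNow.getTime() - 30_000L))
            .claim("scope", Arrays.asList("read", "write"))
            .build();

        report("default 60 s skew", verifier, claims); // accepted: 30 s is within the skew
        verifier.setMaxClockSkew(0);
        report("zero skew", verifier, claims);         // rejected: expired

        // The scope check only runs once the default checks have passed
        verifier.setMaxClockSkew(DefaultJWTClaimsVerifier.DEFAULT_MAX_CLOCK_SKEW_SECONDS);
        JWTClaimsSet noScope = new JWTClaimsSet.Builder(claims).claim("scope", null).build();
        report("scope missing", verifier, noScope);    // rejected by the subclass check
    }

    private static void report(String label, ScopedClaimsVerifier<SecurityContext> v, JWTClaimsSet c) {
        try {
            v.verify(c, null);
            System.out.println(label + ": accepted");
        } catch (BadJWTException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }
}
```

Calling super.verify() before the custom check keeps the ordering safe: a token that is expired or lacks a required claim is rejected by the inherited logic, and the subclass only has to reason about its own claim.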
Modifier and Type | Field and Description |
---|---|
static int | DEFAULT_MAX_CLOCK_SKEW_SECONDS: The default maximum acceptable clock skew, in seconds (60). |
Constructor and Description |
---|
DefaultJWTClaimsVerifier(): Deprecated. Use a more specific constructor that at least specifies a list of required JWT claims. |
DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims): Creates a new JWT claims verifier. |
DefaultJWTClaimsVerifier(Set<String> acceptedAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims, Set<String> prohibitedClaims): Creates a new default JWT claims verifier. |
DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims): Creates a new default JWT claims verifier. |
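The four-argument constructor is easiest to understand from what it rejects. The following is an added example, not code from the project page: a hypothetical resource server that is known under two audience values, requires "exp", "sub" and "jti", and, purely as an illustration of prohibited claims, refuses any token that carries a "nonce" claim. The class and helper names, the URLs and the sample claims are constructed; the strict variant rejects tokens with no "aud" at all, while the variant whose accepted set contains a null element admits them, as the constructor documentation states.

```java
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;

public class AudienceVerifierDemo {

    // Assumption: this resource server is addressed under two audience values
    static final String AUD_CURRENT = "https://api.example.com";
    static final String AUD_LEGACY = "https://api-legacy.example.com";

    /** Builds a verifier; allowMissingAudience adds the null element that admits JWTs with no "aud". */
    static DefaultJWTClaimsVerifier<SecurityContext> newVerifier(boolean allowMissingAudience) {
        Set<String> acceptedAudience = new HashSet<>(Arrays.asList(AUD_CURRENT, AUD_LEGACY));
        if (allowMissingAudience) {
            acceptedAudience.add(null);
        }
        return new DefaultJWTClaimsVerifier<>(
            acceptedAudience,
            new JWTClaimsSet.Builder().issuer("https://issuer.example.com").build(), // exact match
            new HashSet<>(Arrays.asList("exp", "sub", "jti")),                        // required
            new HashSet<>(Arrays.asList("nonce")));                                   // prohibited (assumption)
    }

    /** Constructed sample claims; aud == null omits the claim, withNonce adds the prohibited claim. */
    static JWTClaimsSet sample(String aud, boolean withNonce) {
        JWTClaimsSet.Builder b = new JWTClaimsSet.Builder()
            .issuer("https://issuer.example.com")
            .subject("alice")
            .jwtID("constructed-jti-1")
            .expirationTime(new Date(System.currentTimeMillis() + 3_600_000L));
        if (aud != null) {
            b.audience(aud);
        }
        if (withNonce) {
            b.claim("nonce", "n-0123");
        }
        return b.build();
    }

    /** Runs verify() and turns the outcome into a printable string. */
    static String outcome(DefaultJWTClaimsVerifier<SecurityContext> verifier, JWTClaimsSet claims) {
        try {
            verifier.verify(claims, null);
            return "accepted";
        } catch (BadJWTException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        DefaultJWTClaimsVerifier<SecurityContext> strict = newVerifier(false);
        DefaultJWTClaimsVerifier<SecurityContext> lenient = newVerifier(true);

        System.out.println("current aud, strict:   " + outcome(strict, sample(AUD_CURRENT, false)));
        System.out.println("legacy aud, strict:    " + outcome(strict, sample(AUD_LEGACY, false)));
        System.out.println("foreign aud, strict:   " + outcome(strict, sample("https://other.example.com", false)));
        System.out.println("no aud, strict:        " + outcome(strict, sample(null, false)));
        System.out.println("no aud, lenient:       " + outcome(lenient, sample(null, false)));
        System.out.println("nonce present, strict: " + outcome(strict, sample(AUD_CURRENT, true)));
    }
}
```

Only the first two cases and the lenient no-audience case are accepted. Adding null to the accepted audience set is a deliberate relaxation; a verifier for a resource server should normally leave it out so that a token minted for another service, or for no service in particular, cannot be replayed against this one.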
Modifier and Type | Method and Description |
---|---|
protected Date | currentTime(): Returns the current time for the purpose of "exp" (expiration time) and "nbf" (not-before time) claim verification. |
Set<String> | getAcceptedAudienceValues(): Returns the accepted audience values. |
JWTClaimsSet | getExactMatchClaims(): Returns the JWT claims that must match exactly. |
int | getMaxClockSkew(): Gets the maximum acceptable clock skew. |
Set<String> | getProhibitedClaims(): Returns the names of the JWT claims that must not be present. |
Set<String> | getRequiredClaims(): Returns the names of the JWT claims that must be present, including the names of those that must match exactly. |
void | setMaxClockSkew(int maxClockSkewSeconds): Sets the maximum acceptable clock skew. |
void | verify(JWTClaimsSet claimsSet, C context): Verifies selected or all claims from the specified JWT claims set. |
public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS
The default maximum acceptable clock skew, in seconds (60).

@Deprecated public DefaultJWTClaimsVerifier()
Deprecated. Use a more specific constructor that at least specifies a list of required JWT claims.

public DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
Creates a new JWT claims verifier.
Parameters:
exactMatchClaims - The JWT claims that must match exactly, null if none.
requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

public DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
Creates a new default JWT claims verifier.
Parameters:
requiredAudience - The required JWT audience, null if not specified.
exactMatchClaims - The JWT claims that must match exactly, null if none.
requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

public DefaultJWTClaimsVerifier(Set<String> acceptedAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims, Set<String> prohibitedClaims)
Creates a new default JWT claims verifier.
Parameters:
acceptedAudience - The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.
exactMatchClaims - The JWT claims that must match exactly, null if none.
requiredClaims - The names of the JWT claims that must be present, empty set or null if none.
prohibitedClaims - The names of the JWT claims that must not be present, empty set or null if none.

public Set<String> getAcceptedAudienceValues()
Returns the accepted audience values.
Returns:
The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.

public JWTClaimsSet getExactMatchClaims()
Returns the JWT claims that must match exactly.

public Set<String> getRequiredClaims()
Returns the names of the JWT claims that must be present, including the names of those that must match exactly.

public Set<String> getProhibitedClaims()
Returns the names of the JWT claims that must not be present.

public int getMaxClockSkew()
Gets the maximum acceptable clock skew.
Specified by:
getMaxClockSkew in interface ClockSkewAware

public void setMaxClockSkew(int maxClockSkewSeconds)
Sets the maximum acceptable clock skew.
Specified by:
setMaxClockSkew in interface ClockSkewAware
Parameters:
maxClockSkewSeconds - The maximum acceptable clock skew, in seconds. Zero if none.

public void verify(JWTClaimsSet claimsSet, C context) throws BadJWTException
Verifies selected or all claims from the specified JWT claims set.
Specified by:
verify in interface JWTClaimsSetVerifier<C extends SecurityContext>
Parameters:
claimsSet - The JWT claims set. Not null.
context - Optional context, null if not required.
Throws:
BadJWTException - If the JWT claims set is rejected.

protected Date currentTime()
Returns the current time for the purpose of "exp" (expiration time) and "nbf" (not-before time) claim verification.
Returns:
The current time, or null to disable "exp" and "nbf" claim verification entirely.

Copyright © 2021 Connect2id Ltd. All rights reserved.