public final class JwtIssuerAuthenticationManagerResolver extends java.lang.Object implements AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

An AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS).

To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to establish that trust is to supply a list of trusted issuers in the constructor.

This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.

Constructor and Description |
---|
JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver) Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters. Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. |
JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers) Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |
JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers) Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |

Modifier and Type | Method and Description |
---|---|
AuthenticationManager | resolve(javax.servlet.http.HttpServletRequest request) Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token |

public JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters: trustedIssuers - a list of trusted issuers

public JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters: trustedIssuers - a list of trusted issuers

public JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowlist.

One way to achieve this is with a Map where the keys are the known issuers:

```java
// managerOne and managerTwo are AuthenticationManager instances built elsewhere, one per issuer
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("https://issuerOne.example.org", managerOne);
authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
// Map::get returns null for any issuer that is not a key, so unknown issuers resolve to no manager
JwtIssuerAuthenticationManagerResolver resolver = new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);
```

The keys in the Map are the allowed issuers.

Parameters: issuerAuthenticationManagerResolver - a strategy for resolving the AuthenticationManager by the issuer

public AuthenticationManager resolve(javax.servlet.http.HttpServletRequest request)

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Specified by: resolve in interface AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

Returns: the AuthenticationManager to use

Throws: OAuth2AuthenticationException - if the bearer token is malformed or an AuthenticationManager can't be derived from the issuer
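
The allowlist check that the AuthenticationManagerResolver<java.lang.String> constructor expects, written as an added example (not code from Spring Security or its documentation); it goes slightly beyond the Map approach by building each trusted issuer's manager on first use. The class name AllowlistedIssuerResolver, the method names buildManager and example, and the issuer URLs are assumptions, and each trusted issuer is assumed to publish metadata that JwtDecoders.fromIssuerLocation can discover.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

// Hypothetical class name; added example, not part of Spring Security.
public final class AllowlistedIssuerResolver implements AuthenticationManagerResolver<String> {
    private final Set<String> trustedIssuers;
    private final Map<String, AuthenticationManager> managers = new ConcurrentHashMap<>();

    public AllowlistedIssuerResolver(Collection<String> trustedIssuers) {
        this.trustedIssuers = new HashSet<>(trustedIssuers); // private copy, never modified
    }

    @Override
    public AuthenticationManager resolve(String issuer) {
        // The issuer string comes from a token that is not yet verified, so it is
        // checked BEFORE any metadata or key lookup. Matching is exact: a trailing
        // slash or a different scheme is a different issuer.
        if (issuer == null || !trustedIssuers.contains(issuer)) {
            return null; // no manager: the calling resolver rejects the token
        }
        return managers.computeIfAbsent(issuer, AllowlistedIssuerResolver::buildManager);
    }

    private static AuthenticationManager buildManager(String issuer) {
        // Discovers the issuer's metadata and JWK set; the resulting decoder
        // verifies the signature and that `iss` matches this issuer.
        JwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
        return new JwtAuthenticationProvider(decoder)::authenticate;
    }

    // Wiring with constructed sample issuers.
    public static JwtIssuerAuthenticationManagerResolver example() {
        return new JwtIssuerAuthenticationManagerResolver(new AllowlistedIssuerResolver(
                Arrays.asList("https://issuerOne.example.org", "https://issuerTwo.example.org")));
    }
}
```

Returning null for an unlisted issuer is what the Map::get form does as well, and it leads to the OAuth2AuthenticationException described for resolve.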