public final class JwtIssuerAuthenticationManagerResolver extends java.lang.Object implements AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

An implementation of AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS).

To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to establish that trust is to supply a list of trusted issuers in the constructor.

This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.

Constructor and Description |
---|
JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver) Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters. Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. |
JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers) Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |
JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers) Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |

Modifier and Type | Method and Description |
---|---|
AuthenticationManager | resolve(javax.servlet.http.HttpServletRequest request) Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token |

public JwtIssuerAuthenticationManagerResolver(java.lang.String... trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:
trustedIssuers - a list of trusted issuers

public JwtIssuerAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:
trustedIssuers - a list of trusted issuers

public JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowlist.

One way to achieve this is with a Map where the keys are the known issuers:

```java
// managerOne and managerTwo are AuthenticationManager instances built elsewhere,
// one per issuer.
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("https://issuerOne.example.org", managerOne);
authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
// Map::get returns null for any issuer that is not a key in the Map.
JwtIssuerAuthenticationManagerResolver resolver = new JwtIssuerAuthenticationManagerResolver
        (authenticationManagers::get);
```

The keys in the Map are the allowed issuers.

Parameters:
issuerAuthenticationManagerResolver - a strategy for resolving the AuthenticationManager by the issuer

public AuthenticationManager resolve(javax.servlet.http.HttpServletRequest request)

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Specified by:
resolve in interface AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

Returns:
AuthenticationManager to use

Throws:
OAuth2AuthenticationException - if the bearer token is malformed or an AuthenticationManager can't be derived from the issuer