
tomcat-jwt-security's Issues

'nbf' not handled correctly

I think JwtTokenBuilder.java:145 should be computing the difference between the 'iat' (issuedAt) time and the 'nbf' (notBeforeTime), but it is computing the sum instead.

e.g. (using small values for the sake of clarity) if 'iat' is 1000 and 'nbf' is 900, the leeway should be 100 (issuedAt - notBefore), not 1900 (notBefore + issuedAt).

Question: API against OpenId / OAuth2

Hey Andrea,

Thanks for the valve. It's a very nice tool. I have a question.

I want to use your valve to authenticate a stateless API against an OAuth2 server.
In my case, the API is under my responsibility but the OAuth2 server is not, so I can't share the secret key.

I see in the README.md some OpenID functionalities.
So the question is: can I use the valve to authenticate my API against a public OAuth2 server (Google or GitHub, for example)? And what is the best approach to configure the valve?

Thanks.

RFC: Update java-jwt to latest version 3.8.1

Summary

Update java-jwt to 3.8.1

Motivation

  • We would like to use this library for JWT authentication on our Tomcat server and we would like to use java-jwt to read custom claims, but the latest version is incompatible with 2.3.0
  • 3.8.1 uses a cleaner API and could possibly eliminate the need for the JwtTokenBuilder and JwtTokenVerifier classes
  • 3.8.1 fixes security issues and has performance enhancements
  • java-jwt v2.x.x was last updated over two years ago

Detailed design

Break Backwards Compatibility

The latest version of java-jwt includes an easy to use builder to do token creation and verification. You can verify a token with:

JWTVerifier verifier = JWT.require(Algorithm.HMAC256(secret)).build();
verifier.verify(token);


And you can similarly create a token with JWT.create(). This means JWTTokenBuilder and JWTTokenVerifier could be removed.

Keeping Backwards Compatibility

If you wish to keep the latest version backwards compatible with the existing APIs, then a bit more work would need to be done.

JwtTokenVerifier
Internally it would still hold an instance of com.auth0.jwt.JWTVerifier, but the API has changed. It would be initialized with JWT.require(Algorithm.HMAC256(secret)).build();. The method JWTVerifier.verify(token) now returns a DecodedJWT object instead of Map<String, Object>. The DecodedJWT object gives access to claims.

JwtTokenBuilder
JWTSigner and Options classes no longer exist. This means JwtTokenBuilder would need to store the options itself, and then apply them when the build function is called. Using the new JWT.create() tool, it could look something like this:

import java.util.Calendar;
import java.util.Date;
import java.util.UUID;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;

// Assumes the builder keeps its options in fields: boolean issuedAt, boolean jwtId,
// Integer expirySeconds, Integer notValidBeforeLeeway and Algorithm algorithm.
public String build() {
    JWTCreator.Builder jwtBuilder = JWT.create();
    Calendar calendar = Calendar.getInstance();
    Date currentDate = new Date();
    if (issuedAt) {
        jwtBuilder.withIssuedAt(currentDate);
    }
    if (expirySeconds != null) {
        // 'exp' = now + expirySeconds
        calendar.setTime(currentDate);
        calendar.add(Calendar.SECOND, expirySeconds);
        jwtBuilder.withExpiresAt(calendar.getTime());
    }
    if (jwtId) {
        jwtBuilder.withJWTId(UUID.randomUUID().toString());
    }
    if (notValidBeforeLeeway != null) {
        // 'nbf' = now - leeway: the leeway is subtracted, so the token is usable slightly before 'iat'
        calendar.setTime(currentDate);
        calendar.add(Calendar.SECOND, -1 * notValidBeforeLeeway);
        jwtBuilder.withNotBefore(calendar.getTime());
    }
    return jwtBuilder.sign(algorithm);
}

Drawbacks

Break Backwards Compatibility

Self explanatory, current users of the library may need to update a significant portion of their code.

Keeping Backwards Compatibility

Could be a pain to make the current design of tomcat-jwt-security fit around 3.8.1.

Adoption strategy

If backwards compatibility is broken, create a new major version so people know.

Implementation

I would like to contribute to this project if an agreement can be made on updating to the latest version of java-jwt 😃
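An added example, not code from the issue or from the project, that ties the 'nbf' report above to the java-jwt 3.8.1 API described in this RFC: it derives 'nbf' as issuedAt minus the leeway, issues a token with JWT.create(), verifies it with JWT.require(...).build(), and shows that the summed (buggy) 'nbf' is rejected as not yet valid. The class name, the placeholder secret and the user name are assumptions, and java-jwt 3.8.1 is assumed to be on the classpath.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

public class NbfLeewayDemo {
    // Correct 'nbf': issuedAt minus the leeway, so the token is valid slightly before 'iat'.
    static Date notBeforeFromLeeway(Date issuedAt, long leewaySeconds) {
        return new Date(issuedAt.getTime() - TimeUnit.SECONDS.toMillis(leewaySeconds));
    }

    // The defect reported above, reproduced: adding instead of subtracting pushes 'nbf' into the future.
    static Date notBeforeFromLeewayBuggy(Date issuedAt, long leewaySeconds) {
        return new Date(issuedAt.getTime() + TimeUnit.SECONDS.toMillis(leewaySeconds));
    }

    // Token creation with the 3.8.1 builder; 'exp' is fixed at 30 minutes after 'iat'.
    static String issue(Algorithm alg, String user, Date issuedAt, Date notBefore) {
        return JWT.create()
                .withSubject(user)
                .withIssuedAt(issuedAt)
                .withNotBefore(notBefore)
                .withExpiresAt(new Date(issuedAt.getTime() + TimeUnit.MINUTES.toMillis(30)))
                .sign(alg);
    }

    public static void main(String[] args) {
        Algorithm alg = Algorithm.HMAC256("replace-with-a-real-secret"); // placeholder secret
        JWTVerifier verifier = JWT.require(alg).build();           // verifier leeway defaults to 0
        Date now = new Date();
        long leeway = 100;                                         // seconds, as in the report

        String good = issue(alg, "alice", now, notBeforeFromLeeway(now, leeway));
        DecodedJWT decoded = verifier.verify(good);                // accepted: nbf is in the past
        System.out.println("accepted: sub=" + decoded.getSubject() + " nbf=" + decoded.getNotBefore());

        String bad = issue(alg, "alice", now, notBeforeFromLeewayBuggy(now, leeway));
        try {
            verifier.verify(bad);                                  // nbf is 100 s in the future
            System.out.println("unexpectedly accepted");
        } catch (JWTVerificationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```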

Token Generation

First of all, thanks for creating this project. It really helped me to implement access tokens in Tomcat.

I have some areas of improvement for this. At present, to implement this feature in the project, I need to register the valve in Tomcat and then need to make an update on the web application to create the auth header post authentication. One problem I faced is when I used "UserDatabaseRealm" (using tomcat-users.xml) with BASIC authentication. Even though in web.xml I said basic authentication, it never showed the login popup. Instead it gave me an error saying please login first.

Ideally anything we do with security should be handled by the servlet container Realm. We should not be writing any code in the web application related to security. In our case, once the user authenticates with the Tomcat realm, JWTValue should generate the token if it does not exist.

I have extended the JwtTokenValve class and added the code below to auto-generate the token if it does not exist. Let me know if this enhancement is helpful. If you agree, we can update the core classes.

import java.io.IOException;
import java.util.Arrays;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;

@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
    if (getToken(request) == null) {
        // if user is not logged in, propagate the request and let the container authenticate
        if (request.getUserPrincipal() == null) {
            this.getNext().invoke(request, response);
        }
        // for basic authentication there will be some back and forth, hence check once more
        // whether the user has been validated by the container
        if (request.getUserPrincipal() != null) {
            JwtTokenBuilder tokenBuilder = JwtTokenBuilder.create(secret);
            String token = tokenBuilder.userId(request.getUserPrincipal().getName())
                    .roles(Arrays.asList("admin"))
                    .expirySecs(1800)
                    .build();
            // the header only reaches the client if the response was not already committed downstream
            response.addHeader(JwtConstants.AUTH_HEADER, token);
        }
    } else {
        // if a token is found, validate the token
        super.invoke(request, response);
    }
}

crash on tomcat 8

Hi. I've followed all the steps in readme.md, but am still unable to run my app. This is the stacktrace


custom login form

Hi.

First of all, this project looks great!

I am thinking of using it in my app, but I have a question. I understand that I can have my own custom login form that will not be protected and that must generate the x-auth header.

But if a user tries to access a protected resource without the header...
will my app show the awful basic login popup? Is it possible to redirect to my customized login dialog instead?
