andreacomo / tomcat-jwt-security
Implements a security valve based on JWT token: generic HMAC, RSA and OpenID Connect
License: MIT License
I think JwtTokenBuilder.java:145 should be computing the difference between the 'iat' (issuedAt) time and the 'nbf' (notBeforeTime), but it is computing the sum instead.
e.g. (using small values for the sake of clarity) if 'iat' is 1000 and 'nbf' is 900, the leeway should be 100 (issuedAt - notBefore), not 1900 (notBefore + issuedAt).
Hey Andrea,
Thanks for the valve. It's a very nice tool. I have a question.
I want to use your valve to authenticate a stateless API against an OAuth2 server.
In my case, the API is under my responsibility but the OAuth2 server is not under my responsibility, so I can't share the secret key.
I see in the README.md some openid functionalities.
So the question is: can I use the valve to authenticate my API against a public OAuth2 server (Google or GitHub, for example)? And what is the best approach to configure the valve?
Thanks.
JwtTokenBuilder and JwtTokenVerifier classes
The latest version of java-jwt includes an easy to use builder to do token creation and verification. You can verify a token with:
    JWTVerifier verifier = JWT.require(Algorithm.HMAC256(secret)).build();
    verifier.verify(token);
And you can similarly create a token with JWT.create(). This means JwtTokenBuilder and JwtTokenVerifier could be removed.
If you wish to keep the latest version backwards compatible with the existing APIs, then a bit more work would need to be done.
JwtTokenVerifier
Internally it would still hold an instance of com.auth0.jwt.JWTVerifier, but the API has changed. It would be initialized with JWT.require(Algorithm.HMAC256(secret)).build(). The method JWTVerifier.verify(token) now returns a DecodedJWT object instead of Map<String, Object>. The DecodedJWT object gives access to claims.
JwtTokenBuilder
JWTSigner and Options classes no longer exist. This means JwtTokenBuilder would need to store the options itself, and then apply them when the build function is called. Using the new JWT.create() tool, it could look something like this:
    public String build() {
        JWTCreator.Builder jwtBuilder = JWT.create();
        Calendar calendar = Calendar.getInstance();
        Date currentDate = new Date();
        if (issuedAt) {
            // iat: the moment the token is issued
            jwtBuilder.withIssuedAt(currentDate);
        }
        if (expirySeconds != null) {
            // exp: now plus the configured lifetime
            calendar.setTime(currentDate);
            calendar.add(Calendar.SECOND, expirySeconds);
            jwtBuilder.withExpiresAt(calendar.getTime());
        }
        if (jwtId) {
            // jti: a random unique id per token
            jwtBuilder.withJWTId(UUID.randomUUID().toString());
        }
        if (notValidBeforeLeeway != null) {
            // nbf: the leeway is subtracted from iat, so nbf = iat - leeway
            calendar.setTime(currentDate);
            calendar.add(Calendar.SECOND, -1 * notValidBeforeLeeway);
            jwtBuilder.withNotBefore(calendar.getTime());
        }
        return jwtBuilder.sign(algorithm);
    }
Self-explanatory: current users of the library may need to update a significant portion of their code.
It could be a pain to fit the current design of tomcat-jwt-security around 3.8.1.
If backwards compatibility is broken, create a new major version so people know.
I would like to contribute to this project if an agreement can be made on updating to the latest version of java-jwt
😃
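A worked version of the java-jwt 3.x migration described above (and of the iat/nbf leeway difference raised in the first issue on this page), as an added example that is not code from tomcat-jwt-security or from the issue author: it assumes java-jwt 3.x on the classpath and uses a constructed secret.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.UUID;

public class JavaJwt3Example {
    // Constructed secret for this example only; a deployment loads it from valve configuration.
    private static final String SECRET = "example-secret-do-not-use";

    // Issues a token the way the proposed JwtTokenBuilder.build() above would, with nbf placed
    // leewaySeconds before iat: the leeway is iat minus nbf, as the first issue on this page points out.
    static String issue(String userId, List<String> roles, int expirySeconds, int leewaySeconds) {
        Date issuedAt = new Date();
        Date notBefore = new Date(issuedAt.getTime() - leewaySeconds * 1000L);
        Date expiresAt = new Date(issuedAt.getTime() + expirySeconds * 1000L);
        return JWT.create()
                .withSubject(userId)
                .withArrayClaim("roles", roles.toArray(new String[0]))
                .withIssuedAt(issuedAt)
                .withNotBefore(notBefore)
                .withExpiresAt(expiresAt)
                .withJWTId(UUID.randomUUID().toString())
                .sign(Algorithm.HMAC256(SECRET));
    }

    // Verifies signature, algorithm and time claims with the 3.x JWTVerifier; null means rejected.
    static DecodedJWT verify(String token) {
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256(SECRET))
                .acceptLeeway(5)   // tolerate up to 5 s of clock skew on exp, nbf and iat
                .build();
        try {
            return verifier.verify(token);
        } catch (JWTVerificationException e) {
            return null;   // bad signature, wrong alg, expired, not yet valid, ...
        }
    }

    public static void main(String[] args) {
        DecodedJWT jwt = verify(issue("alice", Arrays.asList("admin", "user"), 1800, 60));
        // claims are read off the DecodedJWT instead of a Map<String, Object>
        System.out.println(jwt.getSubject() + " roles=" + jwt.getClaim("roles").asList(String.class)
                + " leewaySeconds=" + (jwt.getIssuedAt().getTime() - jwt.getNotBefore().getTime()) / 1000);
        // a token whose exp lies 60 s in the past is outside the 5 s leeway and must be rejected
        System.out.println("expired token accepted: " + (verify(issue("alice", Arrays.asList("user"), -60, 0)) != null));
    }
}
```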
First of all thanks for creating this project. It really helped me to implement Access token in tomcat.
I have some areas of improvement for this. At present, to implement this feature in the project, I need to register the valve in Tomcat and then update the web application to create the auth header after authentication. One problem I faced is when I used "UserDatabaseRealm" (using tomcat-users.xml) with BASIC authentication. Even though in web.xml I said basic authentication, it never showed the login popup. Instead it gave me an error saying please login first.
Ideally anything we do with security should be handled by the servlet container Realm. We should not be writing any code in the web application related to security. In our case, once the user authenticates with the Tomcat realm, JwtTokenValve should generate the token if it does not exist.
I have extended the JwtTokenValve class and added the code below to auto-generate the token if it does not exist. Let me know if this enhancement is helpful. If you agree, we can update the core classes.
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (getToken(request) == null) {
            boolean forwarded = false;
            // if the user is not logged in, propagate the request and let the container authenticate
            if (request.getUserPrincipal() == null) {
                this.getNext().invoke(request, response);
                forwarded = true;
            }
            // for basic authentication there will be some back and forth, hence check once more
            // whether the user has been validated by the container
            if (request.getUserPrincipal() != null) {
                JwtTokenBuilder tokenBuilder = JwtTokenBuilder.create(secret);
                String token = tokenBuilder.userId(request.getUserPrincipal().getName())
                        .roles(Arrays.asList("admin"))   // roles hardcoded for the sake of the example
                        .expirySecs(1800)
                        .build();
                response.addHeader(JwtConstants.AUTH_HEADER, token);
                if (!forwarded) {
                    // already authenticated by the container (e.g. an existing session) but without a
                    // token: issue it and still continue down the pipeline, otherwise the request is dropped
                    this.getNext().invoke(request, response);
                }
            }
        } else {
            // if a token is found, validate it
            super.invoke(request, response);
        }
    }
pom.xml says Apache 2.0, everything else says MIT.
I would love to use this for a project, but there is no licence, so nobody has any legal right to do so.
If it is intended that people other than the author be able to use and redistribute this project, it needs a licence.
Please see https://help.github.com/articles/licensing-a-repository/
Hi.
First of all, this project looks great!
I am thinking of using it in my app, but I have a question. I understand that I can have my custom login form, which will not be protected and must generate the x-auth header.
But if a user tries to access a protected resource without the header...
will my app show the awful basic login popup? Is it possible to redirect to my customized login dialog instead?