com.broadleafcommerce.auth.user.session

Interface StatelessUtil

All Known Implementing Classes:

StatelessUtilImpl

public interface StatelessUtil

Utility for JWT-based cookies - specifically those intended to drive stateless behavior, such as stateless sessions.

Author:

Jeff Fischer

Method Summary

Modifier and Type	Method and Description
org.springframework.http.ResponseCookie	createSavedRequestCookie(String requestUrl, String redirectUrl) Create a cookie containing a JWT token identifying an originating request url and a redirect url.
org.springframework.http.ResponseCookie	createSavedRequestRemovalCookie() Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.
javax.servlet.http.Cookie	createSessionCookie(OAuth2SessionToken sessionToken) Deprecated. in favor of getSessionCookie(OAuth2SessionToken)
com.nimbusds.jwt.SignedJWT	generateSignedJwt(String subject, Map<String,Object> claims, Long expiresInSeconds) Generate a signed JWT with issuer and audience values as well as optional additional claims.
String	getClientId(String savedRequestToken)
Map<String,Object>	getCookieClaims(String cookieValue) Get a Map of the claims from a SignedJWT cookie.
String	getIssuer()
String	getRedirectUrl(javax.servlet.http.Cookie savedRequestCookie) Verify the JWT token contained in the cookie and then return the redirect url contained therein.
org.springframework.http.ResponseCookie	getRemovalCookie(javax.servlet.http.Cookie cookieToRemove) Returns a removal cookie for any arbitrary cookie.
javax.servlet.http.Cookie	getRemoveSavedRequestCookie() Deprecated. since 1.6, replaced by createSavedRequestRemovalCookie()
javax.servlet.http.Cookie	getRemoveSessionCookie(String clientId) Deprecated. in favor of getSessionRemovalCookie(String)
String	getRequestUrl(javax.servlet.http.Cookie savedRequestCookie) Verify the JWT token contained in the cookie and then return the original request url contained therein.
javax.servlet.http.Cookie	getSavedRequestCookie(String requestUrl, String redirectUrl) Deprecated. since 1.6, replaced by createSavedRequestCookie(String, String)
String	getSavedRequestCookieName() Get the standard name for a saved request cookie
String	getSavedRequestJwt(String requestUrl, String redirectUrl)
org.springframework.http.ResponseCookie	getSessionCookie(OAuth2SessionToken sessionToken) Gets a ResponseCookie for the OAuth2SessionToken.
String	getSessionCookieName(AuthorizedClient client, AuthorizationServer server)
String	getSessionCookieName(String clientId) Get the standard name for a session cookie
org.springframework.http.ResponseCookie	getSessionRemovalCookie(String clientId) Gets a ResponseCookie for the removal of the session cookie.
OAuth2SessionToken	getSessionToken(String clientId, String userId, String subject, Map<String,Object> additionalClaims) Creates a OAuth2SessionToken for the provided client ID and subject with the set of additional claims.
OAuth2SessionToken	refreshSessionToken(OAuth2SessionToken sessionToken) Returns a OAuth2SessionToken with a refreshed expiration time.
com.nimbusds.jwt.SignedJWT	verify(String token) Verify the signature of a signed JWT inside a cookie

Method Detail

getSessionToken

OAuth2SessionToken getSessionToken(String clientId,
                                   String userId,
                                   String subject,
                                   Map<String,Object> additionalClaims)

Creates a OAuth2SessionToken for the provided client ID and subject with the set of additional claims.

Parameters:

clientId - the client ID

userId -

subject - the user subject

additionalClaims - the additional session claims

Returns:

refreshSessionToken

OAuth2SessionToken refreshSessionToken(OAuth2SessionToken sessionToken)

Returns a OAuth2SessionToken with a refreshed expiration time.

Parameters:

sessionToken - the session token

Returns:

the refreshed session token

getRedirectUrl

String getRedirectUrl(javax.servlet.http.Cookie savedRequestCookie)

Verify the JWT token contained in the cookie and then return the redirect url contained therein.

Parameters:

savedRequestCookie - see createSavedRequestCookie(String, String)

Returns:

a decoded URL set with createSavedRequestCookie(String, String)

getRequestUrl

String getRequestUrl(javax.servlet.http.Cookie savedRequestCookie)

Verify the JWT token contained in the cookie and then return the original request url contained therein.

Parameters:

savedRequestCookie - see createSavedRequestCookie(String, String)

Returns:

a decoded URL set with createSavedRequestCookie(String, String)

getClientId

String getClientId(String savedRequestToken)

getCookieClaims

Map<String,Object> getCookieClaims(String cookieValue)

Get a Map of the claims from a SignedJWT cookie. The values of the map are Base64 encoded.

Parameters:

cookieValue -

Returns:

createSessionCookie

@Deprecated
javax.servlet.http.Cookie createSessionCookie(OAuth2SessionToken sessionToken)

Deprecated. in favor of getSessionCookie(OAuth2SessionToken)

Creates a cookie for the OAuth2SessionToken.

Parameters:

sessionToken - the session token

Returns:

the session cookie

getRemoveSessionCookie

@Deprecated
javax.servlet.http.Cookie getRemoveSessionCookie(String clientId)

Deprecated. in favor of getSessionRemovalCookie(String)

Create a cookie that can be passed to the response to clear any existing session cookie in the browser.

Parameters:

clientId -

Returns:

the newly created cookie

getSessionCookie

org.springframework.http.ResponseCookie getSessionCookie(OAuth2SessionToken sessionToken)

Gets a ResponseCookie for the OAuth2SessionToken.

Parameters:

sessionToken - the session token

Returns:

the session cookie

getSessionRemovalCookie

org.springframework.http.ResponseCookie getSessionRemovalCookie(String clientId)

Gets a ResponseCookie for the removal of the session cookie.

Parameters:

clientId - the client ID

Returns:

the session removal cookie

getSavedRequestCookie

@Deprecated
javax.servlet.http.Cookie getSavedRequestCookie(String requestUrl,
                                                            String redirectUrl)

Deprecated. since 1.6, replaced by createSavedRequestCookie(String, String)

Create a cookie containing a JWT token identifying an originating request url and a redirect url. This information is used to forward the user to an authentication url. Once authenticated, the original request is completed.

Parameters:

requestUrl - the original request (e.g. /oauth/authorize)

redirectUrl - the uri to redirect to for authentication (e.g. /login)

Returns:

a newly created session cookie

createSavedRequestCookie

org.springframework.http.ResponseCookie createSavedRequestCookie(String requestUrl,
                                                                 String redirectUrl)

Create a cookie containing a JWT token identifying an originating request url and a redirect url. This information is used to forward the user to an authentication url. Once authenticated, the original request is completed.

Parameters:

requestUrl - the original request (e.g. /oauth/authorize)

redirectUrl - the uri to redirect to for authentication (e.g. /login)

Returns:

a newly created session cookie

getSavedRequestJwt

String getSavedRequestJwt(String requestUrl,
                          String redirectUrl)

getRemoveSavedRequestCookie

@Deprecated
javax.servlet.http.Cookie getRemoveSavedRequestCookie()

Deprecated. since 1.6, replaced by createSavedRequestRemovalCookie()

Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.

Returns:

the newly created cookie

createSavedRequestRemovalCookie

org.springframework.http.ResponseCookie createSavedRequestRemovalCookie()

Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.

Returns:

the newly created cookie

See Also:

createSavedRequestCookie(String, String)

verify

com.nimbusds.jwt.SignedJWT verify(String token)

Verify the signature of a signed JWT inside a cookie

Parameters:

token - the cookie to verify

Returns:

a verified and signed JWT token, or null if the given cookie has no value

generateSignedJwt

com.nimbusds.jwt.SignedJWT generateSignedJwt(@Nullable
                                             String subject,
                                             @Nullable
                                             Map<String,Object> claims,
                                             @Nullable
                                             Long expiresInSeconds)

Generate a signed JWT with issuer and audience values as well as optional additional claims.

Parameters:

subject - The subject of the JWT

claims - Additional claims to add to the JWT

Returns:

A signed JWT

getSessionCookieName

String getSessionCookieName(String clientId)

Get the standard name for a session cookie

Parameters:

clientId -

Returns:

the cookie name used to store the session

See Also:

#getSessionCookie(String, String)

getSessionCookieName

String getSessionCookieName(AuthorizedClient client,
                            AuthorizationServer server)

getIssuer

String getIssuer()

getSavedRequestCookieName

String getSavedRequestCookieName()

Get the standard name for a saved request cookie

Returns:

the saved request cookie name

See Also:

createSavedRequestCookie(String, String)

getRemovalCookie

org.springframework.http.ResponseCookie getRemovalCookie(javax.servlet.http.Cookie cookieToRemove)

Returns a removal cookie for any arbitrary cookie.

Parameters:

cookieToRemove - The cookie to target for removal

Returns:

A cookie that may be set on an HttpServletResponse to remove the supplied cookie.