com.broadleafcommerce.auth.user.session

Class StatelessUtilImpl

java.lang.Object

com.broadleafcommerce.auth.user.session.StatelessUtilImpl

All Implemented Interfaces:

StatelessUtil

public class StatelessUtilImpl
extends Object
implements StatelessUtil

Author:

Jeff Fischer

See Also:

StatelessUtil

Constructor Summary

Constructors

Constructor and Description
StatelessUtilImpl(AuthorizedClientService<AuthorizedClient> clientService, AuthorizationServerService<AuthorizationServer> serverService, String encodedPrivateKey, String encodedPublicKey, String issuer)

Method Summary

Modifier and Type	Method and Description
org.springframework.http.ResponseCookie	createSavedRequestCookie(String requestUrl, String redirectUrl) Create a cookie containing a JWT token identifying an originating request url and a redirect url.
org.springframework.http.ResponseCookie	createSavedRequestRemovalCookie() Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.
javax.servlet.http.Cookie	createSessionCookie(OAuth2SessionToken sessionToken) Creates a cookie for the OAuth2SessionToken.
protected Supplier<? extends com.broadleafcommerce.data.tracking.core.exception.EntityMissingException>	entityMissing(String msg)
protected AuthorizedClient	findClient(String clientId)
protected AuthorizationServer	findServer(AuthorizedClient client)
com.nimbusds.jwt.SignedJWT	generateSignedJwt(String subject, Map<String,Object> claims, Long expiresInSeconds) Generate a signed JWT with issuer and audience values as well as optional additional claims.
String	getClientId(String savedRequestToken)
Map<String,Object>	getCookieClaims(String cookieValue) Get a Map of the claims from a SignedJWT cookie.
protected String	getDecodedClaim(javax.servlet.http.Cookie savedRequestCookie, String claim, String errorMessage)
protected String	getDecodedClaim(String token, String claim, String errorMessage)
String	getIssuer()
protected StatelessUtilProperties	getProperties()
String	getRedirectUrl(javax.servlet.http.Cookie savedRequestCookie) Verify the JWT token contained in the cookie and then return the redirect url contained therein.
org.springframework.http.ResponseCookie	getRemovalCookie(javax.servlet.http.Cookie cookieToRemove) Returns a removal cookie for any arbitrary cookie.
javax.servlet.http.Cookie	getRemoveSavedRequestCookie() Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.
javax.servlet.http.Cookie	getRemoveSessionCookie(String clientId) Create a cookie that can be passed to the response to clear any existing session cookie in the browser.
String	getRequestUrl(javax.servlet.http.Cookie savedRequestCookie) Verify the JWT token contained in the cookie and then return the original request url contained therein.
protected String	getSameSiteAttributeForSavedRequestCookie() Gets the SameSite attribute value to use for the saved request cookies (createSavedRequestCookie(String, String) and createSavedRequestRemovalCookie()).
javax.servlet.http.Cookie	getSavedRequestCookie(String requestUrl, String redirectUrl) Create a cookie containing a JWT token identifying an originating request url and a redirect url.
String	getSavedRequestCookieName() Get the standard name for a saved request cookie
String	getSavedRequestJwt(String requestUrl, String redirectUrl)
org.springframework.http.ResponseCookie	getSessionCookie(OAuth2SessionToken sessionToken) Gets a ResponseCookie for the OAuth2SessionToken.
String	getSessionCookieName(AuthorizedClient client, AuthorizationServer server)
String	getSessionCookieName(String clientId) Get the standard name for a session cookie
org.springframework.http.ResponseCookie	getSessionRemovalCookie(String clientId) Gets a ResponseCookie for the removal of the session cookie.
protected String	getSessionSameSiteAttribute(AuthorizationServer authorizationServer) Gets the SameSite attribute value for the session cookie.
OAuth2SessionToken	getSessionToken(String clientId, String userId, String subject, Map<String,Object> additionalClaims) Creates a OAuth2SessionToken for the provided client ID and subject with the set of additional claims.
protected com.nimbusds.jwt.JWTClaimsSet	getSessionTokenClaims(String clientId, String userId, String subject, Map<String,Object> additionalClaims)
OAuth2SessionToken	refreshSessionToken(OAuth2SessionToken sessionToken) Returns a OAuth2SessionToken with a refreshed expiration time.
void	setProperties(StatelessUtilProperties properties)
com.nimbusds.jwt.SignedJWT	verify(String token) Verify the signature of a signed JWT inside a cookie

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

StatelessUtilImpl

public StatelessUtilImpl(AuthorizedClientService<AuthorizedClient> clientService,
                         AuthorizationServerService<AuthorizationServer> serverService,
                         @NonNull
                         String encodedPrivateKey,
                         @NonNull
                         String encodedPublicKey,
                         String issuer)

Method Detail

getSessionToken

public OAuth2SessionToken getSessionToken(String clientId,
                                          String userId,
                                          String subject,
                                          Map<String,Object> additionalClaims)

Description copied from interface: StatelessUtil

Creates a OAuth2SessionToken for the provided client ID and subject with the set of additional claims.

Specified by:

getSessionToken in interface StatelessUtil

Parameters:

clientId - the client ID

subject - the user subject

additionalClaims - the additional session claims

Returns:

getSessionTokenClaims

protected com.nimbusds.jwt.JWTClaimsSet getSessionTokenClaims(String clientId,
                                                              String userId,
                                                              String subject,
                                                              @NonNull
                                                              Map<String,Object> additionalClaims)

refreshSessionToken

public OAuth2SessionToken refreshSessionToken(OAuth2SessionToken sessionToken)

Description copied from interface: StatelessUtil

Returns a OAuth2SessionToken with a refreshed expiration time.

Specified by:

refreshSessionToken in interface StatelessUtil

Parameters:

sessionToken - the session token

Returns:

the refreshed session token

generateSignedJwt

public com.nimbusds.jwt.SignedJWT generateSignedJwt(@Nullable
                                                    String subject,
                                                    @Nullable
                                                    Map<String,Object> claims,
                                                    @Nullable
                                                    Long expiresInSeconds)

Description copied from interface: StatelessUtil

Generate a signed JWT with issuer and audience values as well as optional additional claims.

Specified by:

generateSignedJwt in interface StatelessUtil

Parameters:

subject - The subject of the JWT

claims - Additional claims to add to the JWT

Returns:

A signed JWT

getRedirectUrl

public String getRedirectUrl(javax.servlet.http.Cookie savedRequestCookie)

Description copied from interface: StatelessUtil

Verify the JWT token contained in the cookie and then return the redirect url contained therein.

Specified by:

getRedirectUrl in interface StatelessUtil

Parameters:

savedRequestCookie - see StatelessUtil.createSavedRequestCookie(String, String)

Returns:

a decoded URL set with StatelessUtil.createSavedRequestCookie(String, String)

getRequestUrl

public String getRequestUrl(javax.servlet.http.Cookie savedRequestCookie)

Description copied from interface: StatelessUtil

Verify the JWT token contained in the cookie and then return the original request url contained therein.

Specified by:

getRequestUrl in interface StatelessUtil

Parameters:

savedRequestCookie - see StatelessUtil.createSavedRequestCookie(String, String)

Returns:

a decoded URL set with StatelessUtil.createSavedRequestCookie(String, String)

getClientId

public String getClientId(String savedRequestToken)

Specified by:

getClientId in interface StatelessUtil

getDecodedClaim

protected String getDecodedClaim(javax.servlet.http.Cookie savedRequestCookie,
                                 String claim,
                                 String errorMessage)

getDecodedClaim

protected String getDecodedClaim(String token,
                                 String claim,
                                 String errorMessage)

getCookieClaims

public Map<String,Object> getCookieClaims(String cookieValue)

Description copied from interface: StatelessUtil

Get a Map of the claims from a SignedJWT cookie. The values of the map are Base64 encoded.

Specified by:

getCookieClaims in interface StatelessUtil

Returns:

createSessionCookie

public javax.servlet.http.Cookie createSessionCookie(OAuth2SessionToken sessionToken)

Description copied from interface: StatelessUtil

Creates a cookie for the OAuth2SessionToken.

Specified by:

createSessionCookie in interface StatelessUtil

Parameters:

sessionToken - the session token

Returns:

the session cookie

getRemoveSessionCookie

public javax.servlet.http.Cookie getRemoveSessionCookie(String clientId)

Description copied from interface: StatelessUtil

Create a cookie that can be passed to the response to clear any existing session cookie in the browser.

Specified by:

getRemoveSessionCookie in interface StatelessUtil

Returns:

the newly created cookie

getSessionCookie

public org.springframework.http.ResponseCookie getSessionCookie(OAuth2SessionToken sessionToken)

Description copied from interface: StatelessUtil

Gets a ResponseCookie for the OAuth2SessionToken.

Specified by:

getSessionCookie in interface StatelessUtil

Parameters:

sessionToken - the session token

Returns:

the session cookie

getSessionRemovalCookie

public org.springframework.http.ResponseCookie getSessionRemovalCookie(String clientId)

Description copied from interface: StatelessUtil

Gets a ResponseCookie for the removal of the session cookie.

Specified by:

getSessionRemovalCookie in interface StatelessUtil

Parameters:

clientId - the client ID

Returns:

the session removal cookie

getSessionSameSiteAttribute

protected String getSessionSameSiteAttribute(AuthorizationServer authorizationServer)

Gets the SameSite attribute value for the session cookie. This method should return one of the following values: "None", "Lax", or "Strict".

Learn more about the SameSite attribute at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Parameters:

authorizationServer - the authorization server

Returns:

the SameSite attribute value

getSavedRequestCookie

public javax.servlet.http.Cookie getSavedRequestCookie(String requestUrl,
                                                       String redirectUrl)

Description copied from interface: StatelessUtil

Create a cookie containing a JWT token identifying an originating request url and a redirect url. This information is used to forward the user to an authentication url. Once authenticated, the original request is completed.

Specified by:

getSavedRequestCookie in interface StatelessUtil

Parameters:

requestUrl - the original request (e.g. /oauth/authorize)

redirectUrl - the uri to redirect to for authentication (e.g. /login)

Returns:

a newly created session cookie

createSavedRequestCookie

public org.springframework.http.ResponseCookie createSavedRequestCookie(String requestUrl,
                                                                        String redirectUrl)

Description copied from interface: StatelessUtil

Create a cookie containing a JWT token identifying an originating request url and a redirect url. This information is used to forward the user to an authentication url. Once authenticated, the original request is completed.

Specified by:

createSavedRequestCookie in interface StatelessUtil

Parameters:

requestUrl - the original request (e.g. /oauth/authorize)

redirectUrl - the uri to redirect to for authentication (e.g. /login)

Returns:

a newly created session cookie

getSameSiteAttributeForSavedRequestCookie

protected String getSameSiteAttributeForSavedRequestCookie()

Gets the SameSite attribute value to use for the saved request cookies (createSavedRequestCookie(String, String) and createSavedRequestRemovalCookie()). This method should return one of the following values: "None", "Lax", or "Strict".

Learn more about the SameSite attribute at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Returns:

the SameSite attribute value to use for the saved request cookies

getSavedRequestJwt

public String getSavedRequestJwt(String requestUrl,
                                 String redirectUrl)

Specified by:

getSavedRequestJwt in interface StatelessUtil

getRemoveSavedRequestCookie

public javax.servlet.http.Cookie getRemoveSavedRequestCookie()

Description copied from interface: StatelessUtil

Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.

Specified by:

getRemoveSavedRequestCookie in interface StatelessUtil

Returns:

the newly created cookie

createSavedRequestRemovalCookie

public org.springframework.http.ResponseCookie createSavedRequestRemovalCookie()

Description copied from interface: StatelessUtil

Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.

Specified by:

createSavedRequestRemovalCookie in interface StatelessUtil

Returns:

the newly created cookie

See Also:

StatelessUtil.createSavedRequestCookie(String, String)

verify

public com.nimbusds.jwt.SignedJWT verify(String token)

Description copied from interface: StatelessUtil

Verify the signature of a signed JWT inside a cookie

Specified by:

verify in interface StatelessUtil

Parameters:

token - the cookie to verify

Returns:

a verified and signed JWT token, or null if the given cookie has no value

getSessionCookieName

public String getSessionCookieName(String clientId)

Description copied from interface: StatelessUtil

Get the standard name for a session cookie

Specified by:

getSessionCookieName in interface StatelessUtil

Returns:

the cookie name used to store the session

See Also:

#getSessionCookie(String, String)

getSessionCookieName

public String getSessionCookieName(AuthorizedClient client,
                                   AuthorizationServer server)

Specified by:

getSessionCookieName in interface StatelessUtil

getIssuer

public String getIssuer()

Specified by:

getIssuer in interface StatelessUtil

getSavedRequestCookieName

public String getSavedRequestCookieName()

Description copied from interface: StatelessUtil

Get the standard name for a saved request cookie

Specified by:

getSavedRequestCookieName in interface StatelessUtil

Returns:

the saved request cookie name

See Also:

StatelessUtil.createSavedRequestCookie(String, String)

getRemovalCookie

public org.springframework.http.ResponseCookie getRemovalCookie(javax.servlet.http.Cookie cookieToRemove)

Description copied from interface: StatelessUtil

Returns a removal cookie for any arbitrary cookie.

Specified by:

getRemovalCookie in interface StatelessUtil

Parameters:

cookieToRemove - The cookie to target for removal

Returns:

A cookie that may be set on an HttpServletResponse to remove the supplied cookie.

findClient

protected AuthorizedClient findClient(String clientId)

findServer

protected AuthorizationServer findServer(AuthorizedClient client)

entityMissing

protected Supplier<? extends com.broadleafcommerce.data.tracking.core.exception.EntityMissingException> entityMissing(String msg)

getProperties

protected StatelessUtilProperties getProperties()

setProperties

@Autowired
public void setProperties(StatelessUtilProperties properties)