Class DefaultImpersonationService
java.lang.Object
com.broadleafcommerce.auth.user.service.DefaultImpersonationService
- All Implemented Interfaces: ImpersonationService
- Author: Nick Crum (ncrum)
Field Summary
Constructor Summary
- DefaultImpersonationService(ImpersonationClaimsEnhancer claimsEnhancer, StatelessUtil statelessUtil)
Method Summary
(Modifier and Type, Method, Description)
- protected String augmentRedirectUriForRefreshTokenRotationIfEnabled(@NonNull ImpersonationRequest impersonationRequest): If refresh token rotation is enabled for the target client, then this method augments the requested redirect URI to include a parameter to indicate to the web client to redirect to login after the impersonation redirect succeeds.
- buildImpersonationClaims(ImpersonationRequest request, org.springframework.security.core.Authentication authentication)
- consumeImpersonationToken(String token): Validates tokens generated by ImpersonationService.generateImpersonationToken(ImpersonationRequest, Authentication) and converts them into the original ImpersonationRequest supplied before redirect.
- generateImpersonationRedirectUrl(String redirectUrl, @NonNull com.nimbusds.jwt.SignedJWT token, @NonNull String contextPath, String clientId): Generates a URL String containing a serialized signed JWT that should be redirected to in order to consume an impersonation token.
- com.nimbusds.jwt.SignedJWT generateImpersonationToken(ImpersonationRequest request, org.springframework.security.core.Authentication authentication): Generates a JWT to be used during redirects when impersonating a user.
- protected AuthorizedClientService<AuthorizedClient>
- protected ImpersonationClaimsEnhancer
- protected Object
- getImpersonationSessionToken(ImpersonationRequestToken token, OAuth2UserDetails impersonatedUser): Creates an OAuth2SessionToken for the validated ImpersonationRequest.
- protected StatelessUtil
- protected boolean: Whether to use the ImpersonationRequest.getRedirect_uri() when building the consume-token endpoint URL.
- void setAuthorizedClientService(AuthorizedClientService<AuthorizedClient> authorizedClientService)
Field Details
- IMPERSONATION_TOKEN_EXP_TIME_SEC
  protected static final long IMPERSONATION_TOKEN_EXP_TIME_SEC
- REDIRECT_URI
- CSR_ID
- CSR_CLIENT_ID
- IMPERSONATED_SUB
- IMPERSONATED_CLIENT_ID
- IMPERSONATING_SELF
Constructor Details
DefaultImpersonationService
public DefaultImpersonationService(ImpersonationClaimsEnhancer claimsEnhancer, StatelessUtil statelessUtil)
Method Details
getImpersonationSessionToken
public OAuth2SessionToken getImpersonationSessionToken(ImpersonationRequestToken token, OAuth2UserDetails impersonatedUser)
Description copied from interface: ImpersonationService
Creates an OAuth2SessionToken for the validated ImpersonationRequest.
- Specified by: getImpersonationSessionToken in interface ImpersonationService
- Parameters:
  token - The impersonation request
  impersonatedUser - The user to be impersonated
- Returns: A valid OAuth2SessionToken for the impersonated user with additional CSR claims.
generateImpersonationToken
public com.nimbusds.jwt.SignedJWT generateImpersonationToken(ImpersonationRequest request, org.springframework.security.core.Authentication authentication)
Description copied from interface: ImpersonationService
Generates a JWT to be used during redirects when impersonating a user. This allows impersonation across domains.
- Specified by: generateImpersonationToken in interface ImpersonationService
- Parameters:
  request - The impersonation request.
  authentication - The current user's authentication
- Returns: A signed JWT to be used during a redirect to the targeted domain.
generateImpersonationRedirectUrl
public String generateImpersonationRedirectUrl(String redirectUrl, @NonNull com.nimbusds.jwt.SignedJWT token, @NonNull String contextPath, String clientId)
Description copied from interface: ImpersonationService
Generates a URL String containing a serialized signed JWT that should be redirected to in order to consume an impersonation token.
- Specified by: generateImpersonationRedirectUrl in interface ImpersonationService
- Parameters:
  redirectUrl - The redirect URL, typically ImpersonationRequest.getRedirect_uri()
  token - The signed JWT, generated from ImpersonationService.generateImpersonationToken(ImpersonationRequest, Authentication)
  contextPath - The context path of the impersonation request
  clientId - Id of the AuthorizedClient to redirect to.
- Returns: A URL to consume the impersonation token.
consumeImpersonationToken
Description copied from interface: ImpersonationService
Validates tokens generated by ImpersonationService.generateImpersonationToken(ImpersonationRequest, Authentication) and converts them into the original ImpersonationRequest supplied before redirect.
- Specified by: consumeImpersonationToken in interface ImpersonationService
- Parameters:
  token - The serialized signed JWT.
- Returns: An impersonation request.
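The generate-then-consume round trip described for generateImpersonationToken and consumeImpersonationToken, as an added example using the Nimbus JOSE+JWT library; it is not Broadleaf's implementation. The HS256 shared key, the 60-second lifetime and the claim names are assumptions, since this page does not state the signing algorithm or the values of the constants.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.*;
import java.nio.charset.StandardCharsets;
import java.util.Date;

// Added example, not Broadleaf code. Claim names, lifetime and algorithm are assumptions.
public class ImpersonationTokenSketch {
    static final long EXP_TIME_SEC = 60; // assumed stand-in for IMPERSONATION_TOKEN_EXP_TIME_SEC
    static final byte[] KEY =            // constructed sample key (HS256 needs at least 32 bytes)
            "constructed-demo-key-32-bytes-min!!".getBytes(StandardCharsets.UTF_8);

    // Issue side: sign the request details so they cross the redirect unmodified.
    static SignedJWT generate(String csrId, String impersonatedSub, String redirectUri) throws JOSEException {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .claim("csr_id", csrId)                     // hypothetical claim name
                .claim("impersonated_sub", impersonatedSub) // hypothetical claim name
                .claim("redirect_uri", redirectUri)         // hypothetical claim name
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + EXP_TIME_SEC * 1000))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        jwt.sign(new MACSigner(KEY));
        return jwt;
    }

    // Consume side: pin the algorithm, verify the signature, then enforce expiry and required claims.
    static JWTClaimsSet consume(String serialized) throws Exception {
        SignedJWT jwt = SignedJWT.parse(serialized);
        if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) throw new SecurityException("unexpected alg");
        if (!jwt.verify(new MACVerifier(KEY))) throw new SecurityException("bad signature");
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.after(new Date())) throw new SecurityException("expired or missing exp");
        if (claims.getStringClaim("impersonated_sub") == null) throw new SecurityException("missing subject");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        String t1 = generate("csr-1", "customer-42", "https://store.example/account").serialize();
        String t2 = generate("csr-1", "customer-99", "https://store.example/account").serialize();
        System.out.println("accepted: " + consume(t1).getStringClaim("impersonated_sub"));
        // Constructed tamper case: payload of t2 carried with the signature of t1.
        String[] a = t1.split("\\."), b = t2.split("\\.");
        try { consume(b[0] + "." + b[1] + "." + a[2]); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```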
isUseRedirectUriToGenerateConsumeTokenUrl
Whether to use the ImpersonationRequest.getRedirect_uri() when building the consume-token endpoint URL.
- Parameters:
  clientId - Id of the client to be redirected to after the token is consumed.
- Returns: Whether to use the ImpersonationRequest.getRedirect_uri() when building the consume-token endpoint URL.
buildImpersonationClaims
protected Map<String,Object> buildImpersonationClaims(ImpersonationRequest request, org.springframework.security.core.Authentication authentication)
augmentRedirectUriForRefreshTokenRotationIfEnabled
protected String augmentRedirectUriForRefreshTokenRotationIfEnabled(@NonNull ImpersonationRequest impersonationRequest)
If refresh token rotation is enabled for the target client, then this method augments the requested redirect URI to include a parameter to indicate to the web client to redirect to login after the impersonation redirect succeeds. This is only needed for refresh token rotation.
- Parameters:
  impersonationRequest - The request for impersonation from the CSR.
- Returns: The augmented redirect URL.
getDetail
getClaimsEnhancer
getStatelessUtil
setAuthorizedClientService
@Autowired public void setAuthorizedClientService(AuthorizedClientService<AuthorizedClient> authorizedClientService)
getAuthorizedClientService