Package com.broadleafcommerce.auth.user.service

Class DefaultImpersonationService

java.lang.Object

com.broadleafcommerce.auth.user.service.DefaultImpersonationService

All Implemented Interfaces:

ImpersonationService

public class DefaultImpersonationService
extends Object
implements ImpersonationService

Author:

Nick Crum (ncrum)

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CSR_CLIENT_ID
static final String	CSR_ID
static final String	IMPERSONATED_CLIENT_ID
static final String	IMPERSONATED_SUB
static final String	IMPERSONATING_SELF
protected static final long	IMPERSONATION_TOKEN_EXP_TIME_SEC
static final String	REDIRECT_URI

Constructor Summary

Constructors

Constructor	Description
DefaultImpersonationService(ImpersonationClaimsEnhancer claimsEnhancer, StatelessUtil statelessUtil)

Method Summary

Modifier and Type	Method	Description
protected String	augmentRedirectUriForRefreshTokenRotationIfEnabled(@NonNull ImpersonationRequest impersonationRequest)	If refresh token rotation is enabled for the target client, then this method augments the requested redirect URI to include a parameter to indicate to the web client to redirect to login after the impersonation redirect succeeds.
protected Map<String,Object>	buildImpersonationClaims(ImpersonationRequest request, org.springframework.security.core.Authentication authentication)
ImpersonationRequestToken	consumeImpersonationToken(String token)	Validates tokens generated by ImpersonationService.generateImpersonationToken(ImpersonationRequest, Authentication) and converts them into the original ImpersonationRequest supplied before redirect.
String	generateImpersonationRedirectUrl(String redirectUrl, @NonNull com.nimbusds.jwt.SignedJWT token, @NonNull String contextPath, String clientId)	Generates a URL String containing a serialized signed JWT that should be redirected to in order to consume an impersonation token.
com.nimbusds.jwt.SignedJWT	generateImpersonationToken(ImpersonationRequest request, org.springframework.security.core.Authentication authentication)	Generates a JWT to be used during redirects when impersonating a user.
protected AuthorizedClientService<AuthorizedClient>	getAuthorizedClientService()
protected ImpersonationClaimsEnhancer	getClaimsEnhancer()
protected Object	getDetail(Map<String,Object> details, String key)
OAuth2SessionToken	getImpersonationSessionToken(ImpersonationRequestToken token, OAuth2UserDetails impersonatedUser)	Creates an OAuth2SessionToken for the validated ImpersonationRequest.
protected StatelessUtil	getStatelessUtil()
protected boolean	isUseRedirectUriToGenerateConsumeTokenUrl(String clientId)	Whether to use the ImpersonationRequest.getRedirect_uri() when building the consume-token endpoint URL.
void	setAuthorizedClientService(AuthorizedClientService<AuthorizedClient> authorizedClientService)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

IMPERSONATION_TOKEN_EXP_TIME_SEC

protected static final long IMPERSONATION_TOKEN_EXP_TIME_SEC

See Also:

• Constant Field Values

REDIRECT_URI

public static final String REDIRECT_URI

See Also:

• Constant Field Values

CSR_ID

public static final String CSR_ID

See Also:

• Constant Field Values

CSR_CLIENT_ID

public static final String CSR_CLIENT_ID

See Also:

• Constant Field Values

IMPERSONATED_SUB

public static final String IMPERSONATED_SUB

See Also:

• Constant Field Values

IMPERSONATED_CLIENT_ID

public static final String IMPERSONATED_CLIENT_ID

See Also:

• Constant Field Values

IMPERSONATING_SELF

public static final String IMPERSONATING_SELF

See Also:

• Constant Field Values

Constructor Details

DefaultImpersonationService

public DefaultImpersonationService(ImpersonationClaimsEnhancer claimsEnhancer,
 StatelessUtil statelessUtil)

Method Details

getImpersonationSessionToken

public OAuth2SessionToken getImpersonationSessionToken(ImpersonationRequestToken token,
 OAuth2UserDetails impersonatedUser)

Description copied from interface: ImpersonationService

Creates an OAuth2SessionToken for the validated ImpersonationRequest.

Specified by:

getImpersonationSessionToken in interface ImpersonationService

Parameters:

token - The impersonation request

impersonatedUser - The user to be impersonated

Returns:

A valid OAuth2SessionToken for the impersonated user with additional CSR claims.

generateImpersonationToken

public com.nimbusds.jwt.SignedJWT generateImpersonationToken(ImpersonationRequest request,
 org.springframework.security.core.Authentication authentication)

Description copied from interface: ImpersonationService

Generates a JWT to be used during redirects when impersonating a user. This allows impersonation across domains.

Specified by:

generateImpersonationToken in interface ImpersonationService

Parameters:

request - The impersonation request.

authentication - The current user's authentication

Returns:

A signed JWT to be used during a redirect to the targeted domain.

generateImpersonationRedirectUrl

public String generateImpersonationRedirectUrl(String redirectUrl,
 @NonNull
 @NonNull com.nimbusds.jwt.SignedJWT token,
 @NonNull
 @NonNull String contextPath,
 String clientId)

Description copied from interface: ImpersonationService

Generates a URL String containing a serialized signed JWT that should be redirected to in order to consume an impersonation token.

Specified by:

generateImpersonationRedirectUrl in interface ImpersonationService

Parameters:

redirectUrl - The redirect URL, typically ImpersonationRequest.getRedirect_uri()

token - The signed JWT, generated from ImpersonationService.generateImpersonationToken(ImpersonationRequest, Authentication)

contextPath - The context path of the impersonation request

clientId - Id of the AuthorizedClient to redirect to.

Returns:

A URL to consume the impersonation token.

consumeImpersonationToken

public ImpersonationRequestToken consumeImpersonationToken(String token)

Description copied from interface: ImpersonationService

Validates tokens generated by ImpersonationService.generateImpersonationToken(ImpersonationRequest, Authentication) and converts them into the original ImpersonationRequest supplied before redirect.

Specified by:

consumeImpersonationToken in interface ImpersonationService

Parameters:

token - The serialized signed JWT.

Returns:

An impersonation request.

isUseRedirectUriToGenerateConsumeTokenUrl

protected boolean isUseRedirectUriToGenerateConsumeTokenUrl(String clientId)

Whether to use the ImpersonationRequest.getRedirect_uri() when building the consume-token endpoint URL.

Parameters:

clientId - Id of the client to be redirected to after the token is consumed.

Returns:

Whether to use the ImpersonationRequest.getRedirect_uri() when building the consume-token endpoint URL.

See Also:

• AuthorizedClient.isUseRedirectUriToGenerateConsumeTokenUrl()

buildImpersonationClaims

protected Map<String,Object> buildImpersonationClaims(ImpersonationRequest request,
 org.springframework.security.core.Authentication authentication)

augmentRedirectUriForRefreshTokenRotationIfEnabled

protected String augmentRedirectUriForRefreshTokenRotationIfEnabled(@NonNull
 @NonNull ImpersonationRequest impersonationRequest)

If refresh token rotation is enabled for the target client, then this method augments the requested redirect URI to include a parameter to indicate to the web client to redirect to login after the impersonation redirect succeeds. This is only needed for refresh token rotation.

Parameters:

impersonationRequest - The request for impersonation from the CSR.

Returns:

The augmented redirect URL.

getDetail

protected Object getDetail(Map<String,Object> details,
 String key)

getClaimsEnhancer

@NonNull
protected ImpersonationClaimsEnhancer getClaimsEnhancer()

getStatelessUtil

@NonNull
protected StatelessUtil getStatelessUtil()

setAuthorizedClientService

@Autowired
public void setAuthorizedClientService(AuthorizedClientService<AuthorizedClient> authorizedClientService)

getAuthorizedClientService

protected AuthorizedClientService<AuthorizedClient> getAuthorizedClientService()