Package com.broadleafcommerce.auth.user.session

Class StatelessUtilImpl

java.lang.Object
com.broadleafcommerce.auth.user.session.StatelessUtilImpl
All Implemented Interfaces:
StatelessUtil
public class StatelessUtilImpl extends Object implements StatelessUtil
Author:
Jeff Fischer
See Also:

  • Constructor Details

  • Method Details

    • getSessionToken

      public OAuth2SessionToken getSessionToken(String clientId, String userId, String subject, Map<String,Object> additionalClaims)
      Description copied from interface: StatelessUtil
      Creates a OAuth2SessionToken for the provided client ID and subject with the set of additional claims.
      Specified by:
      getSessionToken in interface StatelessUtil
      Parameters:
      clientId - the client ID
      subject - the user subject
      additionalClaims - the additional session claims
      Returns:

    • getSigner

      protected com.nimbusds.jose.JWSSigner getSigner()
      Construct new instance for each invocation, since we need the signer to be in-sync with the dynamic nature of the private key value.
      Returns:
      a new signer instance matching the most current private key value
      See Also:

    • getSessionTokenClaims

      protected com.nimbusds.jwt.JWTClaimsSet getSessionTokenClaims(String clientId, String userId, String subject, @NonNull Map<String,Object> additionalClaims)

    • refreshSessionToken

      public OAuth2SessionToken refreshSessionToken(OAuth2SessionToken sessionToken)
      Description copied from interface: StatelessUtil
      Returns a OAuth2SessionToken with a refreshed expiration time.
      Specified by:
      refreshSessionToken in interface StatelessUtil
      Parameters:
      sessionToken - the session token
      Returns:
      the refreshed session token

    • generateSignedJwt

      public com.nimbusds.jwt.SignedJWT generateSignedJwt(@Nullable String subject, @Nullable Map<String,Object> claims, @Nullable Long expiresInSeconds)
      Description copied from interface: StatelessUtil
      Generate a signed JWT with issuer and audience values as well as optional additional claims.
      Specified by:
      generateSignedJwt in interface StatelessUtil
      Parameters:
      subject - The subject of the JWT
      claims - Additional claims to add to the JWT
      Returns:
      A signed JWT

    • getRedirectUrl

      public String getRedirectUrl(jakarta.servlet.http.Cookie savedRequestCookie)
      Description copied from interface: StatelessUtil
      Verify the JWT token contained in the cookie and then return the redirect url contained therein.
      Specified by:
      getRedirectUrl in interface StatelessUtil
      Parameters:
      savedRequestCookie - see StatelessUtil.createSavedRequestCookie(String, String)
      Returns:
      a decoded URL set with StatelessUtil.createSavedRequestCookie(String, String)

    • getRequestUrl

      public String getRequestUrl(jakarta.servlet.http.Cookie savedRequestCookie)
      Description copied from interface: StatelessUtil
      Verify the JWT token contained in the cookie and then return the original request url contained therein.
      Specified by:
      getRequestUrl in interface StatelessUtil
      Parameters:
      savedRequestCookie - see StatelessUtil.createSavedRequestCookie(String, String)
      Returns:
      a decoded URL set with StatelessUtil.createSavedRequestCookie(String, String)

    • getClientId

      public String getClientId(String savedRequestToken)
      Specified by:
      getClientId in interface StatelessUtil

    • getDecodedClaim

      protected String getDecodedClaim(jakarta.servlet.http.Cookie savedRequestCookie, String claim, String errorMessage)

    • getDecodedClaim

      protected String getDecodedClaim(String token, String claim, String errorMessage)

    • getCookieClaims

      public Map<String,Object> getCookieClaims(String cookieValue)
      Description copied from interface: StatelessUtil
      Get a Map of the claims from a SignedJWT cookie. The values of the map are Base64 encoded.
      Specified by:
      getCookieClaims in interface StatelessUtil
      Returns:

    • createSessionCookie

      public jakarta.servlet.http.Cookie createSessionCookie(OAuth2SessionToken sessionToken)
      Description copied from interface: StatelessUtil
      Creates a cookie for the OAuth2SessionToken.
      Specified by:
      createSessionCookie in interface StatelessUtil
      Parameters:
      sessionToken - the session token
      Returns:
      the session cookie

    • getRemoveSessionCookie

      public jakarta.servlet.http.Cookie getRemoveSessionCookie(String clientId)
      Description copied from interface: StatelessUtil
      Create a cookie that can be passed to the response to clear any existing session cookie in the browser.
      Specified by:
      getRemoveSessionCookie in interface StatelessUtil
      Returns:
      the newly created cookie

    • getSessionCookie

      public org.springframework.http.ResponseCookie getSessionCookie(OAuth2SessionToken sessionToken)
      Description copied from interface: StatelessUtil
      Gets a ResponseCookie for the OAuth2SessionToken.
      Specified by:
      getSessionCookie in interface StatelessUtil
      Parameters:
      sessionToken - the session token
      Returns:
      the session cookie

    • getSessionRemovalCookie

      public org.springframework.http.ResponseCookie getSessionRemovalCookie(String clientId)
      Description copied from interface: StatelessUtil
      Gets a ResponseCookie for the removal of the session cookie.
      Specified by:
      getSessionRemovalCookie in interface StatelessUtil
      Parameters:
      clientId - the client ID
      Returns:
      the session removal cookie

    • getSessionSameSiteAttribute

      protected String getSessionSameSiteAttribute(AuthorizationServer authorizationServer)
      Gets the SameSite attribute value for the session cookie. This method should return one of the following values: "None", "Lax", or "Strict".

      Learn more about the SameSite attribute at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

      Parameters:
      authorizationServer - the authorization server
      Returns:
      the SameSite attribute value

    • getSavedRequestCookie

      public jakarta.servlet.http.Cookie getSavedRequestCookie(String requestUrl, String redirectUrl)
      Description copied from interface: StatelessUtil
      Create a cookie containing a JWT token identifying an originating request url and a redirect url. This information is used to forward the user to an authentication url. Once authenticated, the original request is completed.
      Specified by:
      getSavedRequestCookie in interface StatelessUtil
      Parameters:
      requestUrl - the original request (e.g. /oauth/authorize)
      redirectUrl - the uri to redirect to for authentication (e.g. /login)
      Returns:
      a newly created session cookie

    • createSavedRequestCookie

      public org.springframework.http.ResponseCookie createSavedRequestCookie(String requestUrl, String redirectUrl)
      Description copied from interface: StatelessUtil
      Create a cookie containing a JWT token identifying an originating request url and a redirect url. This information is used to forward the user to an authentication url. Once authenticated, the original request is completed.
      Specified by:
      createSavedRequestCookie in interface StatelessUtil
      Parameters:
      requestUrl - the original request (e.g. /oauth/authorize)
      redirectUrl - the uri to redirect to for authentication (e.g. /login)
      Returns:
      a newly created session cookie

    • getSameSiteAttributeForSavedRequestCookie

      protected String getSameSiteAttributeForSavedRequestCookie()
      Gets the SameSite attribute value to use for the saved request cookies (createSavedRequestCookie(String, String) and createSavedRequestRemovalCookie()). This method should return one of the following values: "None", "Lax", or "Strict".

      Learn more about the SameSite attribute at: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

      Returns:
      the SameSite attribute value to use for the saved request cookies

    • getSavedRequestJwt

      public String getSavedRequestJwt(String requestUrl, String redirectUrl)
      Specified by:
      getSavedRequestJwt in interface StatelessUtil

    • getRemoveSavedRequestCookie

      public jakarta.servlet.http.Cookie getRemoveSavedRequestCookie()
      Description copied from interface: StatelessUtil
      Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.
      Specified by:
      getRemoveSavedRequestCookie in interface StatelessUtil
      Returns:
      the newly created cookie

    • createSavedRequestRemovalCookie

      public org.springframework.http.ResponseCookie createSavedRequestRemovalCookie()
      Description copied from interface: StatelessUtil
      Create a cookie that can be passed to the response to clear any existing saved request cookie in the browser.
      Specified by:
      createSavedRequestRemovalCookie in interface StatelessUtil
      Returns:
      the newly created cookie
      See Also:

    • verify

      public com.nimbusds.jwt.SignedJWT verify(String token)
      Description copied from interface: StatelessUtil
      Verify the signature of a signed JWT inside a cookie
      Specified by:
      verify in interface StatelessUtil
      Parameters:
      token - the cookie to verify
      Returns:
      a verified and signed JWT token, or null if the given cookie has no value

    • getSessionCookieName

      public String getSessionCookieName(String clientId)
      Description copied from interface: StatelessUtil
      Get the standard name for a session cookie
      Specified by:
      getSessionCookieName in interface StatelessUtil
      Returns:
      the cookie name used to store the session
      See Also:

    • getSessionCookieName

      public String getSessionCookieName(AuthorizedClient client, AuthorizationServer server)
      Specified by:
      getSessionCookieName in interface StatelessUtil

    • getIssuer

      public String getIssuer()
      Specified by:
      getIssuer in interface StatelessUtil

    • getSavedRequestCookieName

      public String getSavedRequestCookieName()
      Description copied from interface: StatelessUtil
      Get the standard name for a saved request cookie
      Specified by:
      getSavedRequestCookieName in interface StatelessUtil
      Returns:
      the saved request cookie name
      See Also:

    • getRemovalCookie

      public org.springframework.http.ResponseCookie getRemovalCookie(jakarta.servlet.http.Cookie cookieToRemove)
      Description copied from interface: StatelessUtil
      Returns a removal cookie for any arbitrary cookie.
      Specified by:
      getRemovalCookie in interface StatelessUtil
      Parameters:
      cookieToRemove - The cookie to target for removal
      Returns:
      A cookie that may be set on an HttpServletResponse to remove the supplied cookie.

    • findClient

      protected AuthorizedClient findClient(String clientId)

    • findServer

      protected AuthorizationServer findServer(AuthorizedClient client)

    • entityMissing

      protected Supplier<? extends com.broadleafcommerce.data.tracking.core.exception.EntityMissingException> entityMissing(String msg)

    • getProperties

      protected StatelessUtilProperties getProperties()

    • setProperties

      @Autowired public void setProperties(StatelessUtilProperties properties)

    • getPublicKeys

      protected List<RSAPublicKey> getPublicKeys()

    • setPublicKeys

      public void setPublicKeys(List<RSAPublicKey> publicKeys)