Class AbstractTokenBuilder

java.lang.Object
uk.co.spudsoft.jwtvalidatorvertx.impl.AbstractTokenBuilder
All Implemented Interfaces:
TokenBuilder
Direct Known Subclasses:
JdkTokenBuilder

public abstract class AbstractTokenBuilder extends Object implements TokenBuilder
Abstract implementation of TokenBuilder.

The actual creation of keys is left to a subclass to implement.

This class can perform all the work of a TokenBuilder implementation apart from the generation of keys; however, most methods are designed to be overridable so that a specific implementation can do something different if that is useful.

Author:
jtalbut
  • Field Details

    • BASE64

      protected static final Base64.Encoder BASE64
      Base64 encoder that implementations may (should) use.
    • RANDOM

      protected static final SecureRandom RANDOM
      Secure random number generator that implementations may use.
    • keyCache

      protected final com.google.common.cache.Cache<String,AlgorithmAndKeyPair> keyCache
      The key cache that is shared with the JwksHandler.

      Note that it is the TokenBuilder that is responsible for causing keys to be created and cached, the JwksHandler just makes them available.

  • Constructor Details

    • AbstractTokenBuilder

      public AbstractTokenBuilder(com.google.common.cache.Cache<String,AlgorithmAndKeyPair> keyCache)
      Constructor.
      Parameters:
      keyCache - The key cache that is shared with the JwksHandler.
  • Method Details

    • setHeaderNotValidBase64

      public TokenBuilder setHeaderNotValidBase64(boolean headerNotValidBase64)
      Description copied from interface: TokenBuilder
      If set the header will not be valid base 64.
      Specified by:
      setHeaderNotValidBase64 in interface TokenBuilder
      Parameters:
      headerNotValidBase64 - If true the header will not be valid base 64 (it will have one character removed from the end).
      Returns:
      this, so that the method may be used in a fluent manner.
    • setPayloadNotValidBase64

      public TokenBuilder setPayloadNotValidBase64(boolean payloadNotValidBase64)
      Description copied from interface: TokenBuilder
      If set the payload will not be valid base 64.
      Specified by:
      setPayloadNotValidBase64 in interface TokenBuilder
      Parameters:
      payloadNotValidBase64 - If true the payload will not be valid base 64 (it will have one character removed from the end).
      Returns:
      this, so that the method may be used in a fluent manner.
    • setSignatureNotValidBase64

      public TokenBuilder setSignatureNotValidBase64(boolean signatureNotValidBase64)
      Description copied from interface: TokenBuilder
      If set the signature will not be valid base 64.
      Specified by:
      setSignatureNotValidBase64 in interface TokenBuilder
      Parameters:
      signatureNotValidBase64 - If true the signature will not be valid base 64 (it will have one character removed from the end).
      Returns:
      this, so that the method may be used in a fluent manner.
    • setHeaderNotJson

      public TokenBuilder setHeaderNotJson(boolean headerNotJson)
      Description copied from interface: TokenBuilder
      If set the header will not be valid JSON.
      Specified by:
      setHeaderNotJson in interface TokenBuilder
      Parameters:
      headerNotJson - If true the header will not be valid JSON (strings will have quotes stripped from them).
      Returns:
      this, so that the method may be used in a fluent manner.
    • setPayloadNotJson

      public TokenBuilder setPayloadNotJson(boolean payloadNotJson)
      Description copied from interface: TokenBuilder
      If set the payload will not be valid JSON.
      Specified by:
      setPayloadNotJson in interface TokenBuilder
      Parameters:
      payloadNotJson - If true the payload will not be valid JSON (strings will have quotes stripped from them).
      Returns:
      this, so that the method may be used in a fluent manner.
    • setSignatureNotValidHash

      public TokenBuilder setSignatureNotValidHash(boolean signatureNotValidHash)
      Description copied from interface: TokenBuilder
      If set the signature will not be a valid hash of the contents.
      Specified by:
      setSignatureNotValidHash in interface TokenBuilder
      Parameters:
      signatureNotValidHash - If true the signature will not be a valid hash of the contents (the final byte will be stripped).
      Returns:
      this, so that the method may be used in a fluent manner.
    • setKidInvalid

      public TokenBuilder setKidInvalid(boolean kidInvalid)
      Description copied from interface: TokenBuilder
      If set the kid in the token will be set to 'INVALID'.
      Specified by:
      setKidInvalid in interface TokenBuilder
      Parameters:
      kidInvalid - If true the kid in the token will be set to 'INVALID'.
      Returns:
      this, so that the method may be used in a fluent manner.
    • buildToken

      public String buildToken(JsonWebAlgorithm jwa, String kid, String iss, String sub, List<String> aud, Long nbf, Long exp, Map<String,Object> otherClaims) throws Exception
      Description copied from interface: TokenBuilder
      Construct a JWT. If any of the testing methods are set the resulting token will be invalid.
      Specified by:
      buildToken in interface TokenBuilder
      Parameters:
      jwa - The algorithm to use to create the key if the key does not already exist in the cache. If the key is already in the cache then the jwa is only used to set the "alg" header claim. It is permitted to use the JsonWebAlgorithm.none algorithm to generate the token, but this should only be done for testing and all validators will reject it.
      kid - The ID of the key to use to sign the token, may be null if (and only if) the jwa is JsonWebAlgorithm.none.
      iss - The issuer to put in the payload claims.
      sub - The subject to put in the payload claims.
      aud - The audience to put in the payload claims.
      nbf - The not-before to put in the payload claims.
      exp - The expiry to put in the payload claims.
      otherClaims - Other claims to put in the payload.
      Returns:
      A fully constructed and signed JWS (that may be broken in various ways if other settings are set).
      Throws:
      Exception - If the security subsystem is unable to carry out required operations.
    • generateHeaderNode

      protected io.vertx.core.json.JsonObject generateHeaderNode(String kid, JsonWebAlgorithm algorithm)
      Helper method to generate the token header node.
      Parameters:
      kid - The key ID.
      algorithm - The algorithm.
      Returns:
      The created JsonObject header node.
    • generateClaimsNode

      protected io.vertx.core.json.JsonObject generateClaimsNode(String iss, String sub, Long exp, Long nbf, List<String> aud, Map<String,Object> otherClaims)
      Helper method to build the payload for a token.
      Parameters:
      iss - The iss (issuer) claim.
      sub - The sub (subject) claim.
      exp - The exp (expiry) claim.
      nbf - The nbf (not before) claim.
      aud - The aud (audience) claim.
      otherClaims - Map of other claims that are to be added. Any claims in otherClaims will override anything else added to the claims.
      Returns:
      a JsonObject of the payload for a token.
    • base64JSon

      protected String base64JSon(boolean notJson, boolean brokenBase64, io.vertx.core.json.JsonObject json)
      Helper method to convert a JsonObject into a base64 representation. Optionally provides two ways in which the result can be invalidated.
      Parameters:
      notJson - If the JSON should be broken before the base64 encoding.
      brokenBase64 - If the base64 encoding should be broken.
      json - The JSON to be encoded.
      Returns:
      The JSON encoded as base64 (possibly broken).
    • base64Header

      protected String base64Header(io.vertx.core.json.JsonObject header)
      Helper method to convert the header to base64, possibly breaking it. Uses the headerNotJson and headerNotValidBase64 fields to determine whether the result should be valid.
      Parameters:
      header - The header to convert.
      Returns:
      The JSON encoded as base64 (possibly broken).
    • base64Claims

      protected String base64Claims(io.vertx.core.json.JsonObject claims)
      Helper method to convert the payload to base64, possibly breaking it. Uses the payloadNotJson and payloadNotValidBase64 fields to determine whether the result should be valid.
      Parameters:
      claims - The claims to convert.
      Returns:
      The JSON encoded as base64 (possibly broken).
    • generateSignature

      protected abstract byte[] generateSignature(String kid, JsonWebAlgorithm algorithm, String headerBase64, String claimsBase64) throws Exception
      Sign the token header and claims using the specified key.
      Parameters:
      kid - The key to use to sign the header and claims, if this key is not found in the cache it will be generated.
      algorithm - The algorithm to use to generate the key, if it is not found in the cache.
      headerBase64 - The header to include in the signature.
      claimsBase64 - The claims to include in the signature.
      Returns:
      The signature of the header and claims.
      Throws:
      Exception - If the security subsystem is unable to complete the operation.
    • base64Signature

      protected String base64Signature(byte[] signature)
      Helper method to base64 encode the signature, possibly breaking it. Uses the signatureNotValidBase64 field to determine whether the result should be valid.
      Parameters:
      signature - The signature of the header and payload.
      Returns:
      The base64 encoded signature.
    • constructToken

      protected String constructToken(String headerBase64, String claimsBase64, String signatureBase64)
      Helper method to concatenate the three parts of the token.
      Parameters:
      headerBase64 - The header, base 64 encoded.
      claimsBase64 - The claims, base 64 encoded.
      signatureBase64 - The signature, base 64 encoded.
      Returns:
      The final JWS.
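
The faults that the setters above introduce, reproduced with JDK classes only as an added example (not the library's own code): it signs an RS256 token, applies one fault at a time and runs each result through a minimal validator. The class name, the fault labels, the `k1` key ID, the sample claims, the base64url encoding without padding and the string-based header check (standing in for a JSON parser) are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Base64;

public class BrokenTokenDemo {
  static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding(); // assumption: JWS base64url
  static final Base64.Decoder DEC = Base64.getUrlDecoder();

  // Builds an RS256 JWS, optionally broken in one of the ways the setters describe.
  static String build(KeyPair kp, String fault) throws Exception {
    String header = "{\"alg\":\"RS256\",\"kid\":\"" + ("kid".equals(fault) ? "INVALID" : "k1") + "\"}";
    String claims = "{\"iss\":\"https://issuer.example\",\"sub\":\"alice\"}"; // constructed sample
    if ("headerJson".equals(fault)) header = header.replace("\"", "");  // quotes stripped from strings
    String h = ENC.encodeToString(header.getBytes(StandardCharsets.UTF_8));
    String c = ENC.encodeToString(claims.getBytes(StandardCharsets.UTF_8));
    Signature s = Signature.getInstance("SHA256withRSA");
    s.initSign(kp.getPrivate());
    s.update((h + "." + c).getBytes(StandardCharsets.US_ASCII));
    byte[] sig = s.sign();
    if ("sigHash".equals(fault)) sig = Arrays.copyOf(sig, sig.length - 1); // final byte stripped
    String g = ENC.encodeToString(sig);
    if ("sigBase64".equals(fault)) g = g.substring(0, g.length() - 1);     // one character removed
    return h + "." + c + "." + g;
  }

  // Minimal validator: returns "accepted" or the stage that rejected the token.
  static String verify(PublicKey key, String token) {
    String[] p = token.split("\\.");
    if (p.length != 3) return "rejected: structure";
    try {
      String header = new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
      if (!header.contains("\"alg\":\"RS256\"")) return "rejected: header"; // also refuses alg none
      if (!header.contains("\"kid\":\"k1\"")) return "rejected: unknown kid";
      Signature s = Signature.getInstance("SHA256withRSA");
      s.initVerify(key);
      s.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
      return s.verify(DEC.decode(p[2])) ? "accepted" : "rejected: signature";
    } catch (IllegalArgumentException | GeneralSecurityException e) {
      return "rejected: " + e.getClass().getSimpleName(); // bad base64 or unusable signature bytes
    }
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair kp = gen.generateKeyPair();
    for (String fault : new String[] {"none", "headerJson", "kid", "sigHash", "sigBase64"})
      System.out.println(fault + " -> " + verify(kp.getPublic(), build(kp, fault)));
  }
}
```

Removing one character from unpadded base64 only fails decoding when the remaining length leaves a single trailing character, as it does for the 342-character signature here; for other lengths the JDK decoder still returns bytes and the token is refused at a later stage. Validator tests built on these faults should therefore assert that the token is rejected rather than assert one particular failure stage.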