All Downloads are FREE. Search and download functionalities are using the official Maven repository.

acscommons.io.jsonwebtoken.JwtParserBuilder Maven / Gradle / Ivy

There is a newer version: 6.9.4
Show newest version
/*
 * Copyright (C) 2019 jsonwebtoken.io
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package acscommons.io.jsonwebtoken;

import acscommons.io.jsonwebtoken.io.Decoder;
import acscommons.io.jsonwebtoken.io.Deserializer;

import java.security.Key;
import java.util.Date;
import java.util.Map;

/**
 * A builder to construct a {@link JwtParser}. Example usage:
 * 
{@code
 *     Jwts.parserBuilder()
 *         .setSigningKey(...)
 *         .requireIssuer("https://issuer.example.com")
 *         .build()
 *         .parse(jwtString)
 * }
* * @since 0.11.0 */ @SuppressWarnings("JavadocLinkAsPlainText") public interface JwtParserBuilder { /** * Ensures that the specified {@code jti} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param id the required value of the {@code jti} header parameter. * @return the parser builder for method chaining. * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder requireId(String id); /** * Ensures that the specified {@code sub} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param subject the required value of the {@code sub} header parameter. * @return the parser builder for method chaining. * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder requireSubject(String subject); /** * Ensures that the specified {@code aud} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param audience the required value of the {@code aud} header parameter. * @return the parser builder for method chaining. * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder requireAudience(String audience); /** * Ensures that the specified {@code iss} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param issuer the required value of the {@code iss} header parameter. * @return the parser builder for method chaining. * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder requireIssuer(String issuer); /** * Ensures that the specified {@code iat} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param issuedAt the required value of the {@code iat} header parameter. * @return the parser builder for method chaining. * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder requireIssuedAt(Date issuedAt); /** * Ensures that the specified {@code exp} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param expiration the required value of the {@code exp} header parameter. * @return the parser builder for method chaining. * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder requireExpiration(Date expiration); /** * Ensures that the specified {@code nbf} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param notBefore the required value of the {@code npf} header parameter. * @return the parser builder for method chaining * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder requireNotBefore(Date notBefore); /** * Ensures that the specified {@code claimName} exists in the parsed JWT. If missing or if the parsed * value does not equal the specified value, an exception will be thrown indicating that the * JWT is invalid and may not be used. * * @param claimName the name of a claim that must exist * @param value the required value of the specified {@code claimName} * @return the parser builder for method chaining. * @see MissingClaimException * @see IncorrectClaimException */ JwtParserBuilder require(String claimName, Object value); /** * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT. * The parser uses a default Clock implementation that simply returns {@code new Date()} when called. * * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT. * @return the parser builder for method chaining. */ JwtParserBuilder setClock(Clock clock); /** * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp} * and {@code nbf} claims. * * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims. * @return the parser builder for method chaining. * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as * any such value would cause numeric overflow when multiplying by 1000 to obtain * a millisecond value. */ JwtParserBuilder setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException; /** * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not * a JWS (no signature), this key is not used. * *

Note that this key MUST be a valid key for the signature algorithm found in the JWT header * (as the {@code alg} header parameter).

* *

This method overwrites any previously set key.

* * @param key the algorithm-specific signature verification key used to validate any discovered JWS digital * signature. * @return the parser builder for method chaining. */ JwtParserBuilder setSigningKey(byte[] key); /** * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not * a JWS (no signature), this key is not used. * *

Note that this key MUST be a valid key for the signature algorithm found in the JWT header * (as the {@code alg} header parameter).

* *

This method overwrites any previously set key.

* *

This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting * byte array is used to invoke {@link #setSigningKey(byte[])}.

* *

Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0

* *

This method has been deprecated because the {@code key} argument for this method can be confusing: keys for * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were * obtained from the String argument.

* *

This method always expected a String argument that was effectively the same as the result of the following * (pseudocode):

* *

{@code String base64EncodedSecretKey = base64Encode(secretKeyBytes);}

* *

However, a non-trivial number of JJWT users were confused by the method signature and attempted to * use raw password strings as the key argument - for example {@code setSigningKey(myPassword)} - which is * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.

* *

See this * * StackOverflow answer explaining why raw (non-base64-encoded) strings are almost always incorrect for * signature operations.

* *

Finally, please use the {@link #setSigningKey(Key) setSigningKey(Key)} instead, as this method (and likely the * {@code byte[]} variant) will be removed before the 1.0.0 release.

* * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signature verification key to use to validate * any discovered JWS digital signature. * @return the parser builder for method chaining. * @deprecated in favor of {@link #setSigningKey(Key)} as explained in the above Deprecation Notice, * and will be removed in 1.0.0. */ @Deprecated JwtParserBuilder setSigningKey(String base64EncodedSecretKey); /** * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not * a JWS (no signature), this key is not used. * *

Note that this key MUST be a valid key for the signature algorithm found in the JWT header * (as the {@code alg} header parameter).

* *

This method overwrites any previously set key.

* * @param key the algorithm-specific signature verification key to use to validate any discovered JWS digital * signature. * @return the parser builder for method chaining. */ JwtParserBuilder setSigningKey(Key key); /** * Sets the {@link SigningKeyResolver} used to acquire the signing key that should be used to verify * a JWS's signature. If the parsed String is not a JWS (no signature), this resolver is not used. * *

Specifying a {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing * the JWT and the JWT header or payload (plaintext body or Claims) must be inspected first to determine how to * look up the signing key. Once returned by the resolver, the JwtParser will then verify the JWS signature with the * returned key. For example:

* *
     * Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
     *         @Override
     *         public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
     *             //inspect the header or claims, lookup and return the signing key
     *             return getSigningKey(header, claims); //implement me
     *         }})
     *     .parseClaimsJws(compact);
     * 
* *

A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.

* *

This method should only be used if a signing key is not provided by the other {@code setSigningKey*} builder * methods.

* * @param signingKeyResolver the signing key resolver used to retrieve the signing key. * @return the parser builder for method chaining. */ JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver); /** * Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to * decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used. * *

NOTE: Compression is not defined by the JWT Specification, and it is not expected that other libraries * (including JJWT versions < 0.6.0) are able to consume a compressed JWT body correctly. This method is only * useful if the compact JWT was compressed with JJWT >= 0.6.0 or another library that you know implements * the same behavior.

* *

Default Support

* *

JJWT's default {@link JwtParser} implementation supports both the * {@link CompressionCodecs#DEFLATE DEFLATE} * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to * specify a {@code CompressionCodecResolver} in these cases.

* *

However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement * your own {@link CompressionCodecResolver} and specify that via this method and also when * {@link acscommons.io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.

* * @param compressionCodecResolver the compression codec resolver used to decompress the JWT body. * @return the parser builder for method chaining. */ JwtParserBuilder setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver); /** * Perform Base64Url decoding with the specified Decoder * *

JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method * to specify a different decoder if you desire.

* * @param base64UrlDecoder the decoder to use when Base64Url-decoding * @return the parser builder for method chaining. */ JwtParserBuilder base64UrlDecodeWith(Decoder base64UrlDecoder); /** * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects. This is * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map * objects. * *

If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the * presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is * invoked.

* * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects. * @return the builder for method chaining. */ JwtParserBuilder deserializeJsonWith(Deserializer> deserializer); /** * Returns an immutable/thread-safe {@link JwtParser} created from the configuration from this JwtParserBuilder. * * @return an immutable/thread-safe JwtParser created from the configuration from this JwtParserBuilder. */ JwtParser build(); }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy