Class JwtSessionConfigurator

java.lang.Object
org.kawanfw.sql.api.server.session.JwtSessionConfigurator
All Implemented Interfaces:
SessionConfigurator

public class JwtSessionConfigurator
extends Object
implements SessionConfigurator
Session management using self-contained JWT (JSON Web Token).
See https://jwt.io for more info on JWT.

Advantage of JWT is that no session info is stored on the server.
Disadvantage of JWT is that the tokens are much longer and thus generate more HTTP traffic, and they are less convenient to use "manually" (with cURL, etc.).

The implementation is coded with the java-jwt library.

Note that:
Author:
Nicolas de Pomereu
  • Constructor Details

    • JwtSessionConfigurator

      public JwtSessionConfigurator()
  • Method Details

    • generateSessionId

      public String generateSessionId(String username, String database) throws IOException
      Generates a self-contained JWT that stores the username and the database.
      Specified by:
      generateSessionId in interface SessionConfigurator
      Parameters:
      username - the username to store for the passed session id
      database - the database to store for the passed session id
      Returns:
      a unique session id for the (username, database) pair.
      Throws:
      IOException - if any I/O error occurs
    • getUsername

      public String getUsername(String sessionId)
      Extracts the username from the decoded JWT.
      Specified by:
      getUsername in interface SessionConfigurator
      Parameters:
      sessionId - the session id
      Returns:
      the username stored for the passed session id
    • getDatabase

      public String getDatabase(String sessionId)
      Extracts the database from the decoded JWT.
      Specified by:
      getDatabase in interface SessionConfigurator
      Parameters:
      sessionId - the session id
      Returns:
      the database stored for the passed session id
    • remove

      public void remove(String sessionId)
      Description copied from interface: SessionConfigurator
      Removes storage for the passed session id. This method is called by AceQL when the client side calls logout.
      Specified by:
      remove in interface SessionConfigurator
      Parameters:
      sessionId - the session id
    • verifySessionId

      public boolean verifySessionId(String sessionId) throws IOException
      Performs the verification of the given JWT token, using any previously configured options.
      Also verifies that the token is not expired, i.e. that its age is shorter than getSessionTimelifeMinutes().
      Specified by:
      verifySessionId in interface SessionConfigurator
      Parameters:
      sessionId - the session id to verify
      Returns:
      true if the sessionId is valid
      Throws:
      IOException - if an IOException occurs
    • getSessionTimelifeMinutes

      public int getSessionTimelifeMinutes() throws IOException
      Specified by:
      getSessionTimelifeMinutes in interface SessionConfigurator
      Returns:
      the session lifetime in minutes
      Throws:
      IOException - if an IOException occurs
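As an added illustration of the contract above (not the project's java-jwt code, and written in Python with the standard library rather than Java), the following sketch mirrors generateSessionId, verifySessionId, getUsername, getDatabase and remove for an HS256 token that carries the username and database as claims. The HMAC secret and the 120-minute lifetime are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-change-me"  # assumption: server-side HMAC key, never sent to clients
SESSION_TIMELIFE_MINUTES = 120                  # stands in for getSessionTimelifeMinutes()

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_session_id(username: str, database: str, now=None) -> str:
    """Like generateSessionId: username and database travel inside the signed token."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"username": username, "database": database,
                                  "iat": now, "exp": now + SESSION_TIMELIFE_MINUTES * 60}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_session_id(session_id: str, now=None) -> bool:
    """Like verifySessionId: check the signature first, then the expiry claim."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = session_id.split(".")
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False  # forged or tampered token
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False  # pin the algorithm server-side; never trust the token's own choice
    return isinstance(payload, dict) and isinstance(payload.get("exp"), int) and now < payload["exp"]

def _claim(session_id: str, name: str):
    # getUsername/getDatabase only decode the payload; callers must verify the token first
    return json.loads(_b64url_decode(session_id.split(".")[1])).get(name)

def get_username(session_id: str) -> str:
    return _claim(session_id, "username")  # like getUsername()

def get_database(session_id: str) -> str:
    return _claim(session_id, "database")  # like getDatabase()

def remove(session_id: str) -> None:
    pass  # nothing to delete: a self-contained JWT leaves no server-side state to remove
```

Because remove has nothing to delete, a token stays valid until its exp claim even after logout, so the session lifetime is the only lever that bounds how long a leaked token can be replayed.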