Class JwtSessionConfigurator
java.lang.Object
org.kawanfw.sql.api.server.session.JwtSessionConfigurator
- All Implemented Interfaces:
SessionConfigurator
public class JwtSessionConfigurator extends Object implements SessionConfigurator
Session management using self-contained JWT (JSON Web Token).
See https://jwt.io for more info on JWT.
Advantage of JWT is that no session info is stored on the server.
Disadvantage of JWT is that the tokens are much longer and thus generate more HTTP traffic, and are less convenient to use "manually" (with cURL, etc.).
Implementation is coded with the java-jwt library.
Note that:
- A secret value must be defined using the jwtSessionConfiguratorSecret property in aceql-server.properties.
- The JWT lifetime value used is the DefaultSessionConfigurator.getSessionTimelifeMinutes() value.
Author:
- Nicolas de Pomereu

Constructor Summary
- JwtSessionConfigurator()
Method Summary
- String generateSessionId(String username, String database): Generates a self-contained JWT that stores the username and the database.
- String getDatabase(String sessionId): Extracts the database from the decoded JWT.
- int getSessionTimelifeMinutes(): Returns the same value as DefaultSessionConfigurator.getSessionTimelifeMinutes().
- String getUsername(String sessionId): Extracts the username from the decoded JWT.
- void remove(String sessionId): Removes storage for the passed session Id.
- boolean verifySessionId(String sessionId): Performs the verification against the given JWT token, using any previously configured options.
Constructor Details

JwtSessionConfigurator
public JwtSessionConfigurator()
Method Details

generateSessionId
Generates a self-contained JWT that stores the username and the database.
- Specified by: generateSessionId in interface SessionConfigurator
- Parameters:
  - username - the username to store for the passed session id
  - database - the database to store for the passed session id
- Returns: a unique session id for the (username, database) couple.
- Throws: IOException - if any I/O error occurs
getUsername
Extracts the username from the decoded JWT.
- Specified by: getUsername in interface SessionConfigurator
- Parameters:
  - sessionId - the session id
- Returns: the username stored for the passed session Id
getDatabase
Extracts the database from the decoded JWT.
- Specified by: getDatabase in interface SessionConfigurator
- Parameters:
  - sessionId - the session id
- Returns: the database stored for the passed session Id
remove
Description copied from interface: SessionConfigurator
Removes storage for the passed session Id. Method is called by AceQL when the client side calls logout.
- Specified by: remove in interface SessionConfigurator
- Parameters:
  - sessionId - the session id
verifySessionId
Performs the verification against the given JWT token, using any previously configured options.
Also verifies that the token is not expired, i.e. its lifetime is shorter than getSessionTimelife().
- Specified by: verifySessionId in interface SessionConfigurator
- Parameters:
  - sessionId - the session id to verify
- Returns: true if the sessionId is valid
- Throws: IOException - if an IOException occurs
getSessionTimelifeMinutes
Returns the same value as DefaultSessionConfigurator.getSessionTimelifeMinutes().
- Specified by: getSessionTimelifeMinutes in interface SessionConfigurator
- Returns: the session lifetime in minutes
- Throws: IOException - if an IOException occurs
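The generate/verify/extract cycle this class describes, as an added illustration built on the java-jwt (com.auth0) library; it is not AceQL's own JwtSessionConfigurator source. The property name jwtSessionConfiguratorSecret and the username/database claims come from this page; the JwtSessions class name, the Properties argument and passing the lifetime in as a constructor parameter are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.Properties;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
// Added example, not AceQL's own class: session ids as self-contained JWTs (java-jwt).
public class JwtSessions {
    private final Algorithm algorithm;  // HMAC keyed with the configured secret
    private final JWTVerifier verifier; // built once, reused for every check
    private final int lifetimeMinutes;  // assumption: AceQL takes this from DefaultSessionConfigurator
    public JwtSessions(Properties serverProperties, int lifetimeMinutes) {
        // The page requires jwtSessionConfiguratorSecret in aceql-server.properties; refuse to start without it.
        String secret = serverProperties.getProperty("jwtSessionConfiguratorSecret");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("jwtSessionConfiguratorSecret is not defined");
        }
        this.algorithm = Algorithm.HMAC256(secret.getBytes(StandardCharsets.UTF_8));
        this.verifier = JWT.require(algorithm).build(); // verify() also rejects an expired "exp"
        this.lifetimeMinutes = lifetimeMinutes;
    }

    /** Token carrying the (username, database) couple, signed and stamped with issue and expiry time. */
    public String generateSessionId(String username, String database) {
        long now = System.currentTimeMillis();
        return JWT.create()
                .withClaim("username", username)
                .withClaim("database", database)
                .withIssuedAt(new Date(now))
                .withExpiresAt(new Date(now + lifetimeMinutes * 60_000L))
                .sign(algorithm);
    }

    /** True only if the signature matches the secret and the token has not expired. */
    public boolean verifySessionId(String sessionId) {
        try {
            verifier.verify(sessionId);
            return true;
        } catch (JWTVerificationException e) { // tampered, wrong key, malformed or expired
            return false;
        }
    }
    /** JWT.decode() does not check the signature: only call these after verifySessionId() returned true. */
    public String getUsername(String sessionId) { return JWT.decode(sessionId).getClaim("username").asString(); }
    public String getDatabase(String sessionId) { return JWT.decode(sessionId).getClaim("database").asString(); }
    /** Nothing is stored server side, so there is nothing to remove: the token stays valid until "exp". */
    public void remove(String sessionId) { }
}
```

Because the token is self-contained, logout cannot invalidate it before "exp"; the lifetime set via getSessionTimelifeMinutes() is the only bound on how long a leaked token stays usable.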