1 /*
2 * Copyright (c) 2002-2021, City of Paris
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright notice
10 * and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright notice
13 * and the following disclaimer in the documentation and/or other materials
14 * provided with the distribution.
15 *
16 * 3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17 * contributors may be used to endorse or promote products derived from
18 * this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 *
32 * License 1.0
33 */
34 package fr.paris.lutece.util.signrequest;
35
36 import java.time.Instant;
37 import java.util.Date;
38 import java.util.Map;
39
40 import javax.servlet.http.HttpServletRequest;
41
42 import org.apache.logging.log4j.LogManager;
43 import org.apache.logging.log4j.Logger;
44
45 import fr.paris.lutece.util.jwt.service.JWTUtil;
46
/**
 * Base class for request authenticators that rely on a JSON Web Token (JWT) carried in an HTTP header.
 *
 * <p>
 * Security note: the check implemented in {@link #isRequestAuthenticated(HttpServletRequest)} does not verify the token signature. A token whose
 * signature has not been verified can be built by any client, so a {@code true} result from this class alone is not proof of the sender's identity.
 * Concrete subclasses are presumably expected to add the signature verification with their own key material; confirm this for every subclass.
 * </p>
 */
public abstract class AbstractJWTAuthenticator extends AbstractAuthenticator
{
    /** Logger shared with subclasses, bound to the {@code lutece.security.signrequest} category. */
    protected static final Logger LOGGER = LogManager.getLogger( "lutece.security.signrequest" );

    /** Claim names and the values they are checked against in the JWT payload. */
    protected Map<String, String> _mapClaimsToCheck;

    /** Name of the HTTP header from which the JWT is read. */
    protected String _strJWTHttpHeader;

    /**
     * Constructor
     *
     * <p>
     * The claims map is stored by reference, not copied, so later changes made by the caller to that map are seen by this authenticator.
     * </p>
     *
     * @param mapClaimsToCheck
     *            The map of claims key/values to check in the JWT
     * @param strJWTHttpHeader
     *            The name of the header which contains the JWT
     * @param lValidityTimePeriod
     *            The validity time period; {@link #getExpirationDate()} adds it to the current instant as milliseconds
     */
    public AbstractJWTAuthenticator( Map<String, String> mapClaimsToCheck, String strJWTHttpHeader, long lValidityTimePeriod )
    {
        // _lValidityTimePeriod is not declared in this class; presumably inherited from AbstractAuthenticator.
        _lValidityTimePeriod = lValidityTimePeriod;
        _strJWTHttpHeader = strJWTHttpHeader;
        _mapClaimsToCheck = mapClaimsToCheck;
    }

    /**
     * {@inheritDoc }
     *
     * <p>
     * This base implementation performs two checks, in order, and stops at the first one that fails:
     * </p>
     * <ol>
     * <li>the request carries a JWT in the configured header and its {@code exp} claim is acceptable, <strong>without checking the signature</strong>;</li>
     * <li>the JWT payload matches the configured claim key/values.</li>
     * </ol>
     *
     * <p>
     * Because the signature is not checked here, every claim read by these two checks is still attacker-controlled at this point. Treat a {@code true}
     * result as "well-formed and matching the expected claims", not as "authentic", until the signature has been verified elsewhere.
     * </p>
     */
    @Override
    public boolean isRequestAuthenticated( HttpServletRequest request )
    {
        // Short-circuit evaluation keeps the original order: the payload values are only
        // examined once the (signature-less) presence and expiration check has passed.
        return JWTUtil.containsValidUnsafeJWT( request, _strJWTHttpHeader )
                && JWTUtil.checkPayloadValues( request, _strJWTHttpHeader, _mapClaimsToCheck );
    }

    /**
     * Compute an expiration date for a token issued now.
     *
     * <p>
     * The result is the current instant plus {@code getValidityTimePeriod( )} interpreted as milliseconds. The period is not range-checked here, so a
     * zero or negative period yields a date that is not in the future.
     * </p>
     *
     * @return the expiration date of the JWT
     */
    protected Date getExpirationDate( )
    {
        return Date.from( Instant.now( ).plusMillis( getValidityTimePeriod( ) ) );
    }
}