1 /*
2 * Copyright (c) 2002-2021, City of Paris
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright notice
10 * and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright notice
13 * and the following disclaimer in the documentation and/or other materials
14 * provided with the distribution.
15 *
16 * 3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17 * contributors may be used to endorse or promote products derived from
18 * this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 * POSSIBILITY OF SUCH DAMAGE.
31 *
32 * License 1.0
33 */
34 package fr.paris.lutece.util.signrequest;
35
36 import java.security.Key;
37 import java.util.List;
38 import java.util.Map;
39
40 import javax.servlet.http.HttpServletRequest;
41
42 import fr.paris.lutece.util.jwt.service.JWTUtil;
43
44 public class JWTSecretKeyAuthenticator extends AbstractJWTAuthenticator
45 {
46 private String _strSecretKey;
47 private String _strEncryptionAlgorythmName;
48 private final String DEFAULT_ENC_ALGO_NAME = "HS256";
49
50 /**
51 * Constructor
52 *
53 * @param mapClaimsToCheck
54 * The map of claims key/values to check in the JWT
55 * @param strJWTHttpHeader
56 * The name of the header which contains the JWT
57 * @param lValidityPeriod
58 * The validity period
59 * @param strEncryptionAlgorythmName
60 * The name of the algorithm. Values are HS256, HS384, HS512
61 * @param strSecretKey
62 * The secret key
63 */
64 public JWTSecretKeyAuthenticator( Map<String, String> mapClaimsToCheck, String strJWTHttpHeader, long lValidityPeriod, String strEncryptionAlgorythmName,
65 String strSecretKey )
66 {
67 super( mapClaimsToCheck, strJWTHttpHeader, lValidityPeriod );
68 _strSecretKey = strSecretKey;
69 _strEncryptionAlgorythmName = strEncryptionAlgorythmName;
70
71 if ( _strEncryptionAlgorythmName == null )
72 {
73 _strEncryptionAlgorythmName = DEFAULT_ENC_ALGO_NAME;
74 }
75 }
76
77 /**
78 * {@inheritDoc }
79 */
80 @Override
81 public boolean isRequestAuthenticated( HttpServletRequest request )
82 {
83 boolean isAuthenticated = super.isRequestAuthenticated( request );
84
85 if ( isAuthenticated )
86 {
87 Key key = JWTUtil.getKey( _strSecretKey, _strEncryptionAlgorythmName );
88 return JWTUtil.checkSignature( request, _strJWTHttpHeader, key );
89 }
90 return false;
91 }
92
93 /**
94 * {@inheritDoc }
95 */
96 @Override
97 public AuthenticateRequestInformations getSecurityInformations( List<String> elements )
98 {
99 Key key = JWTUtil.getKey( _strSecretKey, _strEncryptionAlgorythmName );
100
101 return new AuthenticateRequestInformations().addSecurityHeader( _strJWTHttpHeader, JWTUtil.buildBase64JWT( _mapClaimsToCheck, getExpirationDate( ), _strEncryptionAlgorythmName, key ) );
102
103 }
104 }