public class JwtSessionManager extends Object implements SessionManager
See also: JwtCookieSession.
{
"name": "JwtSession",
"type": "JwtSession",
"config": {
"keystore": "Ref To A KeyStore",
"alias": "PrivateKey Alias",
"password": "KeyStore/Key Password",
"cookieName": "OpenIG",
"cookieDomain": ".example.com",
"sessionTimeout": "30 minutes",
"persistentCookie": true,
"sharedSecret": "hello=="
}
}
All the session configuration is optional: if you omit everything, the appropriate keys will be generated and the cookie name used will be JwtCookieSession.OPENIG_JWT_SESSION.
The keystore attribute is an optional attribute that references a KeyStore heap object. It will be used to obtain the required encryption keys. If omitted, the alias and password attributes will also be ignored, and a temporary key pair will be generated.
The alias string attribute specifies the name of the private key to obtain from the KeyStore. It is only required when a keystore is specified.
The password static expression attribute specifies the password to use when reading the private key from the KeyStore. It is only required when a keystore is specified.
The cookieName optional string attribute specifies the name of the cookie used to store the encrypted JWT. If not set, JwtCookieSession.OPENIG_JWT_SESSION is used.
The cookieDomain optional string attribute specifies the domain of the cookie used to store the encrypted JWT. If not set, the cookie will be treated as a host-based cookie.
The sessionTimeout optional duration attribute specifies the amount of time before the JWT session expires. If not set, a default of 30 minutes is used. A duration of 0 is not valid, and any value longer than approximately 10 years is capped at that maximum.
The persistentCookie optional boolean attribute (defaults to false) specifies whether the supporting cookie will have an Expires attribute (persistent cookie) or not (session cookie). The expiration value is based on the sessionTimeout value.
The sharedSecret optional string attribute specifies the key used to sign and verify the JWTs. It is expected to be Base64 encoded. If unspecified, random key material is generated; since that material exists only in the instance that generated it, such sessions cannot be verified after a restart or by another instance. The value "hello==" in the example above is a placeholder, not a usable secret: use a long value generated from a cryptographically secure random source.
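The rules above (the 30-minute default, the rejected zero duration, the 10-year cap, the keystore/alias/password dependency, and the Base64 sharedSecret) are easy to get wrong in a hand-written config. The following checker is an added example written for this page, not OpenIG code; its function names are its own, and the 32-byte minimum it enforces for sharedSecret is an assumption taken from RFC 7518 (an HMAC key must be at least as long as the hash output, 256 bits for HS256), not a rule the page states.

```python
"""Added example (not OpenIG code): a checker for the JwtSession configuration
rules documented above.  Function and constant names are this example's own; the
32-byte minimum for sharedSecret is an assumption (RFC 7518), not a page rule."""
import base64
import binascii
import os
import re
from typing import Any, Dict, List, Tuple

DEFAULT_COOKIE_NAME = "JwtCookieSession.OPENIG_JWT_SESSION"
DEFAULT_SESSION_TIMEOUT = "30 minutes"
# Approximately 10 years ignoring leap years, as the page describes MAX_SESSION_TIMEOUT.
MAX_SESSION_TIMEOUT_SECONDS = 10 * 365 * 24 * 60 * 60
MIN_SECRET_BYTES = 32  # assumption, see lead-in

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_duration(text: str) -> int:
    """Parse a duration such as '30 minutes' or '1 hour' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*(second|minute|hour|day)s?\s*", text)
    if not m:
        raise ValueError("unparseable duration %r" % text)
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def effective_timeout_seconds(config: Dict[str, Any]) -> int:
    """Apply the documented rules: default 30 minutes, 0 rejected, cap at ~10 years."""
    seconds = parse_duration(config.get("sessionTimeout", DEFAULT_SESSION_TIMEOUT))
    if seconds == 0:
        raise ValueError("a sessionTimeout of 0 is not valid")
    return min(seconds, MAX_SESSION_TIMEOUT_SECONDS)


def decoded_secret_length(secret: str) -> int:
    """Byte length of a Base64 sharedSecret, or -1 if it is not valid Base64."""
    try:
        return len(base64.b64decode(secret, validate=True))
    except (binascii.Error, ValueError):
        return -1


def generate_shared_secret(nbytes: int = MIN_SECRET_BYTES) -> str:
    """Produce a sharedSecret of the documented form (Base64) from CSPRNG bytes."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def validate_jwt_session_config(config: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (effective settings, findings); an empty findings list means the config is clean."""
    findings: List[str] = []
    effective: Dict[str, Any] = {
        "cookieName": config.get("cookieName", DEFAULT_COOKIE_NAME),
        "cookieDomain": config.get("cookieDomain"),  # None means host-based cookie
        "persistentCookie": bool(config.get("persistentCookie", False)),
    }
    try:
        effective["sessionTimeoutSeconds"] = effective_timeout_seconds(config)
    except ValueError as exc:
        findings.append("sessionTimeout: %s" % exc)

    if "keystore" in config:
        effective["keySource"] = "keystore"
        for name in ("alias", "password"):
            if name not in config:
                findings.append("%s: required when keystore is set" % name)
    else:
        # Without a keystore, alias/password are ignored and a temporary key pair is generated.
        effective["keySource"] = "generated"
        for name in ("alias", "password"):
            if name in config:
                findings.append("%s: ignored because keystore is not set" % name)

    if "sharedSecret" in config:
        effective["secretSource"] = "configured"
        n = decoded_secret_length(config["sharedSecret"])
        if n < MIN_SECRET_BYTES:
            findings.append("sharedSecret: expected Base64 of at least %d bytes, decoded to %d"
                            % (MIN_SECRET_BYTES, n))
    else:
        effective["secretSource"] = "generated"
    if effective["keySource"] == "generated" or effective["secretSource"] == "generated":
        findings.append("keys: generated per instance, so sessions will not verify after a "
                        "restart or on another instance")
    return effective, findings


# Constructed inputs: the config shown on this page, and a hardened variant of it.
PAGE_EXAMPLE_CONFIG = {
    "keystore": "Ref To A KeyStore",
    "alias": "PrivateKey Alias",
    "password": "KeyStore/Key Password",
    "cookieName": "OpenIG",
    "cookieDomain": ".example.com",
    "sessionTimeout": "30 minutes",
    "persistentCookie": True,
    "sharedSecret": "hello==",
}
HARDENED_CONFIG = dict(PAGE_EXAMPLE_CONFIG,
                       persistentCookie=False,
                       sharedSecret=generate_shared_secret())

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        settings, problems = validate_jwt_session_config(cfg)
        print(label, settings, problems or "no findings")
```

Run against the page's own example, the checker flags only sharedSecret: "hello==" is not a usable key, whereas the hardened variant (same keystore wiring, a fresh 32-byte secret, a session cookie instead of a persistent one) produces no findings.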
Modifier and Type | Class and Description
---|---
static class | JwtSessionManager.Heaplet: creates and initializes a jwt-session in a heap environment.
Modifier and Type | Field and Description
---|---
static String | DEFAULT_SESSION_TIMEOUT: default sessionTimeout duration.
static Duration | MAX_SESSION_TIMEOUT: the maximum session timeout duration, allows for an expiry time of approximately 10 years (does not take leap years into consideration).
Constructor and Description
---
JwtSessionManager(KeyPair keyPair, String cookieName, String cookieDomain, TimeService timeService, Duration sessionTimeout, boolean persistentCookie, SigningHandler handler): builds a new JwtSessionManager using the given KeyPair for session encryption, storing the opaque result in a cookie with the given name.
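The constructor documents the moving parts (a signing handler, a cookie name and optional domain, a TimeService for expiry, a sessionTimeout, and the persistent/session cookie switch), and load/save below are where they come together. The model below is an added example written for this page, not OpenIG code: it signs the session claims with HMAC-SHA256 as a compact JWT and stores that in the cookie, and it leaves out the JWE encryption layer that the real class applies with its KeyPair, so the payload here is readable but tamper-evident. The class and function names, and the Path/HttpOnly/Secure attributes it puts on the cookie, are this example's own choices, not something the page states about OpenIG.

```python
"""Added example (not OpenIG code): a model of the save/load cycle of a JWT
session cookie.  HMAC-SHA256 signing only; the KeyPair-based JWE encryption of
the real class is omitted.  Names and cookie attributes are this example's own."""
import base64
import hashlib
import hmac
import json
import time
from email.utils import formatdate
from typing import Any, Callable, Dict, Optional

DEFAULT_COOKIE_NAME = "JwtCookieSession.OPENIG_JWT_SESSION"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JwtSessionManagerModel:
    def __init__(self, shared_secret: bytes, cookie_name: str = DEFAULT_COOKIE_NAME,
                 cookie_domain: Optional[str] = None, session_timeout_s: int = 1800,
                 persistent_cookie: bool = False,
                 time_service: Callable[[], float] = time.time) -> None:
        self.secret = shared_secret
        self.cookie_name = cookie_name
        self.cookie_domain = cookie_domain   # None: host-based cookie
        self.timeout = session_timeout_s
        self.persistent = persistent_cookie
        self.now = time_service              # injectable clock, like TimeService

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self.secret, signing_input.encode("ascii"), hashlib.sha256).digest()

    def save(self, session: Dict[str, Any], response_headers: Dict[str, str]) -> str:
        """Serialize the session as a signed JWT and set it as a cookie on the response."""
        issued = int(self.now())
        claims = dict(session, exp=issued + self.timeout)   # exp comes from sessionTimeout
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                         + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
        token = signing_input + "." + b64url_encode(self._sign(signing_input))
        attrs = ["%s=%s" % (self.cookie_name, token), "Path=/", "HttpOnly", "Secure"]
        if self.cookie_domain:
            attrs.append("Domain=" + self.cookie_domain)
        if self.persistent:
            # Persistent cookie: Expires is derived from sessionTimeout, as the page states.
            attrs.append("Expires=" + formatdate(issued + self.timeout, usegmt=True))
        cookie = "; ".join(attrs)
        response_headers["Set-Cookie"] = cookie
        return cookie

    def load(self, request_headers: Dict[str, str]) -> Dict[str, Any]:
        """Return the session claims from the request cookie, or {} if absent, forged or expired."""
        token = None
        for part in request_headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.cookie_name:
                token = value
        if token is None or token.count(".") != 2:
            return {}
        header_b64, payload_b64, sig_b64 = token.split(".")
        try:
            # The algorithm is fixed on our side, so the token's alg header is never trusted.
            signature = b64url_decode(sig_b64)
            if not hmac.compare_digest(self._sign(header_b64 + "." + payload_b64), signature):
                return {}
            claims = json.loads(b64url_decode(payload_b64))   # parsed only after verification
        except ValueError:
            return {}
        if not isinstance(claims, dict) or claims.get("exp", 0) <= int(self.now()):
            return {}
        claims.pop("exp")
        return claims
```

The injectable clock is what makes the expiry path testable without waiting: advance it past sessionTimeout and load returns an empty session even though the browser would still send a persistent cookie, which is the page's point that the JWT's own expiry, not the cookie's Expires attribute, bounds the session.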
public static final String DEFAULT_SESSION_TIMEOUT

public static final Duration MAX_SESSION_TIMEOUT

public JwtSessionManager(KeyPair keyPair, String cookieName, String cookieDomain, TimeService timeService, Duration sessionTimeout, boolean persistentCookie, SigningHandler handler)
Parameters:
keyPair - Private and public keys used for ciphering/deciphering.
cookieName - Name of the cookie.
cookieDomain - Domain of the cookie. If null, the cookie will be treated as a host-based cookie.
timeService - TimeService to use when dealing with JWT sessions' expiration.
sessionTimeout - The duration of the session.
persistentCookie - Issue a persistent cookie (with Expires attribute) or a session cookie (no Expires attribute).
handler - The JWT signing handler.

public Session load(Request request)
Description copied from interface: SessionManager. Loads the session associated with the given Request. The implementations are free to keep a reference to the Request. The session object is scoped by the Request's own lifecycle.
Specified by: load in interface SessionManager
Parameters:
request - Request to create a session for.

public void save(Session session, Response response) throws IOException
Description copied from interface: SessionManager.
Specified by: save in interface SessionManager
Parameters:
session - The session to save.
response - The response to save the session to.
Throws:
IOException - If the session could not be saved to the response.

Copyright 2011-2015 ForgeRock AS.