/*
* Copyright (c) 2016, Inversoft Inc., All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the specific
* language governing permissions and limitations under the License.
*/
package org.primeframework.mvc.security;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.inject.Inject;
/**
* Default JWT Extractor. Assumes the Authorization header looks like the following:
* <pre>
* Authorization: JWT "XXXXXXXXXX.YYYYYYYYYY.ZZZZZZZZZZ"
* </pre>
* <p>
* If an <code>Authorization</code> header is not found in the request, we next look for a Cookie with a name of
* <code>access_token</code>.
* <p>
* If you expect the JWT in a different authorization scheme, a different Cookie name, etc., you should bind a different Extractor.
*
* @author Daniel DeGroff
*/
public class DefaultJWTRequestAdapter implements JWTRequestAdapter {
  /** Scheme prefix, including the single separating space, that marks a JWT in the Authorization header. */
  private static final String SCHEME_PREFIX = "JWT ";

  /** Name of the cookie consulted when the Authorization header yields no token. */
  private static final String COOKIE_NAME = "access_token";

  /** The request the token is read from. */
  protected final HttpServletRequest request;

  /** The response the cookie-removal instruction is written to. */
  protected final HttpServletResponse response;

  /**
   * Binds the adapter to a single request/response pair.
   *
   * @param request  the request inspected for the header and the cookie
   * @param response the response used by {@link #invalidateJWT()} to send the removal cookie
   */
  @Inject
  public DefaultJWTRequestAdapter(HttpServletRequest request, HttpServletResponse response) {
    this.request = request;
    this.response = response;
  }

  /**
   * Extracts the encoded JWT from the request without validating it.
   * <p>
   * The <code>Authorization</code> header wins when it starts with exactly <code>"JWT "</code> (the comparison is
   * case-sensitive). Everything after that prefix is returned verbatim: nothing is trimmed or unquoted, and the
   * result may be an empty string. In every other case the value of the first cookie named
   * <code>access_token</code> is returned.
   * <p>
   * The returned string is client-supplied and unverified; signature, expiry and claim checks are the caller's
   * responsibility.
   *
   * @return the encoded token, or <code>null</code> when neither source provides one
   */
  @Override
  public String getEncodedJWT() {
    String header = request.getHeader("Authorization");
    boolean headerCarriesJWT = header != null && header.startsWith(SCHEME_PREFIX);
    if (headerCarriesJWT) {
      return header.substring(SCHEME_PREFIX.length());
    }

    // NOTE(review): browsers attach cookies automatically, so requests authenticated through this fallback
    // depend on CSRF protection elsewhere in the application - confirm it exists.
    Cookie jwtCookie = findJWTCookie();
    return jwtCookie == null ? null : jwtCookie.getValue();
  }

  /**
   * Asks the browser to drop the <code>access_token</code> cookie, if the request carried one.
   * <p>
   * Only the cookie is touched. A token sent in the <code>Authorization</code> header is ignored here, and the
   * token itself is not revoked by this method: it is handed back to the caller, presumably so that it can be
   * revoked server-side.
   *
   * @return the value the cookie held, or <code>null</code> when the request had no such cookie
   */
  @Override
  public String invalidateJWT() {
    Cookie jwtCookie = findJWTCookie();
    if (jwtCookie == null) {
      return null;
    }

    String token = jwtCookie.getValue();

    // NOTE(review): the request's own Cookie object is reused. A cookie parsed from a request normally has no
    // Path or Domain, so the removal may only match if the cookie was issued with the same defaults - confirm
    // against the code that sets access_token.
    jwtCookie.setValue(null);
    jwtCookie.setMaxAge(0); // a max-age of zero tells the browser to delete the cookie
    response.addCookie(jwtCookie);
    return token;
  }

  /**
   * Reports whether the request carries something in one of the two supported token locations.
   * <p>
   * This is a presence check only. It returns <code>true</code> for an empty or malformed token as well.
   *
   * @return <code>true</code> when {@link #getEncodedJWT()} returns a non-null value
   */
  @Override
  public boolean requestContainsJWT() {
    String token = getEncodedJWT();
    return token != null;
  }

  /**
   * Finds the first request cookie named <code>access_token</code>.
   *
   * @return the matching cookie, or <code>null</code> when the request has no cookies or none matches
   */
  private Cookie findJWTCookie() {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) {
      return null;
    }

    for (Cookie candidate : cookies) {
      if (candidate.getName().equals(COOKIE_NAME)) {
        return candidate;
      }
    }
    return null;
  }
}