com.atlassian.asap.core.server.filter

Class WhitelistRequestAuthorizationFilter

java.lang.Object

com.atlassian.asap.core.server.filter.AbstractRequestAuthorizationFilter

com.atlassian.asap.core.server.filter.WhitelistRequestAuthorizationFilter

All Implemented Interfaces:

javax.servlet.Filter

public class WhitelistRequestAuthorizationFilter
extends AbstractRequestAuthorizationFilter

Implements AbstractRequestAuthorizationFilter by using two whitelists of authorized subjects and issuers.

Constructor Summary

Constructors

Constructor and Description
WhitelistRequestAuthorizationFilter(Set<String> authorizedSubjects) Deprecated. This constructor has been deprecated because the behaviour is misleading. Please use IssuerAndSubjectAwareRequestAuthorizationFilter.issuers(Set) instead.
WhitelistRequestAuthorizationFilter(Set<String> authorizedSubjects, Set<String> authorizedIssuers) Constructs an authorization filter that only accepts tokens where the effective subject and the issuer belong to the respective whitelists.

Method Summary

Modifier and Type	Method and Description
protected boolean	isAuthorized(javax.servlet.http.HttpServletRequest request, Jwt jwt) Decides if the token is authorized for the request.

Methods inherited from class com.atlassian.asap.core.server.filter.AbstractRequestAuthorizationFilter

destroy, doFilter, init, onAuthorizationFailure, onAuthorizationSuccess, onTokenNotFound

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

WhitelistRequestAuthorizationFilter

public WhitelistRequestAuthorizationFilter(Set<String> authorizedSubjects,
                                           Set<String> authorizedIssuers)

Constructs an authorization filter that only accepts tokens where the effective subject and the issuer belong to the respective whitelists.

Parameters:

authorizedSubjects - effective subjects must belong to this set to be authorized

authorizedIssuers - issuers must belong to this set to be authorized

WhitelistRequestAuthorizationFilter

@Deprecated
public WhitelistRequestAuthorizationFilter(Set<String> authorizedSubjects)

Deprecated. This constructor has been deprecated because the behaviour is misleading. Please use IssuerAndSubjectAwareRequestAuthorizationFilter.issuers(Set) instead.

Constructs an authorization filter that only accepts tokens where the issuer and effective subject are in the given set.

There is no guarantee that the subject and the issuer are the same, just that they are both in the set. If you want to allow only self-signed JWTs from a known set of issuers, consider using IssuerAndSubjectAwareRequestAuthorizationFilter.issuers(Set) instead.

Parameters:

authorizedSubjects - issuers and effective subjects must belong to this set to be authorized

Method Detail

isAuthorized

protected boolean isAuthorized(javax.servlet.http.HttpServletRequest request,
                               Jwt jwt)

Description copied from class: AbstractRequestAuthorizationFilter

Decides if the token is authorized for the request.

Specified by:

isAuthorized in class AbstractRequestAuthorizationFilter

Parameters:

request - HTTP request received

jwt - Authentic and valid JWT token extracted from the request

Returns:

true if the token is authorized for the request