
1   package com.atlassian.asap.core.server.filter;
2   
3   import com.atlassian.asap.api.Jwt;
4   import com.google.common.collect.ImmutableSet;
5   
6   import javax.servlet.http.HttpServletRequest;
7   import java.util.Set;
8   
9   /**
10   * Implements {@link AbstractRequestAuthorizationFilter} by using two whitelists of authorized subjects and
11   * issuers.
12   */
13  public class WhitelistRequestAuthorizationFilter extends AbstractRequestAuthorizationFilter {
14      private final Set<String> authorizedSubjects;
15      private final Set<String> authorizedIssuers;
16  
17      /**
18       * Constructs an authorization filter that only accepts tokens where the effective subject and the issuer
19       * belong to the respective whitelists.
20       *
21       * @param authorizedSubjects effective subjects must belong to this set to be authorized
22       * @param authorizedIssuers  issuers must belong to this set to be authorized
23       */
24      public WhitelistRequestAuthorizationFilter(Set<String> authorizedSubjects, Set<String> authorizedIssuers) {
25          this.authorizedSubjects = ImmutableSet.copyOf(authorizedSubjects);
26          this.authorizedIssuers = ImmutableSet.copyOf(authorizedIssuers);
27      }
28  
29      /**
30       * Constructs an authorization filter that only accepts tokens where the issuer and effective subject are in the
31       * given set.
32       *
33       * <p>There is no guarantee that the subject and the issuer are the same, just that they are both in the set. If you
34       * want to allow only self-signed JWTs from a known set of issuers, consider using
35       * {@link IssuerAndSubjectAwareRequestAuthorizationFilter#issuers(Set)} instead.
36       *
37       * @param authorizedSubjects issuers and effective subjects must belong to this set to be authorized
38       * @deprecated This constructor has been deprecated because the behaviour is misleading. Please use
39       * {@link IssuerAndSubjectAwareRequestAuthorizationFilter#issuers(Set)} instead.
40       */
41      @Deprecated
42      public WhitelistRequestAuthorizationFilter(Set<String> authorizedSubjects) {
43          this(authorizedSubjects, authorizedSubjects);
44      }
45  
46      @Override
47      protected boolean isAuthorized(HttpServletRequest request, Jwt jwt) {
48          // authorize issuer
49          boolean issuerIsAuthorized = authorizedIssuers.contains(jwt.getClaims().getIssuer());
50  
51          // authorize subject
52          String effectiveSubject = jwt.getClaims().getSubject().orElse(jwt.getClaims().getIssuer());
53          boolean subjectIsAuthorized = authorizedSubjects.contains(effectiveSubject);
54  
55          return issuerIsAuthorized && subjectIsAuthorized;
56      }
57  }