org.frankframework.lifecycle.servlets.AbstractServletAuthenticator

org.frankframework.lifecycle.servlets.BearerOnlyAuthenticator

All Implemented Interfaces:: IAuthenticator, org.springframework.beans.factory.Aware, org.springframework.context.ApplicationContextAware

public class BearerOnlyAuthenticator extends AbstractServletAuthenticator

Authenticator for bearer-only SSO authentication. This means that the application will not handle user login or logout, but expects the user to be authenticated by an external identity provider (IdP) using a JWT token. This has to be provided in the HTTP Authorization header as a Bearer token.

This authenticator should be configured by setting type to 'BEARER_ONLY' and have a issuerUri or jwkSetUri defined, for example:

application.security.console.authentication.type=BEARER_ONLY
application.security.console.authentication.issuerUri=https://example.com/realms/myrealm

Possibly, other optional settings might need to be applied as well. For example, when using Keycloak as IdP, the following settings are common:

application.security.console.authentication.userNameAttributeName=preferred_username
application.security.console.authentication.authoritiesClaimName=realm_access.roles

Author:: evandongen

Field Summary

Fields inherited from class AbstractServletAuthenticator
ALLOW_FORWARDED_HEADERS_PASSTHROUGH_REQUESTS_KEY, ALLOW_OPTIONS_REQUESTS_KEY, DEFAULT_IBIS_ROLES, DEFAULT_ROLE_PREFIX, log
Constructor Summary

Constructors

Constructor

Description

BearerOnlyAuthenticator()
Method Summary

Modifier and Type

Method

Description

org.springframework.security.web.SecurityFilterChain

configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)

Before building, configure the FilterChain.

protected org.springframework.security.authentication.AbstractAuthenticationToken

jwtAuthenticationTokenConverter(org.springframework.security.oauth2.jwt.Jwt jwt)

Our own implementation similar to Spring's JwtAuthenticationConverter.

Methods inherited from class AbstractServletAuthenticator
build, configureHttpSecurity, getAuthorizationManager, getEnvironmentProperties, getPrivateEndpoints, registerServlet, setApplicationContext

Methods inherited from class Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- BearerOnlyAuthenticator
  
  public BearerOnlyAuthenticator()
Method Details
- configure
  
  public org.springframework.security.web.SecurityFilterChain configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception
  
  Description copied from class: AbstractServletAuthenticator
  
  Before building, configure the FilterChain.
  
  Specified by:
  
  configure in class AbstractServletAuthenticator
  
  Throws:
  
  Exception
- jwtAuthenticationTokenConverter
  protected org.springframework.security.authentication.AbstractAuthenticationToken jwtAuthenticationTokenConverter(org.springframework.security.oauth2.jwt.Jwt jwt)
  
  Our own implementation similar to Spring's JwtAuthenticationConverter. Unlike Spring's Converter this one is capable of:
  
  Enriching the JWT claimset by calling the 'UserInfo' endpoint.
  
  Splitting nested roles, eg. realm_access.roles.
  
  Splitting a claim String on both `comma's` and `spaces`.
  
  Splitting a single entry Claim list on both `comma's` and `spaces`.
  
  Validating if the found Authorities may access the target resource.

Class BearerOnlyAuthenticator

Field Summary

Fields inherited from class AbstractServletAuthenticator

Constructor Summary

Method Summary

Methods inherited from class AbstractServletAuthenticator

Methods inherited from class Object

Constructor Details

BearerOnlyAuthenticator

Method Details

configure

jwtAuthenticationTokenConverter