Add ignore validation options and static methods for validation of claims independent to token parsing #175

Closed
wants to merge 12 commits into from
29 changes: 29 additions & 0 deletions src/main/java/io/jsonwebtoken/JwtParser.java
Expand Up @@ -261,7 +261,36 @@ public interface JwtParser {
* otherwise.
*/
boolean isSigned(String jwt);

/**
* Do not validate the {@code exp} claim when parsing the JWT.
* <p>
* <p>Note that this circumvents security features of JWT.</p>
*
* @return the parser for method chaining.
* @see ExpiredJwtException
*/
JwtParser ignoreExpiry();

/**
* Do not validate the {@code nbf} claim when parsing the JWT.
* <p>
* <p>Note that this circumvents security features of JWT.</p>
* @return the parser for method chaining.
* @see PrematureJwtException
*/
JwtParser ignoreNotBefore();

/**
* Do not validate the JWS digital signature.
* <p>
* <p>Note that this circumvents security features of JWT and JWS.</p>
*
* @return the parser for method chaining.
* @see SignatureException
*/
JwtParser ignoreSignature();
Contributor

I'm not sure we want to allow this - it is not good for a spec-compliant parser to allow avoiding mandated security rules. It's probably better to catch the exception and then ignore it if you want to - otherwise it is not obvious in code that you're ignoring security checks.

Author

Ok we can remove this method. Security comes first. :)


/**
* Parses the specified compact serialized JWT string based on the builder's current configuration state and
* returns the resulting JWT or JWS instance.
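Review bot: `ignoreSignature()` (the last new method in this hunk) lets `parse` hand back a JWS instance whose signature was never checked, and nothing on the returned object distinguishes it from a verified one, so every downstream consumer of the parsed claims inherits the bypass silently; if the method stays, its Javadoc should state that the result must be treated as unauthenticated input, but dropping it, as agreed in the thread, is the simpler fix. The same applies in milder form to `ignoreExpiry()` and `ignoreNotBefore()`: catching `ExpiredJwtException` or `PrematureJwtException` at the call site, as suggested above, keeps the bypass visible where it happens. Minor: all three Javadoc blocks contain a bare `* <p>` line immediately before `* <p>Note that ...</p>`, which renders as an empty paragraph; remove the bare line, and add the blank `*` line before `@return` in `ignoreNotBefore()` to match the other two methods.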
72 changes: 72 additions & 0 deletions src/main/java/io/jsonwebtoken/JwtParts.java
@@ -0,0 +1,72 @@
package io.jsonwebtoken;
Contributor

io.jsonwebtoken.impl


/**
* Container class which contains encoded header, payload and signature parts of
* the token.
*
* @since 0.8
*/
public class JwtParts {
Contributor

@lhazlewood lhazlewood Oct 1, 2016

This is not entirely correct. A JWT can be a JWS or JWE, and they have different numbers of 'parts' (Unsecured JWT = 2 parts, JWS = 3, JWE = 5). Whatever implementation we'd have around that needs to account for any/all 3 of these scenarios, and probably typed accordingly, e.g. JwsParts extends JwtParts and JweParts extends JwtParts.

Contributor

Because JWE is being implemented in the jwe branch, you might not need to worry about jwe parts yet, but whatever implementation we create should be extensible enough to support that upcoming feature/release.


private String base64UrlEncodedHeader;
private String base64UrlEncodedPayload;
private String base64UrlEncodedSignature;

/**
* Get Base64 URL encoded header.
*
* @return Base64 URL encoded header as String.
*/
public String getBase64UrlEncodedHeader() {
return base64UrlEncodedHeader;
}

/**
* Set Base64 URL encoded header.
*
* @param base64UrlEncodedHeader
* Base64 URL encoded header as String.
*/
public void setBase64UrlEncodedHeader(String base64UrlEncodedHeader) {
this.base64UrlEncodedHeader = base64UrlEncodedHeader;
}

/**
* Get Base64 URL encoded payload.
*
* @return Base64 URL encoded payload as String.
*/
public String getBase64UrlEncodedPayload() {
return base64UrlEncodedPayload;
}

/**
* Set Base64 URL encoded payload.
*
* @param base64UrlEncodedPayload
* Base64 URL encoded payload as String.
*/
public void setBase64UrlEncodedPayload(String base64UrlEncodedPayload) {
this.base64UrlEncodedPayload = base64UrlEncodedPayload;
}

/**
* Get Base64 URL encoded signature.
*
* @return Base64 URL encoded signature as String.
*/
public String getBase64UrlEncodedSignature() {
return base64UrlEncodedSignature;
}

/**
* Set Base64 URL encoded signature.
*
* @param base64UrlEncodedSignature
* Base64 URL encoded signature as String.
*/
public void setBase64UrlEncodedSignature(String base64UrlEncodedSignature) {
this.base64UrlEncodedSignature = base64UrlEncodedSignature;
}

}
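Review bot: the three parts are held in non-final fields with public setters and no null checks, so a `JwtParts` can be created empty, or have `base64UrlEncodedSignature` replaced or cleared after construction, and nothing ties the three strings to the token they were split from. Since the class only carries the split result of one compact serialization, make the fields `final`, populate them through a constructor, and remove the setters; with an immutable object a caller can never be handed a three-part "JWS" whose signature slot was nulled out later. The class Javadoc says it "contains encoded header, payload and signature parts of the token", but as noted in the thread an unsecured JWT has no signature part; if the flat class is kept for now, document that `getBase64UrlEncodedSignature()` returns null in that case rather than leaving it implicit.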