SelfValidatingAuthenticationToken

public abstract class SelfValidatingAuthenticationToken extends Principal implements AuthenticationToken

These AuthenticationTokens are characterized by the following properties:

  • date: The creation time.

  • timeout: How long this token is valid after creation.

  • checksum: The checksum is calculated from all relevant parts of the authentication token (including the salt, timeout, permissions, roles, and date) and most importantly, the pepper which serves as a randomized password of the server. The salt makes it hard to guess the pepper by creating a rainbow table with plausible values for the other properties.

  • salt: Salt for the password checksum, may be used by inheriting classes.

  • pepper: A static property, generated when class is loaded and used until the server reboots. It servers as randomized password of the server. “In cryptography, a pepper is a secret added to an input such as a password prior to being hashed with a cryptographic hash function.” (from: Pepper (cryptography), https://en.wikipedia.org/w/index.php?title=Pepper_(cryptography)&oldid=960047694 (last visited July 7, 2020)) In our case, the pepper is added to the token before hashing, but not exposed to the public, while the salt is. That also means that the resulting hash cannot be generated by any client nor be validated by any client, and that all tokens of this kind invalidate when the server reboots.

Fields

PEPPER

protected static final transient String PEPPER

checksum

protected final String checksum

date

protected final long date

permissions

protected final String[] permissions

roles

protected final String[] roles

salt

protected final String salt

timeout

protected final long timeout

Constructors

SelfValidatingAuthenticationToken

public SelfValidatingAuthenticationToken(Principal principal, long date, long timeout, String salt, String checksum, String[] permissions, String[] roles)

SelfValidatingAuthenticationToken

public SelfValidatingAuthenticationToken(Principal principal, long timeout, String[] permissions, String[] roles, Object... fields)

Methods

calcChecksum

public final String calcChecksum()

calcChecksum

public abstract String calcChecksum(String pepper)

Implementation specific version of a peppered checksum.

For secure operation, implementing classes must make sure that the pepper is actually used in calculating the checksum and that the checksum can not be used to infer information about the pepper. This can be achieved for example by using the calcChecksum(finalObject...fields) method.

calcChecksum

protected static String calcChecksum(Object... fields)

Return the hash (SHA512) of the stringified arguments.

defaultIfNull

protected static <T> T defaultIfNull(T val, T def)

getCredentials

public Object getCredentials()

No credentials (returns null), since this token is self-validating.

getExpires

public long getExpires()

getFreshSalt

public static final String getFreshSalt()

getPermissions

public Collection<String> getPermissions()

getPrincipal

public SelfValidatingAuthenticationToken getPrincipal()

No “other” identity, so this returns itself.

getRoles

public Collection<String> getRoles()

getTimeout

public long getTimeout()

isExpired

public boolean isExpired()

isHashValid

public boolean isHashValid()

Test if the hash stored in checksum is equal to the one calculated using the secret pepper.

isValid

public boolean isValid()

parse

public static SelfValidatingAuthenticationToken parse(String token)

Parse a JSON string and return the generated token. Depending on the first element of the JSON, this is either (if it is “O”) a OneTimeAuthenticationToken or (if it is “S”) a SessionToken.

Throws:

  • AuthenticationToken – if the string could not be parsed into a token.

setFields

protected abstract void setFields(Object[] fields)

Customizable customization method, will be called with the remaining constructor arguments.

toString

public abstract String toString()

toStringArray

protected static String[] toStringArray(Object[] array)