Add ignore validation options and static methods for validation of claims independent to token parsing #175

Closed
wants to merge 12 commits into from
74 changes: 74 additions & 0 deletions src/main/java/io/jsonwebtoken/JwtParser.java
Expand Up @@ -261,7 +261,27 @@ public interface JwtParser {
* otherwise.
*/
boolean isSigned(String jwt);

/**
* Do not validate the {@code exp} claim when parsing the JWT.
* <p>
* <p>Note that this circumvents security features of JWT.</p>
*
* @return the parser for method chaining.
* @see ExpiredJwtException
*/
JwtParser ignoreExpiry();

/**
* Do not validate the {@code nbf} claim when parsing the JWT.
* <p>
* <p>Note that this circumvents security features of JWT.</p>
*
* @return the parser for method chaining.
* @see PrematureJwtException
*/
JwtParser ignoreNotBefore();

/**
* Parses the specified compact serialized JWT string based on the builder's current configuration state and
* returns the resulting JWT or JWS instance.
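Review bot: the Javadoc on ignoreExpiry() and ignoreNotBefore() opens a bare `<p>` on one line and then a full `<p>Note that ...</p>` on the next, which renders as an empty paragraph; drop the bare `<p>`. The note should also state the concrete consequence instead of "circumvents security features of JWT": once ignoreExpiry() is set, parse() returns an expired token as if it were valid and no longer throws the ExpiredJwtException the `@see` tag points to, so the caller becomes responsible for checking `exp` themselves. A sentence such as "After calling this method, parse() will not throw ExpiredJwtException for an expired JWT; the caller must check expiration separately" makes that trade-off explicit. Note also that the hunk adds no counterpart that re-enables validation on the same parser, which is worth documenting so a parser built this way is not shared with code paths that expect enforcement.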
Expand Down Expand Up @@ -338,6 +358,60 @@ public interface JwtParser {
<T> T parse(String jwt, JwtHandler<T> handler)
throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;


/**
* Parses the header part of the specified compact serialized JWT string.
*
* <p>Note that while parsing header no validation or security check will be applied.</p>
*
* @param jwt the compact serialized JWT to parse
* @return Deserialized {@link Header} part of specified compact JWT string.
*/
Header parseHeader(String jwt);

/**
* Checks if the specified compact serialized JWT string is expired based on the builder's current configuration state.
* <p>
* <p>Note that you need this method probably only then, if the parser is configured to by pass 'expiration time' ({@code exp}) claim validation (by calling builder's {@link #ignoreExpiry()} method).</p>
*
* @param jwt the compact serialized JWT to check
* @return {@code true} if the specified JWT compact string is expired, {@code false} otherwise.
*/
boolean isExpired(String jwt);
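Review bot: parseHeader() is documented as applying no validation or security check, but it does not tell the caller what that means in practice: the header is read before any signature is verified, so its contents (including `alg`) are unauthenticated input, and the Javadoc should say that callers must not make trust decisions from it. It also declares no exceptions, while parse() directly above lists MalformedJwtException and IllegalArgumentException; a null or unparseable string presumably raises the same, so add matching `@throws` tags. For isExpired(), the contract is incomplete: say whether a JWT with no `exp` claim returns false, whether a malformed string throws or returns false, and whether the result is affected by ignoreExpiry() (the phrase "based on the builder's current configuration state" suggests it might be, which would make the method useless in exactly the case the note recommends it for). Minor: "by pass" should be "bypass", and "probably only then, if" reads better as "only if".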
Contributor

I don't believe this or isPremature is necessary - just parse the JWT - if there is an exception, you know it isn't a valid JWT. Thoughts?

Author

Do you mean isPremature or isExpired or both? In our use case we really need to first ignore the expiration validation and then separately check whether the token has expired or not. I don't really know if there are other cases for isPremature out there. From my point of view, we can kick all the ignoreNotBefore, isPremature and validateNotBefore methods entirely. But why not leave them there; maybe someone needs them for a specific use case.


/**
* Checks if the specified compact serialized JWT string is premature based on the builder's current configuration state.
* <p>
* <p>Note that you need this method probably only then, if the parser is configured to by pass 'not before' ({@code nbf}) claim validation (by calling builder's {@link #ignoreNotBefore()} method).</p>
*
* @param jwt the compact serialized JWT to check
* @return {@code true} if the specified JWT compact string is premature, {@code false} otherwise.
*/
boolean isPremature(String jwt);


/**
* Validates 'expiration time' ({@code exp}) claim of the specified compact serialized JWT string based on the builder's current configuration state.
* <p>
* <p>Note that you need this validation method probably only then, if the parser is configured to by pass 'expiration time' ({@code exp}) claim validation (by calling builder's {@link #ignoreExpiry()} method).</p>
*
* @param jwt the compact serialized JWT to check
*
* @throws ExpiredJwtException if the validation of 'expiration time' ({@code exp}) claim is failed.
*/
void validateExpiration(String jwt);
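Review bot: validateExpiration() is described as validating `exp` "based on the builder's current configuration state", but the only documented reason to call it is that the same builder was configured with ignoreExpiry(); if that configuration is honored inside this method it silently passes for an expired token, and if it is not honored the wording is misleading. State explicitly that validateExpiration() always enforces `exp` regardless of ignoreExpiry(); the same question applies to isPremature() with respect to ignoreNotBefore(). Also, parse() at the top of this hunk declares its exceptions in the signature, so `void validateExpiration(String jwt) throws ExpiredJwtException;` keeps the interface consistent even though the exception is unchecked, and "if the validation ... is failed" should read "fails".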
Contributor

@lhazlewood lhazlewood Oct 5, 2016

There could be a lot of validation scenarios - I don't feel we should represent them as individual methods on the parser. Same with validateNotBefore. What is the desire for these methods?

Author

The isExpired method is just a wrapper around validateExpiration. I already explained above in my first comment why we need the isExpired method. So in my case, again, we can leave the validateExpiration method private. But again, why remove this method? Both the validateExpiration and validateNotBefore methods were already in the code; they were just part of the huge parse method. I only moved those parts of the code into smaller methods and made them accessible. So the decision is up to you.


/**
* Validates 'not before' ({@code nbf}) claim of the specified compact serialized JWT string based on the builder's current configuration state.
* <p>
* <p>Note that you need this validation method probably only then, if the parser is configured to by pass 'not before' ({@code nbf}) claim (by calling builder's {@link #ignoreNotBefore()} method).</p>
*
* @param jwt the compact serialized JWT to check
*
* @throws PrematureJwtException if the validation of 'not before' ({@code nbf}) claim is failed.
*/
void validateNotBefore(String jwt);

/**
* Parses the specified compact serialized JWT string based on the builder's current configuration state and
* returns
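Review bot: validateNotBefore() documents `@throws PrematureJwtException`, and ignoreNotBefore() at the top of the file points to it with `@see`, yet the parse() signature in this hunk lists ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException and IllegalArgumentException and not PrematureJwtException; either add PrematureJwtException to parse()'s throws clause and Javadoc or document where an `nbf` failure surfaces for callers that did not opt out. Same wording nits as validateExpiration(): "is failed" should be "fails" and "probably only then, if" should be "only if".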