Module com.erudika.para.server

Package com.erudika.para.server.security

Class SecurityUtils

java.lang.Object

com.erudika.para.server.security.SecurityUtils

public final class SecurityUtils
extends Object

Utility class with helper methods for authentication.

Author:

Alex Bogdanovski [[email protected]]

Method Summary

Modifier and Type	Method	Description
static UserAuthentication	checkIfActive(UserAuthentication userAuth, com.erudika.para.core.User user, boolean throwException)	Checks if account is active.
static boolean	checkIfUserCanModifyObject(com.erudika.para.core.App app, com.erudika.para.core.ParaObject object)	Check if a user can modify an object.
static boolean	checkImplicitAppPermissions(com.erudika.para.core.App app, com.erudika.para.core.ParaObject object)	An app can edit itself or delete itself.
static void	clearSession(jakarta.servlet.http.HttpServletRequest req)	Clears the session.
static com.nimbusds.jwt.SignedJWT	generateIdToken(com.erudika.para.core.User user, com.erudika.para.core.App app)	Short-lived identity token, proving that a Para user has been successfully authenticated against an IDP.
static com.nimbusds.jwt.SignedJWT	generateJWToken(com.erudika.para.core.User user, com.erudika.para.core.App app)	Generates a new JWT token.
static com.nimbusds.jwt.SignedJWT	generateSuperJWToken(com.erudika.para.core.App app)	Generates a new "super" JWT token for apps.
static com.erudika.para.core.App	getAppFromJWTAuthentication()	getter.
static com.erudika.para.core.App	getAppFromLdapAuthentication()	getter.
static String	getAppidFromAuthRequest(jakarta.servlet.http.HttpServletRequest request)	getter.
static com.erudika.para.core.App	getAuthenticatedApp()	Extracts a App object from the security context.
static com.erudika.para.core.User	getAuthenticatedUser()	Extracts a User object from the security context.
static com.erudika.para.core.User	getAuthenticatedUser(org.springframework.security.core.Authentication auth)	Extracts a User object from the security context.
static Set<String>	getHostUrlAliasesForReturn(com.erudika.para.core.App app)	getter.
static String	getHostUrlFromQueryStringOrStateParam(Set<String> hostUrlAliases, jakarta.servlet.http.HttpServletRequest request)	getter.
static com.erudika.para.core.App	getPrincipalApp()	Returns the current authenticated App object.
static String	getRedirectUrl(jakarta.servlet.http.HttpServletRequest request)	getter.
static boolean	isNotAnApp(String type)	checker.
static boolean	isValidJWToken(String secret, com.nimbusds.jwt.SignedJWT jwt)	Validates a JWT token.
static boolean	isValidSignature(jakarta.servlet.http.HttpServletRequest incoming, String secretKey)	Validates the signature of the request.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

getAuthenticatedUser

public static com.erudika.para.core.User getAuthenticatedUser()

Extracts a User object from the security context.

Returns:

an authenticated user or null if a user is not authenticated

getAuthenticatedUser

public static com.erudika.para.core.User getAuthenticatedUser(org.springframework.security.core.Authentication auth)

Extracts a User object from the security context.

Parameters:

auth - the authentication object

Returns:

an authenticated user or null if a user is not authenticated

getAuthenticatedApp

public static com.erudika.para.core.App getAuthenticatedApp()

Extracts a App object from the security context.

Returns:

an authenticated app or null if a app is not authenticated

getAppFromJWTAuthentication

public static com.erudika.para.core.App getAppFromJWTAuthentication()

getter.

Returns:

returns the current app associated with the authenticated user

getAppFromLdapAuthentication

public static com.erudika.para.core.App getAppFromLdapAuthentication()

getter.

Returns:

returns the current app associated with the authenticated user

getPrincipalApp

public static com.erudika.para.core.App getPrincipalApp()

Returns the current authenticated App object.

Returns:

an App object or null

checkImplicitAppPermissions

public static boolean checkImplicitAppPermissions(com.erudika.para.core.App app,
 com.erudika.para.core.ParaObject object)

An app can edit itself or delete itself. It can't read, edit, overwrite or delete other apps, unless it is the root app.

Parameters:

app - an app

object - another object

Returns:

true if app passes the check

isNotAnApp

public static boolean isNotAnApp(String type)

checker.

Parameters:

type - some type

Returns:

true if type of object is not "app"

checkIfUserCanModifyObject

public static boolean checkIfUserCanModifyObject(com.erudika.para.core.App app,
 com.erudika.para.core.ParaObject object)

Check if a user can modify an object. If there's no user principal found, this returns true.

Parameters:

app - app in context

object - some object

Returns:

true if user is the owner/creator of the object.

clearSession

public static void clearSession(jakarta.servlet.http.HttpServletRequest req)

Clears the session. Deletes cookies and clears the security context.

Parameters:

req - HTTP request

isValidJWToken

public static boolean isValidJWToken(String secret,
 com.nimbusds.jwt.SignedJWT jwt)

Validates a JWT token.

Parameters:

secret - secret used for generating the token

jwt - token to validate

Returns:

true if token is valid

generateSuperJWToken

public static com.nimbusds.jwt.SignedJWT generateSuperJWToken(com.erudika.para.core.App app)

Generates a new "super" JWT token for apps.

Parameters:

app - the app object

Returns:

a new JWT or null

generateJWToken

public static com.nimbusds.jwt.SignedJWT generateJWToken(com.erudika.para.core.User user,
 com.erudika.para.core.App app)

Generates a new JWT token.

Parameters:

user - a User object belonging to the app

app - the app object

Returns:

a new JWT or null

generateIdToken

public static com.nimbusds.jwt.SignedJWT generateIdToken(com.erudika.para.core.User user,
 com.erudika.para.core.App app)

Short-lived identity token, proving that a Para user has been successfully authenticated against an IDP. Works with the passwordless auth filter.

Parameters:

user - user object

app - app object

Returns:

a signed JWT or null

checkIfActive

public static UserAuthentication checkIfActive(UserAuthentication userAuth,
 com.erudika.para.core.User user,
 boolean throwException)

Checks if account is active.

Parameters:

userAuth - user authentication object

user - user object

throwException - throw or not

Returns:

the authentication object if user.active == true

isValidSignature

public static boolean isValidSignature(jakarta.servlet.http.HttpServletRequest incoming,
 String secretKey)

Validates the signature of the request.

Parameters:

incoming - the incoming HTTP request containing a signature

secretKey - the app's secret key

Returns:

true if the signature is valid

getRedirectUrl

public static String getRedirectUrl(jakarta.servlet.http.HttpServletRequest request)

getter.

Parameters:

request - HTTP request

Returns:

the URL with the correct protocol, read from X-Forwarded-Proto and CloudFront-Forwarded-Proto headers.

getAppidFromAuthRequest

public static String getAppidFromAuthRequest(jakarta.servlet.http.HttpServletRequest request)

getter.

Parameters:

request - HTTP request

Returns:

the appid if it's present in either the 'state' or 'appid' query parameters

getHostUrlAliasesForReturn

public static Set<String> getHostUrlAliasesForReturn(com.erudika.para.core.App app)

getter.

Parameters:

app - the Para app object

Returns:

a set of host URLs if found in app settings

getHostUrlFromQueryStringOrStateParam

public static String getHostUrlFromQueryStringOrStateParam(Set<String> hostUrlAliases,
 jakarta.servlet.http.HttpServletRequest request)

getter.

Parameters:

hostUrlAliases - host URL aliases

request - request

Returns:

a host URL or null