Source code

001package com.nimbusds.jwt.proc;
002
003
004import java.util.Date;
005
006import com.nimbusds.jose.util.DateUtils;
007import net.jcip.annotations.ThreadSafe;
008
009import com.nimbusds.jwt.JWTClaimsSet;
010
011
012/**
013 * Default JWT claims verifier. This class is thread-safe.
014 *
015 * <p>Performs the following checks:
016 *
017 * <ol>
018 *     <li>If an expiration time (exp) claim is present, makes sure it is
019 *         ahead of the current time, else the JWT claims set is rejected.
020 *     <li>If a not-before-time (nbf) claim is present, makes sure it is
021 *         before the current time, else the JWT claims set is rejected.
022 * </ol>
023 *
024 * <p>This class may be extended to perform additional checks.
025 *
026 * @author Vladimir Dzhuvinov
027 * @version 2015-12-13
028 */
029@ThreadSafe
030public class DefaultJWTClaimsVerifier implements JWTClaimsVerifier, ClockSkewAware {
031
032
033        /**
034         * The default maximum acceptable clock skew, in seconds (60).
035         */
036        public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS = 60;
037
038
039        // Cache exceptions
040
041
042        /**
043         * Expired JWT.
044         */
045        private static final BadJWTException EXPIRED_JWT_EXCEPTION = new BadJWTException("Expired JWT");
046
047
048        /**
049         * JWT before use time.
050         */
051        private static final BadJWTException JWT_BEFORE_USE_EXCEPTION = new BadJWTException("JWT before use time");
052
053
054        /**
055         * The maximum acceptable clock skew, in seconds.
056         */
057        private int maxClockSkew = DEFAULT_MAX_CLOCK_SKEW_SECONDS;
058
059
060        @Override
061        public int getMaxClockSkew() {
062                return maxClockSkew;
063        }
064
065
066        @Override
067        public void setMaxClockSkew(int maxClockSkewSeconds) {
068                maxClockSkew = maxClockSkewSeconds;
069        }
070
071
072        @Override
073        public void verify(final JWTClaimsSet claimsSet)
074                throws BadJWTException {
075
076                final Date now = new Date();
077
078                final Date exp = claimsSet.getExpirationTime();
079
080                if (exp != null) {
081
082                        if (! DateUtils.isAfter(exp, now, maxClockSkew)) {
083                                throw EXPIRED_JWT_EXCEPTION;
084                        }
085                }
086
087                final Date nbf = claimsSet.getNotBeforeTime();
088
089                if (nbf != null) {
090
091                        if (! DateUtils.isBefore(nbf, now, maxClockSkew)) {
092                                throw JWT_BEFORE_USE_EXCEPTION;
093                        }
094                }
095        }
096}