diff --git a/java-security/README.md b/java-security/README.md
index e6e1cd6ce..f8f391582 100644
--- a/java-security/README.md
+++ b/java-security/README.md
@@ -271,22 +271,42 @@ This validator is not part of the default `CombiningValidator`, it needs to be a It can be done in the following manner: ```java JwtValidatorBuilder.getInstance(oAuth2ServiceConfiguration) - .with(new JwtX5tValidator(oAuth2ServiceConfiguration)) - .build(); + .with(new JwtX5tValidator(oAuth2ServiceConfiguration)) + .build(); +``` + +Or it can be used as a standalone `Validator`, by creating a new instance of it and +calling `JwtX5tValidator.validate(Token token)` method with the token to be validated as a method's parameter. +See [here](#retrieve-additional-information-from-token) how to get a token from `SecurityContext` + +```java +JwtX5tValidator validator=new JwtX5tValidator(oAuth2ServiceConfiguration); + ValidationResult result=validator.validate(token); ``` -Or it can be used as a standalone `Validator`, by creating a new instance of it and calling `JwtX5tValidator.validate(Token token)` method with the token to be validated as a method's parameter. See [here](#retrieve-additional-information-from-token) how to get a token from `SecurityContext` + +#### Proof Token validation + +Once enabled, it will forward the X509 client certificate from the request header `x-fowarded-client-cert` +as `x-client_cert` header to the `/oauth2/token_keys` endpoint. +To enable Proof Token validation for `JwtSignatureValidator`: + ```java -JwtX5tValidator validator = new JwtX5tValidator(oAuth2ServiceConfiguration); -ValidationResult result = validator.validate(token); +JwtValidatorBuilder.getInstance(oAuth2ServiceConfiguration) + .enableProofTokenCheck() + .build(); ``` ### `Token` usage -#### Create a Token Object -This code snippet decodes a given JSON Web Token (JWT) and extracts its JSON header and payload. The `Token` interface allows for easy access to JWT header parameters and claims. The claim constants can be found in the [`TokenClaims`](/java-api/src/main/java/com/sap/cloud/security/token/TokenClaims.java) class. 
+ +#### Create a Token Object + +This code snippet decodes a given JSON Web Token (JWT) and extracts its JSON header and payload. The `Token` interface +allows for easy access to JWT header parameters and claims. The claim constants can be found in +the [`TokenClaims`](/java-api/src/main/java/com/sap/cloud/security/token/TokenClaims.java) class. ```java -String authorizationHeader = "Bearer eyJhbGciOiJGUzI1NiJ2.eyJhh..."; - Token token = Token.create(authorizationHeader); // compatible with tokens issued by xsuaa and ias +String authorizationHeader="Bearer eyJhbGciOiJGUzI1NiJ2.eyJhh..."; + Token token=Token.create(authorizationHeader); // compatible with tokens issued by xsuaa and ias ``` #### Retrieve additional information from Token diff --git a/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtValidatorBuilder.java b/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtValidatorBuilder.java index 38f3399c4..1a6a7a7ae 100644 --- a/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtValidatorBuilder.java +++ b/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JwtValidatorBuilder.java @@ -43,6 +43,7 @@ public class JwtValidatorBuilder { private Validator customAudienceValidator; private CacheConfiguration tokenKeyCacheConfiguration; private boolean isTenantIdCheckDisabled; + private boolean isProofTokenCheckEnabled; private static final Logger LOGGER = LoggerFactory.getLogger(JwtValidatorBuilder.class); @@ -190,6 +191,16 @@ public JwtValidatorBuilder disableTenantIdCheck() { return this; } + /** + * Enables proof token check for JwtSignatureValidator. This method enables the Proof Token check. + * + * @return this builder + */ + public JwtValidatorBuilder enableProofTokenCheck() { + this.isProofTokenCheckEnabled = true; + return this; + } + /** * Builds the validators with the applied parameters. * 
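Review bot: The Javadoc added with `enableProofTokenCheck()` in the second hunk of JwtValidatorBuilder.java says the same thing twice ("Enables proof token check ... This method enables the Proof Token check.") and tells the caller neither what the check does nor when it takes effect; the later hunk in `createDefaultValidators()` only honours the flag through a cast to `SapIdJwtSignatureValidator` inside a block whose condition lies outside that hunk, so for any other signature validator the call appears to be a silent no-op, which a caller relying on it for security would not notice. I would replace the two summary sentences with `Enables the proof token check on the signature validator (only effective for {@code SapIdJwtSignatureValidator}); when enabled, the client certificate taken from the request is forwarded to the {@code /oauth2/token_keys} endpoint.` and keep `@return this builder`. Separately, the README hunk in this commit names the request header as `x-fowarded-client-cert`, which looks like a misspelling of `x-forwarded-client-cert`; the header name the code actually reads is not visible here, so please check the two agree before merging, since a mismatch sends readers looking for the wrong header.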
@@ -224,6 +235,9 @@ private List> createDefaultValidators() {
 if (isTenantIdCheckDisabled) {
 ((SapIdJwtSignatureValidator) signatureValidator).disableTenantIdCheck();
 }
+ if (isProofTokenCheckEnabled) {
+ ((SapIdJwtSignatureValidator) signatureValidator).enableProofTokenValidationCheck();
+ }
 }
 defaultValidators.add(signatureValidator);