
Security Options

John Ament edited this page Jul 1, 2017 · 2 revisions


Hammock provides a few useful security hacks.

Security SPI

This module provides interceptor-based checks to ensure that the calling user is in a given role or is logged in to the system.

    <dependency>
        <artifactId>security-spi</artifactId>
        <groupId>ws.ament.hammock</groupId>
        <version>${hammock.version}</version>
    </dependency>

JWT Processing

You can add JWT processing into your Hammock runtime, as a preview of MicroProfile JWT RBAC. It is built on nimbus-jose-jwt. Any request that includes a JWT in the Authorization header or in an access_token query parameter will be processed.

Configuration Options:

  • jwt.filter.uris: The URIs to apply JWT processing to. You may want it off in some areas of your application; by default it is bound to /*.
  • jwt.header.enabled: Defaults to true; whether Authorization header processing is enabled.
  • jwt.query.param.enabled: Defaults to true; whether query parameter processing is enabled.
  • jwt.query.param.name: The name of the query parameter to read the token from. The default follows the OIDC spec and uses access_token.
  • jwt.processor: The fully qualified class name of your JWT processor. The default is a SimpleJWTProcessor that only reads the JWT and performs no validation on it; it should not be used in production. A second processor is built into Hammock, ws.ament.hammock.jwt.processor.DefaultValidatingJWTProcessor, which uses the next set of properties. Otherwise you can provide your own implementation of ws.ament.hammock.jwt.processor.JWTProcessor.

Options specific to DefaultValidatingJWTProcessor:

  • jwt.algorithm: The signing algorithm to verify against. Defaults to HS256. The valid values are the standard JWS algorithm names.
  • jwt.jwk.source.url: The URL to download the JWK(s) from when verifying signatures.
  • jwt.jwk.source.file: The file to read the JWK(s) from.

Note: one of jwt.jwk.source.url or jwt.jwk.source.file must be specified.
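The difference between the read-only SimpleJWTProcessor and a validating processor is the whole security point of this section, so here is an added, self-contained illustration that is not Hammock's code. It models token extraction using the jwt.header.enabled, jwt.query.param.enabled and jwt.query.param.name properties (the "Bearer" scheme is an assumption; the page only says the header carries the JWT), a symmetric JWK of the kind jwt.jwk.source.file would point at, and two readers: one that trusts the claims as-is, and one that checks the alg against jwt.algorithm and verifies the HS256 signature before returning anything. The key, the claims and the config values are constructed for the example; the function names are the example's own, not Hammock's API.

```python
import base64
import hashlib
import hmac
import json

# Constructed configuration using the page's property names. The values are
# assumptions for this example (the documented defaults where the page gives one).
CONFIG = {
    "jwt.header.enabled": True,
    "jwt.query.param.enabled": True,
    "jwt.query.param.name": "access_token",
    "jwt.algorithm": "HS256",
}


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore padding before decoding; raises on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed symmetric JWK (an RFC 7517 "oct" key) of the kind jwt.jwk.source.file
# would contain. The secret is a throwaway value for this demonstration only.
JWK = {"kty": "oct", "kid": "demo-key", "k": b64url_encode(b"demo-secret-not-for-real-use")}


def extract_token(headers: dict, query: dict):
    """Look in the Authorization header first, then the query parameter, each gated
    by its enable flag. The 'Bearer ' prefix is an assumption made by this example."""
    if CONFIG["jwt.header.enabled"]:
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            return auth[len("Bearer "):]
    if CONFIG["jwt.query.param.enabled"]:
        return query.get(CONFIG["jwt.query.param.name"])
    return None


def sign_hs256(claims: dict, jwk: dict) -> str:
    """Mint a compact JWS over the claims with HS256; used only to build sample tokens."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def simple_read(token: str) -> dict:
    """What a read-only processor like SimpleJWTProcessor yields: the claims, trusted as-is."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def validating_read(token: str, jwk: dict) -> dict:
    """Verify before trusting: alg must equal jwt.algorithm, kid must match the key we hold,
    and the HMAC must check out. This models the job of DefaultValidatingJWTProcessor;
    it is not Hammock's implementation."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != CONFIG["jwt.algorithm"]:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if header.get("kid") != jwk["kid"]:
        raise ValueError("no matching key for kid")
    expected = hmac.new(b64url_decode(jwk["k"]),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def is_valid(token: str, jwk: dict) -> bool:
    """True only if the validating reader accepts the token (malformed input counts as invalid)."""
    try:
        validating_read(token, jwk)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def demo() -> dict:
    """Run both readers on a genuine token and on one whose payload no longer matches its signature."""
    genuine = sign_hs256({"sub": "alice", "groups": ["user"]}, JWK)
    header_b64, _payload_b64, sig_b64 = genuine.split(".")
    # Constructed: same header and signature, but a payload the signer never signed.
    altered = header_b64 + "." + b64url_encode(b'{"sub":"alice","groups":["admin"]}') + "." + sig_b64
    return {
        "simple_genuine_groups": simple_read(genuine)["groups"],
        "simple_altered_groups": simple_read(altered)["groups"],   # accepted without question
        "validating_genuine": is_valid(genuine, JWK),
        "validating_altered": is_valid(altered, JWK),              # rejected
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block shows the read-only reader handing back whatever groups the payload claims, while the validating reader returns claims only for the token whose signature verifies under the configured algorithm and key. That is the behaviour you get from choosing DefaultValidatingJWTProcessor (with a JWK source configured) over the default processor.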

To add it to your application, use:

    <dependency>
        <artifactId>security-jose</artifactId>
        <groupId>ws.ament.hammock</groupId>
        <version>${hammock.version}</version>
    </dependency>