Class XsuaaToken

java.lang.Object
org.springframework.security.oauth2.core.AbstractOAuth2Token
org.springframework.security.oauth2.jwt.Jwt
com.sap.cloud.security.xsuaa.token.XsuaaToken
All Implemented Interfaces:
Token, Serializable, org.springframework.security.core.userdetails.UserDetails, org.springframework.security.oauth2.core.ClaimAccessor, org.springframework.security.oauth2.core.OAuth2Token, org.springframework.security.oauth2.jwt.JwtClaimAccessor

public class XsuaaToken extends org.springframework.security.oauth2.jwt.Jwt implements Token
Custom XSUAA token implementation.

This class inherits Spring Security's standard Jwt implementation and can be used interchangeably with it.

See Also:
  • Nested Class Summary

    Nested classes/interfaces inherited from class org.springframework.security.oauth2.jwt.Jwt

    org.springframework.security.oauth2.jwt.Jwt.Builder
  • Constructor Summary

    Constructors

    protected XsuaaToken(org.springframework.security.oauth2.jwt.Jwt jwt)
  • Method Summary

    Modifier and Type, Method, Description

    String getAdditionalAuthAttribute(String attributeName)
      Additional custom authentication attributes included by the OAuth client component.
    String getAppToken()
      Get the encoded authentication token, e.g. for token forwarding to another app.
    Collection<? extends org.springframework.security.core.GrantedAuthority> getAuthorities()
      By default, returns the list of scopes from Token.getScopes().
    String getClientId()
      Returns the OAuth2 client identifier of the authentication token if present.
    String getCloneServiceInstanceId()
      Returns the XSUAA clone instance ID, if present.
    String getEmail()
      Returns the email address of the user, if present.
    Instant getExpiration()
      Returns the moment in time when the token will be expired.
    String getFamilyName()
      Returns the family name of the user if present.
    String getGivenName()
      Returns the given name of the user if present.
    String getGrantType()
      Returns the OAuth2.0 grant type used for retrieving / creating this token.
    String getLogonName()
      Convenient access to other claims.
    String getOrigin()
      Returns the user origin.
    String getPassword()
    Collection<String> getScopes()
      Returns list of scopes with appId prefix, e.g. "<my-app!t123>.Display".
    String getSubaccountId()
      Returns the subaccount identifier, which in most cases is the same as the identity zone.
    String getSubdomain()
      Returns the subdomain of the calling tenant's subaccount.
    static String getUniquePrincipalName(String origin, String userLoginName)
      Get unique principal name of a user.
    String getUsername()
    String[] getXSUserAttribute(String attributeName)
      Returns the value of an attribute from the 'xs.user.attributes' claim.
    String getZoneId()
      Returns the zone identifier, which should be used as the tenant discriminator (tenant id).
    boolean isAccountNonExpired()
    boolean isAccountNonLocked()
    boolean isCredentialsNonExpired()
    boolean isEnabled()
    String toString()

    Methods inherited from class org.springframework.security.oauth2.jwt.Jwt

    getClaims, getHeaders, withTokenValue

    Methods inherited from class org.springframework.security.oauth2.core.AbstractOAuth2Token

    equals, getExpiresAt, getIssuedAt, getTokenValue, hashCode

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait

    Methods inherited from interface org.springframework.security.oauth2.core.ClaimAccessor

    getClaim, getClaimAsBoolean, getClaimAsInstant, getClaimAsMap, getClaimAsString, getClaimAsStringList, getClaimAsURL, hasClaim

    Methods inherited from interface org.springframework.security.oauth2.jwt.JwtClaimAccessor

    getAudience, getExpiresAt, getId, getIssuedAt, getIssuer, getNotBefore, getSubject
  • Constructor Details

    • XsuaaToken

      protected XsuaaToken(org.springframework.security.oauth2.jwt.Jwt jwt)
      Parameters:
      jwt - token
  • Method Details

    • getAuthorities

      public Collection<? extends org.springframework.security.core.GrantedAuthority> getAuthorities()
      Description copied from interface: Token
      By default, returns the list of scopes from Token.getScopes().

      The default behavior can be adapted in the TokenAuthenticationConverter class.

      Specified by:
      getAuthorities in interface Token
      Specified by:
      getAuthorities in interface org.springframework.security.core.userdetails.UserDetails
      Returns:
      all authorities such as scopes or an empty list
    • getExpiration

      public Instant getExpiration()
      Description copied from interface: Token
      Returns the moment in time when the token will be expired.
      Specified by:
      getExpiration in interface Token
      Returns:
      the expiration point in time if present.
    • getPassword

      public String getPassword()
      Specified by:
      getPassword in interface org.springframework.security.core.userdetails.UserDetails
    • getUsername

      public String getUsername()
      Specified by:
      getUsername in interface org.springframework.security.core.userdetails.UserDetails
    • isAccountNonExpired

      public boolean isAccountNonExpired()
      Specified by:
      isAccountNonExpired in interface org.springframework.security.core.userdetails.UserDetails
    • isAccountNonLocked

      public boolean isAccountNonLocked()
      Specified by:
      isAccountNonLocked in interface org.springframework.security.core.userdetails.UserDetails
    • isCredentialsNonExpired

      public boolean isCredentialsNonExpired()
      Specified by:
      isCredentialsNonExpired in interface org.springframework.security.core.userdetails.UserDetails
    • isEnabled

      public boolean isEnabled()
      Specified by:
      isEnabled in interface org.springframework.security.core.userdetails.UserDetails
    • getUniquePrincipalName

      @Nullable public static String getUniquePrincipalName(String origin, String userLoginName)
      Get unique principal name of a user.
      Parameters:
      origin - of the access token
      userLoginName - of the access token
      Returns:
      unique principal name
    • getLogonName

      @Nullable public String getLogonName()
      Convenient access to other claims.
      Specified by:
      getLogonName in interface Token
      Returns:
      unique principal name, or null if it cannot be determined.
    • getClientId

      @Nullable public String getClientId()
      Description copied from interface: Token
      Returns the OAuth2 client identifier of the authentication token if present. Following the OpenID Connect 1.0 specification, the client identifier is taken from the "azp" claim if present; otherwise it is taken from the "aud" claim, but only if there is exactly one audience.
      Specified by:
      getClientId in interface Token
      Returns:
      the OAuth client ID.
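      The azp/aud rule described above, restated as a stand-alone helper over Spring Security's Jwt so the multi-audience edge case is visible. This is an added example, not the library's implementation; the token values and claims are constructed, and a real Jwt would come from a JwtDecoder after signature validation.

```java
import java.time.Instant;
import java.util.List;
import java.util.Optional;
import org.springframework.security.oauth2.jwt.Jwt;

public final class ClientIdResolutionExample {

    // Example re-statement of the documented Token.getClientId() rule:
    // prefer "azp"; fall back to "aud" only when exactly one audience is present.
    static Optional<String> resolveClientId(Jwt jwt) {
        String azp = jwt.getClaimAsString("azp");
        if (azp != null && !azp.isEmpty()) {
            return Optional.of(azp);
        }
        List<String> aud = jwt.getAudience();
        if (aud != null && aud.size() == 1) {
            return Optional.of(aud.get(0));
        }
        // Absent or ambiguous: the caller must not guess which client is meant.
        return Optional.empty();
    }

    // Constructed sample token; "placeholder.token.value" is not a real JWT.
    static Jwt sample(String azp, List<String> aud) {
        Jwt.Builder b = Jwt.withTokenValue("placeholder.token.value")
                .header("alg", "RS256")
                .issuedAt(Instant.now())
                .expiresAt(Instant.now().plusSeconds(300))
                .subject("user-1");
        if (azp != null) {
            b.claim("azp", azp);
        }
        if (aud != null) {
            b.audience(aud);
        }
        return b.build();
    }

    public static void main(String[] args) {
        // azp present: wins even with several audiences
        System.out.println(resolveClientId(sample("sb-app!t123", List.of("sb-app!t123", "other"))));
        // no azp, single audience: audience is the client id
        System.out.println(resolveClientId(sample(null, List.of("sb-app!t123"))));
        // no azp, several audiences: no client id can be derived
        System.out.println(resolveClientId(sample(null, List.of("a", "b"))));
    }
}
```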
    • getGivenName

      public String getGivenName()
      Description copied from interface: Token
      Returns the given name of the user if present. Will try to find it first in the ext_attr.given_name claim before trying to find a given_name claim.
      Specified by:
      getGivenName in interface Token
      Returns:
      the given name if present.
    • getFamilyName

      @Nullable public String getFamilyName()
      Description copied from interface: Token
      Returns the family name of the user if present. Will try to find it first in the ext_attr.family_name claim before trying to find a family_name claim.
      Specified by:
      getFamilyName in interface Token
      Returns:
      the family name if present.
    • getEmail

      public String getEmail()
      Description copied from interface: Token
      Returns the email address of the user, if present.
      Specified by:
      getEmail in interface Token
      Returns:
      The email address if present.
    • getOrigin

      public String getOrigin()
      Description copied from interface: Token
      Returns the user origin. The origin is an alias that refers to a user store in which the user is persisted. For example, users that are authenticated by the UAA itself with a username / password combination have their origin set to the value "uaa".

      May be null if this JWT was not created with the OAuth 2.0 client credentials flow.

      Specified by:
      getOrigin in interface Token
      Returns:
      the user origin if present.
    • getGrantType

      public String getGrantType()
      Description copied from interface: Token
      Returns the OAuth2.0 grant type used for retrieving / creating this token.
      Specified by:
      getGrantType in interface Token
      Returns:
      the grant type
    • getSubaccountId

      public String getSubaccountId()
      Description copied from interface: Token
      Returns the subaccount identifier, which in most cases is the same as the identity zone. Use this only for metering purposes. Do not use this method any longer to obtain the unique tenant id; use Token.getZoneId() for that instead.
      Specified by:
      getSubaccountId in interface Token
      Returns:
      the subaccount identifier.
    • getZoneId

      public String getZoneId()
      Description copied from interface: Token
      Returns the zone identifier, which should be used as the tenant discriminator (tenant id). For most older subaccounts this matches the id returned by Token.getSubaccountId().
      Specified by:
      getZoneId in interface Token
      Returns:
      the zone identifier.
    • getSubdomain

      public String getSubdomain()
      Description copied from interface: Token
      Returns the subdomain of the calling tenant's subaccount.
      Specified by:
      getSubdomain in interface Token
      Returns:
      the subdomain of the tenant the JWT belongs to.
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • getXSUserAttribute

      @Nullable public String[] getXSUserAttribute(String attributeName)
      Description copied from interface: Token
      Returns the value of an attribute from the 'xs.user.attributes' claim. Will first try to find the attribute in 'ext_ctx' claim.
      Specified by:
      getXSUserAttribute in interface Token
      Parameters:
      attributeName - name of the attribute inside 'ext_ctx' or 'xs.user.attributes'.
      Returns:
      the array of attribute values, or null if no such attribute exists.
    • getAdditionalAuthAttribute

      public String getAdditionalAuthAttribute(String attributeName)
      Description copied from interface: Token
      Additional custom authentication attributes included by the OAuth client component. Note: this data is controlled by the requester of the token and might not be trustworthy.
      Specified by:
      getAdditionalAuthAttribute in interface Token
      Parameters:
      attributeName - name of the authentication attribute
      Returns:
      additional attribute value if present.
    • getCloneServiceInstanceId

      public String getCloneServiceInstanceId()
      Description copied from interface: Token
      Returns the XSUAA clone instance ID, if present. This will only be set for tokens that were issued by an XSUAA with plan broker. Contains the service instance id if present.
      Specified by:
      getCloneServiceInstanceId in interface Token
      Returns:
      the XSUAA clone service instance id if present.
    • getAppToken

      public String getAppToken()
      Description copied from interface: Token
      Get the encoded authentication token, e.g. for token forwarding to another app.

      Never expose this token via log or via HTTP.

      Specified by:
      getAppToken in interface Token
      Returns:
      token
    • getScopes

      public Collection<String> getScopes()
      Description copied from interface: Token
      Returns list of scopes with appId prefix, e.g. "<my-app!t123>.Display".
      Specified by:
      getScopes in interface Token
      Returns:
      all scopes