afs commented on code in PR #1341:
URL: https://github.com/apache/jena/pull/1341#discussion_r884242396
##########
jena-fuseki2/jena-fuseki-main/src/main/java/org/apache/jena/fuseki/main/auth/AuthBearerFilter.java:
##########
@@ -34,36 +37,129 @@
import org.slf4j.Logger;
/**
- * Process an "Authorization: Bearer" header.
- * If present, extract as JWT
+ * Process an {@code Authorization: Bearer <token>} header. If present,
extract {@code <token>} as JWT and try to verify
+ * with a configurable user verifier function.
+ * <h3>User Verifier Function</h3>
+ * <p>
+ * The user verifier function has the signature of {@code Function<String,
String>} where the input is the raw base64
+ * encoded JWT as obtained from the {@code Authorization} header. If your
function considers the token valid then it
+ * <strong>MUST</strong> return the username for the user, if it considers the
token invalid then it
+ * <strong>MUST</strong> return {@code null} to indicate this. Your function
<strong>MUST NOT</strong> throw any
+ * exceptions, however you may wish to log the reason for considering a token
invalid to the server logs.
+ * </p>
+ * <h3>Programmatic Usage</h3>
+ * <p>
+ * For programmatic server building the verification function can be provided
directly to the constructor.
+ * </p>
+ * <h3>Servlet Configuration Usage</h3>
+ * <p>
+ * For use in {@code web.xml} or other Java servlet based environments the
filter can configure itself automatically. It
+ * first looks for a function from the servlet context attribute (defined by
the static field
+ * {@link AuthBearerFilter#USER_VERIFIER_FUNCTION_ATTRIBUTE}) and if that is a
valid function uses that. This allows
+ * for deployments to use a {@link ServletContextListener} or similar servlet
lifecycle mechanism to construct and
+ * inject their desired function programmatically at runtime and have the
filter honour it.
+ * </p>
+ * <p>
+ * If the function to use can be statically configured then you can use the
+ * {@link AuthBearerFilter#USER_VERIFIER_FUNCTION_ATTRIBUTE} parameters as an
{@code <init-param>}'s to specify the
+ * class and method of the function to use in the {@code <filter>} definition
e.g.
+ * </p>
+ * <pre>
+ * <filter>
+ * <filter-name>BearerAuthFilter</filter-name>
+ *
<filter-class>org.apache.jena.fuseki.main.auth.AuthBearerFilter</filter-class>
+ * <init-param>
+ *
<param-name>org.apache.jena.fuseki.main.auth.AuthBearerFilter.userVerifier</param-name>
+ * <param-value>your.package.SomeClass.SomeMethod</param-value>
+ * </init-param>
+ * </filter>
+ * </pre>
+ * <p>
+ * In this scenario {@code your.package.SomeClass} must be a valid Java class
and {@code SomeMethod} a static method on
+ * that class that conforms to the
+ * </p>
*/
public class AuthBearerFilter implements Filter {
private static Logger log = Fuseki.serverLog;
- private final Function<String, String> verifiedUser;
+ private Function<String, String> userVerifier;
+
+ public static final String USER_VERIFIER_FUNCTION_ATTRIBUTE =
+ AuthBearerFilter.class.getCanonicalName() + ".userVerifier";
@Override
- public void init(FilterConfig filterConfig) {}
+ public void init(FilterConfig filterConfig) {
+ // For web.xml usage allow initializing in the following ways:
Review Comment:
Fuseki main does not use web.xml. It does not run webapps. It is a pure
servlet filter stack with the static assets servlet to serve content requests.
`AuthBearerFilter` is added as a Fuseki server is built.
The code injection is by Fuseki module. They avoid the need to package
Fuseki as distributed just to custom code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
