Open swapndeh opened 3 years ago
Hi, there is no code to write or deploy (unless you want to write your own token system).
Just go to your aceql-server.properties file and:
```properties
sessionConfiguratorClassName=DefaultSessionConfigurator
#sessionConfiguratorClassName=JwtSessionConfigurator
#jwtSessionConfiguratorSecret=changeit
```
Then replace the changeit password with your own secret value, and restart the AceQL Server.
You're done!
Hi, I don't understand what is specific to your need, as this tight and strict user control is already done with default JWT implementation in AceQL.
The generated JWT token is per user: client user_2 cannot use the JWT token belonging to user_1 in order to impersonate or steal the session id.
See the implementation and how independent JWT tokens per user are generated in the generateSessionId method: https://bit.ly/2TRoA8y
```java
import java.util.Date;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator.Builder;
import com.auth0.jwt.algorithms.Algorithm;

// Excerpt of JwtSessionConfigurator.generateSessionId(username, database)
public String generateSessionId(String username, String database) {
    Algorithm algorithm = Algorithm.HMAC256(secret); // secret is jwtSessionConfiguratorSecret
    Builder builder = JWT.create();
    builder.withClaim("usr", username); // token is bound to this user...
    builder.withClaim("dbn", database); // ...and to this database
    builder.withIssuedAt(new Date());
    if (getSessionTimelife() != 0) { // 0 means the token never expires
        Date expiresAt = new Date(System.currentTimeMillis() + (getSessionTimelife() * 60 * 1000));
        builder.withExpiresAt(expiresAt);
    }
    String token = builder.sign(algorithm);
    return token;
}
```
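The verification side of the same scheme, as an added example that is not AceQL's own code: it uses the same java-jwt library and the same usr/dbn claims as generateSessionId above, and shows why a token issued to user_1 is rejected when user_2 presents it. The class and method names are hypothetical.

```java
import java.util.Date;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

public class JwtSessionCheck {

    // Hypothetical issuer mirroring generateSessionId: same claims, HMAC256, fixed lifetime.
    static String issue(String username, String database, String secret, long minutes) {
        Algorithm algorithm = Algorithm.HMAC256(secret);
        return JWT.create()
                .withClaim("usr", username)
                .withClaim("dbn", database)
                .withIssuedAt(new Date())
                .withExpiresAt(new Date(System.currentTimeMillis() + minutes * 60 * 1000))
                .sign(algorithm);
    }

    // Hypothetical verifier: accepts the token only if the signature is valid, the token
    // is not expired, and the usr/dbn claims match the user and database of the request.
    // Binding the claims to the request is what stops one user from replaying another's token.
    static boolean isValidFor(String token, String username, String database, String secret) {
        try {
            Algorithm algorithm = Algorithm.HMAC256(secret);
            DecodedJWT jwt = JWT.require(algorithm)
                    .withClaim("usr", username)
                    .withClaim("dbn", database)
                    .build()
                    .verify(token); // throws on bad signature, expiry, or claim mismatch
            return jwt != null;
        } catch (JWTVerificationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String secret = "REPLACE-WITH-YOUR-OWN-SECRET"; // placeholder, never keep the default
        String token = issue("user_1", "sampledb", secret, 30); // constructed sample token

        if (!isValidFor(token, "user_1", "sampledb", secret))
            throw new IllegalStateException("issuing user must be accepted");
        if (isValidFor(token, "user_2", "sampledb", secret))
            throw new IllegalStateException("another user must not reuse the token");
        if (isValidFor(token, "user_1", "otherdb", secret))
            throw new IllegalStateException("token must not be valid for another database");
        if (isValidFor(token, "user_1", "sampledb", "wrong-secret"))
            throw new IllegalStateException("token signed with a different secret must fail");
    }
}
```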
As I checked, to validate a JWT token we need to write Java classes on the AceQL server side. But can we validate a JWT token (passed as a header) on the AceQL server without writing Java classes? Is there any built-in functionality for the same?