JWT token validation

[swapndeh]

As i checked, to validate jwt token we need to write java classes on aceql server side. But can we validate jwt token (passed as a header) on aceql server without writing java classes? Is there any built in functionality for the same?

[ndepomereu]

Hi, There is no code to write or deploy (unless you want to write your own token system).

Just go to your aceql-server.properties file and:

• comment line sessionConfiguratorClassName=DefaultSessionConfigurator
• uncomment line #sessionConfiguratorClassName=JwtSessionConfigurator
• uncomment line #jwtSessionConfiguratorSecret=changeit

Then change the changeitpassword with your own secret value, and restart the AceQL Server. You're done!

[ndepomereu]

Hi, I don't understand what is specific to your need, as this tight and strict user control is already done with default JWT implementation in AceQL.

The generated JWT token is per user: client user_2can not use the JWT token belonging to user_1in order to impersonate or steal the session id

See implementation and how independent JWT tokens per user are generated in generateSessionId method: https://bit.ly/2TRoA8y:

        Algorithm algorithm = Algorithm.HMAC256(secret);

        Builder builder = JWT.create();
        builder.withClaim("usr", username);
        builder.withClaim("dbn", database);
        builder.withIssuedAt(new Date());

        if (getSessionTimelife() != 0) {
        Date expiresAt = new Date(System.currentTimeMillis() + (getSessionTimelife() * 60 * 1000));
        builder.withExpiresAt(expiresAt);
        }

        String token = builder.sign(algorithm);
        return token;