JWT token validation

[swapndeh]

As i checked, to validate jwt token we need to write java classes on aceql server side. But can we validate jwt token (passed as a header) on aceql server without writing java classes? Is there any built in functionality for the same?

[ndepomereu]

Hi,
There is no code to write or deploy (unless you want to write your own token system).

Just go to your aceql-server.properties file and:

• comment line sessionConfiguratorClassName=DefaultSessionConfigurator
• uncomment line #sessionConfiguratorClassName=JwtSessionConfigurator
• uncomment line #jwtSessionConfiguratorSecret=changeit

Then change the changeit password with your own secret value, and restart the AceQL Server.
You're done!

[ndepomereu]

Hi,
I don't understand what is specific to your need, as this tight and strict user control is already done with default JWT implementation in AceQL.

The generated JWT token is per user: client user_2 can not use the JWT token belonging to user_1 in order to impersonate or steal the session id

See implementation and how independent JWT tokens per user are generated in generateSessionId method:
https://bit.ly/2TRoA8y:

	    Algorithm algorithm = Algorithm.HMAC256(secret);

	    Builder builder = JWT.create();
	    builder.withClaim("usr", username);
	    builder.withClaim("dbn", database);
	    builder.withIssuedAt(new Date());

	    if (getSessionTimelife() != 0) {
		Date expiresAt = new Date(System.currentTimeMillis() + (getSessionTimelife() * 60 * 1000));
		builder.withExpiresAt(expiresAt);
	    }

	    String token = builder.sign(algorithm);
	    return token;