Annotation Interface JWT.StaticClaim

Enclosing class:
JWT

public static @interface JWT.StaticClaim
A static claim is a claim that is required to be present on the token, and have a particular value. This can be used to ensure that the token has a particular role, for example.

If the claim is not present, or is present but does not have the expected value, then the request will be rejected with a 403 Forbidden response.

If the claim is present and has the expected value, then the request will be allowed to proceed.

Each static claim can be configured with either 'values' or a 'pattern' that will be matched against the value of the claim, but not both.

  • Required Element Summary

    Required Elements
    Modifier and Type
    Required Element
    Description
    The claim name needs to be a hardcoded literal (e.g.
  • Optional Element Summary

    Optional Elements
    Modifier and Type
    Optional Element
    Description
    This receives a regex expression (Java flavor) used to match on the incoming claim value.
    The value can be set as: a hardcoded literal (e.g.
  • Element Details

    • claim

      String claim
      The claim name needs to be a hardcoded literal (e.g. "role")
    • values

      String[] values
      The value can be set as: a hardcoded literal (e.g. "admin"), an ENV variable (e.g. "${ENV_VAR}") or a combination of both (e.g. "${ENV_VAR}-admin"). When declaring multiple values, ALL of those will be required when validating the claim.
      Default:
      {}
    • pattern

      String pattern
      A regular expression (Java flavor) that is matched against the incoming claim value. It cannot be used together with the values element above; set one or the other.

      NOTE: when signing, a static claim defined with a pattern will not be included in the token.

      Usage examples:

      • claim value is not empty: "\\S+"
      • claim value has one of 2 possible values: "^(admin|manager)$"
      Default:
      ""
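
The validation rules described on this page, modeled as an added Java example (not this library's code). It assumes the claim arrives as a list of strings, that a pattern must match the whole of every entry (the page does not say whether matching is full or partial), and that an unset environment variable is a configuration error; `StaticClaimCheck`, `resolve` and `check` are hypothetical names.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration: a stand-alone model of the documented rules, not the library's code.
public class StaticClaimCheck {
    private static final Pattern ENV_REF = Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)}");

    // Expands "${ENV_VAR}" references; an unset variable is an error, never an empty string.
    static String resolve(String template, Map<String, String> env) {
        Matcher m = ENV_REF.matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String v = env.get(m.group(1));
            if (v == null) throw new IllegalStateException("unset variable: " + m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        return m.appendTail(out).toString();
    }

    // Returns the status the page describes: 200 to proceed, 403 to reject.
    // tokenValues holds the claim's value(s) from an already verified token, null if absent.
    // Assumption: with a pattern, every entry of the claim must match in full.
    static int check(List<String> tokenValues, String[] values, String pattern,
                     Map<String, String> env) {
        if ((values.length > 0) == !pattern.isEmpty())
            throw new IllegalArgumentException("set exactly one of values or pattern");
        if (tokenValues == null || tokenValues.isEmpty()) return 403;
        if (!pattern.isEmpty()) {
            Pattern p = Pattern.compile(pattern);
            // matches() tests the whole value; find() would accept any substring hit.
            return tokenValues.stream().allMatch(v -> p.matcher(v).matches()) ? 200 : 403;
        }
        for (String expected : values)   // ALL declared values must be present
            if (!tokenValues.contains(resolve(expected, env))) return 403;
        return 200;
    }

    public static void main(String[] args) {
        Map<String, String> env = Map.of("TENANT", "acme");   // constructed sample environment
        String[] need = {"${TENANT}-admin", "auditor"};       // constructed sample values
        System.out.println(check(List.of("acme-admin", "auditor"), need, "", env)); // both present
        System.out.println(check(List.of("acme-admin"), need, "", env));            // one missing
        System.out.println(check(null, need, "", env));                             // claim absent
        System.out.println(check(List.of("admin"), new String[0], "^(admin|manager)$", env));
        System.out.println(check(List.of("admin x"), new String[0], "\\S+", env));
        // Under find() semantics the unanchored "\\S+" also hits inside "admin x".
        System.out.println(Pattern.compile("\\S+").matcher("admin x").find());
    }
}
```

Anchoring a pattern with ^ and $, as the second usage example does, gives the same result under full-match and substring-match semantics.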