JWT Security

On incoming requests, the gm-jwt-security filter communicates with the gm-jwt-security service's /policies endpoint and creates a JWT token. A USER_DN must be set.

This filter is usually set after the Inheaders filter, and can only be used with TLS.

Filter Configuration Options

  • jwtHeaderName (String, default: "jwt") - Header in which the JWT token is put.
  • useTls (Boolean, default: false) - Whether the filter uses certs when connecting to gm-jwt-security.
  • certPath (String, default: "./certs/server.crt") - Certificate path.
  • keyPath (String, default: "./certs/server.key") - Keyfile path.
  • caPath (String, default: "./certs/intermediate.crt") - Certificate authority or intermediate certificate path.
  • insecureSkipVerify (Boolean, default: false) - Whether calls to gm-jwt-security skip hostname verification of certs. Should be used only for testing. See the Go docs for more information.
  • timeoutMs (Integer, default: 1000ms) - Timeout in milliseconds for the connection between gm-proxy and the gm-jwt-security service. Set to a negative number to disable timeouts completely, though this is not advised as it can cause an infinite hang in the sidecar.
  • maxRetries (Integer, default: 0) - Number of retries after a failed connection between gm-proxy and the gm-jwt-security service.
  • retryDelayMs (Integer, default: 0) - Amount of time in milliseconds between each unsuccessful retry.
  • cacheLimit (Integer, default: 100) - Maximum number of tokens held in cache. If negative, caching is disabled; must be > 0 to enable caching.
  • cachedTokenExp (Integer, default: 10m) - Time in minutes to hold tokens in the cache. If negative, caching is disabled; must be > 0 to enable caching.
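A pre-deployment check over these options, as an added example that is not part of the original page or the project's code: it overlays a filter configuration on the documented defaults and reports the options whose values deserve review. The flat JSON layout, the `Config` type and the `Audit` helper are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Config uses the option names documented above; the flat JSON layout is an
// assumption of this example, not the proxy's real configuration schema.
type Config struct {
	UseTLS             bool `json:"useTls"`
	InsecureSkipVerify bool `json:"insecureSkipVerify"`
	TimeoutMs          int  `json:"timeoutMs"`
	MaxRetries         int  `json:"maxRetries"`
	RetryDelayMs       int  `json:"retryDelayMs"`
	CacheLimit         int  `json:"cacheLimit"`
	CachedTokenExp     int  `json:"cachedTokenExp"`
}

// Audit (hypothetical helper) starts from the documented defaults, overlays the
// supplied JSON, and returns the names of options whose values deserve review.
func Audit(raw []byte) ([]string, error) {
	cfg := Config{TimeoutMs: 1000, CacheLimit: 100, CachedTokenExp: 10}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse filter config: %w", err)
	}
	var flagged []string
	if !cfg.UseTLS { // the filter is documented as usable only with TLS
		flagged = append(flagged, "useTls")
	}
	if cfg.InsecureSkipVerify { // documented as a testing-only setting
		flagged = append(flagged, "insecureSkipVerify")
	}
	if cfg.TimeoutMs < 0 { // timeouts disabled: the sidecar can hang
		flagged = append(flagged, "timeoutMs")
	}
	if cfg.MaxRetries > 0 && cfg.RetryDelayMs <= 0 { // retries fire back to back
		flagged = append(flagged, "retryDelayMs")
	}
	if cfg.CacheLimit <= 0 || cfg.CachedTokenExp <= 0 { // token caching is not enabled
		flagged = append(flagged, "cache")
	}
	return flagged, nil
}

func main() {
	// Constructed sample input, not taken from a real deployment.
	sample := []byte(`{"useTls": true, "insecureSkipVerify": true, "timeoutMs": -1, "cacheLimit": 0}`)
	fmt.Println(Audit(sample))
}
```

An empty configuration is flagged for `useTls` alone, because the documented default is false while the filter is described as TLS-only.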