Merged in feature/jwt_refresh (pull request #121)

Feature JWT Refresh
2025-11-10 23:45:44 +01:00 · 2018-12-05 09:14:16 +00:00
parent 553d564836 8aeb633337
commit 16eb433618
20 changed files with 702 additions and 84 deletions
--- a/scm-core/src/main/java/sonia/scm/security/AccessToken.java
+++ b/scm-core/src/main/java/sonia/scm/security/AccessToken.java
@@ -31,6 +31,7 @@
 package sonia.scm.security;

 import java.util.Date;
+import java.util.Map;
 import java.util.Optional;

 /**
@@ -38,70 +39,77 @@ import java.util.Optional;
 * be issued from a restful webservice endpoint by providing credentials. After the token was issued, the token must be
 * send along with every request. The token should be send in its compact representation as bearer authorization header
 * or as cookie.
- * 
+ *
 * @author Sebastian Sdorra
 * @since 2.0.0
 */
 public interface AccessToken {
-  
+
  /**
   * Returns unique id of the access token.
-   * 
+   *
   * @return unique id
   */
  String getId();
-  
+
  /**
   * Returns name of subject which identifies the principal.
-   * 
+   *
   * @return name of subject
   */
  String getSubject();
-  
+
  /**
   * Returns optional issuer. The issuer identifies the principal that issued the token.
-   * 
+   *
   * @return optional issuer
   */
  Optional<String> getIssuer();
-  
+
  /**
   * Returns time at which the token was issued.
-   * 
+   *
   * @return time at which the token was issued
   */
  Date getIssuedAt();
-  
+
  /**
   * Returns the expiration time of token.
-   * 
+   *
   * @return expiration time
   */
  Date getExpiration();
-  
+
+  Optional<Date> getRefreshExpiration();
+
  /**
-   * Returns the scope of the token. The scope is able to reduce the permissions of the subject in the context of this 
+   * Returns the scope of the token. The scope is able to reduce the permissions of the subject in the context of this
   * token. For example we could issue a token which can only be used to read a single repository. for more informations
   * please have a look at {@link Scope}.
-   * 
+   *
   * @return scope of token.
   */
  Scope getScope();
-  
+
  /**
   * Returns an optional value of a custom token field.
-   * 
+   *
   * @param <T> type of field
   * @param key key of token field
-   * 
+   *
   * @return optional value of custom field
   */
  <T> Optional<T> getCustom(String key);
-  
+
  /**
   * Returns compact representation of token.
-   * 
+   *
   * @return compact representation
   */
  String compact();
+
+  /**
+   * Returns read only map of all claim keys with their values.
+   */
+  Map<String, Object> getClaims();
 }
--- a/scm-core/src/main/java/sonia/scm/security/AccessTokenBuilder.java
+++ b/scm-core/src/main/java/sonia/scm/security/AccessTokenBuilder.java
@@ -74,11 +74,21 @@ public interface AccessTokenBuilder {
   * Sets the expiration for the token.
   * 
   * @param count expiration count
-   * @param unit expirtation unit
+   * @param unit expiration unit
   * 
   * @return {@code this}
   */
  AccessTokenBuilder expiresIn(long count, TimeUnit unit);
+
+  /**
+   * Sets the time how long this token may be refreshed. Set this to 0 (zero) to disable automatic refresh.
+   *
+   * @param count Time unit count. If set to 0, automatic refresh is disabled.
+   * @param unit time unit
+   *
+   * @return {@code this}
+   */
+  AccessTokenBuilder refreshableFor(long count, TimeUnit unit);
  
  /**
   * Reduces the permissions of the token by providing a scope.
--- a/scm-webapp/pom.xml
+++ b/scm-webapp/pom.xml
@@ -72,8 +72,18 @@
    
    <dependency>
      <groupId>io.jsonwebtoken</groupId>
-      <artifactId>jjwt</artifactId>
-      <version>0.4</version>
+      <artifactId>jjwt-impl</artifactId>
+      <version>${jjwt.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-api</artifactId>
+      <version>${jjwt.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-jackson</artifactId>
+      <version>${jjwt.version}</version>
    </dependency>

    <!-- json -->
@@ -540,6 +550,7 @@
    <scm.stage>DEVELOPMENT</scm.stage>
    <scm.home>target/scm-it</scm.home>
    <environment.profile>default</environment.profile>
+    <jjwt.version>0.10.5</jjwt.version>
    <selenium.version>2.53.1</selenium.version>
    <wagon.version>1.0</wagon.version>
    <mustache.version>0.8.17</mustache.version>
--- a/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
@@ -83,8 +83,10 @@ import sonia.scm.security.AuthorizationChangedEventProducer;
 import sonia.scm.security.CipherHandler;
 import sonia.scm.security.CipherUtil;
 import sonia.scm.security.ConfigurableLoginAttemptHandler;
+import sonia.scm.security.DefaultJwtAccessTokenRefreshStrategy;
 import sonia.scm.security.DefaultKeyGenerator;
 import sonia.scm.security.DefaultSecuritySystem;
+import sonia.scm.security.JwtAccessTokenRefreshStrategy;
 import sonia.scm.security.KeyGenerator;
 import sonia.scm.security.LoginAttemptHandler;
 import sonia.scm.security.SecuritySystem;
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultJwtAccessTokenRefreshStrategy.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultJwtAccessTokenRefreshStrategy.java
@@ -0,0 +1,10 @@
+package sonia.scm.security;
+
+import sonia.scm.plugin.Extension;
+
+@Extension
+public class DefaultJwtAccessTokenRefreshStrategy extends PercentageJwtAccessTokenRefreshStrategy {
+  public DefaultJwtAccessTokenRefreshStrategy() {
+    super(0.5F);
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessToken.java
@@ -31,9 +31,14 @@
 package sonia.scm.security;

 import io.jsonwebtoken.Claims;
+
+import java.util.Collections;
 import java.util.Date;
+import java.util.Map;
 import java.util.Optional;

+import static java.util.Optional.ofNullable;
+
 /**
 * Jwt implementation of {@link AccessToken}.
 * 
@@ -41,7 +46,9 @@ import java.util.Optional;
 * @since 2.0.0
 */
 public final class JwtAccessToken implements AccessToken {
-  
+
+  public static final String REFRESHABLE_UNTIL_CLAIM_KEY = "scm-manager.refreshExpiration";
+  public static final String PARENT_TOKEN_ID_CLAIM_KEY = "scm-manager.parentTokenId";
  private final Claims claims;
  private final String compact;

@@ -75,6 +82,15 @@ public final class JwtAccessToken implements AccessToken {
    return claims.getExpiration();
  }

+  @Override
+  public Optional<Date> getRefreshExpiration() {
+    return ofNullable(claims.get(REFRESHABLE_UNTIL_CLAIM_KEY, Date.class));
+  }
+
+  public Optional<String> getParentKey() {
+    return ofNullable(claims.get(PARENT_TOKEN_ID_CLAIM_KEY).toString());
+  }
+
  @Override
  public Scope getScope() {
    return Scopes.fromClaims(claims);
@@ -90,5 +106,9 @@ public final class JwtAccessToken implements AccessToken {
  public String compact() {
    return compact;
  }
-  
+
+  @Override
+  public Map<String, Object> getClaims() {
+    return Collections.unmodifiableMap(claims);
+  }
 }
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilder.java
@@ -36,10 +36,12 @@ import com.google.common.collect.Maps;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+
+import java.time.Clock;
+import java.time.Instant;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.subject.Subject;
@@ -48,7 +50,7 @@ import org.slf4j.LoggerFactory;

 /**
 * Jwt implementation of {@link AccessTokenBuilder}.
- * 
+ *
 * @author Sebastian Sdorra
 * @since 2.0.0
 */
@@ -58,21 +60,27 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
   * the logger for JwtAccessTokenBuilder
   */
  private static final Logger LOG = LoggerFactory.getLogger(JwtAccessTokenBuilder.class);
-  
-  private final KeyGenerator keyGenerator; 
-  private final SecureKeyResolver keyResolver; 
-  
+
+  private final KeyGenerator keyGenerator;
+  private final SecureKeyResolver keyResolver;
+  private final Clock clock;
+
  private String subject;
  private String issuer;
-  private long expiresIn = 60l;
-  private TimeUnit expiresInUnit = TimeUnit.MINUTES;
+  private long expiresIn = 1;
+  private TimeUnit expiresInUnit = TimeUnit.HOURS;
+  private long refreshableFor = 12;
+  private TimeUnit refreshableForUnit = TimeUnit.HOURS;
+  private Instant refreshExpiration;
+  private String parentKeyId;
  private Scope scope = Scope.empty();
-  
+
  private final Map<String,Object> custom = Maps.newHashMap();
-  
-  JwtAccessTokenBuilder(KeyGenerator keyGenerator, SecureKeyResolver keyResolver)  {
+
+  JwtAccessTokenBuilder(KeyGenerator keyGenerator, SecureKeyResolver keyResolver, Clock clock)  {
    this.keyGenerator = keyGenerator;
    this.keyResolver = keyResolver;
+    this.clock = clock;
  }

  @Override
@@ -81,7 +89,7 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
    this.subject = subject;
    return this;
  }
-  
+
  @Override
  public JwtAccessTokenBuilder custom(String key, Object value) {
    Preconditions.checkArgument(!Strings.isNullOrEmpty(key), "null or empty value not allowed");
@@ -92,11 +100,11 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {

  @Override
  public JwtAccessTokenBuilder scope(Scope scope) {
-    Preconditions.checkArgument(scope != null, "scope can not be null");
+    Preconditions.checkArgument(scope != null, "scope cannot be null");
    this.scope = scope;
    return this;
  }
-  
+
  @Override
  public JwtAccessTokenBuilder issuer(String issuer) {
    Preconditions.checkArgument(!Strings.isNullOrEmpty(issuer), "null or empty value not allowed");
@@ -106,15 +114,37 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {

  @Override
  public JwtAccessTokenBuilder expiresIn(long count, TimeUnit unit) {
-    Preconditions.checkArgument(count > 0, "expires in must be greater than 0");
-    Preconditions.checkArgument(unit != null, "unit can not be null");
-    
+    Preconditions.checkArgument(count > 0, "count must be greater than 0");
+    Preconditions.checkArgument(unit != null, "unit cannot be null");
+
    this.expiresIn = count;
    this.expiresInUnit = unit;
-    
+
    return this;
  }
-  
+
+  @Override
+  public JwtAccessTokenBuilder refreshableFor(long count, TimeUnit unit) {
+    Preconditions.checkArgument(count >= 0, "count must be greater or equal to 0");
+    Preconditions.checkArgument(unit != null, "unit cannot be null");
+
+    this.refreshableFor = count;
+    this.refreshableForUnit = unit;
+
+    return this;
+  }
+
+  JwtAccessTokenBuilder refreshExpiration(Instant refreshExpiration) {
+    this.refreshExpiration = refreshExpiration;
+    this.refreshableFor = 0;
+    return this;
+  }
+
+  public JwtAccessTokenBuilder parentKey(String parentKeyId) {
+    this.parentKeyId = parentKeyId;
+    return this;
+  }
+
  private String getSubject(){
    if (subject == null) {
      Subject currentSubject = SecurityUtils.getSubject();
@@ -130,35 +160,48 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
    String id = keyGenerator.createKey();

    String sub = getSubject();
-    
+
    LOG.trace("create new token {} for user {}", id, subject);
    SecureKey key = keyResolver.getSecureKey(sub);
-    
+
    Map<String,Object> customClaims = new HashMap<>(custom);
-    
+
    // add scope to custom claims
    Scopes.toClaims(customClaims, scope);
-    
-    Date now = new Date();
+
+    Instant now = clock.instant();
    long expiration = expiresInUnit.toMillis(expiresIn);
-    
+
    Claims claims = Jwts.claims(customClaims)
      .setSubject(sub)
      .setId(id)
-      .setIssuedAt(now)
-      .setExpiration(new Date(now.getTime() + expiration));
-    
+      .setIssuedAt(Date.from(now))
+      .setExpiration(new Date(now.toEpochMilli() + expiration));
+
+
+    if (refreshableFor > 0) {
+      long refreshExpiration = refreshableForUnit.toMillis(refreshableFor);
+      claims.put(JwtAccessToken.REFRESHABLE_UNTIL_CLAIM_KEY, new Date(now.toEpochMilli() + refreshExpiration).getTime());
+    } else if (refreshExpiration != null) {
+      claims.put(JwtAccessToken.REFRESHABLE_UNTIL_CLAIM_KEY, Date.from(refreshExpiration));
+    }
+    if (parentKeyId == null) {
+      claims.put(JwtAccessToken.PARENT_TOKEN_ID_CLAIM_KEY, id);
+    } else {
+      claims.put(JwtAccessToken.PARENT_TOKEN_ID_CLAIM_KEY, parentKeyId);
+    }
+
    if ( issuer != null ) {
      claims.setIssuer(issuer);
    }
-    
+
    // sign token and create compact version
    String compact = Jwts.builder()
        .setClaims(claims)
        .signWith(SignatureAlgorithm.HS256, key.getBytes())
        .compact();
-    
+
    return new JwtAccessToken(claims, compact);
  }
-  
+
 }
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilderFactory.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenBuilderFactory.java
@@ -30,6 +30,7 @@
 */
 package sonia.scm.security;

+import java.time.Clock;
 import java.util.Set;
 import javax.inject.Inject;
 import sonia.scm.plugin.Extension;
@@ -46,19 +47,25 @@ public final class JwtAccessTokenBuilderFactory implements AccessTokenBuilderFac
  private final KeyGenerator keyGenerator;
  private final SecureKeyResolver keyResolver;
  private final Set<AccessTokenEnricher> enrichers;
+  private final Clock clock;

  @Inject
  public JwtAccessTokenBuilderFactory(
-    KeyGenerator keyGenerator, SecureKeyResolver keyResolver, Set<AccessTokenEnricher> enrichers
-  ) {
+    KeyGenerator keyGenerator, SecureKeyResolver keyResolver, Set<AccessTokenEnricher> enrichers) {
+    this(keyGenerator, keyResolver, enrichers, Clock.systemDefaultZone());
+  }
+
+  JwtAccessTokenBuilderFactory(
+    KeyGenerator keyGenerator, SecureKeyResolver keyResolver, Set<AccessTokenEnricher> enrichers, Clock clock) {
    this.keyGenerator = keyGenerator;
    this.keyResolver = keyResolver;
    this.enrichers = enrichers;
+    this.clock = clock;
  }

  @Override
  public JwtAccessTokenBuilder create() {
-    JwtAccessTokenBuilder builder = new JwtAccessTokenBuilder(keyGenerator, keyResolver);
+    JwtAccessTokenBuilder builder = new JwtAccessTokenBuilder(keyGenerator, keyResolver, clock);
    
    // enrich access token builder
    enrichers.forEach((enricher) -> {
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefreshStrategy.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefreshStrategy.java
@@ -0,0 +1,8 @@
+package sonia.scm.security;
+
+import sonia.scm.plugin.ExtensionPoint;
+
+@ExtensionPoint(multi = false)
+public interface JwtAccessTokenRefreshStrategy {
+  boolean shouldBeRefreshed(JwtAccessToken oldToken);
+}
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefresher.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefresher.java
@@ -0,0 +1,77 @@
+package sonia.scm.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import java.time.Clock;
+import java.util.Date;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.TimeUnit;
+
+public class JwtAccessTokenRefresher {
+
+  private static final Logger log = LoggerFactory.getLogger(JwtAccessTokenRefresher.class);
+
+  private final JwtAccessTokenBuilderFactory builderFactory;
+  private final JwtAccessTokenRefreshStrategy refreshStrategy;
+  private final Clock clock;
+
+  @Inject
+  public JwtAccessTokenRefresher(JwtAccessTokenBuilderFactory builderFactory, JwtAccessTokenRefreshStrategy refreshStrategy) {
+    this(builderFactory, refreshStrategy, Clock.systemDefaultZone());
+  }
+
+  JwtAccessTokenRefresher(JwtAccessTokenBuilderFactory builderFactory, JwtAccessTokenRefreshStrategy refreshStrategy, Clock clock) {
+    this.builderFactory = builderFactory;
+    this.refreshStrategy = refreshStrategy;
+    this.clock = clock;
+  }
+
+  @SuppressWarnings("squid:S3655") // the refresh expiration cannot be null at the time building the new token, because
+                                   // we checked this before in tokenCanBeRefreshed
+  public Optional<JwtAccessToken> refresh(JwtAccessToken oldToken) {
+    JwtAccessTokenBuilder builder = builderFactory.create();
+    Map<String, Object> claims = oldToken.getClaims();
+    claims.forEach(builder::custom);
+
+    if (canBeRefreshed(oldToken) && shouldBeRefreshed(oldToken)) {
+      Optional<Object> parentTokenId = oldToken.getCustom("scm-manager.parentTokenId");
+      if (!parentTokenId.isPresent()) {
+        log.warn("no parent token id found in token; could not refresh");
+        return Optional.empty();
+      }
+      builder.expiresIn(computeOldExpirationInMillis(oldToken), TimeUnit.MILLISECONDS);
+      builder.parentKey(parentTokenId.get().toString());
+      builder.refreshExpiration(oldToken.getRefreshExpiration().get().toInstant());
+      return Optional.of(builder.build());
+    } else {
+      return Optional.empty();
+    }
+  }
+
+  private long computeOldExpirationInMillis(JwtAccessToken oldToken) {
+    return oldToken.getExpiration().getTime() - oldToken.getIssuedAt().getTime();
+  }
+
+  private boolean canBeRefreshed(JwtAccessToken oldToken) {
+    return tokenIsValid(oldToken) && tokenCanBeRefreshed(oldToken);
+  }
+
+  private boolean shouldBeRefreshed(JwtAccessToken oldToken) {
+    return refreshStrategy.shouldBeRefreshed(oldToken);
+  }
+
+  private boolean tokenCanBeRefreshed(JwtAccessToken oldToken) {
+    return oldToken.getRefreshExpiration().map(this::isAfterNow).orElse(false);
+  }
+
+  private boolean tokenIsValid(JwtAccessToken oldToken) {
+    return isAfterNow(oldToken.getExpiration());
+  }
+
+  private boolean isAfterNow(Date expiration) {
+    return expiration.toInstant().isAfter(clock.instant());
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/security/PercentageJwtAccessTokenRefreshStrategy.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/PercentageJwtAccessTokenRefreshStrategy.java
@@ -0,0 +1,25 @@
+package sonia.scm.security;
+
+import java.time.Clock;
+
+public class PercentageJwtAccessTokenRefreshStrategy implements JwtAccessTokenRefreshStrategy {
+
+  private final Clock clock;
+  private final float refreshPercentage;
+
+  public PercentageJwtAccessTokenRefreshStrategy(float refreshPercentage) {
+    this(Clock.systemDefaultZone(), refreshPercentage);
+  }
+
+  PercentageJwtAccessTokenRefreshStrategy(Clock clock, float refreshPercentage) {
+    this.clock = clock;
+    this.refreshPercentage = refreshPercentage;
+  }
+
+  @Override
+  public boolean shouldBeRefreshed(JwtAccessToken oldToken) {
+    long liveSpan = oldToken.getExpiration().getTime() - oldToken.getIssuedAt().getTime();
+    long age = clock.instant().toEpochMilli() - oldToken.getIssuedAt().getTime();
+    return (float)age/liveSpan > refreshPercentage;
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/web/security/TokenRefreshFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/TokenRefreshFilter.java
@@ -0,0 +1,78 @@
+package sonia.scm.web.security;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import sonia.scm.Priority;
+import sonia.scm.filter.Filters;
+import sonia.scm.filter.WebElement;
+import sonia.scm.security.AccessToken;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.security.AccessTokenResolver;
+import sonia.scm.security.BearerToken;
+import sonia.scm.security.JwtAccessToken;
+import sonia.scm.security.JwtAccessTokenRefresher;
+import sonia.scm.web.WebTokenGenerator;
+import sonia.scm.web.filter.HttpFilter;
+
+import javax.inject.Inject;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Optional;
+import java.util.Set;
+
+import static java.util.Optional.empty;
+import static java.util.Optional.of;
+
+@Priority(Filters.PRIORITY_POST_AUTHENTICATION)
+@WebElement(value = Filters.PATTERN_RESTAPI,
+  morePatterns = { Filters.PATTERN_DEBUG })
+public class TokenRefreshFilter extends HttpFilter {
+
+  private static final Logger LOG = LoggerFactory.getLogger(TokenRefreshFilter.class);
+
+  private final Set<WebTokenGenerator> tokenGenerators;
+  private final JwtAccessTokenRefresher refresher;
+  private final AccessTokenResolver resolver;
+  private final AccessTokenCookieIssuer issuer;
+
+  @Inject
+  public TokenRefreshFilter(Set<WebTokenGenerator> tokenGenerators, JwtAccessTokenRefresher refresher, AccessTokenResolver resolver, AccessTokenCookieIssuer issuer) {
+    this.tokenGenerators = tokenGenerators;
+    this.refresher = refresher;
+    this.resolver = resolver;
+    this.issuer = issuer;
+  }
+
+  @Override
+  protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+    extractToken(request).ifPresent(token -> examineToken(request, response, token));
+    chain.doFilter(request, response);
+  }
+
+  private Optional<BearerToken> extractToken(HttpServletRequest request) {
+    for (WebTokenGenerator generator : tokenGenerators) {
+      AuthenticationToken token = generator.createToken(request);
+      if (token instanceof BearerToken) {
+        return of((BearerToken) token);
+      }
+    }
+    return empty();
+  }
+
+  private void examineToken(HttpServletRequest request, HttpServletResponse response, BearerToken token) {
+    AccessToken accessToken = resolver.resolve(token);
+    if (accessToken instanceof JwtAccessToken) {
+      refresher.refresh((JwtAccessToken) accessToken)
+        .ifPresent(jwtAccessToken -> refreshToken(request, response, jwtAccessToken));
+    }
+  }
+
+  private void refreshToken(HttpServletRequest request, HttpServletResponse response, JwtAccessToken jwtAccessToken) {
+    LOG.debug("refreshing authentication token");
+    issuer.authenticate(request, response, jwtAccessToken);
+  }
+}
--- a/scm-webapp/src/test/java/sonia/scm/security/BearerRealmTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/BearerRealmTest.java
@@ -61,7 +61,6 @@ import sonia.scm.user.UserDAO;
 import sonia.scm.user.UserTestData;

 import javax.crypto.spec.SecretKeySpec;
-import java.security.SecureRandom;
 import java.util.Date;
 import java.util.Set;

@@ -71,6 +70,7 @@ import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.when;
+import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;

 /**
 * Unit tests for {@link BearerRealm}.
@@ -256,12 +256,6 @@ private String createCompactToken(String subject, SecureKey key) {
      .compact();
  }

-  private SecureKey createSecureKey() {
-    byte[] bytes = new byte[32];
-    random.nextBytes(bytes);
-    return new SecureKey(bytes, System.currentTimeMillis());
-  }
-
  private void resolveKey(SecureKey key) {
    when(
      keyResolver.resolveSigningKey(
@@ -272,16 +266,13 @@ private String createCompactToken(String subject, SecureKey key) {
    .thenReturn(
      new SecretKeySpec(
        key.getBytes(), 
-        SignatureAlgorithm.HS256.getValue()
+        SignatureAlgorithm.HS256.getJcaName()
      )
    );
  }

  //~--- fields ---------------------------------------------------------------
  
-  /** Field description */
-  private final SecureRandom random = new SecureRandom();
-
  @InjectMocks
  private DAORealmHelperFactory helperFactory;
  
--- a/scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenBuilderTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenBuilderTest.java
@@ -44,7 +44,6 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;

-import java.util.Random;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;

@@ -56,6 +55,7 @@ import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.anyString;
 import static org.mockito.Mockito.when;
+import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;

 /**
 * Unit test for {@link JwtAccessTokenBuilder}.
@@ -162,11 +162,4 @@ public class JwtAccessTokenBuilderTest {
    assertEquals("b", token.getCustom("a").get());
    assertEquals("[\"repo:*\"]", token.getScope().toString());
  }
-  
-  private SecureKey createSecureKey() {
-    byte[] bytes = new byte[32];
-    new Random().nextBytes(bytes);
-    return new SecureKey(bytes, System.currentTimeMillis());
-  }
-
 }
--- a/scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenRefresherTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenRefresherTest.java
@@ -0,0 +1,152 @@
+package sonia.scm.security;
+
+import com.github.sdorra.shiro.ShiroRule;
+import com.github.sdorra.shiro.SubjectAware;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import java.sql.Date;
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Collections;
+import java.util.Optional;
+
+import static java.time.Duration.ofMinutes;
+import static java.time.temporal.ChronoUnit.SECONDS;
+import static java.util.concurrent.TimeUnit.MINUTES;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
+
+@SubjectAware(
+  username = "user",
+  password = "secret",
+  configuration = "classpath:sonia/scm/repository/shiro.ini"
+)
+@RunWith(MockitoJUnitRunner.class)
+public class JwtAccessTokenRefresherTest {
+
+  private static final Instant NOW = Instant.now().truncatedTo(SECONDS);
+  private static final Instant TOKEN_CREATION = NOW.minus(ofMinutes(1));
+
+  @Rule
+  public ShiroRule shiro = new ShiroRule();
+
+  @Mock
+  private SecureKeyResolver keyResolver;
+  @Mock
+  private JwtAccessTokenRefreshStrategy refreshStrategy;
+  @Mock
+  private Clock refreshClock;
+
+  private KeyGenerator keyGenerator = () -> "key";
+
+  private JwtAccessTokenRefresher refresher;
+  private JwtAccessTokenBuilder tokenBuilder;
+
+  @Before
+  public void initKeyResolver() {
+    when(keyResolver.getSecureKey(any())).thenReturn(createSecureKey());
+
+    Clock creationClock = mock(Clock.class);
+    when(creationClock.instant()).thenReturn(TOKEN_CREATION);
+    tokenBuilder = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), creationClock).create();
+
+    JwtAccessTokenBuilderFactory refreshBuilderFactory = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), refreshClock);
+    refresher = new JwtAccessTokenRefresher(refreshBuilderFactory, refreshStrategy, refreshClock);
+    when(refreshClock.instant()).thenReturn(NOW);
+    when(refreshStrategy.shouldBeRefreshed(any())).thenReturn(true);
+
+    // set default expiration values
+    tokenBuilder
+      .expiresIn(5, MINUTES)
+      .refreshableFor(10, MINUTES);
+  }
+
+  @Test
+  public void shouldNotRefreshTokenWithDisabledRefresh() {
+    JwtAccessToken oldToken = tokenBuilder
+      .refreshableFor(0, MINUTES)
+      .build();
+
+    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
+
+    assertThat(refreshedToken).isEmpty();
+  }
+
+  @Test
+  public void shouldNotRefreshTokenWhenTokenExpired() {
+    Instant afterNormalExpiration = NOW.plus(ofMinutes(6));
+    when(refreshClock.instant()).thenReturn(afterNormalExpiration);
+    JwtAccessToken oldToken = tokenBuilder.build();
+
+    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
+
+    assertThat(refreshedToken).isEmpty();
+  }
+
+  @Test
+  public void shouldNotRefreshTokenWhenRefreshExpired() {
+    Instant afterRefreshExpiration = Instant.now().plus(ofMinutes(2));
+    when(refreshClock.instant()).thenReturn(afterRefreshExpiration);
+    JwtAccessToken oldToken = tokenBuilder
+      .refreshableFor(1, MINUTES)
+      .build();
+
+    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
+
+    assertThat(refreshedToken).isEmpty();
+  }
+
+  @Test
+  public void shouldNotRefreshTokenWhenStrategyDoesNotSaySo() {
+    JwtAccessToken oldToken = tokenBuilder.build();
+    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(false);
+
+    Optional<JwtAccessToken> refreshedToken = refresher.refresh(oldToken);
+
+    assertThat(refreshedToken).isEmpty();
+  }
+
+  @Test
+  public void shouldRefreshTokenWithParentId() {
+    JwtAccessToken oldToken = tokenBuilder.build();
+    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);
+
+    Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);
+
+    assertThat(refreshedTokenResult).isNotEmpty();
+    JwtAccessToken refreshedToken = refreshedTokenResult.get();
+    assertThat(refreshedToken.getParentKey()).get().isEqualTo("key");
+  }
+
+  @Test
+  public void shouldRefreshTokenWithSameExpiration() {
+    JwtAccessToken oldToken = tokenBuilder.build();
+    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);
+
+    Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);
+
+    assertThat(refreshedTokenResult).isNotEmpty();
+    JwtAccessToken refreshedToken = refreshedTokenResult.get();
+    assertThat(refreshedToken.getExpiration()).isEqualTo(Date.from(NOW.plus(ofMinutes(5))));
+  }
+
+  @Test
+  public void shouldRefreshTokenWithSameRefreshExpiration() {
+    JwtAccessToken oldToken = tokenBuilder.build();
+    when(refreshStrategy.shouldBeRefreshed(oldToken)).thenReturn(true);
+
+    Optional<JwtAccessToken> refreshedTokenResult = refresher.refresh(oldToken);
+
+    assertThat(refreshedTokenResult).isNotEmpty();
+    JwtAccessToken refreshedToken = refreshedTokenResult.get();
+    assertThat(refreshedToken.getRefreshExpiration()).get().isEqualTo(Date.from(TOKEN_CREATION.plus(ofMinutes(10))));
+  }
+}
--- a/scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenResolverTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/JwtAccessTokenResolverTest.java
@@ -56,6 +56,8 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import static org.mockito.Mockito.*;
+import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
+
 import org.mockito.junit.MockitoJUnitRunner;

 /**
@@ -214,12 +216,6 @@ public class JwtAccessTokenResolverTest {
      .compact();
  }
  
-  private SecureKey createSecureKey() {
-    byte[] bytes = new byte[32];
-    random.nextBytes(bytes);
-    return new SecureKey(bytes, System.currentTimeMillis());
-  }
-  
  private void resolveKey(SecureKey key) {
    when(
      keyResolver.resolveSigningKey(
@@ -230,7 +226,7 @@ public class JwtAccessTokenResolverTest {
    .thenReturn(
      new SecretKeySpec(
        key.getBytes(), 
-        SignatureAlgorithm.HS256.getValue()
+        SignatureAlgorithm.HS256.getJcaName()
      )
    );
  }
--- a/scm-webapp/src/test/java/sonia/scm/security/PercentageJwtAccessTokenRefreshStrategyTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/PercentageJwtAccessTokenRefreshStrategyTest.java
@@ -0,0 +1,67 @@
+package sonia.scm.security;
+
+import com.github.sdorra.shiro.ShiroRule;
+import com.github.sdorra.shiro.SubjectAware;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Collections;
+
+import static java.time.temporal.ChronoUnit.MINUTES;
+import static java.time.temporal.ChronoUnit.SECONDS;
+import static java.util.concurrent.TimeUnit.HOURS;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static sonia.scm.security.SecureKeyTestUtil.createSecureKey;
+
+@SubjectAware(
+  username = "user",
+  password = "secret",
+  configuration = "classpath:sonia/scm/repository/shiro.ini"
+)
+public class PercentageJwtAccessTokenRefreshStrategyTest {
+
+  private static final Instant TOKEN_CREATION = Instant.now().truncatedTo(SECONDS);
+
+  @Rule
+  public ShiroRule shiro = new ShiroRule();
+
+  private KeyGenerator keyGenerator = () -> "key";
+
+  private Clock refreshClock = mock(Clock.class);
+
+  private JwtAccessTokenBuilder tokenBuilder;
+  private PercentageJwtAccessTokenRefreshStrategy refreshStrategy;
+
+  @Before
+  public void initToken() {
+    SecureKeyResolver keyResolver = mock(SecureKeyResolver.class);
+    when(keyResolver.getSecureKey(any())).thenReturn(createSecureKey());
+
+    Clock creationClock = mock(Clock.class);
+    when(creationClock.instant()).thenReturn(TOKEN_CREATION);
+
+    tokenBuilder = new JwtAccessTokenBuilderFactory(keyGenerator, keyResolver, Collections.emptySet(), creationClock).create();
+    tokenBuilder.expiresIn(1, HOURS);
+    tokenBuilder.refreshableFor(1, HOURS);
+
+    refreshStrategy = new PercentageJwtAccessTokenRefreshStrategy(refreshClock, 0.5F);
+  }
+
+  @Test
+  public void shouldNotRefreshWhenTokenIsYoung() {
+    when(refreshClock.instant()).thenReturn(TOKEN_CREATION.plus(29, MINUTES));
+    assertThat(refreshStrategy.shouldBeRefreshed(tokenBuilder.build())).isFalse();
+  }
+
+  @Test
+  public void shouldRefreshWhenTokenIsOld() {
+    when(refreshClock.instant()).thenReturn(TOKEN_CREATION.plus(31, MINUTES));
+    assertThat(refreshStrategy.shouldBeRefreshed(tokenBuilder.build())).isTrue();
+  }
+}
--- a/scm-webapp/src/test/java/sonia/scm/security/SecureKeyTestUtil.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/SecureKeyTestUtil.java
@@ -0,0 +1,11 @@
+package sonia.scm.security;
+
+import java.security.SecureRandom;
+
+public class SecureKeyTestUtil {
+  public static SecureKey createSecureKey() {
+    byte[] bytes = new byte[32];
+    new SecureRandom().nextBytes(bytes);
+    return new SecureKey(bytes, System.currentTimeMillis());
+  }
+}
--- a/scm-webapp/src/test/java/sonia/scm/web/security/TokenRefreshFilterTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/web/security/TokenRefreshFilterTest.java
@@ -0,0 +1,107 @@
+package sonia.scm.web.security;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.security.AccessTokenCookieIssuer;
+import sonia.scm.security.AccessTokenResolver;
+import sonia.scm.security.BearerToken;
+import sonia.scm.security.JwtAccessToken;
+import sonia.scm.security.JwtAccessTokenRefresher;
+import sonia.scm.web.WebTokenGenerator;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Set;
+
+import static java.util.Collections.singleton;
+import static java.util.Optional.of;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith({MockitoExtension.class})
+class TokenRefreshFilterTest {
+
+  @Mock
+  private Set<WebTokenGenerator> tokenGenerators;
+  @Mock
+  private WebTokenGenerator tokenGenerator;
+  @Mock
+  private JwtAccessTokenRefresher refresher;
+  @Mock
+  private AccessTokenResolver resolver;
+  @Mock
+  private AccessTokenCookieIssuer issuer;
+
+  @InjectMocks
+  private TokenRefreshFilter filter;
+
+  @Mock
+  private HttpServletRequest request;
+  @Mock
+  private HttpServletResponse response;
+  @Mock
+  private FilterChain filterChain;
+
+  @BeforeEach
+  void initGenerators() {
+    when(tokenGenerators.iterator()).thenReturn(singleton(tokenGenerator).iterator());
+  }
+
+  @Test
+  void shouldContinueChain() throws IOException, ServletException {
+    filter.doFilter(request, response, filterChain);
+
+    verify(filterChain).doFilter(request, response);
+    verify(issuer, never()).authenticate(any(), any(), any());
+  }
+
+  @Test
+  void shouldNotRefreshNonBearerToken() throws IOException, ServletException {
+    AuthenticationToken token = mock(AuthenticationToken.class);
+    when(tokenGenerator.createToken(request)).thenReturn(token);
+
+    filter.doFilter(request, response, filterChain);
+
+    verify(issuer, never()).authenticate(any(), any(), any());
+    verify(filterChain).doFilter(request, response);
+  }
+
+  @Test
+  void shouldNotRefreshNonJwtToken() throws IOException, ServletException {
+    BearerToken token = mock(BearerToken.class);
+    JwtAccessToken jwtToken = mock(JwtAccessToken.class);
+    when(tokenGenerator.createToken(request)).thenReturn(token);
+    when(resolver.resolve(token)).thenReturn(jwtToken);
+
+    filter.doFilter(request, response, filterChain);
+
+    verify(issuer, never()).authenticate(any(), any(), any());
+    verify(filterChain).doFilter(request, response);
+  }
+
+  @Test
+  void shouldRefreshIfRefreshable() throws IOException, ServletException {
+    BearerToken token = mock(BearerToken.class);
+    JwtAccessToken jwtToken = mock(JwtAccessToken.class);
+    JwtAccessToken newJwtToken = mock(JwtAccessToken.class);
+    when(tokenGenerator.createToken(request)).thenReturn(token);
+    when(resolver.resolve(token)).thenReturn(jwtToken);
+    when(refresher.refresh(jwtToken)).thenReturn(of(newJwtToken));
+
+    filter.doFilter(request, response, filterChain);
+
+    verify(issuer).authenticate(request, response, newJwtToken);
+    verify(filterChain).doFilter(request, response);
+  }
+}
--- a/scm-webapp/src/test/resources/sonia/scm/repository/shiro.ini
+++ b/scm-webapp/src/test/resources/sonia/scm/repository/shiro.ini
@@ -4,6 +4,7 @@ dent = secret, creator, heartOfGold, puzzle42
 unpriv = secret
 crato = secret, creator
 community = secret, oss
+user = secret, user

 [roles]
 admin = *
@@ -11,3 +12,4 @@ creator = repository:create
 heartOfGold = "repository:read,modify,delete:hof"
 puzzle42 = "repository:read,write:p42"
 oss = "repository:pull"
+user = *