org.forgerock.jaspi.modules.session.openam

Class OpenAMSessionModule

java.lang.Object

org.forgerock.jaspi.modules.session.openam.OpenAMSessionModule

All Implemented Interfaces:

AsyncServerAuthModule

public class OpenAMSessionModule
extends Object
implements AsyncServerAuthModule

A JASPI Session Module which uses OpenAM to validate SSO Tokens issued by an OpenAM instance.
Validates SSO Tokens by making REST calls to a OpenAM instance.

Since:

1.4.0

Constructor Summary

Constructors

Constructor and Description
OpenAMSessionModule() Construct OpenAMSessionModule - use default options.
OpenAMSessionModule(Options httpClientOptions) Cosntruct OpenAMSessionModule - use provide options for loading the HttpClientProvider.

Method Summary

Modifier and Type	Method and Description
Promise<Void,AuthenticationException>	cleanSubject(MessageInfoContext messageInfo, Subject clientSubject) No state to clear out from the client subject.
String	getModuleId() Gets the ID of the module to be used in creating authentication audit logs to uniquely identify the authentication module and its outcome when processing a request message.
Collection<Class<?>>	getSupportedMessageTypes() Will return an array of classes indicating that the CHF Http profile is supported.
Promise<Void,AuthenticationException>	initialize(javax.security.auth.message.MessagePolicy requestPolicy, javax.security.auth.message.MessagePolicy responsePolicy, CallbackHandler callbackHandler, Map<String,Object> options) Will initialise the module with the specified configuration properties.
Promise<javax.security.auth.message.AuthStatus,AuthenticationException>	secureResponse(MessageInfoContext messageInfo, Subject serviceSubject) No action to perform on secure response.
Promise<javax.security.auth.message.AuthStatus,AuthenticationException>	validateRequest(MessageInfoContext messageInfo, Subject clientSubject, Subject serviceSubject) Validates whether or not the request contains a valid OpenAM SSO Token Id.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.caf.authentication.api.AsyncServerAuthModule

toString

Constructor Detail

OpenAMSessionModule

public OpenAMSessionModule()

Construct OpenAMSessionModule - use default options.

OpenAMSessionModule

public OpenAMSessionModule(Options httpClientOptions)

Cosntruct OpenAMSessionModule - use provide options for loading the HttpClientProvider.

Parameters:

httpClientOptions - The options which will be used to configure the HTTP client.

Method Detail

getModuleId

public String getModuleId()

Description copied from interface: AsyncServerAuthModule

Gets the ID of the module to be used in creating authentication audit logs to uniquely identify the authentication module and its outcome when processing a request message.

Specified by:

getModuleId in interface AsyncServerAuthModule

Returns:

The ID of the module.

initialize

public Promise<Void,AuthenticationException> initialize(javax.security.auth.message.MessagePolicy requestPolicy,
                                                        javax.security.auth.message.MessagePolicy responsePolicy,
                                                        CallbackHandler callbackHandler,
                                                        Map<String,Object> options)

Will initialise the module with the specified configuration properties.

Property	Type	Required	Default Value	Description	Example
openamDeploymentUrl	String	Yes	N/A	The fully qualified URL of the OpenAM deployment, including the context path	http://example.com:8080/openam/
openamSSOTokenCookieName	String	Yes	N/A	The name of the cookie used by OpenAM to set the SSO Token Id	iPlanetDirectoryPro
trustManagerAlgorithm	String	When useSSL is true	SunX509	Certificate algorithm for the trust manager	SunX509
truststorePath	String	When useSSL is true	N/A	The absolute path to the location of the SSL Trust Store	/opt/truststore.jks
truststoreType	String	When useSSL is true	N/A	The type of the SSL Trust Store	JKS
truststorePassword	String	When useSSL is true	N/A	The password for the SSL Trust Store	cangetin

Specified by:

initialize in interface AsyncServerAuthModule

Parameters:

requestPolicy - The request policy this module must enforce, or null.

responsePolicy - The response policy this module must enforce, or null.

callbackHandler - CallbackHandler used to request information.

options - A Map of module-specific configuration properties.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value. A successfully completed Promise will contain no value and a failed completed Promise will contain an AuthenticationException if module initialization fails, including for the case where the options argument contains elements that are not supported by the module.

Throws:

IllegalArgumentException - If any of the required configuration properties are not set.

getSupportedMessageTypes

public Collection<Class<?>> getSupportedMessageTypes()

Will return an array of classes indicating that the CHF Http profile is supported.

Specified by:

getSupportedMessageTypes in interface AsyncServerAuthModule

Returns:

An array of the Request and Response classes.

validateRequest

public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> validateRequest(MessageInfoContext messageInfo,
                                                                                               Subject clientSubject,
                                                                                               Subject serviceSubject)

Validates whether or not the request contains a valid OpenAM SSO Token Id.
Attempts to get the SSO Token Id from the request, if no SSO Token Id exists on the request then SEND_FAILURE is returned. If a SSO Token Id is found a REST call is made to the configured OpenAM URL to validate that the SSO Token Id is valid and has not expired.
If the SSO Token Id is valid then SUCCESS is returned. For all other cases (i.e. invalid SSO Token Id, any exceptions) SEND_FAILURE is returned.

Specified by:

validateRequest in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

serviceSubject - A Subject that represents the subject for the server or null. It may be used to secure the message response.

Returns:

A Promise which will be completed with either a successful AuthStatus value or a AuthenticationException If an error occurs when setting the authenticated principal on the client subject.

See Also:

AuthStatus, ServerAuth.validateRequest( javax.security.auth.message.MessageInfo, Subject, Subject)

secureResponse

public Promise<javax.security.auth.message.AuthStatus,AuthenticationException> secureResponse(MessageInfoContext messageInfo,
                                                                                              Subject serviceSubject)

No action to perform on secure response. Will always return SEND_SUCCESS.
As this module uses OpenAM to verify whether a session is valid or not, when a session is valid the only way for the client to gain a session is to authenticate using OpenAM. This will then result in a SSOToken being set on the response as a cookie, hence doing the job of the secureResponse method.

Specified by:

secureResponse in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

serviceSubject - A Subject that represents the subject for the server or null. It may be used to secure the message response.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value.

A successfully completed Promise will contain an AuthStatus representing the completion status of the processing. See ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject) for the allowed AuthStatus values. Note AuthStatus.SEND_CONTINUE is not supported by this interface

A failed completed Promise will contain an AuthenticationException when the message processing failed without establishing a failure response message in the MessageContextInfo.

See Also:

AuthStatus, ServerAuth.secureResponse( javax.security.auth.message.MessageInfo, Subject)

cleanSubject

public Promise<Void,AuthenticationException> cleanSubject(MessageInfoContext messageInfo,
                                                          Subject clientSubject)

No state to clear out from the client subject.

Specified by:

cleanSubject in interface AsyncServerAuthModule

Parameters:

messageInfo - The message context info for this request.

clientSubject - A Subject that represents the subject of this request.

Returns:

A Promise that will be completed, as some point in the future, with either a successful value or a failure value. A successfully completed Promise will contain no value and a failed completed Promise will contain an AuthenticationException if an error occurs during the Subject processing.

See Also:

ServerAuth.cleanSubject( javax.security.auth.message.MessageInfo, Subject)