Class LibSecurityTokenProvider

    • Constructor Detail

      • LibSecurityTokenProvider

        public LibSecurityTokenProvider()
    • Method Detail

      • initialize

        public void initialize​(Object credential,
                               XMLSignatureManager sigManager)
                        throws SecurityTokenException
        Initializes the LibSecurityTokenProvider.
        Specified by:
        initialize in interface SecurityTokenProvider
        Parameters:
        credential - The credential of the caller, used to check whether the caller is allowed to access this security token provider.
        sigManager - XMLSignatureManager instance, used to access the certificate datastore and to digitally sign the assertion.
        Throws:
        SecurityTokenException - if the caller does not have the privilege to access the security authority manager.
      • setCertAlias

        public void setCertAlias​(String certAlias)
                          throws SecurityTokenException
        Sets the alias of the certificate used for issuing WSS tokens, for example a WSS X509 Token or a WSS SAML Token. If the certAlias is never set, a default certificate is used for issuing WSS tokens. The alias must resolve to an entry in the key store reachable through the XMLSignatureManager passed to initialize.
        Specified by:
        setCertAlias in interface SecurityTokenProvider
        Parameters:
        certAlias - String alias name for the certificate
        Throws:
        SecurityTokenException - if certificate for the certAlias could not be found in key store.
      • setCertificate

        public void setCertificate​(X509Certificate cert)
                            throws SecurityTokenException
        Sets the certificate used for issuing WSS tokens, for example a WSS X509 Token or a WSS SAML Token. If the certificate is never set, a default certificate is used for issuing WSS tokens.
        Specified by:
        setCertificate in interface SecurityTokenProvider
        Parameters:
        cert - X509 certificate
        Throws:
        SecurityTokenException - if the certificate alias corresponding to the given certificate could not be determined.
      • getSAMLAuthorizationToken

        public SecurityAssertion getSAMLAuthorizationToken​(NameIdentifier senderIdentity,
                                                           SessionContext invocatorSession,
                                                           String resourceID,
                                                           boolean includeAuthN,
                                                           boolean includeResourceAccessStatement,
                                                           String recipientProviderID)
                                                    throws SecurityTokenException
        Creates a SAML Assertion for message authorization; the assertion can optionally contain an AuthenticationStatement, which is used for message authentication.
        Specified by:
        getSAMLAuthorizationToken in interface SecurityTokenProvider
        Parameters:
        senderIdentity - name identifier of the sender.
        invocatorSession - SessionContext of the invocation identity; it is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthnResponse.
        resourceID - ID of the resource to be accessed.
        includeAuthN - if true, an AuthenticationStatement is included in the Assertion and is used for message authentication; if false, no AuthenticationStatement is included.
        includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive); if false, a SessionContextStatement is included instead (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and the AuthenticationSessionContext directives must be handled, pass true here, since the SessionContext is always included in the ResourceAccessStatement.
        recipientProviderID - the recipient's provider ID.
        Returns:
        the Assertion object.
        Throws:
        SecurityTokenException - if the assertion could not be obtained.
      • getSAMLAuthorizationToken

        public SecurityAssertion getSAMLAuthorizationToken​(NameIdentifier senderIdentity,
                                                           SessionContext invocatorSession,
                                                           EncryptedResourceID encResourceID,
                                                           boolean includeAuthN,
                                                           boolean includeResourceAccessStatement,
                                                           String recipientProviderID)
                                                    throws SecurityTokenException
        Creates a SAML Assertion for message authorization; the assertion can optionally contain an AuthenticationStatement, which is used for message authentication. This variant takes the resource ID in the encrypted form returned by the discovery service.
        Specified by:
        getSAMLAuthorizationToken in interface SecurityTokenProvider
        Parameters:
        senderIdentity - name identifier of the sender.
        invocatorSession - SessionContext of the invocation identity; it is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthnResponse.
        encResourceID - encrypted ID of the resource to be accessed.
        includeAuthN - if true, an AuthenticationStatement is included in the Assertion and is used for message authentication; if false, no AuthenticationStatement is included.
        includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive); if false, a SessionContextStatement is included instead (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and the AuthenticationSessionContext directives must be handled, pass true here, since the SessionContext is always included in the ResourceAccessStatement.
        recipientProviderID - the recipient's provider ID.
        Returns:
        the Assertion object.
        Throws:
        SecurityTokenException - if the assertion could not be obtained.
      • getSAMLBearerToken

        public SecurityAssertion getSAMLBearerToken​(NameIdentifier senderIdentity,
                                                    SessionContext invocatorSession,
                                                    String resourceID,
                                                    boolean includeAuthN,
                                                    boolean includeResourceAccessStatement,
                                                    String recipientProviderID)
                                             throws SecurityTokenException
        Creates a SAML assertion whose confirmationMethod is set to "urn:oasis:names:tc:SAML:1.0:cm:bearer". With bearer confirmation, possession of the assertion is sufficient to use it: any party that obtains it can present it, so it should only be transmitted over a channel that protects its confidentiality, and its validity period should be kept short.
        Specified by:
        getSAMLBearerToken in interface SecurityTokenProvider
        Parameters:
        senderIdentity - name identifier of the sender.
        invocatorSession - SessionContext of the invocation identity; it is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthnResponse.
        resourceID - ID of the resource to be accessed.
        includeAuthN - if true, an AuthenticationStatement is included in the Assertion and is used for message authentication; if false, no AuthenticationStatement is included.
        includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive); if false, a SessionContextStatement is included instead (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and the AuthenticationSessionContext directives must be handled, pass true here, since the SessionContext is always included in the ResourceAccessStatement.
        recipientProviderID - the recipient's provider ID.
        Returns:
        the SecurityAssertion.
        Throws:
        SecurityTokenException - if the assertion could not be obtained.
      • getSAMLBearerToken

        public SecurityAssertion getSAMLBearerToken​(NameIdentifier senderIdentity,
                                                    SessionContext invocatorSession,
                                                    EncryptedResourceID encResourceID,
                                                    boolean includeAuthN,
                                                    boolean includeResourceAccessStatement,
                                                    String recipientProviderID)
                                             throws SecurityTokenException
        Creates a SAML assertion whose confirmationMethod is set to "urn:oasis:names:tc:SAML:1.0:cm:bearer". This variant takes the resource ID in the encrypted form returned by the discovery service.
        Specified by:
        getSAMLBearerToken in interface SecurityTokenProvider
        Parameters:
        senderIdentity - name identifier of the sender.
        invocatorSession - SessionContext of the invocation identity; it is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthnResponse.
        encResourceID - encrypted ID of the resource to be accessed.
        includeAuthN - if true, an AuthenticationStatement is included in the Assertion and is used for message authentication; if false, no AuthenticationStatement is included.
        includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive); if false, a SessionContextStatement is included instead (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and the AuthenticationSessionContext directives must be handled, pass true here, since the SessionContext is always included in the ResourceAccessStatement.
        recipientProviderID - the recipient's provider ID.
        Returns:
        the Assertion object.
        Throws:
        SecurityTokenException - if the assertion could not be obtained.
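        The following is an added example, not code from this class or its project, showing the whole flow documented above: initialize the provider with a caller credential, pin the signing certificate with setCertAlias rather than relying on the default, then issue an authorization token (AuthenticationStatement plus ResourceAccessStatement) and a bearer token for a web service provider. Only the method signatures on this page are taken as given; everything else is an assumption that must be checked against your deployment: the package names, XMLSignatureManager.getInstance(), the use of an SSOToken as the credential, the SessionContext(Element) constructor, Assertion's getStatement() and toString(boolean, boolean), and the hypothetical alias, provider ID, resource ID and file inputs.

```java
// Added example: issuing Liberty ID-WSF security tokens with LibSecurityTokenProvider.
// Package names, the SSOToken credential, SessionContext(Element), getStatement(),
// toString(boolean, boolean) and all string constants are assumptions, not taken from this page.
import java.io.File;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

import com.iplanet.sso.SSOToken;                               // assumed credential type
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.liberty.ws.disco.EncryptedResourceID;  // assumed package
import com.sun.identity.liberty.ws.security.LibSecurityTokenProvider;
import com.sun.identity.liberty.ws.security.SecurityAssertion;
import com.sun.identity.liberty.ws.security.SecurityTokenException;
import com.sun.identity.liberty.ws.security.SecurityTokenProvider;
import com.sun.identity.liberty.ws.security.SessionContext;
import com.sun.identity.saml.assertion.AuthenticationStatement;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.xmlsig.XMLSignatureManager;

public final class TokenIssuerExample {

    // Hypothetical deployment values; replace with your own.
    private static final String SIGNING_CERT_ALIAS = "wsc-signing";
    private static final String RECIPIENT_PROVIDER_ID = "https://wsp.example.com/";
    private static final String RESOURCE_ID = "urn:example:wsp:resource:1234";
    private static final String FEDERATED_FORMAT = "urn:liberty:iff:nameid:federated";

    private final SecurityTokenProvider provider;

    // initialize() rejects callers that may not use the provider; setCertAlias() pins
    // the signing key so a misconfigured default certificate cannot sign tokens silently.
    public TokenIssuerExample(SSOToken callerCredential) throws SecurityTokenException {
        provider = new LibSecurityTokenProvider();
        provider.initialize(callerCredential, XMLSignatureManager.getInstance());
        provider.setCertAlias(SIGNING_CERT_ALIAS);
    }

    // AuthorizeRequester directive: an AuthenticationStatement for message authentication
    // plus a ResourceAccessStatement, which also carries the SessionContext and therefore
    // satisfies an AuthenticationSessionContext directive at the same time.
    public SecurityAssertion authorizationToken(NameIdentifier sender, SessionContext invocatorSession)
            throws SecurityTokenException {
        return provider.getSAMLAuthorizationToken(sender, invocatorSession, RESOURCE_ID,
                true /* includeAuthN */, true /* includeResourceAccessStatement */, RECIPIENT_PROVIDER_ID);
    }

    // Same token for a resource ID that the discovery service returned in encrypted form.
    public SecurityAssertion authorizationToken(NameIdentifier sender, SessionContext invocatorSession,
                                                EncryptedResourceID encResourceID) throws SecurityTokenException {
        return provider.getSAMLAuthorizationToken(sender, invocatorSession, encResourceID,
                true, true, RECIPIENT_PROVIDER_ID);
    }

    // Bearer confirmation: whoever holds the assertion can present it, so only send it
    // over a confidentiality-protected channel and keep its lifetime short.
    public SecurityAssertion bearerToken(NameIdentifier sender, SessionContext invocatorSession)
            throws SecurityTokenException {
        return provider.getSAMLBearerToken(sender, invocatorSession, RESOURCE_ID,
                false /* includeAuthN */, false /* includeResourceAccessStatement */, RECIPIENT_PROVIDER_ID);
    }

    // Check before sending that includeAuthN really produced an AuthenticationStatement.
    // Assumes SecurityAssertion inherits Assertion.getStatement(), which returns a Set of statements.
    public static boolean hasAuthenticationStatement(SecurityAssertion assertion) {
        for (Object statement : assertion.getStatement()) {
            if (statement instanceof AuthenticationStatement) {
                return true;
            }
        }
        return false;
    }

    // Loads a SessionContext element saved from the discovery resource offering's credential.
    // DTD processing is disabled so an attacker-supplied file cannot trigger XXE.
    static SessionContext loadSessionContext(File xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = dbf.newDocumentBuilder().parse(xml).getDocumentElement();
        return new SessionContext(root);   // assumed constructor
    }

    // Usage: java TokenIssuerExample <sso-token-id-of-authorized-caller> <session-context.xml>
    public static void main(String[] args) throws Exception {
        SSOToken credential = SSOTokenManager.getInstance().createSSOToken(args[0]);
        TokenIssuerExample issuer = new TokenIssuerExample(credential);
        NameIdentifier sender = new NameIdentifier("user@idp.example.com",
                "https://idp.example.com/", FEDERATED_FORMAT);
        SessionContext session = loadSessionContext(new File(args[1]));

        SecurityAssertion authz = issuer.authorizationToken(sender, session);
        if (!hasAuthenticationStatement(authz)) {
            throw new IllegalStateException("issued assertion lacks an AuthenticationStatement");
        }
        System.out.println(authz.toString(true, true));                         // signed assertion XML
        System.out.println(issuer.bearerToken(sender, session).toString(true, true));
    }
}
```

        The post-issuance check matters in practice: includeAuthN and includeResourceAccessStatement only request statements, and a token that reaches the web service provider without the statement its directive requires fails there rather than here, where the cause is visible. The XML parser hardening applies to any SessionContext or ResourceOffering material read from outside the provider's own trust boundary.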