Class SecurityTokenManagerClient


  • public final class SecurityTokenManagerClient
    extends Object
    The class SecurityTokenManagerClient is a final class that provides interfaces to create, get and destroy Assertions.

    The class provides mechanisms to manage the Assertions either locally (i.e., within the same JVM process) or remotely on another instance of OpenAM. The default constructor will manage the Assertions locally if it detects SAML web services running locally; otherwise it will use one of the configured OpenAM instances. The constructor that accepts a URL will always use that URL to manage the assertions.

    Having obtained an instance of AssertionManagerClient, its methods can be called to create and get Assertions and AssertionArtifacts, and to obtain a decision from a Query.

    • Constructor Detail

      • SecurityTokenManagerClient

        public SecurityTokenManagerClient(Object credential)
                                   throws SecurityTokenException
        Constructs an instance of SecurityTokenManagerClient.
        Parameters:
        credential - credential of the caller, used to check whether access to this security token manager client is allowed.
        Throws:
        SecurityTokenException - if unable to access the security token manager client.
      • SecurityTokenManagerClient

        public SecurityTokenManagerClient(String url,
                                          Object credential)
                                   throws SecurityTokenException
        Constructs an instance of SecurityTokenManagerClient that will use the provided URL for the management of security tokens.
        Parameters:
        url - the SecurityTokenManagerClient service URL that will be used to get BinarySecurityToken and SAMLSecurityToken.
        credential - credential of the caller, used to check whether access to this security token manager client is allowed.
        Throws:
        SecurityTokenException - if unable to access the security token manager client.
    • Method Detail

      • setCertAlias

        public void setCertAlias(String certAlias)
                          throws SecurityTokenException
        Sets the alias of the certificate used for issuing WSS tokens, e.g. WSS X509 Token, WSS SAML Token. If the certAlias is never set, a default certificate will be used for issuing WSS tokens.
        Parameters:
        certAlias - String alias name for the certificate.
        Throws:
        SecurityTokenException - if the certificate for the certAlias could not be found in the key store.
      • setCertificate

        public void setCertificate(X509Certificate cert)
                            throws SecurityTokenException
        Sets the certificate used for issuing WSS tokens, e.g. WSS X509 Token, WSS SAML Token. If the certificate is never set, a default certificate will be used for issuing WSS tokens.
        Parameters:
        cert - X509 certificate.
        Throws:
        SecurityTokenException - if the certificate could not be set.
      • getSAMLAuthorizationToken

        public SecurityAssertion getSAMLAuthorizationToken(NameIdentifier senderIdentity,
                                                           SessionContext invocatorSession,
                                                           String resourceID,
                                                           boolean includeAuthN,
                                                           boolean includeResourceAccessStatement,
                                                           String recipientProviderID)
                                                    throws SecurityTokenException,
                                                           SAMLException
        Creates a SAML Assertion for message authorization. The assertion can optionally contain an AuthenticationStatement, which will be used for message authentication.
        Parameters:
        senderIdentity - name identifier of the sender.
        invocatorSession - SessionContext of the invocation identity; it is normally obtained from the credential reference in the SAML AttributeDesignator for the discovery resource offering, which is part of the Liberty ID-FF AuthnResponse.
        resourceID - id for the resource to be accessed.
        includeAuthN - if true, include an AuthenticationStatement in the Assertion, which will be used for message authentication.
        includeResourceAccessStatement - if true, a ResourceAccessStatement will be included in the Assertion (for the AuthorizeRequester directive). If false, a SessionContextStatement will be included in the Assertion (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and AuthenticationSessionContext directives need to be handled, pass "true" here, since the SessionContext is always included in the ResourceAccessStatement.
        recipientProviderID - recipient's provider ID.
        Returns:
        the SecurityAssertion object.
        Throws:
        SecurityTokenException - if the assertion could not be obtained.
        SAMLException - if unable to generate the SAML Assertion.
      • getSAMLAuthorizationToken

        public SecurityAssertion getSAMLAuthorizationToken(NameIdentifier senderIdentity,
                                                           SessionContext invocatorSession,
                                                           EncryptedResourceID encResourceID,
                                                           boolean includeAuthN,
                                                           boolean includeResourceAccessStatement,
                                                           String recipientProviderID)
                                                    throws SecurityTokenException,
                                                           SAMLException
        Creates a SAML Assertion for message authorization. The assertion can optionally contain an AuthenticationStatement, which will be used for message authentication.
        Parameters:
        senderIdentity - name identifier of the sender.
        invocatorSession - SessionContext of the invocation identity; it is normally obtained from the credential reference in the SAML AttributeDesignator for the discovery resource offering, which is part of the Liberty ID-FF AuthnResponse.
        encResourceID - Encrypted ID for the resource to be accessed.
        includeAuthN - if true, include an AuthenticationStatement in the Assertion, which will be used for message authentication.
        includeResourceAccessStatement - if true, a ResourceAccessStatement will be included in the Assertion (for the AuthorizeRequester directive). If false, a SessionContextStatement will be included in the Assertion (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and AuthenticationSessionContext directives need to be handled, pass "true" here, since the SessionContext is always included in the ResourceAccessStatement.
        recipientProviderID - recipient's provider ID.
        Returns:
        the SecurityAssertion object.
        Throws:
        SecurityTokenException - if the assertion could not be obtained.
        SAMLException - if unable to generate the SAML Assertion.
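        As an added example (not code from the OpenAM project or this Javadoc), the following wrapper shows how the two constructors, setCertAlias and both getSAMLAuthorizationToken overloads fit together. The import package paths, the stsUrl/certAlias values and the AuthzTokenIssuer class are assumptions; the NameIdentifier and SessionContext arguments are assumed to come from the caller's existing Liberty ID-WSF flow.

```java
// Added example, not part of OpenAM. Package paths are assumed from the
// OpenAM source tree.
import com.sun.identity.liberty.ws.disco.EncryptedResourceID;
import com.sun.identity.liberty.ws.security.SecurityAssertion;
import com.sun.identity.liberty.ws.security.SecurityTokenException;
import com.sun.identity.liberty.ws.security.SecurityTokenManagerClient;
import com.sun.identity.liberty.ws.security.SessionContext;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.common.SAMLException;

public final class AuthzTokenIssuer {
    // true: embed an AuthenticationStatement so the recipient can authenticate
    // the message, not just authorize it.
    private static final boolean INCLUDE_AUTHN = true;
    // true: ResourceAccessStatement, which also carries the SessionContext and
    // so satisfies both AuthorizeRequester and AuthenticationSessionContext.
    private static final boolean INCLUDE_RAS = true;

    private final SecurityTokenManagerClient client;

    // stsUrl == null selects the default constructor (local if SAML web
    // services run in this JVM, else a configured OpenAM instance); a non-null
    // URL pins the token service endpoint explicitly. Both values hypothetical.
    public AuthzTokenIssuer(String stsUrl, Object callerCredential, String certAlias)
            throws SecurityTokenException {
        client = (stsUrl == null)
                ? new SecurityTokenManagerClient(callerCredential)
                : new SecurityTokenManagerClient(stsUrl, callerCredential);
        // Issue under a named signing certificate instead of the default one;
        // throws SecurityTokenException if the alias is not in the key store.
        client.setCertAlias(certAlias);
    }

    // Clear-text resource ID: String overload.
    public SecurityAssertion issue(NameIdentifier sender, SessionContext session,
                                   String resourceID, String recipientProviderID)
            throws SecurityTokenException, SAMLException {
        return client.getSAMLAuthorizationToken(sender, session, resourceID,
                INCLUDE_AUTHN, INCLUDE_RAS, recipientProviderID);
    }

    // Encrypted resource ID: EncryptedResourceID overload, same flags.
    public SecurityAssertion issue(NameIdentifier sender, SessionContext session,
                                   EncryptedResourceID encResourceID, String recipientProviderID)
            throws SecurityTokenException, SAMLException {
        return client.getSAMLAuthorizationToken(sender, session, encResourceID,
                INCLUDE_AUTHN, INCLUDE_RAS, recipientProviderID);
    }
}
```

Callers should handle SecurityTokenException (access to the token manager or certificate lookup failed) separately from SAMLException (the assertion itself could not be generated), since only the former indicates a configuration or authorization problem with the client.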