Package org.forgerock.openam.sts.rest.token.validator

Token validation occurs in three contexts in the sts: 1. soap-sts SecurityPolicy binding enforcement: here a org.apache.ws.security.validate.Validator implementation must be plugged-into the cxf wss4j runtime to validate tokens of a particular type 2. soap-sts token validation: org.apache.cxf.sts.token.validator.TokenValidator implementations are responsible for validating tokens as part of the WS-Trust defined Validate operation, and as part of delegated tokens (ActAs/OnBehalfOf) tokens encapsulated in the RequestSecurityToken request targeting the WS-Trust defined issue operation.

See: Description

Interface Summary

Interface	Description
RestIssuedTokenValidator<T>	Inteface defining the concerns of validating tokens issued by the rest-sts.
RestIssuedTokenValidatorParameters<T>	Defines the parameters passed to RestIssuedTokenValidator#validateToken invocations.
RestTokenTransformValidator<T>	Defines the contract for token validators deployed in the context of token transformation.
RestTokenTransformValidatorParameters<T>	Defines the parameter state which needs to be passed to the RestTokenTransformValidator#validateToken instances.

Class Summary

Class	Description
OpenIdConnectIdTokenTransformValidator	The RestTokenTransformValidator implementation responsible for dispatching OpenID Connect ID Tokens to the OpenAM Rest authN context.
RestAMTokenTransformValidator	Validates OpenAM session tokens in the rest context.
RestCertificateTokenTransformValidator	This class is a RestTokenTransformValidator responsible for validating X509 Certificates.
RestOpenIdConnectIssuedTokenValidator	Responsible for validating the OpenIdConnectTokens issued by the sts.
RestSAML2IssuedTokenValidator	RestIssuedTokenValidator implementation responsible for validating SAML2 assertions issued by the rest-sts.
RestTokenTransformValidatorResult	Class defining state returned a successful invocation of RestTokenTransformValidator#validateToken (failed validation will throw a TokenValidationException).
RestUsernameTokenTransformValidator	Responsible for validating RestUsernameToken instances, which is simply a combination.

Package org.forgerock.openam.sts.rest.token.validator Description

Token validation occurs in three contexts in the sts: 1. soap-sts SecurityPolicy binding enforcement: here a org.apache.ws.security.validate.Validator implementation must be plugged-into the cxf wss4j runtime to validate tokens of a particular type 2. soap-sts token validation: org.apache.cxf.sts.token.validator.TokenValidator implementations are responsible for validating tokens as part of the WS-Trust defined Validate operation, and as part of delegated tokens (ActAs/OnBehalfOf) tokens encapsulated in the RequestSecurityToken request targeting the WS-Trust defined issue operation. Note that the org.apache.cxf.sts.token.validator.TokenValidator implementations will commonly delegate actual token validation to wss4j org.apache.ws.security.validate.Validator implementations. 3. rest-sts token validation: org.forgerock.openam.sts.rest.RestTokenTransformValidator implementations which validate the input token specified in a token transformation (current implementation), and the input token specified in a validate operation (future feature). In all three cases, the org.forgerock.openam.sts.token.validator.AuthenticationHandler<T>, where T is a particular token type, are plugged into all three contexts to actual perform the token validation against the OpenAM rest authN context. Each sts instance is published with AuthTargetMapping instances, which specify the rest authN target for each supported token type. The act of consuming the OpenAM rest authN context boils down to 1. obtaining the appropriate rest authN url, using the AuthTargetMapping state for the sts instance, functionality defined in the org.forgerock.openam.sts.token.validator.url package and 2. actually POSTing the token state against the rest authN url, functionality defined by the org.forgerock.openam.sts.token.validator.disp.TokenAuthenticationRequestDispatcher<T> interface. Implementations of this interface know how to post specific token state against the rest authN url. Thus, in all three cases, the org.forgerock.openam.sts.token.validator.AuthenticationHandler<T>, org.forgerock.openam.sts.token.validator.disp.TokenAuthenticationRequestDispatcher<T> are bound for the set of supported token types, and plugged-in as the ultimate foundation of token validation in all three contexts. The org.forgerock.openam.sts.token.validator.AuthenticationHandler<T> interface specifies that the OpenAM session id corresponding to the successfully-authentication token be returned, as it will be referenced by all token providers to form the basis of the subject of any to-be-generated token, as well as the basis for any attributes included in the to-be-generated token. The classes in this package are the interfaces and implementations specific to the rest-sts context.