org.forgerock.openam.sts.soap.policy.am

Class OpenAMSessionTokenServerInterceptor

java.lang.Object

org.apache.cxf.phase.AbstractPhaseInterceptor<org.apache.cxf.binding.soap.SoapMessage>

org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor

org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor

org.forgerock.openam.sts.soap.policy.am.AbstractOpenAMSessionTokenInterceptor

org.forgerock.openam.sts.soap.policy.am.OpenAMSessionTokenServerInterceptor

All Implemented Interfaces:

org.apache.cxf.binding.soap.interceptor.SoapInterceptor, org.apache.cxf.interceptor.Interceptor<org.apache.cxf.binding.soap.SoapMessage>, org.apache.cxf.phase.PhaseInterceptor<org.apache.cxf.binding.soap.SoapMessage>

public class OpenAMSessionTokenServerInterceptor
extends AbstractOpenAMSessionTokenInterceptor

The custom AbstractTokenInterceptor deployed with published soap-sts instances. It is responsible for validating the OpenAMSessionToken assertions, and communicating the the apache Neethi SecurityPolicy runtime that the relevant assertions have been fulfilled. Implementation modeled after org.apache.cxf.ws.security.wss4j.SamlTokenInterceptor.

Method Summary

Modifier and Type	Method and Description
protected void	addToken(org.apache.cxf.binding.soap.SoapMessage message) This method is called on the outbound client side, secure-request in JASPI terms.
protected org.apache.cxf.ws.security.policy.model.Token	assertTokens(org.apache.cxf.binding.soap.SoapMessage message) Called to assert the relevant tokens.
protected void	processToken(org.apache.cxf.binding.soap.SoapMessage message) This method is called in-bound on the server-side - validate-request in JASPI terms.

Methods inherited from class org.forgerock.openam.sts.soap.policy.am.AbstractOpenAMSessionTokenInterceptor

handleMessage, isTLSInUse

Methods inherited from class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor

assertTokens, findSecurityHeader, getCallback, getPassword, getTokenStore, getUnderstoodHeaders, policyNotAsserted, policyNotAsserted

Methods inherited from class org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor

getFaultCodePrefix, getRoles, prepareStackTrace

Methods inherited from class org.apache.cxf.phase.AbstractPhaseInterceptor

addAfter, addAfter, addBefore, addBefore, getAdditionalInterceptors, getAfter, getBefore, getId, getPhase, handleFault, isGET, isRequestor, setAfter, setBefore

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.cxf.interceptor.Interceptor

handleFault

Method Detail

processToken

protected void processToken(org.apache.cxf.binding.soap.SoapMessage message)
                     throws org.apache.cxf.interceptor.Fault

This method is called in-bound on the server-side - validate-request in JASPI terms. The method must validate the OpenAM session id with OpenAM, and, if validation is successful, populate the wss4j results with state corresponding to the token validation. It will also assert the relevant tokens, which means affirm that the assertions corresponding to the OpenAMSessionToken have been successfully fulfilled.

Specified by:

processToken in class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor

Parameters:

message - The message encapsulating the soap invocation.

Throws:

org.apache.cxf.interceptor.Fault - if the OpenAM session in the BinarySecurityToken in invalid.

addToken

protected void addToken(org.apache.cxf.binding.soap.SoapMessage message)

This method is called on the outbound client side, secure-request in JASPI terms. In the OpenAMSessionTokenClientInterceptor, this method will add the OpenAMSessionAssertion state to the message, but in the server-side interceptor, this method should never be called.

Specified by:

addToken in class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor

Parameters:

message - the encapsulation of the soap request.

assertTokens

protected org.apache.cxf.ws.security.policy.model.Token assertTokens(org.apache.cxf.binding.soap.SoapMessage message)

Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been satisfied. This method is called outbound on the server-side, and inbound on the client side. It is also called from processTokenAbove, following successful token validation. This method will assert that the OpenAMSessionAssertion has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken), and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding, so asserting the TransportToken will assert the TransportPolicy.

Specified by:

assertTokens in class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor

Parameters:

message - The SoapMessage defining the invocation.

Returns:

The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting soap-sts instances.