Class OpenAMSessionTokenServerInterceptor

  • All Implemented Interfaces:
    org.apache.cxf.binding.soap.interceptor.SoapInterceptor, org.apache.cxf.interceptor.Interceptor<org.apache.cxf.binding.soap.SoapMessage>, org.apache.cxf.phase.PhaseInterceptor<org.apache.cxf.binding.soap.SoapMessage>

    public class OpenAMSessionTokenServerInterceptor
    extends AbstractOpenAMSessionTokenInterceptor
    The custom AbstractTokenInterceptor deployed with published soap-sts instances. It is responsible for validating the OpenAMSessionToken assertions, and for communicating to the Apache Neethi SecurityPolicy runtime that the relevant assertions have been fulfilled. Implementation modeled after org.apache.cxf.ws.security.wss4j.SamlTokenInterceptor.
    • Method Summary

      Modifier and Type Method Description
      protected void addToken​(org.apache.cxf.binding.soap.SoapMessage message)
      This method is called on the outbound client side, secure-request in JASPI terms.
      protected org.apache.wss4j.policy.model.AbstractToken assertTokens​(org.apache.cxf.binding.soap.SoapMessage message)
      Called to assert the relevant tokens.
      protected void processToken​(org.apache.cxf.binding.soap.SoapMessage message)
      This method is called in-bound on the server-side - validate-request in JASPI terms.
      • Methods inherited from class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor

        assertTokens, findSecurityHeader, getPassword, getTokenStore, getUnderstoodHeaders, policyNotAsserted, policyNotAsserted
      • Methods inherited from class org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor

        getFaultCodePrefix, getRoles, prepareStackTrace
      • Methods inherited from class org.apache.cxf.phase.AbstractPhaseInterceptor

        addAfter, addAfter, addBefore, addBefore, getAdditionalInterceptors, getAfter, getBefore, getId, getPhase, handleFault, isGET, isRequestor, setAfter, setBefore
      • Methods inherited from interface org.apache.cxf.interceptor.Interceptor

        handleFault
    • Method Detail

      • processToken

        protected void processToken​(org.apache.cxf.binding.soap.SoapMessage message)
                             throws org.apache.cxf.interceptor.Fault
        This method is called in-bound on the server-side - validate-request in JASPI terms. The method must validate the OpenAM session id with OpenAM, and, if validation is successful, populate the wss4j results with state corresponding to the token validation. It will also assert the relevant tokens, that is, affirm that the assertions corresponding to the OpenAMSessionToken have been successfully fulfilled.
        Specified by:
        processToken in class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor
        Parameters:
        message - The message encapsulating the soap invocation.
        Throws:
        org.apache.cxf.interceptor.Fault - if the OpenAM session in the BinarySecurityToken is invalid.
      • addToken

        protected void addToken​(org.apache.cxf.binding.soap.SoapMessage message)
        This method is called on the outbound client side, secure-request in JASPI terms. In the OpenAMSessionTokenClientInterceptor, this method will add the OpenAMSessionAssertion state to the message, but in the server-side interceptor, this method should never be called.
        Specified by:
        addToken in class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor
        Parameters:
        message - the encapsulation of the soap request.
      • assertTokens

        protected org.apache.wss4j.policy.model.AbstractToken assertTokens​(org.apache.cxf.binding.soap.SoapMessage message)
        Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been satisfied. This method is called outbound on the server-side, and inbound on the client side. It is also called from processToken (above), following successful token validation. This method will assert that the OpenAMSessionAssertion has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken). If TLS is being used in the invocation, it also asserts that the TransportPolicy has been satisfied, because the OpenAMSessionToken SecurityPolicy binding is always deployed either as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken) or as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding, so asserting the TransportToken will assert the TransportPolicy.
        Specified by:
        assertTokens in class org.apache.cxf.ws.security.wss4j.AbstractTokenInterceptor
        Parameters:
        message - The SoapMessage defining the invocation.
        Returns:
        The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting soap-sts instances.
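The assertion pattern described for assertTokens, as an added example that is not the soap-sts source. It uses the CXF AssertionInfoMap and the wss4j SP12Constants QNames, and assumes a WS-SecurityPolicy 1.2 policy, the presence of TLSSessionInfo on the message as the TLS signal, and a placeholder QName for the OpenAMSessionAssertion (its real name is not given on this page); the class and method names are hypothetical.

```java
import java.util.Collection;
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.wss4j.policy.SP12Constants;

/** Illustration only: marks policy assertions as fulfilled after token validation. */
public final class SessionTokenPolicyAsserter {

    // Placeholder QName (assumption): substitute the real OpenAMSessionAssertion name.
    static final QName SESSION_ASSERTION =
            new QName("urn:example:placeholder", "OpenAMSessionAssertion");

    private SessionTokenPolicyAsserter() { }

    /** Marks every AssertionInfo registered under the given name as asserted. */
    static boolean markAsserted(AssertionInfoMap aim, QName name) {
        Collection<AssertionInfo> infos = aim.get(name);
        if (infos == null || infos.isEmpty()) {
            return false; // the effective policy does not contain this assertion
        }
        for (AssertionInfo info : infos) {
            info.setAsserted(true);
        }
        return true;
    }

    /** Call only after the session id has been validated successfully. */
    static void assertAfterValidation(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (aim == null) {
            return; // no policy attached to this exchange, nothing to assert
        }
        markAsserted(aim, SESSION_ASSERTION);
        markAsserted(aim, SP12Constants.SUPPORTING_TOKENS);
        // Assert the TransportToken only when the request really arrived over TLS.
        // If the policy demands a Transport binding and the call was plaintext,
        // the assertion stays unasserted and policy verification rejects the call.
        if (message.get(TLSSessionInfo.class) != null) {
            markAsserted(aim, SP12Constants.TRANSPORT_TOKEN);
        }
    }
}
```

Leaving an assertion unasserted is the safe default: CXF's policy verification faults the request when the effective policy contains assertions that no interceptor has marked as fulfilled.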