Package org.forgerock.openam.sts.soap.token.validator

Token validation occurs in three contexts in the sts: 1. soap-sts SecurityPolicy binding enforcement: here a org.apache.ws.security.validate.Validator implementation must be plugged-into the cxf wss4j runtime to validate tokens of a particular type 2. soap-sts token validation: org.apache.cxf.sts.token.validator.TokenValidator implementations are responsible for validating tokens as part of the WS-Trust defined Validate operation, and as part of delegated tokens (ActAs/OnBehalfOf) tokens encapsulated in the RequestSecurityToken request targeting the WS-Trust defined issue operation.

See: Description

Class Summary

Class	Description
SimpleOpenIdConnectTokenValidator	TokenValidator implementation for OpenIdConnect tokens issued by the sts.
SimpleSAML2TokenValidator	TokenValidator implementation for SAML2 tokens issued by the sts.
SimpleTokenValidatorBase	Base class for the TokenValidator instances plugged into the TokenValidateOperation.
SoapAMTokenValidator	Instances of this class will be deployed in a published soap-sts instance when the soap-sts instance is configured to support delegated token relationships (ActAs/OnBehalfOf) and OpenAM token types are configured as one of the validated delegated token types.

Package org.forgerock.openam.sts.soap.token.validator Description

Token validation occurs in three contexts in the sts: 1. soap-sts SecurityPolicy binding enforcement: here a org.apache.ws.security.validate.Validator implementation must be plugged-into the cxf wss4j runtime to validate tokens of a particular type 2. soap-sts token validation: org.apache.cxf.sts.token.validator.TokenValidator implementations are responsible for validating tokens as part of the WS-Trust defined Validate operation, and as part of delegated tokens (ActAs/OnBehalfOf) tokens encapsulated in the RequestSecurityToken request targeting the WS-Trust defined issue operation. Note that the org.apache.cxf.sts.token.validator.TokenValidator implementations will commonly delegate actual token validation to wss4j org.apache.ws.security.validate.Validator implementations. 3. rest-sts token validation: org.forgerock.openam.sts.rest.RestTokenValidator implementations which validate the input token specified in a token transformation (current implementation), and the input token specified in a validate operation (future feature). In all three cases, the org.forgerock.openam.sts.token.validator.AuthenticationHandler<T>, where T is a particular token type, are plugged into all three contexts to actual perform the token validation against the OpenAM rest authN context. Each sts instance is published with AuthTargetMapping instances, which specify the rest authN target for each supported token type. The act of consuming the OpenAM rest authN context boils down to 1. obtaining the appropriate rest authN url, using the AuthTargetMapping state for the sts instance, functionality defined in the org.forgerock.openam.sts.token.validator.url package and 2. actually POSTing the token state against the rest authN url, functionality defined by the org.forgerock.openam.sts.token.validator.disp.TokenAuthenticationRequestDispatcher<T> interface. Implementations of this interface know how to post specific token state against the rest authN url. Thus, in all three cases, the org.forgerock.openam.sts.token.validator.AuthenticationHandler<T>, org.forgerock.openam.sts.token.validator.disp.TokenAuthenticationRequestDispatcher<T> are bound for the set of supported token types, and plugged-in as the ultimate foundation of token validation in all three contexts. The org.forgerock.openam.sts.token.validator.AuthenticationHandler<T> interface specifies that the OpenAM session id corresponding to the successfully-authentication token be returned, as it will be referenced by all token providers to form the basis of the subject of any to-be-generated token, as well as the basis for any attributes included in the to-be-generated token. The classes in this package are the interfaces and implementations specific to the soap-sts context.