/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: SecurityTokenProvider.java,v 1.3 2008/06/25 05:47:21 qcheng Exp $
 *
 */

package com.sun.identity.liberty.ws.security;

import com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
import com.sun.identity.liberty.ws.disco.EncryptedResourceID;
import com.sun.identity.saml.assertion.Assertion;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.common.SAMLException;
import java.security.cert.X509Certificate;

/**
 * Provider interface through which WS-Security (WSS) tokens are issued:
 * X.509 binary security tokens and SAML assertions used for message
 * authentication and authorization in Liberty ID-WSF exchanges.
 *
 * <p>A provider is first {@link #initialize initialized} with the caller's
 * credential and the signature manager that gives it access to the key store
 * and signs the assertions it produces. The signing certificate defaults to a
 * provider-chosen one unless {@link #setCertAlias} or {@link #setCertificate}
 * is called.
 *
 * @supported.all.api
 */
public interface SecurityTokenProvider {

    /**
     * Initializes this provider.
     *
     * @param credential credential of the caller; the provider uses it to
     *        decide whether the caller may obtain tokens from it.
     * @param sigManager XML digital signature manager used to reach the
     *        certificate data store and to digitally sign issued assertions.
     * @throws SecurityTokenException if the caller is not privileged to
     *         access the security authority manager.
     */
    void initialize(Object credential,
        com.sun.identity.saml.xmlsig.XMLSignatureManager sigManager)
        throws SecurityTokenException;

    /**
     * Selects, by key-store alias, the certificate used to issue WSS tokens
     * (WSS X509 Token, WSS SAML Token). When no alias is ever set, a default
     * certificate is used.
     *
     * @param certAlias alias of the certificate in the key store.
     * @throws SecurityTokenException if no certificate with that alias exists
     *         in the key store.
     */
    void setCertAlias(String certAlias) throws SecurityTokenException;

    /**
     * Selects the certificate used to issue WSS tokens (WSS X509 Token,
     * WSS SAML Token). When no certificate is ever set, a default certificate
     * is used.
     *
     * @param cert the certificate to issue tokens with.
     * @throws SecurityTokenException if the certificate cannot be set.
     */
    void setCertificate(X509Certificate cert) throws SecurityTokenException;

    /**
     * Returns the WSS X.509 certificate token for the configured certificate.
     *
     * @return the X.509 certificate token.
     * @throws SecurityTokenException if the token cannot be obtained.
     */
    BinarySecurityToken getX509CertificateToken()
        throws SecurityTokenException;

    /**
     * Creates a SAML assertion for message authentication.
     *
     * @param senderIdentity name identifier of the sender.
     * @return a security assertion wrapping an {@link Assertion} that
     *         contains an {@code AuthenticationStatement}.
     * @throws SecurityTokenException if the assertion cannot be obtained.
     * @throws SAMLException if the underlying SAML assertion cannot be
     *         constructed.
     */
    SecurityAssertion getSAMLAuthenticationToken(NameIdentifier senderIdentity)
        throws SecurityTokenException, SAMLException;

    /**
     * Creates a SAML assertion for message authorization, optionally carrying
     * an {@code AuthenticationStatement} so the same assertion also serves
     * message authentication.
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession session context of the invocation identity;
     *        normally taken from the credential reference in the SAML
     *        {@code AttributeDesignator} of the discovery resource offering
     *        that is part of the Liberty ID-FF {@code AuthnResponse}.
     * @param resourceID identifier of the resource to be accessed.
     * @param includeAuthN {@code true} to include an
     *        {@code AuthenticationStatement} for message authentication;
     *        {@code false} to omit it.
     * @param includeResourceAccessStatement {@code true} to include a
     *        {@code ResourceAccessStatement} (for the {@code AuthorizeRequester}
     *        directive); {@code false} to include a
     *        {@code SessionContextStatement} instead (for the
     *        {@code AuthenticationSessionContext} directive). When both
     *        directives must be satisfied pass {@code true}, since the
     *        session context is always embedded in the
     *        {@code ResourceAccessStatement}.
     * @param recipientProviderID provider ID of the recipient.
     * @return the security assertion.
     * @throws SecurityTokenException if the assertion cannot be obtained.
     * @throws SAMLException if the underlying SAML assertion cannot be
     *         constructed.
     */
    SecurityAssertion getSAMLAuthorizationToken(
        NameIdentifier senderIdentity,
        SessionContext invocatorSession,
        String resourceID,
        boolean includeAuthN,
        boolean includeResourceAccessStatement,
        String recipientProviderID)
        throws SecurityTokenException, SAMLException;

    /**
     * Creates a SAML assertion for message authorization against an encrypted
     * resource identifier, optionally carrying an
     * {@code AuthenticationStatement} so the same assertion also serves
     * message authentication.
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession session context of the invocation identity;
     *        normally taken from the credential reference in the SAML
     *        {@code AttributeDesignator} of the discovery resource offering
     *        that is part of the Liberty ID-FF {@code AuthnResponse}.
     * @param encResourceID encrypted identifier of the resource to be
     *        accessed.
     * @param includeAuthN {@code true} to include an
     *        {@code AuthenticationStatement} for message authentication;
     *        {@code false} to omit it.
     * @param includeResourceAccessStatement {@code true} to include a
     *        {@code ResourceAccessStatement} (for the {@code AuthorizeRequester}
     *        directive); {@code false} to include a
     *        {@code SessionContextStatement} instead (for the
     *        {@code AuthenticationSessionContext} directive). When both
     *        directives must be satisfied pass {@code true}, since the
     *        session context is always embedded in the
     *        {@code ResourceAccessStatement}.
     * @param recipientProviderID provider ID of the recipient.
     * @return the security assertion.
     * @throws SecurityTokenException if the assertion cannot be obtained.
     */
    SecurityAssertion getSAMLAuthorizationToken(
        NameIdentifier senderIdentity,
        SessionContext invocatorSession,
        EncryptedResourceID encResourceID,
        boolean includeAuthN,
        boolean includeResourceAccessStatement,
        String recipientProviderID)
        throws SecurityTokenException;

    /**
     * Creates a SAML assertion whose subject confirmation method is
     * {@code urn:oasis:names:tc:SAML:1.0:cm:bearer}.
     *
     * <p>Bearer confirmation means the assertion is honored for whichever
     * party presents it, with no holder-of-key proof; consumers rely on the
     * assertion's signature and on the transport carrying it to keep the
     * assertion confidential.
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession session context of the invocation identity;
     *        normally taken from the credential reference in the SAML
     *        {@code AttributeDesignator} of the discovery resource offering
     *        that is part of the Liberty ID-FF {@code AuthnResponse}.
     * @param resourceID identifier of the resource to be accessed.
     * @param includeAuthN {@code true} to include an
     *        {@code AuthenticationStatement} for message authentication;
     *        {@code false} to omit it.
     * @param includeResourceAccessStatement {@code true} to include a
     *        {@code ResourceAccessStatement} (for the {@code AuthorizeRequester}
     *        directive); {@code false} to include a
     *        {@code SessionContextStatement} instead (for the
     *        {@code AuthenticationSessionContext} directive). When both
     *        directives must be satisfied pass {@code true}, since the
     *        session context is always embedded in the
     *        {@code ResourceAccessStatement}.
     * @param recipientProviderID provider ID of the recipient.
     * @return the security assertion.
     * @throws SecurityTokenException if the assertion cannot be obtained.
     * @throws SAMLException if the underlying SAML assertion cannot be
     *         constructed.
     */
    SecurityAssertion getSAMLBearerToken(
        NameIdentifier senderIdentity,
        SessionContext invocatorSession,
        String resourceID,
        boolean includeAuthN,
        boolean includeResourceAccessStatement,
        String recipientProviderID)
        throws SecurityTokenException, SAMLException;

    /**
     * Creates a SAML assertion for an encrypted resource identifier whose
     * subject confirmation method is
     * {@code urn:oasis:names:tc:SAML:1.0:cm:bearer}.
     *
     * <p>Bearer confirmation means the assertion is honored for whichever
     * party presents it, with no holder-of-key proof; consumers rely on the
     * assertion's signature and on the transport carrying it to keep the
     * assertion confidential.
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession session context of the invocation identity;
     *        normally taken from the credential reference in the SAML
     *        {@code AttributeDesignator} of the discovery resource offering
     *        that is part of the Liberty ID-FF {@code AuthnResponse}.
     * @param encResourceID encrypted identifier of the resource to be
     *        accessed.
     * @param includeAuthN {@code true} to include an
     *        {@code AuthenticationStatement} for message authentication;
     *        {@code false} to omit it.
     * @param includeResourceAccessStatement {@code true} to include a
     *        {@code ResourceAccessStatement} (for the {@code AuthorizeRequester}
     *        directive); {@code false} to include a
     *        {@code SessionContextStatement} instead (for the
     *        {@code AuthenticationSessionContext} directive). When both
     *        directives must be satisfied pass {@code true}, since the
     *        session context is always embedded in the
     *        {@code ResourceAccessStatement}.
     * @param recipientProviderID provider ID of the recipient.
     * @return the security assertion.
     * @throws SecurityTokenException if the assertion cannot be obtained.
     */
    SecurityAssertion getSAMLBearerToken(
        NameIdentifier senderIdentity,
        SessionContext invocatorSession,
        EncryptedResourceID encResourceID,
        boolean includeAuthN,
        boolean includeResourceAccessStatement,
        String recipientProviderID)
        throws SecurityTokenException;
}