/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

/**
 * The class <code>LibSecurityTokenProvider</code> is a default
 * implementation for <code>SecurityTokenProvider</code>.
 */

    // default certificate for the WSC
    "com.sun.identity.liberty.ws.wsc.certalias";

    // cert alias for trusted authority, this is used for SAML token signing
    "com.sun.identity.liberty.ws.ta.certalias";

    "com.sun.identity.liberty.ws.security.keyinfotype";

    /**
     * Key name for the webservices security attribute mapper.
     */
    "com.sun.identity.liberty.ws.attributeplugin";

    /**
     * Initializes the <code>LibSecurityTokenProvider</code>.
     *
     * @param credential The credential of the caller used to see if
     *        access to this security token provider is allowed
     * @param sigManager XMLSignatureManager instance of XML digital
     *        signature manager class, used for accessing the certificate
     *        datastore and digital signing of the assertion.
     * @throws SecurityTokenException if the caller does not have
     *         privilege to access the security authority manager
     */
        // check null for signature manager
        // TODO : privilege checking for the ssoToken, how??
        // maybe a relation between the principal of the SSO and the
        // certificate? super admin shall be allowed without checking

    /**
     * Sets the alias of the certificate used for issuing WSS tokens, i.e.
     * WSS X509 Token, WSS SAML Token.
     * If the certAlias is never set, a default certificate will
     * be used for issuing WSS tokens.
     *
     * @param certAlias String alias name for the certificate
     */

    /**
     * Sets the certificate used for issuing WSS tokens, i.e.
     * WSS X509 Token, WSS SAML Token.
     * If the certificate is never set, a default certificate will
     * be used for issuing WSS tokens.
     *
     * @param cert X509 certificate
     * @throws SecurityTokenException if the cert alias could not be obtained
     *         from the corresponding Certificate.
     */

    /**
     * Gets the X509 certificate from the key store based on the certAlias.
     *
     * @return the <code>X509Certificate</code> in the keystore.
     * @throws SecurityTokenException if there is an error retrieving
     */
        // retrieve default certAlias from properties
        // retrieve the cert from the keystore
        // the cert does not exist in the keystore

    /**
     * Gets the X509 certificate Token.
     *
     * @return the BinarySecurityToken object.
     * @throws SecurityTokenException if the token could not be obtained.
     */
        // return base 64 encoded binary & X509v3

    /**
     * Creates a SAML Assertion for message authentication.
     *
     * @param senderIdentity name identifier of the sender.
     * @return Assertion which contains an AuthenticationStatement
     * @throws SecurityTokenException if the assertion could not be obtained
     */

    /**
     * Creates a SAML Assertion for message authorization; the assertion could
     * optionally contain an AuthenticationStatement which will be used for
     * message authentication.
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession SessionContext of the invocation identity, it
     *        is normally obtained by the credential reference in
     *        the SAML AttributeDesignator for discovery resource
     *        offering which is part of the liberty ID-FF
     * @param resourceID id for the resource to be accessed.
     * @param includeAuthN if true, include an AuthenticationStatement in
     *        the Assertion which will be used for message
     *        authentication. If false, no AuthenticationStatement
     * @param includeResourceAccessStatement if true, a ResourceAccessStatement
     *        will be included in the Assertion (for
     *        AuthorizeRequester directive). If false, a
     *        SessionContextStatement will be included in the
     *        Assertion (for AuthenticationSessionContext directive).
     *        In the case when both AuthorizeRequester and
     *        AuthenticationSessionContext directives need to be
     *        handled, use "true" as the parameter here since the
     *        SessionContext will always be included in the
     *        ResourceAccessStatement.
     * @param recipientProviderID recipient's provider ID.
     * @return the <code>Assertion</code> object.
     * @throws SecurityTokenException if the assertion could not be obtained.
     */

    /**
     * Creates a SAML Assertion for message authorization; the assertion could
     * optionally contain an AuthenticationStatement which will be used for
     * message authentication.
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession SessionContext of the invocation identity, it
     *        is normally obtained by the credential reference in the
     *        SAML AttributeDesignator for discovery resource offering
     *        which is part of the liberty ID-FF AuthenResponse.
     * @param encResourceID Encrypted ID for the resource to be accessed.
     * @param includeAuthN if true, include an AuthenticationStatement in the
     *        Assertion which will be used for message authentication.
     *        If false, no AuthenticationStatement will be included.
     * @param includeResourceAccessStatement if true, a ResourceAccessStatement
     *        will be included in the Assertion (for
     *        AuthorizeRequester directive). If false, a
     *        SessionContextStatement will be included in the
     *        Assertion (for AuthenticationSessionContext directive).
     *        In the case when both AuthorizeRequester and
     *        AuthenticationSessionContext directives need to be
     *        handled, use "true" as the parameter here since the
     *        SessionContext will always be included in the
     *        ResourceAccessStatement.
     * @param recipientProviderID recipient's provider ID.
     * @return the <code>Assertion</code> object
     * @throws SecurityTokenException if the assertion could not be obtained
     */

    /**
     * Creates a SAML assertion. The confirmationMethod will be set to
     * "urn:oasis:names:tc:SAML:1.0:cm:bearer".
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession SessionContext of the invocation identity, it
     *        is normally obtained by the credential reference in the
     *        SAML AttributeDesignator for discovery resource
     *        offering which is part of the liberty ID-FF
     * @param resourceID id for the resource to be accessed.
     * @param includeAuthN if true, include an AuthenticationStatement in the
     *        Assertion which will be used for message
     *        authentication. If false, no AuthenticationStatement
     * @param includeResourceAccessStatement if true, a ResourceAccessStatement
     *        will be included in the Assertion (for
     *        AuthorizeRequester directive). If false, a
     *        SessionContextStatement will be included in the
     *        Assertion (for AuthenticationSessionContext directive).
     *        In the case when both AuthorizeRequester and
     *        AuthenticationSessionContext directives need to be
     *        handled, use "true" as the parameter here since the
     *        SessionContext will always be included in the
     *        ResourceAccessStatement.
     * @param recipientProviderID recipient's provider ID.
     * @return the <code>SecurityAssertion</code>
     * @throws SecurityTokenException if the assertion could not be obtained
     */

    /**
     * Creates a SAML assertion. The confirmationMethod will be set to
     * "urn:oasis:names:tc:SAML:1.0:cm:bearer".
     *
     * @param senderIdentity name identifier of the sender.
     * @param invocatorSession SessionContext of the invocation identity, it
     *        is normally obtained by the credential reference in the
     *        SAML AttributeDesignator for discovery resource
     *        offering which is part of the liberty ID-FF
     * @param encResourceID Encrypted ID for the resource to be accessed.
     * @param includeAuthN if true, include an AuthenticationStatement in the
     *        Assertion which will be used for message
     *        authentication. If false, no AuthenticationStatement
     * @param includeResourceAccessStatement if true, a ResourceAccessStatement
     *        will be included in the Assertion (for
     *        AuthorizeRequester directive). If false, a
     *        SessionContextStatement will be included in the
     *        Assertion (for AuthenticationSessionContext directive).
     *        In the case when both AuthorizeRequester and
     *        AuthenticationSessionContext directives need to be
     *        handled, use "true" as the parameter here since the
     *        SessionContext will always be included in the
     *        ResourceAccessStatement.
     * @param recipientProviderID recipient's provider ID.
     * @return the <code>Assertion</code> object.
     * @throws SecurityTokenException if the assertion could not be obtained
     */

    /**
     * Returns the Security Assertion.
     */
            "LibSecurityTokenProvider.getSAMLToken:senderIdentity is null");
        // make sure the statements are not empty
        debug.error("getSAMLAuthorizationToken: SAML statement should " +
        // Check for the attribute statements.

    /**
     * Creates an Authentication Statement for the name identifier.
     */
        debug.error("createAuthenticationStatement: ", e);

    /**
     * Creates a <code>ResourceAccessStatement</code> object.
     */
            "createResourceAccessStatement: resourceID class = " +
            "createResourceAccessStatement: ras = " + ras);
        debug.error("createResourceAccessStatement: ", e);

    /**
     * Returns a list of Subjects.
     */

    /**
     * Creates the <code>SessionContextStatement</code> object.
     */
        debug.error("createSessionContextStatement: ", e);

    /**
     * Creates a <code>ProxySubject</code> object.
     */

    /**
     * Returns the <code>KeyInfo</code> object as a Document Element.
     */
            // put Certificate in KeyInfo
        } else {
            // put public key in KeyInfo
        }
        debug.error("getAttributePlugin: Exception", ex);
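The two operations the comments above describe, fetching the issuing certificate by alias from the keystore (failing when the alias is absent) and emitting a KeyInfo that carries either the whole certificate or only its public key, are shown below as an added, stand-alone Java example. It is not OpenSSO code and uses only the JDK's KeyStore and XML Digital Signature APIs; the keystore path, password and alias are supplied on the command line, the class name KeyInfoExample, the method names and the "certificate"/"publickey" values for the keyinfotype property are assumptions (the page shows only the property key).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Added example (not OpenSSO code): look up an issuing certificate by alias
 * and build a ds:KeyInfo carrying either the certificate or only its public key.
 */
public class KeyInfoExample {

    // Property key taken from the page; the accepted values are assumed here.
    static final String KEYINFO_TYPE_PROPERTY =
            "com.sun.identity.liberty.ws.security.keyinfotype";

    /**
     * Retrieves the X.509 certificate for certAlias from the keystore.
     * Fails closed: a missing alias is an error, never a null signer.
     */
    static X509Certificate getX509Certificate(KeyStore ks, String certAlias)
            throws Exception {
        if (certAlias == null || certAlias.isEmpty()) {
            throw new IllegalArgumentException("certAlias must be set");
        }
        Certificate cert = ks.getCertificate(certAlias); // null when the alias is absent
        if (!(cert instanceof X509Certificate)) {
            throw new IllegalStateException("no X.509 certificate for alias " + certAlias);
        }
        return (X509Certificate) cert;
    }

    /**
     * Builds the KeyInfo element. Embedding the certificate (X509Data) lets the
     * recipient validate the signer's chain; embedding only the public key
     * (KeyValue) means the recipient must already trust that key out of band.
     */
    static Element getKeyInfo(X509Certificate cert, String keyInfoType) throws Exception {
        KeyInfoFactory kif = KeyInfoFactory.getInstance("DOM");
        KeyInfo keyInfo;
        if (!"publickey".equalsIgnoreCase(keyInfoType)) {
            // put Certificate in KeyInfo (default branch)
            X509Data x509Data = kif.newX509Data(Collections.singletonList(cert));
            keyInfo = kif.newKeyInfo(Collections.singletonList(x509Data));
        } else {
            // put public key in KeyInfo; newKeyValue throws KeyException for unsupported key types
            KeyValue keyValue = kif.newKeyValue(cert.getPublicKey());
            keyInfo = kif.newKeyInfo(Collections.singletonList(keyValue));
        }
        // Marshal into a scratch document and hand back the ds:KeyInfo element.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element holder = doc.createElement("holder");
        doc.appendChild(holder);
        keyInfo.marshal(new DOMStructure(holder), null);
        return (Element) holder.getFirstChild();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: <keystore path> <keystore password> <cert alias>
        String ksPath = args[0], ksPassword = args[1], alias = args[2];
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPassword.toCharArray());
        }
        X509Certificate cert = getX509Certificate(ks, alias);
        String type = System.getProperty(KEYINFO_TYPE_PROPERTY, "certificate");
        Element ki = getKeyInfo(cert, type);
        System.out.println(ki.getTagName() + " with "
                + ki.getChildNodes().getLength() + " child element(s)");
    }
}
```

Run it with `-Dcom.sun.identity.liberty.ws.security.keyinfotype=publickey` to exercise the KeyValue branch; with no property set it emits X509Data. The explicit `instanceof` check is what turns the keystore's silent null for an unknown alias into a hard failure, which is the behaviour the "cert does not exist in the keystore" comment above calls for.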