/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: SecurityTokenManagerClient.java,v 1.9 2008/08/19 19:11:09 veiming Exp $
*
* Portions Copyright 2013-2015 ForgeRock AS.
*/
/**
* The class <code>SecurityTokenManagerClient</code> is a <code>final</code>
* class that provides interfaces to create, get and destroy
* <code>Assertion</code>s.
* <p>
* The class provides mechanisms to manage the <code>Assertion</code>s either
* locally (i.e., within the same JVM process) or remotely on another instance
of OpenAM. The default constructor will manage the <code>
* Assertion</code>s locally if it detects SAML web services running locally,
* and otherwise will use one of the configured OpenAM instances. The
* constructor which accepts a <code>URL</code> will always use that URL to
* manage the assertions.
* <p>
* Having obtained an instance of <code>AssertionManagerClient</code>, its
* methods can be called to create or get an <code>Assertion</code> and an
* <code>AssertionArtifact</code>, and to obtain a decision from a
* <code>Query</code>.
*
* @supported.api
*/
public final class SecurityTokenManagerClient {
// NOTE(review): this listing is incomplete — method signatures, several field
// declarations and a number of statements are absent (e.g. bodies that begin
// at a bare "throws" clause). The comments below describe only what is
// visible; confirm every note against the full source before relying on it.
// Service name in naming
// Flag to determine if AssertionManager is local or remote
// NOTE(review): both flags are plain (non-volatile) statics written from the
// default constructor; if two threads construct the first instance at the
// same time they may race on them — confirm whether first construction is
// single-threaded, otherwise consider a holder/synchronized initialisation.
private static boolean checkedForLocal;
private static boolean isLocal;
// Per-instance copy of the decision: true -> call SecurityTokenManager
// directly, false -> go through the remote stub.
private boolean useLocal;
// Remote JAX-RPC server for objects that use default constructor
// If local pointer to SecurityTokenManager instance
// JAX-RPC remote stub
/**
* Returns an instance of <code>SecurityTokenManagerClient</code>
*
* @param credential credential of the caller used to see
* if access to this security token manager client is allowed.
* @throws SecurityTokenException if unable to access
* the security token manager client.
*/
throws SecurityTokenException {
// Local/remote detection runs once per JVM and is cached in the static
// flags; every later instance reuses the cached answer.
if (!checkedForLocal) {
try {
// Construct the URL for local server.
if (SecurityTokenManagerImpl.isLocal) {
isLocal = true;
"STMC(): Using local service");
}
checkedForLocal = true;
} catch (Exception e) {
// checkedForLocal is set even on failure, so a transient error during
// detection is never retried for the life of the JVM.
checkedForLocal = true;
"SecurityTokenManagerClient()Exception", e);
}
// NOTE(review): only e.getMessage() survives — the original cause is
// dropped; the same pattern recurs in every remote branch of this class.
throw (new SecurityTokenException(e.getMessage()));
}
}
if (isLocal) {
useLocal = true;
} else {
// Use the remoteStub if set
// Presumably remoteStub is filled in by the server-lookup routine below
// (its log tags read "STMC:getRemoteStub") — TODO confirm.
stub = remoteStub;
try {
ssoToken =
} catch (Exception e) {
"SecurityTokenManagerClient()Exception", e);
}
throw (new SecurityTokenException(e.getMessage()));
}
}
}
/**
* Returns an instance of <code>SecurityTokenManagerClient</code>
* that will use the provided <code>URL</code> for the management
* of security tokens.
*
* @param url the <code>SecurityTokenManagerClient</code> service URL that
* will be used to get <code>BinarySecurityToken</code> and
* <code>SAMLSecurityToken</code>.
* @param credential credential of the caller used to see
* if access to this security token manager client is allowed.
* @throws SecurityTokenException if unable to access
* the security token manager client.
*/
throws SecurityTokenException {
try {
// Construct the JAX-RPC stub and set the URL endpoint
// The URL form never consults the local/remote detection above.
useLocal = false;
} catch (Exception e) {
}
// Cause dropped here as well; only the message is propagated.
throw (new SecurityTokenException(e.getMessage()));
}
}
// Private method to get the service endpoint URL
// Obtain the URL for the service endpoint
"SecurityTokenManagerClient with URL: " + iurl);
}
// Wraps the endpoint URL(s) in a SOAPClient for the remote calls.
return new SOAPClient(urls);
}
// Locates a responding platform server and returns the shared remote stub.
// NOTE(review): the per-server loop header and the lines that populate
// remoteStub are not visible in this listing.
throws SecurityTokenException {
boolean foundServer = false;
try {
// Get the list of platform servers
// Get a server that is responding
// Check if the server is active
try {
// this call will throw an exception if server is down
"STMC(): Using the remote URL: " + u.toString());
}
// First server that answers wins; the others are not contacted.
foundServer = true;
"STMC:getRemoteStub: remote server being used: "
+ u.toString());
}
} catch (Exception e) {
// Remember the most recent failure so it can be reported if no
// server responds at all.
ee = e;
"STMC:getRemoteStub: server (" +
u.toString() + ") error: ", e);
}
}
}
} catch (Exception f) {
ee = f;
"STMC:getRemoteStub: generic error: ", f);
}
}
// NOTE(review): as printed, the throw sits in the else-branch, i.e. when a
// server WAS found; that reads inverted and is most likely an artefact of
// missing lines — verify against the full source.
if (!foundServer) {
// No valid server found. Return the last exception
} else {
throw (new SecurityTokenException(
}
}
return (remoteStub);
}
/**
* Sets the alias of the certificate used for issuing <code>WSS</code>
* token, i.e. <code>WSS</code> <code>X509</code> Token, <code>WSS</code>
* SAML Token. If the <code>certAlias</code> is never set, a default
* certificate will be used for issuing <code>WSS</code> tokens.
*
* @param certAlias String alias name for the certificate.
* @throws SecurityTokenException if certificate for the
* <code>certAlias</code> could not be found in key store.
*
* @supported.api
*/
throws SecurityTokenException {
if (useLocal) {
// Local delegation (statement not visible in this listing).
} else {
try {
} catch (Exception e) {
"STMC:setCertAlias()", e);
}
throw (new SecurityTokenException(e.getMessage()));
}
}
}
/**
* Sets the certificate used for issuing <code>WSS</code> token, i.e.
* <code>WSS</code> <code>X509</code> Token, <code>WSS</code> SAML Token.
* If the certificate is never set, a default certificate will
* be used for issuing <code>WSS</code> tokens.
*
* @param cert <code>X509</code> certificate
* @throws SecurityTokenException if the certificate could not be set.
*/
throws SecurityTokenException {
if (useLocal) {
} else {
try {
} catch (Exception e) {
"STMC:setCertificate()", e);
}
throw (new SecurityTokenException(e.getMessage()));
}
}
}
/**
* Gets the <code>X509</code> certificate Token.
*
* @return <code>X509</code> certificate Token.
* @throws SecurityTokenException if the binary security token could
* not be obtained.
*/
throws SecurityTokenException {
if (useLocal) {
return securityTokenManager.getX509CertificateToken();
}
try {
// Remote path: the caller's ssoToken is sent along with the request.
// NOTE(review): that token is a bearer credential; whether it is
// protected in transit depends on the endpoint URL chosen above (TLS
// or not) — confirm endpoint selection enforces HTTPS.
ssoToken);
} catch (Exception e) {
"STMC:getX509CertificateToken()", e);
}
throw (new SecurityTokenException(e.getMessage()));
}
}
/**
* Creates a SAML Assertion for message authentication.
*
* @param senderIdentity name identifier of the sender.
* @return Assertion which contains an <code>AuthenticationStatement</code>.
* @throws SecurityTokenException if the assertion could not be obtained.
* @throws SAMLException if unable to generate the SAML Assertion.
*/
throws SecurityTokenException, SAMLException {
if (useLocal) {
}
try {
// The catch clause referencing "re" is not visible in this listing.
"STMC:getSAMLAuthenticationToken()", re);
}
}
}
/**
* Creates a SAML Assertion for message authorization; the assertion could
* optionally contain an <code>AuthenticationStatement</code> which will be
* used for message authentication.
*
* @param senderIdentity name identifier of the sender.
* @param invocatorSession <code>SessionContext</code> of the invocation
* identity, it is normally obtained by the credential reference in
* the SAML <code>AttributeDesignator</code> for discovery resource
* offering which is part of the liberty <code>ID-FF</code>
* <code>AuthenResponse</code>.
* @param resourceID id for the resource to be accessed.
* @param includeAuthN if true, include an
* <code>AuthenticationStatement</code> in the Assertion which will be
* used for message authentication.
* @param includeResourceAccessStatement if true, a
* <code>ResourceAccessStatement</code>
* will be included in the Assertion
* (for <code>AuthorizeRequester</code> directive). If false,
* a <code>SessionContextStatement</code> will be included in the
* Assertion (for <code>AuthenticationSessionContext</code>
* directive). In the case when both <code>AuthorizeRequester</code>
* and <code>AuthenticationSessionContext</code> directive need to be
* handled, use "true" as parameter here since the
* <code>SessionContext</code> will always be included in the
* <code>ResourceAccessStatement</code>.
* @param recipientProviderID recipient's provider ID.
* @return the <code>SecurityAssertion</code> object.
* @throws SecurityTokenException if the assertion could not be obtained.
* @throws SAMLException if unable to generate the SAML Assertion.
*/
boolean includeAuthN,
boolean includeResourceAccessStatement,
throws SecurityTokenException, SAMLException {
if (useLocal) {
}
try {
} catch (Exception e) {
// Log tag names createAssertionArtifact although this is the
// authorization-token method — presumably a copy/paste leftover.
"STMC:createAssertionArtifact:", e);
}
throw (new SecurityTokenException(e.getMessage()));
}
}
/**
* Creates a SAML Assertion for message authorization; the assertion could
* optionally contain an <code>AuthenticationStatement</code> which will be
* used for message authentication.
*
* @param senderIdentity name identifier of the sender.
* @param invocatorSession <code>SessionContext</code> of the invocation
* identity, it is normally obtained by the credential reference in
* the SAML <code>AttributeDesignator</code> for discovery resource
* offering which is part of the liberty <code>ID-FF</code>
* <code>AuthenResponse</code>.
* @param encResourceID Encrypted ID for the resource to be accessed.
* @param includeAuthN if true, include an
* <code>AuthenticationStatement</code> in the
* Assertion which will be used for message authentication.
* @param includeResourceAccessStatement if true,
* a <code>ResourceAccessStatement</code> will be included in the
* Assertion (for <code>AuthorizeRequester</code> directive). If
* false, a <code>SessionContextStatement</code> will be included in
* the Assertion (for <code>AuthenticationSessionContext</code>
* directive). In the case when both <code>AuthorizeRequester</code>
* and <code>AuthenticationSessionContext</code> directive need to be
* handled, use "true" as parameter here since the
* <code>SessionContext</code> will always be included in the
* <code>ResourceAccessStatement</code>.
* @param recipientProviderID recipient's provider ID.
* @return the <code>SecurityAssertion</code> object.
* @throws SecurityTokenException if the assertion could not be obtained.
* @throws SAMLException if unable to generate the SAML Assertion.
*/
boolean includeAuthN,
boolean includeResourceAccessStatement,
throws SecurityTokenException, SAMLException {
if (useLocal) {
}
try {
} catch (Exception e) {
"STMC:getSAMLAuthorizationToken() ", e);
}
throw (new SecurityTokenException(e.getMessage()));
}
}
}