a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington/*
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * opensso/legal/CDDLv1.0.txt
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * at opensso/legal/CDDLv1.0.txt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: SecurityTokenManagerClient.java,v 1.9 2008/08/19 19:11:09 veiming Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster *
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington * Portions Copyright 2013-2015 ForgeRock AS.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpackage com.sun.identity.liberty.ws.security;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.locale.Locale;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.configuration.SystemPropertiesManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.xml.XMLUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.common.SystemConfigurationUtil;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.Base64;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.Base64;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.disco.EncryptedResourceID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AssertionIDReference;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Attribute;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.NameIdentifier;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.jaxrpc.SOAPClient;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.protocol.AssertionArtifact;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.net.InetAddress;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.net.URL;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.rmi.RemoteException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.rmi.ServerException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.security.cert.X509Certificate;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.Iterator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport java.util.ResourceBundle;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport javax.xml.soap.SOAPException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster/**
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The class <code>SecurityTokenManagerClient</code> is a <code>final</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * class that provides interfaces to create, get and destroy
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>Assertion</code>s.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <p>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The class provides mechanisms to manage the <code>Assertion</code>s either
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * locally (i.e., within the same JVM process) or remotely on another instance
8d3140b524c0e28c0a49dc7c7d481123ef3cfe11Chris Lee * of OpenAM. The default constructor will manage the <code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion</code>s locally if it detects SAML web services running locally,
 * else will use one of the configured OpenAM instances. The constructor which
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * accepts an <code>URL</code> will always use the URL to manage the assertions.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <p>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Having obtained an instance of <code>AssertionManagerClient</code>, its
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * methods can be called to create/get <code>Assertion</code>, and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AssertionArtifact</code>, and to obtain decision from an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>Query</code>.
91cb2bef1c88e70b5d433c2a34bca110a35786ceMark Craig *
91cb2bef1c88e70b5d433c2a34bca110a35786ceMark Craig * @supported.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster */
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic final class SecurityTokenManagerClient {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
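    /** Service name passed to SystemConfigurationUtil when resolving the endpoint URL. */
    private static final String SERVICE_NAME = "securitytokenmanager";

    // Process-wide result of the one-time "is the service local?" probe done by
    // the default constructor. NOTE(review): these statics are read and written
    // without synchronization; concurrent first-time construction may probe twice.
    private static boolean checkedForLocal;
    private static boolean isLocal;
    // Per-instance dispatch switch: in-JVM manager (true) or SOAP stub (false).
    private boolean useLocal;

    // SOAP client shared by all instances created with the default constructor.
    private static SOAPClient remoteStub;

    // In-JVM manager; only set when useLocal is true.
    private SecurityTokenManager securityTokenManager;
    // Caller's session id; passed as the last argument of every authenticated
    // remote call (all stub.send calls except the "checkForLocal" probe).
    private String ssoToken = null;

    // SOAP client used by this instance when useLocal is false.
    private SOAPClient stub;

    static ResourceBundle bundle =
        Locale.getInstallResourceBundle("libLibertySecurity");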
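    /**
     * Returns an instance of <code>SecurityTokenManagerClient</code> that
     * manages tokens in this JVM when the SecurityTokenManager service is
     * detected locally, and otherwise through the SOAP endpoint built from the
     * server protocol/host/port/URI system properties.
     * <p>
     * The local/remote probe runs once per process and its outcome is cached in
     * the static <code>checkedForLocal</code>/<code>isLocal</code> fields. Every
     * instance, not only the one that ran the probe, gets its own
     * <code>SecurityTokenManager</code> in the local case, so the caller's
     * credential is checked for each client.
     *
     * @param credential credential of the caller used to see
     *        if access to this security token manager client is allowed.
     * @throws SecurityTokenException if unable to access the
     *         security token manager, locally or remotely.
     */
    public SecurityTokenManagerClient(Object credential)
            throws SecurityTokenException {
        if (!checkedForLocal) {
            try {
                // Probe the server named by the local configuration. The
                // "checkForLocal" call presumably sets
                // SecurityTokenManagerImpl.isLocal when that server is this JVM.
                remoteStub = getServiceEndPoint(
                    SystemPropertiesManager.get(SAMLConstants.SERVER_PROTOCOL),
                    SystemPropertiesManager.get(SAMLConstants.SERVER_HOST),
                    SystemPropertiesManager.get(SAMLConstants.SERVER_PORT),
                    SystemPropertiesManager.get(SAMLConstants.SERVER_URI));
                remoteStub.send("checkForLocal", null, null, null);
                if (SecurityTokenManagerImpl.isLocal) {
                    isLocal = true;
                    SecurityTokenManager.debug.warning(
                        "STMC(): Using local service");
                }
                checkedForLocal = true;
            } catch (Exception e) {
                // The probe is not retried by later instances; they take the
                // remote path and are rejected there if no stub was created.
                checkedForLocal = true;
                if (SecurityTokenManager.debug.warningEnabled()) {
                    SecurityTokenManager.debug.warning(
                        "SecurityTokenManagerClient()Exception", e);
                }
                throw (new SecurityTokenException(e.getMessage()));
            }
        }
        if (isLocal) {
            useLocal = true;
            try {
                // Built here, for every instance: previously only the probing
                // instance created its manager, leaving securityTokenManager
                // null (and the credential unchecked) for all later ones.
                securityTokenManager = new SecurityTokenManager(credential);
            } catch (Exception e) {
                if (SecurityTokenManager.debug.warningEnabled()) {
                    SecurityTokenManager.debug.warning(
                        "SecurityTokenManagerClient()Exception", e);
                }
                throw (new SecurityTokenException(e.getMessage()));
            }
        } else {
            // Use the remoteStub if set
            stub = remoteStub;
            if (stub == null) {
                // A failed first probe leaves no stub behind; report that
                // rather than letting stub.send() fail with a NullPointerException.
                throw (new SecurityTokenException(
                    bundle.getString("serverNotFound")));
            }
            try {
                ssoToken =
                    SessionManager.getProvider().getSessionID(credential);
                // The session id is both the payload and the auth token of
                // the initialization call.
                stub.send("initialization", ssoToken, null, ssoToken);
            } catch (Exception e) {
                // Full stack trace goes to the warning log; only the message
                // reaches the caller.
                if (SecurityTokenManager.debug.warningEnabled()) {
                    SecurityTokenManager.debug.warning(
                        "SecurityTokenManagerClient()Exception", e);
                }
                throw (new SecurityTokenException(e.getMessage()));
            }
        }
    }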
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Returns an instance of <code>SecurityTokenManagerClient</code> bound to
     * an explicit service URL. No local/remote probe is made; every call goes
     * to <code>url</code>.
     * <p>
     * The caller's session id is sent to this endpoint in the
     * "initialization" call and with every later call, so <code>url</code>
     * must come from trusted configuration, never from request data.
     *
     * @param url the <code>SecurityTokenManagerClient</code> service URL that
     *        will be used to get <code>BinarySecurityToken</code> and
     *        <code>SAMLSecurityToken</code>.
     * @param credential credential of the caller used to see
     *        if access to this security token manager client is allowed.
     * @throws SecurityTokenException if the session id cannot be obtained or
     *         the endpoint rejects the initialization call.
     */
    public SecurityTokenManagerClient(String url, Object credential)
            throws SecurityTokenException {
        try {
            ssoToken = SessionManager.getProvider().getSessionID(credential);
            stub = new SOAPClient(new String[] {url});
            stub.send("initialization", ssoToken, null, ssoToken);
            useLocal = false;
        } catch (Exception failure) {
            // Stack trace is logged here; the caller only sees the message.
            if (SecurityTokenManager.debug.warningEnabled()) {
                SecurityTokenManager.debug.warning("STMC() Exception", failure);
            }
            throw (new SecurityTokenException(failure.getMessage()));
        }
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Builds a SOAP client for the token-manager service at the given
     * protocol/host/port/URI.
     *
     * @param protocol scheme of the server.
     * @param hostname server host name.
     * @param port server port as a decimal string.
     * @param uri deployment URI of the server.
     * @return a <code>SOAPClient</code> pointed at the resolved service URL.
     * @throws Exception if <code>port</code> is not a number, or if
     *         <code>getServiceURL</code> fails.
     */
    private static SOAPClient getServiceEndPoint(String protocol,
            String hostname, String port, String uri) throws Exception {
        URL serviceUrl = SystemConfigurationUtil.getServiceURL(SERVICE_NAME,
            protocol, hostname, Integer.parseInt(port), uri);
        String endpoint = serviceUrl.toString();
        if (SecurityTokenManager.debug.messageEnabled()) {
            SecurityTokenManager.debug.message(
                "SecurityTokenManagerClient with URL: " + endpoint);
        }
        return new SOAPClient(new String[] {endpoint});
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
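    /**
     * Picks the first configured platform server whose token-manager endpoint
     * answers a "checkForLocal" call and returns a SOAP client for it.
     * <p>
     * Each server is tried independently: a malformed entry, an endpoint that
     * cannot be built, or a server that does not answer is logged and the next
     * one is tried. When none answers, the last failure is reported.
     *
     * @return a <code>SOAPClient</code> for a responding server.
     * @throws SecurityTokenException if no configured server responds; carries
     *         the last error's message, or the "serverNotFound" message when
     *         no error was recorded (e.g. an empty server list).
     */
    private static SOAPClient getRemoteStub()
            throws SecurityTokenException {
        boolean foundServer = false;
        Exception lastError = null;
        // Local name differs from the static remoteStub field on purpose.
        SOAPClient candidate = null;
        try {
            // Get the list of platform servers
            Iterator<?> serverList =
                SystemConfigurationUtil.getServerList().iterator();

            // Get a server that is responding
            while (serverList.hasNext() && !foundServer) {
                String server = (String) serverList.next();
                try {
                    URL u = new URL(server);
                    // URL.getPort() is -1 when the URL has no explicit port;
                    // use the scheme's default instead of passing "-1" on.
                    int port = (u.getPort() == -1)
                        ? u.getDefaultPort() : u.getPort();
                    candidate = getServiceEndPoint(u.getProtocol(), u.getHost(),
                        Integer.toString(port), u.getPath());
                    // this call will throw an exception if server is down
                    candidate.send("checkForLocal", null, null, null);
                    if (SecurityTokenManager.debug.messageEnabled()) {
                        SecurityTokenManager.debug.message(
                            "STMC(): Using the remote URL: " + u.toString());
                    }
                    foundServer = true;
                    if (SecurityTokenManager.debug.warningEnabled()) {
                        SecurityTokenManager.debug.warning(
                            "STMC:getRemoteStub: remote server being used: "
                            + u.toString());
                    }
                } catch (Exception e) {
                    // Remember the failure and move on to the next server.
                    lastError = e;
                    if (SecurityTokenManager.debug.warningEnabled()) {
                        SecurityTokenManager.debug.warning(
                            "STMC:getRemoteStub: server (" +
                            server + ") error: ", e);
                    }
                }
            }
        } catch (Exception f) {
            // Failure obtaining the server list itself.
            lastError = f;
            if (SecurityTokenManager.debug.warningEnabled()) {
                SecurityTokenManager.debug.warning(
                    "STMC:getRemoteStub: generic error: ", f);
            }
        }

        if (!foundServer) {
            // No valid server found. Return the last exception
            if (lastError != null) {
                throw (new SecurityTokenException(lastError.getMessage()));
            } else {
                throw (new SecurityTokenException(
                    bundle.getString("serverNotFound")));
            }
        }
        return (candidate);
    }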
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Sets the alias of the certificate used for issuing <code>WSS</code>
     * token, i.e. <code>WSS</code> <code>X509</code> Token, <code>WSS</code>
     * SAML Token. If the <code>certAlias</code> is never set, a default
     * certificate will be used for issuing <code>WSS</code> tokens.
     * <p>
     * Remotely this is the same "setCertificate" call that
     * {@link #setCertificate(X509Certificate)} makes, with the flag set to
     * <code>TRUE</code> (presumably marking the payload as an alias rather
     * than an encoded certificate).
     *
     * @param certAlias String alias name for the certificate.
     * @throws SecurityTokenException if certificate for the
     *         <code>certAlias</code> could not be found in key store.
     *
     * @supported.api
     */
    public void setCertAlias(java.lang.String certAlias)
            throws SecurityTokenException {
        if (!useLocal) {
            try {
                stub.send("setCertificate",
                    new Object[] {certAlias, Boolean.TRUE}, null, ssoToken);
            } catch (Exception failure) {
                if (SecurityTokenManager.debug.warningEnabled()) {
                    SecurityTokenManager.debug.warning(
                        "STMC:setCertAlias()", failure);
                }
                throw (new SecurityTokenException(failure.getMessage()));
            }
            return;
        }
        securityTokenManager.setCertAlias(certAlias);
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Sets the certificate used for issuing <code>WSS</code> token, i.e.
     * <code>WSS</code> <code>X509</code> Token, <code>WSS</code> SAML Token.
     * If the certificate is never set, a default certificate will
     * be used for issuing <code>WSS</code> tokens.
     * <p>
     * Remotely the DER encoding of the certificate is sent Base64-encoded,
     * with the flag set to <code>FALSE</code> to distinguish it from the alias
     * form used by {@link #setCertAlias(String)}.
     *
     * @param cert <code>X509</code> certificate
     * @throws SecurityTokenException if could not set Certificate.
     */
    public void setCertificate(X509Certificate cert)
            throws SecurityTokenException {
        if (!useLocal) {
            try {
                String encodedCert = Base64.encode(cert.getEncoded());
                stub.send("setCertificate",
                    new Object[] {encodedCert, Boolean.FALSE}, null, ssoToken);
            } catch (Exception failure) {
                if (SecurityTokenManager.debug.warningEnabled()) {
                    SecurityTokenManager.debug.warning(
                        "STMC:setCertificate()", failure);
                }
                throw (new SecurityTokenException(failure.getMessage()));
            }
            return;
        }
        securityTokenManager.setCertificate(cert);
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Gets the <code>X509</code> certificate Token, either from the in-JVM
     * manager or by asking the remote service and parsing the XML string it
     * returns.
     *
     * @return <code>X509</code> certificate Token.
     * @throws SecurityTokenException if the binary security token could
     *         not be obtained.
     */
    public BinarySecurityToken getX509CertificateToken()
            throws SecurityTokenException {
        if (useLocal) {
            return securityTokenManager.getX509CertificateToken();
        }
        try {
            String tokenXml = (String) stub.send("getX509CertificateToken",
                null, null, ssoToken);
            return new BinarySecurityToken(
                XMLUtils.toDOMDocument(tokenXml, SecurityTokenManager.debug)
                    .getDocumentElement());
        } catch (Exception failure) {
            // Covers the remote call, the XML parse and the token constructor.
            if (SecurityTokenManager.debug.warningEnabled()) {
                SecurityTokenManager.debug.warning(
                    "STMC:getX509CertificateToken()", failure);
            }
            throw (new SecurityTokenException(failure.getMessage()));
        }
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
    /**
     * Creates a SAML Assertion for message authentication. Remotely the sender
     * identity is serialized to XML, sent to the service, and the returned
     * assertion XML is parsed back into a <code>SecurityAssertion</code>.
     *
     * @param senderIdentity name identifier of the sender.
     * @return Assertion which contains an <code>AuthenticationStatement</code>.
     * @throws SecurityTokenException if the assertion could not be obtained
     *         from the local manager.
     * @throws SAMLException if unable to generate the SAML Assertion; any
     *         remote-path failure is reported as this type.
     */
    public SecurityAssertion getSAMLAuthenticationToken(
            NameIdentifier senderIdentity)
            throws SecurityTokenException, SAMLException {
        if (useLocal) {
            return (securityTokenManager.getSAMLAuthenticationToken(
                senderIdentity));
        }
        try {
            String senderXml = senderIdentity.toString(true, true);
            String assertionXml = (String) stub.send(
                "getSAMLAuthenticationToken", senderXml, null, ssoToken);
            return new SecurityAssertion(
                XMLUtils.toDOMDocument(assertionXml, SecurityTokenManager.debug)
                    .getDocumentElement());
        } catch (Exception failure) {
            if (SecurityTokenManager.debug.warningEnabled()) {
                SecurityTokenManager.debug.warning(
                    "STMC:getSAMLAuthenticationToken()", failure);
            }
            throw (new SAMLException(failure.getMessage()));
        }
    }
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
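/**
 * Creates a SAML Assertion for message authorization; the assertion can
 * optionally contain an <code>AuthenticationStatement</code> which will be
 * used for message authentication.
 *
 * @param senderIdentity name identifier of the sender.
 * @param invocatorSession <code>SessionContext</code> of the invocation
 *        identity; it is normally obtained from the credential reference in
 *        the SAML <code>AttributeDesignator</code> for the discovery resource
 *        offering which is part of the Liberty <code>ID-FF</code>
 *        <code>AuthenResponse</code>.
 * @param resourceID id for the resource to be accessed.
 * @param includeAuthN if true, include an
 *        <code>AuthenticationStatement</code> in the Assertion which will be
 *        used for message authentication.
 * @param includeResourceAccessStatement if true, a
 *        <code>ResourceAccessStatement</code> will be included in the
 *        Assertion (for the <code>AuthorizeRequester</code> directive). If
 *        false, a <code>SessionContextStatement</code> will be included in
 *        the Assertion (for the <code>AuthenticationSessionContext</code>
 *        directive). When both <code>AuthorizeRequester</code> and
 *        <code>AuthenticationSessionContext</code> directives need to be
 *        handled, pass "true" here, since the <code>SessionContext</code>
 *        is always included in the <code>ResourceAccessStatement</code>.
 * @param recipientProviderID recipient's provider ID.
 * @return the <code>SecurityAssertion</code> object.
 * @throws SecurityTokenException if the assertion could not be obtained.
 * @throws SAMLException if unable to generate the SAML Assertion.
 */
public SecurityAssertion getSAMLAuthorizationToken(
        NameIdentifier senderIdentity,
        SessionContext invocatorSession,
        String resourceID,
        boolean includeAuthN,
        boolean includeResourceAccessStatement,
        String recipientProviderID)
        throws SecurityTokenException, SAMLException {
    if (useLocal) {
        // Local mode: delegate straight to the in-process manager.
        return securityTokenManager.getSAMLAuthorizationToken(
                senderIdentity, invocatorSession, resourceID,
                includeAuthN, includeResourceAccessStatement,
                recipientProviderID);
    }

    try {
        String ni = senderIdentity.toString(true, true);
        String sc = invocatorSession.toXMLString(true, true);
        // The fourth slot is Boolean.FALSE here and Boolean.TRUE in the
        // EncryptedResourceID overload — presumably it tells the server
        // whether resourceID is encrypted; confirm against the server-side
        // handler.
        Object[] obj = {ni, sc, resourceID, Boolean.FALSE,
                Boolean.valueOf(includeAuthN),
                Boolean.valueOf(includeResourceAccessStatement),
                recipientProviderID};
        String assertion = (String) stub.send("getSAMLAuthorizationToken",
                obj, null, ssoToken);
        // NOTE(review): the server response is parsed as XML here; confirm
        // that XMLUtils.toDOMDocument disables DTDs/external entities.
        return new SecurityAssertion(XMLUtils.toDOMDocument(assertion,
                SecurityTokenManager.debug).getDocumentElement());
    } catch (Exception e) {
        // Tag the warning with this method's name (previously a copied
        // "STMC:createAssertionArtifact:" tag, which misattributed failures
        // in the log); this matches the EncryptedResourceID overload.
        if (SecurityTokenManager.debug.warningEnabled()) {
            SecurityTokenManager.debug.warning(
                    "STMC:getSAMLAuthorizationToken()", e);
        }
        // Only the message is propagated; the stack trace is in the log.
        throw new SecurityTokenException(e.getMessage());
    }
}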
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster
/**
 * Creates a SAML Assertion for message authorization from an encrypted
 * resource ID; the assertion can optionally contain an
 * <code>AuthenticationStatement</code> which will be used for message
 * authentication.
 *
 * @param senderIdentity name identifier of the sender.
 * @param invocatorSession <code>SessionContext</code> of the invocation
 *        identity; it is normally obtained from the credential reference in
 *        the SAML <code>AttributeDesignator</code> for the discovery resource
 *        offering which is part of the Liberty <code>ID-FF</code>
 *        <code>AuthenResponse</code>.
 * @param encResourceID encrypted ID for the resource to be accessed.
 * @param includeAuthN if true, include an
 *        <code>AuthenticationStatement</code> in the Assertion which will be
 *        used for message authentication.
 * @param includeResourceAccessStatement if true, a
 *        <code>ResourceAccessStatement</code> will be included in the
 *        Assertion (for the <code>AuthorizeRequester</code> directive). If
 *        false, a <code>SessionContextStatement</code> will be included in
 *        the Assertion (for the <code>AuthenticationSessionContext</code>
 *        directive). When both <code>AuthorizeRequester</code> and
 *        <code>AuthenticationSessionContext</code> directives need to be
 *        handled, pass "true" here, since the <code>SessionContext</code>
 *        is always included in the <code>ResourceAccessStatement</code>.
 * @param recipientProviderID recipient's provider ID.
 * @return the <code>SecurityAssertion</code> object.
 * @throws SecurityTokenException if the assertion could not be obtained.
 * @throws SAMLException if unable to generate the SAML Assertion.
 */
public SecurityAssertion getSAMLAuthorizationToken(
        NameIdentifier senderIdentity,
        SessionContext invocatorSession,
        EncryptedResourceID encResourceID,
        boolean includeAuthN,
        boolean includeResourceAccessStatement,
        String recipientProviderID)
        throws SecurityTokenException, SAMLException {
    if (!useLocal) {
        // Remote mode: serialise the inputs, ask the server to mint the
        // token, and rebuild the assertion from the XML it returns.
        try {
            String serializedIdentity = senderIdentity.toString(true, true);
            String serializedSession = invocatorSession.toXMLString(true, true);
            String serializedResourceId = encResourceID.toString();
            // The fourth slot is Boolean.TRUE here and Boolean.FALSE in the
            // plain-String overload — presumably it tells the server the
            // resource ID is encrypted; confirm against the server-side
            // handler.
            Object[] args = {
                serializedIdentity, serializedSession, serializedResourceId,
                Boolean.TRUE,
                Boolean.valueOf(includeAuthN),
                Boolean.valueOf(includeResourceAccessStatement),
                recipientProviderID
            };
            String assertionXml = (String) stub.send(
                    "getSAMLAuthorizationToken", args, null, ssoToken);
            // NOTE(review): the server response is parsed as XML here;
            // confirm that XMLUtils.toDOMDocument disables DTDs/external
            // entities.
            return new SecurityAssertion(
                    XMLUtils.toDOMDocument(assertionXml,
                            SecurityTokenManager.debug).getDocumentElement());
        } catch (Exception cause) {
            if (SecurityTokenManager.debug.warningEnabled()) {
                SecurityTokenManager.debug.warning(
                        "STMC:getSAMLAuthorizationToken() ", cause);
            }
            // Only the message is propagated; the stack trace is in the log.
            throw new SecurityTokenException(cause.getMessage());
        }
    }
    // Local mode: delegate straight to the in-process manager.
    return securityTokenManager.getSAMLAuthorizationToken(
            senderIdentity, invocatorSession, encResourceID,
            includeAuthN, includeResourceAccessStatement,
            recipientProviderID);
}
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster}