a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: SecurityTokenProvider.java,v 1.3 2008/06/25 05:47:21 qcheng Exp $
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.disco.EncryptedResourceID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Assertion;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.NameIdentifier;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The class <code>SecurityTokenProvider</code> is a provider interface
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * for managing <code>WSS</code> security tokens.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @supported.all.api
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Initializes the <code>SecurityTokenProvider</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param credential The credential of the caller used
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * to see if access to this security token provider is allowed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sigManager instance of XML digital
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * signature manager class, used for accessing the certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * data store and digital signing of the assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the caller does not have
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * privilege to access the security authority manager.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void initialize(java.lang.Object credential,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster com.sun.identity.saml.xmlsig.XMLSignatureManager sigManager)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets the alias of the certificate used for issuing <code>WSS</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * token, i.e. <code>WSS</code> <code>X509</code> Token, <code>WSS</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML Token. If the <code>certAlias</code> is never set, a default
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * certificate will be used for issuing <code>WSS</code> tokens.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias String alias name for the certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if certificate for the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>certAlias</code> could not be found in key store.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setCertAlias(java.lang.String certAlias)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets the certificate used for issuing <code>WSS</code> token, i.e.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>WSS X509</code> Token, <code>WSS</code> SAML Token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If the certificate is never set, a default certificate will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be used for issuing <code>WSS</code> tokens.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert <code>X509Certificate</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the certificate could not be set.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setCertificate(X509Certificate cert)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the <code>X509</code> certificate Token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>X509</code> certificate Token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the token could not be obtained.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public BinarySecurityToken getX509CertificateToken()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML Assertion for message authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Assertion which contains an <code>AuthenticationStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public SecurityAssertion getSAMLAuthenticationToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML Assertion for message authorization, the assertion could
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * optionally contain an <code>AuthenticationStatement</code> which will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * used for message authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession <code>SessionContext</code> of the invocation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * identity, it is normally obtained by the credential reference in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the SAML <code>AttributeDesignator</code> for discovery resource
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * offering which is part of the liberty <code>ID-FF</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenResponse</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param resourceID id for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the Assertion which will be used for message
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication. If false, no <code>AuthenticationStatement</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code> will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for <code>AuthorizeRequester</code> directive). If
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * false, a <code>SessionContextStatement</code> will be included in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the Assertion (for <code>AuthenticationSessionContext</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * directive). In the case when both <code>AuthorizeRequester</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and <code>AuthenticationSessionContext</code> directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SessionContext</code> will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>SecurityAssertion</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public SecurityAssertion getSAMLAuthorizationToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML Assertion for message authorization, the assertion could
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * optionally contain an <code>AuthenticationStatement</code> which will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * used for message authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession <code>SessionContext</code> of the invocation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * identity, it is normally obtained by the credential reference in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the SAML <code>AttributeDesignator</code> for discovery resource
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * offering which is part of the liberty <code>ID-FF</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenResponse</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param encResourceID Encrypted ID for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> in the Assertion which will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * used for message authentication. If false, no
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code> will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for <code>AuthorizeRequester</code> directive). If
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * false, a <code>SessionContextStatement</code> will be included in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the Assertion (for <code>AuthenticationSessionContext</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * directive). In the case when both <code>AuthorizeRequester</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and <code>AuthenticationSessionContext</code> directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SessionContext</code> will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>SecurityAssertion</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public SecurityAssertion getSAMLAuthorizationToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML assertion. The <code>confirmationMethod</code> will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * set to <code>urn:oasis:names:tc:SAML:1.0:cm:bearer</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession <code>SessionContext</code> of the invocation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * identity, it is normally obtained by the credential reference in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the SAML <code>AttributeDesignator</code> for discovery resource
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * offering which is part of the liberty <code>ID-FF</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenResponse</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param resourceID id for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> in the Assertion which will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be used for message authentication. If false, no
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code> will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for <code>AuthorizeRequester</code> directive). If
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * false, a <code>SessionContextStatement</code> will be included in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the Assertion (for <code>AuthenticationSessionContext</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * directive). In the case when both <code>AuthorizeRequester</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and <code>AuthenticationSessionContext</code> directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SessionContext</code> will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>SecurityAssertion</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAMLException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML assertion. The <code>confirmationMethod</code> will be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * set to <code>urn:oasis:names:tc:SAML:1.0:cm:bearer</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession <code>SessionContext</code> of the invocation
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * identity, it is normally obtained by the credential reference in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the SAML <code>AttributeDesignator</code> for discovery resource
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * offering which is part of the liberty <code>ID-FF</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenResponse</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param encResourceID Encrypted ID for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> in the Assertion which will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be used for message authentication. If false, no
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>AuthenticationStatement</code> will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code> will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for <code>AuthorizeRequester</code> directive). If
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * false, a <code>SessionContextStatement</code> will be included
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * in the Assertion (for <code>AuthenticationSessionContext</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * directive). In the case when both <code>AuthorizeRequester</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and <code>AuthenticationSessionContext</code> directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>SessionContext</code> will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * <code>ResourceAccessStatement</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return <code>SecurityAssertion</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained