AMSTSConstants.java revision bf428bd5bd8ff463b3438964b14c7f95ee57fc8c
/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions Copyrighted [year] [name of copyright owner]".
*
* Copyright 2013-2015 ForgeRock AS. All rights reserved.
*/
public class AMSTSConstants {
/*
Necessary to distinguish the originator of the invocation to the Token Generation Service. Calls need to
be distinguished so that the appropriate STSInstanceConfigPersister can be referenced to pull config state for the
STS instance.
*/
/*
The namespace defined by the WS-Trust specification.
*/
public static final String WS_TRUST_NAMESPACE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
/*
These constants define the QNames referencing services and ports in wsdl documents which define the semantics and
SecurityPolicy bindings of published STS instances.
*/
public static final QName UT_SYMMETRIC_STS_SERVICE = new QName(WS_TRUST_NAMESPACE, "ut_symmetric_sts_service");
public static final QName UT_SYMMETRIC_STS_SERVICE_PORT = new QName(WS_TRUST_NAMESPACE, "ut_symmetric_sts_service_port");
public static final QName UT_ASYMMETRIC_STS_SERVICE = new QName(WS_TRUST_NAMESPACE, "ut_asymmetric_sts_service");
public static final QName UT_ASYMMETRIC_STS_SERVICE_PORT = new QName(WS_TRUST_NAMESPACE, "ut_asymmetric_sts_service_port");
public static final QName UT_TRANSPORT_STS_SERVICE = new QName(WS_TRUST_NAMESPACE, "ut_transport_sts_service");
public static final QName UT_TRANSPORT_STS_SERVICE_PORT = new QName(WS_TRUST_NAMESPACE, "ut_transport_sts_service_port");
public static final QName AM_TRANSPORT_STS_SERVICE = new QName(WS_TRUST_NAMESPACE, "am_transport_sts_service");
public static final QName AM_TRANSPORT_STS_SERVICE_PORT = new QName(WS_TRUST_NAMESPACE, "am_transport_sts_service_port");
public static final QName AM_BARE_STS_SERVICE = new QName(WS_TRUST_NAMESPACE, "am_bare_sts_service");
public static final QName AM_BARE_STS_SERVICE_PORT = new QName(WS_TRUST_NAMESPACE, "am_bare_sts_service_port");
public static final QName X509_ASYMMETRIC_STS_SERVICE = new QName(WS_TRUST_NAMESPACE, "x509_asymmetric_sts_service");
public static final QName X509_ASYMMETRIC_STS_SERVICE_PORT = new QName(WS_TRUST_NAMESPACE, "x509_asymmetric_sts_service_port");
public static final QName X509_SYMMETRIC_STS_SERVICE = new QName(WS_TRUST_NAMESPACE, "x509_symmetric_sts_service");
public static final QName X509_SYMMETRIC_STS_SERVICE_PORT = new QName(WS_TRUST_NAMESPACE, "x509_symmetric_sts_service_port");
/*
Used in conjunction with com.google.inject.Names.named to distinguish e.g. a Provider of the token types for
issue operations vs. the token types for validate operations. In each case a list<TokenType> is returned, and thus
we need @Named with one of the values below for disambiguation.
*/
/*
Used in conjunction with a @Named annotation to inject a Map<String, Object> instance necessary for the CXF interceptor-set
*/
/*
The following values are used by the AMTokenValidator.
*/
/*
This constant defines the name of the OpenAM token, currently used in token validation requests;
*/
/*
The name of the DOM Element and json field used to communicate a OpenAM session identifier in the SecurityToken.
This will also be used as the local name in the soap-sts wsdl files which define the Policy for an OpenAMSessionToken
SecurityPolicy.
*/
/*
The namespace of the DOM Element used to communicate a OpenAM session identifier in the SecurityToken.
This will also be used as the namespace in the soap-sts wsdl files which define the Policy for an OpenAMSessionToken
SecurityPolicy.
*/
public static final String AM_SESSION_TOKEN_ELEMENT_NAMESPACE="http://schemas.forgerock.org/ws/securitypolicy";
/*
QName of the OpenAMSessionToken - needed in the soap-sts to create custom Assertions and the corresponding PolicyInterceptors.
*/
public static final QName AM_SESSION_TOKEN_ASSERTION_QNAME = new QName(AM_SESSION_TOKEN_ELEMENT_NAMESPACE, AM_SESSION_TOKEN_ELEMENT_NAME);
/*
ValueType in the BinarySecurityToken containing the OpenAMSessionToken
*/
public static final String AM_SESSION_TOKEN_ASSERTION_BST_VALUE_TYPE = AM_SESSION_TOKEN_ELEMENT_NAMESPACE + "#" + AM_SESSION_TOKEN_ELEMENT_NAME;
/*
Used in conjunction with a @Named annotation to inject the realm string.
*/
/*
Used in conjunction with a @Named annotation to inject the AM rest authN uri element string.
*/
/*
Used in conjunction with a @Named annotation to inject the AM rest logout uri element string.
*/
/*
Used in conjunction with a @Named annotation to inject the AM rest username from session id uri element string.
*/
/*
Used in conjunction with a @Named annotation to inject the AM rest token generation service uri element string.
*/
/*
Used in conjunction with a @Named annotation to provide the uri element corresponding to the Rest STS publish
service. Consumed by the RestSTSInstanceReconstitutionServlet to build up the uri necessary to consume this
service.
*/
/*
Used in conjunction with a @Named annotation to provide the uri element corresponding to the Rest STS publish
service. Consumed by the PublishServiceConsumerImpl to build up the uri necessary to consume this
service.
*/
/*
Used in conjunction with a @Named annotation to provide the uri element corresponding to the agents profile service.
Consumed by the SoapSTSAgentConfigAccessImpl to build up the uri necessary to obtain the profile state corresponding
to the soap-sts agent.
*/
/*
Used in conjunction with a @Named annotation to inject the url string corresponding to the AM deployment.
*/
/*
String passed to Debug.getInstance(String id).
*/
/*
String passed to Debug.getInstance(String id).
*/
/*
The sts.auth.*TokenValidator instances will be configured with state that allows the AuthenticationUriProvider to
know the module/service/? to be consumed as defined in the com.sun.identity.authentication.AuthContext.IndexType inner-class.
The AuthContext.IndexType uses old-school enums, based on strings, to define the set of possible auth index types (i.e. the
types of authentication facilities that can be invoked). These values are passed to the REST authN context, and the strings
must marshall to the enum values defined in AuthContext.IndexType. I cannot import this class directly, as this would pull
a dependency on openam-core, so I will re-define the string values here, and reference them where needed in STS code.
*/
/*
The name of the key identifying the token type in the json blob representing a token
*/
/*
The json representation of a UsernameToken will have the following key identifying the username.
*/
/*
The json representation of a UsernameToken will have the following key identifying the password.
*/
/*
The json representation of a AM Session will have the following key identifying the sessionId.
*/
/*
Used in a @Named annotation provided to the TokenTranslateOperationImpl to specify the Set<TokenTransformConfig> instances
used to define the set of supported token transformations. This set will ultimately come from the user.
*/
/*
Used in a @Named annotation provided to the TokenTranslateOperationImpl to specify the Set<CustomTokenOperation> instances
used to define the set of custom token validators. This set will ultimately come from the user.
*/
/*
Used in a @Named annotation provided to the TokenTranslateOperationImpl to specify the Set<CustomTokenOperation> instances
used to define the set of custom token providers. This set will ultimately come from the user.
*/
/*
Used in a @Named annotation provided to the TokenTranslateOperationImpl to specify the Set<TokenTransformConfig> instances
used to define the set of supported token transformations. This set will ultimately come from the user.
*/
/*
Used when creating the RestSTSInstanceConfig, to specify for which token transformation operations the interim OpenAM
session (generated after successful validation), should be invalidated.
*/
public static final boolean INVALIDATE_INTERIM_OPENAM_SESSION = true;
/*
the /json/users/?_action=idFromSession needs the iPDP value in a cookie with a name corresponding to the cookie name
in the AM deployment.
*/
/*
set to /json. In composing the authentication, idFromSession, or logout urls, the realm has to be between
e.g. authenticate and /json.
*/
/*
Used to constitute the header values POSTed to the rest authN.
*/
/*
Used to constitute the header values POSTed to the rest authN.
*/
/*
Used for marshalling between byte[] and string representations. Does not seem to be defined anywhere in the pre 1.7 JDK.
*/
/*
Used to identify the json-resource ConnectionFactory which will be bound globally to all Rest STS instances.
*/
/*
used to identify the key referencing the OIDC ID Token in both the json representation of the OIDC ID Token.
This value is also used as the local name in the AM_OPEN_ID_CONNECT_TOKEN_ASSERTION_TYPE, which is the token type
indicator set by the cxf sts client, and used by the SoapOpenIdConnectTokenProvider#canHandleToken to
indicate that it can issue a token of the specified type.
*/
/*
The namespace of the DOM Element used to communicate an OpenID Connect ID Token. When the SoapOpenIdConnectTokenProvider
issues an OIDC token, it can only be set as an xml element in the TokenProviderResponse. This constant defines the
namespace of the xml element.
*/
public static final String OPEN_ID_CONNECT_ID_TOKEN_ELEMENT_NAMESPACE="http://forgerock.org/OpenAM/tokens";
/*
The identifier of an OpenIdConnect token, as specified in the CXF STS client, as the specification of the
desired token type. SoapOpenIdConnectTokenProvider#canHandleToken will check for this constant to deterime if it can
handle the issue token request. It is also used as the ValueType in the BinarySecurityToken which will wrap the
OpenIdConnectToken returned in the TokenProviderResponse returned from SoapOpenIdConnectTokenProvider#createToken.
*/
public static final String AM_OPEN_ID_CONNECT_TOKEN_ASSERTION_TYPE = OPEN_ID_CONNECT_ID_TOKEN_ELEMENT_NAMESPACE + "#" + OPEN_ID_CONNECT_ID_TOKEN_KEY;
/*
When validating OIDC ID Tokens, the OpenAM authN module needs to be configured with the header which will reference
the Id token. This value needs to be set in the context map associated with the AuthTargetMapping corresponding to
the token transformation which takes the OIDC token as input.
*/
public static final String OPEN_ID_CONNECT_ID_TOKEN_AUTH_TARGET_HEADER_KEY = "oidc_id_token_auth_target_header_key";
/*
When validating X509Tokens, the OpenAM Certificate authN module must be configured in portal mode. This involves setting
the Trusted Remote Hosts value to something other than none, and specifying the header name which will reference the
client's x509 certificate. This header name must be configured in the AuthTargetMapping
*/
/*
Used in a @Named annotation to inject the instance id for the STS, as this is required to make invocations to the
TokenGenerationService. This state will ultimately be pulled from the STSInstanceConfig.
*/
/*
The JsonValue returned by the TokenGenerationService will have a single entry, keyed by the string below. The value
will be the generated token (now just a SAML2 assertion).
*/
/*
The name of the rest sts service, as defined in restSTS.xml. Referenced in the RestSTSInstanceConfigStore, to
write rest sts instance config state to the SMS.
*/
/*
The name of the rest sts service, as defined in soapSTS.xml. Referenced in the SoapSTSInstanceConfigStore, to
write rest sts instance config state to the SMS.
*/
/*
Corresponds to the version specified in restSTS.xml. Used to register ServiceListeners.
*/
/*
Corresponds to the version specified in soapSTS.xml. Used to register ServiceListeners.
*/
/*
The name of the json field corresponding to the deployment path of a successfully-published Rest STS instance.
*/
/*
The name of the json field in the json rest-sts publish invocation that references the field which allows the
marshalling logic in the {Rest|Soap}STSPublishServiceRequestHandler to distinguish between programmatic invocations via
the client stk classes, which will publish with state generated by calling toJson() on an instance of the {Rest|Soap}STSInstanceConfig
class, and the {Rest|Soap}SecurityTokenServiceViewBean, which will publish with state harvested from the ViewBean property
sheet, and will thus be in the format of Map<String, Set<String>>.
*/
public static final String STS_PUBLISH_INVOCATION_CONTEXT = SharedSTSConstants.STS_PUBLISH_INVOCATION_CONTEXT;
/*
Used as the value for the STS_PUBLISH_INVOCATION_CONTEXT key for invocations to the rest sts publish service
issued by the RestSecurityTokenServiceViewBean.
*/
public static final String STS_PUBLISH_INVOCATION_CONTEXT_VIEW_BEAN = SharedSTSConstants.STS_PUBLISH_INVOCATION_CONTEXT_VIEW_BEAN;
/*
Used as the value for the STS_PUBLISH_INVOCATION_CONTEXT key for invocations to the rest sts publish service
issued by the client sdk (i.e. by calling toJson() on an instance of the RestSTSInstanceConfig class).
*/
public static final String STS_PUBLISH_INVOCATION_CONTEXT_CLIENT_SDK = "invocation_context_client_sdk";
/*
Used as the key to the JsonValue corresponding to a wrapped Map<String, Set<String>> or the output of
RestSTSInstanceConfig#toJson(), depending upon the invocation context.
*/
public static final String STS_PUBLISH_INSTANCE_STATE = SharedSTSConstants.STS_PUBLISH_INSTANCE_STATE;
/**
* If a rest-sts instance is configured to support a token transformation with an x509 token as an input token type, the
* instance must be invoked via a two-way TLS exchange (i.e. where the client presents their certificate). If OpenAM
* is deployed behind a tls-offloading engine, the client certificate won't be set as a HttpServetRequest attribute
* referenced by the javax.servlet.request.X509Certificate key, but rather the rest sts instance must be configured
* with the name of the http header where the tls-offloading engine will store the client certificate prior to invoking
* OpenAM.
*/
public static final String OFFLOADED_TWO_WAY_TLS_HEADER_KEY = SharedSTSConstants.OFFLOADED_TWO_WAY_TLS_HEADER_KEY;
/**
* If a rest-sts instance is configured to support a token transformation with an x509 token as an input token type, the
* instance must be invoked via a two-way TLS exchange (i.e. where the client presents their certificate). If OpenAM
* is deployed behind a tls-offloading engine, the client certificate won't be set as a HttpServetRequest attribute
* referenced by the javax.servlet.request.X509Certificate key, but rather the rest sts instance must be configured
* with the name of the http header where the tls-offloading engine will store the client certificate prior to invoking
* OpenAM. The rest-sts instance will undertake the further check to determine if the ip address invoking the rest-sts
* corresponds to the set of IP-addresses corresponding to the TLS-offload-engine hosts.
*/
/**
* The name of the CREST header identifying the version of a targeted service.
*/
/**
* Used in context of a @Named annotation to identify the String identifying the version of targeted CREST services.
*/
/**
* Used in context of a @Named annotation to identify the String identifying the version of targeted CREST services.
*/
/**
* Used in context of a @Named annotation to identify the String identifying the version of targeted CREST services.
*/
/**
* Used in context of a @Named annotation to identify the String identifying the version of targeted CREST services.
*/
/**
* Used in context of a @Named annotation to identify the String identifying the version of targeted CREST services.
*/
public static final String CREST_VERSION_SOAP_STS_PUBLISH_SERVICE = "crest_version_soap_sts_publish_service";
/**
* Used in context of a @Named annotation to identify the String identifying the version of targeted CREST services.
*/
public static final String CREST_VERSION_AGENTS_PROFILE_SERVICE = "crest_version_agents_profile_service";
/**
* Used in context of a @Named annotation to specify the Set of TokenTypes for which token validators are plugged-into
*/
/**
* For soap-sts instance which support token delegation (ActAs/OnBehalfOf elements), users have the option to publish
* a soap-sts instance which specifies custom implementations of org.apache.cxf.sts.token.delegation.TokenDelegationHandler.
* If only such implementations are specified to validate the delegated token, this handler has to set
* the OpenAM session id corresponding to this delegated token in the additionalProperties map in the
* org.apache.cxf.sts.token.delegation.TokenDelegationResponse keyed by the string below. If this is not done,
* the token issue operation will fail, as the principal asserted by the token generation service is based upon the
* OpenAM session passed in the TGS invocation.
*/
public static final String CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID = "custom_delegation_handler_am_session_id";
/**
* For soap-sts instance which support token delegation (ActAs/OnBehalfOf elements), users have the option to publish
* a soap-sts instance which specifies custom implementations of org.apache.cxf.sts.token.delegation.TokenDelegationHandler.
* If only such implementations are specified to validate the delegated token, this handler has to set
* the OpenAM session id corresponding to this delegated token in the additionalProperties map in the
* org.apache.cxf.sts.token.delegation.TokenDelegationResponse. In addition, the custom TokenDelegationHandlers can
* determine whether the interim OpenAM session, generated by the validation of the delegated token type, should be
* invalidated following the generation of the to-be-issued token. By default, this interim OpenAM session will be
* invalidated, to prevent the in-memory session table from growing (for stateless sessions). If the custom TokenDelegationHandler
* wishes to over-ride this default behavior, they can set a Boolean corresponding to the key below in the additionalProperties
* in the TokenDelegationResponse.
*/
public static final String CUSTOM_DELEGATION_HANDLER_INVALIDATE_AM_SESSION = "custom_delegation_handler_invalidate_am_session";
}