test

Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Chapter 11 Application Programming Interfaces

Sun Java System Access Manager provides a framework for identity federation and creating, discovering, and consuming identity web services. This framework includes a graphical user interface for Liberty-based web services as well as application programming interfaces (APIs). This chapter provides information on the APIs that do not have a corresponding graphical user interface (GUI).

This chapter covers the following topics:

Public Interfaces

The following list describes the public APIs you can use to deploy Liberty-enabled components or extend the core services. Packages that are part of a web service that has a GUI are described in the corresponding chapters of this book. Packages that are used solely on the back end are described in this chapter. Links to those sections are also provided. For more information, including methods and their syntax and parameters, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

Table 11–1 Access Manager Public APIs

Package Name 

Description 

com.sun.identity.federation.plugins

Provides interfaces which can be implemented to allow applications to customize their actions before and after invoking the federation protocols. See Chapter 3, Federation.

com.sun.identity.federation.services

Provides interfaces for writing custom plug-ins that can be used during the federation or single sign-on process. See Chapter 3, Federation.

com.sun.identity.liberty.ws.authnsvc

Provides classes to manage the Authentication Web Service. See Chapter 6, Authentication Web Service.

com.sun.identity.liberty.ws.authnsvc.mechanism

Provides an interface to process incoming Simple Authentication and Security Layer (SASL) requests and generate SASL responses for the different SASL mechanisms. See Chapter 6, Authentication Web Service.

com.sun.identity.liberty.ws.authnsvc.protocol

Provides classes to manage the Authentication Web Service protocol. See Chapter 6, Authentication Web Service.

com.sun.identity.liberty.ws.common

Defines common classes used by many of the Access Manager Liberty-based web service components. See Common Service Interfaces.

com.sun.identity.liberty.ws.common.wsse

Provides an interface to parse and create an X.509 Certificate Token Profile. See Common Service Interfaces.

com.sun.identity.liberty.ws.disco

Provides interfaces to manage the Discovery Service. See Chapter 8, Discovery Service.

com.sun.identity.liberty.ws.disco.plugins

Provides a plug-in interface for the Discovery Service. See Chapter 8, Discovery Service.

com.sun.identity.liberty.ws.dst

Provides classes to implement an identity service on top of the Access Manager framework. See Chapter 7, Data Services for information about a service built using this API.

com.sun.identity.liberty.ws.dst.service

Provides a handler class that can be used by any generic identity data service. See Chapter 7, Data Services for information on data services.

com.sun.identity.liberty.ws.idpp.plugin

Defines plug-in interfaces for the Liberty Personal Profile Service. 

com.sun.identity.liberty.ws.interaction

Provides classes to support the Liberty-based Interaction RequestRedirect Profile. See Interaction Service.

com.sun.identity.liberty.ws.interfaces

Provides interfaces common to all Access Manager Liberty-based web service components. See Chapter 7, Data Services and Chapter 8, Discovery Service for information about default implementations. See Common Service Interfaces for more general information.

com.sun.identity.liberty.ws.paos

Provides classes for web applications to construct and process PAOS requests and responses. See PAOS Binding.

com.sun.identity.liberty.ws.security

Provides an interface to manage Liberty-based web service security mechanisms. See Common Security API.

com.sun.identity.liberty.ws.soapbinding

Provides classes to construct SOAP requests and responses and to change the contact point for the SOAP binding. See Chapter 9, SOAP Binding Service.

com.sun.identity.saml

Provides an SPI in which proprietary XML signature implementations can be plugged in. See Chapter 10, SAML Administration.

com.sun.identity.saml.assertion

Provides classes that manage assertions and profiles. See Chapter 10, SAML Administration.

com.sun.identity.saml.common

Provides classes common to all SAML elements. See Chapter 10, SAML Administration.

com.sun.identity.saml.plugins

Provides SPIs to integrate SAML into custom services. See Chapter 10, SAML Administration.

com.sun.identity.saml.protocol

Provides classes that parse the XML messages used to exchange assertions and information. See Chapter 10, SAML Administration.

com.sun.identity.saml.xmlsig

Provides an SPI in which proprietary XML signature implementations can be plugged in. See Chapter 10, SAML Administration.

com.sun.liberty

Provides interfaces common to the Access Manager Federation Management module. See Chapter 3, Federation.

Common Service Interfaces

This section summarizes classes that can be used by all Liberty-based Access Manager service components, as well as interfaces common to all Liberty-based Access Manager services. The packages that contain the classes and interfaces are:

com.sun.identity.liberty.ws.common Package

This package includes classes common to all Liberty-based Access Manager service components.

Table 11–2 com.sun.identity.liberty.ws.common Classes

Class 

Description 

LogUtil

Defines methods that are used by the Liberty component of Access Manager to write logs. 

Status

Represents a common status object. 

For more information, including methods and their syntax and parameters, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

com.sun.identity.liberty.ws.interfaces Package

This package includes interfaces that can be implemented to add their corresponding functionality to each Liberty-based Access Manager web service.

Table 11–3 com.sun.identity.liberty.ws.interfaces Interfaces

Interface 

Description 

Authorizer

Interface for identity service to check authorization of a WSC. 

ResourceIDMapper

Interface used to map between a user ID and the Resource ID associated with it. 

ServiceInstanceUpdate

Interface used to include a SOAP header (ServiceInstanceUpdateHeader) when sending a SOAP response.

com.sun.identity.liberty.ws.interfaces.Authorizer Interface

This interface, once implemented, can be used by each Liberty-based web service component for access control.

Note –

The com.sun.identity.liberty.ws.disco.plugins.DefaultDiscoAuthorizer class is the implementation of this interface for the Discovery Service. For more information, see Chapter 8, Discovery Service. The com.sun.identity.liberty.ws.idpp.plugin.IDPPAuthorizer class is the implementation for the Liberty Personal Profile Service. For more information, see Chapter 7, Data Services.

The Authorizer interface enables a web service to check whether a web service consumer (WSC) is allowed to access the requested resource. When a WSC contacts a web service provider (WSP), the WSC conveys a sender identity and an invocation identity. Note that the invocation identity is always the subject of the SAML assertion. These conveyances enable the WSP to make an authorization decision based on one or both identities. The Access Manager Policy Service performs the authorization based on defined policies.

Note –

See the Sun Java System Access Manager 7.1 Technical Overview for more information about policy management, single sign-on, and user sessions. See the Sun Java System Access Manager 7.1 Administration Guide for information about creating policy.

com.sun.identity.liberty.ws.interfaces.ResourceIDMapper Interface

This interface is used to map a user DN to the resource identifier associated with it. Access Manager provides implementations of this interface.

A different implementation of the interface may be developed. The implementation class should be given to the provider that hosts the Discovery Service. The mapping between the providerID and the implementation class can be configured through the Classes For ResourceIDMapper Plugin attribute.

Common Security API

The Liberty-based security APIs are included in the com.sun.identity.liberty.ws.security package and the com.sun.identity.liberty.ws.common.wsse package.

com.sun.identity.liberty.ws.security Package

The com.sun.identity.liberty.ws.security package includes the SecurityTokenProvider interface for managing Web Service Security (WSS) type tokens and the SecurityAttributePlugin interface for inserting security attributes, via an AttributeStatement, into the assertion during the Discovery Service token generation. The following table describes the classes used to manage Liberty-based security mechanisms.

Table 11–4 com.sun.identity.liberty.ws.security Classes

Class 

Description 

ProxySubject

Represents the identity of a proxy, the confirmation key, and confirmation obligation the proxy must possess and demonstrate for authentication purposes. 

ResourceAccessStatement

Conveys information regarding the accessing entities and the resource for which access is being attempted. 

SecurityAssertion

Provides an extension to the Assertion class to support ID-WSF ResourceAccessStatement and SessionContextStatement.

SecurityTokenManager

An entry class for the security package com.sun.identity.liberty.ws.security. You can call its methods to generate X.509 and SAML tokens for message authentication or authorization. It is designed as a provider model, so different implementations can be plugged in if the default implementation does not meet your requirements.

SecurityUtils

Defines methods that are used to get certificates and sign messages. 

SessionContext

Represents the session status of an entity to another system entity. 

SessionContextStatement

Conveys the session status of an entity to another system entity within the body of an <saml:assertion> element.

SessionSubject

Represents a Liberty subject with its associated session status. 

For more information, including methods and their syntax and parameters, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

com.sun.identity.liberty.ws.common.wsse Package

This package includes classes for creating security tokens used for authentication and authorization in accordance with the Liberty ID-WSF Security Mechanisms. Both WSS X.509 and SAML tokens are supported.

Table 11–5 com.sun.identity.liberty.ws.common.wsse Classes

Class 

Description 

BinarySecurityToken

Provides an interface to parse and create the X.509 Security Token depicted by Web Service Security: X.509 

WSSEConstants

Defines constants used in security packages. 

For more information, including methods and their syntax and parameters, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

Interaction Service

Providers of identity services often need to interact with the owner of a resource to get additional information, or to get their consent to expose data. The Liberty Alliance Project has defined the Liberty ID-WSF Interaction Service Specification to specify how these interactions can be carried out. Of the options defined in the specification, Access Manager has implemented the Interaction RequestRedirect Profile. In this profile, the WSP requests the connecting WSC to redirect the user agent (principal) to an interaction resource (URL) at the WSP. When the user agent sends an HTTP request to get the URL, the WSP has the opportunity to present one or more pages to the principal with questions for other information. After the WSP obtains the information it needs to serve the WSC, it redirects the user agent back to the WSC, which can now reissue its original request to the WSP.

Configuring the Interaction Service

While there is no XML service file for the Interaction Service, this service does have properties. The properties are configured upon installation in the AMConfig.properties file located in /AccessManager-base/SUNWam/lib and are described in the following table.

Table 11–6 Interaction Service Properties in AMConfig.properties

Property 

Description 

com.sun.identity.liberty.interaction.wspRedirectHandler

Points to the URL where the WSPRedirectHandler servlet is deployed. The servlet handles the service provider side of interactions for user redirects.

com.sun.identity.liberty.interaction.wscSpecifiedInteractionChoice

Indicates the level of interaction in which the WSC will participate if the WSC participates in user redirects. Possible values include interactIfNeeded, doNotInteract, and doNotInteractForData. The affirmative interactIfNeeded is the default.

com.sun.identity.liberty.interaction.wscWillIncludeUserInteractionHeader

Indicates whether the WSC will include a SOAP header to indicate certain preferences for interaction based on the Liberty specifications. The default value is yes.

com.sun.identity.liberty.interaction.wscWillRedirect

Indicates whether the WSC will participate in user redirections. The default value is yes.

com.sun.identity.liberty.interaction.wscSpecifiedMaxInteractionTime

Indicates the maximum length of time (in seconds) the WSC is willing to wait for the WSP to complete its portion of the interaction. The WSP will not initiate an interaction if the interaction is likely to take more time than . For example, the WSP receives a request where this property is set to a maximum 30 seconds. If the WSP property com.sun.identity.liberty.interaction.wspRedirectTime is set to 40 seconds, the WSP returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.

com.sun.identity.liberty.interaction.wscWillEnforceHttpsCheck

Indicates whether the WSC will enforce HTTPS in redirected URLs. The Liberty Alliance Project specifications state that, the value of this property is always yes, which indicates that the WSP will not redirect the user when the value of redirectURL (specified by the WSP) is not an HTTPS URL. The false value is primarily meant for ease of deployment in a phased manner.

com.sun.identity.liberty.interaction.wspWillRedirect

Initiates an interaction to get user consent for something or to collect additional data. This property indicates whether the WSP will redirect the user for consent. The default value is yes.

com.sun.identity.liberty.interaction.wspWillRedirectForData

Initiates an interaction to get user consent for something or to collect additional data. This property indicates whether the WSP will redirect the user to collect additional data. The default value is yes.

com.sun.identity.liberty.interaction.wspRedirectTime

Indicates the length of time (in seconds) that the WSP expects to take to complete an interaction and return control back to the WSC. For example, the WSP receives a request indicating that the WSC will wait a maximum 30 seconds (set in com.sun.identity.liberty.interaction.wscSpecifiedMaxInteractionTime) for interaction. If the wspRedirectTime is set to 40 seconds, the WSP returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.

com.sun.identity.liberty.interaction.wspWillEnforceHttpsCheck

Indicates whether the WSP will enforce a HTTPS returnToURL specified by the WSC. The Liberty Alliance Project specifications state that the value of this property is always yes. The false value is primarily meant for ease of deployment in a phased manner.

com.sun.identity.liberty.interaction.wspWillEnforceReturnToHostEqualsRequestHost

Indicates whether the WSP would enforce the address values of returnToHost and requestHost if they are the same. The Liberty Alliance Project specifications state that the value of this property is always yes. The false value is primarily meant for ease of deployment in a phased manner.

com.sun.identity.liberty.interaction.htmlStyleSheetLocation

Points to the location of the style sheet that is used to render the interaction page in HTML. 

com.sun.identity.liberty.interaction.wmlStyleSheetLocation

Points to the location of the style sheet that is used to render the interaction page in WML. 

Interaction Service API

The Access Manager Interaction Service includes a Java package named com.sun.identity.liberty.ws.interaction. WSCs and WSPs use the classes in this package to interact with a resource owner. The following table describes the classes.

Table 11–7 Interaction Service Classes

Class 

Description 

InteractionManager

Provides the interface and implementation for resource owner interaction. 

InteractionUtils

Provides some utility methods related to resource owner interaction. 

JAXBObjectFactory

Contains factory methods that enable you to construct new instances of the Java representation for XML content. 

For more information, including methods and their syntax and parameters, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

PAOS Binding

Access Manager has implemented the optional Liberty Reverse HTTP Binding for SOAP Specification. This specification defines a message exchange protocol that permits an HTTP client to be a SOAP responder. HTTP clients are no longer necessarily equipped with HTTP servers. For example, mobile terminals and personal computers contain web browsers yet they do not operate HTTP servers. These clients, though, can use their browsers to interact with an identity service, possibly a personal profile service or a calendar service. These identity services could also be beneficial when the client devices interact with an HTTP server. The use of PAOS makes it possible to exchange information between user agent-hosted services and remote servers. This is why the reverse HTTP for SOAP binding is also known as PAOS; the spelling of SOAP is reversed.

Comparison of PAOS and SOAP

In a typical SOAP binding, an HTTP client interacts with an identity service through a client request and a server response. For example, a cell phone user (client) can contact the phone service provider (service) to retrieve stock quotes and weather information. The service verifies the user’s identity and responds with the requested information.

In a reverse HTTP for SOAP binding, the phone service provider plays the client role, and the cell phone client plays the server role. The initial SOAP request from the server is actually bound to an HTTP response. The subsequent response from the client is bound to a request.

PAOS Binding API

The Access Manager implementation of PAOS binding includes a Java package named com.sun.identity.liberty.ws.paos. This package provides classes to parse a PAOS header, make a PAOS request, and receive a PAOS response.

Note –

This API is used by PAOS clients on the HTTP server side. An API for PAOS servers on the HTTP client side would be developed by the manufacturers of the HTTP client side products, for example, cell phone manufacturers.

The following table describes the available classes in com.sun.identity.liberty.ws.paos. For more detailed API documentation, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

Table 11–8 PAOS Binding Classes

Class 

Description 

PAOSHeader

Used by a web application on the HTTP server side to parse a PAOS header in an HTTP request from the user agent side. 

PAOSRequest

Used by a web application on the HTTP server side to construct a PAOS request message and send it via an HTTP response to the user agent side. 

Note –

PAOSRequest is made available in PAOSResponse to provide correlation, if needed, by API users.

PAOSResponse

Used by a web application on the HTTP server side to receive and parse a PAOS response using an HTTP request from the user agent side. 

PAOSException

Represents an error occurring while processing a SOAP request and response. 

For more information, including methods and their syntax and parameters, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

PAOS Binding Sample

A sample that demonstrates PAOS service interaction between an HTTP client and server is provided in the /AccessManager-base/SUNWam/samples/phase2/paos directory. The PAOS client is a servlet, and the PAOS server is a stand-alone Java program. Instructions on how to run the sample can be found in the Readme.html or Readme.txt file. Both files are included in the paos directory. The following code example is the PAOS client servlet.

Example 11–1 PAOS Client Servlet From PAOS Sample


import java.util.*;
import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;

import com.sun.identity.liberty.ws.paos.*;

import com.sun.identity.liberty.ws.idpp.jaxb.*;

public class PAOSClientServlet extends HttpServlet {

  public void doGet(HttpServletRequest req, HttpServletResponse res)
    throws ServletException, IOException {

      PAOSHeader paosHeader = null;
      try {
    paosHeader = new PAOSHeader(req);
      } catch (PAOSException pe1) {
    pe1.printStackTrace();

    String msg = "No PAOS header\\n";
    res.setContentType("text/plain");
    res.setContentLength(1+msg.length());
    PrintWriter out = new PrintWriter(res.getOutputStream());
    out.println(msg);
    out.close();

    throw new ServletException(pe1.getMessage());
      }

      HashMap servicesAndOptions = paosHeader.getServicesAndOptions();

      Set services = servicesAndOptions.keySet();

      String thisURL = req.getRequestURL().toString();
      String[] queryItems = { "/IDPP/Demographics/Birthday" };
      PAOSRequest paosReq = null;
      try {
    paosReq = new PAOSRequest(thisURL,
                  (String)(services.iterator().next()),
                  thisURL,
                  queryItems);
      } catch (PAOSException pe2) {
    pe2.printStackTrace();
    throw new ServletException(pe2.getMessage());
      }
      System.out.println("PAOS request to User Agent side --------------->");
      System.out.println(paosReq.toString());
      paosReq.send(res, true);
  }

  public void doPost(HttpServletRequest req, HttpServletResponse res)
    throws ServletException, IOException {

      PAOSResponse paosRes = null;
      try {
    paosRes = new PAOSResponse(req);
      } catch (PAOSException pe) {
    pe.printStackTrace();
    throw new ServletException(pe.getMessage());
      }

      System.out.println("PAOS response from User Agent side -------------->");
      System.out.println(paosRes.toString());

      System.out.println("Data output after parsing -------------->");

      String dataStr = null;
      try {
    dataStr = paosRes.getPPResponseStr();
      } catch (PAOSException paose) {
    paose.printStackTrace();
    throw new ServletException(paose.getMessage());
      }
      System.out.println(dataStr);

      String msg = "Got the data: \\n" + dataStr;

      res.setContentType("text/plain");
      res.setContentLength(1+msg.length());

      PrintWriter out = new PrintWriter(res.getOutputStream());

      out.println(msg);

      out.close();
  }
}

See Appendix A, Liberty-based and SAML Samples for information about all the sample code and files included with Access Manager.