com.sun.identity.liberty.ws.security
Interface SecurityTokenProvider


public interface SecurityTokenProvider

SecurityTokenProvider is a provider interface for managing WSS security tokens.


Method Summary
 SecurityAssertion getSAMLAuthenticationToken(NameIdentifier senderIdentity)
          Creates a SAML Assertion for message authentication.
 SecurityAssertion getSAMLAuthorizationToken(NameIdentifier senderIdentity, SessionContext invocatorSession, EncryptedResourceID encResourceID, boolean includeAuthN, boolean includeResourceAccessStatement, String recipientProviderID)
          Creates a SAML Assertion for message authorization; the assertion can optionally contain an AuthenticationStatement, which will be used for message authentication.
 SecurityAssertion getSAMLAuthorizationToken(NameIdentifier senderIdentity, SessionContext invocatorSession, String resourceID, boolean includeAuthN, boolean includeResourceAccessStatement, String recipientProviderID)
          Creates a SAML Assertion for message authorization; the assertion can optionally contain an AuthenticationStatement, which will be used for message authentication.
 SecurityAssertion getSAMLBearerToken(NameIdentifier senderIdentity, SessionContext invocatorSession, EncryptedResourceID encResourceID, boolean includeAuthN, boolean includeResourceAccessStatement, String recipientProviderID)
          Creates a SAML assertion.
 SecurityAssertion getSAMLBearerToken(NameIdentifier senderIdentity, SessionContext invocatorSession, String resourceID, boolean includeAuthN, boolean includeResourceAccessStatement, String recipientProviderID)
          Creates a SAML assertion.
 BinarySecurityToken getX509CertificateToken()
          Gets the X509 certificate Token.
 void initialize(Object credential, XMLSignatureManager sigManager)
          Initializes the SecurityTokenProvider.
 void setCertAlias(String certAlias)
          Sets the alias of the certificate used for issuing WSS tokens, i.e. WSS X509 Token, WSS SAML Token.
 void setCertificate(X509Certificate cert)
          Sets the certificate used for issuing WSS tokens, i.e. WSS X509 Token, WSS SAML Token.
 

Method Detail

initialize

void initialize(Object credential,
                XMLSignatureManager sigManager)
                throws SecurityTokenException
Initializes the SecurityTokenProvider.

Parameters:
credential - The credential of the caller used to see if access to this security token provider is allowed.
sigManager - instance of XML digital signature manager class, used for accessing the certificate data store and digital signing of the assertion.
Throws:
SecurityTokenException - if the caller does not have privilege to access the security authority manager.

setCertAlias

void setCertAlias(String certAlias)
                  throws SecurityTokenException
Sets the alias of the certificate used for issuing WSS tokens, i.e. WSS X509 Token, WSS SAML Token. If the certAlias is never set, a default certificate is used for issuing WSS tokens.

Parameters:
certAlias - String alias name for the certificate
Throws:
SecurityTokenException - if certificate for the certAlias could not be found in key store.

setCertificate

void setCertificate(X509Certificate cert)
                    throws SecurityTokenException
Sets the certificate used for issuing WSS tokens, i.e. WSS X509 Token, WSS SAML Token. If the certificate is never set, a default certificate is used for issuing WSS tokens.

Parameters:
cert - X509Certificate object.
Throws:
SecurityTokenException - if the certificate could not be set.

getX509CertificateToken

BinarySecurityToken getX509CertificateToken()
                                            throws SecurityTokenException
Gets the X509 certificate Token.

Returns:
X509 certificate Token.
Throws:
SecurityTokenException - if the token could not be obtained.

getSAMLAuthenticationToken

SecurityAssertion getSAMLAuthenticationToken(NameIdentifier senderIdentity)
                                             throws SecurityTokenException,
                                                    SAMLException
Creates a SAML Assertion for message authentication.

Parameters:
senderIdentity - name identifier of the sender.
Returns:
Assertion which contains an AuthenticationStatement.
Throws:
SecurityTokenException - if the assertion could not be obtained.
SAMLException

getSAMLAuthorizationToken

SecurityAssertion getSAMLAuthorizationToken(NameIdentifier senderIdentity,
                                            SessionContext invocatorSession,
                                            String resourceID,
                                            boolean includeAuthN,
                                            boolean includeResourceAccessStatement,
                                            String recipientProviderID)
                                            throws SecurityTokenException,
                                                   SAMLException
Creates a SAML Assertion for message authorization; the assertion can optionally contain an AuthenticationStatement, which will be used for message authentication.

Parameters:
senderIdentity - name identifier of the sender.
invocatorSession - SessionContext of the invocation identity. It is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthenResponse.
resourceID - id for the resource to be accessed.
includeAuthN - if true, an AuthenticationStatement is included in the Assertion and used for message authentication; if false, no AuthenticationStatement is included.
includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive). If false, a SessionContextStatement is included in the Assertion (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and AuthenticationSessionContext directives need to be handled, pass true, since the SessionContext is always included in the ResourceAccessStatement.
recipientProviderID - recipient's provider ID.
Returns:
SecurityAssertion object.
Throws:
SecurityTokenException - if the assertion could not be obtained
SAMLException
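As an added example (not code from this API page or from the OpenSSO/OpenAM project), the following helper turns the directive handling described for includeResourceAccessStatement into code and requests the authorization assertion from an already initialized provider. The class name and the import package paths are assumptions; the same flag logic applies to the getSAMLBearerToken variants.

```java
import java.util.Set;

// Package paths below are assumed from the OpenSSO source layout, not stated on this page.
import com.sun.identity.liberty.ws.security.SecurityAssertion;
import com.sun.identity.liberty.ws.security.SecurityTokenException;
import com.sun.identity.liberty.ws.security.SecurityTokenProvider;
import com.sun.identity.liberty.ws.security.SessionContext;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.common.SAMLException;

// Added example helper (hypothetical class, not part of the API documented here).
public final class AuthorizationTokenRequest {

    // Directive names as used in the parameter documentation above.
    public static final String AUTHORIZE_REQUESTER = "AuthorizeRequester";
    public static final String AUTHENTICATION_SESSION_CONTEXT = "AuthenticationSessionContext";

    private AuthorizationTokenRequest() {}

    // Derives includeResourceAccessStatement from the requested directives:
    // AuthorizeRequester present -> true (the ResourceAccessStatement always carries
    // the SessionContext, so it also satisfies AuthenticationSessionContext);
    // only AuthenticationSessionContext -> false (a SessionContextStatement is used).
    public static boolean includeResourceAccessStatement(Set<String> directives) {
        if (directives.contains(AUTHORIZE_REQUESTER)) {
            return true;
        }
        if (directives.contains(AUTHENTICATION_SESSION_CONTEXT)) {
            return false;
        }
        throw new IllegalArgumentException("no supported authorization directive in " + directives);
    }

    // Requests the authorization assertion from a provider on which initialize(...) has run.
    // messageAuthn=true embeds an AuthenticationStatement so the one assertion also
    // authenticates the message, instead of a separate getSAMLAuthenticationToken call.
    public static SecurityAssertion request(SecurityTokenProvider provider, NameIdentifier sender,
            SessionContext invocatorSession, String resourceID, Set<String> directives,
            boolean messageAuthn, String recipientProviderID)
            throws SecurityTokenException, SAMLException {
        if (sender == null || resourceID == null || recipientProviderID == null) {
            throw new IllegalArgumentException("sender, resourceID and recipientProviderID are required");
        }
        return provider.getSAMLAuthorizationToken(sender, invocatorSession, resourceID,
                messageAuthn, includeResourceAccessStatement(directives), recipientProviderID);
    }
}
```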

getSAMLAuthorizationToken

SecurityAssertion getSAMLAuthorizationToken(NameIdentifier senderIdentity,
                                            SessionContext invocatorSession,
                                            EncryptedResourceID encResourceID,
                                            boolean includeAuthN,
                                            boolean includeResourceAccessStatement,
                                            String recipientProviderID)
                                            throws SecurityTokenException
Creates a SAML Assertion for message authorization; the assertion can optionally contain an AuthenticationStatement, which will be used for message authentication.

Parameters:
senderIdentity - name identifier of the sender.
invocatorSession - SessionContext of the invocation identity. It is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthenResponse.
encResourceID - Encrypted ID for the resource to be accessed.
includeAuthN - if true, an AuthenticationStatement is included in the Assertion and used for message authentication; if false, no AuthenticationStatement is included.
includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive). If false, a SessionContextStatement is included in the Assertion (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and AuthenticationSessionContext directives need to be handled, pass true, since the SessionContext is always included in the ResourceAccessStatement.
recipientProviderID - recipient's provider ID.
Returns:
SecurityAssertion object.
Throws:
SecurityTokenException - if the assertion could not be obtained

getSAMLBearerToken

SecurityAssertion getSAMLBearerToken(NameIdentifier senderIdentity,
                                     SessionContext invocatorSession,
                                     String resourceID,
                                     boolean includeAuthN,
                                     boolean includeResourceAccessStatement,
                                     String recipientProviderID)
                                     throws SecurityTokenException,
                                            SAMLException
Creates a SAML assertion. The confirmationMethod will be set to urn:oasis:names:tc:SAML:1.0:cm:bearer.

Parameters:
senderIdentity - name identifier of the sender.
invocatorSession - SessionContext of the invocation identity. It is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthenResponse.
resourceID - id for the resource to be accessed.
includeAuthN - if true, an AuthenticationStatement is included in the Assertion and used for message authentication; if false, no AuthenticationStatement is included.
includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive). If false, a SessionContextStatement is included in the Assertion (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and AuthenticationSessionContext directives need to be handled, pass true, since the SessionContext is always included in the ResourceAccessStatement.
recipientProviderID - recipient's provider ID.
Returns:
SecurityAssertion object.
Throws:
SecurityTokenException - if the assertion could not be obtained
SAMLException - if the assertion could not be obtained

getSAMLBearerToken

SecurityAssertion getSAMLBearerToken(NameIdentifier senderIdentity,
                                     SessionContext invocatorSession,
                                     EncryptedResourceID encResourceID,
                                     boolean includeAuthN,
                                     boolean includeResourceAccessStatement,
                                     String recipientProviderID)
                                     throws SecurityTokenException
Creates a SAML assertion. The confirmationMethod will be set to urn:oasis:names:tc:SAML:1.0:cm:bearer.

Parameters:
senderIdentity - name identifier of the sender.
invocatorSession - SessionContext of the invocation identity. It is normally obtained through the credential reference in the SAML AttributeDesignator of the discovery resource offering, which is part of the Liberty ID-FF AuthenResponse.
encResourceID - Encrypted ID for the resource to be accessed.
includeAuthN - if true, an AuthenticationStatement is included in the Assertion and used for message authentication; if false, no AuthenticationStatement is included.
includeResourceAccessStatement - if true, a ResourceAccessStatement is included in the Assertion (for the AuthorizeRequester directive). If false, a SessionContextStatement is included in the Assertion (for the AuthenticationSessionContext directive). When both the AuthorizeRequester and AuthenticationSessionContext directives need to be handled, pass true, since the SessionContext is always included in the ResourceAccessStatement.
recipientProviderID - recipient's provider ID.
Returns:
SecurityAssertion object.
Throws:
SecurityTokenException - if the assertion could not be obtained