Use of org.forgerock.openam.sts.soap.config.user.TokenValidationConfig in project OpenAM by OpenRock: the class SoapSTSInstanceModule, method processSecurityPolicyTokenValidatorConfiguration.
    /*
     This method plugs in the set of TokenValidators for the SupportingTokens specified in the SecurityPolicy bindings
     defined for this sts instance. These configurations are achieved by plugging in object instances corresponding to
     specific keys in the webServiceProperties map.
     Note that the set of TokenValidators plugged in to handle the authN of the SupportingTokens defined in any SecurityPolicy
     bindings is determined by SoapSTSInstanceConfig#getSecurityPolicyValidatedTokenConfiguration. Note however that the
     cxf/wss4j support for plugging in custom assertions requires that the context validating the OpenAM session tokens
     be plugged in at the bus level, which happens globally for all soap-sts instances in a given realm. See
     SoapSTSLifecycleImpl#registerCustomPolicyInterceptors for details. This means that the OPENAM tokens are not
     handled in this method, as they are registered globally.
     */
    private void processSecurityPolicyTokenValidatorConfiguration(Map<String, Object> webServiceProperties,
                                                                  WSSValidatorFactory wssValidatorFactory,
                                                                  Logger logger) throws WSSecurityException {
        for (TokenValidationConfig tokenValidationConfig : stsInstanceConfig.getSecurityPolicyValidatedTokenConfiguration()) {
            TokenType tokenType = tokenValidationConfig.getValidatedTokenType();
            switch (tokenType) {
                case USERNAME:
                    // UsernameToken assertions are validated by the validator registered under this key.
                    webServiceProperties.put(SecurityConstants.USERNAME_TOKEN_VALIDATOR,
                            wssValidatorFactory.getValidator(TokenType.USERNAME,
                                    ValidationInvocationContext.SOAP_SECURITY_POLICY,
                                    tokenValidationConfig.invalidateInterimOpenAMSession()));
                    break;
                case X509:
                    // X509 certificates presented in signatures are validated by the validator registered under this key.
                    webServiceProperties.put(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR,
                            wssValidatorFactory.getValidator(TokenType.X509,
                                    ValidationInvocationContext.SOAP_SECURITY_POLICY,
                                    tokenValidationConfig.invalidateInterimOpenAMSession()));
                    break;
                case OPENAM:
                    // OPENAM session tokens are handled by the PolicyInterceptors registered with the cxf bus.
                    break;
                default:
                    // Fail closed: an unknown token type must not leave the instance without a validator.
                    String message = "Unexpected TokenType in processSecurityPolicyTokenValidatorConfiguration: " + tokenType;
                    logger.error(message);
                    throw new WSSecurityException(message);
            }
        }
        /*
         By default, if the sts did not specify an X509 token in the ValidatedTokenConfiguration, the
         org.apache.ws.security.validate.SignatureTrustValidator will be the default SecurityConstants.SIGNATURE_TOKEN_VALIDATOR
         Validator instance. If the user does specify x509 tokens as part of the ValidatedTokenConfiguration, the
         SoapCertificateTokenValidator will be plugged in as the SecurityConstants.SIGNATURE_TOKEN_VALIDATOR (in the X509 case above).
         Note that this class extends the SignatureTrustValidator. It is not clear whether symmetric and asymmetric binding
         enforcement requires the SignatureTrustValidator. TODO - investigate and determine.
         See comments in the SoapCertificateTokenValidator for details.
         */
    }