IBM WebSphere Application ServerTM Release 7 |
java.lang.Object
  com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory

public abstract class SAMLTokenFactory
This API is used to create SAML security tokens conforming to the SAML v1.1 and SAML v2.0 standards (both token versions are supported). Subject confirmation can be based on holder-of-key (symmetric or public key) or bearer. Users can create and validate tokens, or use them to authenticate the token holder.

The code snippets shown below demonstrate how to use this API to generate and validate SAML tokens as defined in OASIS Web Services Security: SAML Token Profile 1.1.

In the sample code, it is assumed that the ProviderConfig instance is created from a JVM system property, com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath, in a Java client environment. This JVM property specifies a properties file that contains the default values of the ProviderConfig object. In the Application Server runtime environment, the default values of the ProviderConfig object are defined by an SAMLIssuerConfig.properties file under the cell-level or server-level config directory.
```java
// Sample 1: SAML 1.1 holder-of-key token with a symmetric key, built from the RunAsSubject.
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);

// 1. Create RequesterConfig object.
RequesterConfig reqData = samlFactory.newSymmetricHolderOfKeyTokenGenerateConfig();
// Set the recipient's key alias, so the secret key can be encrypted for the recipient.
reqData.setKeyAliasForAppliesTo("SOAPRecipient");
// Set the authentication method that the requester was authenticated with. This is an optional parameter.
reqData.setAuthenticationMethod("Password");

// 2. Create CredentialConfig object.
// This step assumes that a SAMLToken exists in a RunAsSubject. You can use the WSSubject API to get the RunAsSubject.
// This method lets SAMLTokenFactory copy the SAMLToken's NameID or NameIdentifier and Attributes to the new SAMLToken.
// If there is no SAMLToken in the RunAsSubject, a new SAMLToken is created using the user security identity from
// the WSPrincipal object in the RunAsSubject.
Subject runAsSubject = WSSubject.getRunAsSubject(); // com.ibm.websphere.security.auth.WSSubject
CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);

// 3. Create ProviderConfig object, which specifies the key store for SAML signing and encryption, the expiration time, and the issuer logical name.
// Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath is set in a Java client environment,
// or that the default SAMLIssuerConfig.properties file is updated in the Application Server runtime environment.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server");

SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
```
```java
// Sample 2: SAML 2.0 bearer token built from the RunAsSubject, then serialized to XML.
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

// 1. Create RequesterConfig object.
RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();

// 2. Create CredentialConfig object.
// This step assumes that a SAMLToken exists in a RunAsSubject, which you obtain first.
// This method call lets SAMLTokenFactory copy the existing SAML NameID and attributes in the RunAsSubject to the new SAMLToken.
// If there is no SAMLToken in the RunAsSubject, a new SAMLToken is created using the user security identity from
// the WSPrincipal object in the RunAsSubject.
Subject runAsSubject = WSSubject.getRunAsSubject(); // com.ibm.websphere.security.auth.WSSubject
CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);

// 3. Create ProviderConfig object, which specifies the key store for SAML signing and encryption, the expiration time, and the issuer logical name.
// Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath is set in a Java client environment,
// or that the default SAMLIssuerConfig.properties is updated in the Application Server runtime environment.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server");

SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);

// Get the SAML assertion in XML form (Axiom OMElement).
OMElement samlXML = ((OMStructure) samlToken.getXML()).getNode();
```
```java
// Sample 3: SAML 2.0 bearer token with an explicitly populated NameID and attribute statement.
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

// 1. Create RequesterConfig object.
RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
// Set the authentication method that the requester was authenticated with. This is an optional parameter.
reqData.setAuthenticationMethod("Password");

// 2. Create CredentialConfig object, which contains the NameID and Attributes assertion.
CredentialConfig cred = samlFactory.newCredentialConfig();

// Create a SAMLNameID object for SAMLTokenFactory to generate the NameID or NameIdentifier assertion.
SAMLNameID samlNameId = new SAMLNameID("alice@websphere", "urn:oasis:names:tc:SAML:1.0:assertion#emailAddress", null, null, null);
cred.setSAMLNameID(samlNameId);

// Create SAMLAttribute objects for SAMLTokenFactory to generate the Attribute assertion.
SAMLAttribute sattribute = new SAMLAttribute("Address", new String[] {"Austin, Texas"}, null, "IBM WebSphere namespace", null, null);
ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
al.add(sattribute);
sattribute = new SAMLAttribute("Membership", new String[] {"Blue team", "Green Team"}, null, null, null, null);
al.add(sattribute);
cred.setSAMLAttributes(al);

// 3. Create ProviderConfig object, which specifies the key store for SAML signing and encryption, the expiration time, and the issuer logical name.
// Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath is set in a Java client environment,
// or that the default SAMLIssuerConfig.properties is updated in the Application Server runtime environment.
ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("WebSphere Self Issuer");

SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
```
```java
// Sample 4: validate and parse a received SAML 1.1 token.
SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);

// Create ConsumerConfig object for SAML validation and parsing.
ConsumerConfig samlConsumerCfg = samlFactory.newConsumerConfig();

// The following method calls are required if SAML tokens or embedded keys are encrypted.
KeyStoreConfig tsc = new KeyStoreConfigImpl("jceks", "recipient.jceks", "storepass", null);
samlConsumerCfg.setTrustStoreConfig(tsc);

// Use one of the following statements to create the SAMLToken.
SAMLToken samlTokenFromXML = samlFactory.newSAMLToken(samlConsumerCfg, samlXml);                 // samlXml is the SAML assertion as an XMLStructure.
SAMLToken samlTokenFromInputStream = samlFactory.newSAMLToken(samlConsumerCfg, samlInputStream); // samlInputStream is the SAML assertion as an InputStream.
```
Field Summary

| Modifier and Type | Field and Description |
|---|---|
| protected static java.security.SecurityPermission | GET_NEWCREDENTIALCONFIG_PERM |
| protected static java.security.SecurityPermission | GET_NEWSAMLTOKEN_PERM |
| protected static java.security.SecurityPermission | GET_NEWSUBJECT_PERM |
| static java.lang.String | WssSamlV11Token11 - This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory. |
| static java.lang.String | WssSamlV20Token11 - This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory. |
Constructor Summary

| Constructor and Description |
|---|
| SAMLTokenFactory() |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| static SAMLTokenFactory | getInstance(java.lang.String valueType) - Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0). |
| abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newAsymmetricHolderOfKeyTokenGenerateConfig() - Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. |
| abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newBearerTokenGenerateConfig() - Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain bearer type of subject confirmation. |
| abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig | newConsumerConfig() - Create an empty ConsumerConfig to validate, decrypt, and parse a SAML assertion. |
| abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig | newCredentialConfig() - Create a CredentialConfig that encapsulates two main attributes: a SAML Name Identifier for the requester, and a SAML list of attributes for the requester. |
| abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig | newCredentialConfig(javax.security.auth.Subject subject) - Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes. |
| abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig | newDefaultProviderConfig(java.lang.String stsUri) - Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer. |
| abstract SAMLToken | newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, java.io.InputStream in) - Create a SAMLToken object based on an InputStream for a SAML XML document. |
| abstract SAMLToken | newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, XMLStructure xml) - Create a SAMLToken object based on an existing SAML XML document. |
| abstract SAMLToken | newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) - Create a SAMLToken object based on the passed-in parameters, which include the CredentialConfig, the RequesterConfig and the ProviderConfig objects (see the methods above for content details). |
| abstract SAMLToken | newSAMLToken(javax.security.auth.Subject subject, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) - Create a SAMLToken object based on the passed-in parameters, which include a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details). |
| abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newSenderVouchesTokenGenerateConfig() - Create a RequesterConfig. |
| abstract javax.security.auth.Subject | newSubject(SAMLToken aSAMLToken) - Create a JAAS subject based on the SAMLToken object principal name, which is basically the NameId or NameIdentifier attribute in the SAML Assertion Specification. |
| abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig | newSymmetricHolderOfKeyTokenGenerateConfig() - Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
protected static final java.security.SecurityPermission GET_NEWCREDENTIALCONFIG_PERM
protected static final java.security.SecurityPermission GET_NEWSAMLTOKEN_PERM
protected static final java.security.SecurityPermission GET_NEWSUBJECT_PERM
public static final java.lang.String WssSamlV11Token11
This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.
public static final java.lang.String WssSamlV20Token11
This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.
Constructor Detail |
---|
public SAMLTokenFactory()
Method Detail |
---|
public static SAMLTokenFactory getInstance(java.lang.String valueType) throws WSSException
Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0).
Parameters:
valueType - a string that specifies the version level for the token. It can only have either of these values: WssSamlV11Token11 or WssSamlV20Token11.
Returns:
a SAMLTokenFactory implementation that supports the specified token type.
Throws:
WSSException - if there is no SAMLTokenFactory class that supports the specified token type.
See Also:
WSSException
public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newBearerTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain bearer type of subject confirmation. These attributes include:
Returns:
RequesterConfig object to build a Bearer confirmation SAML assertion.
See Also:
RequesterConfig
public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSenderVouchesTokenGenerateConfig()
Create a RequesterConfig.
Returns:
RequesterConfig object to build a SAML assertion that contains Sender-Vouches as a subject confirmation. The main attributes encapsulated by this object are:
See Also:
WSSException, RequesterConfig
public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. This object will contain holder-of-key type of subject confirmation using a secret key. It mainly contains these attributes:
Returns:
RequesterConfig object to build a Holder-of-Key SAML assertion with SymmetricKey KeyType.
See Also:
RequesterConfig
public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newAsymmetricHolderOfKeyTokenGenerateConfig()
Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. This object will contain holder-of-key type of subject confirmation using a public key. It mainly contains these attributes:
Returns:
RequesterConfig object to build a Holder-of-Key SAML assertion with AsymmetricKey KeyType.
See Also:
RequesterConfig
public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig(javax.security.auth.Subject subject) throws WSSException
Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes. This object is created in preparation for using the SAML token creation methods (see below).
This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newCredentialConfig") Java Security permission.
Parameters:
subject - containing the principal name and possibly attributes of the requester.
Returns:
CredentialConfig object that can be used to create a SAML assertion. The CredentialConfig is populated with the Name Identifier of the requester and possibly the SAML attributes that exist on the SAML token extracted from the Private Credential list of the subject. If subject is null, this method returns null.
Throws:
WSSException
See Also:
WSSException, CredentialConfig
public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig() throws WSSException
Create a CredentialConfig that encapsulates two main attributes: a SAML Name Identifier for the requester, and a SAML list of attributes for the requester.
Returns:
CredentialConfig object that can be used to populate the NameID and the attributes for a requester when creating a SAML token (see below).
Throws:
WSSException
See Also:
WSSException; the sample code in the class description above, for how to use the setter methods to populate the returned object.
public abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig newDefaultProviderConfig(java.lang.String stsUri) throws WSSException
Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer.
Parameters:
stsUri - a String that represents the SAML issuer in a SAML Assertion. In the case of WebSphere self-issued tokens, this parameter can take any value, e.g. WebSphereSelfIssuer.
Returns:
ProviderConfig that encapsulates the following attributes:
To change the configuration parameters for the provider in the WebSphere environment, edit $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/sts/SAMLIssuerConfig.properties at the cell level, or $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/nodes/$NODENAME/servers/$SERVERNAME/SAMLIssuerConfig.properties at the server level.
Throws:
WSSException
See Also:
WSSException
public abstract SAMLToken newSAMLToken(javax.security.auth.Subject subject, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) throws WSSException
Create a SAMLToken object based on the passed-in parameters, which include a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details).
This method copies the contents of the original SAML token, if one exists in the Subject, to the new SAML token: the NameId or NameIdentifier, the SAML Attributes, and the AuthenticationMethod are copied. The new SAML token's namespace, issuer, signing certificate, confirmation method and encryption key, timestamp, and lifetime are determined by the ProviderConfig and RequesterConfig parameters.
When the Subject does not contain an existing SAMLToken object, this method creates a new SAML token using the WSPrincipal name as the NameId or NameIdentifier. No other attribute is copied from the Subject to the new SAMLToken when there was no SAML token in the Subject parameter.
Use the newSAMLToken(CredentialConfig cred, RequesterConfig request, ProviderConfig providerConfig) method if you need to add SAML Attributes to the new SAMLToken.
This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.
Parameters:
subject - is mapped to the NameIdentifier and attributes in a SAML Assertion.
request - contains data that describes what kind of assertion should be created.
providerConfig - describes the issuer, such as the Signing KeyInfo and Encryption KeyInfo.
Returns:
SAMLToken, which can then be bound to a secure service request.
Throws:
WSSException - if the required key and certificate cannot be found, or upon other configuration problems.
See Also:
WSSException, ProviderConfig, RequesterConfig
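The following helper is an added example, not code from the IBM documentation or the WebSphere product. It exercises the Subject overload described above with an asymmetric holder-of-key RequesterConfig, a combination the class samples do not show: the token is signed by the issuer configured in SAMLIssuerConfig.properties, and the subject is bound to a public key, so possession of the assertion alone does not let a third party present it. The package of WSSException, the use of WSSubject.getRunAsSubject() to obtain the RunAsSubject, and the issuer name and authentication method values are assumptions or placeholders.

```java
import javax.security.auth.Subject;

import com.ibm.websphere.security.auth.WSSubject;          // assumed: WebSphere API that returns the RunAsSubject
import com.ibm.websphere.wssecurity.wssapi.WSSException;    // assumed package for WSSException
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;

/**
 * Issues a SAML 2.0 holder-of-key (public key) token for a JAAS Subject.
 * Added example; not IBM's code.
 */
public final class HolderOfKeyIssuer {

    /** Placeholder issuer name; any value is accepted for WebSphere self-issued tokens. */
    private static final String ISSUER_NAME = "WebSphereSelfIssuer";

    private HolderOfKeyIssuer() {
    }

    /**
     * Returns a signed holder-of-key token for the given Subject, or null when the Subject
     * is null (there is no identity to assert, so nothing is issued).
     * When Java 2 security is enabled the caller needs
     * SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken").
     */
    public static SAMLToken issueForSubject(Subject subject) throws WSSException {
        if (subject == null) {
            return null;
        }
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

        // Holder-of-key with an asymmetric key: the relying party requires proof of the matching
        // private key, so a leaked assertion cannot be replayed as a bearer token.
        RequesterConfig request = factory.newAsymmetricHolderOfKeyTokenGenerateConfig();
        request.setAuthenticationMethod("Password"); // optional; placeholder value

        // Signing key store, lifetime and issuer come from SAMLIssuerConfig.properties on the server,
        // or from the file named by the SAMLIssuerConfigDataPath system property in a thin client.
        ProviderConfig provider = factory.newDefaultProviderConfig(ISSUER_NAME);

        // If the Subject already carries a SAMLToken, its NameID, attributes and AuthenticationMethod
        // are copied; otherwise only the WSPrincipal name becomes the NameID and no attributes are added.
        return factory.newSAMLToken(subject, request, provider);
    }

    /** Convenience wrapper that issues a token for the current RunAsSubject. */
    public static SAMLToken issueForCaller() throws Exception {
        Subject runAs = WSSubject.getRunAsSubject(); // assumed API; throws a WebSphere security exception on failure
        return issueForSubject(runAs);
    }
}
```

If the caller needs attribute statements that are not already present in the Subject's SAMLToken, use the CredentialConfig overload instead, as the third class sample does; this overload never adds attributes beyond those it copies.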
public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig) throws WSSException
Create a SAMLToken object based on the passed-in parameters, which include the CredentialConfig, the RequesterConfig and the ProviderConfig objects (see the methods above for content details).
This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.
Parameters:
cred - contains the principal and attributes that will be included in the SAML Assertion.
request - contains data that describes what kind of assertion should be created.
providerConfig - describes the issuer, such as the Signing KeyInfo and Encryption KeyInfo.
Returns:
SAMLToken
Throws:
WSSException - if the specified SAMLToken class cannot be found, or the required key and certificate cannot be found, or upon other configuration problems.
See Also:
WSSException, ProviderConfig, RequesterConfig, CredentialConfig
public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, XMLStructure xml) throws WSSException
Create a SAMLToken object based on an existing SAML XML document.
This method can be used to validate the XML structure representing the SAML token.
Parameters:
consumer - contains key information associated with the recipient of the token. This information is used to verify and/or decrypt the SAML XML document.
xml - a SAML XML document.
Returns:
SAMLToken that can be used to initiate service requests.
Throws:
WSSException - if key and certificate information cannot be found, or upon other configuration problems.
See Also:
WSSException, ConsumerConfig
public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, java.io.InputStream in) throws WSSException
Create a SAMLToken object based on an InputStream for a SAML XML document.
This method may be used to validate the InputStream representing the SAML token.
Parameters:
consumer - contains key information associated with the recipient of the token. This information is used to verify and/or decrypt the SAML XML document.
in - an InputStream corresponding to a serialized SAML token. The programmer is responsible for closing the stream accordingly.
Returns:
SAMLToken that can be used to initiate service requests.
Throws:
WSSException - if key and certificate information cannot be found, or upon other configuration problems.
See Also:
WSSException, ConsumerConfig
public abstract javax.security.auth.Subject newSubject(SAMLToken aSAMLToken) throws WSSException
Create a JAAS subject based on the SAMLToken object principal name, which is basically the NameId or NameIdentifier attribute in the SAML Assertion Specification.
This method looks up the user security name and group membership data from the configured user registry using the SAMLToken principal name. The SAMLToken object is added to the Subject's PrivateCredentials.
None of the individual SAMLToken attributes are copied into the new subject.
The lifetime of the new subject is determined by the LTPA timeout configuration. The subject lifetime is independent of the SAMLToken lifetime.
This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSubject") Java Security permission.
Parameters:
aSAMLToken - a token that contains a named principal and attributes.
Throws:
WSSException
See Also:
WSSException
public abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig newConsumerConfig() throws WSSException
Create an empty ConsumerConfig to validate, decrypt, and parse a SAML assertion.
Throws:
WSSException
See Also:
WSSException; the sample code in the class description above, for how to set the consumer's keyStore as well as trustStore information on the newly created ConsumerConfig object.
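The following class is an added example, not code from the IBM documentation or the WebSphere product. It ties the consumer-side methods together in the order a relying party should use them: build a ConsumerConfig with a trust store (needed when the token or its embedded key is encrypted for this recipient), parse and validate a serialized token from an InputStream through newSAMLToken(ConsumerConfig, InputStream), close the stream as that method's contract leaves to the caller, and only then turn the validated token into a JAAS Subject with newSubject. The packages of WSSException, KeyStoreConfig and KeyStoreConfigImpl, and the trust store type, path and password are assumptions or placeholders.

```java
import java.io.IOException;
import java.io.InputStream;

import javax.security.auth.Subject;

import com.ibm.websphere.wssecurity.wssapi.WSSException;           // assumed package for WSSException
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import com.ibm.wsspi.wssecurity.saml.config.KeyStoreConfig;        // assumed package
import com.ibm.wsspi.wssecurity.saml.config.KeyStoreConfigImpl;    // assumed package

/**
 * Validates a received SAML 2.0 assertion and maps it to a JAAS Subject.
 * Added example; not IBM's code.
 */
public final class SamlTokenConsumer {

    // Placeholder trust store holding the recipient's decryption key; the values are constructed.
    private static final String TRUST_STORE_TYPE = "jceks";
    private static final String TRUST_STORE_PATH = "recipient.jceks";
    private static final String TRUST_STORE_PASS = "storepass";

    private SamlTokenConsumer() {
    }

    /** ConsumerConfig for this recipient; the trust store is only consulted for encrypted tokens or keys. */
    private static ConsumerConfig consumerConfig(SAMLTokenFactory factory) throws WSSException {
        ConsumerConfig cfg = factory.newConsumerConfig();
        KeyStoreConfig trust = new KeyStoreConfigImpl(TRUST_STORE_TYPE, TRUST_STORE_PATH, TRUST_STORE_PASS, null);
        cfg.setTrustStoreConfig(trust);
        return cfg;
    }

    /**
     * Parses and validates a serialized SAML assertion. The factory verifies the issuer signature and
     * decrypts as needed; a WSSException means the token must be rejected, never used as-is.
     * The stream is always closed here because the API leaves closing to the caller.
     */
    public static SAMLToken validate(InputStream serializedToken) throws WSSException, IOException {
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
        try {
            return factory.newSAMLToken(consumerConfig(factory), serializedToken);
        } finally {
            serializedToken.close();
        }
    }

    /**
     * Turns a validated token into a JAAS Subject. newSubject resolves the NameID against the
     * configured user registry, so an unknown principal fails here; the Subject's lifetime follows
     * the LTPA timeout and not the assertion's own validity window, and the SAMLToken lands in the
     * Subject's PrivateCredentials without its individual attributes being copied.
     * When Java 2 security is enabled the caller needs
     * SecurityPermission("wssapi.SAMLTokenFactory.newSubject").
     */
    public static Subject subjectFor(SAMLToken validated) throws WSSException {
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
        return factory.newSubject(validated);
    }

    /** One-shot helper: validate, then map to a Subject. */
    public static Subject authenticate(InputStream serializedToken) throws WSSException, IOException {
        return subjectFor(validate(serializedToken));
    }
}
```

Keeping validation and Subject creation as separate steps lets a caller inspect the validated SAMLToken before granting a registry-backed Subject whose lifetime outlives the assertion.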