org.picketlink.identity.federation.bindings.jboss.auth
Class SAMLTokenCertValidatingLoginModule
java.lang.Object
org.jboss.security.auth.spi.AbstractServerLoginModule
org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule
org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule
- All Implemented Interfaces:
- LoginModule
public class SAMLTokenCertValidatingLoginModule
- extends SAMLTokenCertValidatingCommonLoginModule
This LoginModule authenticates clients by validating their SAML assertions
locally. If the supplied assertion contains roles, these roles are extracted
and included in the Group returned by the getRoleSets method. The LoginModule
is designed to validate the SAML token using the X509 certificate carried in the
XML signature of the SAML assertion; because that certificate comes from the
token itself, the truststore check below is what anchors trust, and a valid
signature made with an untrusted certificate is rejected.
It validates:
- the CertPath against the specified truststore, which has to contain, among its
trusted entries, a valid certificate that the token's certificate chains to
- that the X509 certificate stored in the SAML token has not expired
- that the signature itself is valid
- the SAML token expiration
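The four checks above, written out with plain JDK APIs as an added example. This is not PicketLink's code (the real implementation lives in SAMLTokenCertValidatingCommonLoginModule and is not shown on this page); the class name LocalSamlValidation, its command-line usage and the fail-closed choices are the example's own. It assumes a SAML 2.0 saml:Assertion with an enveloped ds:Signature whose ds:KeyInfo carries the signer's certificate (leaf first when a chain is included), and takes the assertion file, the truststore file and the truststore password as arguments:

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Stand-alone illustration of the four checks (example code, not PicketLink's).
 *  Usage: java LocalSamlValidation assertion.xml truststore.jks truststore-password */
public class LocalSamlValidation {
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DSIG_NS = XMLSignature.XMLNS;

    /** Runs the checks in the order the class description lists them; returns the signer. */
    public static X509Certificate validate(Document doc, KeyStore trustStore) throws Exception {
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML_NS, "Assertion").item(0);
        if (assertion == null) throw new SecurityException("no saml:Assertion element");
        // Register ID as an ID-typed attribute so the ds:Reference URI="#..." can be resolved.
        assertion.setIdAttribute("ID", true);
        NodeList sigs = assertion.getElementsByTagNameNS(DSIG_NS, "Signature");
        if (sigs.getLength() != 1) throw new SecurityException("expected exactly one ds:Signature");
        Element sigEl = (Element) sigs.item(0);

        // The certificates come from the token itself (attacker-controlled); assumed leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        NodeList certEls = sigEl.getElementsByTagNameNS(DSIG_NS, "X509Certificate");
        for (int i = 0; i < certEls.getLength(); i++) {
            byte[] der = Base64.getMimeDecoder().decode(certEls.item(i).getTextContent());
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        if (chain.isEmpty()) throw new SecurityException("ds:KeyInfo carries no X509Certificate");
        X509Certificate signer = chain.get(0);

        // 1. CertPath against the truststore: its trusted entries become the PKIX trust anchors,
        //    so a well-formed signature by an unknown certificate is rejected right here.
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // no CRL/OCSP in this illustration; enable in production
        CertPathValidator.getInstance("PKIX").validate(path, params);

        // 2. The signing certificate has not expired (and is not yet-to-be-valid).
        signer.checkValidity();

        // 3. The XML signature verifies with that certificate's key and actually covers this
        //    assertion: every Reference must point at "#" + the assertion's own ID.
        DOMValidateContext ctx = new DOMValidateContext(signer.getPublicKey(), sigEl);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!sig.validate(ctx)) throw new SecurityException("XML signature does not verify");
        String expectedUri = "#" + assertion.getAttribute("ID");
        for (Object o : sig.getSignedInfo().getReferences()) {
            String uri = ((Reference) o).getURI();
            if (!expectedUri.equals(uri)) throw new SecurityException("signature covers " + uri + ", not " + expectedUri);
        }

        // 4. Token expiration: saml:Conditions NotBefore / NotOnOrAfter against the current time.
        Element cond = (Element) assertion.getElementsByTagNameNS(SAML_NS, "Conditions").item(0);
        if (cond == null) throw new SecurityException("no Conditions; refusing an unbounded token");
        Instant now = Instant.now();
        String nb = cond.getAttribute("NotBefore"), na = cond.getAttribute("NotOnOrAfter");
        if (!nb.isEmpty() && now.isBefore(OffsetDateTime.parse(nb).toInstant())) throw new SecurityException("not yet valid");
        if (!na.isEmpty() && !now.isBefore(OffsetDateTime.parse(na).toInstant())) throw new SecurityException("expired");
        return signer;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new File(args[0]));
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        X509Certificate signer = validate(doc, ts);
        System.out.println("assertion accepted; signed by " + signer.getSubjectX500Principal());
    }
}
```

Two points in the example go beyond the page's list and are worth keeping in any local validator: the Reference URI check, which refuses a signature that verifies but covers some other element than the assertion being accepted (signature wrapping), and failing closed when Conditions is absent rather than treating a token without expiry as valid forever.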
This module defines the following module options:
- roleKey: key of the attribute name to use for roles from the SAML
assertion. This can be a comma-separated list of values, such as
(Role,Membership).
- localValidationSecurityDomain: the security domain that holds the trust
store information (via the JaasSecurityDomain).
- cache.invalidation: set it to true if you require invalidation of the JBoss
Auth Cache when the SAML Principal expires.
- jboss.security.security_domain: the security domain in which the Principal
will expire if cache.invalidation is used.
- tokenEncodingType: encoding type of the SAML token delivered in the HTTP
request header. Possible values are:
  - base64: content encoded as base64. If the encoding will vary between
base64 and gzip, use base64 and the LoginModule will detect gzipped data.
  - gzip: gzipped content encoded as base64.
  - none: content not encoded in any way.
- samlTokenHttpHeader: name of the HTTP request header to fetch the SAML token
from. For example: "Authorize"
- samlTokenHttpHeaderRegEx: Java regular expression used to extract the SAML
token from "samlTokenHttpHeader". Example: use .*"(.*)".* to parse the SAML
token from header content like SAML_assertion="HHDHS=", and at the same time
set samlTokenHttpHeaderRegExGroup to 1.
- samlTokenHttpHeaderRegExGroup: group number to use when parsing out the
value of the HTTP request header specified by "samlTokenHttpHeader" using
"samlTokenHttpHeaderRegEx".
- Author:
- Peter Skopek: pskopek at redhat dot com
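The header-related options above (samlTokenHttpHeader, samlTokenHttpHeaderRegEx, samlTokenHttpHeaderRegExGroup and tokenEncodingType) as an added, stand-alone example. This is not PicketLink's code: the class SamlHeaderTokenExtractor, its MAX_DECODED cap and the constructed header values are the example's own. It applies the regex .*"(.*)".* with group 1 to a header of the form SAML_assertion="...", and shows the base64 setting accepting both plain and gzipped content by looking for the gzip magic bytes:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

/** Illustration of the header options (example code, not PicketLink's). */
public class SamlHeaderTokenExtractor {
    private static final int MAX_DECODED = 256 * 1024; // cap for gunzip; real tokens are a few KB
    private final Pattern regex;
    private final int group;
    private final String encodingType;

    /** regex, group and encodingType play the roles of samlTokenHttpHeaderRegEx,
     *  samlTokenHttpHeaderRegExGroup and tokenEncodingType. */
    public SamlHeaderTokenExtractor(String regex, int group, String encodingType) {
        this.regex = Pattern.compile(regex);
        this.group = group;
        this.encodingType = encodingType;
    }

    /** Returns the decoded assertion text, or null when the header does not match the regex. */
    public String extract(String headerValue) throws IOException {
        if (headerValue == null) return null;
        Matcher m = regex.matcher(headerValue);
        if (!m.matches() || m.group(group) == null) return null;
        String token = m.group(group).trim();
        switch (encodingType) {
            case "none":
                return token;
            case "gzip":
                return new String(gunzip(Base64.getDecoder().decode(token)), StandardCharsets.UTF_8);
            case "base64": {
                byte[] raw = Base64.getDecoder().decode(token);
                // base64 also accepts gzipped input: detect the gzip magic bytes 1f 8b and inflate.
                if (raw.length > 2 && (raw[0] & 0xff) == 0x1f && (raw[1] & 0xff) == 0x8b) raw = gunzip(raw);
                return new String(raw, StandardCharsets.UTF_8);
            }
            default:
                throw new IllegalArgumentException("unknown tokenEncodingType: " + encodingType);
        }
    }

    /** Inflates with a hard size limit, so a tiny header cannot expand into a huge buffer. */
    static byte[] gunzip(byte[] data) throws IOException {
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(data))) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) > 0) {
                if (out.size() + n > MAX_DECODED) throw new IOException("decompressed token exceeds " + MAX_DECODED + " bytes");
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a minimal assertion-shaped document, not a real IdP token.
        String assertion = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_1\"/>";
        ByteArrayOutputStream gz = new ByteArrayOutputStream();
        try (GZIPOutputStream g = new GZIPOutputStream(gz)) { g.write(assertion.getBytes(StandardCharsets.UTF_8)); }
        String plainB64 = Base64.getEncoder().encodeToString(assertion.getBytes(StandardCharsets.UTF_8));
        String gzipB64 = Base64.getEncoder().encodeToString(gz.toByteArray());

        // samlTokenHttpHeaderRegEx=.*"(.*)".*  samlTokenHttpHeaderRegExGroup=1  tokenEncodingType=base64
        SamlHeaderTokenExtractor ex = new SamlHeaderTokenExtractor(".*\"(.*)\".*", 1, "base64");
        String fromPlain = ex.extract("SAML_assertion=\"" + plainB64 + "\"");
        String fromGzip = ex.extract("SAML_assertion=\"" + gzipB64 + "\"");
        if (!assertion.equals(fromPlain) || !assertion.equals(fromGzip)) throw new AssertionError("round trip failed");
        System.out.println("base64 and gzip+base64 headers both decode to the same assertion");
        System.out.println("non-matching header -> " + ex.extract("Bearer abc")); // null
    }
}
```

Two caveats the option list does not spell out: the regex is applied with matches(), so it must account for the whole header value (hence the leading and trailing .*), and a gzipped header is a decompression-bomb vector, so whatever inflates it should be size-capped as gunzip is here.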
Fields inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule
assertion, credential, enableCacheInvalidation, ENDPOINT_ADDRESS, localTestingOnly, localValidationSecurityDomain, options, PASSWORD_KEY, PORT_NAME, principal, rawOptions, roleKey, securityDomain, SERVICE_NAME, STS_CONFIG_FILE, USERNAME_KEY
Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule
callbackHandler, log, loginOk, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass
Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule
addValidOptions, checkOptions, createGroup, createIdentity, getCallerPrincipalGroup, getUnauthenticatedIdentity, getUseFirstPass
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
SAMLTokenCertValidatingLoginModule
public SAMLTokenCertValidatingLoginModule()
getKeyStore
protected KeyStore getKeyStore()
throws Exception
- AS7/EAP6 way of getting the configured keyStore.
Uses the module option localValidationSecurityDomain.
- Specified by:
getKeyStore
in class SAMLTokenCertValidatingCommonLoginModule
- Returns:
the configured KeyStore
- Throws:
Exception
Copyright © 2013 JBoss by Red Hat. All Rights Reserved.