PicketLink Federation Common Server Bindings for JBoss AS 2.1.6.Final-redhat-2

org.picketlink.identity.federation.bindings.jboss.auth
Class SAMLTokenCertValidatingCommonLoginModule

java.lang.Object
  extended by org.jboss.security.auth.spi.AbstractServerLoginModule
      extended by org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
          extended by org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule
All Implemented Interfaces:
LoginModule

public abstract class SAMLTokenCertValidatingCommonLoginModule
extends SAMLTokenFromHttpRequestAbstractLoginModule

This LoginModule authenticates clients by validating their SAML assertions locally. If the supplied assertion contains roles, these roles are extracted and included in the Group returned by the getRoleSets method. The LoginModule is designed to validate the SAML token using the X509 certificate stored in the XML signature within the SAML assertion token. It validates:

  1. the certificate path against the specified truststore, which must contain a valid trusted certificate common to the chain
  2. that the X509 certificate stored in the SAML token has not expired
  3. that the signature itself is valid
  4. the SAML token's expiration

This module defines the following module options:

  roleKey - key of the attribute name used for roles from the SAML assertion. This can be a comma-separated string value such as (Role,Membership).
  localValidationSecurityDomain - the security domain for the trust store information (via the JaasSecurityDomain).
  cache.invalidation - set to true if you require invalidation of the JBoss Auth Cache at SAML Principal expiration.
  jboss.security.security_domain - security domain in which the Principal will expire if cache.invalidation is used.
  tokenEncodingType - encoding type of the SAML token delivered via the http request header. Possible values are:
      base64 - content encoded as base64. If the encoding will vary between base64 and gzip, use base64 and the LoginModule will detect gzipped data.
      gzip - gzipped content encoded as base64.
      none - content not encoded in any way.
  samlTokenHttpHeader - name of the http request header to fetch the SAML token from. For example: "Authorize".
  samlTokenHttpHeaderRegEx - Java regular expression used to get the SAML token from "samlTokenHttpHeader". Example: use .*"(.*)".* to parse the SAML token from header content like SAML_assertion="HHDHS=", and at the same time set samlTokenHttpHeaderRegExGroup to 1.
  samlTokenHttpHeaderRegExGroup - group value used when parsing out the value of the http request header specified by "samlTokenHttpHeader" using "samlTokenHttpHeaderRegEx".
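As an added example (not PicketLink code), the Python below mirrors how the header options above select and decode the token (samlTokenHttpHeader, samlTokenHttpHeaderRegEx, samlTokenHttpHeaderRegExGroup, tokenEncodingType with gzip auto-detection) and performs the step 4 expiry check against a constructed, unsigned sample assertion. Steps 1 to 3 (cert path, certificate expiry, signature) are not reproduced; the function names, full-match regex semantics and the sample assertion are this example's own assumptions.

```python
import base64
import gzip
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, unsigned sample assertion: only what the Conditions check (step 4) needs.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="%s" ID="_constructed">'
    '<saml:Conditions NotBefore="2013-06-01T10:00:00Z" NotOnOrAfter="2013-06-01T10:05:00Z"/>'
    '</saml:Assertion>' % SAML_NS
)


def parse_utc(value):
    """Parse a SAML UTC timestamp such as 2013-06-01T10:05:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_token(headers, header_name, regex=None, group=0):
    """samlTokenHttpHeader / samlTokenHttpHeaderRegEx / samlTokenHttpHeaderRegExGroup (assumed full-match)."""
    value = headers.get(header_name)
    if value is None or regex is None:
        return value
    m = re.fullmatch(regex, value)
    return m.group(group) if m else None


def encode_token(text, encoding_type):
    """Client side of tokenEncodingType; used here only to build sample header values."""
    if encoding_type == "none":
        return text
    data = text.encode("utf-8")
    if encoding_type == "gzip":
        data = gzip.compress(data)
    return base64.b64encode(data).decode("ascii")


def decode_token(raw, encoding_type):
    """tokenEncodingType: 'none', 'gzip', or 'base64' with gzip detected by its 1f 8b magic bytes."""
    if encoding_type == "none":
        return raw
    data = base64.b64decode(raw)
    if encoding_type == "gzip" or data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def assertion_time_valid(xml_text, now):
    """Step 4: accept only inside the Conditions window; this example treats missing Conditions as invalid."""
    cond = ET.fromstring(xml_text).find("{%s}Conditions" % SAML_NS)
    if cond is None:
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_utc(not_before):
        return False
    if not_on_or_after and now >= parse_utc(not_on_or_after):
        return False
    return True
```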

Author:
Peter Skopek: pskopek at redhat dot com

Field Summary
protected  AssertionType assertion
           
protected  SamlCredential credential
           
protected  boolean enableCacheInvalidation
           
static String ENDPOINT_ADDRESS
          Key to specify the end point address
protected  boolean localTestingOnly
           
protected  String localValidationSecurityDomain
           
protected  Map<String,Object> options
          Options that are computed by this login module.
static String PASSWORD_KEY
          Key to specify the password
static String PORT_NAME
          Key to specify the port name
protected  Principal principal
           
protected  Map<String,Object> rawOptions
          Original Options that are sent by the JDK JAAS Framework
protected  String roleKey
           
protected  String securityDomain
           
static String SERVICE_NAME
          Key to specify the service name
static String STS_CONFIG_FILE
          This is an option that should identify the configuration file for WSTrustClient.
static String USERNAME_KEY
          Key to specify the username
 
Fields inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
BASE64_TOKEN_ENCODING, GZIP_TOKEN_ENCODING, logger, NONE_TOKEN_ENCODING, REG_EX_GROUP_KEY, REG_EX_PATTERN_KEY, SAML_TOKEN_HTTP_HEADER_KEY, TOKEN_ENCODING_TYPE_KEY, tokenEncoding, WEB_REQUEST_KEY
 
Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule
callbackHandler, log, loginOk, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass
 
Constructor Summary
SAMLTokenCertValidatingCommonLoginModule()
           
 
Method Summary
 boolean abort()
          Called if the overall authentication failed (phase 2).
 boolean commit()
           
protected  JBossAuthCacheInvalidationFactory.TimeCacheExpiry getCacheExpiry()
           
protected  Principal getIdentity()
           
protected abstract  KeyStore getKeyStore()
          Binding dependent version of getting configured keyStore.
protected  Group[] getRoleSets()
           
 void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
           
 boolean login()
           
 boolean logout()
           
protected  void validateCertPath(X509Certificate certificate)
          Validate certificate path against keystore specified as SecurityDomain in module-option.
 
Methods inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
getCredentialFromHttpRequest, getSamlTokenHttpHeader, getSamlTokenHttpHeaderRegEx, getSamlTokenHttpHeaderRegExGroup, getTokenEncoding
 
Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule
addValidOptions, checkOptions, createGroup, createIdentity, getCallerPrincipalGroup, getUnauthenticatedIdentity, getUseFirstPass
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

principal

protected Principal principal

credential

protected SamlCredential credential

assertion

protected AssertionType assertion

enableCacheInvalidation

protected boolean enableCacheInvalidation

securityDomain

protected String securityDomain

localValidationSecurityDomain

protected String localValidationSecurityDomain

roleKey

protected String roleKey

options

protected Map<String,Object> options
Options that are computed by this login module. A few options are removed and the rest are passed to the STS dispatch call.


rawOptions

protected Map<String,Object> rawOptions
Original Options that are sent by the JDK JAAS Framework


STS_CONFIG_FILE

public static final String STS_CONFIG_FILE
This is an option that should identify the configuration file for WSTrustClient.

See Also:
Constant Field Values

ENDPOINT_ADDRESS

public static final String ENDPOINT_ADDRESS
Key to specify the end point address

See Also:
Constant Field Values

PORT_NAME

public static final String PORT_NAME
Key to specify the port name

See Also:
Constant Field Values

SERVICE_NAME

public static final String SERVICE_NAME
Key to specify the service name

See Also:
Constant Field Values

USERNAME_KEY

public static final String USERNAME_KEY
Key to specify the username

See Also:
Constant Field Values

PASSWORD_KEY

public static final String PASSWORD_KEY
Key to specify the password

See Also:
Constant Field Values

localTestingOnly

protected boolean localTestingOnly

Constructor Detail

SAMLTokenCertValidatingCommonLoginModule

public SAMLTokenCertValidatingCommonLoginModule()

Method Detail

initialize

public void initialize(Subject subject,
                       CallbackHandler callbackHandler,
                       Map<String,?> sharedState,
                       Map<String,?> options)
Specified by:
initialize in interface LoginModule
Overrides:
initialize in class SAMLTokenFromHttpRequestAbstractLoginModule

login

public boolean login()
              throws LoginException
Specified by:
login in interface LoginModule
Overrides:
login in class org.jboss.security.auth.spi.AbstractServerLoginModule
Throws:
LoginException

commit

public boolean commit()
               throws LoginException
Specified by:
commit in interface LoginModule
Overrides:
commit in class org.jboss.security.auth.spi.AbstractServerLoginModule
Throws:
LoginException

abort

public boolean abort()
              throws LoginException
Called if the overall authentication failed (phase 2).

Specified by:
abort in interface LoginModule
Overrides:
abort in class org.jboss.security.auth.spi.AbstractServerLoginModule
Throws:
LoginException

logout

public boolean logout()
               throws LoginException
Specified by:
logout in interface LoginModule
Overrides:
logout in class org.jboss.security.auth.spi.AbstractServerLoginModule
Throws:
LoginException

getIdentity

protected Principal getIdentity()
Specified by:
getIdentity in class org.jboss.security.auth.spi.AbstractServerLoginModule

getRoleSets

protected Group[] getRoleSets()
                       throws LoginException
Specified by:
getRoleSets in class org.jboss.security.auth.spi.AbstractServerLoginModule
Throws:
LoginException

getCacheExpiry

protected JBossAuthCacheInvalidationFactory.TimeCacheExpiry getCacheExpiry()
                                                                    throws Exception
Throws:
Exception

validateCertPath

protected void validateCertPath(X509Certificate certificate)
                         throws LoginException
Validate the certificate path against the keystore specified as SecurityDomain in the module option.

Parameters:
certificate - the X509 certificate whose path is validated
Throws:
LoginException

getKeyStore

protected abstract KeyStore getKeyStore()
                                 throws Exception
Binding dependent version of getting the configured keyStore. Uses the module option localValidationSecurityDomain.

Returns:
the configured KeyStore
Throws:
Exception

Copyright © 2013 JBoss by Red Hat. All Rights Reserved.