public abstract class SAML2STSCommonLoginModule extends SAMLTokenFromHttpRequestAbstractLoginModule
This LoginModule authenticates clients by validating their SAML assertions with an external security token service (such as PicketLinkSTS). If the supplied assertion contains roles, these roles are extracted and included in the Group returned by the getRoleSets method.
This module defines the following module options:
Any properties specified besides the above properties are assumed to be used to configure how the STSClient will connect to the STS. For example, the JBossWS StubExt.PROPERTY_SOCKET_FACTORY can be specified in order to set the socket factory that must be used to connect to the STS. All properties will be set in the request context of the Dispatch instance used by the STSClient to send requests to the STS.

An example of a configFile can be seen below:

```properties
serviceName=PicketLinkSTS
portName=PicketLinkSTSPort
endpointAddress=http://localhost:8080/picketlink-sts/PicketLinkSTS
username=JBoss
password=JBoss
```

The first three properties specify the STS endpoint URL, service name, and port name. The last two properties specify the username and password that are to be used by the application server to authenticate to the STS and have the SAML assertions validated.

NOTE: Sub-classes can use the getSTSClient() method to customize the STSClient used to make calls to the STS.
Modifier and Type | Field and Description |
---|---|
protected AssertionType | assertion |
protected SamlCredential | credential |
protected boolean | enableCacheInvalidation |
static String | ENDPOINT_ADDRESS: Key to specify the end point address |
static String | INITIAL_CLIENTS_IN_POOL: Parameter name. |
protected int | initialClientsInPool: Maximal number of clients in the STS Client Pool. |
protected boolean | localTestingOnly |
protected boolean | localValidation |
protected String | localValidationSecurityDomain |
protected Map<String,Object> | options: Options that are computed by this login module. |
static String | PASSWORD_KEY: Key to specify the password |
static String | PORT_NAME: Key to specify the port name |
protected Principal | principal |
protected Map<String,Object> | rawOptions: Original options that are sent by the JDK JAAS framework |
protected String | roleKey |
protected String | securityDomain |
static String | SERVICE_NAME: Key to specify the service name |
static String | STS_CONFIG_FILE: This is an option that should identify the configuration file for WSTrustClient. |
protected String | stsConfigurationFile |
static String | USERNAME_KEY: Key to specify the username |
BASE64_TOKEN_ENCODING, GZIP_TOKEN_ENCODING, logger, NONE_TOKEN_ENCODING, REG_EX_GROUP_KEY, REG_EX_PATTERN_KEY, SAML_TOKEN_HTTP_HEADER_KEY, TOKEN_ENCODING_TYPE_KEY, tokenEncoding, WEB_REQUEST_KEY
callbackHandler, jbossModuleName, log, loginOk, principalClassModuleName, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass
Constructor and Description |
---|
SAML2STSCommonLoginModule() |
Modifier and Type | Method and Description |
---|---|
boolean | abort(): Called if the overall authentication failed (phase 2). |
boolean | commit(): Method to commit the authentication process (phase 2). |
protected abstract JBossAuthCacheInvalidationFactory.TimeCacheExpiry | getCacheExpiry() |
protected Principal | getIdentity(): Overridden by subclasses to return the Principal that corresponds to the user's primary identity. |
protected Group[] | getRoleSets(): Overridden by subclasses to return the Groups that correspond to the role sets assigned to the user. |
protected STSClient | getSTSClient(): Get the STSClient object with which we can make calls to the STS |
void | initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options): Initialize the login module. |
protected abstract boolean | localValidation(Element assertionElement): Locally validate the SAML Assertion element |
boolean | login(): Looks for javax.security.auth.login.name and javax.security.auth.login.password values in the sharedState map if the useFirstPass option was true and returns true if they exist. |
boolean | logout(): Remove the user identity and roles added to the Subject during commit. |
getCredentialFromHttpRequest, getSamlTokenHttpHeader, getSamlTokenHttpHeaderRegEx, getSamlTokenHttpHeaderRegExGroup, getTokenEncoding
addValidOptions, checkOptions, createGroup, createIdentity, getCallerPrincipalGroup, getUnauthenticatedIdentity, getUseFirstPass
protected String stsConfigurationFile
protected Principal principal
protected SamlCredential credential
protected AssertionType assertion
protected boolean enableCacheInvalidation
protected String securityDomain
protected boolean localValidation
protected String localValidationSecurityDomain
protected String roleKey
protected int initialClientsInPool
protected Map<String,Object> options
protected Map<String,Object> rawOptions
public static final String STS_CONFIG_FILE
public static final String ENDPOINT_ADDRESS
public static final String PORT_NAME
public static final String SERVICE_NAME
public static final String USERNAME_KEY
public static final String PASSWORD_KEY
protected boolean localTestingOnly
public static final String INITIAL_CLIENTS_IN_POOL
public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)
Description copied from class: AbstractServerLoginModule
Initialize the login module.
Specified by: initialize in interface LoginModule
Overrides: initialize in class SAMLTokenFromHttpRequestAbstractLoginModule
Parameters:
subject - the Subject to update after a successful login.
callbackHandler - the CallbackHandler that will be used to obtain the user identity and credentials.
sharedState - a Map shared between all configured login module instances
options - the parameters passed to the login module.

public boolean login() throws LoginException
Description copied from class: AbstractServerLoginModule
Looks for javax.security.auth.login.name and javax.security.auth.login.password values in the sharedState map if the useFirstPass option was true and returns true if they exist.
Specified by: login in interface LoginModule
Overrides: login in class AbstractServerLoginModule
Throws: LoginException

public boolean commit() throws LoginException
Description copied from class: AbstractServerLoginModule
Method to commit the authentication process (phase 2).
Specified by: commit in interface LoginModule
Overrides: commit in class AbstractServerLoginModule
Throws: LoginException
See Also: Subject, Group

public boolean abort() throws LoginException
Called if the overall authentication failed (phase 2).
Specified by: abort in interface LoginModule
Overrides: abort in class AbstractServerLoginModule
Throws: LoginException

public boolean logout() throws LoginException
Description copied from class: AbstractServerLoginModule
Remove the user identity and roles added to the Subject during commit.
Specified by: logout in interface LoginModule
Overrides: logout in class AbstractServerLoginModule
Throws: LoginException

protected Principal getIdentity()
Description copied from class: AbstractServerLoginModule
Overridden by subclasses to return the Principal that corresponds to the user's primary identity.
Overrides: getIdentity in class AbstractServerLoginModule

protected Group[] getRoleSets() throws LoginException
Description copied from class: AbstractServerLoginModule
Overridden by subclasses to return the Groups that correspond to the role sets assigned to the user.
Overrides: getRoleSets in class AbstractServerLoginModule
Throws: LoginException

protected STSClient getSTSClient()
Get the STSClient object with which we can make calls to the STS
Returns: STSClient object with which we can make calls to the STS

protected abstract boolean localValidation(Element assertionElement) throws Exception
Locally validate the SAML Assertion element
Parameters:
assertionElement -
Throws: Exception

protected abstract JBossAuthCacheInvalidationFactory.TimeCacheExpiry getCacheExpiry() throws Exception
Throws: Exception
Copyright © 2021 JBoss by Red Hat. All rights reserved.