`public abstract class AbstractSTSLoginModule extends Object implements LoginModule`

Subclasses implement `invokeSTS(STSClient)` to perform their specific actions.

Information is gathered from the caller through `NameCallback` and `PasswordCallback`.
1. Default configuration:

```xml
<application-policy name="saml-issue-token">
  <authentication>
    <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
      <module-option name="configFile">/sts-client.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
```
2. Login module options configuration:

```xml
<application-policy name="saml-issue-token">
  <authentication>
    <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
      <module-option name="configFile">/sts-client.properties</module-option>
      <module-option name="useOptionsCredentials">true</module-option>
    </login-module>
  </authentication>
</application-policy>
```
3. Password stacking configuration:

```xml
<application-policy name="saml-issue-token">
  <authentication>
    <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
      <module-option name="configFile">/sts-client.properties</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
  </authentication>
</application-policy>
```
4. Mapping providers configuration:

```xml
<application-policy name="saml-issue-token">
  <authentication>
    <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
      <module-option name="configFile">/sts-client.properties</module-option>
      <module-option name="password-stacking">useFirstPass</module-option>
    </login-module>
    <mapping>
      <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSPrincipalMappingProvider"
                      type="principal"/>
      <mapping-module code="org.picketlink.identity.federation.bindings.jboss.auth.mapping.STSGroupMappingProvider"
                      type="role"/>
    </mapping>
  </authentication>
</application-policy>
```
- `roleKey`: By default, SAML attributes with the key "Role" are assumed to represent user roles. You can configure a comma-separated list of string values to represent the attribute names for user roles.
- `cache.invalidation`: Set to `true` if you require invalidation of the JBoss Auth Cache when the SAML Principal expires.
- `jboss.security.security_domain`: Name of the security domain where this login module is configured. This is only required if the `cache.invalidation` option is configured.
- `inject.callerprincipal`: Set to `true` if you want to add a group principal called "CallerPrincipal", carrying the roles from the assertion, into the subject.
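The following policy is an added example, not one of the page's own configurations, combining the four options described above with the required `configFile` option; the option values are constructed for illustration. As the descriptions state, `jboss.security.security_domain` is only needed once `cache.invalidation` is enabled, and it must name the security domain the module runs in, which for an `<application-policy>` is its `name` attribute.

```xml
<application-policy name="saml-issue-token">
  <authentication>
    <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSIssuingLoginModule" flag="required">
      <!-- required: STS client configuration file -->
      <module-option name="configFile">/sts-client.properties</module-option>
      <!-- attributes whose values are treated as roles; the default is "Role" alone -->
      <module-option name="roleKey">Role,memberOf</module-option>
      <!-- evict this principal from the JBoss Auth Cache when the SAML assertion expires -->
      <module-option name="cache.invalidation">true</module-option>
      <!-- needed only because cache.invalidation is on; must match this policy's name -->
      <module-option name="jboss.security.security_domain">saml-issue-token</module-option>
      <!-- add a "CallerPrincipal" group holding the assertion's roles to the Subject -->
      <module-option name="inject.callerprincipal">true</module-option>
    </login-module>
  </authentication>
</application-policy>
```

If `cache.invalidation` is left at its default, the `jboss.security.security_domain` line can be dropped; the other three options are independent of each other.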
| Modifier and Type | Field and Description |
|---|---|
| `protected CallbackHandler` | `callbackHandler`: Callback handler used to gather information from the caller. |
| `protected boolean` | `enableCacheInvalidation` |
| `static String` | `ENDPOINT_ADDRESS`: Key to specify the end point address. |
| `static String` | `INITIAL_CLIENTS_IN_POOL`: Parameter name. |
| `protected int` | `initialClientsInPool`: Number of clients initialized in case the pool is out of free clients. |
| `protected boolean` | `injectCallerPrincipalGroup`: Should a separate Group Principal called "CallerPrincipal" be injected into the subject with the roles from the assertion? |
| `static String` | `IS_BATCH`: Key to specify whether this is a batch issue request. |
| `protected boolean` | `isBatch`: Value to indicate whether the RST is a batch request. |
| `protected static PicketLinkLogger` | `logger` |
| `protected Map<String,?>` | `options`: The options map passed into this login module's `initialize` method. |
| `static String` | `OPTIONS_CREDENTIALS`: Options configuration name. |
| `static String` | `OPTIONS_PW_STACKING`: Options configuration name. |
| `static String` | `PASSWORD_KEY`: Key to specify the password. |
| `protected boolean` | `passwordStacking`: Indicates whether the password-stacking option was configured. |
| `static String` | `PORT_NAME`: Key to specify the port name. |
| `static String` | `ROLE_KEY`: Attribute names indicating the user roles. |
| `protected String` | `roleKey`: Name of the SAML attribute representing roles. |
| `protected Element` | `samlToken`: WS-Trust SAML Assertion element. |
| `protected String` | `securityDomain` |
| `static String` | `SERVICE_NAME`: Key to specify the service name. |
| `static String` | `SHARED_TOKEN`: Key used in the shared state map when LMs are stacked. |
| `protected Map` | `sharedState`: The shared state map passed into this login module's `initialize` method. |
| `static String` | `STS_CONFIG_FILE`: The required option that identifies the configuration file for `WSTrustClient`. |
| `protected Subject` | `subject`: The subject to be populated. |
| `protected boolean` | `success`: The outcome of the authentication process. |
| `protected boolean` | `useFirstPass`: Indicates whether the password-stacking option was specified as `useFirstPass`. |
| `protected boolean` | `useOptionsCredentials`: Indicates whether `useOptionsCredentials` was configured. |
| `static String` | `USERNAME_KEY`: Key to specify the username. |
| Constructor and Description |
|---|
| `AbstractSTSLoginModule()` |
| Modifier and Type | Method and Description |
|---|---|
| `boolean` | `abort()`: Called if the overall authentication failed (phase 2). |
| `boolean` | `commit()`: Commit will package the `samlToken` set by the login method in a new `SamlCredential`. |
| `protected STSClientConfig.Builder` | `createBuilder()`: Subclasses can override and create a preconfigured builder. |
| `protected STSClient` | `createWSTrustClient(STSClientConfig config)` |
| `protected CallbackHandler` | `getCallbackHandler()` |
| `protected STSClientConfig` | `getConfiguration(Map<String,?> options)`: This method gives users a chance to override how the `STSClientConfig` is created. |
| `protected MappingManager` | `getMappingManager()` |
| `protected Map<String,?>` | `getOptions()`: Gets the options provided to this LM in its `initialize(Subject, CallbackHandler, Map, Map)`. |
| `protected String` | `getRequiredOption(Map<String,?> options, String optionName)` |
| `protected char[]` | `getSharedPassword()` |
| `protected Object` | `getSharedToken()`: Gets the security token from the shared state map if one was made available by a previous LM in the stack. |
| `protected String` | `getSharedUsername()` |
| `protected Subject` | `getSubject()` |
| `void` | `initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)`: Initializes this login module. |
| `abstract Element` | `invokeSTS(STSClient stsclient)` |
| `protected boolean` | `isSuccess()` |
| `protected boolean` | `isUseFirstPass()` |
| `protected boolean` | `isUseOptionsConfig()` |
| `protected boolean` | `isUsePasswordStacking()` |
| `boolean` | `login()`: Subclasses must implement the login to perform their specific tasks. |
| `boolean` | `logout()` |
| `protected void` | `populateSubject()` |
| `static void` | `removeAllSamlCredentials(Subject subject)` |
| `protected void` | `setSamlToken(Element samlToken)` |
| `protected void` | `setSharedToken(Object token)` |
| `protected void` | `setSuccess(boolean success)` |
| `protected void` | `useCredentialsFromCallback(STSClientConfig.Builder builder)` |
| `protected void` | `useCredentialsFromOptions(STSClientConfig.Builder builder, Map<String,?> options2)`: This method allows subclasses to retrieve the configuration options map and set them on the builder. |
| `protected void` | `useCredentialsFromSharedState(STSClientConfig.Builder builder)` |
```java
protected static final PicketLinkLogger logger
public static final String SHARED_TOKEN
public static final String OPTIONS_CREDENTIALS
public static final String OPTIONS_PW_STACKING
public static final String STS_CONFIG_FILE
public static final String ROLE_KEY
public static final String ENDPOINT_ADDRESS
public static final String PORT_NAME
public static final String SERVICE_NAME
public static final String USERNAME_KEY
public static final String PASSWORD_KEY
public static final String IS_BATCH
public static final String INITIAL_CLIENTS_IN_POOL
protected Subject subject
protected CallbackHandler callbackHandler
protected Element samlToken
protected boolean success
protected Map<String,?> options
protected Map sharedState
protected boolean passwordStacking
protected boolean useFirstPass
protected boolean useOptionsCredentials
protected String roleKey
protected boolean enableCacheInvalidation
protected boolean injectCallerPrincipalGroup
protected String securityDomain
protected boolean isBatch
protected int initialClientsInPool
```
`public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String,?> sharedState, Map<String,?> options)`

Specified by: `initialize` in interface `LoginModule`

Parameters:
- `subject` - The subject to authenticate/populate.
- `callbackHandler` - The callback handler that will gather information required by this login module.
- `sharedState` - State that is shared with other login modules. Used when modules are chained/stacked.
- `options` - The options that were specified for this login module.

`public boolean login() throws LoginException`

Subclasses must implement the login to perform their specific tasks, calling `setSamlToken(Element)` with the SAML token element that should be added to the public credentials in `commit()`.

Specified by: `login` in interface `LoginModule`

Throws:
- `LoginException` - If an error occurs while trying to perform the authentication.

`public abstract Element invokeSTS(STSClient stsclient) throws WSTrustException, LoginException`

Throws:
- `WSTrustException`
- `LoginException`

`public boolean commit() throws LoginException`

Commit will package the `samlToken` set by the login method in a new `SamlCredential`. This new `SamlCredential` will be put into the Subject's public credentials set.

Specified by: `commit` in interface `LoginModule`

Throws:
- `LoginException`

`public boolean abort() throws LoginException`

Called if the overall authentication failed (phase 2).

Specified by: `abort` in interface `LoginModule`

Throws:
- `LoginException`

`public boolean logout() throws LoginException`

Specified by: `logout` in interface `LoginModule`

Throws:
- `LoginException`

`protected STSClientConfig.Builder createBuilder()`

Subclasses can override and create a preconfigured builder.

`protected void useCredentialsFromCallback(STSClientConfig.Builder builder) throws LoginException`

Throws:
- `LoginException`

`protected void useCredentialsFromSharedState(STSClientConfig.Builder builder)`

`protected void useCredentialsFromOptions(STSClientConfig.Builder builder, Map<String,?> options2)`

This method allows subclasses to retrieve the configuration options map and set them on the builder.

Parameters:
- `builder`
- `options`

`protected STSClientConfig getConfiguration(Map<String,?> options)`

This method gives users a chance to override how the `STSClientConfig` is created. For example, some users might prefer not to use a file containing the configuration properties, which is the default, but instead have the configuration options in the login module's configuration directly.

Parameters:
- `options` - The options passed to the initialize method.

Returns:
- `STSClientConfig` - The configuration for `STSClient`.

`protected STSClient createWSTrustClient(STSClientConfig config)`
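The subclass below is an added example, not PicketLink's own code, showing the two extension points this page documents: `invokeSTS(STSClient)`, which every subclass must implement, and `createBuilder()` / `getConfiguration(Map)`, overridden here so that the STS endpoint, port and service are read from the login-module options (through the documented `ENDPOINT_ADDRESS`, `PORT_NAME` and `SERVICE_NAME` keys and `getRequiredOption`) instead of the default `sts-client.properties` file. Credential handling is left to the base class, so `useOptionsCredentials` and `password-stacking` behave exactly as described above. The following are assumptions not confirmed by this page: the packages of `STSClient`, `STSClientConfig` and `WSTrustException`; that `STSClientConfig.Builder` has a no-argument constructor with fluent `endpointAddress`, `portName` and `serviceName` setters; that `STSClient` exposes `issueTokenForEndpoint(String)`; and the option name `endpointURI`, which is hypothetical.

```java
package com.example.sts; // hypothetical package, not part of PicketLink

import java.util.Map;

import javax.security.auth.login.LoginException;

import org.picketlink.identity.federation.core.wstrust.STSClient;          // package assumed
import org.picketlink.identity.federation.core.wstrust.STSClientConfig;    // package assumed
import org.picketlink.identity.federation.core.wstrust.WSTrustException;   // package assumed
import org.picketlink.identity.federation.core.wstrust.auth.AbstractSTSLoginModule;
import org.w3c.dom.Element;

/**
 * Example login module that configures the STS client from module options
 * rather than from a properties file, then asks the STS to issue a token
 * for the endpoint named in the (hypothetical) "endpointURI" option.
 */
public class OptionsConfiguredSTSLoginModule extends AbstractSTSLoginModule {

    /** Hypothetical option name for the relying endpoint; not defined by PicketLink. */
    public static final String ENDPOINT_URI_OPTION = "endpointURI";

    /** Builds the client configuration from the option map using the documented keys. */
    private STSClientConfig.Builder builderFrom(Map<String, ?> opts) {
        // getRequiredOption is documented on this page; the no-arg Builder
        // constructor and the fluent setters below are assumed.
        return new STSClientConfig.Builder()
                .endpointAddress(getRequiredOption(opts, ENDPOINT_ADDRESS))
                .portName(getRequiredOption(opts, PORT_NAME))
                .serviceName(getRequiredOption(opts, SERVICE_NAME));
    }

    /** Preconfigured builder; the base class adds credentials to it during login(). */
    @Override
    protected STSClientConfig.Builder createBuilder() {
        return builderFrom(getOptions());
    }

    /** Same source of truth for anything that obtains the config via getConfiguration(). */
    @Override
    protected STSClientConfig getConfiguration(Map<String, ?> options) {
        return builderFrom(options).build();
    }

    /**
     * Issue a SAML token for the configured endpoint. The returned element is the
     * one that commit() packages into a SamlCredential on the Subject.
     */
    @Override
    public Element invokeSTS(STSClient stsclient) throws WSTrustException, LoginException {
        Object endpoint = getOptions().get(ENDPOINT_URI_OPTION);
        if (!(endpoint instanceof String) || ((String) endpoint).isEmpty()) {
            // Fail the login rather than call the STS without an endpoint.
            throw new LoginException("Missing login-module option: " + ENDPOINT_URI_OPTION);
        }
        Element assertion = stsclient.issueTokenForEndpoint((String) endpoint); // method name assumed
        if (assertion == null) {
            // Treat an empty STS reply as an authentication failure, never as success.
            throw new LoginException("STS returned no token for endpoint " + endpoint);
        }
        return assertion;
    }
}
```

To wire this up, the `<login-module>` element names `com.example.sts.OptionsConfiguredSTSLoginModule` in its `code` attribute and carries one `<module-option>` per key: the string values of the `ENDPOINT_ADDRESS`, `PORT_NAME` and `SERVICE_NAME` constants listed in the field table above, plus `endpointURI`; `configFile` is then no longer consulted by this subclass. Because `getRequiredOption` is used for the three STS keys, a misconfigured domain fails at the first login attempt instead of silently falling back to a default.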
`protected boolean isSuccess()`

`protected void setSuccess(boolean success)`

`protected Subject getSubject()`

`protected CallbackHandler getCallbackHandler()`

`protected void setSamlToken(Element samlToken)`

`protected void setSharedToken(Object token)`

`protected Object getSharedToken()`

Gets the security token from the shared state map if one was made available by a previous LM in the stack.

`protected Map<String,?> getOptions()`

Gets the options provided to this LM in its `initialize(Subject, CallbackHandler, Map, Map)`.

`protected String getSharedUsername()`

`protected char[] getSharedPassword()`

`protected boolean isUseFirstPass()`

`protected boolean isUsePasswordStacking()`

`protected boolean isUseOptionsConfig()`

`public static void removeAllSamlCredentials(Subject subject)`

`protected void populateSubject()`

`protected MappingManager getMappingManager()`
Copyright © 2021 JBoss by Red Hat. All rights reserved.