PicketLink Federation Server Bindings for JBoss AS7.x 2.1.6.Final-redhat-2

org.picketlink.identity.federation.bindings.jboss.auth
Class SAMLTokenCertValidatingLoginModule

java.lang.Object
  extended by org.jboss.security.auth.spi.AbstractServerLoginModule
      extended by org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
          extended by org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule
              extended by org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule
All Implemented Interfaces:
LoginModule

public class SAMLTokenCertValidatingLoginModule
extends SAMLTokenCertValidatingCommonLoginModule

This LoginModule authenticates clients by validating their SAML assertions locally. If the supplied assertion contains roles, these roles are extracted and included in the Group returned by the getRoleSets method. The LoginModule is designed to validate the SAML token using the X509 certificate stored in the XML signature within the SAML assertion token. It validates:

  1. The CertPath against the specified truststore; the truststore has to contain a valid public certificate in common with the chain among its trusted entries.
  2. That the X509 certificate stored in the SAML token has not expired.
  3. That the signature itself is valid.
  4. The SAML token expiration.

This module defines the following module options:

  - roleKey: key of the attribute name to use for roles from the SAML assertion. This can be a comma-separated list of values, such as (Role,Membership).
  - localValidationSecurityDomain: the security domain for the trust store information (via the JaasSecurityDomain).
  - cache.invalidation: set it to true if you require invalidation of the JBoss Auth Cache at SAML Principal expiration.
  - jboss.security.security_domain: security domain in which the Principal will expire if cache.invalidation is used.
  - tokenEncodingType: encoding type of the SAML token delivered via the HTTP request header. Possible values are:
      - base64: content encoded as base64. If the encoding will vary between base64 and gzip, use base64 and the LoginModule will detect gzipped data.
      - gzip: gzipped content encoded as base64.
      - none: content not encoded in any way.
  - samlTokenHttpHeader: name of the HTTP request header to fetch the SAML token from. For example: "Authorize".
  - samlTokenHttpHeaderRegEx: Java regular expression used to get the SAML token from "samlTokenHttpHeader". Example: use .*"(.*)".* to parse the SAML token from header content like this: SAML_assertion="HHDHS=", and at the same time set samlTokenHttpHeaderRegExGroup to 1.
  - samlTokenHttpHeaderRegExGroup: group value to be used when parsing out the value of the HTTP request header specified by "samlTokenHttpHeader" using "samlTokenHttpHeaderRegEx".
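The following is an added example, not code from PicketLink, that walks through what the header-related module options above mean in practice: it pulls the token out of the configured request header with the regex and group, undoes the base64/gzip/none transport encoding (detecting gzip by its magic bytes when the option is base64, which is this example's own detection mechanism), rejects an assertion whose NotOnOrAfter has passed (validation step 4), and collects roles from the attributes named by the comma-separated roleKey. The CertPath, certificate-validity and XML-signature checks (steps 1 to 3) are not reproduced here. The sample assertion, issuer, timestamps and header values are constructed for the example; full-match regex semantics are an assumption.

```python
import base64
import gzip
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Module options as they would be configured; header name, regex and group are
# the page's own example values.
MODULE_OPTIONS = {
    "roleKey": "Role,Membership",
    "tokenEncodingType": "base64",
    "samlTokenHttpHeader": "Authorize",
    "samlTokenHttpHeaderRegEx": r'.*"(.*)".*',
    "samlTokenHttpHeaderRegExGroup": "1",
}

# Constructed, unsigned sample assertion with a hypothetical issuer and fixed
# timestamps; it exercises only expiration and role-attribute handling.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0" IssueInstant="2013-01-01T00:00:00Z">'
    "<saml:Issuer>https://idp.example.test</saml:Issuer>"
    '<saml:Conditions NotBefore="2013-01-01T00:00:00Z" NotOnOrAfter="2013-01-01T00:05:00Z"/>'
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="Role"><saml:AttributeValue>admin</saml:AttributeValue>'
    "<saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>"
    '<saml:Attribute Name="Membership"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="mail"><saml:AttributeValue>a@example.test</saml:AttributeValue></saml:Attribute>'
    "</saml:AttributeStatement></saml:Assertion>"
)

# Constructed clock values: one inside the validity window, one at NotOnOrAfter.
EXAMPLE_NOW = datetime(2013, 1, 1, 0, 1, tzinfo=timezone.utc)
EXAMPLE_LATER = datetime(2013, 1, 1, 0, 5, tzinfo=timezone.utc)


def build_header_value(assertion_xml, encoding):
    """Build the header value a client would send, in the form SAML_assertion="..." (example only)."""
    raw = assertion_xml.encode("utf-8")
    if encoding == "none":
        payload = assertion_xml
    elif encoding == "base64":
        payload = base64.b64encode(raw).decode("ascii")
    elif encoding == "gzip":
        payload = base64.b64encode(gzip.compress(raw)).decode("ascii")
    else:
        raise ValueError("unknown tokenEncodingType: " + encoding)
    return 'SAML_assertion="%s"' % payload


def extract_token(header_value, regex, group):
    """Apply samlTokenHttpHeaderRegEx to the header and return the configured group.
    Full-match semantics (like java.util.regex.Matcher.matches()) are assumed."""
    match = re.fullmatch(regex, header_value, re.DOTALL)
    if match is None:
        raise ValueError("header does not match samlTokenHttpHeaderRegEx")
    return match.group(int(group))


def decode_token(token, encoding):
    """Undo the transport encoding; with 'base64', gzip data is detected by its magic bytes."""
    if encoding == "none":
        return token
    data = base64.b64decode(token)
    if encoding == "gzip" or (encoding == "base64" and data[:2] == b"\x1f\x8b"):
        data = gzip.decompress(data)
    return data.decode("utf-8")


def _parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_expired(assertion_xml, now):
    """True once NotOnOrAfter is reached; an assertion without an expiry is rejected too (example policy)."""
    conditions = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML_NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        return True
    return now >= _parse_utc(conditions.get("NotOnOrAfter"))


def extract_roles(assertion_xml, role_key):
    """Collect the AttributeValues of every Attribute whose Name is listed in roleKey."""
    wanted = {name.strip() for name in role_key.split(",")}
    roles = []
    for attribute in ET.fromstring(assertion_xml).iter("{%s}Attribute" % SAML_NS):
        if attribute.get("Name") in wanted:
            roles += [v.text.strip() for v in attribute.findall("{%s}AttributeValue" % SAML_NS) if v.text]
    return roles


def roles_from_request(headers, options, now):
    """Header -> token -> assertion -> roles, refusing expired assertions."""
    header_value = headers.get(options["samlTokenHttpHeader"])
    if header_value is None:
        raise ValueError("missing header " + options["samlTokenHttpHeader"])
    token = extract_token(header_value, options["samlTokenHttpHeaderRegEx"],
                          options["samlTokenHttpHeaderRegExGroup"])
    assertion_xml = decode_token(token, options["tokenEncodingType"])
    if assertion_expired(assertion_xml, now):
        raise ValueError("SAML assertion expired")
    return extract_roles(assertion_xml, options["roleKey"])


if __name__ == "__main__":
    for enc in ("base64", "gzip"):  # both decode under tokenEncodingType=base64
        headers = {"Authorize": build_header_value(SAMPLE_ASSERTION, enc)}
        print(enc, roles_from_request(headers, MODULE_OPTIONS, EXAMPLE_NOW))
```

Running it prints the same role list for a plain base64 header and for a gzip-then-base64 header, which is the "use base64 and the LoginModule will detect gzipped data" behaviour described above; moving the clock to EXAMPLE_LATER makes the same request fail with "SAML assertion expired".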

Author:
Peter Skopek: pskopek at redhat dot com

Field Summary
 
Fields inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule
assertion, credential, enableCacheInvalidation, ENDPOINT_ADDRESS, localTestingOnly, localValidationSecurityDomain, options, PASSWORD_KEY, PORT_NAME, principal, rawOptions, roleKey, securityDomain, SERVICE_NAME, STS_CONFIG_FILE, USERNAME_KEY
 
Fields inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
BASE64_TOKEN_ENCODING, GZIP_TOKEN_ENCODING, logger, NONE_TOKEN_ENCODING, REG_EX_GROUP_KEY, REG_EX_PATTERN_KEY, SAML_TOKEN_HTTP_HEADER_KEY, TOKEN_ENCODING_TYPE_KEY, tokenEncoding, WEB_REQUEST_KEY
 
Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule
callbackHandler, log, loginOk, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass
 
Constructor Summary
SAMLTokenCertValidatingLoginModule()
           
 
Method Summary
protected  KeyStore getKeyStore()
          AS7/EAP6 way of getting configured keyStore.
 
Methods inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingCommonLoginModule
abort, commit, getCacheExpiry, getIdentity, getRoleSets, initialize, login, logout, validateCertPath
 
Methods inherited from class org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenFromHttpRequestAbstractLoginModule
getCredentialFromHttpRequest, getSamlTokenHttpHeader, getSamlTokenHttpHeaderRegEx, getSamlTokenHttpHeaderRegExGroup, getTokenEncoding
 
Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule
addValidOptions, checkOptions, createGroup, createIdentity, getCallerPrincipalGroup, getUnauthenticatedIdentity, getUseFirstPass
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SAMLTokenCertValidatingLoginModule

public SAMLTokenCertValidatingLoginModule()
Method Detail

getKeyStore

protected KeyStore getKeyStore()
                        throws Exception
AS7/EAP6 way of obtaining the configured KeyStore; uses the module option localValidationSecurityDomain.

Specified by:
getKeyStore in class SAMLTokenCertValidatingCommonLoginModule
Returns:
Throws:
Exception

Copyright © 2013 JBoss by Red Hat. All Rights Reserved.