Package org.picketlink.identity.federation.bindings.jboss.auth

Source Code of org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
/*
* JBoss, Home of Professional Open Source.
* Copyright 2012, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.picketlink.identity.federation.bindings.jboss.auth;

import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.plugins.JaasSecurityDomain;

/**
* This LoginModule authenticates clients by validating their SAML assertions
* locally. If the supplied assertion contains roles, these roles are extracted
* and included in the Group returned by the getRoleSets method. The LoginModule
* is designed to validate SAML token using X509 certificate stored in XML
* signature within SAML assertion token.
*
* It validates:
* <ol>
* <li>CertPath against specified truststore. It has to have common valid public
* certificate in the trusted entries.</li>
* <li>X509 certificate stored in SAML token didn't expire</li>
* <li>if signature itself is valid</li>
* <li>SAML token expiration</li>
* </ol>
*
* This module defines the following module options:
*
* roleKey: key of the attribute name that we need to use for Roles from the
* SAML assertion. This can be a comma-separated string values such as
* (Role,Membership) localValidationSecurityDomain: the security domain for the
* trust store information (via the JaasSecurityDomain) cache.invalidation - set
* it to true if you require invalidation of JBoss Auth Cache at SAML Principal
* expiration. jboss.security.security_domain -security domain at which
* Principal will expire if cache.invalidation is used. tokenEncodingType:
* encoding type of SAML token delivered via http request's header. Possible
* values are: base64 - content encoded as base64. In case of encoding will vary
* between base64 and gzip use base64 and LoginModule will detect gzipped data.
* gzip - gzipped content encoded as base64 none - content not encoded in any
* way samlTokenHttpHeader - name of http request header to fetch SAML token
* from. For example: "Authorize" samlTokenHttpHeaderRegEx - Java regular
* expression to be used to get SAML token from "samlTokenHttpHeader". Example:
* use: ."(.)".* to parse SAML token from header content like this:
* SAML_assertion="HHDHS=", at the same time set samlTokenHttpHeaderRegExGroup
* to 1. samlTokenHttpHeaderRegExGroup - Group value to be used when parsing out
* value of http request header specified by "samlTokenHttpHeader" using
* "samlTokenHttpHeaderRegEx".
*
* @author Peter Skopek: pskopek at redhat dot com
*
*/
public class SAMLTokenCertValidatingLoginModule extends
        SAMLTokenCertValidatingCommonLoginModule {

   
    /**
     * AS5/AS6/EAP5 way of getting configured keyStore.
     * uses module-option: localValidationSecurityDomain.
     * 
     * @return
     * @throws Exception
     */
    protected KeyStore getKeyStore() throws Exception {
        // get keystore
        Context ctx = new InitialContext();
        JaasSecurityDomain sd = (JaasSecurityDomain) ctx
                .lookup(localValidationSecurityDomain);
        return sd.getTrustStore();
    }
   
}
TOP

Related Classes of org.picketlink.identity.federation.bindings.jboss.auth.SAMLTokenCertValidatingLoginModule

  • org.jboss.security.JBossJSSESecurityDomain
  • org.jboss.security.plugins.JaasSecurityDomain
  • java.security.KeyStore
  • javax.naming.Context
  • javax.naming.InitialContext
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.