com.ibm.websphere.wssecurity.callbackhandler
Class SAMLConsumeCallback
java.lang.Object
    com.ibm.websphere.wssecurity.callbackhandler.SAMLConsumeCallback

All Implemented Interfaces:
    javax.security.auth.callback.Callback
public class SAMLConsumeCallback extends java.lang.Object implements javax.security.auth.callback.Callback
This is a Callback class used to collect configuration data associated with the consumer of an incoming SAML token. Note that an incoming token (inbound request) is checked for expiration using the token's own expiration date and the clock skew between the sending and the receiving system: the token's expiration date must be later than the current time minus the clock skew value. The default clock skew is 3 minutes.
A SAML token remains valid in the process if it was valid at the time the process received that token.

See Also:
    SAMLToken, SAMLTokenFactory
Constructor Summary

Constructor and Description
    SAMLConsumeCallback()
Method Summary

Modifier and Type, Method and Description

boolean enforceAudienceRestriction()
    Returns the flag whether AudienceRestriction assertion validation is required.
boolean enforceOneTimeUse()
    Returns the flag whether OneTimeUse or DoNotCacheCondition assertion validation is required.
java.lang.String getAlias()
    Returns the alias name used by the consumer of the SAML token in its keyStore.
boolean getAllowUnencKey()
    Gets the setting for allowing an unencrypted key in a Holder of Key token.
long getClockSkew()
    Returns the time in milliseconds that is allowed for clock skew between the token issuer and the consumer.
java.lang.String getConfirmationMethod()
    Returns the ConfirmationMethod to be used when requesting/generating a SAML token.
java.util.List<java.lang.String> getCRLPaths()
java.lang.String getKeyName()
    Returns the name of the key used by the token consumer.
char[] getKeyPassword()
    Returns the password for recovering the key.
char[] getKeyStorePassword()
    Returns the password for the keyStore used by the consumer of the SAML token.
java.lang.String getKeyStorePath()
    Returns the file path for the keyStore used by the consumer of the SAML token.
java.lang.String getKeyStoreReference()
    Returns the reference name of the keyStore used by the token consumer (e.g. a service).
java.lang.String getKeyStoreType()
    Returns the type of the keyStore used by the consumer of the SAML token.
com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig getTrustedEntries()
java.util.ArrayList<java.lang.String[]> getTrustedIssuers()
java.lang.String getTrustedSTSAlias()
    Returns the alias used to locate the key used by the SAML token issuer.
char[] getTrustStorePassword()
    Returns the password for the trustStore used by the token consumer.
java.lang.String getTrustStorePath()
    Returns the file path to the trustStore used by the token consumer.
java.lang.String getTrustStoreRef()
    Returns the reference name of the trustStore used by the token consumer.
java.lang.String getTrustStoreType()
    Returns the type of the trustStore used by the token consumer.
java.util.List<java.lang.String> getX509Paths()
    Gets the set of intermediate certificate files.
boolean isSignatureRequired()
    Returns the flag whether a signature on the SAML token from the issuer is required.
boolean isTrustAnySigner()
    Returns the flag whether to trust any SAML token issuer.
void setAlias(java.lang.String alias)
    Sets the key alias name in the consumer's keyStore.
void setAllowUnencKey(boolean value)
    Sets the setting for allowing an unencrypted key in a Holder of Key token.
void setClockSkew(long time)
    Sets the time in milliseconds that is allowed for clock skew between the token issuer and the consumer.
void setConfirmationMethod(java.lang.String method)
    Sets the type of Subject ConfirmationMethod to be used by the token requester.
void setCRLPath(java.util.List value)
    Sets the revoked certificate list (CRL) files.
void setEnforceAudienceRestriction(boolean flag)
    Sets the flag whether AudienceRestriction validation is required.
void setEnforceOneTimeUse(boolean flag)
    Sets the flag whether OneTimeUse or DoNotCacheCondition validation is required.
void setIsSignatureRequired(boolean option)
    Sets the flag whether a signature by the SAML token issuer is required.
void setKeyName(java.lang.String keyName)
    Sets the name of the key used by the token consumer.
void setKeyPassword(char[] keyPassword)
    Sets the password for recovering the key.
void setKeyStorePassword(char[] keyStorePassword)
    Sets the password for the keyStore used by the consumer of the SAML token.
void setKeyStorePath(java.lang.String keyStorePath)
    Sets the file path for the keyStore used by the consumer of the SAML token.
void setKeyStoreReference(java.lang.String keyStoreRef)
    Sets the reference name of the keyStore used by the token consumer (e.g. a service).
void setKeyStoreType(java.lang.String keyStoreType)
    Sets the type of the keyStore used by the consumer of the SAML token.
void setTrustAnySigner(boolean option)
    Sets the flag whether to trust any SAML token issuer.
void setTrustedEntries(com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig te)
void setTrustedIssuers(java.util.ArrayList<java.lang.String[]> issuers)
    Deprecated.
void setTrustedSTSAlias(java.lang.String alias)
    Sets the alias name for the key used by the SAML token issuer.
void setTrustStorePassword(char[] passwd)
    Sets the password for the trustStore used by the token consumer.
void setTrustStorePath(java.lang.String path)
    Sets the file path to the trustStore used by the token consumer.
void setTrustStoreRef(java.lang.String ref)
    Sets the reference name of the trustStore used by the token consumer.
void setTrustStoreType(java.lang.String type)
    Sets the type of the trustStore used by the token consumer.
void setX509Path(java.util.List value)
    Sets the intermediate certificate file list.
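As an added example (not code from this page or from IBM), the following JAAS CallbackHandler populates a SAMLConsumeCallback with the consumer-side settings listed above so that validation is pinned to one issuer. It assumes the WS-Security runtime hands the handler a SAMLConsumeCallback, as the Callback contract implies; the truststore path, type, alias and the STS_TRUST_STORE_PASSWORD environment variable are placeholders, and withinValidity restates the expiration rule from the class description.

```java
import java.io.IOException;
import java.util.Date;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.ibm.websphere.wssecurity.callbackhandler.SAMLConsumeCallback;

/** Supplies consumer-side SAML validation settings when the runtime asks for them. */
public class StrictSamlConsumeHandler implements CallbackHandler {
    // Placeholder values for this example; point them at the real consumer trustStore.
    private static final String TRUST_STORE_PATH = "/opt/app/config/sts-trust.p12";
    private static final String TRUST_STORE_TYPE = "PKCS12";
    private static final String STS_ALIAS = "sts-signing-cert";
    private static final long CLOCK_SKEW_MS = 3L * 60L * 1000L; // documented default: 3 minutes

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof SAMLConsumeCallback)) {
                throw new UnsupportedCallbackException(cb, "only SAMLConsumeCallback is handled");
            }
            SAMLConsumeCallback saml = (SAMLConsumeCallback) cb;
            // Where the issuer's signing certificate is looked up.
            saml.setTrustStorePath(TRUST_STORE_PATH);
            saml.setTrustStoreType(TRUST_STORE_TYPE);
            saml.setTrustStorePassword(trustStorePassword());
            saml.setTrustedSTSAlias(STS_ALIAS);
            // Pin validation to that issuer: signature mandatory, never "trust any signer".
            saml.setIsSignatureRequired(true);
            saml.setTrustAnySigner(false);
            // Keep the Conditions checks on so a token minted for another audience,
            // or replayed, is rejected; "bearer" is one of the three documented methods.
            saml.setEnforceAudienceRestriction(true);
            saml.setEnforceOneTimeUse(true);
            saml.setConfirmationMethod("bearer");
            saml.setClockSkew(CLOCK_SKEW_MS);
        }
    }

    /** Reads the trustStore password from an assumed environment variable, not from source. */
    private static char[] trustStorePassword() {
        String pw = System.getenv("STS_TRUST_STORE_PASSWORD");
        if (pw == null) throw new IllegalStateException("STS_TRUST_STORE_PASSWORD is not set");
        return pw.toCharArray();
    }

    // The rule from the class description: the token is still acceptable while its
    // expiration instant is later than (current time - clock skew).
    public static boolean withinValidity(Date expiration, long nowMs, long clockSkewMs) {
        return expiration.getTime() > nowMs - clockSkewMs;
    }
}
```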
-
-
-
Method Detail

getKeyStoreReference
public java.lang.String getKeyStoreReference()
Returns the reference name of the keyStore used by the token consumer (e.g. a service).
Returns:
    reference name of the keyStore of the token consumer.

setKeyStoreReference
public void setKeyStoreReference(java.lang.String keyStoreRef)
Sets the reference name of the keyStore used by the token consumer (e.g. a service).
Parameters:
    keyStoreRef - string representing the reference name of the keyStore.

getKeyStorePath
public java.lang.String getKeyStorePath()
Returns the file path for the keyStore used by the consumer of the SAML token.
Returns:
    String that contains the path of the keyStore.

setKeyStorePath
public void setKeyStorePath(java.lang.String keyStorePath)
Sets the file path for the keyStore used by the consumer of the SAML token.
Parameters:
    keyStorePath - string representing the path to the keyStore.

getKeyStoreType
public java.lang.String getKeyStoreType()
Returns the type of the keyStore used by the consumer of the SAML token.
Returns:
    type of the keyStore.

setKeyStoreType
public void setKeyStoreType(java.lang.String keyStoreType)
Sets the type of the keyStore used by the consumer of the SAML token.
Parameters:
    keyStoreType - string representing the type of the keyStore.

getKeyStorePassword
public char[] getKeyStorePassword()
Returns the password for the keyStore used by the consumer of the SAML token.
Returns:
    character array that contains the password used to check the integrity of, or unlock, the keyStore used by the consumer of a SAML token.

setKeyStorePassword
public void setKeyStorePassword(char[] keyStorePassword)
Sets the password for the keyStore used by the consumer of the SAML token.
Parameters:
    keyStorePassword - character array that contains the password used to check the integrity of, or unlock, the keyStore for the consumer of the SAML token.
getAlias
public java.lang.String getAlias()
Returns the alias name used by the consumer of the SAML token in its keyStore.
Returns:
    string representing the key alias name.

setAlias
public void setAlias(java.lang.String alias)
Sets the key alias name in the consumer's keyStore.
Parameters:
    alias - string representing the alias name.

getKeyPassword
public char[] getKeyPassword()
Returns the password for recovering the key.
Returns:
    character array that contains the password used for recovering the key.

setKeyPassword
public void setKeyPassword(char[] keyPassword)
Sets the password for recovering the key.
Parameters:
    keyPassword - character array that contains the password for recovering the key.

getKeyName
public java.lang.String getKeyName()
Returns the name of the key used by the token consumer.
Returns:
    String that contains the name of the key.

setKeyName
public void setKeyName(java.lang.String keyName)
Sets the name of the key used by the token consumer.
Parameters:
    keyName - string that contains the name of the key.
getTrustStoreRef
public java.lang.String getTrustStoreRef()
Returns the reference name of the trustStore used by the token consumer.
Returns:
    String containing the name of the trustStore reference.

setTrustStoreRef
public void setTrustStoreRef(java.lang.String ref)
Sets the reference name of the trustStore used by the token consumer.
Parameters:
    ref - string that contains the reference name of the trustStore.

getTrustStorePath
public java.lang.String getTrustStorePath()
Returns the file path to the trustStore used by the token consumer.
Returns:
    String that contains the path to the trustStore.

setTrustStorePath
public void setTrustStorePath(java.lang.String path)
Sets the file path to the trustStore used by the token consumer.
Parameters:
    path - String that contains the path to the trustStore.

getTrustStoreType
public java.lang.String getTrustStoreType()
Returns the type of the trustStore used by the token consumer.
Returns:
    String that contains the type of the trustStore.

setTrustStoreType
public void setTrustStoreType(java.lang.String type)
Sets the type of the trustStore used by the token consumer.
Parameters:
    type - a string that contains the type of the trustStore.

getTrustStorePassword
public char[] getTrustStorePassword()
Returns the password for the trustStore used by the token consumer.
Returns:
    character array that contains the password used to check the integrity of the trustStore or to unlock it.

setTrustStorePassword
public void setTrustStorePassword(char[] passwd)
Sets the password for the trustStore used by the token consumer.
Parameters:
    passwd - a character array that contains the password used to check the integrity of the trustStore or to unlock it.
getTrustedSTSAlias
public java.lang.String getTrustedSTSAlias()
Returns the alias used to locate the key used by the SAML token issuer.
Returns:
    String that contains the alias for the key used by the issuer of the SAML token.

setTrustedSTSAlias
public void setTrustedSTSAlias(java.lang.String alias)
Sets the alias name for the key used by the SAML token issuer.
Parameters:
    alias - a string that contains the alias name.

isTrustAnySigner
public boolean isTrustAnySigner()
Returns the flag whether to trust any SAML token issuer.
Returns:
    boolean value indicating whether to trust any SAML issuer.

setTrustAnySigner
public void setTrustAnySigner(boolean option)
Sets the flag whether to trust any SAML token issuer.
Parameters:
    option - boolean for the flag whether to trust any SAML token issuer.

isSignatureRequired
public boolean isSignatureRequired()
Returns the flag whether a signature on the SAML token from the issuer is required.
Returns:
    the flag whether the SAML issuer must sign the SAML assertion. The default behavior is that a signature from the SAML issuer is required.

setIsSignatureRequired
public void setIsSignatureRequired(boolean option)
Sets the flag whether a signature by the SAML token issuer is required.
Parameters:
    option - boolean flag whether the signature by the SAML token issuer is required.
getClockSkew
public long getClockSkew()
Returns the time in milliseconds that is allowed for clock skew between the token issuer and the consumer. The clock skew is used when checking for the expiration of the token on an inbound request: the expiration time of the token must be later than the current time minus the clock skew.
Returns:
    the time in milliseconds allowed for clock skew. The default clock skew is 3 minutes.

setClockSkew
public void setClockSkew(long time)
Sets the time in milliseconds that is allowed for clock skew between the token issuer and the consumer. The clock skew is used when checking for the expiration of the token on an inbound request: the expiration time of the token must be later than the current time minus the clock skew.
Parameters:
    time - a long integer representing the clock skew value in milliseconds.

enforceOneTimeUse
public boolean enforceOneTimeUse()
Returns the flag whether OneTimeUse or DoNotCacheCondition assertion validation is required.
Returns:
    the flag whether OneTimeUse or DoNotCacheCondition assertion validation is required. The default behavior is that OneTimeUse or DoNotCacheCondition assertion validation from the SAML issuer is required.

enforceAudienceRestriction
public boolean enforceAudienceRestriction()
Returns the flag whether AudienceRestriction assertion validation is required.
Returns:
    the flag whether AudienceRestriction assertion validation is required. The default behavior is that AudienceRestriction from the SAML issuer is required.

setEnforceOneTimeUse
public void setEnforceOneTimeUse(boolean flag)
Sets the flag whether OneTimeUse or DoNotCacheCondition validation is required.
Parameters:
    flag - boolean flag whether OneTimeUse or DoNotCacheCondition validation is required.

setEnforceAudienceRestriction
public void setEnforceAudienceRestriction(boolean flag)
Sets the flag whether AudienceRestriction validation is required.
Parameters:
    flag - boolean flag whether AudienceRestriction validation is required.
getTrustedIssuers
public java.util.ArrayList<java.lang.String[]> getTrustedIssuers()
Returns:
    a list of trusted SAML issuers, each containing the Issuer name and/or the signer certificate's SubjectDN.

setTrustedIssuers
@Deprecated public void setTrustedIssuers(java.util.ArrayList<java.lang.String[]> issuers)
Deprecated.

getConfirmationMethod
public java.lang.String getConfirmationMethod()
Returns the ConfirmationMethod to be used when requesting/generating a SAML token.
Returns:
    the required Subject ConfirmationMethod. The valid values are "holder-of-key", "bearer", or "sender-vouches".

setConfirmationMethod
public void setConfirmationMethod(java.lang.String method)
Sets the type of Subject ConfirmationMethod to be used by the token requester.
Parameters:
    method - a string identifying the Subject ConfirmationMethod.
getCRLPaths
public java.util.List<java.lang.String> getCRLPaths()
Returns the list of revoked certificate list (CRL) files set with setCRLPath.

getX509Paths
public java.util.List<java.lang.String> getX509Paths()
Gets the set of intermediate certificate files.
Returns:
    list of X509 certificate files.

setX509Path
public void setX509Path(java.util.List value)
Sets the intermediate certificate file list.
Parameters:
    value - list of X509 certificate files.

setCRLPath
public void setCRLPath(java.util.List value)
Sets the revoked certificate list (CRL) files.
Parameters:
    value - list of revoked certificate list files.

setAllowUnencKey
public void setAllowUnencKey(boolean value)
Sets the setting for allowing an unencrypted key in a Holder of Key token.
Parameters:
    value - boolean flag whether to allow an unencrypted key in a Holder of Key token.

getAllowUnencKey
public boolean getAllowUnencKey()
Gets the setting for allowing an unencrypted key in a Holder of Key token. The default behavior is to allow an unencrypted key.

setTrustedEntries
public void setTrustedEntries(com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig te)

getTrustedEntries
public com.ibm.wsspi.wssecurity.core.config.TrustedEntryConfig getTrustedEntries()