Package org.apache.cxf.ws.security.trust
Class STSLoginModule
java.lang.Object
org.apache.cxf.ws.security.trust.STSLoginModule
- All Implemented Interfaces:
LoginModule
A JAAS LoginModule for authenticating a Username/Password to the STS. It can be configured
either by specifying the various options (documented below) in the JAAS configuration, or
else by picking up a CXF STSClient from the CXF bus (either the default one, or else one
that has the same QName as the service name).
-
Field Summary
- static final String CXF_SPRING_CFG: The location of a Spring configuration file that can be used to configure the STS client (for example, to configure the TrustStore if TLS is used).
- static final String DISABLE_CACHING: Whether to disable caching of validated credentials or not.
- static final String DISABLE_ON_BEHALF_OF: Whether to disable passing Username + Password credentials via "OnBehalfOf".
- static final String ENDPOINT_NAME: The Endpoint QName of the STS.
- static final String KEY_SIZE: The default key size to use if using the SymmetricKey KeyType.
- static final String KEY_TYPE: The key type to use.
- static final String REQUIRE_ROLES: Whether roles are required from the STS.
- static final String SERVICE_NAME: The Service QName of the STS.
- static final String TOKEN_TYPE: The token type to use.
- static final String WS_TRUST_NAMESPACE: The WS-Trust namespace to use.
- static final String WSDL_LOCATION: The WSDL Location of the STS.
Constructor Summary
- STSLoginModule()
Method Summary
- void initialize(Subject subj, CallbackHandler cbHandler, Map<String, ?> sharedState, Map<String, ?> options)
- boolean login()
- boolean commit()
- boolean abort()
- boolean logout()
Field Details
- REQUIRE_ROLES
Whether roles are required from the STS. If this is not set then the WS-Trust Validate binding is used. If it is set to "true" then the Issue binding is used, where the Username + Password credentials are passed via "OnBehalfOf" (unless the DISABLE_ON_BEHALF_OF property is set to "true", see below). In addition, claims are added to the request for the standard "role" ClaimType, so the roles the STS asserts for the user can be placed in the Subject.
- DISABLE_ON_BEHALF_OF
Whether to disable passing Username + Password credentials via "OnBehalfOf". If the REQUIRE_ROLES property (see above) is set to "true", then the Issue binding is used and the credentials are passed via OnBehalfOf. If this (DISABLE_ON_BEHALF_OF) property is set to "true", then the credentials are instead passed through to the WS-SecurityPolicy layer and used according to the security policy of the STS endpoint. For example, if the STS endpoint requires a WS-Security UsernameToken, then the credentials are inserted there. Check the STS endpoint's policy before enabling this: if the policy has no place for the credentials, the request to the STS will not carry them.
- DISABLE_CACHING
Whether to disable caching of validated credentials or not. The default is "false", meaning that caching is enabled. However, caching only applies when token transformation takes place, i.e. when the "require.roles" property is set to "true". While an entry is cached the STS is not contacted again for that Username + Password, so a password change or account revocation at the STS is not seen until the cached entry expires; set this to "true" if every login must be re-validated by the STS.
- WSDL_LOCATION
The WSDL Location of the STS.
- SERVICE_NAME
The Service QName of the STS.
- ENDPOINT_NAME
The Endpoint QName of the STS.
- KEY_SIZE
The default key size to use if using the SymmetricKey KeyType. Defaults to 256.
- KEY_TYPE
The key type to use. The default is the standard "Bearer" URI.
- TOKEN_TYPE
The token type to use. The default is the standard SAML 2.0 URI.
- WS_TRUST_NAMESPACE
The WS-Trust namespace to use. The default is the WS-Trust 1.3 namespace.
- CXF_SPRING_CFG
The location of a Spring configuration file that can be used to configure the STS client (for example, to configure the TrustStore if TLS is used). This is designed to be used if the service that is being secured is not CXF-based, in which case there is no CXF bus from which an STSClient can be picked up.
Constructor Details
- STSLoginModule
public STSLoginModule()
Method Details
- initialize
public void initialize(Subject subj, CallbackHandler cbHandler, Map<String, ?> sharedState, Map<String, ?> options)
Specified by: initialize in interface LoginModule. The options map carries the properties listed under Field Details; the CallbackHandler supplies the Username + Password.
- login
public boolean login() throws LoginException
Specified by: login in interface LoginModule. First phase of the JAAS two-phase login: the credentials are sent to the STS (Validate or Issue binding, see REQUIRE_ROLES). Throws LoginException if the STS rejects them.
- commit
public boolean commit() throws LoginException
Specified by: commit in interface LoginModule. Second phase: if login succeeded, the principal (and any roles returned by the STS) are added to the Subject.
- abort
public boolean abort() throws LoginException
Specified by: abort in interface LoginModule. Called instead of commit when the overall login fails; discards any state saved by login.
- logout
public boolean logout() throws LoginException
Specified by: logout in interface LoginModule. Removes the principals this module added to the Subject.
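The following is an added example, not code from the CXF project, that ties together the options described under Field Details and the login/commit/logout lifecycle described under Method Details. It drives STSLoginModule through a standard JAAS LoginContext with the configuration supplied programmatically rather than from a jaas.conf file. Only the "require.roles" option key appears on this page; the other dotted keys ("disable.on.behalf.of", "disable.caching", "wsdl.location", "service.name", "endpoint.name", "cxf.spring.config") are assumed to follow the same naming and must be checked against the constant values in the CXF version in use. The STS URL, QNames, user name and password are constructed placeholders.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not CXF code): authenticates a Username/Password against an
 * STS via STSLoginModule using a programmatic JAAS Configuration.
 */
public class StsLoginExample {

    /** Programmatic equivalent of an "sts { ... }" entry in a JAAS configuration file. */
    static Configuration stsConfiguration() {
        Map<String, String> options = new HashMap<>();
        // "require.roles" is the only key shown on the page; the remaining keys are
        // assumptions and must match the STSLoginModule constants in your CXF version.
        options.put("require.roles", "true");          // Issue binding + "role" claim requested
        options.put("disable.on.behalf.of", "false");  // credentials travel in OnBehalfOf
        options.put("disable.caching", "false");       // default: validated credentials are cached
        // Hypothetical STS endpoint and QNames; replace with your own STS WSDL.
        options.put("wsdl.location", "https://sts.example.com/SecurityTokenService/UT?wsdl");
        options.put("service.name",
            "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
        options.put("endpoint.name",
            "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UT_Port");
        // Only needed when the caller is not CXF-based; the Spring file configures the
        // STSClient, including the TLS trust store used to verify the STS certificate.
        options.put("cxf.spring.config", "sts-client.xml");

        final AppConfigurationEntry entry = new AppConfigurationEntry(
            "org.apache.cxf.ws.security.trust.STSLoginModule",
            LoginModuleControlFlag.REQUIRED, options);

        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "sts".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Answers the Name/Password callbacks the module issues from login(). */
    static CallbackHandler credentials(final String user, final char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "callback not supported");
                }
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Constructed placeholder credentials; pass real ones on the command line.
        String user = args.length > 0 ? args[0] : "alice";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        LoginContext ctx = new LoginContext("sts", new Subject(),
            credentials(user, password), stsConfiguration());
        try {
            // login(): the module sends the credentials to the STS (Issue binding here,
            // because require.roles=true); commit(): it populates the Subject.
            ctx.login();
            Subject subject = ctx.getSubject();
            System.out.println("Authenticated principals: " + subject.getPrincipals());
        } catch (LoginException e) {
            // Raised for STS rejection, TLS trust failures and policy mismatches alike;
            // the module's abort() has already discarded any partial state.
            System.err.println("STS login failed: " + e.getMessage());
            throw e;
        } finally {
            Arrays.fill(password, '\0'); // do not keep the password in memory longer than needed
        }
        ctx.logout(); // removes the principals the module added to the Subject
    }
}
```

Leaving "require.roles" unset switches the module to the Validate binding: the STS only confirms the credentials and no role claim is requested, so the Subject carries the user principal without roles. Setting "disable.on.behalf.of" to "true" moves the credentials out of OnBehalfOf and into whatever the STS endpoint's WS-SecurityPolicy calls for, so that flag only makes sense when the STS policy actually accepts a UsernameToken (or similar) from the caller.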