com.ibm.websphere.wssecurity.wssapi.token

Class SAMLTokenFactory

  • java.lang.Object
    • com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory


  • public abstract class SAMLTokenFactory
    extends java.lang.Object

    This API is used to create SAML security tokens conforming to the SAML v1.1 and SAML v2.0 standards (both token versions are supported). Subject confirmation can be based on holder-of-key (symmetric or public key) or bearer. Users can create and validate tokens, or use them to authenticate the token holder.

    The code snippets shown below demonstrate how to use this API to generate and validate SAML tokens as defined in OASIS Web Services Security: SAML Token Profile 1.1. In these samples, it is assumed that the ProviderConfig instance is created from a JVM system property, com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath, in a Java client environment. This JVM property names a properties file that contains the default values of the ProviderConfig object. In the Application Server runtime environment, the default values of the ProviderConfig object are defined by an SAMLIssuerConfig.properties file under the cell-level or server-level config directory:

    • $CELL/sts/SAMLIssuerConfig.properties
    • $SERVER/SAMLIssuerConfig.properties
    Refer to the "Configuration of a SAML token during token creation" section in the WebSphere Application Server V7 InfoCenter for a detailed description of all the properties.
    Sample code for generating SAMLToken for SAML V2.0 Bearer assertion
            SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
            
            // 1. Create a RequesterConfig object.
            RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
            // Set the Authentication method that the requester authenticated with. This is an optional parameter.
            reqData.setAuthenticationMethod("Password");    
            
            // 2. Create a CredentialConfig object which contains a NameID and Attributes in the assertion.
            CredentialConfig cred = samlFactory.newCredentialConfig();  
            // Create a SAMLNameID object for the SAMLTokenFactory to generate a NameID or NameIdentifier 
            // in the assertion.
            SAMLNameID samlNameId = new SAMLNameID("alice@websphere", "urn:oasis:names:tc:SAML:1.0:assertion#emailAddress", 
                                                   null, null, null);
            cred.setSAMLNameID(samlNameId);
            // Create a SAMLAttribute object for the SAMLTokenFactory to generate an Attribute in the assertion.
            SAMLAttribute sattribute = new SAMLAttribute("Address", new String[] {"Austin, Texas"},  null,
                                                         "IBM WebSphere namespace", null,  null);
            ArrayList<SAMLAttribute> al = new ArrayList<SAMLAttribute>();
            al.add(sattribute);
            sattribute = new SAMLAttribute("Membership", new String[] {"Blue team", "Green Team"}, null, null, null, null);
            al.add(sattribute);
            cred.setSAMLAttributes(al);             
       
            // 3. Create a ProviderConfig object which specifies the key store for SAML signing
            // and encryption, the expiration time, and issuer logic name.
            // Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath 
            // is set in a java client environment, or the default SAMLIssuerConfig.properties is updated 
            // in the Application Server runtime environment. 
            ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("WebSphere Self Issuer"); 
            
            SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);     
            
        
    Sample code for generating SAMLToken for SAML V2.0 Asymmetric holder-of-key assertion
            SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
            
            // 1. Create a RequesterConfig object.
            RequesterConfig reqData = samlFactory.newAsymmetricHolderOfKeyTokenGenerateConfig();
            // Set the Authentication method that the requester authenticated with. This is an optional parameter.
            reqData.setAuthenticationMethod("Password");    
            
            // 2. Create a CredentialConfig object which contains a NameID 
            CredentialConfig cred = samlFactory.newCredentialConfig();  
            // Create a SAMLNameID object for the SAMLTokenFactory to generate a NameID or NameIdentifier 
            // in the assertion.
            SAMLNameID samlNameId = new SAMLNameID("alice@websphere", 
                                                   "urn:oasis:names:tc:SAML:1.0:assertion#emailAddress", 
                                                    null, null, null);
            cred.setSAMLNameID(samlNameId);
       
            // 3. Create a ProviderConfig object which will specify the key store and key for 
            // signing the SAML token. The object will initialize with the settings from the 
            // SAMLIssuerConfig.properties file.  
            // The public certificate to put in the SAML HoK assertion will come from the trust store
            // configured on the trustStore property in the SAMLIssuerConfig.properties file.
            ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("WebSphere Self Issuer");
     
            // 4. (Optional) If you want to use keystore and key properties other than what 
            // is set in the SAMLIssuerConfig.properties file, reset the keystore, 
            // trust store and alias information in the ProviderConfig object.
            // Create the key information config for the private key
            KeyInformationConfig kic = samlFactory.newKeyInformationConfig("private_key", 
                                                                           "keypass", "CN=Private");
            // Create the key store config
            KeyStoreConfig ksc = samlFactory.newKeyStoreConfig("jks","/keystores/myKeystore.ks", 
                                                               "storepass");
            // Set the keystores on the saml issuer config object
            samlIssuerCfg.setKeyStoreConfig(ksc);    //keystore that holds the private key    
            samlIssuerCfg.setTrustStoreConfig(ksc);  //keystore that holds the public key
     
            // 5. In the RequesterConfig object, specify the alias for the public certificate
            // to put in the HoK assertion.  This alias must exist in the trust store configured 
            // in the previous step or in the SAMLIssuerConfig.properties file and must not 
            // require a password.  This public certificate must match the private key configured
            // in the previous step.  However, since this entry must be accessed without a password,
            // it cannot be the same alias as configured above.  It must be a separate entry in the 
            // keystore that only holds the public key information for the private key configured above.
            reqData.setKeyAliasForRequester("public_cert");
     
            // 6. Create the token
            SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);     
            
            // 7. Add the private key to the token so that the token can be used to sign 
            // elements in a SOAP message.
            // Get the private key
            WSSUtilFactory wssufactory = WSSUtilFactory.getInstance();
            KeyStore ks = wssufactory.getKeyStore("jks","/keystores/myKeystore.ks",
                                                  "storepass".toCharArray());
            Key privateKey = ks.getKey("private_key", "keypass".toCharArray());
            // Add the private key to the token
            ((com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl)samlToken).
                                                        setKey(SecurityToken.SIGNING_KEY, privateKey);
            ((com.ibm.ws.wssecurity.wssapi.token.impl.SecurityTokenImpl)samlToken).
                                                        setKey(SecurityToken.DECRYPTING_KEY, privateKey);
        
    Sample code for generating SAMLToken for SAML V2.0 Bearer assertion from Subject
            SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
            
            // 1. Create a RequesterConfig object.
            RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
            
            // 2. Create a CredentialConfig object.
            // This step assumes a SAMLToken exists on the RunAsSubject.
            // This method call will allow the SAMLTokenFactory to copy the existing SAML NameID and 
            // attributes from a SAML token in the RunAsSubject to new SAMLToken.
            // If there is no SAMLToken in the RunAsSubject, a new SAMLToken is created using the user 
            // security identity from the WSPrincipal object in the RunAsSubject.
            // Obtain the caller's RunAs Subject (WebSphere API; throws the checked WSSecurityException).
            javax.security.auth.Subject runAsSubject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
            CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);
           
            // 3. Create a ProviderConfig object which specifies the key store for SAML signing
            // and encryption, the expiration time, and issuer logic name.
            // Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath 
            // is set in a java client environment, or the default SAMLIssuerConfig.properties is updated 
            // in the Application Server runtime environment. 
            ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server"); 
                            
            SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
            
            // Get SAML assertion in XML form.        
            OMElement samlXML = ((OMStructure)samlToken.getXML()).getNode();                
        
    Sample code for generating SAMLToken for SAML V1.1 Symmetric holder-of-key assertion from Subject
            SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
            
            // 1. Create a RequesterConfig object.
            RequesterConfig reqData = samlFactory.newSymmetricHolderOfKeyTokenGenerateConfig();
            // Set the recipient's key alias, so the secret key can be encrypted for the recipient. 
            reqData.setKeyAliasForAppliesTo("SOAPRecipient");
            // Set the Authentication method that the requester authenticated with. This is an optional parameter.
            reqData.setAuthenticationMethod("Password"); 
     
            
            // 2. Create a CredentialConfig object. 
            // This step assumes a SAMLToken exists on the RunAsSubject.
            // This method call will allow the SAMLTokenFactory to copy the existing SAML NameID and 
            // attributes from a SAML token in the RunAsSubject to new SAMLToken.
            // If there is no SAMLToken in the RunAsSubject, a new SAMLToken is created using the user 
            // security identity from the WSPrincipal object in the RunAsSubject.
            // Obtain the caller's RunAs Subject (WebSphere API; throws the checked WSSecurityException).
            javax.security.auth.Subject runAsSubject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
            CredentialConfig cred = samlFactory.newCredentialConfig(runAsSubject);
           
            // 3. Create a ProviderConfig object which specifies the key store for SAML signing
            // and encryption, the expiration time, and issuer logic name.
            // Make sure the JVM system property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath 
            // is set in a java client environment, or the default SAMLIssuerConfig.properties is updated 
            // in the Application Server runtime environment. 
            ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig("Issuer name is WebSphere server");
                            
            SecurityToken samlToken = samlFactory.newSAMLToken(cred, reqData, samlIssuerCfg);
        
    Sample code for generating SAMLToken from SAML XMLStructure or InputStream
            SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV11Token11);
            // Create a ConsumerConfig object for SAML validation and parsing.
            ConsumerConfig samlConsumerCfg =  samlFactory.newConsumerConfig();
            // The following method calls are required if SAML tokens or embedded Keys are encrypted.     
            KeyStoreConfig tsc = SAMLTokenFactory.newKeyStoreConfig( "jceks", "recipient.jceks","storepass");
            samlConsumerCfg.setTrustStoreConfig(tsc);
            // Use one of the following statements to create the SAMLToken.
            // If you have the assertion in XMLStructure format (samlXml):
            SAMLToken samlTokenFromXML = samlFactory.newSAMLToken(samlConsumerCfg, samlXml); 
            // If you have the assertion available with an InputStream (samlInputStream):
            SAMLToken samlTokenFromInputStream = samlFactory.newSAMLToken(samlConsumerCfg,  samlInputStream ); 
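The following is an added example, not code from the WebSphere Javadoc, that ties the generation samples above to the validation sample: it issues a SAML 2.0 bearer assertion, serializes it the way a recipient would receive it inside a SOAP Security header, validates the received bytes through a ConsumerConfig, and maps the validated token to a JAAS Subject with newSubject. It assumes the JVM property com.ibm.webservices.wssecurity.platform.SAMLIssuerConfigDataPath points at a valid SAMLIssuerConfig.properties, that the constructed trust store name "recipient.jceks" holds the issuer's signing certificate, and that the package names for OMStructure, SAMLNameID and WSSException follow the usual WebSphere layout (the page does not state them).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import javax.security.auth.Subject;

import org.apache.axiom.om.OMElement;

import com.ibm.websphere.wssecurity.wssapi.WSSException;          // assumed package
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.ws.wssecurity.wssapi.OMStructure;                  // assumed package
import com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import com.ibm.wsspi.wssecurity.saml.config.CredentialConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;
import com.ibm.wsspi.wssecurity.saml.data.SAMLNameID;            // assumed package

/** Added example (not from the WebSphere Javadoc): issue, serialize, validate, map to a Subject. */
public class SamlBearerRoundTrip {

    /** Issuer side: build a signed SAML 2.0 bearer assertion whose NameID is the given e-mail address. */
    static SAMLToken issueBearerToken(String email) throws WSSException {
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);

        RequesterConfig reqData = factory.newBearerTokenGenerateConfig();
        reqData.setAuthenticationMethod("Password");

        CredentialConfig cred = factory.newCredentialConfig();
        cred.setSAMLNameID(new SAMLNameID(email,
                "urn:oasis:names:tc:SAML:1.0:assertion#emailAddress", null, null, null));

        // Signing key, trust store and lifetime come from SAMLIssuerConfig.properties.
        ProviderConfig issuerCfg = factory.newDefaultProviderConfig("WebSphere Self Issuer");
        return factory.newSAMLToken(cred, reqData, issuerCfg);
    }

    /** Serialize the assertion element to XML text, as it would travel on the wire. */
    static String toXmlString(SAMLToken token) {
        OMElement assertion = ((OMStructure) token.getXML()).getNode();
        return assertion.toString();   // Axiom serializes the element subtree to XML text
    }

    /**
     * Consumer side: parse and validate an assertion received as bytes. The ConsumerConfig path
     * validates, decrypts and parses; a rejected assertion surfaces as WSSException, so callers
     * never hold an unvalidated SAMLToken object.
     */
    static SAMLToken validateReceived(byte[] assertionXml) throws WSSException {
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
        ConsumerConfig consumerCfg = factory.newConsumerConfig();
        // Trust store with the issuer certificate (and the decryption key when assertions are encrypted).
        // "recipient.jceks" / "storepass" are constructed placeholders.
        KeyStoreConfig trust = SAMLTokenFactory.newKeyStoreConfig("jceks", "recipient.jceks", "storepass");
        consumerCfg.setTrustStoreConfig(trust);

        InputStream in = new ByteArrayInputStream(assertionXml);
        return factory.newSAMLToken(consumerCfg, in);
    }

    /** Map a validated token to a JAAS Subject; the principal name is the assertion's NameID.
     *  Requires SecurityPermission("wssapi.SAMLTokenFactory.newSubject") under Java 2 security. */
    static String principalNameOf(SAMLToken validated) throws WSSException {
        SAMLTokenFactory factory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
        Subject subject = factory.newSubject(validated);
        for (Principal p : subject.getPrincipals()) {
            return p.getName();
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        SAMLToken issued = issueBearerToken("alice@websphere");
        String xml = toXmlString(issued);

        SAMLToken validated = validateReceived(xml.getBytes(StandardCharsets.UTF_8));
        System.out.println("validated NameID principal: " + principalNameOf(validated));

        // Integrity check a recipient relies on: an assertion whose signed content was altered
        // after signing must not validate. The catch branch is the expected path.
        byte[] altered = xml.replace("alice@websphere", "bob@websphere").getBytes(StandardCharsets.UTF_8);
        try {
            validateReceived(altered);
            System.out.println("UNEXPECTED: altered assertion accepted; check the ConsumerConfig");
        } catch (WSSException expected) {
            System.out.println("altered assertion rejected: " + expected.getMessage());
        }
    }
}
```

The issuer and consumer sides are kept in separate methods so that the consumer half can be dropped as-is into the service that receives the assertion; only the trust store differs between the two roles.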
        
    Sample code of re-signing a SAMLToken
            SAMLTokenFactory samlFactory = SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11);
     
            // 1. Create a RequesterConfig object.
            RequesterConfig reqData = samlFactory.newBearerTokenGenerateConfig();
            -or-
            RequesterConfig reqData = samlFactory.newSenderVouchesTokenGenerateConfig();
     
            // 2. Create a ProviderConfig object which will specify the key store and key for SAML 
            // signing. The object will initialize with the settings from the SAMLIssuerConfig.properties 
            // file.
            ProviderConfig samlIssuerCfg = samlFactory.newDefaultProviderConfig();
     
            // 3. (Optional) If you want to use keystore and/or key properties other than what 
            // are set in the SAMLIssuerConfig.properties file, reset the keystore and key 
            // information in the ProviderConfig object.
            KeyStoreConfig ksc = samlFactory.newKeyStoreConfig( "jks",
                                "$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender.ks", 
                                "client");
            samlIssuerCfg.setKeyStoreConfig(ksc);
            KeyInformationConfig kic = samlFactory.newKeyInformationConfig("soaprequester", "client", 
                                                                           "SOAPRequester");
            samlIssuerCfg.setKeyInformationConfig(kic);
     
            // 4. (Optional) If you want to use issuer name/format values other than the ones 
            // specified in SamlIssuerConfig.properties, do the following: 
            samlIssuerCfg.setIssuerURI("myIssuerURI");
            samlIssuerCfg.setIssuerFormat("myIssuerFormat");  //Only supported on SAML 2.0 tokens
     
            // 5. (Optional) If you want to ensure that the original issuer is maintained on
            // the token and that issuer does not match what is in SamlIssuerConfig.properties,
            // do the following:
            samlIssuerCfg.setIssuerURI(null);
     
            // Create a new SAML token that is a clone of the original, but a new signature
            SAMLToken resignedSamlToken = samlFactory.newSAMLToken(originalSamlToken, reqData, samlIssuerCfg); 
        
    • Field Summary

      Fields 
      Modifier and Type Field and Description
      static java.security.SecurityPermission GET_NEWCREDENTIALCONFIG_PERM 
      static java.security.SecurityPermission GET_NEWSAMLTOKEN_PERM 
      static java.security.SecurityPermission GET_NEWSUBJECT_PERM 
      static java.lang.String WssSamlV11Token11
      This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory.
      static java.lang.String WssSamlV20Token11
      This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory.
    • Constructor Summary

      Constructors 
      Constructor and Description
      SAMLTokenFactory() 
    • Method Summary

      Methods 
      Modifier and Type Method and Description
      static SAMLTokenFactory getInstance(java.lang.String valueType)
      Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0).
      abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newAsymmetricHolderOfKeyTokenGenerateConfig()
      Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token.
      abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newBearerTokenGenerateConfig()
      Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain bearer type of subject confirmation.
      abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig newConsumerConfig()
      Create an empty ConsumerConfig to validate, decrypt, and parse SAMLAssertion.
      abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig()
      Create a CredentialConfig that encapsulates two main attributes: a SAML Name Identifier for the requester, and a SAML list of attributes for the requester.
      abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig(javax.security.auth.Subject subject)
      Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes.
      abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig newDefaultProviderConfig(java.lang.String stsUri)
      Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer.
      static com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig newKeyInformationConfig(java.lang.String alias, java.lang.String keyPass, java.lang.String keyName)
      Create a KeyInformationConfig that encapsulates KeyInformation configuration attributes.
      static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String ksRef)
      Create a KeyStoreConfig that encapsulates KeyStore configuration attributes.
      static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String type, java.lang.String path, java.lang.String password)
      Create a KeyStoreConfig that encapsulates KeyStore configuration attributes.
      abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, java.io.InputStream in)
      Create a SAMLToken object based on an InputStream for a SAML XML document.
      abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer, XMLStructure xml)
      Create a SAMLToken object based on an existing SAML XML document.
      abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
      Create a SAMLToken object based on the passed in parameters that include the CredentialConfig, the RequesterConfig and the ProviderConfig objects (see the methods above for content details).
      abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken)
      Create a SAMLToken object that is a clone of the input SAMLToken object.
      abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
      Create a SAMLToken object based on the input SAMLToken and new signature data.
      abstract SAMLToken newSAMLToken(javax.security.auth.Subject subject, com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request, com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
      Create a SAMLToken object based on the passed in parameters that include a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details).
      abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSenderVouchesTokenGenerateConfig()
      Create a default RequesterConfig object for a SAML assertion with sender-vouches subject confirmation.
      abstract javax.security.auth.Subject newSubject(SAMLToken aSAMLToken)
      Create a JAAS Subject based on the SAMLToken object's principal name, which is the NameId or NameIdentifier attribute defined in the SAML Assertion specification.
      abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig()
      Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • GET_NEWCREDENTIALCONFIG_PERM

        public static final java.security.SecurityPermission GET_NEWCREDENTIALCONFIG_PERM
      • GET_NEWSAMLTOKEN_PERM

        public static final java.security.SecurityPermission GET_NEWSAMLTOKEN_PERM
      • GET_NEWSUBJECT_PERM

        public static final java.security.SecurityPermission GET_NEWSUBJECT_PERM
      • WssSamlV11Token11

        public static final java.lang.String WssSamlV11Token11

        This is the key used by SAMLTokenFactory to create an instance of the SAML Version 1.1 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.

        See Also:
        Constant Field Values
      • WssSamlV20Token11

        public static final java.lang.String WssSamlV20Token11

        This is the key used by SAMLTokenFactory to create an instance of the SAML Version 2.0 token factory. It is defined in the Web Services Security SAML Token Profile 1.1.

        See Also:
        Constant Field Values
    • Constructor Detail

      • SAMLTokenFactory

        public SAMLTokenFactory()
    • Method Detail

      • getInstance

        public static SAMLTokenFactory getInstance(java.lang.String valueType)
                                            throws WSSException
        Return a SAMLTokenFactory implementation that supports the specified token type (v1.1 or v2.0).
        Parameters:
        valueType - a string that specifies the version level for the token. It can only have either of these values:
        • SAMLTokenFactory.WssSamlV11Token11 for SAML 1.1
        • SAMLTokenFactory.WssSamlV20Token11 for SAML 2.0
        Returns:
        a SAMLTokenFactory implementation that supports the specified token type.
        Throws:
        WSSException - if there is no SAMLTokenFactory class that supports the specified token type.
      • newBearerTokenGenerateConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newBearerTokenGenerateConfig()
        Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token that will contain bearer type of subject confirmation. These attributes include:
        • subject confirmation type of bearer
        • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
        Returns:
        a RequesterConfig object to build Bearer confirmation SAML assertion.
      • newSenderVouchesTokenGenerateConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSenderVouchesTokenGenerateConfig()
        Create a default RequesterConfig object for a SAML assertion that contains sender-vouches subject confirmation.
        Returns:
        a default RequesterConfig object to build a SAML assertion that contains Sender-Vouches as a subject confirmation. The main attributes encapsulated by this object are:
        • subject confirmation type of sender-vouches
        • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
      • newSymmetricHolderOfKeyTokenGenerateConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newSymmetricHolderOfKeyTokenGenerateConfig()
        Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. This object will contain holder of key type of subject confirmation using a secret key. It mainly contains these attributes:
        • subject confirmation type of holder-of-key
        • key type of symmetric (secret)
        • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
        Returns:
        a RequesterConfig object to build Holder-of-Key SAML assertion with SymmetricKey KeyType.
      • newAsymmetricHolderOfKeyTokenGenerateConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.RequesterConfig newAsymmetricHolderOfKeyTokenGenerateConfig()
        Create a default RequesterConfig object that encapsulates attributes relating to the entity requesting a SAML token. This object will contain holder of key type of subject confirmation using a public key. It mainly contains these attributes:
        • subject confirmation type of holder-of-key
        • key type of asymmetric (public)
        • version of the token to be requested (v1.1 or v2.0) for the respective token factory.
        Returns:
        a RequesterConfig object to build Holder-of-Key SAML assertion with asymmetricKey KeyType.
      • newCredentialConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig(javax.security.auth.Subject subject)
                                                                                           throws WSSException
        Create a CredentialConfig that encapsulates the identity of the requester and possibly its attributes. This object is created in preparation for using the SAML token creation methods (see below).

        This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newCredentialConfig") Java Security permission.
        Parameters:
        subject - containing the principal name and possibly attributes of the requester.
        Returns:
        a CredentialConfig object that could be used to create SAML assertion. The CredentialConfig is populated with the Name Identifier of the requester and possibly SAML attributes that may exist on the SAML token that is extracted off of the Private Credential list of the subject. If subject is null, this method will return null.
        Throws:
        WSSException
      • newCredentialConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.CredentialConfig newCredentialConfig()
                                                                                           throws WSSException
        Create a CredentialConfig that encapsulates two main attributes:
        • a SAML Name Identifier for the requester
        • a SAML list of attributes for the requester
        Returns:
        a CredentialConfig object that can be used to populate the NameID and the attributes for a requester when creating a SAML token (see below).
        Throws:
        WSSException
        See Also:
        com.ibm.wsspi.wssecurity.saml.config.CredentialConfig for how to use setter methods to populate the returned object.
      • newDefaultProviderConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.ProviderConfig newDefaultProviderConfig(java.lang.String stsUri)
                                                                                              throws WSSException
        Create a default ProviderConfig that encapsulates configuration attributes for the SAML token issuer.
        Parameters:
        stsUri - is a String that represents the SAML issuer in a SAML Assertion. In the case of WebSphere self-issued tokens, this parameter can take any value, e.g. WebSphereSelfIssuer.
        Returns:
        a default embedded ProviderConfig that encapsulates the following attributes:
        • the URI for the issuer from the passed input parameter. This can default to the string WebSphere.
        • time to live for the token expiration. Defaults to 3600000 milliseconds or 2 hours.
        • a KeyStoreConfig object encapsulating the key store info for the issuer including: the location, password, and type. For example in a WebSphere installation, one can set the type to PKCS12 and point to the keyStore: $WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/WssIP.pfx
        • a trust store configuration possibly containing the public key certificate for the recipient. Both issuer keyStore and trustStore are used to protect the SAML token as well as for the generation of holder-of-key data in the SAML assertion (see token creation API below). Configuration items for the trustStore include: type, password, and location. For example in a WebSphere installation one might set the type to PKCS12 and point to the trustStore: $WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/wssipkey.p12

          In order to change the configuration parameters for the provider in the WebSphere environment you need to edit: $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/sts/SAMLIssuerConfig.properties for the cell level. At the server level: $WAS_HOME/profiles/$PROFILE/config/cells/$CELLNAME/nodes/$NODENAME/servers/$SERVERNAME/SAMLIssuerConfig.properties

        • a KeyInformationConfig object encapsulating key store info for the issuer that includes: the key alias, password and key name.
        Throws:
        WSSException
      • newKeyStoreConfig

        public static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String type,
                                                                            java.lang.String path,
                                                                            java.lang.String password)
                                                                                     throws WSSException
        Create a KeyStoreConfig that encapsulates KeyStore configuration attributes. For example, in a WebSphere installation one can set the type to JKS and point to the keyStore using parameter strings like the following: "JKS", "$WAS_HOME/profiles/$PROFILE/etc/ws-security/samples/dsig-sender.ks", "sampleapp"
        Parameters:
        type - is a String that represents type of KeyStore
        path - is a String that represents the KeyStore file name
        password - is a String that represents the KeyStore password
        Returns:
        a default embedded KeyStoreConfig that encapsulates the following attributes: the type, location, and password.
        Throws:
        WSSException
      • newKeyStoreConfig

        public static com.ibm.wsspi.wssecurity.core.config.KeyStoreConfig newKeyStoreConfig(java.lang.String ksRef)
                                                                                     throws WSSException
        Create a KeyStoreConfig that encapsulates KeyStore configuration attributes. For example in a WebSphere installation, one can use a reference to the default keystore with a parameter string like: "name=NodeDefaultKeyStore managementScope=(cell):sampleNode01Cell:(node):sampleNode01"
        Parameters:
        ksRef - is a String that represents KeyStore reference name
        Returns:
        a default embedded KeyStoreConfig that encapsulates the KeyStore reference name.
        Throws:
        WSSException
      • newSAMLToken

        public abstract SAMLToken newSAMLToken(javax.security.auth.Subject subject,
                             com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request,
                             com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
                                        throws WSSException
        Create a SAMLToken object based on the passed in parameters that include a JAAS Subject and configuration objects for the requester and provider (see the methods above for content details). This method will copy the contents from the original SAML Token, if one exists in the Subject, to the new SAML token. NameId or NameIdentifier, SAML Attributes, and AuthenticationMethod are copied to the new SAML Token. The new SAML Token namespace, issuer, signing certificate, confirmation method and encryption key, timestamp, and lifetime are determined by the ProviderConfig and RequesterConfig parameters. When the Subject does not contain an existing SAMLToken object, this method will create a new SAML Token using the WSPrincipal name as the NameId or NameIdentifier. No other attribute will be copied from the Subject to the new SAMLToken when there was no SAML token in the Subject parameter. Use the newSAMLToken( CredentialConfig cred, RequesterConfig request, ProviderConfig providerConfig ) method if you need to add SAML Attributes in the new SAMLToken.

        This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.
        Parameters:
        subject - is mapped to the NameIdentifier and attributes in a SAML Assertion.
        request - contains data that describes what kind of assertion should be created.
        providerConfig - describes the issuer, including the signing KeyInfo and encryption KeyInfo.
        Returns:
        a SAMLToken which can then be bound to a secure service request.
        Throws:
        WSSException - if the required key and certificate cannot be found, or upon other configuration problems.
      • newSAMLToken

        public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.CredentialConfig cred,
                             com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request,
                             com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
                                        throws WSSException
        Create a SAMLToken object based on the passed-in parameters, which include the CredentialConfig, RequesterConfig, and ProviderConfig objects (see the methods above for content details).

        This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.
        Parameters:
        cred - contains the principal and attributes that will be included in the SAML Assertion.
        request - contains data that describes what kind of assertion should be created.
        providerConfig - describes the issuer, including the signing KeyInfo and encryption KeyInfo.
        Returns:
        SAMLToken
        Throws:
        WSSException - if the specified SAMLToken class cannot be found, the required key and certificate cannot be found, or upon other configuration problems.
      • newSAMLToken

        public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer,
                             XMLStructure xml)
                                        throws WSSException
        Create a SAMLToken object based on an existing SAML XML document. This method can be used to validate the XML structure representing the SAML token.
        Parameters:
        consumer - contains key information associated with the recipient of the token. This info is used to verify and/or decrypt the SAML XML document.
        xml - is a SAML XML document.
        Returns:
        a SAMLToken that can be used to initiate service requests.
        Throws:
        WSSException - if the key and certificate information cannot be found, or upon other configuration problems.
      • newSAMLToken

        public abstract SAMLToken newSAMLToken(com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig consumer,
                             java.io.InputStream in)
                                        throws WSSException
        Create a SAMLToken object based on an InputStream for a SAML XML document. This method may be used to validate the serialized SAML token read from the stream.
        Parameters:
        consumer - contains key information associated with the recipient of the token. This info is used to verify and/or decrypt the SAML XML document.
        in - an InputStream corresponding to a serialized SAML token. The caller is responsible for closing the stream.
        Returns:
        a SAMLToken that can be used to initiate service requests.
        Throws:
        WSSException - if the key and certificate information cannot be found, or upon other configuration problems.
      • newSAMLToken

        public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken,
                             com.ibm.wsspi.wssecurity.saml.config.RequesterConfig request,
                             com.ibm.wsspi.wssecurity.saml.config.ProviderConfig providerConfig)
                                        throws WSSException
        Create a SAMLToken object based on the input SAMLToken and new signature data. The new token is a clone of the original token with the signature element removed and a new signature added based on the input credentials. The issuer name and format in the ProviderConfig object default to the values in the SAMLIssuerConfig.properties file when the newDefaultProviderConfig method is invoked. The issuer and issuer format in the new token are set to the values in the ProviderConfig object unless the issuerURI is set to null; setting it to null (ProviderConfig.setIssuerURI(null)) retains the issuer of the original token.

        Time-based attributes such as IssueInstant, NotBefore, and NotOnOrAfter will not be modified from the values in the original token.

        This method can be used to re-sign a signed token after modifying attributes using SAMLToken.addAttribute and SAMLToken.deleteAttribute. This method cannot be used with an encrypted SAMLToken.

        This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSAMLToken") Java Security permission.
        Parameters:
        aSAMLToken - contains the original SAMLToken to be re-signed
        request - contains data that describes what kind of assertion should be created.
        providerConfig - describes the issuer, including the signing KeyInfo and encryption KeyInfo.
        Returns:
        a SAMLToken that can be used to initiate service requests.
        Throws:
        WSSException
      • newSAMLToken

        public abstract SAMLToken newSAMLToken(SAMLToken aSAMLToken)
        Create a SAMLToken object that is a clone of the input SAMLToken object.
        Parameters:
        aSAMLToken - SAMLToken to copy
        Returns:
        a SAMLToken that can be used to initiate service requests.
      • newSubject

        public abstract javax.security.auth.Subject newSubject(SAMLToken aSAMLToken)
                                                        throws WSSException
        Create a JAAS Subject based on the SAMLToken principal name, which is the NameId or NameIdentifier attribute of the SAML Assertion. This method looks up the user security name and group membership data from the configured user registry using the SAMLToken principal name. The SAMLToken object is added to the Subject's private credentials; none of the individual SAMLToken attributes are copied into the new Subject. The lifetime of the new Subject is determined by the LTPA timeout configuration and is independent of the SAMLToken lifetime.

        This method requires the SecurityPermission("wssapi.SAMLTokenFactory.newSubject") Java Security permission.
        Parameters:
        aSAMLToken - that contains a named principal and attributes.
        Returns:
        a Subject containing the principal and attributes from the input SAMLToken.
        Throws:
        WSSException
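        An added example, not IBM's code, that strings together three of the methods documented here: validating a serialized assertion read from an InputStream (closing the stream, as the caller must), re-signing it with the local issuer key while optionally retaining the original issuer via setIssuerURI(null), and mapping the result to a JAAS Subject with newSubject. The factory is obtained with SAMLTokenFactory.getInstance as in the page's own sample; the package of WSSException and the null argument to newDefaultProviderConfig are assumptions, and the inbound bytes are supplied by the caller.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import javax.security.auth.Subject;
import com.ibm.websphere.wssecurity.wssapi.WSSException;           // package assumed
import com.ibm.websphere.wssecurity.wssapi.token.SAMLToken;
import com.ibm.websphere.wssecurity.wssapi.token.SAMLTokenFactory;
import com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig;
import com.ibm.wsspi.wssecurity.saml.config.ProviderConfig;
import com.ibm.wsspi.wssecurity.saml.config.RequesterConfig;

/** Added example, not part of the WebSphere API: consume, re-sign, and log in with a SAML assertion. */
public class SamlReissueExample {

    /** Validate a serialized assertion. The caller owns the stream, so it is opened and closed here. */
    static SAMLToken consume(SAMLTokenFactory factory, byte[] serialized) throws WSSException, IOException {
        // Key and trust material for verification/decryption come from the ConsumerConfig; here the
        // platform defaults are used (see the ConsumerConfig documentation for explicit stores).
        ConsumerConfig consumer = factory.newConsumerConfig();
        try (InputStream in = new ByteArrayInputStream(serialized)) {
            // A signature, decryption, or structural failure surfaces as WSSException: treat it as rejection.
            return factory.newSAMLToken(consumer, in);
        }
    }

    /** Re-sign an unencrypted token with this node's key; keepOriginalIssuer=true keeps the upstream Issuer. */
    static SAMLToken resign(SAMLTokenFactory factory, SAMLToken original, boolean keepOriginalIssuer)
            throws WSSException {
        RequesterConfig request = factory.newBearerTokenGenerateConfig();
        // Assumption: a null argument selects the defaults from SAMLIssuerConfig.properties.
        ProviderConfig provider = factory.newDefaultProviderConfig(null);
        if (keepOriginalIssuer) {
            provider.setIssuerURI(null); // documented: a null issuerURI retains the original token's issuer
        }
        // IssueInstant, NotBefore and NotOnOrAfter are carried over unchanged, so an expired inbound
        // assertion is still expired after re-signing; this is not a way to extend a token's lifetime.
        return factory.newSAMLToken(original, request, provider);
    }

    /** Gateway flow: validate inbound bytes, re-sign them for this cell, and build the JAAS Subject. */
    static Subject gatewayLogin(SAMLTokenFactory factory, byte[] inboundAssertion)
            throws WSSException, IOException {
        SAMLToken inbound = consume(factory, inboundAssertion);
        SAMLToken local = resign(factory, inbound, false);
        // newSubject resolves the NameId against the user registry; the SAMLToken lands in the Subject's
        // private credentials, no SAML attributes are copied, and the lifetime follows the LTPA timeout.
        return factory.newSubject(local);
    }
}
```

        Call gatewayLogin with a factory from SAMLTokenFactory.getInstance(SAMLTokenFactory.WssSamlV20Token11) and the received assertion bytes; a WSSException from consume means the inbound token failed verification and must not be re-signed.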
      • newConsumerConfig

        public abstract com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig newConsumerConfig()
                                                                                       throws WSSException
        Create an empty ConsumerConfig used to validate, decrypt, and parse a SAML Assertion.
        Returns:
        a ConsumerConfig object.
        Throws:
        WSSException
        See Also:
        com.ibm.wsspi.wssecurity.saml.config.ConsumerConfig for how to set the consumer's keyStore and trustStore information on the newly created ConsumerConfig object.
      • newKeyInformationConfig

        public static com.ibm.wsspi.wssecurity.core.config.KeyInformationConfig newKeyInformationConfig(java.lang.String alias,
                                                                                        java.lang.String keyPass,
                                                                                        java.lang.String keyName)
                                                                                                 throws WSSException
        Create a KeyInformationConfig that encapsulates KeyInformation configuration attributes.
        Parameters:
        alias - is a String that represents the alias of the key
        keyPass - is a String that represents the password for the key
        keyName - is a String that represents the name for the key
        Returns:
        a default embedded KeyInformationConfig that encapsulates the following attributes: the alias, keyPass, and keyName.
        Throws:
        WSSException
IBM WebSphere Application Server™
Release 9.0