SecurityTokens are validated in the STS via the TokenValidator interface. It is very similar to the TokenProvider interface. It has three methods:
-
boolean canHandleToken(ReceivedToken validateTarget)- Whether this TokenValidator implementation can validate the given token -
boolean canHandleToken(ReceivedToken validateTarget, String realm)- Whether this TokenValidator implementation can validate the given token in the given realm -
TokenValidatorResponse validateToken(TokenValidatorParameters tvp)- Validate a token using the given parameters.
A client can validate a security token via the STS by invoking the "validate" operation. Assuming that the client request is authenticated and well-formed, the STS will iterate through a list of TokenValidator implementations to see if one can "handle" the received token. If one can, then that implementation is used to validate the received security token, and the validation result is returned to the client. The second "canHandleToken" method also takes a "realm" parameter.
So to support the validation of a particular token type in an STS deployment, it is necessary to specify a TokenValidator implementation that can handle that token. The STS currently ships with four TokenValidator implementations, to validate SecurityContextTokens, SAML Assertions, UsernameTokens, and BinarySecurityTokens. Before we look at these implementations, let's take a look at the "validateToken" operation in more detail. This method takes a TokenValidatorParameters instance.