Earlier in this chapter the STS provider framework in Apache CXF was introduced, and a number of interfaces were defined for each of the operations that can be invoked on the STS. Before looking at the implementations of these interfaces that ship with the STS, we will look at a base class that all of the operations extend, namely the AbstractOperation class. This class defines a number of properties that are available to every subclass, and can be accessed via set/get methods:
STSPropertiesMBean stsProperties - A configuration MBean that holds the configuration for the STS as a whole, such as information about the private key to use to sign issued tokens, etc.
boolean encryptIssuedToken - Whether to encrypt an issued token or not. The default is false.
List<ServiceMBean> services - A list of ServiceMBean objects, which correspond to "known" services, i.e. the services that the STS is prepared to issue tokens for. The AppliesTo address of an issue request is checked against them.
List<TokenProvider> tokenProviders - A list of TokenProvider implementations to use to issue tokens.
boolean returnReferences - Whether or not to return SecurityTokenReference elements that point to the issued token to the client. The default is true.
TokenStore tokenStore - A cache used to store/retrieve tokens.
List<TokenValidator> tokenValidators - A list of TokenValidator implementations to use to validate tokens.
ClaimsManager claimsManager - An object that is used to handle claims.
Several of the properties concern issuing tokens even though they are defined on the base class. This is because issuing is not confined to the issue operation: a validate request can also ask for a new token of a different type to be returned, so the token-issuing functionality is shared between the issuing and validating operations. At least one TokenProvider implementation must be configured if the STS is to support issuing a token. Some of these properties have been discussed previously, for example the TokenStore cache covered earlier; a single cache instance can be shared across a number of different operations, or each operation can be given its own. AbstractOperation also contains some common functionality to parse requests, encrypt tokens, create references to return to the client, etc.
The AbstractOperation object must be configured with an STSPropertiesMBean object. This is an interface that encapsulates some configuration common to a number of different operations of the STS:
void configureProperties() - Load and process the properties.
void setCallbackHandler(CallbackHandler callbackHandler) - Set a CallbackHandler object. This is used in the TokenProviders/TokenValidators to retrieve passwords for various purposes, for example the password of the private key used to sign issued tokens.
void setSignatureCrypto(Crypto signatureCrypto) - Set a WSS4J Crypto object to use to sign tokens, to validate signed requests, etc.
void setSignatureUsername(String signatureUsername) - Set the default signature username to use (e.g. corresponding to a keystore alias).
void setEncryptionCrypto(Crypto encryptionCrypto) - Set a WSS4J Crypto object to use to encrypt issued tokens.
void setEncryptionUsername(String encryptionUsername) - Set the default encryption username to use (e.g. corresponding to a keystore alias).
void setIssuer(String issuer) - Set the default issuer name of the STS.
void setSignatureProperties(SignatureProperties signatureProperties) - Set the SignatureProperties object corresponding to the STS.
void setRealmParser(RealmParser realmParser) - Set the object used to determine which realm a request belongs to.
void setIdentityMapper(IdentityMapper identityMapper) - Set the object used to map identities across realms.
The STS ships with a single implementation of the STSPropertiesMBean interface, StaticSTSProperties. This class has two additional methods:
void setSignaturePropertiesFile(String signaturePropertiesFile)
void setEncryptionPropertiesFile(String encryptionPropertiesFile)
If no Crypto objects are supplied to StaticSTSProperties directly, then when configureProperties() is called it will try to locate a WSS4J properties file at each of these locations, and create a WSS4J Crypto object internally from the properties that are parsed. If neither a signature Crypto object nor a signature properties file is available, the STS cannot sign the tokens it issues, so it is worth calling configureProperties() at startup to surface a missing or unreadable keystore before the first request arrives. Note that the keystore referenced from the signature properties file holds the private signing key of the STS, and the private-key password is supplied by the CallbackHandler rather than by the properties file.
A SignatureProperties object can be set on the STSPropertiesMBean. Note that this is unrelated to the signaturePropertiesFile property of StaticSTSProperties. This class provides configuration relating to the signing of an issued token, as well as to symmetric key generation. It has the following properties:
boolean useKeyValue - Whether the signature of the issued token refers to the signing key via a KeyValue (the bare public key) rather than via a reference to the signing certificate. The default is false.
long keySize - The (default) key size to use when generating a symmetric key. The default is 256 bits.
long minimumKeySize - The minimum key size to use when generating a symmetric key. The requestor can specify a KeySize value to use. The default is 128 bits.
long maximumKeySize - The maximum key size to use when generating a symmetric key. The requestor can specify a KeySize value to use. The default is 512 bits.
signatureAlgorithm - The signature algorithm used to sign the issued token when the client does not request a specific one. The default value is rsa-sha1, which should be overridden in any new deployment, as SHA-1 is no longer acceptable for signatures.
acceptedSignatureAlgorithms - The alternative signature algorithms that the STS will honour if a client requests one of them. A requested algorithm outside this list is ignored and the configured default is used instead.
c14nAlgorithm - The canonicalization algorithm (default c14n-excl-omit-comments) used when the client does not request a specific one.
acceptedC14nAlgorithms - The alternative canonicalization algorithms that the STS will honour if a client requests one of them.
For example, when the client sends a "KeySize" element to the STS when requesting a SAML Token (and sends a SymmetricKey KeyType URI), the SAMLTokenProvider will check that the requested key size lies between the minimum and maximum key sizes defined above. If it does not, the request is not rejected; the default key size is used instead.
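As a worked example, added here and not taken from the chapter or from the CXF project's own code, the following Java wires a TokenIssueOperation and a TokenValidateOperation by hand using the AbstractOperation properties, StaticSTSProperties and SignatureProperties described above, so that both operations share one STSPropertiesMBean, one TokenStore and one list of TokenProviders. The keystore alias mystskey, the passwords, the stsKeystore.properties file, the issuer and service URLs, and the use of the in-memory MemoryTokenStore from cxf-rt-ws-security as the cache are assumptions for illustration.

```java
import java.util.Collections;
import java.util.List;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.sts.SignatureProperties;
import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.operation.TokenValidateOperation;
import org.apache.cxf.sts.service.ServiceMBean;
import org.apache.cxf.sts.service.StaticService;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.TokenProvider;
import org.apache.cxf.sts.token.validator.SAMLTokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/** Hand-wired issue and validate operations. Alias, passwords, file names and URLs are assumptions. */
public class StsOperationsConfig {
    static final String STS_KEY_ALIAS = "mystskey";     // assumed keystore alias
    static final String STS_KEY_PASSWORD = "stskpass";  // assumed; read from a secret store in practice

    /** Hands WSS4J the signing key's password when it signs an issued token, and only for our alias. */
    static CallbackHandler passwordHandler() {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback
                    && STS_KEY_ALIAS.equals(((WSPasswordCallback) cb).getIdentifier())) {
                    ((WSPasswordCallback) cb).setPassword(STS_KEY_PASSWORD);
                }
            }
        };
    }

    /** STSPropertiesMBean shared by every operation. No Crypto is set directly, so StaticSTSProperties
     *  builds one from the (assumed) WSS4J properties file on the classpath in configureProperties(). */
    static StaticSTSProperties stsProperties() {
        StaticSTSProperties props = new StaticSTSProperties();
        props.setSignaturePropertiesFile("stsKeystore.properties");
        props.setSignatureUsername(STS_KEY_ALIAS);
        props.setCallbackHandler(passwordHandler());
        props.setIssuer("https://sts.example.com/SecurityTokenService");  // assumed issuer name
        props.setSignatureProperties(signatureProperties());
        return props;
    }

    /** Signing and symmetric-key policy for issued tokens. */
    static SignatureProperties signatureProperties() {
        SignatureProperties sig = new SignatureProperties();
        sig.setUseKeyValue(false);  // KeyInfo references the signing certificate, not a bare KeyValue
        // Proof keys: 256 bits unless the client requests a KeySize inside [128, 256]; out of range falls back.
        sig.setKeySize(256);
        sig.setMinimumKeySize(128);
        sig.setMaximumKeySize(256);
        // Replace the SHA-1 default with SHA-256 and honour nothing weaker from clients.
        sig.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
        sig.setAcceptedSignatureAlgorithms(
            Collections.singletonList("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
        return sig;
    }

    static TokenIssueOperation issueOperation(StaticSTSProperties props, TokenStore store,
                                              List<TokenProvider> providers) {
        // Only issue tokens for AppliesTo addresses matching this (assumed) endpoint pattern.
        StaticService service = new StaticService();
        service.setEndpoints(Collections.singletonList("https://app\\.example\\.com/.*"));
        TokenIssueOperation issue = new TokenIssueOperation();
        issue.setStsProperties(props);
        issue.setTokenProviders(providers);
        issue.setServices(Collections.<ServiceMBean>singletonList(service));
        issue.setTokenStore(store);
        issue.setEncryptIssuedToken(false);  // no encryption Crypto configured, so keep the default
        issue.setReturnReferences(true);     // client gets SecurityTokenReferences to the token
        return issue;
    }

    static TokenValidateOperation validateOperation(StaticSTSProperties props, TokenStore store,
                                                    List<TokenProvider> providers) {
        TokenValidateOperation validate = new TokenValidateOperation();
        validate.setStsProperties(props);
        validate.setTokenStore(store);  // same cache as the issue operation
        validate.setTokenValidators(Collections.<TokenValidator>singletonList(new SAMLTokenValidator()));
        validate.setTokenProviders(providers);  // a validate request may ask for a new token back
        return validate;
    }

    public static void main(String[] args) {
        StaticSTSProperties props = stsProperties();
        props.configureProperties();  // load the keystore now so a bad path fails at startup
        TokenStore store = new MemoryTokenStore();
        List<TokenProvider> providers = Collections.<TokenProvider>singletonList(new SAMLTokenProvider());
        TokenIssueOperation issue = issueOperation(props, store, providers);
        TokenValidateOperation validate = validateOperation(props, store, providers);
        // Next step: set issue and validate on a SecurityTokenServiceProvider and publish the endpoint.
    }
}
```

In a real deployment this wiring is normally expressed in Spring XML rather than Java, but the objects and setters are the same. Two choices above are deliberate: the accepted signature algorithm list contains only SHA-256, so a client that asks for rsa-sha1 gets a token signed with the configured default rather than the weaker algorithm it requested, and the maximum symmetric key size is lowered to 256 so that a KeySize the provider cannot honour is caught by the range check instead of producing an unexpectedly sized proof key.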