Request Parsing - 7.0

Talend ESB STS User Guide

The first thing any AbstractOperation implementation does on receiving a request is to call into AbstractOperation to parse it. This parsing is done by the RequestParser object, which iterates over the elements of the JAXB RequestSecurityTokenType. The request is parsed into two components, TokenRequirements and KeyRequirements, which are available from the RequestParser object and are subsequently passed on to the TokenProvider, TokenValidator, etc. objects that handle the request.

TokenRequirements

The TokenRequirements class holds a set of properties that have been extracted and parsed by RequestParser. These properties loosely relate to the token itself, rather than anything to do with keys. The properties that can be set by RequestParser are:

  • String tokenType - The desired TokenType URI. This is required if a token is to be issued.

  • Element appliesTo - The AppliesTo element that was received in the request. This normally holds a URL that indicates who the recipient of the issued token will be.

  • String context - The context attribute of the request.

  • ReceivedToken validateTarget - This object holds the contents of a received "ValidateTarget" element, i.e. a token to validate.

  • ReceivedToken onBehalfOf - This object holds the contents of a received "OnBehalfOf" element.

  • ReceivedToken actAs - This object holds the contents of a received "ActAs" element.

  • ReceivedToken cancelTarget - This object holds the contents of a received "CancelTarget" element, i.e. a token to cancel.

  • Lifetime lifetime - The requested lifetime of the issued token. This simply holds the Created and Expires values, as Strings, parsed from the request; they are not interpreted at this stage.

  • RequestClaimCollection claims - A collection of requested claims that are parsed from the request.

  • Renewing renewing - Holds the wst:Renewing semantics that were received (if any) as part of the request.

The ReceivedToken class mentioned above wraps a received token object, which can be a JAXBElement<?> or a DOM Element. If it is a JAXBElement, it must be a UsernameToken, SecurityTokenReference, or BinarySecurityToken. If it is a SecurityTokenReference pointing at a security token in the security header of the request, that referenced token is retrieved and set as the ReceivedToken instead.

KeyRequirements

The KeyRequirements class holds a set of properties that have been extracted and parsed by RequestParser. These properties contain everything to do with key handling or creation. The properties that can be set by RequestParser are:

  • String authenticationType - An optional authentication type URI. This is currently not used in the STS.

  • String keyType - The desired KeyType URI.

  • long keySize - The requested KeySize to use when generating symmetric keys.

  • String signatureAlgorithm - The requested signature algorithm to use when signing an issued token.

  • String encryptionAlgorithm - The requested encryption algorithm to use when encrypting an issued token.

  • String c14nAlgorithm - The requested canonicalization algorithm to use when signing an issued token.

  • String computedKeyAlgorithm - The computed key algorithm to use when creating a symmetric key.

  • String keywrapAlgorithm - The requested KeyWrap algorithm to use when encrypting a symmetric key.

  • X509Certificate certificate - A certificate that has been extracted from a "UseKey" element, for use in the SAML case when a PublicKey KeyType URI is specified.

  • Entropy entropy - This object holds entropy information extracted from the client request for use in generating a symmetric key. Only BinarySecret elements are currently supported.

SecondaryParameters

RequestParser also supports parsing a "SecondaryParameters" element that may be present in the request. A client typically extracts this element from the WSDL of a service provider whose policy specifies an IssuedToken, and sends it to the STS as part of the RequestSecurityToken request. Only the KeySize, TokenType, KeyType and Claims child elements are currently parsed; any other child element of SecondaryParameters is ignored.
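To make the split described in the TokenRequirements, KeyRequirements and SecondaryParameters sections concrete, the following is an added example (not code from Talend ESB or Apache CXF) that parses one WS-Trust 1.3 RequestSecurityToken into the same two groups of properties. The Python class and field names mirror the documentation; the sample request is constructed here; the rule that an element given directly in the request wins over the same element inside SecondaryParameters, and the rejection of non-BinarySecret entropy with an error, are choices of this example rather than documented STS behaviour.

```python
"""Toy model of STS request parsing: RequestSecurityToken -> TokenRequirements + KeyRequirements.

Added example, not code from Talend ESB or Apache CXF. Precedence of body elements over
SecondaryParameters is an assumption of this example.
"""
import base64
import xml.etree.ElementTree as ET  # production code should use a hardened parser (e.g. defusedxml)
from dataclasses import dataclass, field
from typing import Optional

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SECONDARY_ALLOWED = {"KeySize", "TokenType", "KeyType", "Claims"}  # only these children are honoured


@dataclass
class ReceivedToken:
    element: ET.Element  # the single element wrapped by ValidateTarget/OnBehalfOf/ActAs/CancelTarget


@dataclass
class Lifetime:
    created: Optional[str] = None  # kept as strings, not interpreted here
    expires: Optional[str] = None


@dataclass
class TokenRequirements:
    token_type: Optional[str] = None
    applies_to: Optional[ET.Element] = None
    context: Optional[str] = None
    validate_target: Optional[ReceivedToken] = None
    on_behalf_of: Optional[ReceivedToken] = None
    act_as: Optional[ReceivedToken] = None
    cancel_target: Optional[ReceivedToken] = None
    lifetime: Optional[Lifetime] = None
    claims: list = field(default_factory=list)  # requested claim type URIs
    renewing: Optional[dict] = None


@dataclass
class KeyRequirements:
    authentication_type: Optional[str] = None
    key_type: Optional[str] = None
    key_size: int = 0
    signature_algorithm: Optional[str] = None
    encryption_algorithm: Optional[str] = None
    c14n_algorithm: Optional[str] = None
    computed_key_algorithm: Optional[str] = None
    keywrap_algorithm: Optional[str] = None
    certificate: Optional[str] = None  # base64 DER taken from UseKey/ds:X509Certificate
    entropy: Optional[bytes] = None  # decoded BinarySecret


@dataclass
class ParsedRequest:
    request_type: Optional[str]
    token: TokenRequirements
    key: KeyRequirements


def _local(el): return el.tag.rsplit("}", 1)[-1]
def _ns(el): return el.tag[1:].split("}", 1)[0] if el.tag.startswith("{") else ""
def _text(el): return (el.text or "").strip()


def _single_child(el):
    kids = list(el)  # a token wrapper must carry exactly one element, anything else is malformed
    if len(kids) != 1:
        raise ValueError(f"{_local(el)} must wrap exactly one element, found {len(kids)}")
    return ReceivedToken(kids[0])


def _key_size(text):
    if not text.isdigit() or int(text) == 0:  # KeySize is an unsigned integer; refuse anything else
        raise ValueError(f"invalid KeySize {text!r}")
    return int(text)


def _claims(el):
    return [c.get("Uri") for c in el if c.get("Uri")]  # identity-dialect ClaimType/@Uri


_WRAPPERS = {"ValidateTarget": "validate_target", "OnBehalfOf": "on_behalf_of",
             "ActAs": "act_as", "CancelTarget": "cancel_target"}
_KEY_STRINGS = {"AuthenticationType": "authentication_type", "KeyType": "key_type",
                "SignatureAlgorithm": "signature_algorithm", "EncryptionAlgorithm": "encryption_algorithm",
                "CanonicalizationAlgorithm": "c14n_algorithm",
                "ComputedKeyAlgorithm": "computed_key_algorithm", "KeyWrapAlgorithm": "keywrap_algorithm"}


def parse_request(rst_xml: str) -> ParsedRequest:
    root = ET.fromstring(rst_xml)
    if (_ns(root), _local(root)) != (WST, "RequestSecurityToken"):
        raise ValueError("not a WS-Trust 1.3 RequestSecurityToken")
    tok, key = TokenRequirements(context=root.get("Context")), KeyRequirements()
    request_type, secondary = None, None
    for child in root:
        name = _local(child)
        if name == "AppliesTo":  # wsp:AppliesTo lives in a WS-Policy namespace; keep the whole element
            tok.applies_to = child
        elif _ns(child) != WST:
            continue  # unknown extension elements are ignored by this example
        elif name == "RequestType":
            request_type = _text(child)
        elif name == "TokenType":
            tok.token_type = _text(child)
        elif name in _WRAPPERS:
            setattr(tok, _WRAPPERS[name], _single_child(child))
        elif name == "Lifetime":
            tok.lifetime = Lifetime(**{_local(c).lower(): _text(c) for c in child
                                       if _local(c) in ("Created", "Expires")})
        elif name == "Claims":
            tok.claims = _claims(child)
        elif name == "Renewing":  # WS-Trust defaults: Allow=true, OK=false
            tok.renewing = {"allow": child.get("Allow", "true") == "true", "ok": child.get("OK") == "true"}
        elif name in _KEY_STRINGS:
            setattr(key, _KEY_STRINGS[name], _text(child))
        elif name == "KeySize":
            key.key_size = _key_size(_text(child))
        elif name == "UseKey":
            cert = next((c for c in child.iter() if _local(c) == "X509Certificate"), None)
            key.certificate = _text(cert) if cert is not None else None
        elif name == "Entropy":  # only BinarySecret entropy is handled, as the text describes
            kids = list(child)
            if len(kids) != 1 or _local(kids[0]) != "BinarySecret":
                raise ValueError("only BinarySecret entropy is supported")
            key.entropy = base64.b64decode(_text(kids[0]), validate=True)
        elif name == "SecondaryParameters":
            secondary = child
    if secondary is not None:
        _apply_secondary(secondary, tok, key)
    return ParsedRequest(request_type, tok, key)


def _apply_secondary(sec, tok, key):
    # Only KeySize, TokenType, KeyType and Claims are honoured; values already set from the
    # request body are not overridden (assumption of this example).
    for c in sec:
        name = _local(c)
        if _ns(c) != WST or name not in SECONDARY_ALLOWED:
            continue
        if name == "TokenType" and tok.token_type is None:
            tok.token_type = _text(c)
        elif name == "KeyType" and key.key_type is None:
            key.key_type = _text(c)
        elif name == "KeySize" and key.key_size == 0:
            key.key_size = _key_size(_text(c))
        elif name == "Claims" and not tok.claims:
            tok.claims = _claims(c)


def validate_for_issue(req: ParsedRequest) -> list:
    """Problems that would stop an Issue operation; an empty list means the request is usable."""
    problems = []
    if req.request_type and req.request_type.endswith("/Issue") and not req.token.token_type:
        problems.append("TokenType is required to issue a token")
    return problems


# Constructed sample request: KeyType in the body, TokenType/KeySize/Claims only in SecondaryParameters,
# plus a Renewing element inside SecondaryParameters that must be ignored.
SAMPLE_RST = f"""<wst:RequestSecurityToken Context="ctx-1" xmlns:wst="{WST}"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://service.example.com/doubleit</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
  <wst:KeyType>{WST}/SymmetricKey</wst:KeyType>
  <wst:Lifetime><wsu:Created>2024-01-01T00:00:00Z</wsu:Created><wsu:Expires>2024-01-01T00:30:00Z</wsu:Expires></wst:Lifetime>
  <wst:Entropy><wst:BinarySecret Type="{WST}/Nonce">AAECAwQFBgcICQoLDA0ODw==</wst:BinarySecret></wst:Entropy>
  <wst:SecondaryParameters>
    <wst:TokenType>{SAML2}</wst:TokenType>
    <wst:KeySize>256</wst:KeySize>
    <wst:KeyType>{WST}/PublicKey</wst:KeyType>
    <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"><ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/></wst:Claims>
    <wst:Renewing Allow="false"/>
  </wst:SecondaryParameters>
</wst:RequestSecurityToken>"""
# Constructed variant with no TokenType anywhere: an Issue request that must be rejected.
SAMPLE_RST_NO_TOKEN_TYPE = SAMPLE_RST.replace(f"<wst:TokenType>{SAML2}</wst:TokenType>", "")

if __name__ == "__main__":
    parsed = parse_request(SAMPLE_RST)
    print(parsed.token, parsed.key, validate_for_issue(parsed), sep="\n")
    print(validate_for_issue(parse_request(SAMPLE_RST_NO_TOKEN_TYPE)))
```

Running the block shows the body KeyType (SymmetricKey) surviving over the PublicKey value in SecondaryParameters, the SAML 2.0 TokenType, KeySize 256 and the email-address claim being picked up from SecondaryParameters, and the Renewing element inside SecondaryParameters being dropped; the second request is reported as unusable for Issue because no TokenType was supplied.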