Security tokens are renewed in the STS via the TokenRenewer interface. It has the following methods:
void setVerifyProofOfPossession(boolean verifyProofOfPossession)- A boolean switch to enable or disable the proof of possession requirement.
void setAllowRenewalAfterExpiry(boolean allowRenewalAfterExpiry)- A switch to enable or disable the ability to renew tokens after they have expired.
boolean canHandleToken(ReceivedToken renewTarget)- Whether this TokenRenewer implementation can renew the given token.
boolean canHandleToken(ReceivedToken renewTarget, String realm)- Whether this TokenRenewer implementation can renew the given token in the given realm.
- TokenRenewerResponse renewToken(TokenRenewerParameters tokenParameters) - Renew the token using the given parameters
A client can request that the STS renew a security token by invoking the "renew" operation and supplying a token under the "RenewTarget" Element. Assuming that the client request is authenticated and well-formed, the STS will first iterate through a list of TokenValidator implementations to see if they can "handle" the received token. If they can, then the implementation is used to validate the received security token. If no TokenValidator is found that can handle the RenewTarget that was received, then an exception is thrown. Note that this means that for token renewal, it is necessary to configure both a TokenValidator and TokenRenewer implementation that can handle the given token.
After the successful validation of a token, the state of the token is checked. If the state is not valid or expired, then an exception is thrown. The STS then iterates through the configured list of TokenRenewer implementations to see which can renew the given (validated) token. The token is then renewed and returned to the client.
The TokenRenewerParameters class is nothing more than a collection of configuration properties to use in renewing the token, which are populated by the STS operations using information collated from the request, or static configuration, etc. The TokenRenewerResponse class holds the results from the (successful) token renewal, including the DOM representation of the renewed token, the token Id, the new lifetime of the renewed token, and references to the renewed token.