001/** 002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 003 * 004 * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved 005 * 006 * The contents of this file are subject to the terms 007 * of the Common Development and Distribution License 008 * (the License). You may not use this file except in 009 * compliance with the License. 010 * 011 * You can obtain a copy of the License at 012 * https://opensso.dev.java.net/public/CDDLv1.0.html or 013 * opensso/legal/CDDLv1.0.txt 014 * See the License for the specific language governing 015 * permission and limitations under the License. 016 * 017 * When distributing Covered Code, include this CDDL 018 * Header Notice in each file and include the License file 019 * at opensso/legal/CDDLv1.0.txt. 020 * If applicable, add the following below the CDDL Header, 021 * with the fields enclosed by brackets [] replaced by 022 * your own identifying information: 023 * "Portions Copyrighted [year] [name of copyright owner]" 024 * 025 * $Id: TrustAuthorityConfig.java,v 1.14 2009/02/28 00:59:42 mrudul_uchil Exp $ 026 * 027 */ 028 029package com.sun.identity.wss.provider; 030 031import java.security.AccessController; 032import java.util.List; 033 034import com.sun.identity.shared.debug.Debug; 035import com.sun.identity.common.SystemConfigurationUtil; 036import com.iplanet.sso.SSOException; 037import com.iplanet.sso.SSOToken; 038import com.iplanet.sso.SSOTokenManager; 039import com.sun.identity.security.AdminTokenAction; 040 041/** 042 * This abstract class <code>TrustAuthorityConfig</code> represents the 043 * configuration of a Trusted Authority entity. 044 * 045 * <p>The Trusted Authority configuration is used to register the provider 046 * configuration information at a Trusted Authority. 047 * 048 * <p>This class can be extended to define the trust authority config 049 * such as Discovery client configuration, WS-Trust protocol based client 050 * (STS client) configuration. 051 * 052 * <p>Pluggable implementation of this abstract class can choose to store this 053 * configuration in desired configuration store. This pluggable implementation 054 * class can be configured in client's AMConfig.properties as value of 055 * "com.sun.identity.wss.discovery.config.plugin" property for Discovery client 056 * configuration and "com.sun.identity.wss.sts.config.plugin" property 057 * for STS client configuration. 058 * 059 * Having obtained an instance of TrustAuthorityConfig, its methods can be 060 * called to create, delete, modify, retrieve WSS agent profile and 061 * configuration for Discovery client or STS client attributes 062 * (key /value pairs). 063 * 064 * <p>All the static methods in this class are for the persistent 065 * operations. 066 * @supported.all.api 067 */ 068 069public abstract class TrustAuthorityConfig { 070 071 protected String endpoint; 072 protected String privateKeyAlias = null; 073 protected String publicKeyAlias = null; 074 protected String name; 075 protected String type; 076 protected List secMech = null; 077 protected boolean isResponseSigned = false; 078 protected boolean isResponseEncrypted = false; 079 protected boolean isRequestSigned = true; 080 protected boolean isRequestEncrypted = false; 081 protected boolean isRequestHeaderEncrypted = false; 082 protected List usercredentials = null; 083 protected String encryptionAlgorithm = "DESede"; 084 protected int encryptionStrength = 0; 085 protected String signingRefType = "DirectReference"; 086 087 private static Class discoveryConfigClass; 088 private static Class stsConfigClass; 089 private static Debug debug = ProviderUtils.debug; 090 protected static SSOToken customAdminToken = null; 091 092 /** 093 * Property string for the web services discovery client configuration 094 * plugin. 095 */ 096 public static final String WSS_DISCOVERY_CONFIG_PLUGIN = 097 "com.sun.identity.wss.discovery.config.plugin"; 098 099 /** 100 * Property string for the web services STS client configuration plugin. 101 */ 102 public static final String WSS_STS_CONFIG_PLUGIN = 103 "com.sun.identity.wss.sts.config.plugin"; 104 105 /** 106 * Trusted Authority client configuration type. 107 */ 108 public static final String DISCOVERY_TRUST_AUTHORITY = "DiscoveryAgent"; 109 110 public static final String STS_TRUST_AUTHORITY = "STSAgent"; 111 112 /** 113 * Returns the trust authority name. 114 * @return the name of the trust authority. 115 */ 116 public String getName() { 117 return name; 118 } 119 120 /** 121 * Sets the trust authority name. 122 * @param name the name of the trust authority. 123 */ 124 public void setName(String name) { 125 this.name = name; 126 } 127 128 /** 129 * Returns the trust authority type. 130 * @return the type of the trust authority. 131 */ 132 public String getType() { 133 return type; 134 } 135 136 /** 137 * Sets the trust authority type. 138 * @param type the type of the trust authority. 139 */ 140 public void setType(String type) { 141 this.type = type; 142 } 143 144 /** 145 * Returns the trust authority end point. 146 * 147 * @return the endpoint of the trust authority. 148 */ 149 public String getEndpoint() { 150 return endpoint; 151 } 152 153 /** 154 * Sets the trust authority end point. 155 * 156 * @param endpoint the end point for the trust authority. 157 */ 158 public void setEndpoint(String endpoint) { 159 this.endpoint = endpoint; 160 } 161 162 /** 163 * Returns the key alias for this trust authority client. 164 * 165 * @return the key alias of the trust authority client. 166 */ 167 public String getKeyAlias() { 168 return privateKeyAlias; 169 } 170 171 /** 172 * Sets the key alias for this trust authority client. 173 * 174 * @param alias the key alias for the trust authority client. 175 */ 176 public void setKeyAlias(String alias) { 177 this.privateKeyAlias = alias; 178 } 179 180 /** 181 * Returns the Public key alias for this trust authority client's partner. 182 * 183 * @return the Public key alias of the trust authority client's partner. 184 */ 185 public String getPublicKeyAlias() { 186 return publicKeyAlias; 187 } 188 189 /** 190 * Sets the Public key alias for this trust authority client's partner. 191 * 192 * @param alias the Public key alias for this trust authority client's 193 * partner. 194 */ 195 public void setPublicKeyAlias(String alias) { 196 this.publicKeyAlias = alias; 197 } 198 199 /** 200 * Sets the list of security mechanisms that the trust authority supports. 201 * @param secMech list of security mechanisms that the trust 202 * authority supports. 203 */ 204 public void setSecurityMechs(List secMech) { 205 this.secMech = secMech; 206 } 207 208 /** 209 * Returns the list of security mechanisms that the trust authority supports. 210 */ 211 public List getSecurityMech() { 212 return secMech; 213 } 214 215 /** 216 * Checks if the response needs to be signed or not. 217 * 218 * @return true if the response needs to be signed. 219 */ 220 public boolean isResponseSignEnabled() { 221 return isResponseSigned; 222 } 223 224 /** 225 * Sets the response sign enable flag. 226 * 227 * @param enable enables the response signing. 228 */ 229 public void setResponseSignEnabled(boolean enable) { 230 isResponseSigned = enable; 231 } 232 233 /** 234 * Checks if the response needs to be encrypted or not. 235 * 236 * @return true if the response needs to be encrypted. 237 */ 238 public boolean isResponseEncryptEnabled() { 239 return isResponseEncrypted; 240 } 241 242 /** 243 * Sets the response encrypt enable flag. 244 * 245 * @param enable enables the response encryption. 246 */ 247 public void setResponseEncryptEnabled(boolean enable) { 248 isResponseEncrypted = enable; 249 } 250 251 /** 252 * Checks if the request needs to be signed or not. 253 * 254 * @return true if the request needs to be signed. 255 */ 256 public boolean isRequestSignEnabled() { 257 return isRequestSigned; 258 } 259 260 /** 261 * Sets the request sign enable flag. 262 * 263 * @param enable enables the request signing. 264 */ 265 public void setRequestSignEnabled(boolean enable) { 266 isRequestSigned = enable; 267 } 268 269 /** 270 * Checks if the request needs to be encrypted or not. 271 * 272 * @return true if the request needs to be encrypted. 273 */ 274 public boolean isRequestEncryptEnabled() { 275 return isRequestEncrypted; 276 } 277 278 /** 279 * Sets the request encrypt enable flag. 280 * 281 * @param enable enables the request encryption. 282 */ 283 public void setRequestEncryptEnabled(boolean enable) { 284 isRequestEncrypted = enable; 285 } 286 287 /** 288 * Checks if the request header needs to be encrypted or not. 289 * 290 * @return true if the request header needs to be encrypted. 291 */ 292 public boolean isRequestHeaderEncryptEnabled() { 293 return isRequestHeaderEncrypted; 294 } 295 296 /** 297 * Sets the request header encrypt enable flag. 298 * 299 * @param enable enables the request header encryption. 300 */ 301 public void setRequestHeaderEncryptEnabled(boolean enable) { 302 isRequestHeaderEncrypted = enable; 303 } 304 305 /** 306 * Sets the user credentials list. 307 * @param usercredentials list of <code>PasswordCredential</code>objects. 308 */ 309 public void setUsers(List usercredentials) { 310 this.usercredentials = usercredentials; 311 } 312 313 /** 314 * Returns the list of <code>PasswordCredential</code>s of the user. 315 * 316 * @return the list of <code>PasswordCredential</code> objects. 317 */ 318 public List getUsers() { 319 return usercredentials; 320 } 321 322 /** 323 * Returns signing reference type. 324 * @return the signing reference type. 325 */ 326 public String getSigningRefType() { 327 return signingRefType; 328 } 329 330 /** 331 * Sets the signing reference type. 332 * @param refType the signing reference type. 333 */ 334 public void setSigningRefType(String refType) { 335 this.signingRefType = refType; 336 } 337 338 /** 339 * Returns the encryption algorithm. 340 * @return the encryption algorithm 341 */ 342 public String getEncryptionAlgorithm() { 343 return encryptionAlgorithm; 344 } 345 346 /** 347 * Sets the encryption algorithm. 348 * @param encAlg the encryption algorithm. 349 */ 350 public void setEncryptionAlgorithm(String encAlg) { 351 this.encryptionAlgorithm = encAlg; 352 } 353 354 /** 355 * Returns the encryption data strength. 356 * @return the encryption data strength. 357 */ 358 public int getEncryptionStrength() { 359 return encryptionStrength; 360 } 361 362 /** 363 * Sets the encryption data strength. 364 * @param keyStrength the encryption data strength. 365 */ 366 public void setEncryptionStrength(int keyStrength) { 367 this.encryptionStrength = keyStrength; 368 } 369 370 /** 371 * Initialize the trust authority. 372 * @param name the name of the trust authority. 373 * @param type the type of the trust authority. 374 * @param ssoToken Single sign-on token. 375 * @exception ProviderException if the initialization fails. 376 */ 377 protected abstract void init(String name, String type, SSOToken ssoToken) 378 throws ProviderException; 379 380 /** 381 * Saves the trust authority configuration. 382 * @exception ProviderException if the trust authority configuration 383 * is unable to save. 384 */ 385 protected abstract void store() throws ProviderException; 386 387 /** 388 * Deletes the trust authrority configuration. 389 * @exception ProviderException 390 */ 391 protected abstract void delete() throws ProviderException; 392 393 /** 394 * Returns the trust authority configuration object. 395 * 396 * @param name the name of the trust authority. 397 * @param type the type of the trust authority. The type must have 398 * one of the following values. 399 * <p> {@link #DISCOVERY_TRUST_AUTHORITY} 400 * <p> {@link #STS_TRUST_AUTHORITY} 401 * @exception ProviderException if any failure in 402 * retrieving the trust authority configuration. 403 */ 404 public static TrustAuthorityConfig getConfig(String name, String type) 405 throws ProviderException { 406 TrustAuthorityConfig config = null; 407 408 if (DISCOVERY_TRUST_AUTHORITY.equals(type)) { 409 config = getDiscoveryConfig(); 410 config.init(name, type, getAdminToken()); 411 } else if(STS_TRUST_AUTHORITY.equals(type)) { 412 config = getSTSConfig(); 413 config.init(name, type, getAdminToken()); 414 }else { 415 throw new ProviderException( 416 ProviderUtils.bundle.getString("unsupportedConfigType")); 417 } 418 return config; 419 } 420 421 /** 422 * Saves the trust authority configuration. 423 * 424 * @param config the trust authority configuration. 425 * @exception ProviderException if any failure in 426 * saving the configuration. 427 */ 428 public static void saveConfig(TrustAuthorityConfig config) 429 throws ProviderException { 430 config.store(); 431 } 432 433 /** 434 * Deletes the trust authority configuration. 435 * 436 * @param name the name of the trust authority configuration. 437 * @param type the type of the trust authority. The type must have 438 * one of the values. 439 * <p> {@link #DISCOVERY_TRUST_AUTHORITY} 440 * <p> {@link #STS_TRUST_AUTHORITY} 441 * @exception ProviderException if any failure in 442 * deleting the trust authority configuration. 443 */ 444 public static void deleteConfig(String name, String type ) 445 throws ProviderException { 446 TrustAuthorityConfig config = getConfig(name, type); 447 config.delete(); 448 } 449 450 private static DiscoveryConfig getDiscoveryConfig() 451 throws ProviderException { 452 if (discoveryConfigClass == null) { 453 String adapterName = SystemConfigurationUtil.getProperty( 454 WSS_DISCOVERY_CONFIG_PLUGIN, 455 "com.sun.identity.wss.provider.plugins.DiscoveryAgent"); 456 try { 457 discoveryConfigClass = Class.forName(adapterName); 458 } catch (Exception ex) { 459 debug.error("TrustAuthorityConfig.getDiscoveryConfig: " + 460 " Failed in creating the discovery config class."); 461 throw new ProviderException(ex.getMessage()); 462 } 463 } 464 try { 465 return ((DiscoveryConfig) discoveryConfigClass.newInstance()); 466 } catch (Exception ex) { 467 debug.error("TrustAuthorityConfig.getDiscoveryConfig: " + 468 "Failed in initialization", ex); 469 throw new ProviderException(ex.getMessage()); 470 } 471 } 472 473 private static STSConfig getSTSConfig() throws ProviderException { 474 if (stsConfigClass == null) { 475 String adapterName = SystemConfigurationUtil.getProperty( 476 WSS_STS_CONFIG_PLUGIN, 477 "com.sun.identity.wss.provider.plugins.STSAgent"); 478 try { 479 stsConfigClass = Class.forName(adapterName); 480 } catch (Exception ex) { 481 debug.error("TrustAuthorityConfig.getSTSConfig: " + 482 " Failed in creating the STS config class."); 483 throw new ProviderException(ex.getMessage()); 484 } 485 } 486 487 try { 488 return ((STSConfig) stsConfigClass.newInstance()); 489 } catch (Exception ex) { 490 debug.error("TrustAuthorityConfig.getSTSConfig: " + 491 "Failed in initialization", ex); 492 throw new ProviderException(ex.getMessage()); 493 } 494 } 495 496 private static SSOToken getAdminToken() throws ProviderException { 497 if(customAdminToken != null) { 498 return customAdminToken; 499 } 500 SSOToken adminToken = null; 501 try { 502 adminToken = (SSOToken) AccessController.doPrivileged( 503 AdminTokenAction.getInstance()); 504 505 if(adminToken != null) { 506 if (!SSOTokenManager.getInstance().isValidToken(adminToken)) { 507 if (ProviderUtils.debug.messageEnabled()) { 508 ProviderUtils.debug.message("TrustAuthorityConfig." + 509 "getAdminToken:" + "AdminTokenAction returned " + 510 " expired or invalid token, trying again..."); 511 } 512 adminToken = (SSOToken) AccessController.doPrivileged( 513 AdminTokenAction.getInstance()); 514 } 515 } 516 } catch (SSOException se) { 517 ProviderUtils.debug.message( 518 "TrustAuthorityConfig.getAdminToken: Trying second time.."); 519 adminToken = (SSOToken) AccessController.doPrivileged( 520 AdminTokenAction.getInstance()); 521 } 522 523 return adminToken; 524 } 525 526 /** 527 * Sets the admin token. 528 * This admin token is required to be set if "create", "delete" or "save" 529 * operations are invoked on this <code>TrustAuthorityConfig</code> object. 530 * This admin token needs to be the valid SSOToken of the user who has 531 * "Agent Administrator" privileges. 532 * 533 * @param adminToken the agent admin token. 534 */ 535 public void setAdminToken(SSOToken adminToken) { 536 this.customAdminToken = adminToken; 537 } 538}