SecurityTokenService - STS


SecurityTokenService (STS)

Responsibility

The scalable secure session control

Details
  • Session state
  • Usertoken generation
  • Usertoken / UserTicket / user credential verification
  • Application credential verification
  • Application token generation

Integration endpoints

UserToken API

The JAX-RS resource for usertokens. Only the annotations, javadoc and return statements are shown; method signatures and bodies are marked with "// ...".

@Path("/user")

    @Path("/usertoken_template")
    @GET
    @Produces(MediaType.APPLICATION_XML)
    public Response getUserTokenTemplate() {
        return Response.ok(new Viewable("/usertoken.ftl", new UserToken())).build();
    }

    /**
     * @param applicationtokenid the current application wanting to authenticate the user.
     * @param appTokenXml the token representing the application the user wants to access.
     * @param userCredentialXml
     * @return the usertoken, rendered with usertoken.ftl
     */
    @Path("/{applicationtokenid}/usertoken")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_XML)
    // ...
        return Response.ok(new Viewable("/usertoken.ftl", token)).build();

    /**
     * Log in a user by his/her usercredentials and register the given userticket in the
     * ticket map for session handover.
     *
     * @param applicationtokenid
     * @param userticket
     * @param appTokenXml
     * @param userCredentialXml
     * @return the usertoken, rendered with usertoken.ftl
     */
    @Path("/{applicationtokenid}/{userticket}/usertoken")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_XML)
    // ...
        return Response.ok(new Viewable("/usertoken.ftl", usertoken)).build();

    /**
     * Verify that a usertoken and its user session are still valid. Usually used on
     * application re-entry and before allowing a user into important and critical
     * processes like monetary transactions.
     *
     * @param applicationtokenid
     * @param userTokenXml
     * @return 200 OK when the usertoken is valid
     */
    @Path("/{applicationtokenid}/validate_usertoken")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    // ...
        return Response.ok().build();

    @Path("/{applicationtokenid}/validate_usertokenid/{usertokenid}")
    @GET
    // ...
        return Response.ok().build();

    /**
     * Used to create a userticket for a user, to transfer a session between Whydah SSO apps.
     *
     * @param applicationtokenid
     * @param appTokenXml
     * @param userticket
     * @param userTokenId
     * @return the usertoken, rendered with usertoken.ftl
     */
    @Path("/{applicationtokenid}/create_userticket_by_usertokenid")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    // ...
        return Response.ok(new Viewable("/usertoken.ftl", userToken)).build();

    /**
     * Used to get the usertoken from a usertokenid, which the application usually
     * stores in its secure cookie.
     *
     * @param applicationtokenid
     * @param appTokenXml
     * @param userTokenId
     * @return the usertoken, rendered with usertoken.ftl
     */
    @Path("/{applicationtokenid}/get_usertoken_by_usertokenid")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_XML)
    // ...
        return Response.ok(new Viewable("/usertoken.ftl", userToken)).build();

    /**
     * Look up a user by a one-time userticket; usually the first thing an application
     * does after receiving the SSO redirect back from SSOLoginWebApplication.
     *
     * @param applicationtokenid
     * @param appTokenXml
     * @param userticket
     * @return the usertoken, rendered with usertoken.ftl
     */
    @Path("/{applicationtokenid}/get_usertoken_by_userticket")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    // ...
        return Response.ok(new Viewable("/usertoken.ftl", userToken)).build();

    /**
     * Force cross-application/SSO session logout. Use with extreme care, as users hate
     * the resulting user experience.
     *
     * @param applicationtokenid
     * @param userTokenID
     * @return
     */
    @Path("/{applicationtokenid}/release_usertoken")
    @POST
    // ...

    /**
     * Elevates user access to a higher level for the receiving end of a session handover
     * between SSO applications.
     *
     * @param applicationtokenid
     * @param userTokenXml
     * @param newAppToken
     * @return
     */
    @Path("/{applicationtokenid}/transform_usertoken")
    @POST
    // ...

    /**
     * The SSOLoginWebApplication backend for 3rd-party UserTokens. Receives a new user,
     * creates a Whydah UserIdentity with the corresponding default roles (UAS|UIB) and
     * creates a new session with a one-time userticket for handover to the receiving
     * SSO applications.
     *
     * @param applicationtokenid
     * @param userticket
     * @param appTokenXml
     * @param userCredentialXml
     * @param thirdPartyUserTokenXml typically a Facebook user token or another OAuth2 usertoken
     * @return
     */
    @Path("/{applicationtokenid}/{userticket}/create_user")
    @POST
    // ...
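The session handover the endpoints above describe (login, one-time userticket, validation on re-entry, forced release), modelled offline as an added example; this is not Whydah's code, and SessionStore, its method names and the TTL values are this example's own assumptions.

```python
import secrets
import time


class SessionStore:
    """In-memory usertoken map plus one-time userticket map (assumed design)."""

    def __init__(self, token_ttl=3600, ticket_ttl=30, clock=time.monotonic):
        self.clock = clock            # injectable clock so expiry can be tested offline
        self.token_ttl = token_ttl    # usertoken (session) lifetime in seconds
        self.ticket_ttl = ticket_ttl  # a ticket only needs to survive the redirect hop
        self.tokens = {}              # usertokenid -> (username, expires_at)
        self.tickets = {}             # userticket  -> (usertokenid, expires_at)

    def create_usertoken(self, username):
        """Login: register a new user session and return its usertokenid."""
        usertokenid = secrets.token_urlsafe(24)
        self.tokens[usertokenid] = (username, self.clock() + self.token_ttl)
        return usertokenid

    def validate_usertokenid(self, usertokenid):
        """Re-entry check before critical operations: is the session still valid?"""
        entry = self.tokens.get(usertokenid)
        if entry is None or entry[1] <= self.clock():
            self.tokens.pop(usertokenid, None)  # purge expired sessions eagerly
            return False
        return True

    def create_userticket_by_usertokenid(self, usertokenid):
        """Issue a one-time ticket for handing this session to another SSO app."""
        if not self.validate_usertokenid(usertokenid):
            return None
        userticket = secrets.token_urlsafe(24)
        self.tickets[userticket] = (usertokenid, self.clock() + self.ticket_ttl)
        return userticket

    def get_usertoken_by_userticket(self, userticket):
        """Redeem a ticket; it is removed on first use so a replayed redirect fails."""
        entry = self.tickets.pop(userticket, None)
        if entry is None or entry[1] <= self.clock():
            return None
        usertokenid, _ = entry
        return usertokenid if self.validate_usertokenid(usertokenid) else None

    def release_usertoken(self, usertokenid):
        """Forced SSO logout: drop the session and every ticket that points at it."""
        self.tokens.pop(usertokenid, None)
        self.tickets = {t: e for t, e in self.tickets.items() if e[0] != usertokenid}
```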

ApplicationToken API

As above, only annotations and return statements are shown; elided code is marked with "// ...".

    @Path("/")
    @GET
    @Produces(MediaType.TEXT_HTML)
    // ...
        if ("enabled".equals(appConfig.getProperty("testpage"))) {
            return Response.ok().entity(new Viewable("/testpage.html.ftl", model)).build();
        } else {
            return Response.ok().entity(new Viewable("/html/prodwelcome.html")).build();
        }

    @Path("/applicationtokentemplate")
    @GET
    @Produces(MediaType.APPLICATION_XML)
    // ...
        return Response.ok().entity(template.toXML()).build();

    @Path("/applicationcredentialtemplate")
    @GET
    @Produces(MediaType.APPLICATION_XML)
    // ...
        return Response.ok().entity(template.toXML()).build();

    @Path("/usercredentialtemplate")
    @GET
    @Produces(MediaType.APPLICATION_XML)
    // ...
        return Response.ok().entity(template.toXML()).build();

    @Path("/logon")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.APPLICATION_XML)
    // ...
        return Response.ok().entity(applicationTokenXml).build();

    @Path("{applicationtokenid}/validate")
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    // ...
        return Response.ok().build();


Configuration properties

The STS artefact contains default properties for each IAM_MODE in use. In PROD, use an external config; the embedded defaults exist but are not recommended there, and the PROD values below are examples. TEST and DEV use the embedded default values.

myuri
    PROD: http://myserver.net/tokenservice/
    TEST: http://localhost:9998/tokenservice/
    DEV:  http://localhost:9998/tokenservice/
    The URI to this instance of STS.

service.port
    PROD: 9998
    TEST: 9998
    DEV:  9998
    Port for this service.

useridbackendUri
    PROD: http://myservice/uib/
    TEST: http://localhost:9995/uib/
    DEV:  http://localhost:9995/uib/
    URL to the useridentity backend (UIB).

testpage
    PROD: disabled
    TEST: enabled
    DEV:  enabled
    Whether or not to enable the testpage. Its URL is printed when you start the service with the testpage enabled.

logourl
    PROD: http://stocklogos.com/somelogo.png
    TEST: http://stocklogos.com/somelogo.png
    DEV:  http://stocklogos.com/somelogo.png
    A logo to display, just for the kicks of it.

Additional info

  • Hazelcast + Apache mod_balance to share state.