View Source

h2. SecurityTokenService (STS)

h4. Responsibility

{excerpt}
The scalable secure session control
{excerpt}

h6. Details

* Session state
* Usertoken generation
* Usertoken / UserTicket / user credential verification
* Application credential verification
* Application token generation

h4. Integration endpoints


*UserToken API*
{code}
@Path("/user")

@Path("/usertoken_template")
@GET
@Produces(MediaType.APPLICATION_XML)
public Response getUserTokenTemplate() {
return Response.ok(new Viewable("/usertoken.ftl", new UserToken())).build();
}

/**
*
*
* @param applicationtokenid the current application wanting to authenticate the user.
* @param appTokenXml the token representing the application the user want to access.
* @param userCredentialXml
* @return
*/
@Path("/{applicationtokenid}/usertoken")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_XML)
return Response.ok(new Viewable("/usertoken.ftl", token)).build();

/**
* Login in user by his/her usercredentials and register its ticket in the ticket-map for session handover
*
* @param applicationtokenid
* @param userticket
* @param appTokenXml
* @param userCredentialXml
* @return
*/
@Path("/{applicationtokenid}/{userticket}/usertoken")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_XML)
return Response.ok(new Viewable("/usertoken.ftl", usertoken)).build();


/**
* Verify that a usertoken and a user session is still valid. Usually used for application re-entries and before allowing
* a user important and critical processes like monetary transactions
*
*
* @param applicationtokenid
* @param userTokenXml
* @return
*/
@Path("/{applicationtokenid}/validate_usertoken")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
return Response.ok().build();



@Path("/{applicationtokenid}/validate_usertokenid/{usertokenid}")
@GET
return Response.ok().build();

/**
* Used to create a userticket for a user to transfer a session between whydah SSO apps
*
* @param applicationtokenid
* @param appTokenXml
* @param userticket
* @param userTokenId
* @return
*/
@Path("/{applicationtokenid}/create_userticket_by_usertokenid")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
return Response.ok(new Viewable("/usertoken.ftl", userToken)).build();


/**
* Used to get the usertoken from a usertokenid, which the application usually stores in its secure cookie
*
* @param applicationtokenid
* @param appTokenXml
* @param userTokenId
* @return
*/
@Path("/{applicationtokenid}/get_usertoken_by_usertokenid")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_XML)
return Response.ok(new Viewable("/usertoken.ftl", userToken)).build();

/**
* Lookup a user by a one-time userticket, usually the first thing we do after receiving a SSO redirect back to
* an application from SSOLoginWebApplication
*
*
* @param applicationtokenid
* @param appTokenXml
* @param userticket
* @return
*/
@Path("/{applicationtokenid}/get_usertoken_by_userticket")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
return Response.ok(new Viewable("/usertoken.ftl", userToken)).build();

/**
* Force cross-applications/SSO session logout. Use with extreme care as the user's hate the resulting user experience..
*
* @param applicationtokenid
* @param userTokenID
* @return
*/
@Path("/{applicationtokenid}/release_usertoken")
@POST

/**
* This method is for elevating user access to a higher level for the receiving end of a session handover between SSO applications
*
* @param applicationtokenid
* @param userTokenXml
* @param newAppToken
* @return
*/
@Path("/{applicationtokenid}/transform_usertoken")
@POST




/**
* The SSOLoginWebApplication backend for 3rd party UserTokens. Receive a new user, create a Whydah UserIdentity with
* the corresponding defaultroles (UAS|UIB) and create a new session with a one-time userticket for handover to receiving
* SSO applications
*
* @param applicationtokenid
* @param userticket
* @param appTokenXml
* @param userCredentialXml
* @param thirdPartyUserTokenXml typically facebook user-token or other oauth2 usertoken
* @return
*/
@Path("/{applicationtokenid}/{userticket}/create_user")
@POST
{code}
-----
*ApplicationToken API*
{code}
@Path("/")
@GET
@Produces(MediaType.TEXT_HTML)
if ("enabled".equals(appConfig.getProperty("testpage"))) {
return Response.ok().entity(new Viewable("/testpage.html.ftl", model)).build();
} else {
return Response.ok().entity(new Viewable("/html/prodwelcome.html")).build();
}


@Path("/applicationtokentemplate")
@GET
@Produces(MediaType.APPLICATION_XML)
return Response.ok().entity(template.toXML()).build();

@Path("/applicationcredentialtemplate")
@GET
@Produces(MediaType.APPLICATION_XML)
return Response.ok().entity(template.toXML()).build();

@Path("/usercredentialtemplate")
@GET
@Produces(MediaType.APPLICATION_XML)
return Response.ok().entity(template.toXML()).build();

@Path("/logon")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_XML)
return Response.ok().entity(applicationTokenXml).build();

@Path("{applicationtokenid}/validate")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
return Response.ok().build();

{code}
-----


h3. Configuration properties
The STS Artefact contains default properties for the different [IAM_MODE]'s being used.
<- Indicates same value as the one to the right.

||Property || Example values PROD \\Use external config \\Exists as embedded - not recommended || Default values TEST || Default values DEV || Comment ||
|*myuri*|http://myserver.net/tokenservice/ | http://localhost:9998/tokenservice/ | http://localhost:9998/tokenservice/ | The URI to this instance of STS |
|*service.port*|9998|<- | <- | Port for this service |
|*useridbackendUri*| http://myservice/uib/ | http://localhost:9995/uib/ | http://localhost:9995/uib/ | URL to useridentity backend |
|*testpage*|disabled|enabled|enabled| Whether or not to enable the testpage. The url is printed when you start the service with it enabled. |
|*logourl*|http://stocklogos.com/somelogo.png| <- | <- | A logo to display for the kicks of it |

h3. Additional info
* HazelCast + Apache mod_balance to share state.