Author: dimuthul
Date: Sun Dec 9 22:06:45 2007
New Revision: 10760
Log:
Relying party developer guide
Modified:
trunk/solutions/identity/modules/documentation/src/site/xdoc/rp_developer_guide.xml
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyFilter.java
Modified:
trunk/solutions/identity/modules/documentation/src/site/xdoc/rp_developer_guide.xml
==============================================================================
---
trunk/solutions/identity/modules/documentation/src/site/xdoc/rp_developer_guide.xml
(original)
+++
trunk/solutions/identity/modules/documentation/src/site/xdoc/rp_developer_guide.xml
Sun Dec 9 22:06:45 2007
@@ -29,8 +29,8 @@
<h2>Configuration Steps</h2>
-<ul>
-<li>Step 1 : Add the servlet filter to you application</li>
+<p></p>
+<h3>Step 1 : Add the servlet filter to you application</h3>
<p>Include the following entry in the web.xml file of the application:</p>
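Review bot: the new `<h3>` keeps the typo from the old list item, "Add the servlet filter to you application" should read "your application"; and the empty `<p></p>` added just above it carries no content now that the `<ul>` wrapper is gone, so it can be dropped rather than left as spacing.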
@@ -39,10 +39,15 @@
<filter>
<filter-name>TokenValidator</filter-name>
<filter-class>org.wso2.solutions.identity.relyingparty.servletfilter.RelyingPartyFilter</filter-class>
- <init-param>
- <param-name>config-file</param-name>
- <param-value>/path/to/config.xml</param-value>
+ <init-param>
+ <param-name> ................ </param-name>
+ <param-value> ............... </param-value>
+ </init-param>
+ <init-param>
+ ......................
</init-param>
+ ......................
+ ......................
</filter>
<filter-mapping>
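Review bot: replacing the concrete `config-file` init-param with rows of dots removes the only copy-and-paste example a reader had; show at least the mandatory parameters by name here, e.g. `<param-name>Keystore</param-name>` and `<param-name>StorePass</param-name>`, so the snippet lines up with the parameter table introduced later in this commit. The placeholder `<param-name> ................ </param-name>` also has padding spaces inside the element, which a real example should not copy.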
@@ -50,34 +55,97 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
]]></pre>
-
-<li>Step 2 : Servler filter configuration file</li>
-<pre><![CDATA[
-<RPConfig>
- <ServiceKey>
- <Keystore>/path/to/keystore</Keystore>
- <StorePass>your_keystore_password</StorePass>
- <KeyAlias>alias_of_private_key</KeyAlias>
- <KeyPass>password_of_private_key</KeyPass>
- <StoreType>keystore_type_(JKS_or_PKCS12)</StoreType>
- </ServiceKey>
-
<VerifierService>http://localhost:12080/wsas/services/RelyingPartyService</VerifierService>
-</RPConfig>
-]]>
-
-</pre>
-
-In the above configuration there are two main configuration elements :
-<ol>
-<li>Private key of the web application</li>
-<li>Token verifier service endpoint address</li>
-The token verifier service is available with the identity provider of
-identity solution. Endpoint address can be found <a href="../wsas/">here</a>.
-</ol>
<br/>
+<br/>
+Add the following as init-params to the web.xml
+<br/>
+<br/>
+<table>
+ <tr>
+ <th>ParameterName</th>
+ <th>Required</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>Keystore</td>
+ <td>Yes</td>
+ <td>Relative path to the keystore holding private key</td>
+ </tr>
+ <tr>
+ <td>StorePass</td>
+ <td>Yes</td>
+ <td>Password to the keystore holding private key</td>
+ </tr>
+ <tr>
+ <td>KeyAlias</td>
+ <td>Yes</td>
+ <td>Private key alias</td>
+ </tr>
+ <tr>
+ <td>KeyPass</td>
+ <td>Yes</td>
+ <td>Private key pass</td>
+ </tr>
+ <tr>
+ <td>StoreType</td>
+ <td>Yes</td>
+ <td>Store type of the keystore holding private key - e.g.
JDK</td>
+ </tr>
+ <tr>
+ <td>TrustedIdP.KeyStore</td>
+ <td></td>
+ <td>Relative path to the trusted keystore</td>
+ </tr>
+ <tr>
+ <td>TrustedIdP.StorePass</td>
+ <td>If TokenValidationPolicy is NOT Promiscuous</td>
+ <td>Trust store password</td>
+ </tr>
+ <tr>
+ <td>TrustedIdP.StoreType</td>
+ <td>If TokenValidationPolicy is NOT Promiscuous</td>
+ <td>Trust store type</td>
+ </tr>
+ <tr>
+ <td>MultiValueClaimsPolicy</td>
+ <td>No - default applied</td>
+ <td>Must be either MultiValueClaimsAllowed or
MultiValueClaimsNotAllowed. Default is MultiValueClaimsNotAllowed</td>
+ </tr>
+ <tr>
+ <td>IssuerPolicy</td>
+ <td>No - default applied</td>
+ <td>Must be one of SelfAndManaged, Self, Managed. Default is
self and managed</td>
+ </tr>
+ <tr>
+ <td>TokenValidationPolicy</td>
+ <td>No - default applied</td>
+ <td>Must be one of Promiscuous, WhiteList, BlackList,
CertValidate. Default is CertValidate. Please read more about this below.</td>
+ </tr>
+ <tr>
+ <td>WhiteList</td>
+ <td>Yes, if TokenValidationPolicy is WhiteList</td>
+ <td>This is required to indicate the list of allowed DNs. If
not specified in WhiteList mode none of the users can login</td>
+ </tr>
+ <tr>
+ <td>BlackList</td>
+ <td>Yes, if TokenValidationPolicy is BlackList</td>
+ <td>This is required to indicate the list of rejected DNs. If
not specified in BlackList mode all users who pass CertValidity can login</td>
+ </tr>
+</table>
-<li>Step 3 : Add the information card login page</li>
-
+<br/>
+<br/>
+<strong>TokenValidationPolicy</strong>
+<p>There are 4 modes of token validations.</p>
+<ul>
+ <li>Promiscuous - In this mode, all tokens that has a valid signature
are allowed</li>
+ <li>CertValidate - In this mode, all tokens that has a valid signarue
by an IDP who has a trusted certificate are allowed</li>
+ <li>WhiteList - First CertValidity checked and after that if the issuer
DN is in the white list, the token is allowed</li>
+ <li>BlackList - First CertValidity checked and after that if the issuer
DN is not listed in the BlackList, the token is allowed</li>
+</ul>
+<br/>
+<h3>Step 2 : Add the information card login page</h3>
+<br/>
The user loing page must contain a form with an <strong>object</strong> tag as
shown below:
<pre><![CDATA[
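Review bot: moving the private-key password (`KeyPass`, `StorePass`) and trust-store password (`TrustedIdP.StorePass`) from the separate RPConfig file into `web.xml` init-params means the deployment descriptor now holds secrets; the guide should say so and point out that `web.xml` then needs the same file permissions and handling as the old config file. Several table entries also need tightening: "Relative path to the keystore" does not say relative to what (web application root or working directory); `StoreType ... e.g. JDK` should be `JKS`, matching the `JKS_or_PKCS12` hint that was deleted; `TrustedIdP.KeyStore` has an empty Required cell while the other two `TrustedIdP.*` rows say "If TokenValidationPolicy is NOT Promiscuous"; and "Default is self and managed" should name the literal value `SelfAndManaged`. Typos: "signarue", "tokens that has" (twice), and "loing" in the unchanged line below.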
@@ -104,7 +172,7 @@
<br/>
<br/>
-<li>Step 4 : Obtain the information in the verified token and process</li>
+<h3>Step 3 : Obtain the information in the verified token and process</h3>
<p>The results of token processing will be available as attributes in the
ServletRequest object.</p>
@@ -121,7 +189,5 @@
application.</p>
-</ul>
-
</body>
-</html>
\ No newline at end of file
+</html>
Modified:
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyFilter.java
==============================================================================
---
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyFilter.java
(original)
+++
trunk/solutions/identity/modules/token-verifier-core/src/main/java/org/wso2/solutions/identity/relyingparty/servletfilter/RelyingPartyFilter.java
Sun Dec 9 22:06:45 2007
@@ -72,6 +72,8 @@
private String IdpStoreType = null;
private String validatePolicy = null;
+
+ private String issuerPolicy = null;
/**
* One array contains one DN name
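Review bot: the new `issuerPolicy` field has no comment while the DN array right below it carries Javadoc; a one-liner giving the accepted values (`SelfAndManaged`, `Self`, `Managed`) and stating whether `null` is a legal stored value would help, since this field is now consulted on every filtered request.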
@@ -167,14 +169,16 @@
String issuerName = verifier.getIssuerName();
if (IdentityConstants.SELF_ISSUED_ISSUER.equals(issuerName)) {
- String issuerPolicy = filterConfig
- .getInitParameter(TokenVerifierConstants.ISSUER_POLICY);
+
if (issuerPolicy == null
|| issuerPolicy.equals(TokenVerifierConstants.SELF_ONLY)
|| issuerPolicy
.equals(TokenVerifierConstants.SELF_AND_MANGED)) {
validated = true;
}
+ } else if(issuerPolicy.equals(TokenVerifierConstants.SELF_ONLY)){
+ //not a self issued card when self only
+ validated = false;
} else if (validatePolicy.equals(TokenVerifierConstants.PROMISCUOUS)) {
validated = true;
} else if (validatePolicy.equals(TokenVerifierConstants.BLACK_LIST)) {
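Review bot: the new branch `} else if(issuerPolicy.equals(TokenVerifierConstants.SELF_ONLY)){` dereferences `issuerPolicy` with no null guard, yet the documentation in this same commit lists IssuerPolicy as optional with a default applied, and the self-issued branch just above it explicitly tests `issuerPolicy == null`. With IssuerPolicy unset, every non-self-issued token will hit a NullPointerException on this line before any of the `validatePolicy` branches run. Use `TokenVerifierConstants.SELF_ONLY.equals(issuerPolicy)`, or resolve the default in `init` so the field is never null. Also note that under `Managed` a self-issued token now falls through both conditions without assigning `validated`, so the result depends on the variable's initial value, which is not visible in this hunk; an explicit `validated = false` branch would make the intent clear.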
@@ -320,7 +324,9 @@
.getInitParameter(TokenVerifierConstants.KEY_ALIAS);
String keyPass = filterConfig
.getInitParameter(TokenVerifierConstants.KEY_PASS);
-
+
+ issuerPolicy = filterConfig
+ .getInitParameter(TokenVerifierConstants.ISSUER_POLICY);
try {
KeyStore store = KeyStore.getInstance(storeType);
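Review bot: `issuerPolicy` is read from the init-param but never checked against the three documented values. A misspelled value such as `Managd` is non-null and matches neither `SELF_ONLY` nor `SELF_AND_MANGED`, so self-issued cards are silently refused while managed cards proceed, i.e. the filter quietly behaves as `Managed` without telling the deployer. Validate the value here in `init` and refuse to start on anything unrecognised.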
@@ -338,7 +344,7 @@
.getInitParameter(TokenVerifierConstants.TOKEN_VALIDATE_POLICY);
if (validatePolicy == null) {
- validatePolicy = TokenVerifierConstants.PROMISCUOUS;
+ validatePolicy = TokenVerifierConstants.CERT_VALIDATE;
//.PROMISCUOUS;
}
// Step 3: Reading paramters of each policy
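Review bot: changing the default from `PROMISCUOUS` to `CERT_VALIDATE` is the right fail-safe choice, but the leftover `//.PROMISCUOUS;` comment should be removed rather than kept as dead text. Since CertValidate is now the default, a deployment that sets none of the `TrustedIdP.*` parameters will reach the trust-store path on its first token; make sure the missing trust store is reported at `init` time, not at request time, and update the parameter table accordingly (its `TrustedIdP.KeyStore` Required cell is currently empty).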
_______________________________________________
Identity-dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/identity-dev