Abstract JAAS LoginModule for JBoss STS (Security Token Service). Subclasses are required to implement {@link #invokeSTS(STSClient)} to perform their specific actions.
Configuration
Concrete implementations specify where the username and credentials are read from: a callback handler (via {@link NameCallback} and {@link PasswordCallback}), the login module's options configuration, or login modules earlier in the login module stack.
Configuration example
1. Callback handler configuration: {@code /sts-client.properties }
2. Login module options configuration: {@code /sts-client.properties true }
3. Password stacking configuration: {@code /sts-client.properties useFirstPass }
Password stacking
Password stacking lets login modules in the same stack share credentials. A login module configured with 'password-stacking' set to 'true' stores the username and password in the shared state map; login modules that come later in the stack can set 'password-stacking' to 'useFirstPass', which makes them use the username and password from that shared map instead of collecting them again.
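The following is an added example, not PicketLink's own code: a hypothetical LoginModule that implements both sides of the password-stacking contract described above. With 'password-stacking' set to 'true' it publishes the credentials it collected through the callback handler into the shared state map; with 'useFirstPass' it reuses credentials an earlier module published and only falls back to the callbacks when none are there. The shared-state key names are the convention JBoss login modules use for this hand-off; the class name is made up for the example.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical demo module (not PicketLink code) implementing the password-stacking contract.
public class StackingDemoLoginModule implements LoginModule {
    // Shared-state keys JBoss login modules use to hand credentials down the stack.
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASS_KEY = "javax.security.auth.login.password";
    private CallbackHandler handler;
    private Map<String, Object> shared;
    private boolean publish, useFirstPass; // password-stacking=true writes, useFirstPass reads
    private String username; private char[] password;
    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.shared = (Map<String, Object>) sharedState;
        String stacking = String.valueOf(options.get("password-stacking"));
        publish = "true".equalsIgnoreCase(stacking);
        useFirstPass = "useFirstPass".equalsIgnoreCase(stacking);
    }
    @Override public boolean login() throws LoginException {
        if (useFirstPass && shared.containsKey(NAME_KEY)) {
            username = (String) shared.get(NAME_KEY); // reuse what an earlier module published
            Object p = shared.get(PASS_KEY);           // other JBoss modules may store a String here
            password = p instanceof char[] ? (char[]) p : String.valueOf(p).toCharArray();
        } else {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            username = nc.getName();
            password = pc.getPassword();
        }
        if (username == null || password == null) throw new LoginException("no credentials supplied");
        if (publish) { shared.put(NAME_KEY, username); shared.put(PASS_KEY, password); }
        return true;
    }
    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return logout(); }
    @Override public boolean logout() { username = null; password = null; return true; }
}
```

A real module would also validate the credentials and add principals to the Subject in commit(); this one only shows how the two 'password-stacking' values move credentials through the shared state.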
4. Mapping provider configuration: {@code /sts-client.properties useFirstPass }
Mapping Providers
Principal and role mapping providers may be configured on subclasses of this login module and used to populate the JAAS Subject with the appropriate user id and roles. The token is made available to the mapping providers so that identity information can be extracted from it.
Subclasses can define more configuration options by overriding initialize. Note also that subclasses are not forced to put configuration options in a file: they can all be set as login module options, just as 'configFile' is specified above.
Additional Configuration
roleKey: by default, the SAML attributes with key "Role" are assumed to represent user roles. You can configure a comma-separated list of attribute names to be treated as user roles instead.
cache.invalidation: set to true if you require invalidation of the JBoss Auth Cache when the SAML Principal expires.
jboss.security.security_domain: name of the security domain in which this login module is configured. Only required if the cache.invalidation option is set.
inject.callerprincipal: set to true to add a group principal called "CallerPrincipal", carrying the roles from the assertion, to the subject.
@author Daniel Bevenius
@author Anil.Saldhana@redhat.com