org.openid4java.server
Class ServerManager

java.lang.Object
  extended by org.openid4java.server.ServerManager

public class ServerManager
extends java.lang.Object

Manages OpenID communications with an OpenID Relying Party (Consumer).

Author:
Marius Scurtescu, Johnny Bufu

Field Summary
private  int _expireIn
          Expiration time (in seconds) for associations.
private static org.apache.commons.logging.Log _log
           
private  AssociationSessionType _minAssocSessEnc
          The lowest encryption level session accepted for association sessions
private  NonceGenerator _nonceGenerator
          Nonce generator implementation.
private  java.lang.String _opEndpointUrl
          The OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.
private  AssociationSessionType _prefAssocSessEnc
          The preferred association session type; will be attempted first.
private  ServerAssociationStore _privateAssociations
          Keeps track of private (internal) associations created for signing authentication responses for stateless consumer sites.
private  RealmVerifier _realmVerifier
          Used to verify realms against return_to URLs.
private  ServerAssociationStore _sharedAssociations
          Keeps track of the associations established with consumer sites.
private  java.lang.String[] _signExtensions
          Array of extension namespace URIs that the ServerManager will sign, if present in auth responses.
private  java.lang.String _signFields
          List of comma-separated fields to be signed in authentication responses.
private  java.lang.String _userSetupUrl
          In OpenID 1.x compatibility mode, the URL at the OpenID Provider where the user should be directed when an immediate authentication request fails.
private static boolean DEBUG
           
 
Constructor Summary
ServerManager()
          Constructs a ServerManager with default settings.
ServerManager(RealmVerifierFactory factory)
           
 
Method Summary
 Message associationResponse(ParameterList requestParams)
          Processes an Association Request and returns an Association Response message, according to the request parameters and the preferences configured for the OpenID Provider.
 Message authResponse(AuthRequest authReq, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved)
          Processes an Authentication Request received from a consumer site.
 Message authResponse(AuthRequest authReq, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, boolean signNow)
          Processes an Authentication Request received from a consumer site.
 Message authResponse(AuthRequest auhtReq, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, java.lang.String opEndpoint)
          Processes an Authentication Request received from a consumer site.
 Message authResponse(AuthRequest authReq, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, java.lang.String opEndpoint, boolean signNow)
          Processes an Authentication Request received from a consumer site.
 Message authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved)
          Processes an Authentication Request received from a consumer site.
 Message authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, boolean signNow)
          Processes an Authentication Request received from a consumer site.
 Message authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, java.lang.String opEndpoint)
          Processes an Authentication Request received from a consumer site.
 Message authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, java.lang.String opEndpoint, boolean signNow)
          Processes an Authentication Request received from a consumer site, after parsing the request parameters into a valid AuthRequest.
 boolean getEnforceRpId()
          Gets the flag that instructs the realm verifier to enforce validation of the return URL against the endpoints discovered from the RP's realm.
 int getExpireIn()
          Gets the expiration time (in seconds) for the generated associations
 AssociationSessionType getMinAssocSessEnc()
          Gets the minimum level of encryption configured for association sessions.
 NonceGenerator getNonceGenerator()
          Gets the NonceGenerator used for generating nonce tokens to uniquely identify authentication responses.
 java.lang.String getOPEndpointUrl()
          Gets OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.
 AssociationSessionType getPrefAssocSessEnc()
          Gets the preferred association / session type.
 ServerAssociationStore getPrivateAssociations()
          Gets the store implementation used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).
 RealmVerifier getRealmVerifier()
          Gets the RealmVerifier used to verify realms against return_to URLs.
 ServerAssociationStore getSharedAssociations()
          Gets the store implementation used for keeping track of the generated associations established with consumer sites.
 java.lang.String[] getSignExtensions()
           
 java.lang.String getSignFields()
          Gets the list of parameters that the OpenID Provider will sign when generating authentication responses.
 java.lang.String getUserSetupUrl()
          Gets the URL at the OpenID Provider where the user should be directed when an immediate authentication request fails.
 void setEnforceRpId(boolean enforceRpId)
          Sets the flag that instructs the realm verifier to enforce validation of the return URL against the endpoints discovered from the RP's realm.
 void setExpireIn(int _expireIn)
          Sets the expiration time (in seconds) for the generated associations
 void setMinAssocSessEnc(AssociationSessionType minAssocSessEnc)
          Configures the minimum level of encryption accepted for association sessions.
 void setNonceGenerator(NonceGenerator nonceGenerator)
          Sets the NonceGenerator implementation that will be used to generate nonce tokens to uniquely identify authentication responses.
 void setOPEndpointUrl(java.lang.String opEndpointUrl)
          Sets the OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.
 void setPrefAssocSessEnc(AssociationSessionType type)
          Sets the preferred association / session type.
 void setPrivateAssociations(ServerAssociationStore privateAssociations)
          Sets the store implementation that will be used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).
 void setRealmVerifier(RealmVerifier realmVerifier)
          Sets the RealmVerifier used to verify realms against return_to URLs.
 void setSharedAssociations(ServerAssociationStore sharedAssociations)
          Sets the store implementation that will be used for keeping track of the generated associations established with consumer sites.
 void setSignExtensions(java.lang.String[] extensins)
           
 void setSignFields(java.lang.String signFields)
          Sets the list of parameters that the OpenID Provider will sign when generating authentication responses.
 void setUserSetupUrl(java.lang.String userSetupUrl)
          Sets the URL at the OpenID Provider where the user should be directed when an immediate authentication request fails.
 void sign(AuthSuccess authSuccess)
          Signs an AuthSuccess message, using the association identified by the handle specified within the message.
 Message verify(ParameterList requestParams)
          Responds to a verification request from the consumer.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

_log

private static org.apache.commons.logging.Log _log

DEBUG

private static final boolean DEBUG

_sharedAssociations

private ServerAssociationStore _sharedAssociations
Keeps track of the associations established with consumer sites.


_privateAssociations

private ServerAssociationStore _privateAssociations
Keeps track of private (internal) associations created for signing authentication responses for stateless consumer sites.


_nonceGenerator

private NonceGenerator _nonceGenerator
Nonce generator implementation.


_minAssocSessEnc

private AssociationSessionType _minAssocSessEnc
The lowest encryption level session accepted for association sessions


_prefAssocSessEnc

private AssociationSessionType _prefAssocSessEnc
The preferred association session type; will be attempted first.


_expireIn

private int _expireIn
Expiration time (in seconds) for associations.


_userSetupUrl

private java.lang.String _userSetupUrl
In OpenID 1.x compatibility mode, the URL at the OpenID Provider where the user should be directed when an immediate authentication request fails.

MUST be configured in order for the OpenID provider to be able to respond correctly with AuthImmediateFailure messages in compatibility mode.


_signFields

private java.lang.String _signFields
List of comma-separated fields to be signed in authentication responses.


_signExtensions

private java.lang.String[] _signExtensions
Array of extension namespace URIs that the ServerManager will sign, if present in auth responses.


_realmVerifier

private RealmVerifier _realmVerifier
Used to verify realms against return_to URLs.


_opEndpointUrl

private java.lang.String _opEndpointUrl
The OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.

This is a global setting for the ServerManager; can also be set on a per message basis.

See Also:
authResponse(org.openid4java.message.ParameterList, String, String, boolean, String)
Constructor Detail

ServerManager

public ServerManager()
Constructs a ServerManager with default settings.


ServerManager

@Inject
public ServerManager(RealmVerifierFactory factory)
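The following is an added configuration example, not code from openid4java or its sample server: it builds a ServerManager with the setters documented on this page, choosing the stricter values a production OP would want. The class name OpConfig is this example's own; InMemoryServerAssociationStore is the store implementation openid4java ships, and a persistent store for a multi-node OP is assumed to be written by the application.

```java
// Added configuration example; not part of openid4java. OpConfig is this
// example's own name.
import org.openid4java.association.AssociationSessionType;
import org.openid4java.message.sreg.SRegMessage;
import org.openid4java.server.InMemoryServerAssociationStore;
import org.openid4java.server.ServerException;
import org.openid4java.server.ServerManager;

public class OpConfig {

    /**
     * Builds a ServerManager for an OP whose public endpoint is endpointUrl.
     * The preferred session type is set before the minimum is raised: a
     * preference weaker than the configured minimum is rejected with a
     * ServerException.
     */
    public static ServerManager build(String endpointUrl) throws ServerException {
        ServerManager manager = new ServerManager();

        // op_endpoint ends up inside every signed response and RPs compare it
        // with what they discovered, so this must be the public https URL.
        manager.setOPEndpointUrl(endpointUrl);

        // Shared associations let RPs verify signatures themselves; private
        // associations sign responses for stateless RPs and are what verify()
        // consults. In-memory stores only work for a single JVM: a clustered OP
        // needs a ServerAssociationStore backed by shared storage (assumed to
        // be application code, none is provided here).
        manager.setSharedAssociations(new InMemoryServerAssociationStore());
        manager.setPrivateAssociations(new InMemoryServerAssociationStore());

        // Association lifetime in seconds: shorter bounds how long a leaked
        // MAC key is useful, longer reduces association traffic.
        manager.setExpireIn(3600);

        // Prefer DH-SHA256 and refuse anything weaker. The default minimum is a
        // no-encryption session, which hands the MAC key to the RP in the
        // clear. Caveat: OpenID 1.x RPs only know DH-SHA1 and no-encryption,
        // so an OP that must serve them keeps the minimum at DH_SHA1.
        manager.setPrefAssocSessEnc(AssociationSessionType.DH_SHA256);
        manager.setMinAssocSessEnc(AssociationSessionType.DH_SHA256);

        // Require return_to to match an endpoint discovered from the RP's
        // realm, so an attacker cannot present a realm they do not control.
        manager.setEnforceRpId(true);

        // Extension namespaces whose parameters are covered by the response
        // signature when present (Simple Registration here).
        manager.setSignExtensions(new String[] { SRegMessage.OPENID_NS_SREG });

        return manager;
    }
}
```

Setting the minimum above the preferred type is the failure mode to watch for: setPrefAssocSessEnc throws, but setMinAssocSessEnc does not, so a misordered configuration surfaces only when an RP's association request is refused.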
Method Detail

getSharedAssociations

public ServerAssociationStore getSharedAssociations()
Gets the store implementation used for keeping track of the generated associations established with consumer sites.

See Also:
ServerAssociationStore

setSharedAssociations

public void setSharedAssociations(ServerAssociationStore sharedAssociations)
Sets the store implementation that will be used for keeping track of the generated associations established with consumer sites.

Parameters:
sharedAssociations - ServerAssociationStore implementation
See Also:
ServerAssociationStore

getPrivateAssociations

public ServerAssociationStore getPrivateAssociations()
Gets the store implementation used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).

See Also:
ServerAssociationStore

setPrivateAssociations

public void setPrivateAssociations(ServerAssociationStore privateAssociations)
Sets the store implementation that will be used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).

Parameters:
privateAssociations - ServerAssociationStore implementation
See Also:
ServerAssociationStore

getMinAssocSessEnc

public AssociationSessionType getMinAssocSessEnc()
Gets the minimum level of encryption configured for association sessions.

Default: no-encryption session, SHA1 MAC association


getNonceGenerator

public NonceGenerator getNonceGenerator()
Gets the NonceGenerator used for generating nonce tokens to uniquely identify authentication responses.

See Also:
NonceGenerator

setNonceGenerator

public void setNonceGenerator(NonceGenerator nonceGenerator)
Sets the NonceGenerator implementation that will be used to generate nonce tokens to uniquely identify authentication responses.

See Also:
NonceGenerator

setMinAssocSessEnc

public void setMinAssocSessEnc(AssociationSessionType minAssocSessEnc)
Configures the minimum level of encryption accepted for association sessions.

Default: no-encryption session, SHA1 MAC association.

A no-encryption session sends the association's MAC key to the consumer in the clear; the OpenID 2.0 specification allows it only when the messages travel over an encrypted transport such as TLS. An OP whose endpoint is not served exclusively over TLS should raise the minimum to a Diffie-Hellman session type.


getPrefAssocSessEnc

public AssociationSessionType getPrefAssocSessEnc()
Gets the preferred association / session type.


setPrefAssocSessEnc

public void setPrefAssocSessEnc(AssociationSessionType type)
                         throws ServerException
Sets the preferred association / session type.

Throws:
ServerException
See Also:
AssociationSessionType

getExpireIn

public int getExpireIn()
Gets the expiration time (in seconds) for the generated associations


setExpireIn

public void setExpireIn(int _expireIn)
Sets the expiration time (in seconds) for the generated associations


getUserSetupUrl

public java.lang.String getUserSetupUrl()
Gets the URL at the OpenID Provider where the user should be directed when an immediate authentication request fails.


setUserSetupUrl

public void setUserSetupUrl(java.lang.String userSetupUrl)
Sets the URL at the OpenID Provider where the user should be directed when an immediate authentication request fails.


setSignFields

public void setSignFields(java.lang.String signFields)
Sets the list of parameters that the OpenID Provider will sign when generating authentication responses.

The fields in the list must be comma-separated and must not include the 'openid.' prefix. Fields that are required to be signed are automatically added by the underlying logic, so that a valid message is generated regardless of whether they are included in the user-supplied list or not.


getSignFields

public java.lang.String getSignFields()
Gets the list of parameters that the OpenID Provider will sign when generating authentication responses.

Comma-separated list.


setSignExtensions

public void setSignExtensions(java.lang.String[] extensins)

getSignExtensions

public java.lang.String[] getSignExtensions()

getRealmVerifier

public RealmVerifier getRealmVerifier()
Gets the RealmVerifier used to verify realms against return_to URLs.


setRealmVerifier

public void setRealmVerifier(RealmVerifier realmVerifier)
Sets the RealmVerifier used to verify realms against return_to URLs.


getEnforceRpId

public boolean getEnforceRpId()
Gets the flag that instructs the realm verifier to enforce validation of the return URL against the endpoints discovered from the RP's realm.


setEnforceRpId

public void setEnforceRpId(boolean enforceRpId)
Sets the flag that instructs the realm verifier to enforce validation of the return URL against the endpoints discovered from the RP's realm.


getOPEndpointUrl

public java.lang.String getOPEndpointUrl()
Gets the OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.

This is a global setting for the ServerManager; can also be set on a per message basis.

See Also:
authResponse(org.openid4java.message.ParameterList, String, String, boolean, String)

setOPEndpointUrl

public void setOPEndpointUrl(java.lang.String opEndpointUrl)
Sets the OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.

This is a global setting for the ServerManager; can also be set on a per message basis.

See Also:
authResponse(org.openid4java.message.ParameterList, String, String, boolean, String)

associationResponse

public Message associationResponse(ParameterList requestParams)
Processes an Association Request and returns an Association Response message, according to the request parameters and the preferences configured for the OpenID Provider.

Returns:
AssociationResponse upon successful association, or AssociationError if no association was established

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved)
Processes an Authentication Request received from a consumer site.

Uses ServerManager's global OpenID Provider endpoint URL.

Returns:
A signed positive Authentication Response if successful, or an IndirectError / DirectError message.
See Also:
authResponse(org.openid4java.message.ParameterList, String, String, boolean, String, boolean)

authResponse

public Message authResponse(AuthRequest authReq,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved)
Processes an Authentication Request received from a consumer site.

Uses ServerManager's global OpenID Provider endpoint URL.

Returns:
A signed positive Authentication Response if successful, or an IndirectError / DirectError message.
See Also:
authResponse(org.openid4java.message.AuthRequest, String, String, boolean, String, boolean)

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            boolean signNow)
Processes an Authentication Request received from a consumer site.

Uses ServerManager's global OpenID Provider endpoint URL.

Returns:
A positive Authentication Response if successful (signed only if signNow is true), or an IndirectError / DirectError message.
See Also:
authResponse(org.openid4java.message.ParameterList, String, String, boolean, String, boolean)

authResponse

public Message authResponse(AuthRequest authReq,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            boolean signNow)
Processes an Authentication Request received from a consumer site.

Uses ServerManager's global OpenID Provider endpoint URL.

Returns:
A positive Authentication Response if successful (signed only if signNow is true), or an IndirectError / DirectError message.
See Also:
authResponse(org.openid4java.message.AuthRequest, String, String, boolean, String, boolean)

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            java.lang.String opEndpoint)
Processes an Authentication Request received from a consumer site.

Returns:
A signed positive Authentication Response if successful, or an IndirectError / DirectError message.
See Also:
authResponse(org.openid4java.message.ParameterList, String, String, boolean, String, boolean)

authResponse

public Message authResponse(AuthRequest auhtReq,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            java.lang.String opEndpoint)
Processes an Authentication Request received from a consumer site.

Returns:
A signed positive Authentication Response if successful, or an IndirectError / DirectError message.
See Also:
authResponse(org.openid4java.message.AuthRequest, String, String, boolean, String, boolean)

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            java.lang.String opEndpoint,
                            boolean signNow)
Processes an Authentication Request received from a consumer site, after parsing the request parameters into a valid AuthRequest.

Returns:
A positive Authentication Response if successful (signed only if signNow is true), or an IndirectError / DirectError message.
See Also:
authResponse(org.openid4java.message.AuthRequest, String, String, boolean, String, boolean)

authResponse

public Message authResponse(AuthRequest authReq,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            java.lang.String opEndpoint,
                            boolean signNow)
Processes an Authentication Request received from a consumer site.

Parameters:
opEndpoint - The endpoint URL where the OP accepts OpenID authentication requests.
authReq - A valid authentication request.
userSelId - OP-specific Identifier selected by the user at the OpenID Provider; if present it will override the one received in the authentication request.
userSelClaimed - Claimed Identifier selected by the user at the OpenID Provider; if present it will override the one received in the authentication request.
authenticatedAndApproved - Flag indicating that the OP has authenticated the user and the user has approved the authentication transaction.
signNow - If true, the returned AuthSuccess will be signed. If false, the signature will not be computed and set; this must be performed later using sign(AuthSuccess), typically after extension parameters have been added to the response so that they are covered by the signature.
Returns:
  • AuthSuccess, if authenticatedAndApproved is true;
  • AuthFailure (negative response) if authenticatedAndApproved is false;
  • An IndirectError or DirectError message if the authentication could not be performed; or
  • Null if there was no return_to parameter specified in the AuthRequest.

sign

public void sign(AuthSuccess authSuccess)
          throws ServerException,
                 AssociationException
Signs an AuthSuccess message, using the association identified by the handle specified within the message.

Parameters:
authSuccess - The Authentication Success message to be signed.
Throws:
ServerException - If the Association corresponding to the handle in authSuccess cannot be retrieved from the store.
AssociationException - If the signature cannot be computed.

verify

public Message verify(ParameterList requestParams)
Responds to a verification request from the consumer.

Parameters:
requestParams - ParameterList containing the parameters received in a verification request from a consumer site.
Returns:
VerificationResponse to be sent back to the consumer site.
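The following is an added example of how an OP endpoint dispatches to associationResponse, authResponse, sign and verify; it is not openid4java's own code. It uses the AuthRequest overload of authResponse with signNow=false so that Simple Registration data can be added before the signature is computed, and then calls sign(AuthSuccess). OpEndpoint, AuthContext and Reply are this example's own names; the OP's login and consent pages are assumed to have run already and filled in AuthContext.

```java
// Added dispatch example; not part of openid4java. OpEndpoint, AuthContext
// and Reply are this example's own names.
import java.util.Map;

import org.openid4java.association.AssociationException;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.AuthSuccess;
import org.openid4java.message.DirectError;
import org.openid4java.message.Message;
import org.openid4java.message.MessageException;
import org.openid4java.message.MessageExtension;
import org.openid4java.message.ParameterList;
import org.openid4java.message.sreg.SRegMessage;
import org.openid4java.message.sreg.SRegRequest;
import org.openid4java.message.sreg.SRegResponse;
import org.openid4java.server.ServerException;
import org.openid4java.server.ServerManager;

public class OpEndpoint {

    /** Hypothetical: what the OP's own login and consent step established. */
    public static final class AuthContext {
        public String localId;               // OP-local identifier chosen by the user, or null
        public String claimedId;             // claimed identifier chosen by the user, or null
        public boolean approved;             // authenticated AND consented to this realm
        public Map<String, String> sregData; // SReg attributes the user agreed to release
    }

    /** A reply is either a direct key-value body or a redirect via the user agent. */
    public static final class Reply {
        public final String body;     // direct responses: associate, check_authentication, errors
        public final String redirect; // indirect responses: sent to return_to through the browser
        private Reply(String body, String redirect) { this.body = body; this.redirect = redirect; }
        static Reply direct(Message m)   { return new Reply(m.keyValueFormEncoding(), null); }
        static Reply indirect(Message m) { return new Reply(null, m.getDestinationUrl(true)); }
    }

    private final ServerManager manager;

    public OpEndpoint(ServerManager manager) { this.manager = manager; }

    public Reply handle(ParameterList requestp, AuthContext ctx)
            throws ServerException, AssociationException, MessageException {
        String mode = requestp.hasParameter("openid.mode")
                ? requestp.getParameterValue("openid.mode") : null;

        if ("associate".equals(mode)) {
            // Direct RP-to-OP request: AssociationResponse, or AssociationError
            // when the RP asks for a session type below the configured minimum.
            return Reply.direct(manager.associationResponse(requestp));
        }

        if ("checkid_setup".equals(mode) || "checkid_immediate".equals(mode)) {
            AuthRequest authReq;
            try {
                // Parses and validates the request, including realm verification
                // against return_to (the ParameterList overloads do this for you).
                authReq = AuthRequest.createAuthRequest(requestp, manager.getRealmVerifier());
            } catch (MessageException e) {
                return Reply.direct(DirectError.createDirectError(e.getMessage()));
            }

            // signNow=false: sign only after extension data has been added.
            Message resp = manager.authResponse(authReq, ctx.localId, ctx.claimedId, ctx.approved, false);
            if (resp == null) {
                // no return_to: nowhere to redirect, so answer directly
                return Reply.direct(DirectError.createDirectError("Missing return_to"));
            }
            if (resp instanceof DirectError) {
                return Reply.direct(resp);
            }
            if (resp instanceof AuthSuccess) {
                AuthSuccess ok = (AuthSuccess) resp;
                if (ctx.sregData != null && authReq.hasExtension(SRegMessage.OPENID_NS_SREG)) {
                    MessageExtension ext = authReq.getExtension(SRegMessage.OPENID_NS_SREG);
                    if (ext instanceof SRegRequest) {
                        ok.addExtension(SRegResponse.createSRegResponse((SRegRequest) ext, ctx.sregData));
                    }
                }
                manager.sign(ok); // association looked up by handle; throws if unknown
            }
            // AuthSuccess, AuthFailure, AuthImmediateFailure and IndirectError all travel via return_to
            return Reply.indirect(resp);
        }

        if ("check_authentication".equals(mode)) {
            // A stateless RP asking the OP to confirm a signature made with a private association
            return Reply.direct(manager.verify(requestp));
        }

        return Reply.direct(DirectError.createDirectError("Unknown request"));
    }
}
```

The point of deferring the signature is that the signed field list is fixed when sign() runs: extension parameters added after an AuthSuccess has already been signed are not covered by the signature, and an RP that honours them is trusting unsigned data. If the SReg step is not needed, the four-argument authResponse overloads sign immediately and the sign() call disappears.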


Copyright 2006-2008 Sxip Identity Corporation