org.openid4java.server
Class ServerManager

java.lang.Object
  org.openid4java.server.ServerManager

public class ServerManager
extends java.lang.Object

Manages OpenID communications with an OpenID Relying Party (Consumer).

Author:

Marius Scurtescu, Johnny Bufu

Field Summary

private boolean	_enforceRpId Flag that instructs the realm verifier to enforce validation of the return URL agains the endpoints discovered from the RP's realm.
private int	_expireIn Expiration time (in seconds) for associations.
private static org.apache.commons.logging.Log	_log
private AssociationSessionType	_minAssocSessEnc The lowest encryption level session accepted for association sessions
private NonceGenerator	_nonceGenerator Nonce generator implementation.
private java.lang.String	_opEndpointUrl The OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.
private AssociationSessionType	_prefAssocSessEnc The preferred association session type; will be attempted first.
private ServerAssociationStore	_privateAssociations Keeps track of private (internal) associations created for signing authentication responses for stateless consumer sites.
private RealmVerifier	_realmVerifier Used to perform verify realms against return_to URLs.
private ServerAssociationStore	_sharedAssociations Keeps track of the associations established with consumer sites.
private java.lang.String[]	_signExtensions Array of extension namespace URIs that the consumer manager will sign, if present in auth responses.
private java.lang.String	_signFields List of coma-separated fields to be signed in authentication responses.
private java.lang.String	_userSetupUrl In OpenID 1.x compatibility mode, the URL at the OpenID Provider where the user should be directed when a immediate authentication request fails.
private static boolean	DEBUG

Constructor Summary

ServerManager()
Constructs a ServerManager with default settings.

Method Summary

Message	associationResponse(ParameterList requestParams) Processes a Association Request and returns a Association Response message, according to the request parameters and the preferences configured for the OpenID Provider
Message	authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved) Processes a Authentication Request received from a consumer site.
Message	authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, boolean signNow) Processes a Authentication Request received from a consumer site.
Message	authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, java.lang.String opEndpoint) Processes a Authentication Request received from a consumer site.
Message	authResponse(ParameterList requestParams, java.lang.String userSelId, java.lang.String userSelClaimed, boolean authenticatedAndApproved, java.lang.String opEndpoint, boolean signNow) Processes a Authentication Request received from a consumer site.
boolean	getEnforceRpId() Gets the flag that instructs the realm verifier to enforce validation of the return URL agains the endpoints discovered from the RP's realm.
int	getExpireIn() Gets the expiration time (in seconds) for the generated associations
AssociationSessionType	getMinAssocSessEnc() Gets the minimum level of encryption configured for association sessions.
NonceGenerator	getNonceGenerator() Gets the NonceGenerator used for generating nonce tokens to uniquely identify authentication responses.
java.lang.String	getOPEndpointUrl() Gets OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.
AssociationSessionType	getPrefAssocSessEnc() Gets the preferred association / session type.
ServerAssociationStore	getPrivateAssociations() Gets the store implementation used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).
RealmVerifier	getRealmVerifier() Gets the RealmVerifier used to verify realms against return_to URLs.
ServerAssociationStore	getSharedAssociations() Gets the store implementation used for keeping track of the generated associations established with consumer sites.
java.lang.String[]	getSignExtensions()
java.lang.String	getSignFields() Gets the list of parameters that the OpenID Provider will sign when generating authentication responses.
java.lang.String	getUserSetupUrl() Gets the URL at the OpenID Provider where the user should be directed when a immediate authentication request fails.
void	setEnforceRpId(boolean enforceRpId) Sets the flag that instructs the realm verifier to enforce validation of the return URL agains the endpoints discovered from the RP's realm.
void	setExpireIn(int _expireIn) Sets the expiration time (in seconds) for the generated associations
void	setMinAssocSessEnc(AssociationSessionType minAssocSessEnc) Configures the minimum level of encryption accepted for association sessions.
void	setNonceGenerator(NonceGenerator nonceGenerator) Sets the NonceGenerator implementation that will be used to generate nonce tokens to uniquely identify authentication responses.
void	setOPEndpointUrl(java.lang.String opEndpointUrl) Sets the OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.
void	setPrefAssocSessEnc(AssociationSessionType type) Sets the preferred association / session type.
void	setPrivateAssociations(ServerAssociationStore privateAssociations) Sets the store implementation that will be used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).
void	setRealmVerifier(RealmVerifier realmVerifier) Sets the RealmVerifier used to verify realms against return_to URLs.
void	setSharedAssociations(ServerAssociationStore sharedAssociations) Sets the store implementation that will be used for keeping track of the generated associations established with consumer sites.
void	setSignExtensions(java.lang.String[] extensins)
void	setSignFields(java.lang.String signFields) Sets the list of parameters that the OpenID Provider will sign when generating authentication responses.
void	setUserSetupUrl(java.lang.String userSetupUrl) Sets the URL at the OpenID Provider where the user should be directed when a immediate authentication request fails.
void	sign(AuthSuccess authSuccess) Signs an AuthSuccess message, using the association identified by the handle specified within the message.
Message	verify(ParameterList requestParams) Responds to a verification request from the consumer.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

_log

private static org.apache.commons.logging.Log _log

DEBUG

private static final boolean DEBUG

_sharedAssociations

private ServerAssociationStore _sharedAssociations

Keeps track of the associations established with consumer sites.

_privateAssociations

private ServerAssociationStore _privateAssociations

Keeps track of private (internal) associations created for signing authentication responses for stateless consumer sites.

_nonceGenerator

private NonceGenerator _nonceGenerator

Nonce generator implementation.

_minAssocSessEnc

private AssociationSessionType _minAssocSessEnc

The lowest encryption level session accepted for association sessions

_prefAssocSessEnc

private AssociationSessionType _prefAssocSessEnc

The preferred association session type; will be attempted first.

_expireIn

private int _expireIn

Expiration time (in seconds) for associations.

_userSetupUrl

private java.lang.String _userSetupUrl

In OpenID 1.x compatibility mode, the URL at the OpenID Provider where the user should be directed when a immediate authentication request fails.

MUST be configured in order for the OpenID provider to be able to respond correctly with AuthImmediateFailure messages in compatibility mode.

_signFields

private java.lang.String _signFields

List of coma-separated fields to be signed in authentication responses.

_signExtensions

private java.lang.String[] _signExtensions

Array of extension namespace URIs that the consumer manager will sign, if present in auth responses.

_realmVerifier

private RealmVerifier _realmVerifier

Used to perform verify realms against return_to URLs.

_enforceRpId

private boolean _enforceRpId

Flag that instructs the realm verifier to enforce validation of the return URL agains the endpoints discovered from the RP's realm. Default false (don't enforce).

_opEndpointUrl

private java.lang.String _opEndpointUrl

The OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.

This is a global setting for the ServerManager; can also be set on a per message basis.

See Also:

authResponse(org.openid4java.message.ParameterList, String, String, boolean, String)

Constructor Detail

ServerManager

public ServerManager()

Constructs a ServerManager with default settings.

Method Detail

getSharedAssociations

public ServerAssociationStore getSharedAssociations()

Gets the store implementation used for keeping track of the generated associations established with consumer sites.

See Also:

ServerAssociationStore

setSharedAssociations

public void setSharedAssociations(ServerAssociationStore sharedAssociations)

Sets the store implementation that will be used for keeping track of the generated associations established with consumer sites.

Parameters:

sharedAssociations - ServerAssociationStore implementation

See Also:

ServerAssociationStore

getPrivateAssociations

public ServerAssociationStore getPrivateAssociations()

Gets the store implementation used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).

See Also:

ServerAssociationStore

setPrivateAssociations

public void setPrivateAssociations(ServerAssociationStore privateAssociations)

Sets the store implementation that will be used for keeping track of the generated private associations (used for signing responses to stateless consumer sites).

Parameters:

privateAssociations - ServerAssociationStore implementation

See Also:

ServerAssociationStore

getMinAssocSessEnc

public AssociationSessionType getMinAssocSessEnc()

Gets the minimum level of encryption configured for association sessions.

Default: no-encryption session, SHA1 MAC association

getNonceGenerator

public NonceGenerator getNonceGenerator()

Gets the NonceGenerator used for generating nonce tokens to uniquely identify authentication responses.

See Also:

NonceGenerator

setNonceGenerator

public void setNonceGenerator(NonceGenerator nonceGenerator)

Sets the NonceGenerator implementation that will be used to generate nonce tokens to uniquely identify authentication responses.

See Also:

NonceGenerator

setMinAssocSessEnc

public void setMinAssocSessEnc(AssociationSessionType minAssocSessEnc)

Configures the minimum level of encryption accepted for association sessions.

Default: no-encryption session, SHA1 MAC association

getPrefAssocSessEnc

public AssociationSessionType getPrefAssocSessEnc()

Gets the preferred association / session type.

setPrefAssocSessEnc

public void setPrefAssocSessEnc(AssociationSessionType type)
                         throws ServerException

Sets the preferred association / session type.

Throws:

ServerException

See Also:

AssociationSessionType

getExpireIn

public int getExpireIn()

Gets the expiration time (in seconds) for the generated associations

setExpireIn

public void setExpireIn(int _expireIn)

Sets the expiration time (in seconds) for the generated associations

getUserSetupUrl

public java.lang.String getUserSetupUrl()

Gets the URL at the OpenID Provider where the user should be directed when a immediate authentication request fails.

setUserSetupUrl

public void setUserSetupUrl(java.lang.String userSetupUrl)

Sets the URL at the OpenID Provider where the user should be directed when a immediate authentication request fails.

setSignFields

public void setSignFields(java.lang.String signFields)

Sets the list of parameters that the OpenID Provider will sign when generating authentication responses.

The fields in the list must be coma-separated and must not include the 'openid.' prefix. Fields that are required to be signed are automatically added by the underlying logic, so that a valid message is generated, regardles if they are included in the user-supplied list or not.

getSignFields

public java.lang.String getSignFields()

Gets the list of parameters that the OpenID Provider will sign when generating authentication responses.

Coma-separated list.

setSignExtensions

public void setSignExtensions(java.lang.String[] extensins)

getSignExtensions

public java.lang.String[] getSignExtensions()

getRealmVerifier

public RealmVerifier getRealmVerifier()

Gets the RealmVerifier used to verify realms against return_to URLs.

setRealmVerifier

public void setRealmVerifier(RealmVerifier realmVerifier)

Sets the RealmVerifier used to verify realms against return_to URLs.

getEnforceRpId

public boolean getEnforceRpId()

Gets the flag that instructs the realm verifier to enforce validation of the return URL agains the endpoints discovered from the RP's realm.

setEnforceRpId

public void setEnforceRpId(boolean enforceRpId)

Sets the flag that instructs the realm verifier to enforce validation of the return URL agains the endpoints discovered from the RP's realm.

getOPEndpointUrl

public java.lang.String getOPEndpointUrl()

Gets OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.

This is a global setting for the ServerManager; can also be set on a per message basis.

See Also:

authResponse(org.openid4java.message.ParameterList, String, String, boolean, String)

setOPEndpointUrl

public void setOPEndpointUrl(java.lang.String opEndpointUrl)

Sets the OpenID Provider's endpoint URL, where it accepts OpenID authentication requests.

This is a global setting for the ServerManager; can also be set on a per message basis.

See Also:

authResponse(org.openid4java.message.ParameterList, String, String, boolean, String)

associationResponse

public Message associationResponse(ParameterList requestParams)

Processes a Association Request and returns a Association Response message, according to the request parameters and the preferences configured for the OpenID Provider

Returns:

AssociationResponse upon successfull association, or AssociationError if no association was established

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved)

Processes a Authentication Request received from a consumer site.

Uses ServerManager's global OpenID Provider endpoint URL.

Returns:

An signed positive Authentication Response if successfull, or an IndirectError / DirectError message.

See Also:

authResponse(org.openid4java.message.ParameterList, String, String, boolean, String, boolean)

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            boolean signNow)

Processes a Authentication Request received from a consumer site.

Uses ServerManager's global OpenID Provider endpoint URL.

Returns:

A positive Authentication Response if successfull, or an IndirectError / DirectError message.

See Also:

authResponse(org.openid4java.message.ParameterList, String, String, boolean, String, boolean)

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            java.lang.String opEndpoint)

Processes a Authentication Request received from a consumer site.

Returns:

An signed positive Authentication Response if successfull, or an IndirectError / DirectError message.

See Also:

authResponse(org.openid4java.message.ParameterList, String, String, boolean, String, boolean)

authResponse

public Message authResponse(ParameterList requestParams,
                            java.lang.String userSelId,
                            java.lang.String userSelClaimed,
                            boolean authenticatedAndApproved,
                            java.lang.String opEndpoint,
                            boolean signNow)

Processes a Authentication Request received from a consumer site.

Parameters:

opEndpoint - The endpoint URL where the OP accepts OpenID authentication requests.

requestParams - The parameters contained in the authentication request message received from a consumer site.

userSelId - OP-specific Identifier selected by the user at the OpenID Provider; if present it will override the one received in the authentication request.

userSelClaimed - Claimed Identifier selected by the user at the OpenID Provider; if present it will override the one received in the authentication request.

authenticatedAndApproved - Flag indicating that the OP has authenticated the user and the user has approved the authentication transaction

signNow - If true, the returned AuthSuccess will be signed. If false, the signature will not be computed and set - this will have to be performed later, using #sign(org.openid4java.message.Message).

Returns:

• AuthSuccess, if authenticatedAndApproved
• AuthFailure (negative response) if either of authenticatedAndApproved is false;
• A IndirectError or DirectError message if the authentication could not be performed, or
• Null if there was no return_to parameter specified in the AuthRequest.

sign

public void sign(AuthSuccess authSuccess)
          throws ServerException,
                 AssociationException

Signs an AuthSuccess message, using the association identified by the handle specified within the message.

Parameters:

authSuccess - The Authentication Success message to be signed.

Throws:

ServerException - If the Association corresponding to the handle in the @authSuccess cannot be retrieved from the store.

AssociationException - If the signature cannot be computed.

verify

public Message verify(ParameterList requestParams)

Responds to a verification request from the consumer.

Parameters:

requestParams - ParameterList containing the parameters received in a verification request from a consumer site.

Returns:

VerificationResponse to be sent back to the consumer site.