All Classes and Interfaces

Class
Description
The Abandon operation allows a client to request that the server abandon an uncompleted operation.
An abstract connection whose synchronous methods are implemented in terms of asynchronous methods.
An abstract connection whose synchronous methods are implemented in terms of asynchronous methods.
This class provides a skeletal implementation of the Attribute interface, to minimize the effort required to implement this interface.
This class provides a skeletal implementation of the Connection interface, to minimize the effort required to implement this interface.
An abstract base class from which connection wrappers may be easily implemented.
An abstract base class from which connection wrappers may be easily implemented.
A base implementation of the Context interface.
An abstract node implementation for nodes that result in a simple true-false outcome.
Provides a static set of outcomes for decision nodes.
Deprecated.
Use ContentEncryptionHandler instead.
This class provides a skeletal implementation of the Entry interface, to minimize the effort required to implement this interface.
An abstract Extended request which can be used as the basis for implementing new Extended operations.
An abstract Extended result which can be used as the basis for implementing new Extended operations.
This class provides a skeletal implementation of the ExtendedResultDecoder interface, to minimize the effort required to implement this interface.
An abstract Intermediate response which can be used as the basis for implementing new Intermediate responses.
A base implementation for all JwtBuilders that provides the basis of the JWT builder methods.
A JASPI Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response.
Base class for KBA stages.
Defines the common configurations for the KBA stages.
Abstract implementation for Map based entries.
A convenient base class for AmPlugins that provide authentication nodes.
This class implements a default ordering matching rule that matches normalized values in byte order.
Deprecated.
RequestHandler now has default methods which implement the not-supported behavior.
Abstract class that implements the RequestVisitor interface.
An abstract base class for implementing routers.
An abstract SetCookieHeader class for SetCookieHeader and SetCookie2Header.
An abstract connection whose asynchronous methods are implemented in terms of synchronous methods.
Processes the Accept-API-Version message header.
A header class representing the Accept-Language HTTP header.
Models an OAuth2 access token.
The exception thrown when creating OAuth2 token using client credential grant type.
Represents an exception whilst retrieving an OAuth2 access token.
Represents an OAuth2 Access Token.
A plugin or (extension point) that allows modification of the OAuth2 access token before the token is persisted/returned to the client.
Encapsulates all relevant data necessary to represent a request for a new access token.
Access token request builder.
Resolves a given token against a dedicated OAuth2 Identity Provider (OpenAM, Google, Facebook, ...).
Encapsulates the minted access token along with its contextual data.
Access token response builder.
A secret store that can obtain access tokens from an OAuth 2 provider.
Builder object for the access token secret store.
Access token service is responsible for serving up OAuth2 access tokens along with its contextual data, based on the request having been passed.
Implementations of this interface provide the means to search for and create users given a map of attributes.
This class is designed for Action element in SAML core assertion.
The Action element specifies an action on the specified resource for which permission is sought.
The Action element specifies information about the action requested in the Request context by listing a sequence of Attribute elements associated with the action.
Indicates a CREST action method on an annotated POJO.
Class that represents the Action operation type in API descriptor.
Immutable container for the result of processing a node.
Action<E extends Exception>
A Runnable functional interface which can throw a checked Exception.
Builder for the Action.
Builder class for creating the Action.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
The Action element specifies information about the action requested in the Request context by listing a sequence of Attribute elements associated with the action.
An implementation specific action, or operation, upon a JSON resource.
Response object for JSON responses.
Declare an array of Action operations from a single method.
Annotation to define JSON Schema additionalProperties, which is useful when working with key/value JSON data structures.
The Add operation allows a client to request the addition of an entry into the Directory.
An address mask can be used to perform efficient comparisons against IP addresses to determine whether a particular IP address is in a given range.
The class is used to perform privileged operations using java.security.AccessController.doPrivileged() when using com.iplanet.am.util.AdminUtils to obtain the Administrator DN.
The class is used to perform privileged operations using AccessController.doPrivileged() when using com.iplanet.am.util.AdminUtils to obtain Administrator passwords.
Provides a centralised method for fetching an administrator token for operations where there is no user present.
This class contains methods to retrieve Top Level Administrator information.
The persistent search request control for Active Directory as defined by Microsoft.
The Advice element contains additional information that the issuer wishes to provide.
The Advice contains any additional information that the SAML authority wishes to provide.
The Advice element contains additional information that the issuer wishes to provide.
A Context containing information which should be returned to the user in some appropriate form.
WarningHeader implements RFC 2616 section 14.46 - Warning.
Provides JWE key encapsulation using the AES KeyWrap algorithm.
The interface for each possible algorithm that can be used to sign and/or encrypt a JWT.
The AMAuthCallBack interface should be implemented by external business logic code, in order to receive callbacks from the authentication framework when one of the following events happens: account lockout, password change (via LDAP module).
The AMAuthCallBackException is used to specify an exception related to an authentication framework callback.
This class represents an Identity which needs to be managed by Access Manager.
The class AMIdentityRepository represents an object to access the repositories in which user/role/group and other identity data is configured.
An abstract class which implements JAAS LoginModule, it provides methods to access OpenAM services and the module xml configuration.
This class contains utilities to encrypt and decrypt attribute values of password type.
Define an AM plugin.
The AMPostAuthProcessInterface interface needs to be implemented by services and applications to do post authentication processing.
Interface for classes which send emails.
Describes a service as defined by an annotated interface.
A registry for all service configuration that is defined in annotated service interfaces.
Anonymous process service progresses a chain of ProgressStage configurations, handling any required client interactions.
Utility methods for hashing and normalising answers to KBA questions.
Class that represents the ApiDescription type in API descriptor.
Builder for the ApiDescription.
Generates static AsciiDoc documentation for CREST API Descriptors.
Signals that an error occurred while generating API documentation.
Details of an error that could be returned.
Class that represents the ApiError type in API descriptor.
Builder for the ApiError.
A producer of API Descriptions.
Signals that API failed validation.
A Context which is created when a request has been routed based on resource API version.
Oauth 2.0 Client Implementation that supports Apple.
Configuration used for AppleClient implementation.
Builder used to create AppleClientConfiguration instance.
Utility methods to work with CHF Applications.
A utility class for dealing with CrestApplication instances.
Authenticates to Vault using the AppRole authentication backend to obtain a token that can be used for further operations.
This interface defines method to get application single sign on token.
This class represents the Artifact element in SAMLv2 protocol schema.
The ArtifactResolve message is used to request that a SAML protocol message be returned in an ArtifactResponse message by specifying an artifact that represents the SAML protocol message.
The ArtifactResponse message has the complex type ArtifactResponseType.
Root builder for AsciiDoc markup.
Signals that an error occurred while building AsciiDoc markup.
Enumeration of AsciiDoc markup symbols.
AsciiDoc table builder [ref], which defers insertion of the table, at the end of the parent document, until AsciiDocTable.tableEnd() is called.
AsciiDoc table column-styles.
This class contains various static factory methods for creating ASN.1 readers and writers.
An interface for decoding ASN.1 elements from a data source.
Provides methods for building and analyzing ASN.1 tag bytes.
The Asn1 tag classes.
An ASN.1 encoder writes ASN.1 elements to an internal byte buffer.
This object stands for Assertion element.
The Assertion element is a package of information that supplies one or more Statement made by an issuer.
A compiled attribute value assertion.
This object stands for Assertion element. An Assertion is a package of information that supplies one or more Statement made by an issuer.
This is the factory class to obtain instances of the objects defined in assertion schema.
Thrown when the result code returned in a Result indicates that the Request failed because the filter contained in an assertion control failed to match the target entry.
This class represents the AssertionIDRef element.
AssertionIDReference element makes reference to a SAML assertion.
This class represents the AssertionIDRequestType complex type.
This interface AssertionIDRequestMapper is used by assertion ID request service to process assertion ID request.
This class provides methods to send or process AssertionIDRequest.
The assertion request control as defined in RFC 4528.
Attribute value assertion utilities.
An asynchronous Function which returns a result at some point in the future.
An asynchronous interface counterpart for the ServerAuthContext.
An asynchronous interface counterpart for the ServerAuthModule.
A session manager is responsible for creating/saving a new type of Session.
Atomic container for Throwables including combining and having a terminal state via ExceptionHelper.
The Attribute element specifies an attribute of the assertion subject.
The Attribute element identifies an attribute by name and optionally includes its value(s).
The Attribute element specifies information about the action/subject/resource requested in the Request context by listing a sequence of Attribute elements associated with the action.
Indicates that a method describes a configuration attribute of an SMS service.
An attribute, comprising an attribute description and zero or more attribute values.
This interface AttributeAuthorityMapper is used by attribute authority to process attribute query.
Responsible for performing a specialised JSON compression based on the attribute name being stored in the JSON.
An attribute description as defined in RFC 4512 section 2.5.
The AttributeDesignator element identifies an attribute name within an attribute namespace.
A configurable factory for filtering the attributes exposed by an entry.
The Attribute element specifies information about the action/subject/resource requested in the Request context by listing a sequence of Attribute elements associated with the action.
Translates from a source to a map of attributes.
Defines the concerns of mapping attributes into SAML2 AttributeStatements.
A fluent API for parsing attributes as different types of object.
This class represents the AttributeQueryType complex type.
This class provides methods to send or process AttributeQuery.
This class contains methods for creating and manipulating attributes.
The class AttributeSchema provides methods to access the schema of a configuration parameter.
This enum ListOrder defines the list orders of schema attributes and provides constants for these list orders.
The class Syntax defines the syntax of the schema attributes and provides static constants for these types.
The class Type defines the types of schema attributes and provides static constants for these types.
The class UIType defines the UI types of schema attributes and provides static constants for these types.
An AttributesContext is a mechanism for transferring transient state between components when processing a single request.
The AttributeStatement element supplies a statement by the issuer that the specified subject is associated with the specified attributes.
The AttributeStatement element describes a statement by the SAML authority asserting that the assertion subject is associated with the specified attributes.
Defines the concerns of generating the AttributeStatement list to be included in the SAML2 assertion.
This class defines a data structure for storing and interacting with an attribute type, which contains information about the format of an attribute and the syntax and matching rules that should be used when interacting with it.
A fluent API for incrementally constructing attribute type.
This enumeration defines the set of possible attribute usage values that may apply to an attribute type, as defined in RFC 2252.
The AudienceRestriction specifies that the assertion is addressed to one or more specific Audiences.
This is an implementation of the abstract Condition class, which specifies that the assertion this AuthenticationCondition is part of is addressed to one or more specific audiences.
Audit API interface for auditing the result of an authentication request.
Responsible for tracking the auditing of an authentication attempt including auditing each of the modules that are executed and the overall result of the authentication.
The available types of authentication context comparison methods.
The AuthContext provides the implementation for authenticating users.
The class IndexType defines the possible kinds of "objects" or "resources" for which an authentication can be performed.
The class Status defines the possible authentication states during the login process.
The AuthContextLocal provides the implementation for authenticating users.
AsyncServerAuthContext implementations should implement this interface when the AsyncServerAuthContext has its own implementation of a AuthenticationState that it will be using to store and maintain state for a single request.
A JwtCryptographyHandler that ensures confidentiality and authenticity of data using authenticated encryption algorithms.
AuthenticationException is thrown when the user-entered tokens cause the authentication module's authentication to fail.
A generic authentication exception which accepts a detail message and/or the cause.
Thrown when the result code returned in a Result indicates that the Bind Request failed due to an authentication failure.
An authentication exception which signifies that authentication of the request has failed and an appropriate unauthorized response should be returned to the client.
An HTTP Filter that will protect all downstream filters or handlers.
Builder class that configures an Authentication Framework instance.
Builder class that configures AsyncServerAuthModules and ServerAuthModules.
An authentication framework for protecting all types of resources.
Maintains state information and provides methods to retrieve values in a type-safe manner.
An exception that is thrown during AuthenticationState operations.
The AuthenticationStatement element supplies a statement by the issuer that its subject was authenticated by a particular means at a particular time.
Defines the concern of providing the AuthnStatement list to be included in the generated SAML2 assertion.
This class is for handling message localization in LoginException.
The AuthnContext element specifies the context of an authentication event.
This class represents the AuthnQueryType complex type.
This class provides methods to send or process AuthnQuery.
The AuthnRequest interface defines methods for properties required by an authentication request.
The AuthnStatement element describes a statement by the SAML authority asserting that the assertion subject was authenticated by a particular means at a particular time.
The AuthorityBinding element may be used to indicate to a replying party receiving an AuthenticationStatement that a SAML authority may be available to provide additional information about the subject of the statement.
The AuthorityKindType is an inner class defining constants representing the type of SAML protocol queries to which the authority described by this element will respond.
Provides a convenience layer on top of AuthorizationContext to simplify access to particular attributes in the authorisation context.
A handler that can send an authorization code and optional PKCE verifier to the token endpoint to receive an access token.
Context to use for authorization requests.
The AuthorizationDecisionStatement element supplies a statement by the issuer that the request for access by the specified subject to the specified resource has resulted in the specified decision on the basis of some optionally specified evidence.
The AuthorizationDecisionStatement element supplies a statement by the issuer that the request for access by the specified subject to the specified resource has resulted in the specified decision on the basis of some optionally specified evidence.
The DecisionType is an inner class defining constants for the type of Decisions that can be conveyed by an AuthorizationDecisionStatement.
Represents an exception whilst performing Authorization.
Thrown when the result code returned in a Result indicates that the Request failed due to an authorization failure.
This class contains methods for creating FilterChains to protect resources by performing authorization on each incoming request.
A header class representing the Authorization HTTP header.
A factory for creating AuthorizationHeader instances.
The authorization request control as defined in RFC 3829.
The authorization response control as defined in RFC 3829.
Represents the result of the authorization of a request.
A plugin or (extension point) that allows the OAuth2 provider to return additional data from an authorization request.
Deprecated.
An authentication password, it has a storage scheme, authentication info and authentication value.
Utility class providing utility methods for determining the meaning behind each of the different AuthStatus values.
The AuthzDecisionStatement element describes a statement by the SAML authority asserting that a request for access by the assertion subject to the specified resource has resulted in the specified authorization decision on the basis of some optionally specified evidence.
This interface defines the plug-in point for producing AuthzDecisionStatements.
An attribute value assertion (AVA) as defined in RFC 4512 section 2.3 consists of an attribute description with zero options and an attribute value.
Utility class to help with backpressure-related operations such as request aggregation.
An exception that is thrown during an operation on a resource when the requested operation is malformed.
This class provides methods for performing base64 encoding and decoding.
Provides RFC 4648 / RFC 2045 compatible Base64 encoding and decoding.
Makes use of the Base64 class to encode and decode to and from URL-safe Base64.
The BaseID is an extension point that allows applications to add new kinds of identifiers.
The BaseIDAbstract is an abstract type usable only as the base of a derived type.
Implementation of the OpenIdResolver interface.
A base implementation of QueryFilterVisitor where all methods throw an UnsupportedOperationException by default - override just the methods you need.
The interface ResourceName provides methods to determine the hierarchy of resource names.
A marker interface for types that provide secret store implementations.
A rich representation of basic credentials.
A rich representation of bearer credentials.
A BiFunction functional interface which can throw a checked Exception.
Utils to complement bit operations not covered by the BigInteger functions.
The class BinarySecurityToken provides an interface to parse and create the X.509 Security Token depicted by the Web Service Security: X.509 Certificate Token Profile and Liberty ID-WSF Security Mechanisms specifications.
The Bind operation allows authentication information to be exchanged between the client and server.
A Bind result indicates the status of the client's request for authentication.
This class can be used for filtering string elements by using blacklists and/or whitelists.
Responsible for defining the interface of the Token Blob Strategy.
General interface contract for implementations of Bloom Filters.
Generic Bloom Filter JMX monitoring.
Operations for monitoring and management of Bloom Filter implementations.
Factory methods for creating bloom filters with various requirements.
Builder for constructing and configuring Bloom Filter implementations.
Builder pattern for Rolling Bloom Filters, which are Scalable Bloom Filters whose elements can expire allowing space to be reclaimed over time.
Builder pattern for Scalable Bloom Filters.
Provides a snapshot of the current statistics and configuration of a Bloom Filter implementation.
An input stream that can branch into separate input streams to perform divergent reads.
A dynamically growing data buffer.
An immutable sequence of bytes backed by a byte array.
A mutable sequence of bytes backed by a byte array.
An interface for iteratively reading data from a ByteString.
A CachingAccessTokenResolver is a delegating AccessTokenResolver that uses a write-through cache to enable fast AccessTokenInfo resolution.
The cancel extended request as defined in RFC 3909.
Thrown when the result code returned in a Result indicates that the Request was cancelled.
An object that registers to be notified when a cancellation request has been received and processing of the request should be aborted if possible.
Stage is responsible for captcha based security.
Configuration for the captcha stage.
An implementation of a map whose keys are case-insensitive strings.
An implementation of a set whose values are case-insensitive strings.
Generic interface for methods to verify that a caveat is satisfied.
This service provides operations for querying X509Certificates.
A key used for verifying certificate signatures.
Contains a chain of PropertyResolvers that should be used to get a token replacement property.
A request to modify the content of the Directory in some way.
An interface for reading change records from a data source, typically an LDIF file.
A visitor of ChangeRecords, in the style of the visitor design pattern.
An interface for writing change records to a data source, typically an LDIF file.
Indicates the type of change which occurred to a token, which can be understood at the CTS (above the data layer) layer.
A CharsetDecoderFlowableTransformer decodes bytes from a stream of ByteBuffer into a stream of CharBuffer using the given Charset.
Interface is to define what needs to be implemented to do the OpenID Connect check session endpoint.
Deprecated.
Will be replaced in a later release by Client.
Implementation of the Google Cloud API HttpTransport interface using CHF.
The abstract class ChoiceValues provides a mechanism for services to provide choice values for attributes dynamically instead of being statically defined in the service XML file stored in the directory.
Models an OpenID Connect claim that has been requested in an authorize request.
Deprecated.
use Claim
Builder to keep the Claim immutable.
Builder to keep the Claim immutable.
Models OpenID Connect claims that are requested in an authorize request.
Utility class for converting Claims and Claim objects to and from JSON.
An HTTP client which forwards requests to a wrapped Handler.
Client context gives easy access to client-related information that is available in the request.
Builder for creating ClientContext instances.
A grant type handler that can retrieve an access token using the client_credentials grant type.
Deprecated.
since 26.2.
A Filter implementation to add the credentials to request body for authenticating as per the OAuth 2.0 Authorization Framework specification.
Common utility methods for Closeables.
AsyncFunction that silently closes an input-parameter after a delegate-function's AsyncFunction.apply(Object) is completed.
Function that silently closes an input-parameter after a delegate-function's Function.apply(Object) is invoked.
For extensibility of the RecoveryCodeGenerator.
Coercions that can be applied to a given json value.
A marker annotation to indicate that the annotated class should be interpreted as an annotated CREST collection provider resource.
An implementation interface for resource providers which exposes a collection of resource instances.
Commons ForgeRock API description.
Common api errors.
Constants class for defining fields for common state shared across stages.
The Compare operation allows a client to compare an assertion value with the values of a particular attribute in a particular entry in the Directory.
A Compare result indicates the final status of a Compare operation.
An Enum of the possible compression algorithms that can be applied to the JWE payload plaintext.
The interface for CompressionHandlers for all the different compression algorithms.
A service to get the appropriate CompressionHandler for a specified Compression algorithm.
Strategy that determines how thread-safety of bloom filters should be managed.
A thread-safe implementation of a Bloom Filter that can expand over time to accommodate arbitrary numbers of elements, while also allowing old elements to be deleted after they have expired.
Deprecated.
This is an abstract class which serves as an extension point for new conditions.
The Condition serves as an extension point for new conditions.
The ConditionAbstract is abstract and is thus usable as the base of a derived class.
Class to represent EntitlementCondition evaluation match result and - if applicable - its advice.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
Builder to help construct decisions.
The result of a tri-state logical expression.
This Conditions is a set of Condition.
The Conditions defines the SAML constructs that place constraints on the acceptable use of SAML Assertions.
Implementations of this interface will be consulted to obtain the Conditions object included in generated SAML2 assertions.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
Indicates that an interface describes the configuration of an SMS service.
The types of visibility available for a service.
Represents an identity by which annotated service configuration may have its scope bounded.
The ConfigurationActionEvent class represents Configuration event.
A ConfigurationException is thrown when there are errors related to service configuration operations.
ConfigurationInstance is the interface that provides the operations on service configuration.
The interface ConfigurationListener needs to be implemented by applications in order to receive component data change notifications.
Utility methods for config value retrieval.
An exception that is thrown during an operation on a resource when such an operation would result in a conflict.
Thrown when addition of a schema element to a schema builder fails because the OID of the schema element conflicts with an existing schema element and the caller explicitly requested not to override existing schema elements.
A client connection to a JSON resource provider over which read and update requests may be performed.
A connection with a Directory Server over which read and update operations may be performed.
A ConnectionChangeRecordWriter is a bridge from Connections to ChangeRecordWriters.
A ConnectionEntryReader is a bridge from Connections to EntryReaders.
A ConnectionEntryWriter is a bridge from Connections to EntryWriters.
An object that registers to be notified when a connection is closed by the application, receives an unsolicited notification, or experiences a fatal error.
Deprecated.
Thrown when the result code returned in a Result indicates that the Request was unsuccessful because of a connection failure.
A connection factory provides an interface for obtaining a connection to a JSON resource provider.
A connection factory provides an interface for obtaining a connection to a Directory Server.
Processes the Connection message header.
A connection pool which maintains a cache of client sockets with a configurable core pool size, maximum size, and expiration policy.
Statistics for a connection pool.
An object that registers to be notified when a connection pool grows or shrinks.
This class contains methods for creating and manipulating LDAP clients and connections.
Indicates whether LDAP client connections should use SSL or StartTLS.
The ConsentHeader class represents Consent element defined in SOAP binding schema.
An implementation of "consistent hashing" supporting per-partition weighting.
Thrown when the result code returned in a Result indicates that the update Request failed because it would have left the Directory in an inconsistent state.
A Consumer functional interface which can throw a checked Exception.
Processes the Content-API-Version message header.
Processes the Content-Encoding message header.
Processes the Content-Length message header.
Processes the Content-Type message header.
Type-safe contextual information associated with the processing of a request in an application.
This is the factory class to obtain instances of the objects defined in xacml context schema.
An interface for listener to generic changes from a remote source.
Interface for ensuring that continuous queries can be controlled once configured.
Interface for an object that listens to changes resulting from a continuous query.
Interface by which all ContinuousWatchers ensure similar operation.
Service for setting up ContinuousWatchers and ContinuousListeners.
Controls provide a mechanism whereby the semantics and arguments of existing LDAP operations may be extended.
A factory interface for decoding a control as a control of specific type.
Utility class to resolve controls OID from aliases.
This class creates an API which bridges the differences between the Servlet 2.5 and 3.0 Cookie APIs, as the Servlet 2.5 API does not support HttpOnly cookies and provides no methods to create a HttpOnly cookie.
An HTTP cookie.
Indicates the SameSite value of the cookie.
Processes the Cookie request message header.
The OpenDJ SDK core schema contains standard LDAP RFC schema elements.
Provides a map of supported locale tags to OIDs.
Represents any configuration required for the Core Token Service.
Responsible for collecting together all constants used in the Core Token Service.
Base Core Token Service exception for all sub types.
CoreTokenField contains a mapping from the Java enumeration and the defined attributes present in the LDAP Schema for the Core Token Service.
Provides the mapping between CoreTokenFields and the type of the value that is associated to that field.
The CorrelationHeader class represents Correlation element defined in SOAP binding schema.
This filter implements the resource processing of the CORS protocol.
The CORS policy is responsible for handling both actual and preflight CORS requests and for setting the appropriate set of response headers based on its own configuration.
Builder for CorsPolicy instances.
A CorsPolicyProvider allows the CorsFilter to lookup its configuration at runtime, also based on contextual information.
Enum that represents the Query supported count-policy.
An enum of count policy types.
Indicates a CREST create method on an annotated POJO.
Class that represents the Create Operation type in API descriptor.
Builder for the Create.
Enum that represents the Create modes.
A specific exception for when Create is not supported but Upsert might be being attempted, to distinguish it from other BadRequestExceptions.
A request to create a new JSON resource.
Types of create that might be singletons.
Credential pair implementation.
This interface is used to parse the credentials component of an Authorization HTTP header.
An extension to the Jackson AnySchema that includes the custom CREST JSON Schema attributes.
An ApiProducer implementation for CREST resources, that provides ApiDescription descriptors.
Declare a CREST Application.
An extension to the Jackson ArraySchema that includes the custom CREST JSON Schema attributes.
A CrestAuthorizationModule authorizes client REST requests asynchronously.
An extension to the Jackson BooleanSchema that includes the custom CREST JSON Schema attributes.
A JsonSchemaFactory that returns the extension schema objects rather than the default Jackson implementations.
An extension to the Jackson ObjectSchema that includes the custom CREST JSON Schema attributes.
A SchemaFactoryWrapper that adds the extra CREST schema attributes once the Jackson schema generation has been completed.
Constants for crypto algorithms and JSON Crypto JSON pointer keys.
Base class for all secrets that are used as keys for cryptographic operations.
Cryptography Service for the user self service project.
A generic filter for preventing cross-site request forgery (CSRF) attacks when using cookie-based authentication.
Builder class for the CSRF filter.
CTSOptions are intended to provide guidance to the CTS as to how it should perform the requested operation.
Persistent storage interface for the CTS (Core Token Service) provides callers with a generic way of storing and retrieving objects.
A key that is used for decrypting confidential data.
A key that is used for encrypting confidential data.
This class DataEncryptor is used to encrypt the data with symmetric and asymmetric keys.
Base Data Layer exception for all sub types.
Interface which needs to be implemented to use with OAuthClient implementations.
Exception to be used when an error has occurred while interacting with the data store.
Interface used for storing & retrieving information.
This class is to handle DataStoreProvider related exceptions.
This is a singleton class used to manage DataStore providers.
Deprecated.
Use Logger instead.
The Decision element is a container of one or more Decisions issued by the policy decision point.
The Decision element is a container of one or more Decisions issued by the policy decision point.
The class is used to perform privileged operations with AccessController.doPrivileged() when using com.iplanet.services.util.Crypt to decode passwords.
Thrown when data from an input source cannot be decoded, perhaps due to the data being malformed in some way.
Decode options allow applications to control how requests and responses are decoded.
Decodes an HTTP message entity input stream.
The class is used to perform privileged operation with AccessController.doPrivileged() when using com.iplanet.am.util.AMPasswordUtil to decrypt passwords.
Marker interface for all key types that can be used for decryption.
Annotation to define JSON Schema property's default-value, represented as a String.
A purpose that can fall back to a default secret ID if the first, more specific, secret ID could not be found in the secrets provider.
Default implementation for SessionPropertyUpgrader. This class simply lets the session upgrade copy every property into the new session.
The abstract class DefaultValues provides a mechanism for services to obtain their default values dynamically instead of being statically defined in the service XML file stored in the directory.
The default routing behaviour to use when no Accept-API-Version is set on the request.
Class that represents API descriptor Schema definitions.
Builder to help construct the Definitions.
An implementation of the CompressionHandler for DEFLATE Compressed Data Format Specification.
A route matcher that delegates to a provided route matcher.
Indicates a CREST delete method on an annotated POJO.
Class that represents the Delete operation type in API descriptor.
Builder for the Delete.
Represents a failure to delete a Token from the Core Token Service.
A request to delete a JSON resource.
The Delete operation allows a client to request the removal of an entry from the Directory.
A deployment ID, together with its password, facilitates the generation of the cryptographic keys required to protect a deployment, such as a root CA key-pair for SSL/TLS and a master key-pair for protecting symmetric keys used for data encryption.
The deployment ID information to be displayed by the deployment ID tool.
A Search operation alias dereferencing policy as defined in RFC 4511 section 4.5.1.3 is used to indicate whether alias entries (as defined in RFC 4512) are to be dereferenced during stages of a Search operation.
Utility methods for reading and writing DER-encoded values.
A routing component (a CHF Handler or CREST RequestHandler) can describe its API by implementing this interface.
Interface for listener instances.
A handler that both handles Requests, and also supports querying for API Descriptors.
An HttpApplication that produces OpenAPI API Descriptors.
Version of SynchronousRequestHandlerAdapter that exposes a described handler.
Annotation to define JSON Schema property's description.
Supports direct encryption using a shared symmetric key.
Represents the name/value pair of a HTTP header directives.
High-level interface to the WatchService API for detecting filesystem change events.
This class defines a DIT content rule, which defines the set of allowed, required, and prohibited attributes for entries with a given structural objectclass, and also indicates which auxiliary classes may be included in the entry.
A fluent API for incrementally constructing DIT content rule.
This class defines a DIT structure rule, which is used to indicate the types of children that entries may have.
A fluent API for incrementally constructing DIT structure rules.
A distinguished name (DN) as defined in RFC 4512 section 2.3 is the concatenation of its relative distinguished name (RDN) and its immediate superior's DN.
Validates a domain.
This is an implementation of the abstract Condition class, which specifies that the assertion this DoNotCacheCondition is part of is the new element in SAML 1.1 that allows an asserting party to express that an assertion should not be cached by the relying party for future use.
Deprecated.
A CREST CollectionResourceProvider that adds queryFilter, field filtering, sorting abilities, and paging to the dropwizard json metrics data.
An exception that is used when trying to merge multiple descriptors but a duplicate is detected.
Represents a duration in English.
Marks an attribute as being dynamic.
Implements Elliptic Curve Diffie-Hellman (ECDH) key agreement in ephemeral-static (ECDH-ES) mode.
Deprecated.
This class implements an Elliptic Curve JSON Web Key storage and manipulation class.
EC JWK builder.
This is the factory class to obtain object instances for concrete elements in the ecp schema.
The ECPRelayState interface defines methods for properties required by an ECP RelayState.
The ECPRequest interface defines methods for properties required by an ECP request.
The ECPResponse interface defines methods for properties required by an ECP response.
Deprecated.
Encapsulates common functionality for JWKs that represent elliptic curve keys: EcJWK and OkpJWK.
Configuration for the email based user name retrieval stage.
Stage is responsible for retrieving the user name.
Simple whitelisting interface to enforce one-time use for email verification codes.
An empty subscription that does nothing other than validates the request amount.
The class is used to perform privileged operation with AccessController.doPrivileged() when using com.iplanet.services.util.Crypt to encode passwords.
The class is used to perform privileged operation with AccessController.doPrivileged() when using com.iplanet.am.util.AMPasswordUtil to encrypt passwords.
The EncryptedAssertion represents an assertion in encrypted fashion, as defined by the XML Encryption Syntax and Processing specification [XMLEnc].
The EncryptedAttribute element represents a SAML attribute in encrypted fashion.
The EncryptedElement carries the content of an unencrypted identifier in encrypted fashion.
The EncryptedID carries the content of an unencrypted identifier in encrypted fashion.
A JWE implementation of the Jwt interface.
An implementation of a JwtBuilder that can build a JWT and encrypt it, resulting in an EncryptedJwt object.
A resolver capable of verifying encrypted ID tokens.
Factory class responsible for creating EncryptedOpenIdResolver instances.
A Filter implementation that adds the client credentials to the request as a signed-then-encrypted private key JWT, as per the OpenID Connect Client Authentication specification.
Builder class for creating the Encrypted PrivateKey Jwt ClientAuthentication Filter.
An implementation of a JWS with a nested JWE as its payload.
An implementation of a JwtBuilder that can build a JWT, encrypt it, and nest it within another signed JWT, resulting in a SignedEncryptedJwt object.
An implementation of a JWS Header builder that provides a fluent builder pattern to create JWS headers for signed encrypted JWTs.
The interface for EncryptionHandlers for all the different encryption algorithms.
Marker interface for all key types that can be used for encryption.
A service to get the appropriate EncryptionHandler for a specified Java Cryptographic encryption algorithm.
An Enum of the possible encryption methods that can be used when encrypting a JWT.
Encapsulates a Strategy to decide if a Privilege applies to a given request.
Entitlement related exception.
Service provider interface for registering custom entitlement conditions and subjects.
Provides methods for discovering and loading entitlements conditions and subject implementations.
Encapsulates a Strategy to decide if a Privilege applies to a given Subject.
Message content.
This class contains methods for creating and manipulating entries.
Defines the available strategy to compute changes.
An Entry which implements the null object pattern.
Defines the available strategy to generate changes.
An entry, comprising of a distinguished name and zero or more attributes.
The entry change notification response control as defined in draft-ietf-ldapext-psearch.
A template driven entry generator, as used by the makeldif tool.
Thrown when the result code returned in a Result indicates that the Request failed because the target entry was not found by the Directory Server.
An interface for reading entries from a data source, typically an LDIF file.
An interface for writing entries to a data source, typically an LDIF file.
Annotation to provide a title for a given enum value.
Provides a EnumValueOfHelper.valueOf(String) method as a replacement for the implicitly declared enum function valueOf(String), which has the advantage of not throwing exceptions when the name argument is null or cannot be found in the enum's values.
The Environment element contains information about the environment of the Request context by listing a sequence of Attribute elements associated with the environment.
The Environment element specifies information about the environment requested in the Request context by listing a sequence of Attribute elements associated with the environment.
A property accessor that allows access to environment variables.
Class that represents API descriptor ApiError errors.
Builder to help construct the Errors.
Describes an ETag for a given Token.
The class evaluates entitlement request and provides decisions.
Exception that occurs while setting an event request or when triggering the "entryChanged()" method after persistent search results are received from the Directory Server.
The EventService is responsible for listening to and dispatching to listening objects messages returning from persistent searches running in an underlying LDAP implementation.
The Evidence element specifies an assertion either by reference or by value.
The Evidence element contains one or more assertions or assertion references that the SAML authority relied on in issuing the authorization decision.
The Evidence element specifies an assertion either by reference or by value.
This annotation marks AM APIs that are continuing to evolve and so should be expected to change, potentially in backwards-incompatible ways even in a minor release.
This annotation marks AM APIs that are continuing to evolve and so should be expected to change, potentially in backwards-incompatible ways even in a minor release.
Specify an example value for the JSON schema.
An annotation to specify an example value for the attribute.
A completion handler for consuming exceptions which occur during the execution of asynchronous tasks.
Responsible for generating ExecutorService instances which are automatically wired up to shutdown when the ShutdownListener event triggers.
An exception generated by a TokenHandler on extraction when the token is expired.
Strategy pattern for determining when elements added to a ConcurrentRollingBloomFilter should expire.
The Extended operation allows additional operations to be defined for services not already available in the protocol; for example, to implement an operation which installs transport layer security (see StartTlsExtendedRequest).
A factory interface for decoding a generic extended request as an extended request of specific type.
An Extended result indicates the status of an Extended operation and any additional information associated with the Extended operation, including the optional response name and value.
A factory interface for decoding a generic extended result as an extended result of specific type.
The interface Extensions defines methods for adding protocol message extension elements.
A service provider interface for externalizing the strategy used for wrapping individual private/secret keys.
A representation of the external HTTP request in the current tree authentication context.
A builder for ExternalRequestContext instances.
OAuth 2.0 Client Implementation that supports Facebook.
Configuration used for Facebook Client Implementation.
Builder used to create FacebookClientConfiguration instance.
A factory interface.
Wraps an existing InputStream, supporting a failed state that is checked before and after each operation.
Unable to load the JWK/x5u location points.
An AsyncServerAuthContext which manages a List of AsyncServerAuthModules that are in a desired order of preference for authenticating incoming request messages.
A cryptography handler that tries multiple JwtCryptographyHandlers in turn for decryption.
Deprecated, for removal: This API element is subject to removal in a future version.
Since AM 7.3.0. Implement use-case-specific FedletAdapter implementations instead.
The FedletAdapterPlugin abstract class provides methods that can be extended to perform user-specific logic during SAMLv2 protocol processing on the Service Provider side.
This interface defines a field storage scheme.
A BranchingInputStream for reading from files.
A SecretStore that reads secrets from a directory with the expectation that each file contains a separate secret.
A builder for more fluently creating a FileSystemSecretStore.
Filters the request and/or response of an HTTP exchange.
An interface for implementing request handler filters.
A search filter as defined in RFC 4511.
This enumeration defines the set of possible filter types that may be used for search filters.
A chain of filters terminated by a target request handler.
A condition which controls whether or not a filter will be invoked.
Utility methods for creating common types of filters.
This class contains methods for creating various kinds of Filter and FilterConditions.
Deprecated.
This class is currently only used in conjunction with the PropertyResolverSecretStore and this pairing is deprecated.
Decodes an HTTP message entity flow.
An exception that is thrown when access to a resource is forbidden during an operation on a resource.
Represents forgotten password console configuration.
Represents forgotten username console configuration.
Form fields, a case-sensitive multi-string-valued map.
Annotation to mark a JSON Schema property's format field.
A Header representation of the Forwarded HTTP header.
This class represents a request's hop detail.
A synchronous function which returns a result immediately.
Common Function implementations which may be used when parsing attributes.
An LDAP generalized time as defined in RFC 4517.
A generic control which can be used to represent arbitrary raw request and response controls.
A generic Extended request which should be used for unsupported extended operations.
A Generic Extended result indicates the final status of a Generic Extended operation.
An undecoded HTTP message header.
A Generic Intermediate response provides a mechanism for communicating unrecognized or unsupported Intermediate responses to the client.
Validation of Open ID Connect JWTs via verification of their internals (issuer, audience, signature, etc.).
A generic secret represented as an opaque blob of bytes, such as a password or API key.
This interface contains methods for the GetComplete Element in the SAMLv2 Protocol Schema.
A partial implementation of the get effective rights request control as defined in draft-ietf-ldapext-acl-model.
This interface identifies the ServiceComponentConfig as containing configuration that is applied globally.
A Cipher implementation using Google KMS symmetric encryption/decryption.
A SecretPropertyFormat for the PropertyResolverSecretStore that can decrypt secrets using a Google KMS decryption key.
Abstract base class for keys stored in Google KMS.
Represents a private key stored in the Google Cloud Platform Key Management Service.
Provides implementations of Java Cryptography Architecture primitives that use the Google Cloud Platform Key Management Service.
A cipher implementation for RSA-OAEP based on Google Cloud KMS.
A symmetric secret key stored in Google KMS.
A secret store that can provide cryptographic keys based on the Google Cloud Platform Key Management Service.
Builder class for GoogleKmsSecretStore.
Implementation of the Java Signature SPI that delegates signature operations to the Google Cloud Platform Key Management Service.
Implements generic RSA-PSS signing.
Implements signing with the SHA-256 message digest.
Implements signing with the SHA-384 message digest.
Implements signing with the SHA-512 message digest.
A secret store that can read secrets directly from Google Secret Manager.
A builder class for configuring an instance of the GoogleSecretManagerSecretStore.
Provides support for fetching secrets from Google Secret Manager.
Identifies the OAuth2 Authorization Grant (aka OAuth2 Flow) undertaken to obtain an OAuth2 token.
Abstract base class for OAuth 2 grant type handlers for calling the token endpoint.
This class implements a parser for strings which are encoded using the Generic String Encoding Rules (GSER) defined in RFC 3641.
Details of a handler.
Asynchronously handles an HTTP Request by producing an associated Response.
Utility methods for creating common types of handlers.
This visitor detects if there is any token/placeholder inside the given Template.
An HTTP message header.
Creates instances of Header classes from String representation.
Message headers, a case-insensitive multiple-value map.
Utility class for processing values in HTTP header fields.
A RestRouteProvider that adds routes for the AM health check endpoints.
Guice module for binding together AM health services and endpoints.
Routines for encoding and decoding binary data in hexadecimal format.
Implements the HKDF key derivation function to allow a single input key to be expanded into multiple component keys.
A secret key designed to be used as the master key for HKDF key generation.
Deprecated.
A loader for the KeyStoreSecretStore that knows how to load standard PKCS#11 Hardware Security Module (HSM) providers on our supported platforms.
Configuration class to configure the HttpApplication instance.
An exception that is thrown during a Http Application start up when the start up of the application fails.
HttpCallback class implements Callback and is used by the authentication module with HTTP protocol based handshaking negotiation.
Callback handler for the JASPI runtime.
An SPI interface for HTTP Client implementations.
An HTTP client for sending requests to remote servers.
SSL host name verification policies.
Encapsulates the details of the proxy if one is required when making outgoing requests.
A provider interface for obtaining HttpClient instances.
Models the request that a script can send over an HttpClient.
Models a cookie which can be added to an HttpClientRequest.
Factory provided to hide implementation details from the scripting module.
Models the response that a script can receive from sending an HttpClientRequest over an HttpClient.
An Exception thrown by the HttpClientScriptWrapper which can be used for logging purposes in scripts.
A wrapper class to simplify sending HTTP requests in scripts.
The I18n class provides methods for applications and services to internationalize their messages.
Annotate the choice value enum constant for an Attribute with an i18nKey value property.
Deprecated.
Indicates that a method returns the identifier of a configuration set of a multiple-configuration SMS service.
QueryResourceHandler that searches for a specific identifier value.
Models an identity.
Service informs the caller of an identity's active status.
Exception that represents an error on looking up an identity's active status.
This interface identifies the ServiceComponentConfig as containing configuration that is applied to an identity.
Exception encapsulates an error from trying to interact with an underlying identity.
Factory that helps with the creation of Identity instances.
Exception that signifies that the requested identity was not found.
An identity service that allows performing updates to Identity instances.
A builder which allows several changes to the attributes to be combined into a single update operation per attribute type.
Interface for initializing Identity services.
Represents an identity store in which user/role/group and other identity data is configured.
Factory for creating IdentityStore instances.
Represents the event listener interface that consumers of this API should implement and register with the IdentityStore to receive notifications.
Defines the contract to generate global unique identifiers.
Default implementation of the IdGenerator that will output some ids based on the following pattern : <uuid> + '-' + an incrementing sequence.
A class providing an "openidm" object in JS scripts running within AM, which calls CRUDPAQ endpoints of the configured IDM instance.
The class IdOperation defines the types of operations supported on managed identities, and provides static constants for these operations.
The interface IDPAccountMapper is used to map the local identities to the SAML protocol objects and also the vice versa for some of the protocols for e.g.
The interface IDPAccountMapper is used to map the local identities to the SAML protocol objects and also the vice versa for some of the protocols for e.g.
This interface IDPAdapter is used to perform specific tasks in the IdP.
Provides helper functions for IDP Adapter Script Implementations.
This interface IDPAttributeMapper is used to map the authenticated user configured attributes to SAML Attributes so that the SAML framework may insert these attribute information as SAML AttributeStatements in SAML Assertion.
This interface IDPAttributeMapper is used to map the authenticated user configured attributes to SAML Attributes so that the SAML framework may insert these attribute information as SAML AttributeStatements in SAML Assertion.
This class exposes methods that are only intended to be used by IDP Attribute Mapper script types.
The interface IDPAuthenticationMethodMapper creates an IDPAuthenticationTypeInfo based on the RequestAuthnContext from the AuthnRequest sent by a Service Provider and the AuthnContext configuration at the IDP entity config.
The class IDPAuthenticationTypeInfo consists of the mapping between AuthenticationType and the actual authentication mechanism at the Identity Provider.
The class IDPAuthnContextInfo consists of the mapping between AuthnContextClassRef and the actual authentication mechanism at the Identity Provider.
The interface IDPAuthnContextMapper creates an IDPAuthnContextInfo based on the RequestAuthnContext from the AuthnRequest sent by a Service Provider and the AuthnContext configuration at the IDP entity config.
This interface IDPECPSessionMapper is used to find a valid session from HTTP servlet request on IDP with ECP profile.
This interface defines methods to set/retrieve single identity provider information trusted by the request issuer to authenticate the presenter.
This interface IDPFinder is used to find a list of preferred Identity Authenticating providers to service the authentication request.
This interface specifies the identity providers trusted by the requester to authenticate the presenter.
This interface defines the methods which need to be implemented by plugins.
Indicates that an interface describes the configuration of an Identity Repository.
An exception type thrown when an IdRepo is asked to create an object with a name that is already used.
Class representing error codes for different error states.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
Factory interface for creating instances of IdRepo.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
Provides methods that can be called by IdRepo plugins to notify change events.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
This is a helper class which is used in the IdentityStore search method.
This is a helper class which can be used in conjunction with the IdSearchControl class to make simple modifications to the basic search performed by each plugin.
The class IdSearchResults provides access to the search results.
The purpose of this interface is to allow classes that implement this interface to listen to Directory Server Events.
The class IdType defines the types of supported identities, and provides static constants for these identities.
Allows performing operations related to IdType.
The class defines some static utilities used by other components such as policy and auth.
Deprecated.
Exception that represents an unknown stage tag.
An exception which is thrown when two incompatible RouteMatch instances are attempted to be compared.
Interface of an object that can be indexed with a unique key.
This class is registered with a Backend and it provides callbacks for indexing attribute values.
Contains options indicating how indexing must be performed.
A factory for creating arbitrarily complex index queries.
All the SAML federation plugins that need to be initialized should extend this.
This class provides utility methods for converting Java Date objects into and from IntDates.
An Intermediate response provides a general mechanism for defining single-request/multiple-response operations.
A completion handler for consuming intermediate responses returned from extended operations, or other operations for which an appropriate control was sent.
An exception that is thrown during an operation on a resource when the server encountered an unexpected condition which prevented it from fulfilling the request.
An OAuth 2.0 token abstraction for introspection.
The InvalidAttributeNameException is thrown to indicate that an invalid attribute name was used.
Invalid audience.
Exception thrown if the name of an object such as a policy, rule or referral has an invalid format.
Invalid issuer.
Represents an exception that occurs when a JWT is determined as invalid.
Invalid JWT.
Exception thrown if the name of an object such as a policy, rule or referral is invalid.
Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).
Exception to be used when an OAuth Request cannot be handled due to known causes.
Exception that is thrown when the user-entered password token causes authentication by the authentication module to fail.
Represents a request which has been received and decoded but is invalid according to the LDAP standard because of an invalid DN syntax or an invalid attribute syntax.
Thrown when the request is missing any required parameters or is otherwise malformed.
Invalid signature.
An exception generated by a TokenHandler on validation or extraction when the token is invalid.
Utility class that can stream to and from streams.
This node handles the authentication of things.
Defines the possible outcomes from this node.
Configuration for the node.
The JWT authentication method used to verify the JWT presented for authentication.
The IotGuiceModule handles all the Guice dependency injections to allow the plugin to be operational within AM.
Installs the IoT authentication nodes and services.
This node handles the registration of things.
Configuration for the node.
The JWT registration method used to verify the JWT presented for registration.
Defines the possible outcomes from this node.
IotRestRouteProvider adds the IoT routes to the CREST router.
This provider exposes the secret IDs used by the IoT component to the SecretIdRegistry.
Service interface for configuring the IoT Service.
Realm config interface holding the config for the IoT service attributes.
This class ISSecurityPermission is used to protect the Access Manager resources which should be accessed only by trusted applications.
The Issuer provides information about the issuer of a SAML assertion or protocol message.
Comparators for comparing "issuer" values.
Class that represents the Items type in API descriptor.
Builder to help construct the Items.
Deprecated.
Some utilities for dealing with Jackson schemas.
Adapter class implementing methods that adapt to and from JASPI interfaces to be able to inter-op with pure JASPI implementations.
A TokenAdapter that can adapt Java bean-compliant POJOs that have been annotated with the annotations in org.forgerock.openam.tokens.
Factory interface for Guice JavaBeanAdapter instances.
Set of SecretConstraints for filtering Secrets.
Provides read and write JSON capabilities.
Jackson Module that uses a mixin to make sure that a JsonValue instance is serialized using its #getObject() value only.
Jackson Module that adds a serializer for LocalizableString.
Convenience class for constructing a set of JSON-based 1st-party caveats for use with Macaroon.addFirstPartyCaveat(JsonValue).
Implements caveats that are structured as JSON objects.
Represents a JSON $crypto object.
An exception that is thrown during JSON cryptographic operations.
An exception that is thrown during JSON cryptographic operations.
Create a new JsonValue by applying a decryptor.
Decrypts an encrypted JSON value.
Create a new JsonValue by applying an encryptor.
Encrypts a JSON value.
An exception that is thrown during JSON operations.
Processes partial modifications to JSON values.
RFC6902 expects the patch value to be a predetermined, static value to be used in the patch operation's execution.
Identifies a specific value within a JSON structure.
Responsible for serialising and deserialising objects to and from JSON.
Represents a value in a JSON object model structure.
An exception that is thrown during JSON value operations.
A QueryFilterVisitor that returns true if the provided JsonValue meets the criteria of the QueryFilter assertions and false if it does not.
This class contains the utility functions to convert a JsonValue to another type.
This class contains the utility functions to convert a JsonValue to CREST (json-resource) types.
A utility that traverses a JsonValue and does property substitution as well as type coercion.
The specification for a coercion function.
A configuration property resolver that uses a JsonValue to resolve properties.
An implementation of Function that recursively traverses the JsonValue and applies some transformation if needed.
An Enum of the possible encryption algorithms that can be used to encrypt a JWT.
An Enum of the possible types of JWE algorithms that can be used to encrypt a JWT.
Represents an exception for when compression/decompression of the plaintext fails.
This exception entirely duplicates JweDecryptionException except that it is a checked exception so that it can be used with a Promise.
Represents an exception for when decryption of the JWE fails.
This class represents the result from the encryption process of the JWT plaintext.
Represents an exception for when encryption of the JWE fails.
Represents a generic exception for JWE operations.
An implementation for the JWE Header parameters.
An implementation of a JWE Header builder that provides a fluent builder pattern to create JWE headers.
An Enum for the additional JWE Header parameter names.
The abstract base class for the 3 implementations of JWK.
JWK builder.
Exports keys in JSON Web Key (JWK) format.
Helper class to look up and return the keys from specific JWK implementation algorithm types.
This class exists to allow Open Id Providers to supply or promote a JWK exposure point for their public keys.
Decodes a JSON Web Key (JWK) as a secret.
Holds a Set of JWKs.
Provides methods to gather a JWKSet from a URL and return a map of key ids to keys as dictated by that JWKS.
A secret store that loads cryptographic keys from a local or remote JWKSet.
Store JWKs into a jwkSet from a JWKs_URI and refresh the jwkSet when necessary.
Manages the jwks store, to avoid unnecessarily having more than one jwks store for the same JWKs_URI.
A base implementation class for a JSON Web object.
An Enum of the possible signing algorithms that can be used to sign a JWT.
An Enum of the possible types of JWS algorithms that can be used to sign a JWT.
Represents a generic exception for JWS operations.
An implementation for the JWS Header parameters.
An implementation of a JWS Header builder that provides a fluent builder pattern to create JWS headers.
An Enum for the JWS Header parameter names.
Represents an exception for when signing of the JWS fails.
Represents an exception for when verification of the JWS signature fails.
The interface for all types of JSON Web Tokens (JWTs).
A wrapper class to support the generation of JWT assertions within scripts.
A secret store that authenticates to Vault using a JWT.
The base interface for all JwtBuilders for each type of JWT (plaintext, signed or encrypted).
Represents an exception that occurs when creating/rebuilding JWTs.
A factory for getting builders for plaintext, signed and encrypted JWTs and reconstructing JWT strings back into their relevant JWT objects.
An implementation that holds a JWT's Claims Set.
An implementation of a JWT Claims Set builder that provides a fluent builder pattern for creating JWT Claims Sets.
An Enum for the JWT Claims Set names.
An abstraction of the cryptographic operations that the JWT session modules will need to do to create and read JWTs.
Expired JWT.
A base implementation class for JWT Headers.
A base implementation of a JWT header builder that provides a fluent builder pattern for creating JWT headers.
An Enum for the JWT Header parameter names.
A service that provides a method for reconstructing a JWT string back into its relevant JWT object (SignedJwt, EncryptedJwt, SignedThenEncryptedJwt, EncryptedThenSignedJwt).
Represents an exception that occurs when reconstructing JWTs.
Enum denoting how the request parameter jwt is to be sent to the OIDC provider.
Represents a generic exception for JWT operations.
A base implementation for the common security header parameters shared by the JWS and JWE headers.
A base implementation of a JWT header builder, for the common security header parameters shared by the JWS and JWE headers, that provides a fluent builder pattern for creating JWT headers.
Abstraction of a cookie to allow for the CHF Cookie and the Http Cookie.
A JASPI CHF Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response.
Deprecated.
Prefer SecretsJwtTokenHandler instead.
Configuration for a JwtTokenHandler.
A type that stores the media/jwt types for JWTs.
A wrapper class to support the validation of JWTs within scripts.
Represents a single KBA question in various Locales.
A key that is used in a key-agreement protocol (such as Diffie-Hellman) to agree another key.
A key that is used to decrypt (or "unwrap") other keys that have been encrypted with a KeyEncryptionKey.
A key that is used to encrypt ("wrap") other keys.
A format that can be used for exporting key material.
Exports a key in the PEM (Privacy Enhanced Mail) format.
Exports the raw key.
The KeyInfoConfirmationData constrains a SubjectConfirmationData element to contain one or more ds:KeyInfo elements that identify cryptographic keys that are used in some way to authenticate an attesting entity.
This class contains methods for creating common types of key manager.
Represents the Possible key operations values.
The class KeyProvider is an interface that is implemented to retrieve X509Certificates and Private Keys from a user data store.
An abstraction of initialising a keystore-based BaseSecretStoreProvider.
Builder class for loading key stores.
Deprecated.
This interface allows customization of the key ID values associated with public keys stored in KeyStoreSecretStores.
A class that manages a Java Key Store and has methods for extracting out public/private keys and certificates.
Represents an exception from an operation using the KeyStoreManager class.
A service provider interface for implementing key store caches.
The parameters which configure how the LDAP key store will be accessed.
A secret store for cryptographic keys based on a standard Java KeyStore.
Specifies an alias with its validity for use in the store.
Permits to retrieve the list of usable AliasSpecs of a specific KeyStore.
Aggregates multiple AliasSpecProviders results to serve the list of AliasSpec for a KeyStore.
Serves a matching subset of the aliases present in a KeyStore based on a predicate.
An interface to allow the consuming application to provide the stable ID for the secret.
Serves a static list of AliasSpecs, without looking at the real content of a KeyStore.
Enum representing the possible KeyTypes.
Indicates the type of key.
Indicates the allowed usages for a particular key.
Represents the supported KeyUse values.
Utility methods for interacting with lambdas that throw exceptions.
A list with lazy initialization.
A map with lazy initialization.
A Supplier that lazily computes a value the first time it is accessed and then caches the result to return on subsequent requests.
This class contains various static utility methods for encoding and decoding LDAP protocol elements.
An LDAP client provides an interface for obtaining a connection to a Directory Server.
This class contains methods for creating and manipulating LDAP clients and connections.
A connection with a Directory Server over which read and update operations may be performed.
A factory class which can be used to obtain connections to an LDAP Directory Server.
Thrown when the result code returned in a Result indicates that the Request was unsuccessful.
Encapsulates a ProtocolOp with LDAP specific message information.
A handle which can be used to retrieve the Result of an asynchronous Request.
Reads LDAP messages from an underlying ASN.1 reader.
A completion handler for consuming the result of an asynchronous operation or connection attempts.
An LDAP server connection listener which waits for LDAP connection requests to come in over the network and binds them to a server connection created using the provided server connection factory.
Server side representation of a connected LDAP client.
A reactive socket implementation representing a stream of LDAP messages.
An LDAP URL as defined in RFC 4516.
Utility methods to help interaction with the OpenDJ LDAP SDK.
A model object that contains the settings used for cached connection pools.
Simple failover Ldap Client.
Writes LDAP messages to an underlying ASN.1 writer.
This class contains common utility methods for creating and manipulating readers and writers.
An LDIF change record reader reads change records using the LDAP Data Interchange Format (LDIF) from a user defined source.
An LDIF change record writer writes change records using the LDAP Data Interchange Format (LDIF) to a user defined destination.
An LDIF entry reader reads attribute value records (entries) using the LDAP Data Interchange Format (LDIF) from a user defined source.
An LDIF entry writer writes attribute value records (entries) using the LDAP Data Interchange Format (LDIF) to a user defined destination.
This is a collection of identity related methods which either should not exist, or belong elsewhere.
This allows reading and writing service config which is related to a specific identity.
Exception thrown if any configured limit is exceeded.
An implementation of the Attribute interface with predictable iteration order.
An implementation of the Entry interface which uses a LinkedHashMap for storing attributes.
Oauth 2.0 Client Implementation that supports LinkedIn.
Configuration used for LinkedInClient Implementation.
Builder used to create LinkedInClientConfiguration instance.
Wraps another map.
Annotated configuration classes implementing this interface will be able to have listeners registered to be invoked on configuration changes.
Builder responsible for providing fluent-like functions for building up Action instances which will respond to changes in Service configuration.
A generic listener which will respond to a configuration or schema change event.
Represents an event provided to a service listener.
Deprecated.
Use ListMultimap instead.
Provides helper methods for List.
This interface defines the contract for checking whether an AM service or component is alive and able to function independent of the state of any 3rd party dependencies or whether the service or component has fallen over to the point of being beyond recovery.
CHF endpoint that reports AM's liveness, pertaining to the characteristics laid out in the Kubernetes documentation for the liveness probe.
An object that registers to be notified when an LDAP client associated with a load-balancer changes state from offline to online or vice-versa.
An SPI interface for implementing alternative service loading strategies.
Provides methods for dynamically loading classes.
This class Locale.java is a utility that provides functionality for applications and services to internationalize their messages.
Utility class for Locales.
A mix-in interface which can be used to identify exceptions which support localization.
A localizable message whose String representation can be retrieved in one or more locales.
A mutable sequence of localizable messages and their parameters.
An opaque handle to a localizable message.
Subclass for creating messages with no arguments.
Subclass for creating messages with one argument.
Subclass for creating messages with two arguments.
Subclass for creating messages with three arguments.
Subclass for creating messages with four arguments.
Subclass for creating messages with five arguments.
Subclass for creating messages with six arguments.
Subclass for creating messages with seven arguments.
Subclass for creating messages with eight arguments.
Subclass for creating messages with nine arguments.
Subclass for creating messages with any number of arguments.
Localizable Operation.
Localizable RefProperty.
Represents a String which could be localizable.
Localizable Tag.
Thrown to indicate that a method has been passed an illegal or inappropriate argument.
A localized KeyStoreException.
A logger implementation which formats and localizes messages before forwarding them to an underlying SLF4J Logger.
An implementation of SLF4J marker that contains a LocalizableMessage and does not allow to manage references to other markers.
Processes the Location message header.
A provider of commons SecretStore instances.
Deprecated.
Deprecated.
Deprecated.
Deprecated.
Deprecated.
Defines the logging categories and their associated logger.
Deprecated.
This class represents the LogoutRequest element in SAML protocol schema.
This class represents the LogoutResponse element in SAML protocol schema.
Deprecated.
Deprecated.
Deprecated.
Helper class for logging securely sensitive values.
A macaroon is a cryptographically protected token which can be attenuated by appending caveats.
Represents a caveat on a macaroon.
Indicates that a macaroon is not well-formed according to a SerializationFormat.
An OAuth2 access or refresh token that is represented as a Macaroon.
A macaroon verifier is used to verify the caveats on a Macaroon.
Indicates whether a macaroon was successfully verified or not.
Validates a mail address. This class is constructed using the default (no-argument) constructor, and the mail address is passed to the validate function with optional rules. The passed mail address is validated for authenticity and a boolean value is returned accordingly.
Constants representing the names of the mail server configuration attributes.
A RestRouteProvider that adds routes for all email endpoints.
Pluggable interface for all email sending in OpenAM.
Factory interface for creating instances of MailServer.
Default MailServer implementation that sends email via the configured SMTP server.
Interface which loads MailServer.
Thrown when a header string cannot be parsed to a rich Header implementation.
The ManageDsaIT request control as defined in RFC 3296.
This class represents the ManageNameIDRequestType complex type.
This class represents the ManageNameIDResponse element declaration.
Wraps another map.
A QueryFilterVisitor that produces a Map representation of the filter tree.
Configures a keystore based on a key/value map.
The matched values request control as defined in RFC 3876.
A compiled search Filter which may be used for matching against entries.
The types of compiled matcher.
This class defines a data structure for storing and interacting with matching rules, which are used by servers to compare attribute values against assertion values when performing Search and Compare operations.
A fluent API for incrementally constructing matching rules.
Represents the types of matching rules, according to RFC 4517 section 4.1.
This interface defines the set of methods that must be implemented to define a new matching rule.
This class defines a data structure for storing and interacting with a matching rule use definition, which may be used to restrict the set of attribute types that may be used for a given matching rule.
A fluent API for incrementally constructing matching rule uses.
An implementation of Action that will preserve the SLF4J MDC.
An implementation of Consumer that will preserve the SLF4J MDC.
An implementation of Subscriber that will preserve the SLF4J MDC.
Store SLF4J Mapped Diagnosed Context (aka MDC) when tasks are submitted, and re-inject it when tasks are executed.
Store SLF4J Mapped Diagnosed Context (aka MDC) when tasks are submitted, and re-inject it when tasks are executed.
A simple in-memory collection resource provider which uses a Map to store resources.
A simple in-memory back-end which can be used for testing.
The Message class is used by web service client and server to construct request or response.
Message<M extends Message<M>>
Elements common to requests and responses.
The authentication framework uses this MessageContext to pass messages and message processing state to authentication contexts for processing by authentication modules.
An implementation of MessageContext that holds contextual information and state for a given request and response message exchange.
Abstract message base class.
The authentication framework uses this MessageContextInfo to pass messages and message processing state to authentication modules for processing of messages.
Exposes statistics on method call timings and rates to JMX monitoring.
Sends emails over REST using the OAuth2 client credentials grant type for authentication.
The StatusCode element is a container of one or more Status elements issued by an authorization authority.
A modification to be performed on an entry during a Modify operation.
A Modify operation change type as defined in RFC 4511 section 4.6 is used to specify the type of modification being performed on an attribute.
Contains equivalent values for the ModificationType values.
The Modify DN operation allows a client to change the Relative Distinguished Name (RDN) of an entry in the Directory and/or to move a subtree of entries to a new location in the Directory.
The Modify operation allows a client to request that a modification of an entry be performed on its behalf by a server.
Deprecated.
Use Multimap instead.
Thrown when the result code returned in a Result indicates that the requested single entry search operation or read operation failed because the Directory Server returned multiple matching entries (or search references) when only a single matching entry was expected.
Annotation to mark a numeric JSON Schema property's multipleOf field.
Interface defining support for multipleOf JSON Schema field.
Deprecated.
Use Multiset instead.
An unmodifiable element-count pair for a multiset.
Wraps a map for which the values are lists, providing a set of convenience methods for handling list values.
A MutableUri is a modifiable URI substitute.
Exception thrown if a name of an object such as policy, rule or referral already exists (used by another object of the same type).
This class defines a data structure for storing and interacting with a name form, which defines the attribute type(s) that must and/or may be used in the RDN of an entry with a given structural objectclass.
A fluent API for incrementally constructing name forms.
The NameID is used in various SAML assertion constructs such as Subject and SubjectConfirmation elements, and in various protocol messages.
The NameIdentifier element specifies a Subject by a combination of a name and a security domain governing the name of the Subject.
This class provides methods to send or process NameIDMappingRequest.
This class represents the ManageNameIDRequestType complex type.
This class represents the NameIDMappingResponseType complex type.
This interface defines methods to retrieve name identifier related properties.
The NameIDType is used when an element serves to represent an entity by a string-valued name.
Exception thrown if an object such as policy, rule or referral for the given name does not exist.
The NeverThrowsException class is an uninstantiable placeholder exception which should be used for indicating that a Function or AsyncFunction never throws an exception (i.e.
Java content class for NewEncryptedID element declaration.
This interface identifies the new identifier in an ManageNameIDRequest message.
A node is the core abstraction within an authentication tree.
Annotation that describes the metadata of the node.
An Exception to indicate that there was a problem processing a Node that could not be resolved to a Action.
Encapsulates all state that is provided by each node and passed between nodes on tree execution.
Allows the Caching of an object.
A NOP implementation of the Compression Handler, which will be used when no compression is to be applied.
Exception thrown if a policy operation attempted could not be done due to insufficient permissions.
Deprecated.
This algorithm is inherently insecure and shouldn't be used.
Indicates that no secret was configured for the given purpose, or the named secret is not available.
An exception that is thrown when a specified resource cannot be found.
An exception that is thrown during an operation on a resource when the resource does not implement/support the feature to fulfill the request.
Deprecated.
An annotation which tags a configuration method as representing a number range.
OAuth2 utility class.
OAuth 2.0 Client Implementation that supports the Authorization Code Grant Flow.
Configuration used for OAuth2 Client Implementations.
Builder class for creating the OAuth2ClientConfiguration.
An OAuth2Context could be used to store and retrieve an AccessTokenInfo.
Describes an error which occurred during an OAuth 2.0 authorization request or when performing an authorized request.
An abstraction of the actual request so as to allow the core of the OAuth2 provider to be agnostic of the library used to translate the HTTP request.
OAuth2 Session Info Object used to determine if the access token expiry time has passed and to determine if a session is still active.
Information about the current user.
Generic interface for all OAuth-like clients.
Base configuration of an OAuth client.
Base builder used to create OAuthClientConfiguration instances.
Exception used when an error has occurred with an OAuth client's configuration.
An exception that is thrown when an OAuth request has failed.
This class defines a data structure for storing and interacting with an objectclass, which contains a collection of attributes that must and/or may be present in an entry with that objectclass.
A fluent API for incrementally constructing object classes.
This enumeration defines the set of possible objectclass types that may be used, as defined in RFC 2252.
Exception thrown to indicate that an object you are trying to remove is in use and therefore can not be removed.
Common utility methods for Objects.
The Obligation element is a container of one or more AttributeAssignments issued by an authorization authority.
The Obligation element is a container of one or more AttributeAssignments issued by an authorization authority.
The Obligations element is a container of one or more Obligations issued by an authorization authority.
The Obligations element is a container of one or more Obligations issued by an authorization authority.
Creates an Octet JWK.
The Octet JWK builder.
An Octet Key-Pair (OKP) JWK as defined in RFC 8037.
Builder object for Octet Key-Pair (OKP) JWKs.
The OneTimeUse indicates that the assertion should be used immediately by the relying party and must not be retained for future use.
Deprecated.
The “/oauth2/tokeninfo” endpoint was deprecated in AM 6.5.
Helper methods for applying commonly needed changes to the Swagger model.
Visits a Swagger Operation.
Transforms an ApiDescription into an OpenAPI/Swagger model.
The OpenDJ LDAP security provider which exposes an LDAP/LDIF based KeyStore service, as well as providing utility methods facilitating construction of LDAP/LDIF based key stores.
Utility methods for accessing the LDAP schema elements required in order to support the OpenDJ security provider.
OpenID Connect Client Implementation that supports the Authorization Code Grant Flow.
Configuration used for OpenID Connect Client Implementations.
Builder class for creating the OpenIDConnectClientConfiguration.
OpenID Connect module that allows access when a valid OpenID Connect JWT which our server trusts is presented in the specific header field.
OpenIDSessionInfo object used to determine if the access token or id token expiry time has passed and to determine if a session is still active.
An interface which allows soap-sts publishers to generate the amr claim for issued OpenIdConnect tokens on the basis of the validated input token.
OpenIdConnect tokens can include an Authentication Context Class Reference (acr) claim which indicates how the subject asserted by the OIDC token was authenticated.
An instance of this interface will be used to insert any custom claims into issued OpenIdConnect tokens.
OpenID Connect user information related to a user's current social session.
Problem during the verification of an OpenId Connect module.
A resolver that performs validation against a supplied SignedJwt.
For producing OpenId Resolvers.
Interface through which OpenIdResolvers are obtained, and the service providing them is configured.
Implementation of the OpenIdResolverServiceConfigurator interface which applies a simple priority ordering when reading a service configuration.
Holds a copy of the current OpenID Resolvers.
The common details of an operation.
Class that represents the Operation type in API descriptor.
Builder to help construct the Operation.
A configuration option whose value can be stored in a set of Options.
A set of options which can be used for customizing the behavior of HTTP clients and servers.
Filter which handles OPTION HTTP requests to CREST resources.
A StableIdResolver that uses a version suffix and a subsequent number to determine the stableId of a Secret.
The OrganizationAlreadyExistsException is thrown if the organization already exists.
The class OrganizationConfigManager provides interfaces to manage an organization's configuration data.
Describes the outcomes for node instances.
A model object for an outcome.
An exception that is thrown if a buffer would overflow as a result of a write operation.
PagePropertiesCallback class implements Callback and is used for exchanging all UI related attribute information such as template name, errorState to indicate whether a template is an error page, page header, image name, page timeout value, and name of module.
Enum that represents the Query paging mode.
Ordered pair of arbitrary objects.
This interface defines constants common to all PAOS elements.
The PAOSException class represents an error while processing SOAP requests and responses.
The PAOSHeader class is used by a web application on HTTP server side to parse a PAOS header in an HTTP request from the user agent side.
The PAOSRequest class is used by a web application on HTTP server side to construct a PAOS request message and send it via an HTTP response to the user agent side.
The PAOSUtils contains utility methods for PAOS implementation.
An extra parameter to an operation.
Class that represents the Parameter type in API descriptor.
Builder to construct Parameter object.
Configuration for parameter passing stage.
Enum that represents where the Parameter comes from.
Captures input parameters to be passed back out at the end of the process.
Represents a partial CTS Token.
Named set of servers defining a distributed service.
A server from a partition.
An annotation which tags a configuration method as representing a "secret" value that is encrypted.
An encoded password.
The class PasswordDecoder is an interface that is implemented to decode password.
The Netscape password expired response control as defined in draft-vchu-ldap-pwd-policy.
The Netscape password expiring response control as defined in draft-vchu-ldap-pwd-policy.
The password modify extended request as defined in RFC 3062.
The password modify extended result as defined in RFC 3062.
A password policy error type as defined in draft-behera-ldap-password-policy is used to indicate problems concerning a user's account or password.
The exception class whose instance is thrown if there is any error related with password issue.
The password policy request control as defined in draft-behera-ldap-password-policy.
The password policy response control as defined in draft-behera-ldap-password-policy.
A password policy warning type as defined in draft-behera-ldap-password-policy is used to indicate the current state of a user's password.
Indicates a CREST patch method on an annotated POJO.
Class that represents the Patch operation type in API descriptor.
Builder to help construct the Patch.
Represents all Patch operations.
An individual patch operation which is to be performed against a field within a resource.
A request to update a JSON resource by applying a set of changes to its existing content.
Allocate a path to a component.
Class that represents the Paths type in API descriptor.
Utilities for manipulating paths.
Builder to help construct the Paths.
Jackson Module that adds a serializer modifier for Paths.
Utilities for working with API Description paths and path-parameters.
The interface represents the body of a JWT.
Supports decoding keys and certificates in PEM format.
PerItemEvictionStrategyCache is a thread-safe write-through cache.
An exception that indicates that a failure is permanent, i.e.
Extension filter that will be called before permission request creation.
A POJO to represent the UMA Permission Ticket.
The Microsoft defined permissive modify request control.
A persistent search change type as defined in draft-ietf-ldapext-psearch is used to indicate the type of update operation that caused an entry change notification to occur.
The persistent search request control as defined in draft-ietf-ldapext-psearch.
Represents a pipe for transferring bytes from an OutputStream to an InputStream.
Proof Key for Code Exchange (PKCE) transformation method.
An annotation which tags a configuration method as being placeholdered.
An exception for an error in plugin operation.
A collection of simple tools for interacting with the SMS (Service Management Service).
Deprecated.
As of OpenSSO Express 8.0, use Entitlement instead as Entitlement has replaced Policy.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
The class PolicyEvaluationException is the exception for the error happening in policy request XML parsing and policy request evaluation.
Deprecated.
As of OpenSSO Express 8.0, use Evaluator instead as Entitlement has replaced Policy.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
The class PolicyException is the basic exception for the policy component.
This is the factory class to obtain instances of the objects defined in xacml context schema.
Deprecated.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
The post-read request control as defined in RFC 4527.
The post-read response control as defined in RFC 4527.
An exception that is thrown to indicate that a resource's current version does not match the version provided.
An exception that is thrown to indicate that a resource requires a version, but no version was supplied in the request.
An interface for a basic, stand-alone predicate which can be evaluated given some JsonValue input and serialized for storage.
A Predicate functional interface which can throw a checked Exception.
This class encapsulates an ordered list of preferred locales, and the logic to use those to retrieve i18n ResourceBundles.
The pre-read request control as defined in RFC 4527.
The pre-read response control as defined in RFC 4527.
Container for a principal and secret.
A Filter implementation for adding the client credentials to a request as a signed private key JWT, as per the OpenID Connect Client Authentication specification.
Builder class for creating the PrivateKey Jwt ClientAuthentication Filter.
Holds the context of the policy evaluation making it available to policy conditions.
Process context represents the current state of the workflow.
Represents the configuration for an instance of the anonymous process service.
Process store is used to persist state throughout a given flow cycle.
A property accessor for product paths.
Progress stage represents a single stage within the overall advance flow.
Progress stage binder is responsible for creating bindings between the stage configs and their consuming stages.
Binds together the progress stage with its config.
Progress stage provider.
Promise<V,E extends Exception>
A Promise represents the result of an asynchronous task.
An implementation of Promise which can be used as is, or as the basis for more complex asynchronous behavior.
Utility methods for creating and composing Promises.
Ordered list of joined asynchronous results.
When issuing SAML2 Holder-of-Key assertions, the proof token is usually an X509Certificate.
Builder class for ProofTokenState.
Given a file path this will load the properties within the file as a PropertyResolver.
Supported property formats for file-based and system/environment variable properties.
Decodes secrets in raw base64 format.
Annotation to provide a property order for a given object property.
An annotation to declare the policies for property access in the CREST API Descriptor schema elements.
A property resolver attempts to get the value of a given config property.
A utility class that gives access to the default property resolvers for a product.
A SecretStore implementation that resolves secrets as base64-encoded strings from an underlying PropertyResolver.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
This is the factory class to obtain object instances for concrete elements in the protocol schema.
The base class of all requests and responses provides methods for querying and manipulating the set of Controls.
The proxy authorization v1 request control as defined in draft-weltman-ldapv3-proxy-04.
The proxy authorization v2 request control as defined in RFC 4370.
Deprecated.
As of OpenSSO Express 8.0, use Evaluator instead as Entitlement has replaced Policy.
Deprecated.
As of OpenSSO Express 8.0, use Evaluator instead as Entitlement has replaced Policy.
This class defines the proxy protocol header as it is described in the proxy protocol documentation.
Exposes the content of the "pp2_tlv_ssl" structure present in the ProxyProtocolHeader.PP2_TYPE_SSL TLV header.
Represents the possible values for the client property of the "pp2_tlv_ssl" structure.
Represents the possible types of the "sub_tlv" contained in the "pp2_tlv_ssl" structure present in the ProxyProtocolHeader.PP2_TYPE_SSL TLV header.
The ProxyRestriction specifies limitations that the asserting party imposes on relying parties that in turn wish to act as asserting parties and issue subsequent assertions of their own on the basis of the information contained in the original assertion.
This class exists to allow functionality for those Open ID Connect providers which supply their signatures through asymmetric key algorithms (e.g.
Purpose<T extends Secret>
A purpose encapsulates both a name for a function that requires access to secrets, together with a hint as to the intended usage of those secrets.
Functional interface for retrieving a Key based on a Purpose and a key id.
A mapping of purpose to alias with a valid-from date.
This validator makes sure that the secret mappings have both the alias and the secret ID specified, and additionally it verifies that there is no other secret mapping in the configuration already for the same secret ID.
A PushNotificationDelegate is an implementation of OpenAM's Push Notification Service PushNotificationService specific to a realm as generated by a PushNotificationDelegateFactory.
Defines how PushNotificationDelegates should be created.
Declare an array of Query operations from a single method.
Indicates a CREST query method on an annotated POJO.
Class that represents the Create Operation type in API descriptor.
Builder to help construct the Read.
Deprecated.
A filter which can be used to select resources, which is compatible with the CREST query filters.
QueryFilter constants.
A query string has the following string representation:
Convenience methods to create QueryFilter that specify fields in terms of JsonPointer instances.
A visitor of QueryFilters, in the style of the visitor design pattern.
A request to search for all JSON resources matching a user specified set of criteria.
A completion handler for consuming the results of a query request.
The final result of a query request returned after all resources matching the request have been returned.
Enum that represents the Query type.
Interface to define the resulting behavior when the session quota is exhausted.
Exposes a range of integer values as a set.
A relative distinguished name (RDN) as defined in RFC 4512 section 2.3 is the name of an entry relative to its immediate superior.
Indicates a CREST read method on an annotated POJO.
Class that represents the Read Operation type in API descriptor.
Builder to help construct the Read.
This interface defines the contract for checking whether an AM service or component is ready to service requests successfully, independent of the state of any 3rd party dependencies.
CHF endpoint that reports AM's readiness, pertaining to the characteristics laid out in the Kubernetes documentation for the readiness probe.
Annotation to mark a JSON Schema property as read-only.
Enum that represents the Schema read policies.
A request to read a single identified JSON resource.
Models a valid realm within OpenAM.
This interface identifies the ServiceComponentConfig as containing configuration that is applied to a realm.
API for looking up realms and determining if they are active or not.
Signals that the realm String used to lookup a realm failed due to it being an invalid realm identifier or the lookup operation failed.
A class to statically obtain Realm instances.
Generates codes of a specified length using a given Alphabet as valid characters.
Class that represents the Reference type in API descriptor.
Builder to help construct the Reference.
Helper that registers one or more ApiDescription instances and provides a means to resolve References.
Deprecated.
Thrown when the result code returned in a Result indicates that the Request could not be processed by the Directory Server because the target entry is located on another server.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
A Header representation of the Referrer HTTP header.
A grant type handler that can obtain an access token using a previously obtained refresh token.
An input parameter-validating utility class using fluent invocation:
A listener interface which is notified whenever a change record cannot be applied to an entry.
A listener interface which is notified whenever LDIF records are skipped, malformed, or fail schema validation.
Indicates that a macaroon has been rejected by a MacaroonVerifier for a reason other than being invalid.
The internet-draft defined Relax Rules control.
Service Discovery Mechanism retrieving information from a replication topology.
The Request element is the top-level element in the XACML context schema.
A request message.
Common attributes of all JSON resource requests.
The base class of all Requests provides methods for querying and manipulating the set of Controls included with a Request.
The type of this request.
This interface defines methods for setting and retrieving attributes and elements associated with a SAML request message used in SAML protocols.
A context for audit information for an incoming request.
Extension filter that will be called before request authorization and after request authorization.
Exposes incoming request cookies.
Java content class for RequestedAuthnContext element declaration.
This interface identifies the requester in an AuthnRequest message.
Provides the ability to terminate an asynchronous LDAP request.
A marker annotation to indicate that the annotated class should be interpreted as an annotated CREST request handler.
Represents the contract with a set of resources.
The Request element is the top-level element in the XACML context schema.
A utility class containing various factory methods for creating and manipulating requests.
This class contains various methods for creating and manipulating requests.
An enumeration whose values represent the different types of request.
A visitor of Requests, in the style of the visitor design pattern.
A visitor of Requests, in the style of the visitor design pattern.
Helper class to assist with the building of requirements.
The reset password stage.
Configuration for the password reset stage.
The Resource element specifies information about the resource to which access is requested by listing a sequence of Attribute elements associated with the resource.
Class that represents the Resource type in API descriptor.
The variant of the annotated type.
Builder to help construct the Resource.
A ResourceAccess encapsulates the logic of required scope selection.
Implementations of this interface will be responsible for maintaining the behaviour of API Version routing.
API Version routing filter which creates a ApiVersionRouterContext which contains the default routing behaviour when the Accept-API-Version header is set on the request.
API Version routing filter which creates a ApiVersionRouterContext which contains the default routing behaviour when the Accept-API-Version header is set on the request.
A Filter supporting the specification of resource API version configuration to be used when a request on a specific endpoint does not contain an Accept-API-Version header.
Handler allowing products to extend behaviour when a request has no resource API version supplied.
Class representing a mapping between a ResourcePath and a Version.
ResourceApiVersionSpecificationFilter.VersionSpecification supporting specification of a request's resource version based on its resource path.
Mechanism supporting specification of a version on the request.
Encapsulates a Strategy to derive attributes to be returned with a particular Entitlement when evaluating Privileges.
The ResourceContent element specifies information about the resource to which access is requested by listing a sequence of Attribute elements associated with the resource.
Extension filter that will be called before a resource is shared, after a resource is shared, before a shared resource is modified and on a resource no longer being shared.
An exception that is thrown during the processing of a JSON resource request.
The Resource element specifies information about the resource to which access is requested by listing a sequence of Attribute elements associated with the resource.
Deprecated.
As of OpenSSO Express 8.0, use ResourceMatch instead as Entitlement has replaced Policy.
The class ResourceMatch defines the results of a resource match with respect to Policy.
Deprecated.
The interface ResourceName provides methods to determine the hierarchy of resource names.
A grant type handler that can obtain an access token using the Resource Owner Password Credentials (ROPC) grant.
A relative path, or URL, to a resource.
Extension filter that will be called before and after resource sets are registered.
A resource, comprising a resource ID, a revision (etag), and its JSON content.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
This class contains methods for creating and manipulating connection factories and connections.
Validates a Request that contains an OAuth 2.0 access token.
Represents a resource set description created by an OAuth2 client (resource server).
The Response message element is used when a response consists of a list of zero or more assertions that satisfy the request.
The Response element is a container of one or more Results issued by a policy decision point.
A response message.
Common response object of all resource responses.
The base class of all Responses provides methods for querying and manipulating the set of Controls included with a Response.
Indicates whether a response can be cached and under what conditions.
An HTTP Framework Exception that can be used by filters/handlers to simplify control-flow inside async call-backs.
Deprecated.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
Provide out-of-the-box, pre-configured Response objects.
A utility class containing various factory methods for creating and manipulating responses.
This class contains various methods for creating and manipulating responses.
Handles the issuing of Tokens for a response type, i.e.
Writes AuthenticationException responses for different media types.
A filter that can be applied to a CREST route in order to enter the restricted token context for a request if it contains a requester token as well as subject token.
Interface defining token creators in the rest-sts.
Parameter state passed to JsonTokenProvider instances.
Defines the contract for token validators deployed in the context of token transformation.
Defines the parameter state which needs to be passed to the RestTokenTransformValidator#validateToken instances.
The Result element is a container of one or more Results issued by an authorization authority.
A Result is used to indicate the status of an operation performed by the server.
An operation result code as defined in RFC 4511 section 4.1.9 is used to indicate the final status of an operation.
Contains equivalent values for the ResultCode values.
ResultHandler is responsible for providing a mechanism of allowing access to the result of an asynchronous operation.
A completion handler for consuming the results of asynchronous tasks.
Configuration for the retrieve email stage.
Stage is responsible for retrieving the email.
Configuration for the retrieve username stage.
Stage is responsible for retrieving the username.
An exception that indicates that a failure may be temporary, and that retrying the same request may be able to succeed in the future.
A Context which has a globally unique ID but no parent.
The root DSE is a DSA-specific Entry (DSE) which is not part of any naming context (or any subtree), and which is uniquely identified by the empty DN.
Singleton class used to manage Root URL providers.
Interface used for getting a context's root url.
To be used when an exception has occurred in a root url provider.
Contains the result of routing to a particular route.
A matcher for evaluating whether a route matches the incoming request.
A utility class that contains methods for creating route matchers.
A utility class that contains methods for creating route matchers.
A router which routes requests based on route matchers.
A router which routes requests based on route predicates.
Represents a URI template string that will be used to match and route incoming requests.
The algorithm which should be used when matching URI templates against request resource names.
Deprecated.
Use RSAEncryptionHandler and AESCBCHMACSHA2ContentEncryptionHandler instead.
Deprecated.
Use RSAEncryptionHandler and AESCBCHMACSHA2ContentEncryptionHandler instead.
Abstract base class for implementations of the RSAES-PKCS1-v1_5 and RSA-OAEP encryption schemes.
Implements a RsaJWK.
The RSA JWK builder.
Holds the other prime factors.
Deprecated.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
A completion handler for consuming runtime exceptions which occur during the execution of asynchronous tasks.
Utility class for creating reactive transports and sockets.
A reactive server socket listens for incoming connections and binds them to a RxSocket.
A transport agnostic reactive socket abstraction.
Factory interface for creating reactive client and server sockets.
Constants used by the SAML2 Client implementation.
Guice module containing bindings for SAML2 client APIs.
Encapsulates the configuration state necessary to produce SAML2 assertions.
Builder used to programmatically create SAML2Config objects.
This interface defines constants common to all SAMLv2 elements.
Constants for SAML2 scripted plugins.
Deprecated, for removal: This API element is subject to removal in a future version.
Since AM 7.3.0; implement use-case specific IDPAdapter implementations instead.
Deprecated, for removal: This API element is subject to removal in a future version.
Since AM 7.3.0; implement use-case specific IDPFinder implementations instead.
This class is an extension point for all SAML related exceptions.
This class is an extension point for invalid usernames in the SAML flow.
The SAML2MetaUtils provides metadata related util methods.
This class contains the currently available options that can control the SAML2 flows.
Called on the way back into the SAML2 Authentication Module by the saml2AuthAssertionConsumer jsp.
Response data from SAML2 IDP, combined here for ease of access.
The SAML2SDKUtils contains utility methods for SAML 2.0 implementation.
Deprecated, for removal: This API element is subject to removal in a future version.
Since AM 7.3.0; implement use-case specific SPAdapter implementations instead.
Initiates SAML2 single sign-on on the service provider side.
An exception type that highlights that an issue has occurred during SAML2 single sign-on.
This interface exposes APIs to allow callers to initiate SAML2 Single Sign-on flows when AM acts as a service provider.
Utility methods for working with SAML2 SSO responses.
This POJO contains information collated during SAML2 response processing.
Enum defining the SAML2 SubjectConfirmation values used in the REST-STS and the TokenGenerationService.
The SAML2Utils contains utility methods for SAML 2.0 implementation.
This is a common class defining some constants common to all SAML elements.
This class is an extension point for all SAML related exceptions.
The marker interface that all the federation plugins should extend from.
This exception is thrown when the request could not be performed due to an error in the sender or in the request.
This exception is thrown when the request could not be performed due to an error at the receiving end.
This class contains some utility methods for processing SAML protocols.
This exception is thrown when the receiver could not process the request because the version was incorrect.
A reactive socket which adds SASL QOP to an underlying reactive socket.
Specify a schema for the element that is being described.
Class that represents the Schema type in API descriptor.
This class defines a data structure that holds information about the components of the LDAP schema.
A builder class for Schema instances.
Schema builders should be used for incremental construction of new schemas.
Allows modifications to be performed on element builders before adding the result to this schema builder.
Interface for schema elements.
The SchemaException is thrown if the error encountered is related to the schema.
Common options for LDAP schemas.
Schema resolvers are included with a set of DecodeOptions in order to allow applications to control how Schema instances are selected when decoding requests and responses.
The class SchemaType defines the types of schema objects, and provides static constants for these schema objects.
This class provides various schema validation policy options for controlling how entries should be validated against the directory schema.
An enumeration of the possible actions which can be performed when a schema validation failure is encountered.
A plugin (or extension point) that evaluates and returns an OAuth2 access token's scope information.
A plugin (or extension point) that allows the OAuth2 provider to customise the set of requested scopes for authorize, access token, refresh token and back channel authorize requests.
Deprecated.
Since 7.2.0.
This interface defines methods to retrieve Identity Providers and context/limitations related to proxying of the request message.
The SCRAM credential data persisted in the server using the representation described in RFC 5803 which is a specialization of RFC 3112.
Server-side callback for obtaining the stored SCRAM credential for a given user and mechanism.
SASL/SCRAM client and server implementations as specified in RFC 5802.
A wrapper class to limit an authentication script's exposure to an AmIdentity object.
A repository to retrieve user information within a scripting module's script.
A wrapper around the Secrets API that allows a simplified interface to access secrets from a scripting context.
This class wraps around an EntitlementInfo object for consumption in scripts.
This class wraps around an EntitlementInfo object for consumption in scripts.
Resolver for getting properties in scripts.
The Search operation is used to request a server to return, subject to access controls and other restrictions, a set of entries matching a complex search criterion.
A Search Result Entry represents an entry found during a Search operation.
A completion handler for consuming the results of a Search operation.
A Search Result Reference represents an area not yet explored during a Search operation.
Thrown when an iteration over a set of search results using a ConnectionEntryReader encounters a SearchResultReference.
A Search operation search scope as defined in RFC 4511 section 4.5.1.2 is used to specify the scope of a Search operation.
Contains equivalent values for the SearchScope values.
Value object that models a secret as a value.
A secret is any piece of data that should be kept confidential.
Provides a uniform way for secrets providers to construct secrets and keys.
An exception that occurred when reading the configuration of the secret API.
Interface for constraints on a secret that must be satisfied for a given Purpose.
Specifies how data retrieved from a SecretStore should be decoded into a secret object.
Elliptic Curve Digital Signature Algorithm (ECDSA) signing and verification.
Signing handler for Edwards Curve DSA (EdDSA) as defined in RFC 8037.
A class of exception arising from use of the secrets API.
An implementation of the SigningHandler which can sign and verify using algorithms from the HMAC family.
A ChoiceValues implementation that fetches the names of all known purposes.
This interface allows AM's modules/components to easily expose which secret IDs they are using.
An exception that occurred when initialising the secret API.
An exception that represents an inability to instantiate a secret object.
Wraps a property format that decodes raw bytes and converts it into a property format for extracting secret keys using some algorithm.
Defines the format of secrets loaded from configuration properties.
Type adapter annotation for giving information about a secret purpose.
A long-lived reference to an active or named secret.
The secret resource used for creating a Secret.
A Secret-based implementation of the SigningHandler which can sign and verify using algorithms from the RSA family.
The top-level API to obtain secrets in AM.
Provides Google SDK credentials from the secrets API.
Provides Secret-based signing and verification code base.
Token handler for creating tokens using a JWT as the store.
Builder pattern object for configuring a SecretsJwtTokenHandler.
An X509ExtendedKeyManager implementation that gets keys and certificates from a SecretsProvider.
A Java security provider that exposes a KeyStore view of a secret store.
Class used to initialise the keystore when it is initialised via the standard Java interfaces.
The secrets provider is used to get hold of active, named or valid secret objects.
A facade around SecretsProvider instances from the realm and global levels that will delegate correctly to the global provider when a secret is not found in the realm, and knows how to resolve secrets for a DefaultingPurpose.
Factory for creating instances of SecretsProviderFacade.
Deprecated.
A class that can provide secret references for a given purpose.
A backend storage mechanism for certain kinds of secrets.
Encapsulates the context in which a secret store is being instantiated.
Provides an implementation of a standard Java TLS X509ExtendedTrustManager that will retrieve trusted certificates from the Secrets API.
Utility methods for dealing with secrets.
SecureAttrs class forms the core api of "Secure Attributes Exchange" (SAE) feature.
Utility Class for Security Answers.
Configuration for the KBA Security Answer Definition Stage.
Stage is responsible for supplying the KBA questions to the user and capturing the answers provided by the user.
Interface to manage security question answer match failures and subsequent lockout.
Configuration for the KBA Security Answer Verification Stage.
Stage is responsible for verifying the answers provided by the user for the KBA questions.
The SecurityAssertion class provides an extension to Assertion class to support ID-WSF ResourceAccessStatement and SessionContextStatement.
A Context containing information about the client performing the request which may be used when performing authorization decisions.
This class has common utility methods.
Denotes self service dependencies.
Defines the bases for which all self service console configuration should be built on.
A Context that indicates the request came from Self-Service.
Determines how to serialize and deserialize macaroons into a string format.
The server-side sort request control as defined in RFC 2891.
The server-side sort response control as defined in RFC 2891.
The ServiceAlreadyExistsException is thrown if the service already exists.
The interface ServiceAttributeValidator should be implemented by the services/applications if validator plugins are required.
A marker interface indicating that the sub-type defines configuration for a Service Component.
The class ServiceConfig provides interfaces to manage the configuration information of a service configuration.
An exception that indicates there was a problem when using the Service Component Config API.
A sub-exception of SMSException for the ServiceConfigValidator.
The class ServiceConfigurationManager provides interfaces to manage the service's configuration data.
Provides self service config instances based on the passed console configuration instance.
This interface provides a means to validate an entire ServiceConfig's attribute values together.
This interface provides a means to validate an entire ServiceConfig's attribute values together.
This interface defines the methods that a Service Discovery consumer should implement if it wishes to be notified of changes in the service.
Maintains a set of Partitions keeping it up to date according to a specific discovery mechanism.
A sub-exception of SMSException for the ServiceConfigValidator.
The class ServiceInstance provides methods to manage service's instance variables.
The ServiceInstanceUpdateHeader class represents ServiceInstanceUpdate element defined in SOAP binding schema.
The ServiceInstanceUpdateHeader.Credential class represents Credential element in ServiceInstanceUpdate element defined in SOAP binding schema.
The interface ServiceListener needs to be implemented by applications in order to receive service data change notifications.
The ServiceManager class provides methods to register/remove services and to list currently registered services.
The ServiceNotFoundException is thrown if the service does not exist.
Class that represents API descriptor's Service Resource definitions.
Builder to help construct the Services.
The class ServiceSchema provides interfaces to manage the schema information of a service.
The class ServiceSchemaManager provides interfaces to manage the service's schema.
An exception that is thrown during an operation on a resource when the server is temporarily unable to handle the request.
General utility class.
A JASPI Servlet API Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response.
An interface for managing attributes across multiple requests from the same user agent.
A SessionContext is a mechanism for maintaining state between components when processing successive requests from the same logical client or end-user.
This class is to handle Session related exceptions.
This class represents the SessionIndex element in SAML protocol schema.
SessionInfo object represents information about an Oauth session.
Interface used for session invalidation notification.
Deprecated.
This class is used in case of session upgrade for copying session properties from the old session into the new one.
Interface used for creating sessions, and for accessing session information.
Implementation of this class gets executed every time when an SSO Session times out (either idle or max timeout).
Deprecated, for removal: This API element is subject to removal in a future version.
This header is no longer supported by browsers.
Processes the Set-Cookie request message header.
Support class for generating Set-Cookie header values.
Contains another set, which it uses as its basic source of data, possibly transforming the data along the way.
This class exists to allow functionality for those Open ID Connect providers which supply their signatures through symmetric key algorithms (e.g.
Provided as an extension point to allow customised transformation of the OATH shared secret attribute.
This class represents all the constants that can be used as keys for storing values in the tree's shared state.
Any component which needs to be shut down should implement this interface and use the function to shut down the component.
Interface used by shutdown managers to allow for thread safe adding and removing of shutdown listeners.
This class defines the shutdown priorities that are consumed by com.sun.identity.common.ShutdownManager.
Utility class for signing and verifying signatures.
Deprecated.
Deprecated.
Deprecated.
A JWS implementation of the Jwt interface.
A base interface for both SignedJwtBuilder and SignedEncryptedJwtBuilder to create Signed JWTs and Signed and Encrypted JWTs.
An implementation of a JwtBuilder that can build a JWT and sign it, resulting in a SignedJwt object.
A nested signed-then-encrypted JWT.
Builder for nested signed-then-encrypted JWT.
The interface for SigningHandlers for all the different signing algorithms.
A key that is used for signing digital signatures.
A service to get the appropriate SigningHandler for a specific Java Cryptographic signing algorithm.
Decrypts a $crypto JSON object value encrypted with the x-simple-encryption type.
Encrypts a JSON value into an x-simple-encryption type $crypto JSON object.
A basic implementation of HttpClientRequest that a script can send over an HttpClient.
A basic implementation of HttpClientResponse that a script can receive from sending a HttpClientRequest over an HttpClient.
Interface to select keys from a key store.
Simple implementation for selecting keys from a provided key store.
The simple paged results request and response control as defined in RFC 2696.
Provides instances of the commons secrets SecretStore without needing references to other secrets.
Validates purpose mappings for the GoogleKeyManagementServiceSecretStore and GoogleSecretManagerSecretStoreProvider.
Abstract node for nodes that always result in the same single outcome.
Provides a static single outcome for nodes with a single outcome.
A marker annotation to indicate that the annotated class should be interpreted as an annotated CREST singleton provider resource.
An implementation interface for resource providers which exposes a single permanent resource instance.
A StableIdResolver that matches a stableId exactly to the purpose for returning only one Secret.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
Defines the ability to send SMS (Short Message Service) and e-mail via a gateway implementation.
The class SMSThreadPool provides interfaces to manage notification thread pools shared by idm and sm.
Callback is invoked when a new snapshot token is created just before requirements are returned to the client.
Represents the configuration for a TokenHandler.
Factory for delivering snapshot token handlers.
This class contains all the constants used by the Soapbinding classes.
The SOAPBindingException class represents a error while processing SOAP request and response.
An SOAPClientException is thrown when there are errors related to JAXRPC and SOAP methods.
An SOAPClientException is thrown when there are errors related to JAXRPC and SOAP methods.
The SOAPFault class represents a SOAP Fault element.
The SOAPFaultDetail class represents the 'Detail' child element of SOAP Fault element.
The SOAPFaultException class represents a SOAP Fault while processing SOAP request.
A sort key which can be used to specify the order in which JSON resources should be included in the results of a query request.
A search result sort key as defined in RFC 2891 is used to specify how search result entries should be ordered.
Comparator derived from a sort key which can be used to compare entries.
This comparator iterates through the provided sortKeys and finds the first comparative difference between the left and right side JsonValues.
Defines possible positions for JsonValue that wraps a null object.
The interface SPAccountMapper is used to identify the local identities that map to the SAML protocol objects such as Assertion, ManageNameIDRequest etc.
The class PartnerAccountMapper is an interface that is implemented to map a partner account to a user account in OpenAM.
This class is used by a service provider (SP) to process the response from an identity provider for the SP's Assertion Consumer Service.
The SPAdapterPlugin provides contracts to perform user specific logics during SAMLv2 protocol processing on the Service Provider side.
Provides helper functions for SP Adapter Script Implementations.
This interface SPAttributeMapper is used to map the SAML Attributes to the local user attributes.
This interface SPAttributeMapper is used to map the SAML Attributes to the local user attributes.
The interface SPAuthnContextMapper.java determines the Authentication Context to be set in the Authentication Request and the Auth Level of an Authentication Context.
Collection of methods for identifying whether a given String corresponds to the UniversalId or Dn of the super or special users.
This interface exposes the key components necessary to establish secure HTTPS connections.
Encapsulates options for configuring SSL based security as well as providing methods for building SSLEngines.
Represents the client authentication policy option.
A reactive socket implementation which adds SSL to an underlying reactive socket.
This SSOException is thrown when there are single sign on token operation error.
This final class SSOProviderImpl implements the SSOProvider interface and provides implementation of the methods to create, destroy, and check the validity of a single sign on token.
The SSOToken class represents a "single sign on"(SSO) token.
The SSOTokenEvent is an interface that represents an SSO token event. The single sign on token event represents a change in SSOToken.
The SSOTokenID is an interface that is used to identify a single sign on token object.
The SSOTokenListener interface needs to be implemented by the applications to receive SSO token events.
This SSOTokenCannotBeObservedException is thrown when calling SSOToken.addSSOTokenListener(SSOTokenListener) on an SSOToken type that does not generate lifecycle events.
SSOTokenManager is the final class that is the mediator between the SSO APIs and SSO providers.
Represents API stability.
Interface for resolving stable ids in a SecretStore.
Represents the configuration for a given progress stage.
Represents some framework error around the use of progress stages and configs.
Stage response represents a response from having invoked a progress stage.
Builder assists with the creation of StageResponse instances.
Requirements builder allows for the definition of a snapshot token callback, which gets invoked just prior to requirements being sent to the client.
Utility class.
The start TLS extended request as defined in RFC 4511.
The start TLS extended result as defined in RFC 4511.
The Statement element is an extension point that allows other assertion-based applications to reuse the SAML assertion framework.
The Statement element is an extension point that allows other assertion-based applications to reuse the SAML assertion framework.
Describes the outcomes for node instances that have static outcomes.
This mechanism only returns the list of servers in its configuration, without checking for availability.
Allows a uniform interface to statistics information in a uniform format.
This class represents the StatusType complex type in SAML protocol schema.
The Status element is a container of one or more Statuses issued by the authorization authority.
The status-code element is a three-digit integer code giving the result of the attempt to understand and satisfy the request.
The first digit of the status-code defines the class of response.
This class represents the StatusCodeType complex type in SAML protocol schema.
The StatusCode element is a container of one or more StatusCodes issued by the authorization authority.
The StatusCode element is a container of one or more StatusCodes issued by the authorization authority.
This class represents the StatusDetailType complex type in SAML protocol schema.
The StatusCode element is a container of one or more Statuses issued by the authorization authority.
The StatusCode element is a container of one or more Statuses issued by the authorization authority.
The Status element is a container of one or more Statuses issued by the authorization authority.
This class represents the StatusMessage element in SAML protocol schema.
The StatusMessage element is a container of one or more StatusMessages issued by the authorization authority.
The StatusMessage element is a container of one or more StatusMessages issued by the authorization authority.
This class represents the StatusResponseType complex type in SAML protocol schema.
Indicates whether the service should operate in stateless or stateful mode.
Utility methods for operating on IO streams.
This class provides a utility method for validating that a String is either an arbitrary string without any ":" characters or, if the String does contain a ":" character, that the String is a valid URI.
Common utility methods for Strings.
Indicates that a method contains rich sub-configuration(s) of the parent configuration (or sub-configuration).
The sub-entries request control as defined in RFC 3672.
Deprecated.
The Subject element specifies one or more subjects.
The Subject specifies the principal that is the subject of all of the statements in the assertion.
The Subject element specifies information about a subject of the Request context by listing a sequence of Attribute elements associated with the subject.
The SubjectConfirmation element specifies a subject by specifying data that authenticates the subject.
The SubjectConfirmation provides the means for a relying party to verify the correspondence of the subject of the assertion with the party with whom the relying party is communicating.
The SubjectConfirmationData specifies additional data that allows the subject to be confirmed or constrains the circumstances under which the act of subject confirmation can take place.
Class to represent EntitlementSubject evaluation match result and - if applicable - its advices.
The Subject element specifies information about a subject of the Request context by listing a sequence of Attribute elements associated with the subject.
The SubjectLocality element specifies the DNS domain name and IP address for the system entity that performed the authentication.
The SubjectLocality element specifies the DNS domain name and IP address for the system entity that performed the authentication.
Defines the concerns of providing the Subject to be included in the generated SAML2 assertion.
This class represents the SubjectQueryAbstractType complex type.
The SubjectStatement element is an extension point that allows other assertion-based applications to reuse the SAML assertion framework.
Deprecated.
As of OpenSSO Express 8.0, use EntitlementSubject instead as Entitlement has replaced Policy.
Sub-resources of a resource are declared here.
Builder to help construct the SubResources.
Utility methods to validate Subscriptions in the various onSubscribe calls.
A SubstitutionContext holds both runtime and config time values for the substitution process.
Exception thrown during substitution process.
Substitute tokens in the source String with their resolved value.
This visitor evaluates Templates with the help of a PropertyResolver.
The tree delete request control as defined in draft-armijo-ldap-treedelete.
An RFC 3672 subtree specification.
A refinement which uses a search filter.
Abstract interface for RFC3672 specification filter refinements.
A Supplier functional interface which can throw a checked Exception.
This annotation marks AM APIs that are considered stable and should not change in minor releases (except possibly when a security fix requires such change).
This annotation marks AM APIs that are considered stable and should not change in minor releases (except possibly when a security fix requires such change).
Enumerates all supported elliptic curve parameters for ESXXX signature formats.
Suspended text output callback extends TextOutputCallback to allow a custom message to be displayed to the user whilst informing the client that the current auth flow has been suspended.
This handler interface allows authentication nodes to suspend authentication and send a unique ID out of band to the end-user.
A reactive socket implementation which delegates to a replaceable delegate reactive socket.
An interface for implementing synchronous RequestHandlers.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
This class defines a data structure for storing and interacting with LDAP syntaxes, which constrain the structure of attribute values stored in an LDAP directory, and determine the representation of attribute and assertion values transferred in the LDAP protocol.
A fluent API for incrementally constructing syntaxes.
This interface defines the set of methods and structures that must be implemented to define a new attribute syntax.
This class provides functionality that allows single-point-of-access to all related system properties.
A SystemPropertyResolver resolves a config token using system properties.
Represents a templated string.
A template parser receives a string input source, tokenizes it (honoring escaping settings) and builds a Template that can be processed later on.
A TemplateVisitor represents an operation applied to a Template.
An annotation which tags a configuration method as representing a large body of text which requires a larger input.
Audit filter for capturing details about the things endpoint responses.
ThingsResource handles REST calls made to the things endpoint.
This thread pool maintains a number of threads that run the tasks from a task queue one by one.
A secret store that wraps another secret store and performs all query operations in a background thread using a thread pool.
Common utility methods for Threads.
Thrown when the result code returned in a Result indicates that the Request was aborted because it did not complete in the required time out period.
Invokes TimeoutScheduler.TimeoutEventListener at a regular interval.
Listener on timeout events.
Annotation to define JSON Schema property's title.
A simple domain value responsible for modelling a Core Token Service Token.
Models an OAuth2 token.
Describes the ability to convert from one type of object into a Token and the reverse operation of converting from a Token into the object of type T.
Responsible for selecting the appropriate algorithm for dealing with Token binary objects prior to them being stored in the data store.
Responsible for handling the encoding and decoding of the binary object format the CTS Token.
An instance of this exception is thrown for errors encountered during token creation.
Is responsible for deleting expired tokens and performing any post-processing.
Creates a Token object that can then be stored into the CTS.
Describes a collection of filters which can be applied to the CTS query function as part of a complex query.
Allows the assembly of TokenFilter instances for use with the CTSPersistentStore and other uses of the generic data layer.
Responsible for the validation, generation and parsing of tokens used for keying a JsonValue representative of some state.
An exception generated by a TokenHandler on either creation, validation, or state extraction.
An interface for objects that can generate an identifier for a token if the existing one is null.
An AccessTokenResolver which is RFC 7662 compliant.
Describes the possible modifications that can be applied as part of the CTSPersistentStore patch operation.
Contains equivalent values for the ModificationType values.
Adapts the token to some activity against the connection type.
Responsible for capturing the reason why a Token Blob Strategy failed.
Responsible for defining the available token types in the Core Token Service.
Provides an extensible means of identifying a to-be-validated or to-be-provided token type.
An instance of this exception is thrown for all errors related to token validation.
A Header representation of the Trailer HTTP response header.
TransactionId value should be unique per request coming from an external agent so that all events occurring in response to the same external stimulus can be tied together.
This context aims to hold the TransactionId.
Processes the transactionId header used mainly for audit purposes.
This filter is responsible to create the TransactionIdContext in the context's chain.
This filter aims to create a sub-transaction's id and inserts that value as a header of the request.
A reactive socket which wraps an underlying downstream reactive socket, providing opportunities to transform transferred data or provide additional functionality.
Signals that an error occurred while transforming an API Description to another format.
Iterates over each JsonValue node in the JsonValue structure and, if it is a String marked for translation, replaces the String with a LocalizableString.
A representation of the context of the current tree authentication process.
A TreeHook encapsulates some functionality that should be executed at the end of a tree, after authentication.
Annotation that describes the metadata of the node.
An implementation of the Entry interface which uses a TreeMap for storing attributes.
Meta data API to expose data concerning the evaluating tree, to nodes who care for that data.
A trusted JWT issuer for use in validating a JWT bearer grant.
This class contains methods for creating common types of trust manager.
An exception that occurred when a secret reference is not available.
The Unbind operation allows a client to terminate an LDAP session.
An exception that indicates that a failure is not directly known to the system, and hence requires out-of-band knowledge or enhancements to determine if a failure should be categorized as temporary or permanent.
Annotation to mark a JSON Schema array-items as unique.
Represents a reference to an identity that is managed by AM.
Wraps a message that the LdapServer was unable to decode because it did not recognize it.
Exception thrown when a transport implementation can't be found.
Thrown when a schema query fails because the requested schema element could not be found or is ambiguous.
A marker interface for tagging collection implementations as read-only.
Indicates that the JWT had critical headers that were not recognized by the JWT library and not implemented by the application.
Indicates a 415 Unsupported Media Type response that the Content-Type of the request was not acceptable.
Indicates a CREST update method on an annotated POJO.
Class that represents the Create Operation type in API descriptor.
Builder to help construct Update.
A request to update a JSON resource by replacing its existing content with new content.
This class is an extension point for all Upgrade related exceptions.
This class contains utilities to upgrade the service schema configuration to be compatible with OpenAM.
A Context which is created when a request has been routed.
Ease UriRouterContext construction.
Utility class for performing operations on universal resource identifiers.
The UsageDirectiveHeader class represents 'UsageDirective' element defined in SOAP binding schema.
Generator for OAuth2 User Codes.
Configuration for the user details stage.
Stage is responsible for requesting a new user JSON representation.
An application implements a UserIDGenerator interface and registers itself to the Core Authentication service so that authentication modules can retrieve a list of auto-generated user IDs.
Each instance will return the user subject that identifies a user on an auth server as well as the entire raw profile that was retrieved when making a request to the user info endpoint.
Simple bean that contains the values of claims, and the scopes that provisioned them (if any).
A plugin or (extension point) that fetches the resource owners information based on an issued access token.
Deprecated.
This class is for handling Exception that is thrown when the user name password validation plugin is failed or any invalid characters detected in user name.
An encoded user password that contains a storage scheme and an encoded value.
Configuration for the user query stage.
Stage is responsible for querying the underlying service for a user based on the supplied query fields.
Configuration for the user registration stage.
Represents user registration console configuration.
Stage is responsible for registering the user supplied data using the underlying service.
A RequestHandler that proxies user requests to update the user's KBA answers.
This class contains utility methods.
This class provides utility methods to share common behaviour.
This class provides utility functions.
Deprecated.
Use Strings, Closeables, Objects or Threads instead.
Configuration for the validate active account stage.
Stage is responsible for validating account status.
API Descriptor model-validation utilities.
A long-lived reference to a number of secrets.
Deprecated.
As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
Cipher implementation for the Hashicorp Vault transit backend.
Encapsulates the common configuration required for Hashicorp Vault secret backends.
Builder object for Vault configuration settings.
A secret store that can fetch fresh database credentials from the Vault Database secret engine.
A secret store that fetches secrets from a Hashicorp Vault server, using version 2 of the key-value backend.
Standard implementations of VaultKeyValueSecretStore.SecretFieldDecoder for common fields.
Determines how a field in the Vault JSON response should be decoded into one or more fields on a SecretBuilder object.
Provides HMAC support using the Hashicorp Vault transit backend.
HMAC-SHA-224.
HMAC-SHA-256.
HMAC-SHA-384.
HMAC-SHA-512.
A secret store that is able to retrieve PKI certificates and private keys from the Hashicorp Vault PKI backend.
Provides signature support using the Hashicorp Vault transit backend.
ECDSA with SHA-256.
ECDSA with SHA-384.
ECDSA with SHA-512.
Ed25519.
Generic RSA with PSS padding.
RSA with SHA-256 and PKCS#1 v1.5 padding.
RSA with SHA-384 and PKCS#1 v1.5 padding.
RSA with SHA-512 and PKCS#1 v1.5 padding.
RSA with SHA-256 and PSS padding.
RSA with SHA-384 and PSS padding.
RSA with SHA-512 and PSS padding.
Cryptographic provider that delegates cryptographic operations to the Hashicorp Vault transit backend.
Implements a store for cryptographic keys based on Vault's transit engine, which implements cryptography as a service.
A key used for verifying digital signatures.
Configuration for the email account verification stage.
Having retrieved the email address from the context or in response to the initial requirements, verifies the validity of the email address with the user who submitted the requirements via an email flow.
Represents some version in the form majorNumber.minorNumber, for instance 2.4.
Class that represents versioned Resources on an API descriptor path.
Builder to help construct the VersionedPath.
The virtual list view request control as defined in draft-ietf-ldapext-ldapv3-vlv.
The virtual list view response control as defined in draft-ietf-ldapext-ldapv3-vlv.
This annotation doesn't actually do anything, other than provide documentation of the fact that a function has either been marked public, or package private in order for a test (somewhere physically distant in the system) to compile.
Processes the Warning message header.
XMLParser provides a way for applications to handle a hook into applications and applications and its server.
This class creates JWKOpenIdResolverImpl's from a supplied well-known open id configuration url.
The who am I extended request as defined in RFC 4532.
The who am I extended result as defined in RFC 4532.
Extension for CREST and OpenAPI schemas to express an example value.
Enum that represents the Schema write policies.
This class is an extension point for all WS-Federation related exceptions.
A Header representation of the WWW-Authenticate HTTP header.
A single WWW-Authenticate challenge.
A class for building X509 certificates as described in RFC 5280.
An enumeration of extended key usages.
An enumeration of key usages.
The XACMLAuthzDecisionQuery element is a SAML Query that extends SAML Protocol schema type RequestAbstractType.
The XACMLAuthzDecisionQueryImpl is an implementation of the XACMLAuthzDecisionQuery interface.
XACMLAuthzDecisionStatement is an extension of samlp:StatementAbstractType that is carried in a SAML Assertion to convey xacml-context:Response Schema:
This interface defines constants common to all XACML elements.
This class is an extension point for all XACML related exceptions.
This class provides methods to send or process AttributeQuery.
This class provides the public API to process XACML context Request.
The XACMLSDKUtils contains utility methods for XACML 2.0 implementation.
Utilities for handling XEC keys for X25519 and X448 ECDH key agreement.
Processes the X-Forwarded-For message header.
This is a custom XML handler to load the DTDs from the classpath. This should be used by all the XML parsing document builders to set the default entity resolvers.
Common super-interface for all SAML elements that can be serialized into XML.
Utility classes for handling XML.