All Classes and Interfaces
Class
Description
An abstract connection whose synchronous methods are implemented in terms of asynchronous methods.
Abstract AuditEvents base class providing audit events lookup support.
Abstract Filter base class providing policy condition advice support.
An abstract base class from which connection wrappers may be easily implemented.
A base implementation of the Context interface.
This class provides a logger for decorators, according to the pattern: <decoratorClassname>.<decoratorName>.<decoratedObjectName>.
Deprecated.
Deprecated. in 7.1, use AbstractDecorator as a replacement along with the class service/factory.
A base implementation for all JwtBuilders that provides the basis of the JWT builder methods.
Deprecated. RequestHandler now has default methods which implement the not-supported behavior.
An abstract base class for implementing routers.
The base class for both the filter and handler heaplet implementations.
A scriptable heap object acts as a simple wrapper around the scripting engine.
Creates and initializes a scriptable heap object in a heap environment.
Base TypeDefinitionProvider for any scriptable components.
An abstract SetCookieHeader class for SetCookieHeader and SetCookie2Header.
Processes the Accept-API-Version message header.
A header class representing the Accept-Language HTTP header.
Builder for audit access events.
The status of the access request.
Represents an exception whilst retrieving an OAuth2 access token.
Represents an OAuth2 Access Token.
Resolves a given token against a dedicated OAuth2 Identity Provider (OpenAM, Google, Facebook, ...).
A secret store that can obtain access tokens from an OAuth 2 provider.
Builder object for the access token secret store.
A Runnable functional interface which can throw a checked Exception.
An implementation specific action, or operation, upon a JSON resource.
Response object for JSON responses.
Builder for audit activity events.
Configuration class for the Identity Gateway Administration.
A Context containing information which should be returned to the user in some appropriate form to the user.
WarningHeader implements RFC 2616 section 14.46 - Warning.
Provides JWE key encapsulation using the AES KeyWrap algorithm.
The interface for each possible algorithm that can be used to sign and/or encrypt a JWT.
This filter authorizes a request to continue processing if any of the declared rules is satisfied (logical or).
Creates an AllowOnlyFilter in a Heap environment.
Represents a link to AM notification service.
A supplier of AM Link.
A supplier of Resilient AM Link.
Represent a listener willing to be notified upon AmLink events.
Represent a listener capable of handling reopening signals.
Creates a configuration class for AM.
Builder of AmService.
A pre-builder class used to discover AM details such as its version and expected cookie name.
This heaplet represents an instance of an AmService that can be shared amongst AM related filters such as the SingleSignOnFilter and the PolicyEnforcementFilter.
Provide AmServiceHeaplet's TypeDefinition.
This filter will track the AM sessions (stateless or stateful) and will revoke them if their idle timeout goes over a defined limit.
This class is responsible for creating the AmSessionIdleTimeoutFilter heap object.
Provide AmSessionIdleTimeoutFilter's TypeDefinition.
Normalized AM version.
A producer of API Descriptions.
This filter overrides the protocol version in Accept-Api-Version header.
A Context which is created when a request is and has been routed based on resource API version.
Utility methods to work with CHF Applications.
A utility class for dealing with CrestApplication instances.
Resolves native arrays of objects.
Register all the aliases supported by the openig-identity-assertion module.
Conditionally assigns values to expressions before and after the request is handled.
Creates and initializes an assignment filter in a heap environment.
An asynchronous Function which returns a result at some point in the future.
Collection of AsyncFunction utilities.
A Text Writer which writes log records asynchronously to character-based stream.
This utility class supports a lock-downgrading strategy to make sure that 2 concurrent calls to compute the "cached" value will result in a single computation.
A session manager is responsible to create/save a new type of Session.
An AttributesContext is a mechanism for transferring transient state between components when processing a single request.
Denotes audit dependencies.
Represents an audit event.
Root builder for all audit events.
The interface for an AuditEventHandler.
Abstract AuditEventHandler class.
Factory interface for creating instances of AuditEventHandler.
Helper methods for AuditEvents.
Audit events interface.
Stores the state of the details sent to AuditEventHandler.publishEvent(Context, String, JsonValue).
Root class of all exceptions in the Commons Audit Framework.
A Context used when auditing over the router.
Utility class to facilitate creation and configuration of audit service and audit event handlers through JSON.
CREST RequestHandler responsible for storing and retrieving audit events.
Builder for AuditService.
Configuration of the audit service.
Creates and initializes an AuditService in a heap environment.
AuditService proxy that allows products to implement threadsafe hot-swappable configuration updates.
General utilities for commons audit.
Builder for audit authentication events.
Defines a fixed set of authentication statuses that can be logged.
Represents an authentication error or failure.
Asynchronous AM authentication service delivering SsoToken.
Provides an implementation of the AuthenticationService using an Authenticator plugin.
A handler that can send an authorization code and optional PKCE verifier to the token endpoint to receive an access token.
A header class representing the Authorization HTTP header.
A factory for creating AuthorizationHeader instances.
Used by the FragmentFilter and the DataPreservationFilter to know if a filter has attempted an impending IG redirection.
Restart an AmLink automatically upon disconnection.
A helper class to ease readability.
An exception that is thrown during an operation on a resource when the requested operation is malformed.
Provides RFC 4648 / RFC 2045 compatible Base64 encoding and decoding.
A Base64EncodedSecretStore stores secret values (such as password or simple shared secrets) in a base64-encoded form in memory.
Creates and initializes a Base64EncodedSecretStore in a heap environment.
Provide the Base64EncodedSecretStore's TypeDefinition.
A SecretPropertyFormat for a BASE64 format.
Makes use of the Base64 class to encode and decode to and from URL-safe Base64.
Configuration class for the Identity Gateway Administration.
A base implementation of QueryFilterVisitor where all methods throw an UnsupportedOperationException by default - override just the methods you need.
Creates and initializes a baseUri in a heap environment.
A factory for the BaseUriDecorator.
Utility to help with baseUri expressions.
A rich representation of basic credentials.
Implementation is responsible for being able to build up a batch payload and to publish that payload.
Indicates failure during a batch operation.
Implementations of BatchPublisher are able to consume multiple audit events and build batches out of them.
Batch publisher factory provides new instances of BatchPublisher.
Basic batch publisher factory implementation.
Resolves Java Beans objects.
A rich representation of bearer credentials.
A BiFunction functional interface which can throw a checked Exception.
Utils to complement bit operations not covered by the BigInteger functions.
Bindings represents the Expression bindings used during evaluation and assignation.
This class can be used for filtering string elements by using blacklists and/or whitelists.
An input stream that can branch into separate input streams to perform divergent reads.
A dynamically growing data buffer.
Buffers audit events to a bounded queue, periodically flushing the queue to a provided BatchConsumer.
Builder used to construct a new BufferedBatchPublisher.
Provide a TypeDefinitionProvider for CacheAccessTokenResolver.
A CREST Filter that caches policy decisions.
Create a CacheSessionService which is responsible to manage the cache for the SessionInfo.
Create a CacheUserProfileService which is responsible for managing the UserProfile cache.
A CachingAccessTokenResolver is a delegating AccessTokenResolver that uses a write-through cache to enable fast AccessTokenInfo resolution.
A CaffeineCacheAccessTokenResolver is a delegating AccessTokenResolver that uses a write-through Caffeine cache to enable fast AccessTokenInfo resolution.
Builder of CaffeineCacheAccessTokenResolver.
Creates and initializes a CaffeineCacheAccessTokenResolver in the heap environment.
Utility class for Caffeine-related workarounds.
Creates and initializes a CaptureDecorator in a heap environment.
A CapturedUserPasswordContext to store the user's decrypted password.
The CapturedUserPasswordFilter is responsible for retrieving the user password from AM and to decrypt it.
Creates and initializes the filter in a heap environment.
A factory for the CaptureDecorator.
Specify where the message capture takes place.
An implementation of a map whose keys are case-insensitive strings.
An implementation of a set whose values are case-insensitive strings.
This filter handles any condition advices returned from AM during a policy evaluation, which one will depend on the policy.
Context implementation to maintain cross-domain SSO properties.
Context implementation to hold error details, should an error occur during cross-domain SSO authentication.
A filter that evaluates a required EL expression to establish the client certificate from both context and request, then calculates the thumbprint for that certificate (sha-256 hash and base64 url encoding) before storing it in the attributes context for later retrieval in downstream components.
Creates and initializes a certificate thumbprint filter in a heap environment.
A key used for verifying certificate signatures.
Allow to build a chain of filters as one filter.
A chain of zero or more filters and one handler.
Provide the HTTP Filter's Chain TypeDefinition.
Transforms a Flowable of CharBuffer into a Flowable of String, by splitting on EOL chars ('\r' and '\n').
A CharsetDecoderFlowableTransformer decodes bytes from a stream of ByteBuffer into a stream of CharBuffer using the given Charset.
Just enough of a HttpServletRequest wrapper around a CHF Request to keep the AM SAML2 components happy.
Just enough of a HttpServletResponse wrapper around a CHF Response to keep the AM SAML2 components happy.
Filter implementing the Circuit Breaker pattern to avoid cascading failures.
The Heaplet used to create a CircuitBreakerFilter heap object.
The TypeDefinitionProvider of the CircuitBreakerFilter.
This interface has to be implemented by each Identity Gateway module that wants to register new class aliases.
An HTTP client which forwards requests to a wrapped Handler.
Represents a ClientAuthenticationException when the client fails to authenticate.
Client context gives easy access to client-related information that is available in the request.
Builder for creating ClientContext instances.
Verifies a certificate thumbprint by computing a digest of the client certificate (found in ClientContext) and comparing the result with the base64-url-encoded value provided within the confirmation key node.
A grant type handler that can retrieve an access token using the client_credentials grant type.
Creates and initializes a Filter supporting the transformation of client credentials to an access_token.
The TypeDefinitionProvider of the ClientCredentialsOAuth2ClientFilterHeaplet.
Creates and initializes a ClientHandler in a heap environment.
Provide ClientHandler's TypeDefinition.
A configuration for an OpenID Connect Provider.
Creates and initializes a Client Registration object in a heap environment.
The client registration filter is the way to dynamically register an OpenID Connect Relying Party with the End-User's OpenID Provider.
Strategy supporting different client registration mechanisms.
Deprecated. since 26.2.
Heaplet supporting creation of a client-secret-basic authentication Filter.
A Filter implementation to add the credentials to request body for authenticating as per the OAuth 2.0 Authorization Framework specification.
Heaplet supporting creation of a client-secret-post authentication Filter.
Extension to TlsOptions to support changing the behaviour of how hostname verification is enforced.
Creates and initializes client-side TLS options in a heap environment.
Provide ClientTlsOptionsHeaplet's TypeDefinition.
Common utility methods for Closeables.
AsyncFunction that silently closes an input-parameter after a delegate-function's AsyncFunction.apply(Object) is completed.
Function that silently closes an input-parameter after a delegate-function's Function.apply(Object) is invoked.
An implementation interface for resource providers which exposes a collection of resource instances.
This class stores the common audit logging batch process configurations.
Expose Caffeine's StatsCounter in our own MeterRegistry.
An Enum of the possible compression algorithms that can be applied to the JWE payload plaintext.
The interface for CompressionHandlers for all the different compression algorithms.
A service to get the appropriate CompressionHandler for a specified Compression algorithm.
This filter conditionally executes a delegate Filter given the result of a 'condition' function.
Creates a ConditionalFilter into a Heap environment.
A ConditionEnforcementFilter makes sure that the handled Request verifies a condition.
Creates and initializes a ConditionEnforcementFilter in a heap environment.
Builder for audit config events.
A ConfirmationKeyVerifier is responsible to verify a confirmation key node.
A ConfirmationKeyVerifierAccessTokenResolver is responsible for validating confirmation keys bound to the access_token (such as certificate thumbprint).
Creates and initializes a Confirmation Key Verifier access_token resolver in the heap environment.
An exception that is thrown during an operation on a resource when such an operation would result in a conflict.
A client connection to a JSON resource provider over which read and update requests may be performed.
Describes if the event is a connection event or a disconnection event.
A connection factory provides an interface for obtaining a connection to a JSON resource provider.
Processes the Connection message header.
Constraints defined for JWT validation.
A Consumer functional interface which can throw a checked Exception.
Processes the Content-API-Version message header.
Processes the Content-Encoding message header.
Processes the Content-Length message header.
Processes the Content-Type message header.
A decoration Context is a way to provide the decorator(s) all of the available information about the instance to decorate.
Type-safe contextual information associated with the processing of a request in an application.
An HTTP cookie.
Indicates the SameSite value of the cookie.
An implementation of AsyncSessionManager storing sessions in memory.
Suppresses, relays and manages cookies.
Action to be performed for a cookie.
Creates and initializes a cookie filter in a heap environment.
Processes the Cookie request message header.
Register all the aliases supported by the openig-core module.
Core default declarations to add in Heap.
This filter implements the resource processing of the CORS protocol.
A CorsFilterHeaplet configures a CorsFilter in a heap environment.
The CORS policy is responsible to handle both actual and preflight CORS requests and set the appropriate set of response headers based on its own configuration.
Builder for CorsPolicy instances.
A CorsPolicyProvider allows the CorsFilter to lookup its configuration at runtime, also based on contextual information.
An enum of count policy types.
A specific exception for when Create is not supported, but Upsert might be being attempted so distinguish from other BadRequestExceptions.
A request to create a new JSON resource.
Credential pair implementation.
This interface is used to parse the credentials component of an Authorization HTTP header.
Declare a CREST Application.
A CREST HTTP utility class which creates instances of the HttpAdapter to handle CREST HTTP requests.
The CrestSessionService is responsible for performing interactions with the AM sessions endpoint.
Builder of the CrestSessionService.
The CrestUserProfileService is responsible for interactions with AM users endpoint using resource version 3.0; since AM v13.
CREST utility class.
This filter verifies the presence of a JWT authentication token in the configured cookie name:
If the JWT is present then its validity is checked and the request is forwarded to the next handler.
If the JWT is not present, then the user-agent is redirected to Access Management via its OAuth2
authorization endpoint, to obtain user authentication.
Creates and initialises an authentication filter in a heap environment.
Constants for Crypto Algorithms and Json Crypto Json pointer keys.
Base class for all secrets that are used as keys for cryptographic operations.
A generic filter for preventing cross-site request forgery (CSRF) attacks when using cookie-based authentication.
Builder class for the CSRF filter.
Creates and initializes a CsrfFilter supporting the injection and validation of an anti-CSRF token in the request header.
Handles AuditEvents by writing them to a CSV file.
A configuration for CSV audit event handler.
Contains the csv writer configuration parameters.
Contains the configuration parameters to configure tamper evident logging.
Configuration of event buffering.
Command line interface for verifying an archived set of tamper evident CSV audit log files for a particular topic.
A ProxyOptions representing custom proxy settings.
Creates and initializes a CustomProxyOptions in a heap environment.
Provide the CustomProxyOptions's TypeDefinition.
A key that is used for decrypting confidential data.
A key that is used for encrypting confidential data.
The DataPreservationFilter supports preserving POSTed data from a request that triggers a login redirect.
Create a DataPreservationFilter heap object.
A TypeDefinitionProvider for DataPreservationFilter.
This filter inserts a Date header into the response if it is not present.
Creates and initializes a DateHeaderFilter in a heap environment.
Decodes an HTTP message entity input stream.
A DecorationHandle is a handle to get the decorated object and to be able to notify the decoration to stop.
A Decorator is responsible for decorating existing object's instances.
A base class for decorator heaplets.
Marker interface for all key types that can be used for decryption.
This interface has to be implemented by each Identity Gateway module that wants to register new default heaplet declaration to put in the Gateway heap.
A Heaplet declaration definition.
Reify the normal environment structure with pre-configured shortcuts.
Default implementation of KeyStoreHandlerProvider.
Default implementation of LocalHostNameProvider using InetAddress to lookup host name of local host.
A DefaultRateThrottlingPolicy is a delegating ThrottlingPolicy that ensures the returned ThrottlingRate is never null.
Creates and initializes a DefaultRateThrottlingPolicy in a heap environment.
Default implementation of ScriptFactoryManager supporting dynamic registration and un-registration of ScriptFactory.
Default implementation of SecureStorageProvider.
The default routing behaviour to use when no Accept-API-Version is set on the request.
An implementation of the CompressionHandler for DEFLATE Compressed Data Format Specification.
This heaplet aims to be a placeholder so you can decorate the delegate object with any decorators.
Provide the Delegate's TypeDefinition.
A route matcher that delegates to a provided route matcher.
A request to delete a JSON resource.
Configuration wrapper for JMS DeliveryMode persistence constants.
An interface for a simple dependency provider.
AuditEventFactory capable of performing construction injection by resolving dependencies using a DependencyProvider.
Base DependencyProvider that provides no dependencies.
Utility methods for reading and writing DER-encoded values.
A routing component (a CHF Handler or CREST RequestHandler) can describe its API by implementing this interface.
Interface for listener instances.
A handler that both handles Requests, and also supports querying for API Descriptors.
An HttpApplication that produces OpenAPI API Descriptors.
Version of SynchronousRequestHandlerAdapter that exposes a described handler.
Manage the WebSocketAdapter and run subscribe and unsubscribe operations on it.
Supports direct encryption using a shared symmetric key.
Represents the name/value pair of a HTTP header directives.
High-level interface to the WatchService API for detecting filesystem change events.
A Collection decorator that notifies the provided DirtyListener when one or more elements are removed.
An Iterator decorator that notifies the provided DirtyListener when one element is removed.
Enable observers to be notified when one or more elements are removed from a Map.
A Set decorator that notifies the provided DirtyListener when one or more elements are removed.
The different behaviours that can be applied in case of notifications disconnections.
Represents an exception whilst performing OpenID discovery.
In order for an OpenID Connect Relying Party to utilize OpenID Connect services for an End-User, the RP needs to know where the OpenID Provider is.
A RetentionPolicy that will retain/delete log files based off the total disk space used.
Dispatches to one of a list of handlers.
Creates and initializes a dispatch handler in a heap environment.
Provide DispatchHandler's TypeDefinition.
Represents a duration in English.
Implements Elliptic Curve Diffie-Hellman (ECDH) key agreement in ephemeral-static (ECDH-ES) mode.
Deprecated. Use SecretECDSASigningHandler instead.
This class implements an Elliptical Curve Json Web Key storage and manipulation class.
EC JWK builder.
Deprecated. Use SecretEdDSASigningHandler instead.
AuditEventHandler for Elasticsearch.
A configuration for Elasticsearch audit event handler.
Configuration of connection to Elasticsearch.
Configuration of event buffering.
Configuration of index mapping.
Utilities for working with Elasticsearch.
Encapsulates common functionality for JWKs that represent elliptic curve keys: EcJWK and OkpJWK.
A JWE implementation of the Jwt interface.
An implementation of a JwtBuilder that can build a JWT and encrypt it, resulting in an EncryptedJwt object.
Support for JWT encryption, both asymmetric and symmetric (authenticated encryption) are supported.
A Filter implementation to add the client credentials to request as signed then encrypted private key jwt as per the OpenID Connect Client Authentication specification.
Builder class for creating the Encrypted PrivateKey Jwt ClientAuthentication Filter.
Heaplet supporting creation of an encrypted private-key-jwt authentication Filter.
An implementation of a JWS with a nested JWE as its payload.
An implementation of a JwtBuilder that can build a JWT and encrypt it and nest it within another signed JWT, resulting in a SignedEncryptedJwt object.
An implementation of a JWS Header builder that provides a fluent builder pattern to create JWS headers for signed encrypted JWTs.
The interface for EncryptionHandlers for all the different encryption algorithms.
Marker interface for all key types that can be used for encryption.
A service to get the appropriate EncryptionHandler for a specified Java Cryptographic encryption algorithm.
An Enum of the possible encryption methods that can be used when encrypting a JWT.
Registry for Identity Gateway REST API endpoints.
Handle for un-registering an endpoint.
Message content.
Extracts regular expression patterns from a message entity.
Creates and initializes an entity extract handler in a heap environment.
Utility class for accessing Java enum types.
Provides an EnumValueOfHelper.valueOf(String) method as a replacement for the implicitly declared enum function valueOf(String), which has the advantage of not throwing exceptions when the name argument is null or cannot be found in the enum's values.
Encapsulate logic to access configuration files and other directories of the IG base directory.
The root Heap that includes access to the environment additional information.
An ELContext node plugin that provides read-only access to environment variables.
Base class for audit event handler configuration.
Encapsulates meta-data for event topics.
Builder for EventTopicsMetaData.
A completion handler for consuming exceptions which occur during the execution of asynchronous tasks.
This Filter executes all CREST operations in an executor, effectively running the rest of the chain in another thread.
Responsible for generating ExecutorService instances which are automatically wired up to shutdown when the ShutdownListener event triggers.
An exception generated by a TokenHandler on extraction when the token is expired.
A Unified Expression Language expression.
An exception that is thrown during expression operations.
A wrapper of the Instant plus/minus functions for use in expressions.
A plugin that contributes a node to the Expression context tree.
Resolves Bindings-based tokens using COMMONS Config PropertyResolver.
This is an implementation of the AsyncFunction based on the evaluation of an Expression.
Utility class for evaluating expression in some collections.
Defines the standard Syslog message facilities.
A factory interface.
Wraps an existing InputStream, supporting a failed state that is checked before and after each operation.
Unable to load the JWK/x5u location points.
Context implementation to hold error information regarding failures.
A FapiInteractionIdFilter is responsible to manage the FapiInteractionIdFilter.FAPI_INTERACTION_ID header value.
Creates and initializes a fapi interaction-id filter in a heap environment.
Retrieves and exposes a record from a delimiter-separated file.
Creates and initializes a separated values file attribute provider in a heap environment.
Configures time based or size based log file rotation.
Groups the file retention config parameters.
Groups the file rotation config parameters.
A BranchingInputStream for reading from files.
Utility class for filename related methods.
An interface to declare the names of audit log files.
A FileResourceSet is able to give access to file-based content within the scope of the root directory.
A SecretStore that reads secrets from a directory with the expectation that each file contains a separate secret.
A builder for more fluently creating a FileSystemSecretStore.
This heaplet represents an instance of a PropertyResolverSecretStore resolving properties from files in a directory.
Provide the FileSystemSecretStoreHeaplet's TypeDefinition.
Interface that represents an audit filter.
Filters the request and/or response of an HTTP exchange.
An interface for implementing request handler filters.
Builds a Filter for a given set of FilterPolicy.
A chain of filters terminated by a target request handler.
A condition which controls whether or not a filter will be invoked or not.
Represents a FilterPolicy which contains the includeIf and excludeIf values for the filter.
Utility methods for creating common types of filters.
This class contains methods for creating various kinds of Filter and FilterConditions.
An implementation of the ThrottlingPolicy that always returns the same throttling rate.
Rotates audit files at fixed times throughout the day.
Decodes an HTTP message entity flow.
An exception that is thrown when access to a resource is forbidden during an operation on a resource.
Form fields, a case-sensitive multi-string-valued map.
A Header representation of the Forwarded HTTP header.
This class represents a request's hop detail.
Rebase the UriRouterContext's Original URI with a computed scheme, host name and port.
Creates and initializes a ForwardedRequestFilter in a heap environment.
The FragmentFilter supports URIs that contain fragments, keeping track of the fragment part when a request triggers a login redirect.
Creates and initialises a FragmentFilter in a heap environment.
A RetentionPolicy that will retain/delete log files given a minimum amount of disk space the file system must contain.
A synchronous function which returns a result immediately.
Methods exposed for EL usage.
Configuration class for configuring the Identity Gateway.
An undecoded HTTP message header.
A generic base class for heaplets with automatically injected fields.
A generic secret represented as an opaque blob of bytes, such as a password or API key.
A GlobalDecorator stores decorators configuration in order to re-apply them when requested to decorate a given heap object instance.
Unsubscribe from every subscribed topic on closure.
Creates and initializes a Filter supporting the transformation of a request - e.g.
Creates and initialises a GrantSwapJwtAssertionOAuth2ClientFilter in a heap environment.
Abstract base class for OAuth 2 grant type handlers for calling the token endpoint.
Provide support for scripts written in the Groovy language.
Utility methods for creating common types of handlers.
Provides commonly used handler implementations.
An HTTP message header.
Creates instances of Header classes from String representation.
Removes headers from and adds headers to a message.
Creates and initializes a header filter in a heap environment.
Provide HeaderFilter's TypeDefinition.
Message headers, a case-insensitive multiple-value map.
Resolves Headers objects.
Utility class for processing values in HTTP header fields.
Provides an OpenAM SSO Token in the given header name for downstream components.
Manages a collection of associated objects created and initialized by Heaplet objects.
An exception that is thrown during heap operations.
The concrete implementation of a heap.
Creates and initializes an object that is stored in a Heap.
Builds Heaplet instances.
Loads Heaplet classes based on the class of object they create.
Resolves Heap objects.
Routines for encoding and decoding binary data in hexadecimal format.
For every key that starts with the keyToHide, return an empty value.
Implements the HKDF key derivation function to allow a single input key to be expanded into multiple component keys.
A secret key designed to be used as the master key for HKDF key generation.
Deprecated. Use SecretHmacSigningHandler instead.
A loader for the KeyStoreSecretStore that knows how to load standard PKCS#11 Hardware Security Module (HSM) providers on our supported platforms.
This heaplet represents an instance of a HsmSecretStoreHeaplet.
This filter aims to send some access audit events to the AuditService managed as a CREST handler.
Configuration class to configure the HttpApplication instance.
An exception that is thrown during a Http Application start up when the start up of the application fails.
Creates and initializes a Filter supporting the injection of a Basic Authorization header in the request for the configured credentials.
Performs authentication through the HTTP Basic authentication scheme.
Creates and initializes an HTTP basic authentication filter in a heap environment.
An SPI interface for HTTP Client implementations.
An HTTP client for sending requests to remote servers.
SSL host name verification policies.
Encapsulates the details of the proxy if one is required when making outgoing requests.
Abstract Heaplet to create HTTP clients with different behaviors.
A provider interface for obtaining
HttpClient
instances.A
Context
containing information relating to the originating HTTP request.A factory which is responsible for creating new request
Context
s for
each JSON request.HTTP utility methods and constants.
HTTP WebSocket client interface.
QueryResourceHandler that searches for a specific identifier value.
This class encapsulates the result of calling the IdentityAssertionPlugin.process(org.forgerock.services.context.Context, org.forgerock.http.protocol.Request) method.
This class encapsulates the result of calling the IdentityAssertionPluginTechPreview.process(org.forgerock.services.context.Context, org.forgerock.http.protocol.Request, java.util.Map<java.lang.String, java.lang.Object>) method.
An exception specific to issues within the assertion package.
Provides support to locally process a user and generate a JWT assertion that represents the user back to the calling party.
Creates and initializes an IdentityAssertionHandler in a heap environment.
Provides support to locally process a user and generate a JWT assertion that represents the user back to the calling party.
A builder of an IdentityAssertionHandlerTechPreview.
Creates and initializes a LocalAuthenticationHandler in a heap environment.
Provide IdentityAssertionHandler's TypeDefinition.
Implementations of this interface carry out some user processing and return the claims that should be included in the Identity Assertion JWT in the IdentityAssertionClaims.
An exception specific to issues within the plugin package.
Implementations of this interface carry out some user processing and return the claims that should be included in the Assertion JWT in the IdentityAssertionClaims.
An IdentityRequestJwtContext is used to store the key details of the Identity Request JWT.
Enums that represent the version of the Identity Request JWT.
Defines the contract to generate global unique identifiers.
Default implementation of the IdGenerator that will output some ids based on the following pattern: <uuid> + '-' + an incrementing sequence.
An IdTokenValidationFilterHeaplet creates a filter that can be used to validate the given idToken according to the provided configuration by leveraging the JwtValidationFilter.
This class is responsible for locating the IG instance directory.
A time source; returns a time value representing the number of nanoseconds elapsed since some fixed but arbitrary point in time.
An exception which is thrown when two incompatible RouteMatch instances are attempted to be compared.
Interface of an object that can be indexed with a unique key.
Matches IPs (v4 or v6) with a CIDR pattern RFC4632.
Subscribe to a set of initial topics while starting.
This filter is responsible to check that an InternalSsoTokenContext was defined in the context's chain and to propagate the SSO token (potentially not valid) into the request as a header.
This class provides utility methods for converting Java Date objects into and from IntDates.
An exception that is thrown during an operation on a resource when the server
encountered an unexpected condition which prevented it from fulfilling the
request.
An InternalSsoTokenContext used to store an SSO token.
An InvalidCallerTokenDetectionFilter provides a mechanism that allows IG to detect an incorrect response and trigger a token refresh before making the request again with the updated token.
Represents an exception that occurs when a JWT is determined as invalid.
An exception generated by a TokenHandler on validation or extraction when the token is invalid.
Utility class that can stream to and from streams.
Metadata of an OAuth2 issuer.
A configuration for an OAuth2 or an OpenID Connect Issuer.
A repository to store and create all the OAuth2 issuers.
Creates and initializes an IssuerRepository in a heap environment.
Default implementation of a Keystore handler.
Implements an AuditEventHandler to write AuditEvents to a JDBC repository.
Configures the JDBC mapping and connection pool.
Configuration for a connection pool.
Configuration of event buffering.
Creates and initializes a JDBC data source in a heap environment.
Publishes Audit events on a JMS Topic.
Configuration object for the JmsAuditEventHandler.
This class holds the configuration properties that are used by the BatchPublisher to control the batch queue and worker threads that process the items in the queue.
Stores the JNDI context properties and lookup names.
Interface for retrieving a JMS topic and a JMS connection factory.
Set of SecretConstraints for filtering Secrets.
Provides read and write JSON capabilities.
Jackson Module that uses a mixin to make sure that a JsonValue instance is serialized using its #getObject() value only.
Jackson Module that adds a serializer for LocalizableString.
AuditEventHandler for persisting raw JSON events to a file.
Configuration for JsonAuditEventHandler.
Configuration of event buffering.
An exception that is thrown during JSON operations.
Processes partial modifications to JSON values.
RFC6902 expects the patch value to be a predetermined, static value to be used in the
patch operation's execution.
Identifies a specific value within a JSON structure.
Contains Utility methods for dealing with JsonSchema data.
AuditEventHandler for persisting raw JSON events to stdout.
Configuration for JsonStdoutAuditEventHandler.
Represents a value in a JSON object model structure.
An exception that is thrown during JSON value operations.
A QueryFilterVisitor that returns true if the provided JsonValue meets the criteria of the QueryFilter assertions and false if it does not.
This class contains the utility functions to convert a JsonValue to another type.
This class contains the utility functions to convert a JsonValue to CREST (json-resource) types.
Provides additional functionality to JsonValue.
Contains some JsonValue Utility methods.
An Enum of the possible encryption algorithms that can be used to encrypt a JWT.
An Enum of the possible types of JWE algorithms that can be used to encrypt a JWT.
Represents an exception for when compression/decompression of the plaintext fails.
This exception entirely duplicates JweDecryptionException except that it is a checked exception so that it can be used with a Promise.
Class supporting EncryptedJwt encryption verification with a verification Purpose and a SecretsProvider responsible for getting the decryption key.
Represents an exception for when decryption of the JWE fails.
This class represents the result from the encryption process of the JWT plaintext.
Represents an exception for when encryption of the JWE fails.
Represents a generic exception for JWE operations.
An implementation for the JWE Header parameters.
An implementation of a JWE Header builder that provides a fluent builder pattern to create JWE headers.
An Enum for the additional JWE Header parameter names.
The abstract base class for the 3 implementations of JWK.
JWK builder.
Exports keys in JSON Web Key (JWK) format.
Helper class to look up and return the keys from specific JWK implementation
algorithm types.
Decodes a JSON Web Key (JWK) as a secret.
Builds a JwkPropertyFormat used to decode JSON Web Key formatted keys that can be used with SecretStore mappings configuration.
Provide the JwkPropertyFormatHeaplet's TypeDefinition.
Holds a Set of JWKs.
Creates a JwkSetHandler to store the cryptographic keys.
Creates and initializes a JwkSetHandler in a heap environment.
Provides methods to gather a JWKSet from a URL and return
a map of key ids to keys as dictated by that JWKS.
A secret store that loads cryptographic keys from a local or remote JWKSet.
This heaplet represents an instance of a JwkSetSecretStore resolving secrets from a URL of a JSON Web Key Set (JWKSet).
Store JWKs into a jwkSet from a JWKs_URI and refresh the jwkSet when necessary.
Manage the jwks store, to avoid unnecessarily having more than one jwks store for the same JWKs_URI.
A base implementation class for a JSON Web object.
An Enum of the possible signing algorithms that can be used to sign a JWT.
An Enum of the possible types of JWS algorithms that can be used to sign a JWT.
Represents a generic exception for JWS operations.
An implementation for the JWS Header parameters.
An implementation of a JWS Header builder that provides a fluent builder pattern to create JWS headers.
An Enum for the JWS Header parameter names.
Class supporting Jwt signature verification with a verification Purpose and a SigningManager responsible for the verification.
Represents an exception for when signing of the JWS fails.
Represents an exception for when verification of the JWS signature fails.
The interface for all types of JSON Web Tokens (JWTs).
Implements the JWT bearer assertion grant type.
The base interface for all JwtBuilders for each type of JWT (plaintext, signed or encrypted).
Used by the JwtBuilderFilter to make the JWT available in the context.
Represents an exception that occurs when creating/rebuilding JWTs.
A factory for getting builders for plaintext, signed and encrypted JWTs and reconstructing JWT strings back into
their relevant JWT objects.
The JwtBuilderFilter collects data from template
and puts the name-value pairs into a JWT structure.
Creates and initializes a JwtBuilderFilter in a heap environment.
A JwtClaimConstraint represents an individual check that can be applied to test a claim from a JWT.
An implementation that holds a JWT's Claims Set.
An implementation of a JWT Claims Set builder that provides a fluent builder pattern to creating JWT Claims Sets.
An Enum for the JWT Claims Set names.
A JwtConstraint represents an individual check that can be applied to test a JWT.
A JwtFactory encapsulates JWT production strategy into a re-usable and testable design.
The JwtFactory supports securing of JWTs.
A base implementation class for JWT Headers.
A base implementation of a JWT header builder that provides a fluent builder pattern to creating JWT headers.
An Enum for the JWT Header parameter names.
A service that provides a method for reconstructing a JWT string back into its relevant JWT object (SignedJwt, EncryptedJwt, SignedThenEncryptedJwt, EncryptedThenSignedJwt).
Represents an exception that occurs when reconstructing JWTs.
Represents a generic exception for JWT operations.
A base implementation for the common security header parameters shared by the JWS and JWE headers.
A base implementation of a JWT header builder, for the common security header parameters shared by the JWS and JWE
headers, that provides a fluent builder pattern to creating JWT headers.
This Heaplet is responsible for configuring and creating a JwtSession.
Deprecated.
Prefer SecretsJwtTokenHandler instead.
A type that stores the media/jwt types for JWTs.
Utility methods supporting JWTs.
A JwtValidationContext used to store the JWT and claims.
A JwtValidationErrorContext used to store the JWT and the list of violations for this JWT.
A JwtValidationFilter validates the given JWT according to the provided configuration.
Creates and initializes a JwtValidationFilter in a heap environment.
The JwtValidator is responsible for the JWT validation.
Builder for the JwtValidator.
This interface provides a generic way to enrich a JwtValidator.Builder.
A class that handles the results for the JWT validation.
A SecretPropertyFormat that wraps another format, extracting the secret value from a JWT before delegating to the wrapped format.
Provides support for validating a user's Kerberos token, works as an IdentityAssertionPlugin for the IdentityAssertionHandler.
Creates and initializes a KerberosIdentityAssertionPlugin in a heap environment.
Provide the KerberosIdentityAssertionPlugin's TypeDefinition.
A key that is used in a key-agreement protocol (such as Diffie-Hellman) to agree another key.
A key that is used to decrypt (or "unwrap") other keys that have been encrypted with a KeyEncryptionKey.
A key that is used to encrypt ("wrap") other keys.
A format that can be used for exporting key material.
Exports a key in the PEM (Privacy Enhanced Mail) format.
Exports the raw key.
Deprecated.
Use SecretsKeyManagerHeaplet instead.
Represents the Possible key operations values.
Define here the constants that can be used as Heap's keys.
Handles the access to a KeyStore.
Decorate a KeyStoreHandler in order to add some commons utility methods to read or write keystore's entries.
Strategy for obtaining a keystore handler.
Deprecated.
Use KeyStoreSecretStoreHeaplet instead.
A secret store for cryptographic keys based on a standard Java KeyStore.
Specifies an alias with its validity for use in the store.
Permits to retrieve the list of usable AliasSpecs of a specific KeyStore.
Aggregates multiple AliasSpecProviders results to serve the list of AliasSpec for a KeyStore.
Serves a matching subset of the aliases present in a KeyStore based on a predicate.
An interface to allow the consuming application to provide the stable ID for the secret.
Serves a static list of AliasSpecs, without looking at the real content of a KeyStore.
This heaplet represents an instance of a KeyStoreSecretStore.
Provide the KeyStoreSecretStoreHeaplet's TypeDefinition.
Implementation of a secure storage using a keystore.
Utility class to retrieve private keys from KeyStore.
Provides support for a service login using a Keytab file.
Creates and initializes a KeytabServiceLogin in a heap environment.
Provide the KeytabServiceLogin's TypeDefinition.
Enum representing the possible KeyTypes.
Indicates the type of key.
Indicates the allowed usages for a particular key.
Represents the supported KeyUse values.
For a given key/value pair, return the processed value as an Optional.
Class representing a value to be processed.
Utility methods for interacting with lambdas that throw exceptions.
A list with lazy initialization.
A map with lazy initialization.
A Supplier that lazily computes a value the first time it is accessed and then caches the result to return on subsequent requests.
A LeftValueExpression is a specialized Expression to which we can assign a value.
Manages Lifecycle on an object.
Wraps another map.
Resolves List objects.
Provides helper methods for List.
An SPI interface for implementing alternative service loading strategies.
Provides methods for dynamically loading classes.
Strategy for obtaining the server's local hostname.
Represents a String which could be localizable.
An implementation of an in-memory session store.
Processes the Location message header.
Rewrites Location headers on responses that generate a redirect that would take the user directly to the application being proxied rather than taking the user through the Identity Gateway.
Creates and initializes a LocationHeaderFilter in a heap environment.
A LogAttachedExceptionFilter prints attached exceptions to filtered responses.
Thrown when a header string cannot be parsed to a rich Header implementation.
Wraps another map.
A QueryFilterVisitor that produces a Map representation of the filter tree.
Implementation of ThrottlingPolicy backed by a Map.
Creates and initializes a MappedThrottlingPolicy in a heap environment.
Resolves Map objects.
An implementation of Action that will preserve the SLF4J MDC.
An implementation of Consumer that will preserve the SLF4J MDC.
A SingleObserver wrapper that manages the MDC.
An implementation of Subscriber that will preserve the SLF4J MDC.
Store SLF4J Mapped Diagnostic Context (aka MDC) when tasks are submitted, and re-inject it when tasks are executed.
An MdcRouteIdFilter aims to prepare the current thread with SLF4J MDC information about the current route.
Store SLF4J Mapped Diagnostic Context (aka MDC) when tasks are submitted, and re-inject it when tasks are executed.
A simple in-memory collection resource provider which uses a Map to store resources.
Elements common to requests and responses.
Abstract message base class.
Indicates a type of HTTP message.
A metered stream is a subclass of OutputStream that
(a) forwards all its output to a target stream
(b) keeps track of how many bytes have been written.
Collect request processing metrics.
Wraps a map for which the values are lists, providing a set of convenience methods for
handling list values.
A MutableUri is a modifiable URI substitute.
A Name uniquely identifies an object within a hierarchy.
The NeverThrowsException class is an uninstantiable placeholder exception which should be used for indicating that a Function or AsyncFunction never throws an exception (i.e.
Allows the Caching of an object.
An event handler that does nothing.
Used as a no-op placeholder for an AuditService which can be overridden via config.
Creates a NoOpAuditService in a heap environment.
A Decorator which does nothing but act as if it had decorated the object.
A NOP implementation of the Compression Handler, which will be used when no compression is to be
applied.
A ProxyOptions to use when no proxy must be used.
Creates and initializes a NoProxyOptions in a heap environment.
Provide the NoProxyOptions's TypeDefinition.
Deprecated.
This algorithm is inherently insecure and shouldn't be used.
Indicates that no secret was configured for the given purpose, or the named secret is not available.
An exception that is thrown when a specified resource cannot be found.
A Notification is a special message that AM sends to its "agents" to notify the occurrence of an event.
Listen to topic notification.
The configuration object used to set up the NotificationService.
Builder to ease the creation of a NotificationsConfig.
Class providing constants used in AM notifications support.
Represents a source of notifications.
Represents the connection event listener registration.
NotificationService implementation.
An exception that is thrown during an operation on a resource when the resource does not implement/support the feature to fulfill the request.
A convenient implementation of a CREST Filter that just returns a NotSupportedException for all the methods implementations.
This class is used to filter null responses.
OAuth2 utility class.
Processes the OAuth 2.0 Bearer WWW-Authenticate message header.
Register all the aliases supported by the openig-oauth2 module.
A filter which is responsible for authenticating the end-user using OAuth 2.0
delegated authorization.
Creates and initializes the filter in a heap environment.
An OAuth2Context could be used to store and retrieve an AccessTokenInfo.
Declares the Heap objects needed by this module in the main IG heap.
Describes an error which occurred during an OAuth 2.0 authorization request
or when performing an authorized request.
An exception that is thrown when OAuth 2.0 request fails.
Context implementation to hold OAuth2 error details, should a failure occur during OAuth2 scenarios.
Validates a Request that contains an OAuth 2.0 access token.
Provide a TypeDefinitionProvider for OAuth2ResourceServer.
This context helps to manage the OAuth2Session when used with OAuth2ClientFilter.
Context supporting OAuth2 token exchange scenarios, this manages the resulting exchange token.
Filter supporting OAuth2 token exchange scenarios.
Creates and initialises an OAuth2TokenExchangeFilter in a heap environment.
Attempt to deserialize the Object into its String representation.
Common utility methods for Objects.
Creates an Octet JWK.
The Octet JWK builder.
An Octet Key-Pair (OKP) JWK as defined in RFC 8037.
Builder object for Octet Key-Pair (OKP) JWKs.
Deprecated.
The “/oauth2/tokeninfo” endpoint was deprecated in AM 6.5.
Register all the aliases supported by the openig-openam module.
This filter looks for the query parameter _api : if present then it returns the API description of the
downstream handlers, otherwise the request is processed as expected.
A configuration option whose value can be stored in a set of Options.
A set of options which can be used for customizing the behavior of HTTP clients and servers.
Filter which handles OPTION HTTP requests to CREST resources.
A StableIdResolver that uses a version suffix and a subsequent number to determine the stableId of a Secret.
An exception that is thrown if a buffer would overflow as a result of a write operation.
Ordered pair of arbitrary objects.
Supports password replay feature in a composite filter.
An individual patch operation which is to be performed against a field within
a resource.
A request to update a JSON resource by applying a set of changes to its existing content.
Utilities for manipulating paths.
If the key matches the expression, return a masked value otherwise return the original value.
Expresses a transformation to be applied to a regular expression pattern match.
The interface represents the body of a JWT.
Supports decoding keys and certificates in PEM format.
Builds a PemPropertyFormat used to decode keys and certificates in a PEM format that can be used with SecretStore mappings configuration.
Provide the PemPropertyFormatHeaplet's TypeDefinition.
A simple reference to an object that is periodically refreshed.
Renew the AmLink periodically without causing any disconnection.
A type helper to supply an AmLink.AmLinkSupplier from a set of topics.
PerItemEvictionStrategyCache is a thread-safe write-through cache.
An exception that indicates that a failure is permanent, i.e.
Register all the aliases supported by the openig-ping module.
This filter permits to evaluate the HTTP request and response against Ping One API Access Management (P1 AAM).
Context supporting risk analysis with PingOne Protect, capturing the evaluation result.
The PingOneProtectEvaluationFilter supports integration with PingOne Protect.
Creates and initialises a PingOneProtectEvaluationFilter in a heap environment.
The PingOneProtectFeedbackFilter provides a feedback mechanism to capture the outcome of actions completed as a result of the risk evaluation.
Creates and initialises a PingOneProtectFeedbackFilter in a heap environment.
The PingOneProtectThreatLevelRoutingHandler routes the request to one of the configured handlers, based on the PingOneProtectEvaluationContext's level, captured during evaluation.
Creates and initialises a PingOneProtectThreatLevelRoutingHandler in a heap environment.
Represents a pipe for transferring bytes from an OutputStream to an InputStream.
A PolicyDecisionContext conveys policy decision information to downstream filters and handlers.
This filter requests policy decisions from Access Management which evaluates the original URI based on the context and the policies configured, and according to the decisions, allows or denies the current request.
Creates and initializes a policy enforcement filter in a heap environment.
An exception that is thrown to indicate that a resource's current version
does not match the version provided.
An exception that is thrown to indicate that a resource requires a version,
but no version was supplied in the request.
A Predicate functional interface which can throw a checked Exception.
Utility class for Predicate.
This class encapsulates an ordered list of preferred locales, and the logic to use those to retrieve i18n ResourceBundles.
Container for a principal and secret.
Resolves Principal objects.
A Filter implementation for adding the client credentials to request as signed private key jwt as per the OpenID Connect Client Authentication specification.
PrivateKeyJwtClientAuthenticationFilter.Builder<T extends PrivateKeyJwtClientAuthenticationFilter.Builder<T>>
Builder class for creating the PrivateKey Jwt ClientAuthentication Filter.
Heaplet supporting creation of a private-key-jwt authentication Filter.
Utility class to retrieve product information.
Strategy for obtaining the information relating to the product in which the AuditService is deployed.
A Promise represents the result of an asynchronous task.
An implementation of Promise which can be used as is, or as the basis for more complex asynchronous behavior.
Utility methods for creating and composing Promises.
Ordered list of joined asynchronous results.
Utility class for promises management.
Decodes secrets in raw base64 format.
A SecretStore implementation that resolves secrets as base64-encoded strings from an underlying PropertyResolver.
Configure proxy settings.
A purpose encapsulates both a name for a function that requires access to secrets, together with a hint as
to the intended usage of those secrets.
A filter which can be used to select resources, which is compatible with the CREST query filters.
QueryFilter constants.
A query string has the following string representation:
Convenience methods to create QueryFilter that specify fields in terms of JsonPointer instances.
A visitor of QueryFilters, in the style of the visitor design pattern.
A request to search for all JSON resources matching a user specified set of criteria.
A completion handler for consuming the results of a query request.
The final result of a query request returned after all resources matching the
request have been returned.
The Randoms utility class offers methods to generate random values.
Generates a random value (cryptographically secure) that can be used in a query parameter value.
Exposes a range of integer values as a set.
Utility class for ReactiveX operations.
A request to read a single identified JSON resource.
This class defines a Realm as it is used in OpenAM.
A RealmNormalizer computes the path segment that includes the AM realm information as it should be used in REST API call.
CREST collection service dedicated to persist JSON objects (other types are not supported: arrays, primitives, and null).
File-based Record storage service.
A Header representation of the Referrer HTTP header.
A grant type handler that can obtain an access token using a previously obtained refresh token.
Represents an exception whilst performing OpenID registration.
An input parameter-validating utility class using fluent invocation:
A request message.
Common attributes of all JSON resource requests.
A context for audit information for an incoming request.
Exposes incoming request cookies.
Provide the RequestFormResourceAccess's TypeDefinition.
Represents the contract with a set of resources.
Resolves Request objects.
The RequestResourceUriProvider has the following configuration:
Creates and initializes a RequestResourceUriProvider in a heap environment.
A utility class containing various factory methods for creating and
manipulating requests.
An enumeration whose values represent the different types of request.
A visitor of Requests, in the style of the visitor design pattern.
Exposes an object's elements for access through dynamic expressions and scripts.
Performs object resolution by object type.
A Resource represents any content that can be served through the ResourceHandler.
A ResourceAccess encapsulates the logic of required scope selection.
Utility class providing ResourceAccess configuration support.
Class aggregating ResourceAccess TypeDefinitions.
Implementations of this interface will be responsible for maintaining the behaviour of API Version routing.
API Version routing filter which creates an ApiVersionRouterContext which contains the default routing behaviour when the Accept-API-Version header is set on the request.
API Version routing filter which creates an ApiVersionRouterContext which contains the default routing behaviour when the Accept-API-Version header is set on the request.
A Filter supporting the specification of resource API version configuration to be used when a request on a specific endpoint does not contain an Accept-API-Version header.
Handler allowing products to extend behaviour when a request has no resource API version supplied.
Class representing a mapping between a ResourcePath and a Version.
ResourceApiVersionSpecificationFilter.VersionSpecification supporting specification of a request's resource version based on its resource path.
Mechanism supporting specification of a version on the request.
An exception that is thrown during the processing of a JSON resource request.
Utility class to use on ResourceExceptions.
A ResourceHandler is a handler that serves static content (content of a directory, or a zip).
Creates and initializes a ResourceHandler in a heap environment.
Creates and initializes a Filter supporting the transformation of client and user credentials to an access_token, using the grant type "password".
The TypeDefinitionProvider of the ResourceOwnerOAuth2ClientFilterHeaplet.
A grant type handler that can obtain an access token using the Resource Owner Password Credentials (ROPC) grant.
A relative path, or URL, to a resource.
A resource, comprising of a resource ID, a revision (etag), and its JSON
content.
This class contains methods for creating and manipulating connection
factories and connections.
Validates a Request that contains an OAuth 2.0 access token.
A ResourceSet abstracts Resource lookup mechanism.
Used to obtain the resource URI to include in policy requests.
A response message.
Common response object of all resource responses.
Indicates whether a response can be cached and under what conditions.
An HTTP Framework Exception that can be used by filters/handlers to simplify
control-flow inside async call-backs.
Provide out-of-the-box, pre-configured Response objects.
A utility class containing various factory methods for creating and manipulating responses.
A Result represents the result of a validation operation: either a success or a failure (with an associated description).
A Result of a JWT validation.
A completion handler for consuming the results of asynchronous tasks.
Hook into the retention checking operations for a file.
RetentionHooks that do nothing.
Defines the retention conditions and the files that need to be deleted.
Retry the AmLink start according to criterion.
A type helper to supply an AmLink.AmLinkSupplier from an SSO Token.
An exception that indicates that a failure may be temporary, and that retrying the same request may be able to succeed in the future.
A RetryFilter is responsible for re-executing the incoming request should it fail with a runtime exception or if an optional condition expression evaluates to true.
A RetryFilter builder.
Creates a reverse proxy Handler in a heap environment.
Provide ReverseProxyHandler's TypeDefinition.
A Context which has a globally unique ID but no parent.
Interface defining methods a rotatable file needs.
Supports file rotation and retention.
Callback hooks to allow custom action to be taken before and after the checks for rotation and
retention is performed.
This class holds some information while a file is being rotated.
Callback hooks to allow custom action to be taken before and after file rotation occurs.
RotationHooks that do nothing.
Interface to decide if a file should be rotated or not.
A RouteImporter is responsible for creating a RouteInstance from a given JsonValue that represents an IG route.
A RouteInstance describes a route with all of its internal components, all linked together.
Contains the result of routing to a particular route.
A matcher for evaluating whether a route matches the incoming request.
A utility class that contains methods for creating route matchers.
A utility class that contains methods for creating route matchers.
A router which routes requests based on route matchers.
A router which routes requests based on route predicates.
Represents a URI template string that will be used to match and route
incoming requests.
Auto-configured DispatchHandler.
Creates and initializes a routing handler in a heap environment.
Represents an exception whilst managing the routes in a RouterHandler.
Provide RouterHandler's TypeDefinition.
Context implementation to maintain a record of the route that accepted the request.
The algorithm which should be used when matching URI templates against request resource names.
Deprecated.
Use RSAEncryptionHandler and AESCBCHMACSHA2ContentEncryptionHandler instead.
Deprecated.
Use RSAEncryptionHandler and AESCBCHMACSHA2ContentEncryptionHandler instead.
Abstract base class for implementations of the RSAES-PKCS1-v1_5 and RSA-OAEP encryption schemes.
Implements a RsaJWK.
The RSA JWK builder.
Holds the other prime factors.
Deprecated.
Use SecretRSASigningHandler instead.
Supported runtime modes.
A completion handler for consuming runtime exceptions which occur during the
execution of asynchronous tasks.
Register all the aliases supported by the openig-saml module.
A simple container for the key SAML configuration items.
Context implementation to hold error details, should an error occur during SAML processing.
The SAML federation filter works like other SSO type filters: a request that passes through the SAML federation filter, that does not trigger the logout expression or matches one of the SAML endpoints, will be checked for a valid session.
Provide SamlFederationFilterHeaplet's TypeDefinition.
Deprecated.
in 2023.4.0, use SamlFederationFilterHeaplet as a replacement.
Provide SamlFederationHandlerHeaplet's TypeDefinition.
Heaplet for building ScheduledExecutorService instances.
Encapsulate an executable script.
A Scriptable access token resolver.
Creates and initializes a scriptable access token resolver in a heap environment.
A scriptable filter.
Creates and initializes a scriptable filter in a heap environment.
A scriptable handler.
Creates and initializes a scriptable handler in a heap environment.
A scriptable IdentityAssertionPlugin.
Creates and initializes a ScriptableIdentityAssertionPlugin in a heap environment.
A scriptable IdentityAssertionPluginTechPreview.
Creates and initializes a ScriptableIdentityAssertionPlugin in a heap environment.
Provide ScriptableIdentityAssertionPlugin's TypeDefinition.
A Scriptable JWT Validator customizer.
Creates and initializes a scriptable Jwt Validator customizer in a heap environment.
A scriptable resource access.
Creates and initializes a scriptable object in a heap environment.
A scriptable resource URI provider.
Creates and initializes a scriptable resource url provider in a heap environment.
A scriptable throttling datasource.
Creates and initializes a scriptable object in a heap environment.
A factory for Scripts.
A ScriptFactoryManager is the plug-in point where ScriptFactory implementations need to be registered in order to be available to the runtime.
A secret is any piece of data that should be kept confidential.
Provides a uniform way for secrets providers to construct secrets and keys.
A Handle to expire a secret.
A simple holder of a secret and its expirer.
Interface for constraints on a secret that must be satisfied for a given Purpose.
Specifies how data retrieved from a SecretStore should be decoded into a secret object.
Elliptic Curve Digital Signature Algorithm (ECDSA) signing and verification.
Signing handler for Edwards Curve DSA (EdDSA) as defined in RFC 8037.
An implementation of the SigningHandler which can sign and verify using algorithms from the HMAC family.
Wraps a property format that decodes raw bytes and converts it into a property format for extracting secret keys
using some algorithm.
It builds a SecretPropertyFormat that can be used with SecretStore mappings configuration.
Provide the SecretKeyPropertyFormatHeaplet's TypeDefinition.
Defines the format of secrets loaded from configuration properties.
Class aggregating basic TypeDefinitions for simple subtypes of SecretPropertyFormat.
A long-lived reference to an active or named secret.
The secret resource used for creating a Secret.
A Secret-based implementation of the SigningHandler which can sign and verify using algorithms from the RSA family.
Provides Secret-based signing and verification code base.
Token handler for creating tokens using a JWT as the store.
Builder pattern object for configuring a SecretsJwtTokenHandler.
An X509ExtendedKeyManager implementation that gets keys and certificates from a SecretsProvider.
A SecretsKeyManagerHeaplet acts as a factory of SecretsKeyManager.
A Java security provider that exposes a KeyStore view of a secret store.
Class used to initialise the keystore when it is initialised via the standard Java interfaces.
The secrets provider is used to get hold of active, named or valid secret objects.
Creates and initializes a SecretsProvider in a heap environment.
Provide the SecretsProviderHeaplet's TypeDefinition.
An implementation of Saml2CredentialResolver that provides support for resolving secrets configured in an IG route/heap.
Interface for the SecretsService.
A backend storage mechanism for certain kinds of secrets.
Provides an implementation of a standard Java TLS X509ExtendedTrustManager that will retrieve trusted certificates from the Secrets API.
A SecretsTrustManagerHeaplet acts as a factory of SecretsTrustManager.
Utility class to use the Commons Secret API.
Represents a storage for secure keys, to be used for signing files.
Exception that can be thrown by a SecureStorage implementation.
Strategy for obtaining a secure storage, used by handlers providing tamper-evident feature.
A Context containing information about the client performing the request which may be used when performing authorization decisions.
Deprecated.
This class will be removed once CAF has been migrated fully to CHF, at which point components should create SecurityContexts directly rather than via request attributes.
Allows records to be retrieved from a delimiter-separated file using key and value.
Reads records with delimiter-separated values from a character stream.
A field separator specification, used to parse delimiter-separated values.
Commonly used field separator specifications.
Processes a request through a sequence of handlers.
Creates and initializes a sequence handler in a heap environment.
Provide SequenceHandler's TypeDefinition.
Provides server info (build-time defined values only at the moment) in a read-only fashion.
Extension to TlsOptions supporting client authentication configuration used to drive the authentication negotiation between the client and IG.
Enum representing the client authentication configuration options driving authentication negotiations between IG and the client.
A SNI (Server Name Indication) configuration holder.
Creates and initializes server-side TLS options in a heap environment.
Used to implement different Kerberos based service logins.
An exception that is thrown during an operation on a resource when the server
is temporarily unable to handle the request.
An interface for managing attributes across multiple requests from the same user agent.
A SessionContext is a mechanism for maintaining state between components when processing successive requests from the same logical client or end-user.
Represents an exception whilst performing Session Service.
The SessionInfo class is responsible for storing session info for a given SSO Token.
Context to store Access Management session info and properties.
This filter requests user session info from Access Management and stores it on the context for later use.
Creates and initialises a session info filter in a heap environment.
Deprecated.
Configuration wrapper for JMS Session.getAcknowledgeMode() SessionMode setting.
The SessionService is responsible for performing interactions with AM sessions endpoint, such as session info or logout, etc.
Deprecated, for removal: This API element is subject to removal in a future version.
This header is no longer supported by browsers.
Processes the Set-Cookie request message header.
This filter allows modification of response cookie attribute values for cookies found in the Set-Cookies header.
Creates and initializes a SetCookieUpdateFilter in a heap environment.
Contains another set, which it uses as its basic source of data, possibly transforming the
data along the way.
Defines the standard Syslog message severities.
Verifies a certificate thumbprint against a previously calculated thumbprint, stored in a specially named attribute
stored in the context's attributes.
Any component which needs to be shut down should implement this interface
and use the function to shut down the component.
Interface used by shutdown managers to allow for thread safe
adding and removing of shutdown listeners.
This class defines the shutdown priorities that are consumed by com.sun.identity.common.ShutdownManager.
Sends the requests and responses to the Ping Sideband API, then processes its decisions and accepts/rejects/rewrites requests and responses.
Utility class for signing and verifying signatures.
Deprecated.
Use EncryptedThenSignedJwtHeaderBuilder instead.
Deprecated.
Use EncryptedThenSignedJwt instead.
Deprecated.
Use EncryptedThenSignedJwtBuilder instead.
A JWS implementation of the Jwt interface.
A base interface for both SignedJwtBuilder and SignedEncryptedJwtBuilder to create Signed JWTs and Signed and Encrypted JWTs.
An implementation of a JwtBuilder that can build a JWT and sign it, resulting in a SignedJwt object.
A JwtFactory for SignedJwt.
A nested signed-then-encrypted JWT.
Builder for nested signed-then-encrypted JWT.
A JwtFactory for SignedThenEncryptedJwt.
The interface for SigningHandlers for all the different signing algorithms.
A key that is used for signing digital signatures.
A service to get the appropriate SigningHandler for a specific Java Cryptographic signing algorithm.
This filter verifies the presence of a SSOToken in the given cookie name.
Creates and initialises an authentication filter in a heap environment.
Provide SingleSignOnFilter's TypeDefinition.
An implementation interface for resource providers which exposes a single permanent resource instance.
A StableIdResolver that matches a stableId exactly to the purpose for returning only one Secret.
Creates a size based file retention policy.
Creates a file size based rotation policy.
An implementation of a ResultRecorder to count the number of failed requests in the last size requests.
A sort key which can be used to specify the order in which JSON resources should be included in the results of a query request.
This comparator iterates through the provided sortKeys and finds the first comparative difference between the left and right side JsonValues.
Defines possible positions for JsonValue that wraps a null object.
Splits a target cookie into smaller cookies when it is bigger than 4Kb (see RFC 6265).
Audit event handler that writes out to Splunk's HTTP event collector RAW endpoint.
Configuration for the splunk audit event handler.
Configuration of event buffering.
Configuration of connection to Splunk.
Executes a SQL query through a prepared statement and exposes its first result.
Creates and initializes a static attribute provider in a heap environment.
Represents the successful result of an authentication against the AM server.
The SsoTokenContext provides access to the token and user information related to this session.
Permits use of an AmLink even if not started or between disconnection and reconnection events.
Interface for resolving stable ids in a SecretStore.
A utility class to capture startup metrics.
A StatelessAccessTokenResolver that locally resolves and validates stateless access_tokens issued by AM.
Creates and initializes a stateless access token resolver in the heap environment.
Creates a new request and sends it down to the next handler (effectively replacing the previous request).
Creates and initializes a request filter in a heap environment.
Creates a static HTTP response.
Creates and initializes a static response handler in a heap environment.
Provide StaticResponseHandler's TypeDefinition.
The status-code element is a three-digit integer code giving the result of the attempt to understand and satisfy the request.
The first digit of the status-code defines the class of response.
Utility methods for operating on IO streams.
This class provides a utility method for validating that a String is either an arbitrary string without any ":"
characters or, if the String does contain a ":" character, that the String is a valid URI.
Common utility methods for Strings.
Miscellaneous string utility methods.
A StsContext conveys the token transformation results to downstream filters and handlers.
Represents a managed subscription to a given topic.
A SubscriptionAck is a response message to a SubscriptionRequest.
Represents a subscription (or un-subscription) failure.
A SubscriptionRequest is a message sent to the notification server when subscribing to a topic.
The different kinds of subscription requests.
A Supplier functional interface which can throw a checked Exception.
Enumerates all supported elliptic curve parameters for ESXXX signature formats.
An API Producer for APIs that use the Swagger model implementation of the OpenAPI specification.
Extension of Swagger to override some of its behaviors.
Swagger utility.
Conditionally diverts the request to another handler.
Creates and initializes a switch filter in a heap environment.
An interface for implementing synchronous RequestHandlers.
The handler publishes audit events formatted using SyslogFormatter to a syslog daemon using the configured SyslogPublisher.
Configuration object for the SyslogAuditEventHandler.
Configuration of event buffering.
Encapsulates configuration for mapping audit event field values to Syslog severity values.
This heaplet represents an instance of a PropertyResolverSecretStore resolving properties in system then in environment variables.
An ELContext node plugin that provides read-only access to system properties.
A ProxyOptions to use when the system defined proxy must be used.
Creates and initializes a SystemProxyOptions in a heap environment.
Provide the SystemProxyOptions's TypeDefinition.
Contains the necessary information to map an event to a database table, and the event fields to the columns in that database table.
A Heaplet to call IO.newTemporaryStorage() within a heaplet environment.
A TextWriter provides a character-based stream which can be queried for number of bytes written.
A TextWriter implementation which writes to a given output stream.
Wraps a TextWriter in a Writer.
A secret store that wraps another secret store and performs all query operations in a background thread using a thread pool.
Common utility methods for Threads.
This filter applies a rate limitation to incoming requests: requests over the limit will be rejected with a 429
(Too Many Requests) response, others will pass through.
Creates and initializes a throttling filter in a heap environment.
This interface defines the contract to look up a ThrottlingRate that will be applied to the given Request.
A value object to represent a throttling rate.
This interface defines the contract for any throttling strategy.
Throwable utilities class.
Creates a rotation policy based on a time duration.
Creates and initializes a TimerDecorator in a heap environment.
Provide TimerDecorator's TypeDefinition.
A factory for the TimerDecorator.
A FilenameFilter that matches historical log files.
Creates a time stamp based file naming policy.
Key TLS Options used by both the ClientTlsOptions and the ServerTlsOptions.
The rate limiting is implemented as a token bucket strategy that gives us the ability to handle rate limits through a sliding window.
Responsible for the validation, generation and parsing of tokens used for keying a JsonValue
representative of some state.
An exception generated by a TokenHandler on either creation, validation, or state extraction.
An AccessTokenResolver which is RFC 7662 compliant.
Creates and initializes a TokenIntrospectionAccessTokenResolver in a heap environment.
Provide TokenIntrospectionAccessTokenResolverHeaplet's TypeDefinition.
Deprecated, for removal: This API element is subject to removal in a future version.
A TokenTransformationFilter is responsible for transforming a token issued by Access Management into a token of another type.
Creates and initializes a token transformation filter in a heap environment.
Multiplex topic registration on top of an AmLink.
A Header representation of the Trailer HTTP response header.
TransactionId value should be unique per request coming from an external agent so that all events occurring in response to the same external stimulus can be tied together.
This context aims to hold the TransactionId.
Processes the transactionId header used mainly for audit purposes.
This filter is responsible for creating the TransactionIdContext in the context's chain.
This filter aims to create a sub-transaction's id and inserts that value as a header of the request.
Transport protocol over which Syslog messages should be published.
Trust all certificates that this class is asked to check.
Creates and initializes a trust-all manager in a heap environment.
Deprecated.
Use SecretsTrustManagerHeaplet instead.
Type definitions helpers for generic types.
Register all the aliases supported by the openig-uma module.
UMA Resource Server specific exception thrown when unrecoverable errors are happening.
An UmaResourceServerFilter implements a PEP (Policy Enforcement Point) and is responsible for ensuring that the incoming requests (from requesting parties) all have a valid RPT (Request Party Token) with the required set of scopes.
Creates and initializes an UMA resource server filter in a heap environment.
An UmaSharingService provides core UMA features to the Identity Gateway when acting as an UMA Resource Server.
Creates and initializes an UMA service in a heap environment.
An exception that indicates that a failure is not directly known to the
system, and hence requires out-of-band knowledge or enhancements to determine
if a failure should be categorized as temporary or permanent.
A marker interface for tagging collection implementations as read-only.
Indicates that the JWT had critical headers that were not recognized by the JWT library and not implemented by the application.
Represents an unrecoverable authentication error or failure such as a missing authentication Tree or Service.
Indicates a 415 Unsupported Media Type response that the Content-Type of the request was not acceptable.
A request to update a JSON resource by replacing its existing content with new content.
Filter supporting URL path rewriting.
Create a UriPathRewriteFilter in a heap environment.
A Context which is created when a request has been routed.
Ease UriRouterContext construction.
Utility class for performing operations on universal resource identifiers.
Computes AM endpoint URIs, based on path normalizer, realm and a base Uri.
Provides support for a service login using a username/password.
Creates and initializes a UsernamePasswordServiceLogin in a heap environment.
Provide the UsernamePasswordServiceLogin's TypeDefinition.
Class containing user profile information.
Used by the UserProfileFilter to make the user's profile attributes available in the context.
Represents an exception thrown whilst performing UserProfileService operations.
This filter requests user profile attributes from Access Management and stores them in the context for later use.
Creates and initialises a UserProfileFilter in a heap environment.
The UserProfileService is responsible for requesting user profile attributes.
Creates and initializes a UserProfileService in a heap environment.
This class provides utility methods to share common behaviour.
Utility class.
Deprecated.
The validation context that will be passed among the different JWT constraints validations.
A set of credential pairs built from a ValidSecretsReference.
A long-lived reference to a number of secrets.
Utility methods to create Value instances related to IG.
A key used for verifying digital signatures.
Represents some version in the form majorNumber.minorNumber,
for instance 2.4.
Supports version with the following format: major[.minor[.micro]].
Describe a Violation, used for the JWT validation.
This annotation doesn't actually do anything, other than provide documentation of the fact that a function has
either been marked public, or package private in order for a test (somewhere physically distant in the system)
to compile.
WarningHeader entry.
Processes the Warning message header.
Basic websocket application interface facilitating different provider implementations.
A configuration holder to instantiate WebSocketAdapter.
Provider of WebSocket clients.
A provider capable of providing a Filter to manage WebSocket upgrade requests and subsequently manage the bi-directional communication from the client to the remote application.
A provider capable of providing a Filter to manage WebSocket upgrade requests and subsequently manage the bi-directional communication from the client to the remote application.
Creates a static response containing a simple HTML welcome page.
Creates and initializes a static response handler in a heap environment.
A Header representation of the WWW-Authenticate HTTP header.
A single WWW-Authenticate challenge.
Utilities for handling XEC keys for X25519 and X448 ECDH key agreement.
Processes the X-Forwarded-For message header.
This is a custom XML handler to load the DTDs from the classpath. This should be used by all the XML parsing document builders to set the default entity resolvers.
Utility classes for handling XML.
ContentEncryptionHandler
instead.