All Classes and Interfaces

The Abandon operation allows a client to request that the server abandon an uncompleted operation.
An abstract connection whose synchronous methods are implemented in terms of asynchronous methods.
An abstract connection whose synchronous methods are implemented in terms of asynchronous methods.
This class provides a skeletal implementation of the Attribute interface, to minimize the effort required to implement this interface.
This class provides a skeletal implementation of the Connection interface, to minimize the effort required to implement this interface.
An abstract base class from which connection wrappers may be easily implemented.
An abstract base class from which connection wrappers may be easily implemented.
A base implementation of the Context interface.
An abstract node implementation for nodes that result in a simple true-false outcome.
Provides a static set of outcomes for decision nodes.
Deprecated.
This class provides a skeletal implementation of the Entry interface, to minimize the effort required to implement this interface.
An abstract Extended request which can be used as the basis for implementing new Extended operations.
An abstract Extended result which can be used as the basis for implementing new Extended operations.
This class provides a skeletal implementation of the ExtendedResultDecoder interface, to minimize the effort required to implement this interface.
An abstract Intermediate response which can be used as the basis for implementing new Intermediate responses.
A base implementation for all JwtBuilders that provides the basis of the JWT builder methods.
A JASPI Session Module which creates a JWT when securing the response from a successful authentication and sets it as a Cookie on the response.
Base class for KBA stages.
Defines the common configurations for the KBA stages.
Abstract implementation for Map based entries.
A convenient base class for AmPlugins that provide authentication nodes.
This class implements a default ordering matching rule that matches normalized values in byte order.
Deprecated. RequestHandler now has default methods which implement the not-supported behavior.
Abstract class that implements the RequestVisitor interface.
An abstract base class for implementing routers.
An abstract SetCookieHeader class for SetCookieHeader and SetCookie2Header.
An abstract connection whose asynchronous methods are implemented in terms of synchronous methods.
Processes the Accept-API-Version message header.
A header class representing the Accept-Language HTTP header.
Models an OAuth2 access token.
The exception thrown when creating an OAuth2 token using the client credentials grant type.
Represents an exception whilst retrieving an OAuth2 access token.
Represents an OAuth2 Access Token.
A plugin (or extension point) that allows modification of the OAuth2 access token before the token is persisted/returned to the client.
Encapsulates all relevant data necessary to represent a request for a new access token.
Access token request builder.
Resolves a given token against a dedicated OAuth2 Identity Provider (OpenAM, Google, Facebook, ...).
Encapsulates the minted access token along with its contextual data.
Access token response builder.
A secret store that can obtain access tokens from an OAuth 2 provider.
Builder object for the access token secret store.
The access token service is responsible for serving OAuth2 access tokens, along with their contextual data, based on the request passed to it.
Implementations of this interface provide the means to search for and create users given a map of attributes.
This class is designed for the Action element in the SAML core assertion.
The Action element specifies an action on the specified resource for which permission is sought.
The Action element specifies information about the action requested in the Request context by listing a sequence of Attribute elements associated with the action.
Indicates a CREST action method on an annotated POJO.
Class that represents the Action operation type in the API descriptor.
Immutable container for the result of processing a node.
A Runnable functional interface which can throw a checked Exception.
Builder for the Action.
Builder class for creating the Action.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead, as Entitlement has replaced Policy.
The Action element specifies information about the action requested in the Request context by listing a sequence of Attribute elements associated with the action.
An implementation-specific action, or operation, upon a JSON resource.
Response object for JSON responses.
Declare an array of Action operations from a single method.
Annotation to define JSON Schema additionalProperties, which is useful when working with key/value JSON data structures.
The Add operation allows a client to request the addition of an entry into the Directory.
An address mask can be used to perform efficient comparisons against IP addresses to determine whether a particular IP address is in a given range.
This class is used to perform privileged operations using java.security.AccessController.doPrivileged() when using com.iplanet.am.util.AdminUtils to obtain the Administrator DN.
This class is used to perform privileged operations using AccessController.doPrivileged() when using com.iplanet.am.util.AdminUtils to obtain Administrator passwords.
Provides a centralised method for fetching an administrator token for operations where there is no user present.
This class contains methods to retrieve Top Level Administrator information.
The persistent search request control for Active Directory as defined by Microsoft.
The Advice element contains additional information that the issuer wishes to provide.
The Advice contains any additional information that the SAML authority wishes to provide.
The Advice element contains additional information that the issuer wishes to provide.
A Context containing information which should be returned to the user in some appropriate form.
WarningHeader implements RFC 2616 section 14.46 - Warning.
Provides JWE key encapsulation using the AES KeyWrap algorithm.
The interface for each possible algorithm that can be used to sign and/or encrypt a JWT.
The AMAuthCallBack interface should be implemented by external business logic code, in order to receive callbacks from the authentication framework when one of the following events happens: account lockout, password change (via the LDAP module).
The AMAuthCallBackException is used to specify an exception related to an authentication framework callback.
This class represents an Identity which needs to be managed by Access Manager.
The class AMIdentityRepository represents an object to access the repositories in which user/role/group and other identity data is configured.
An abstract class which implements the JAAS LoginModule; it provides methods to access OpenAM services and the module XML configuration.
This class contains utilities to encrypt and decrypt attribute values of password type.
Define an AM plugin.
The AMPostAuthProcessInterface interface needs to be implemented by services and applications to do post-authentication processing.
Interface for classes which send emails.
Describes a service as defined by an annotated interface.
A registry for all service configuration that is defined in annotated service interfaces.
The anonymous process service progresses a chain of ProgressStage configurations, handling any required client interactions.
Utility methods for hashing and normalising answers to KBA questions.
Class that represents the ApiDescription type in the API descriptor.
Builder for the ApiDescription.
Generates static AsciiDoc documentation for CREST API Descriptors.
Signals that an error occurred while generating API documentation.
Details of an error that could be returned.
Class that represents the ApiError type in the API descriptor.
Builder for the ApiError.
A producer of API Descriptions.
Signals that the API failed validation.
A Context which is created when a request has been routed based on resource API version.
OAuth 2.0 Client Implementation that supports Apple.
Configuration used for the AppleClient implementation.
Builder used to create an AppleClientConfiguration instance.
Utility methods to work with CHF Applications.
A utility class for dealing with CrestApplication instances.
Authenticates to Vault using the AppRole authentication backend to obtain a token that can be used for further operations.
This interface defines a method to get an application single sign-on token.
This class represents the Artifact element in the SAMLv2 protocol schema.
The ArtifactResolve message is used to request that a SAML protocol message be returned in an ArtifactResponse message by specifying an artifact that represents the SAML protocol message.
The ArtifactResponse message has the complex type ArtifactResponseType.
Root builder for AsciiDoc markup.
Signals that an error occurred while building AsciiDoc markup.
Enumeration of AsciiDoc markup symbols.
AsciiDoc table builder, which defers insertion of the table, at the end of the parent document, until AsciiDocTable.tableEnd() is called.
AsciiDoc table column-styles.
This class contains various static factory methods for creating ASN.1 readers and writers.
An interface for decoding ASN.1 elements from a data source.
Provides methods for building and analyzing ASN.1 tag bytes.
The ASN.1 tag classes.
An ASN.1 encoder writes ASN.1 elements to an internal byte buffer.
This object stands for the Assertion element.
The Assertion element is a package of information that supplies one or more Statements made by an issuer.
A compiled attribute value assertion.
This object stands for the Assertion element.
An Assertion is a package of information that supplies one or more Statements made by an issuer.
This is the factory class to obtain instances of the objects defined in the assertion schema.
Thrown when the result code returned in a Result indicates that the Request failed because the filter contained in an assertion control failed to match the target entry.
This class represents the AssertionIDRef element.
The AssertionIDReference element makes reference to a SAML assertion.
This class represents the AssertionIDRequestType complex type.
This interface AssertionIDRequestMapper is used by the assertion ID request service to process assertion ID requests.
This class provides methods to send or process AssertionIDRequest.
The assertion request control as defined in RFC 4528.
Attribute value assertion utilities.
An asynchronous Function which returns a result at some point in the future.
An asynchronous interface counterpart for the ServerAuthContext.
An asynchronous interface counterpart for the ServerAuthModule.
A session manager is responsible for creating/saving a new type of Session.
Atomic container for Throwables, including combining and having a terminal state via ExceptionHelper.
The Attribute element specifies an attribute of the assertion subject.
The Attribute element identifies an attribute by name and optionally includes its value(s).
The Attribute element specifies information about the action/subject/resource requested in the Request context by listing a sequence of Attribute elements associated with the action.
Indicates that a method describes a configuration attribute of an SMS service.
An attribute, comprising an attribute description and zero or more attribute values.
This interface AttributeAuthorityMapper is used by the attribute authority to process attribute queries.
Responsible for performing a specialised JSON compression based on the attribute name being stored in the JSON.
An attribute description as defined in RFC 4512 section 2.5.
The AttributeDesignator element identifies an attribute name within an attribute namespace.
A configurable factory for filtering the attributes exposed by an entry.
The Attribute element specifies information about the action/subject/resource requested in the Request context by listing a sequence of Attribute elements associated with the action.
Translates from a source to a map of attributes.
Defines the concerns of mapping attributes into SAML2 AttributeStatements.
A fluent API for parsing attributes as different types of object.
This class represents the AttributeQueryType complex type.
This class provides methods to send or process AttributeQuery.
This class contains methods for creating and manipulating attributes.
The class AttributeSchema provides methods to access the schema of a configuration parameter.
This enum ListOrder defines the list orders of schema attributes and provides constants for these list orders.
The class Syntax defines the syntax of the schema attributes and provides static constants for these types.
The class Type defines the types of schema attributes and provides static constants for these types.
The class UIType defines the UI types of schema attributes and provides static constants for these types.
An AttributesContext is a mechanism for transferring transient state between components when processing a single request.
The AttributeStatement element supplies a statement by the issuer that the specified subject is associated with the specified attributes.
The AttributeStatement element describes a statement by the SAML authority asserting that the assertion subject is associated with the specified attributes.
Defines the concerns of generating the AttributeStatement list to be included in the SAML2 assertion.
This class defines a data structure for storing and interacting with an attribute type, which contains information about the format of an attribute and the syntax and matching rules that should be used when interacting with it.
A fluent API for incrementally constructing an attribute type.
This enumeration defines the set of possible attribute usage values that may apply to an attribute type, as defined in RFC 2252.
The AudienceRestriction specifies that the assertion is addressed to one or more specific Audiences.
This is an implementation of the abstract Condition class, which specifies that the assertion this AuthenticationCondition is part of is addressed to one or more specific audiences.
Audit API interface for auditing the result of an authentication request.
Responsible for tracking the auditing of an authentication attempt, including auditing each of the modules that are executed and the overall result of the authentication.
The available types of authentication context comparison methods.
The AuthContext provides the implementation for authenticating users.
The class IndexType defines the possible kinds of "objects" or "resources" for which an authentication can be performed.
The class Status defines the possible authentication states during the login process.
The AuthContextLocal provides the implementation for authenticating users.
AsyncServerAuthContext implementations should implement this interface when the AsyncServerAuthContext has its own implementation of an AuthenticationState that it will be using to store and maintain state for a single request.
A JwtCryptographyHandler that ensures confidentiality and authenticity of data using authenticated encryption algorithms.
The AuthenticationException class is for handling the exception that is thrown when the user-entered tokens cause the authentication module to fail authentication.
A generic authentication exception which accepts a detail message and/or the cause.
Thrown when the result code returned in a Result indicates that the Bind Request failed due to an authentication failure.
An authentication exception which signifies that authentication of the request has failed and an appropriate unauthorized response should be returned to the client.
An HTTP Filter that will protect all downstream filters or handlers.
Builder class that configures an Authentication Framework instance.
Builder class that configures AsyncServerAuthModules and ServerAuthModules.
An authentication framework for protecting all types of resources.
Maintains state information and provides methods to retrieve values in a type-safe manner.
An exception that is thrown during AuthenticationState operations.
The AuthenticationStatement element supplies a statement by the issuer that its subject was authenticated by a particular means at a particular time.
Defines the concern of providing the AuthnStatement list to be included in the generated SAML2 assertion.
This class is for handling message localization in LoginException.
The AuthnContext element specifies the context of an authentication event.
This class represents the AuthnQueryType complex type.
This class provides methods to send or process AuthnQuery.
The AuthnRequest interface defines methods for properties required by an authentication request.
The AuthnStatement element describes a statement by the SAML authority asserting that the assertion subject was authenticated by a particular means at a particular time.
The AuthorityBinding element may be used to indicate to a relying party receiving an AuthenticationStatement that a SAML authority may be available to provide additional information about the subject of the statement.
The AuthorityKindType is an inner class defining constants representing the type of SAML protocol queries to which the authority described by this element will respond.
Provides a convenience layer on top of AuthorizationContext to simplify access to particular attributes in the authorisation context.
A handler that can send an authorization code and optional PKCE verifier to the token endpoint to receive an access token.
Context to use for authorization requests.
The AuthorizationDecisionStatement element supplies a statement by the issuer that the request for access by the specified subject to the specified resource has resulted in the specified decision on the basis of some optionally specified evidence.
The AuthorizationDecisionStatement element supplies a statement by the issuer that the request for access by the specified subject to the specified resource has resulted in the specified decision on the basis of some optionally specified evidence.
The DecisionType is an inner class defining constants for the type of Decisions that can be conveyed by an AuthorizationDecisionStatement.
Represents an exception whilst performing Authorization.
Thrown when the result code returned in a Result indicates that the Request failed due to an authorization failure.
This class contains methods for creating FilterChains to protect resources by performing authorization on each incoming request.
A header class representing the Authorization HTTP header.
A factory for creating AuthorizationHeader instances.
The authorization request control as defined in RFC 3829.
The authorization response control as defined in RFC 3829.
Represents the result of the authorization of a request.
A plugin (or extension point) that allows the OAuth2 provider to return additional data from an authorization request.
Deprecated.
An authentication password; it has a storage scheme, authentication info and authentication value.
Utility class providing utility methods for determining the meaning behind each of the different AuthStatus values.
The AuthzDecisionStatement element describes a statement by the SAML authority asserting that a request for access by the assertion subject to the specified resource has resulted in the specified authorization decision on the basis of some optionally specified evidence.
This interface defines the plug-in point for producing AuthzDecisionStatements.
An attribute value assertion (AVA) as defined in RFC 4512 section 2.3 consists of an attribute description with zero options and an attribute value.
Utility class to help with backpressure-related operations such as request aggregation.
An exception that is thrown during an operation on a resource when the requested operation is malformed.
This class provides methods for performing base64 encoding and decoding.
Provides RFC 4648 / RFC 2045 compatible Base64 encoding and decoding.
Makes use of the Base64 class to encode and decode to and from URL-safe Base64.
The BaseID is an extension point that allows applications to add new kinds of identifiers.
The BaseIDAbstract is an abstract type usable only as the base of a derived type.
Implementation of the OpenIdResolver interface.
A base implementation of QueryFilterVisitor where all methods throw an UnsupportedOperationException by default; override just the methods you need.
The interface ResourceName provides methods to determine the hierarchy of resource names.
A marker interface for types that provide secret store implementations.
A rich representation of basic credentials.
A rich representation of bearer credentials.
A BiFunction functional interface which can throw a checked Exception.
Utils to complement bit operations not covered by the BigInteger functions.
The class BinarySecurityToken provides an interface to parse and create the X.509 Security Token depicted by the Web Service Security: X.509 Certificate Token Profile and Liberty ID-WSF Security Mechanisms specifications.
The Bind operation allows authentication information to be exchanged between the client and server.
A Bind result indicates the status of the client's request for authentication.
This class can be used for filtering string elements by using blacklists and/or whitelists.
Responsible for defining the interface of the Token Blob Strategy.
General interface contract for implementations of Bloom Filters.
Generic Bloom Filter JMX monitoring.
Operations for monitoring and management of Bloom Filter implementations.
Factory methods for creating bloom filters with various requirements.
Builder for constructing and configuring Bloom Filter implementations.
Builder pattern for Rolling Bloom Filters, which are Scalable Bloom Filters whose elements can expire, allowing space to be reclaimed over time.
Builder pattern for Scalable Bloom Filters.
Provides a snapshot of the current statistics and configuration of a Bloom Filter implementation.
An input stream that can branch into separate input streams to perform divergent reads.
A dynamically growing data buffer.
An immutable sequence of bytes backed by a byte array.
A mutable sequence of bytes backed by a byte array.
An interface for iteratively reading data from a ByteString.
A CachingAccessTokenResolver is a delegating AccessTokenResolver that uses a write-through cache to enable fast AccessTokenInfo resolution.
The cancel extended request as defined in RFC 3909.
Thrown when the result code returned in a Result indicates that the Request was cancelled.
An object that registers to be notified when a cancellation request has been received and processing of the request should be aborted if possible.
Stage responsible for captcha-based security.
Configuration for the captcha stage.
An implementation of a map whose keys are case-insensitive strings.
An implementation of a set whose values are case-insensitive strings.
Generic interface for methods to verify that a caveat is satisfied.
This service provides operations for querying X509Certificates.
A key used for verifying certificate signatures.
Contains a chain of PropertyResolvers that should be used to get a token replacement property.
A request to modify the content of the Directory in some way.
An interface for reading change records from a data source, typically an LDIF file.
A visitor of ChangeRecords, in the style of the visitor design pattern.
An interface for writing change records to a data source, typically an LDIF file.
Indicates the type of change which occurred to a token, which can be understood at the CTS layer (above the data layer).
A CharsetDecoderFlowableTransformer decodes bytes from a stream of ByteBuffer into a stream of CharBuffer using the given Charset.
This interface defines what needs to be implemented for the OpenID Connect check session endpoint.
Deprecated. Will be replaced in a later release by Client.
Implementation of the Google Cloud API HttpTransport interface using CHF.
The abstract class ChoiceValues provides a mechanism for services to provide choice values for attributes dynamically instead of being statically defined in the service XML file stored in the directory.
Models an OpenID Connect claim that has been requested in an authorize request.
Deprecated. Use the Claim Builder to keep the Claim immutable.
Builder to keep the Claim immutable.
Models OpenID Connect claims that are requested in an authorize request.
An HTTP client which forwards requests to a wrapped Handler.
Client context gives easy access to client-related information that is available in the request.
Builder for creating ClientContext instances.
A grant type handler that can retrieve an access token using the client_credentials grant type.
Deprecated. Since 26.2.
A Filter implementation to add the credentials to the request body for authenticating as per the OAuth 2.0 Authorization Framework specification.
Common utility methods for Closeables.
AsyncFunction that silently closes an input parameter after a delegate function's AsyncFunction.apply(Object) is completed.
Function that silently closes an input parameter after a delegate function's Function.apply(Object) is invoked.
For extensibility of the RecoveryCodeGenerator.
Coercions that can be applied to a given JSON value.
A marker annotation to indicate that the annotated class should be interpreted as an annotated CREST collection provider resource.
An implementation interface for resource providers which exposes a collection of resource instances.
Commons ForgeRock API description.
Common API errors.
Constants class for defining fields for common state shared across stages.
The Compare operation allows a client to compare an assertion value with the values of a particular attribute in a particular entry in the Directory.
A Compare result indicates the final status of a Compare operation.
An Enum of the possible compression algorithms that can be applied to the JWE payload plaintext.
The interface for CompressionHandlers for all the different compression algorithms.
A service to get the appropriate CompressionHandler for a specified Compression algorithm.
Strategy that determines how thread-safety of bloom filters should be managed.
A thread-safe implementation of a Bloom Filter that can expand over time to accommodate arbitrary numbers of elements, while also allowing old elements to be deleted after they have expired.
Deprecated.
This is an abstract class which serves as an extension point for new conditions.
The Condition serves as an extension point for new conditions.
The ConditionAbstract is abstract and is thus usable as the base of a derived class.
Class to represent an EntitlementCondition evaluation match result and, if applicable, its advice.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead, as Entitlement has replaced Policy.
Builder to help construct decisions.
The result of a tri-state logical expression.
This Conditions is a set of Condition.
The Conditions defines the SAML constructs that place constraints on the acceptable use of SAML Assertions.
Implementations of this interface will be consulted to obtain the Conditions object included in generated SAML2 assertions.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead, as Entitlement has replaced Policy.
Indicates that an interface describes the configuration of an SMS service.
The types of visibility available for a service.
Represents an identity by which annotated service configuration may have its scope bounded.
The ConfigurationActionEvent class represents a Configuration event.
A ConfigurationException is thrown when there are errors related to service configuration operations.
ConfigurationInstance is the interface that provides the operations on service configuration.
The interface ConfigurationListener needs to be implemented by applications in order to receive component data change notifications.
Utility methods for config value retrieval.
An exception that is thrown during an operation on a resource when such an operation would result in a conflict.
Thrown when addition of a schema element to a schema builder fails because the OID of the schema element conflicts with an existing schema element and the caller explicitly requested not to override existing schema elements.
A client connection to a JSON resource provider over which read and update requests may be performed.
A connection with a Directory Server over which read and update operations may be performed.
A ConnectionChangeRecordWriter is a bridge from Connections to ChangeRecordWriters.
A ConnectionEntryReader is a bridge from Connections to EntryReaders.
A ConnectionEntryWriter is a bridge from Connections to EntryWriters.
An object that registers to be notified when a connection is closed by the application, receives an unsolicited notification, or experiences a fatal error.
Deprecated.
Thrown when the result code returned in a Result indicates that the Request was unsuccessful because of a connection failure.
A connection factory provides an interface for obtaining a connection to a JSON resource provider.
A connection factory provides an interface for obtaining a connection to a Directory Server.
Processes the Connection message header.
A connection pool which maintains a cache of client sockets with a configurable core pool size, maximum size, and expiration policy.
Statistics for a connection pool.
An object that registers to be notified when a connection pool grows or shrinks.
This class contains methods for creating and manipulating LDAP clients and connections.
Indicates whether LDAP client connections should use SSL or StartTLS.
The ConsentHeader class represents the Consent element defined in the SOAP binding schema.
An implementation of "consistent hashing" supporting per-partition weighting.
Thrown when the result code returned in a Result indicates that the update Request failed because it would have left the Directory in an inconsistent state.
A
Consumer
functional interface which can throw a checked Exception.Processes the
Content-API-Version
message header.Processes the
Content-Encoding
message header.Processes the
Content-Length
message header.Processes the
Content-Type
message header.Type-safe contextual information associated with the processing of a request in an application.
This is the factory class to obtain instances of the objects defined
in xacml context schema.
An interface for listener to generic changes from a remote source.
Interface for ensuring that continuous queries can be controlled once configured.
Interface for an object that listens to changes resulting from a continuous query.
Interface by which all ContinuousWatchers ensure similar operation.
Service for setting up ContinuousWatchers and ContinuousListeners.
Controls provide a mechanism whereby the semantics and arguments of existing
LDAP operations may be extended.
A factory interface for decoding a control as a control of specific type.
Utility class to resolve controls OID from aliases.
This class creates an API which bridges the differences between the Servlet 2.5 and 3.0 Cookie APIs, as the Servlet
2.5 API does not support HttpOnly cookies and provides no methods to create a HttpOnly cookie.
An HTTP cookie.
Indicates the SameSite
value of the cookie.
Processes the
Cookie
request message header.The OpenDJ SDK core schema contains standard LDAP RFC schema elements.
Provides a map of supported locale tags to OIDs.
Represents any configuration required for the Core Token Service.
Responsible for collecting together all constants used in the Core Token Service.
Base Core Token Service exception for all sub types.
CoreTokenField contains a mapping from the Java enumeration and the defined
attributes present in the LDAP Schema for the Core Token Service.
Provides the mapping between CoreTokenFields and the type of the value that is associated to
that field.
The CorrelationHeader class represents the Correlation element defined in the SOAP binding schema.
This filter implements the resource processing of the CORS protocol.
The CORS policy is responsible for handling both actual and preflight CORS requests and for setting the appropriate set of response headers based on its own configuration.
Builder for CorsPolicy instances.
A CorsPolicyProvider allows the CorsFilter to look up its configuration at runtime, also based on contextual information.
Enum that represents the Query supported count-policy.
An enum of count policy types.
Indicates a CREST create method on an annotated POJO.
Class that represents the Create Operation type in API descriptor.
Builder for the Create.
Enum that represents the Create modes.
A specific exception for when Create is not supported, but Upsert might be being attempted, to distinguish it from other BadRequestExceptions.
A request to create a new JSON resource.
Types of create that might be singletons.
Credential pair implementation.
This interface is used to parse the credentials component of an Authorization HTTP header.
An extension to the Jackson AnySchema that includes the custom CREST JSON Schema attributes.
An ApiProducer implementation for CREST resources, that provides ApiDescription descriptors.
Declare a CREST Application.
An extension to the Jackson ArraySchema that includes the custom CREST JSON Schema attributes.
A CrestAuthorizationModule authorizes client REST requests asynchronously.
An extension to the Jackson BooleanSchema that includes the custom CREST JSON Schema attributes.
A JsonSchemaFactory that returns the extension schema objects rather than the default Jackson implementations.
An extension to the Jackson ObjectSchema that includes the custom CREST JSON Schema attributes.
A SchemaFactoryWrapper that adds the extra CREST schema attributes once the Jackson schema generation has been completed.
Constants for Crypto Algorithms and Json Crypto Json pointer keys.
Base class for all secrets that are used as keys for cryptographic operations.
Cryptography Service for the user self service project.
A generic filter for preventing cross-site request forgery (CSRF) attacks when using cookie-based authentication.
Builder class for the CSRF filter.
CTSOptions are intended to provide guidance to the CTS as to how it should perform the requested
operation.
Persistent storage interface for the CTS (Core Token Service) provides callers with a generic way of storing and
retrieving objects.
A key that is used for decrypting confidential data.
A key that is used for encrypting confidential data.
This class DataEncryptor is used to encrypt the data with symmetric and asymmetric keys.
Base Data Layer exception for all sub types.
Interface which needs to be implemented to use with OAuthClient implementations.
Exception to be used when an error has occurred while interacting with the data store.
Interface used for storing & retrieving information.
This class is to handle DataStoreProvider related exceptions.
This is a singleton class used to manage DataStore providers.
Deprecated.
Use Logger instead.
The Decision element is a container of one or more Decisions issued by the policy decision point.
The Decision element is a container of one or more Decisions issued by the policy decision point.
The class is used to perform privileged operations with AccessController.doPrivileged() when using com.iplanet.services.util.Crypt to decode passwords.
Thrown when data from an input source cannot be decoded, perhaps due to the data being malformed in some way.
Decode options allow applications to control how requests and responses are
decoded.
Decodes an HTTP message entity input stream.
The class is used to perform privileged operation with AccessController.doPrivileged() when using com.iplanet.am.util.AMPasswordUtil to decrypt passwords.
Marker interface for all key types that can be used for decryption.
Annotation to define JSON Schema property's default-value, represented as a String.
A purpose that can fall back to a default secret ID if the first, more specific, secret ID could not be found in the secrets provider.
Default implementation for SessionPropertyUpgrader. This class basically just lets the session upgrade copy every single property into the new session.
The abstract class DefaultValues provides a mechanism for services to obtain their default values dynamically instead of being statically defined in the service XML file stored in the directory.
The default routing behaviour to use when no Accept-API-Version is set on the request.
Class that represents API descriptor Schema definitions.
Builder to help construct the Definitions.
An implementation of the CompressionHandler for DEFLATE Compressed Data Format Specification.
A route matcher that delegates to a provided route matcher.
Indicates a CREST delete method on an annotated POJO.
Class that represents the Delete operation type in API descriptor.
Builder for the Delete.
Represents a failure to delete a Token from the Core Token Service.
A request to delete a JSON resource.
The Delete operation allows a client to request the removal of an entry from
the Directory.
A deployment ID, together with its password, facilitates the generation of the cryptographic keys required to
protect a deployment, such as a root CA key-pair for SSL/TLS and a master key-pair for protecting symmetric keys
used for data encryption.
The deployment ID information to be displayed by the deployment ID tool.
A Search operation alias dereferencing policy as defined in RFC 4511 section
4.5.1.3 is used to indicate whether alias entries (as defined in RFC 4512)
are to be dereferenced during stages of a Search operation.
Utility methods for reading and writing DER-encoded values.
A routing component (a CHF Handler or CREST RequestHandler) can describe its API by implementing this interface.
Interface for listener instances.
A handler that both handles Requests, and also supports querying for API Descriptors.
An HttpApplication that produces OpenAPI API Descriptors.
Version of SynchronousRequestHandlerAdapter that exposes a described handler.
Annotation to define JSON Schema property's description.
Supports direct encryption using a shared symmetric key.
Represents the name/value pair of an HTTP header directive.
High-level interface to the WatchService API for detecting filesystem change events.
This class defines a DIT content rule, which defines the set of allowed, required, and prohibited attributes for entries with a given structural objectclass, and also indicates which auxiliary classes may be included in the entry.
A fluent API for incrementally constructing DIT content rules.
This class defines a DIT structure rule, which is used to indicate the types
of children that entries may have.
A fluent API for incrementally constructing DIT structure rules.
A distinguished name (DN) as defined in RFC 4512 section 2.3 is the
concatenation of its relative distinguished name (RDN) and its immediate
superior's DN.
Validates domain.
This is an implementation of the abstract Condition class, which specifies that the assertion this DoNotCacheCondition is part of is the new element in SAML 1.1 that allows an assertion party to express that an assertion should not be cached by the relying party for future use.
Deprecated.
A CREST CollectionResourceProvider that adds queryFilter, field filtering, sorting abilities, and paging
to the dropwizard json metrics data.
An exception that is used when trying to merge multiple descriptors but a duplicate is detected.
Represents a duration in english.
Marks an attribute as being dynamic.
Implements Elliptic Curve Diffie-Hellman (ECDH) key agreement in ephemeral-static (ECDH-ES) mode.
Deprecated.
Use SecretECDSASigningHandler instead.
This class implements an Elliptical Curve Json Web Key storage and manipulation class.
EC JWK builder.
This is the factory class to obtain object instances for concrete elements in
the ecp schema.
The ECPRelayState interface defines methods for properties required by an ECP RelayState.
The ECPRequest interface defines methods for properties required by an ECP request.
The ECPResponse interface defines methods for properties required by an ECP response.
Deprecated.
Use SecretEdDSASigningHandler instead.
Encapsulates common functionality for JWKs that represent elliptic curve keys: EcJWK and OkpJWK.
Configuration for the email based user name retrieval stage.
Stage is responsible for retrieving the user name.
Simple whitelisting interface to enforce one-time use for email verification codes.
An empty subscription that does nothing other than validates the request amount.
The class is used to perform privileged operation with AccessController.doPrivileged() when using com.iplanet.services.util.Crypt to encode passwords.
The class is used to perform privileged operation with AccessController.doPrivileged() when using com.iplanet.am.util.AMPasswordUtil to encrypt passwords.
The EncryptedAssertion represents an assertion in encrypted fashion, as defined by the XML Encryption Syntax and Processing specification [XMLEnc].
The EncryptedAttribute element represents a SAML attribute in encrypted fashion.
The EncryptedElement carries the content of an unencrypted identifier in encrypted fashion.
The EncryptedID carries the content of an unencrypted identifier in encrypted fashion.
A JWE implementation of the Jwt interface.
An implementation of a JwtBuilder that can build a JWT and encrypt it, resulting in an EncryptedJwt object.
A resolver capable of verifying encrypted ID tokens.
Factory class responsible for creating EncryptedOpenIdResolver instances.
A Filter implementation to add the client credentials to the request as a signed then encrypted private key JWT, as per the OpenID Connect Client Authentication specification.
Builder class for creating the Encrypted PrivateKey Jwt ClientAuthentication Filter.
An implementation of a JWS with a nested JWE as its payload.
An implementation of a JwtBuilder that can build a JWT and encrypt it and nest it within another signed JWT, resulting in a SignedEncryptedJwt object.
An implementation of a JWS Header builder that provides a fluent builder pattern to create JWS headers for
signed encrypted JWTs.
The interface for EncryptionHandlers for all the different encryption algorithms.
Marker interface for all key types that can be used for encryption.
A service to get the appropriate EncryptionHandler for a specified Java Cryptographic encryption algorithm.
An Enum of the possible encryption methods that can be used when encrypting a JWT.
Encapsulates a Strategy to decide if a Privilege applies to a given request.
Entitlement related exception.
Service provider interface for registering custom entitlement conditions and subjects.
Provides methods for discovering and loading entitlements conditions and subject implementations.
Encapsulates a Strategy to decide if a Privilege applies to a given Subject.
Message content.
This class contains methods for creating and manipulating entries.
Defines the available strategy to compute changes.
An Entry which implements the null object pattern.
Defines the available strategy to generate changes.
An entry, comprising of a distinguished name and zero or more attributes.
The entry change notification response control as defined in
draft-ietf-ldapext-psearch.
A template driven entry generator, as used by the makeldif tool.
Thrown when the result code returned in a Result indicates that the Request
failed because the target entry was not found by the Directory Server.
An interface for reading entries from a data source, typically an LDIF file.
An interface for writing entries to a data source, typically an LDIF file.
Annotation to provide a title for a given enum value.
Provides an EnumValueOfHelper.valueOf(String) method as a replacement for the implicitly declared enum function valueOf(String), which has the advantage of not throwing exceptions when the name argument is null or cannot be found in the enum's values.
The Environment element contains information about the environment of the Request context by listing a sequence of Attribute elements associated with the environment.
The Environment element specifies information about the environment requested in the Request context by listing a sequence of Attribute elements associated with the environment.
A property accessor that allows access to environment variables.
Class that represents API descriptor ApiError errors.
Builder to help construct the Errors.
Describes an ETag for a given Token.
The class evaluates an entitlement request and provides decisions.
Exception that occurs while setting an event request or when triggering the "entryChanged()" method after persistent search results are received from the Directory Server.
The EventService is responsible for listening to and dispatching to listening objects
messages returning from persistent searches running in an underlying LDAP implementation.
The Evidence element specifies an assertion either by reference or by value.
The Evidence element contains one or more assertions or assertion references that the SAML authority relied on in issuing the authorization decision.
The Evidence element specifies an assertion either by reference or by value.
This annotation marks AM APIs that are continuing to evolve and so should be expected to change, potentially in backwards-incompatible ways even in a minor release.
This annotation marks AM APIs that are continuing to evolve and so should be expected to change, potentially in
backwards-incompatible ways even in a minor release.
Specify an example value for the JSON schema.
An annotation to specify an example value for the attribute.
A completion handler for consuming exceptions which occur during the execution of
asynchronous tasks.
Responsible for generating ExecutorService instances which are automatically
wired up to shutdown when the ShutdownListener event triggers.
An exception generated by a TokenHandler on extraction when the token is expired.
Strategy pattern for determining when elements added to a ConcurrentRollingBloomFilter should expire.
The Extended operation allows additional operations to be defined for services not already available in the protocol; for example, to implement an operation which installs transport layer security (see StartTlsExtendedRequest).
A factory interface for decoding a generic extended request as an extended request of specific type.
An Extended result indicates the status of an Extended operation and any
additional information associated with the Extended operation, including the
optional response name and value.
A factory interface for decoding a generic extended result as an extended
result of specific type.
The interface Extensions defines methods for adding protocol message extension elements.
A service provider interface for externalizing the strategy used for wrapping individual private/secret keys.
A representation of the external HTTP request in the current tree authentication context.
A builder for ExternalRequestContext instances.
OAuth 2.0 Client Implementation that supports Facebook.
Configuration used for Facebook Client Implementation.
Builder used to create FacebookClientConfiguration instance.
A factory interface.
Wraps an existing InputStream, supporting a failed state that is checked before and after each operation.
Unable to load the JWK/x5u location points.
An AsyncServerAuthContext which manages a List of AsyncServerAuthModules that are in a desired order of preference for authenticating incoming request messages.
A cryptography handler that tries multiple JwtCryptographyHandlers in turn for decryption.
Deprecated, for removal: This API element is subject to removal in a future version.
Since AM 7.3.0. Implement use-case specific FedletAdapter implementations instead.
The FedletAdapterPlugin abstract class provides methods that could be extended to perform user specific logic during SAMLv2 protocol processing on the Service Provider side.
This interface defines a field storage scheme.
A BranchingInputStream for reading from files.
A SecretStore that reads secrets from a directory with the expectation that each file contains a separate secret.
A builder for more fluently creating a FileSystemSecretStore.
Filters the request and/or response of an HTTP exchange.
An interface for implementing request handler filters.
A search filter as defined in RFC 4511.
This enumeration defines the set of possible filter types that may be used for search filters.
A chain of filters terminated by a target request handler.
A condition which controls whether or not a filter will be invoked.
Utility methods for creating common types of filters.
This class contains methods for creating various kinds of Filter and FilterConditions.
Deprecated.
This class is currently only used in conjunction with the PropertyResolverSecretStore and this pairing is deprecated.
Decodes an HTTP message entity flow.
An exception that is thrown when access to a resource is forbidden during an operation on a resource.
Represents forgotten password console configuration.
Builder for ForgottenPasswordConsoleConfig.
Represents forgotten username console configuration.
Builder for ForgottenUsernameConsoleConfig.
Form fields, a case-sensitive multi-string-valued map.
Annotation to mark a JSON Schema property's format field.
A Header representation of the Forwarded HTTP header.
This class represents a request's hop detail.
A synchronous function which returns a result immediately.
Common Function implementations which may be used when parsing attributes.
An LDAP generalized time as defined in RFC 4517.
A generic control which can be used to represent arbitrary raw request and
response controls.
A generic Extended request which should be used for unsupported extended
operations.
A Generic Extended result indicates the final status of a Generic Extended operation.
An undecoded HTTP message header.
A Generic Intermediate response provides a mechanism for communicating
unrecognized or unsupported Intermediate responses to the client.
Validation of Open ID Connect JWTs via verification of their internals (issuer, audience, signature, etc.).
A generic secret represented as an opaque blob of bytes, such as a password or API key.
This interface contains methods for the GetComplete Element in the SAMLv2 Protocol Schema.
A partial implementation of the get effective rights request control as defined in draft-ietf-ldapext-acl-model.
This interface identifies the ServiceComponentConfig as containing configuration that is applied globally.
A Cipher implementation using Google KMS symmetric encryption/decryption.
A SecretPropertyFormat for the PropertyResolverSecretStore that can decrypt secrets using a Google KMS decryption key.
Abstract base class for keys stored in Google KMS.
Represents a private key stored in the Google Cloud Platform Key Management Service.
Provides implementations of Java Cryptography Architecture primitives that use the Google Cloud Platform Key
Management Service.
A cipher implementation for RSA-OAEP based on Google Cloud KMS.
A symmetric secret key stored in Google KMS.
A secret store that can provide cryptographic keys based on the Google Cloud Platform Key Management Service.
Builder class for GoogleKmsSecretStore.
Implementation of the Java Signature SPI that delegates signature operations to the Google Cloud Platform Key Management Service.
Implements generic RSA-PSS signing.
Implements signing with the SHA-256 message digest.
Implements signing with the SHA-384 message digest.
Implements signing with the SHA-512 message digest.
A secret store that can read secrets directly from Google Secret Manager.
A builder class for configuring an instance of the GoogleSecretManagerSecretStore.
Provides support for fetching secrets from Google Secret Manager.
Identifies the OAuth2 Authorization Grant (aka OAuth2 Flow) undertaken to obtain an OAuth2 token.
Abstract base class for OAuth 2 grant type handlers for calling the token endpoint.
This class implements a parser for strings which are encoded using the
Generic String Encoding Rules (GSER) defined in RFC 3641.
Details of a handler.
Utility methods for creating common types of handlers.
This visitor detects if there is any token/placeholder inside the given Template.
An HTTP message header.
Creates instances of Header classes from String representation.
Message headers, a case-insensitive multiple-value map.
Utility class for processing values in HTTP header fields.
A RestRouteProvider that adds routes for the AM health check endpoints.
Guice module for binding together AM health services and endpoints.
Routines for encoding and decoding binary data in hexadecimal format.
Implements the HKDF key derivation function to allow a single input key to be expanded into multiple component keys.
A secret key designed to be used as the master key for HKDF key generation.
Deprecated.
Use SecretHmacSigningHandler instead.
A loader for the KeyStoreSecretStore that knows how to load standard PKCS#11 Hardware Security Module (HSM) providers on our supported platforms.
Configuration class to configure the HttpApplication instance.
An exception that is thrown during Http Application start up when the start up of the application fails.
HttpCallback class implements Callback and is used by the authentication module with HTTP protocol based handshaking negotiation.
Callback handler for the JASPI runtime.
An SPI interface for HTTP Client implementations.
An HTTP client for sending requests to remote servers.
SSL host name verification policies.
Encapsulates the details of the proxy if one is required when making outgoing requests.
A provider interface for obtaining HttpClient instances.
Models the request that a script can send over an HttpClient.
Models a cookie which can be added to an HttpClientRequest.
Factory provided to hide implementation details from the scripting module.
Models the response that a script can receive from sending an HttpClientRequest over an HttpClient.
An Exception thrown by the HttpClientScriptWrapper which can be used for logging purposes in scripts.
A wrapper class to simplify sending HTTP requests in scripts.
The I18n class provides methods for applications and services to internationalize their messages.
Annotate the choice value enum constant for an Attribute with an i18nKey value property.
Deprecated.
Indicates that a method returns the identifier of a configuration set of a multiple-configuration SMS service.
QueryResourceHandler that searches for a specific identifier value.
Models an identity.
Service informs the caller of an identity's active status.
Exception that represents an error on looking up an identity's active status.
This interface identifies the ServiceComponentConfig as containing configuration that is applied to an identity.
Exception encapsulates an error from trying to interact with an underlying identity.
Factory that helps with the creation of Identity instances.
Exception that signifies that the requested identity was not found.
An identity service that allows performing updates to Identity instances.
A builder which allows several changes to the attributes to be combined into a single update operation per attribute type.
Interface for initializing Identity services.
Represents an identity store in which user/role/group and other identity data is
configured.
Factory for creating IdentityStore instances.
Represents the event listener interface that consumers of this API should implement and register with the IdentityStore to receive notifications.
Defines the contract to generate globally unique identifiers.
Default implementation of the IdGenerator that will output some ids based on the following pattern: <uuid> + '-' + an incrementing sequence.
A class providing an "openidm" object in JS scripts running within AM, which calls CRUDPAQ endpoints of the configured IDM instance.
The class IdOperation defines the types of operations supported on managed identities, and provides static constants for these operations.
The interface IDPAccountMapper is used to map the local identities to the SAML protocol objects and also vice versa for some of the protocols for e.g.
The interface IDPAccountMapper is used to map the local identities to the SAML protocol objects and also vice versa for some of the protocols for e.g.
This interface IDPAdapter is used to perform specific tasks in the IdP.
Provides helper functions for IDP Adapter Script Implementations.
This interface IDPAttributeMapper is used to map the authenticated user configured attributes to SAML Attributes so that the SAML framework may insert this attribute information as SAML AttributeStatements in a SAML Assertion.
This interface IDPAttributeMapper is used to map the authenticated user configured attributes to SAML Attributes so that the SAML framework may insert this attribute information as SAML AttributeStatements in a SAML Assertion.
This class exposes methods that are only intended to be used by IDP Attribute Mapper script types.
The interface IDPAuthenticationMethodMapper creates an IDPAuthenticationTypeInfo based on the RequestAuthnContext from the AuthnRequest sent by a Service Provider and the AuthnContext configuration at the IDP entity config.
The class IDPAuthenticationTypeInfo consists of the mapping between AuthenticationType and the actual authentication mechanism at the Identity Provider.
The class IDPAuthnContextInfo consists of the mapping between AuthnContextClassRef and the actual authentication mechanism at the Identity Provider.
The interface IDPAuthnContextMapper creates an IDPAuthnContextInfo based on the RequestAuthnContext from the AuthnRequest sent by a Service Provider and the AuthnContext configuration at the IDP entity config.
This interface IDPECPSessionMapper is used to find a valid session from the HTTP servlet request on the IDP with the ECP profile.
This interface defines methods to set/retrieve single identity provider information trusted by the request issuer to authenticate the presenter.
This interface IDPFinder is used to find a list of preferred Identity Authenticating providers to service the authentication request.
This interface specifies the identity providers trusted by the requester to authenticate the presenter.
This interface defines the methods which need to be implemented by plugins.
Indicates that an interface describes the configuration of an Identity Repository.
An exception type thrown when an IdRepo is asked to create an object with a name that is already used.
Class representing error codes for different error states.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
Factory interface for creating instances of IdRepo.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
Provides methods that can be called by IdRepo plugins to notify change events.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
This is a helper class which is used in the IdentityStore search method.
This is a helper class which can be used in conjunction with the IdSearchControl class to make simple modifications to the basic search performed by each plugin.
This class IdSearchResults is used to obtain the search results.
The purpose of this interface is to allow classes that implement this interface to listen to Directory Server Events.
The class IdType defines the types of supported identities, and provides static constants for these identities.
Allows performing operations related to IdType.
The class defines some static utilities used by other components like policy and auth.
Deprecated.
Exception that represents an unknown stage tag.
An exception which is thrown when two incompatible RouteMatch instances are attempted to be compared.
Interface of an object that can be indexed with a unique key.
This class is registered with a Backend and it provides callbacks
for indexing attribute values.
Contains options indicating how indexing must be performed.
A factory for creating arbitrarily complex index queries.
All the SAML federation plugins that need to be initialized should extend this.
This class provides utility methods for converting Java Date objects into and from IntDates.
An Intermediate response provides a general mechanism for defining
single-request/multiple-response operations.
A completion handler for consuming intermediate responses returned from
extended operations, or other operations for which an appropriate control was
sent.
An exception that is thrown during an operation on a resource when the server
encountered an unexpected condition which prevented it from fulfilling the
request.
An OAuth 2.0 token abstraction for introspection.
The InvalidAttributeNameException is thrown to indicate that an invalid attribute name was used.
Invalid audience.
Exception thrown if a name of an object such as policy, rule or referral has an invalid format.
Invalid issuer.
Represents an exception that occurs when a JWT is determined as invalid.
Invalid JWT.
Exception thrown if a name of an object such as policy, rule or referral is invalid.
Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).
Exception to be used when an OAuth Request cannot be handled due to known causes.
Exception that is thrown when the user-entered password token causes authentication in the authentication module to fail.
Represents a request which has been received and decoded but is invalid according to the LDAP standard because of
an invalid DN syntax or an invalid attribute syntax.
Thrown when the request is missing any required parameters or is otherwise malformed.
Invalid signature.
An exception generated by a TokenHandler on validation or extraction when the token is invalid.
Utility class that can stream to and from streams.
This node handles the authentication of things.
Defines the possible outcomes from this node.
Configuration for the node.
The JWT authentication method used to verify the JWT presented for authentication.
The IotGuiceModule handles all the Guice dependency injections to allow the plugin to be operational within AM.
Installs the IoT authentication nodes and services.
This node handles the registration of things.
Configuration for the node.
The JWT registration method used to verify the JWT presented for registration.
Defines the possible outcomes from this node.
IotRestRouteProvider adds the IoT routes to the CREST router.
This provider exposes the secret IDs used by the IoT component to the SecretIdRegistry.
Service interface for configuring the IoT Service.
Realm config interface holding the config for the IoT service attributes.
This class ISSecurityPermission is used to protect the Access Manager resources which should be accessed only by trusted applications.
The Issuer provides information about the issuer of a SAML assertion or protocol message.
Comparators for comparing "issuer" values.
Class that represents the Items type in API descriptor.
Builder to help construct the Items.
Deprecated.
Some utilities for dealing with Jackson schemas.
Adapter class implementing methods that adapt to and from JASPI interfaces to be able to
inter-op with pure JASPI implementations.
A TokenAdapter that can adapt Java bean-compliant POJOs that have been annotated with the annotations in
org.forgerock.openam.tokens.
Factory interface for Guice
JavaBeanAdapter
instances.Set of
SecretConstraint
s for filtering Secrets.Provides read and write JSON capabilities.
Jackson Module that uses a mixin to make sure that a
JsonValue
instance is
serialized using its #getObject()
value only.Jackson Module that adds a serializer for
LocalizableString
.Convenience class for constructing a set of JSON-based 1st-party caveats for use with
Macaroon.addFirstPartyCaveat(JsonValue)
.Implements caveats that are structured as JSON objects.
Represents a JSON
$crypto
object.An exception that is thrown during JSON cryptographic operations.
An exception that is thrown during JSON cryptographic operations.
Create a new JsonValue by applying a decryptor.
Decrypts an encrypted JSON value.
Create a new JsonValue by applying an encryptor.
Encrypts a JSON value.
An exception that is thrown during JSON operations.
Processes partial modifications to JSON values.
RFC6902 expects the patch value to be a predetermined, static value to be used in the
patch operation's execution.
Identifies a specific value within a JSON structure.
Responsible for serialising and deserialising objects to and from JSON.
Represents a value in a JSON object model structure.
An exception that is thrown during JSON value operations.
A QueryFilterVisitor that returns true if the provided JsonValue meets the criteria of the QueryFilter assertions and false if it does not.
This class contains the utility functions to convert a JsonValue to another type.
This class contains the utility functions to convert a JsonValue to CREST (json-resource) types.
A utility that traverses a JsonValue and does property substitution as well as type coercion.
The specification for a coercion function.
Builder to create a JsonValuePropertyEvaluator.CoercionFunctionSpec.
A configuration property resolver that uses a JsonValue to resolve properties.
An Enum of the possible encryption algorithms that can be used to encrypt a JWT.
An Enum of the possible types of JWE algorithms that can be used to encrypt a JWT.
Represents an exception for when compression/decompression of the plaintext fails.
This exception entirely duplicates JweDecryptionException except that it is a checked exception so that it can be used with a Promise.
Represents an exception for when decryption of the JWE fails.
This class represents the result from the encryption process of the JWT plaintext.
Represents an exception for when encryption of the JWE fails.
Represents a generic exception for JWE operations.
An implementation for the JWE Header parameters.
An implementation of a JWE Header builder that provides a fluent builder pattern to create JWE headers.
An Enum for the additional JWE Header parameter names.
The abstract base class for the 3 implementations of JWK.
JWK builder.
Exports keys in JSON Web Key (JWK) format.
Helper class to look up and return the keys from specific JWK implementation
algorithm types.
This class exists to allow Open Id Providers to supply or promote a JWK exposure point for
their public keys.
Decodes a JSON Web Key (JWK) as a secret.
Holds a Set of JWKs.
Provides methods to gather a JWKSet from a URL and return
a map of key ids to keys as dictated by that JWKS.
A secret store that loads cryptographic keys from a local or remote JWKSet.
Stores JWKs into a JWKSet loaded from a JWKS URI and refreshes the JWKSet when necessary.
Manages the JWKS stores, to avoid unnecessarily having more than one JWKS store for the same JWKS URI.
A base implementation class for a JSON Web object.
An Enum of the possible signing algorithms that can be used to sign a JWT.
An Enum of the possible types of JWS algorithms that can be used to sign a JWT.
Represents a generic exception for JWS operations.
An implementation for the JWS Header parameters.
An implementation of a JWS Header builder that provides a fluent builder pattern to create JWS headers.
An Enum for the JWS Header parameter names.
Represents an exception for when signing of the JWS fails.
Represents an exception for when verification of the JWS signature fails.
The interface for all types of JSON Web Tokens (JWTs).
A wrapper class to support the generation of JWT assertions within scripts.
A secret store that authenticates to Vault using a JWT.
Implements the JWT bearer assertion grant type.
The base interface for all JwtBuilders for each type of JWT (plaintext, signed or encrypted).
Represents an exception that occurs when creating/rebuilding JWTs.
A factory for getting builders for plaintext, signed and encrypted JWTs and reconstructing JWT strings back into
their relevant JWT objects.
An implementation that holds a JWT's Claims Set.
An implementation of a JWT Claims Set builder that provides a fluent builder pattern to creating JWT Claims Sets.
An Enum for the JWT Claims Set names.
An abstraction of the cryptographic operations that the JWT session modules will need to do to create and read JWTs.
Expired JWT.
A base implementation class for JWT Headers.
A base implementation of a JWT header builder that provides a fluent builder pattern to creating JWT headers.
An Enum for the JWT Header parameter names.
A service that provides a method for reconstructing a JWT string back into its relevant JWT object (SignedJwt, EncryptedJwt, SignedThenEncryptedJwt, EncryptedThenSignedJwt).
Represents an exception that occurs when reconstructing JWTs.
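Reconstruction of a compact JWT string and verification of a JWS signature, as an added example that is not part of this index or of the ForgeRock commons library. It uses only the Python standard library, fixes HS256 with a shared key as an assumption, and fakes the four non-header segments of the JWE because it does not implement encryption. The segment count (3 for a JWS, 5 for a JWE) and the cty header decide which of the four JWT objects listed above a token reconstructs to; the verifier pins the algorithm before checking the tag, which is the check a practitioner wants against alg=none and key-confusion tokens.

```python
import base64
import hashlib
import hmac
import json

# Assumed for the example: signed tokens use HS256 with a shared key. The
# structure checks (segment count, cty) are algorithm-independent.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_header(token: str) -> dict:
    """Parse the (still unverified) protected header of a compact JWS/JWE."""
    return json.loads(b64url_decode(token.split(".")[0]))


def classify_jwt(token: str) -> str:
    """Decide which object a compact token reconstructs to.

    RFC 7515/7516: a JWS has 3 dot-separated segments, a JWE has 5.
    RFC 7519 section 5.2: a 'cty' header of 'JWT' marks a nested JWT.
    """
    segments = token.count(".") + 1
    if segments == 3:
        outer = "SignedJwt"
    elif segments == 5:
        outer = "EncryptedJwt"
    else:
        raise ValueError("not a compact JWS or JWE (%d segments)" % segments)
    nested = str(jwt_header(token).get("cty", "")).upper() == "JWT"
    if not nested:
        return outer
    # The inner token is the other kind: a JWE wrapping a JWS is
    # "signed then encrypted"; a JWS wrapping a JWE is the reverse.
    return "SignedThenEncryptedJwt" if outer == "EncryptedJwt" else "EncryptedThenSignedJwt"


def hs256_sign(claims: dict, key: bytes, extra_header=None) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    header.update(extra_header or {})
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def hs256_verify(token: str, key: bytes) -> dict:
    """Return the claims of a valid HS256 JWS; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the token must never choose it (alg=none, HS/RS confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(parts[1]))


def is_valid_hs256(token: str, key: bytes) -> bool:
    try:
        hs256_verify(token, key)
        return True
    except ValueError:
        return False


# Constructed sample data (not from any real deployment).
KEY = b"constructed-example-key-do-not-reuse"
SIGNED = hs256_sign({"sub": "alice", "iss": "https://am.example.test"}, KEY)
# Stand-in JWE: the header says it wraps a JWT; the other segments are
# placeholders because this example does not implement encryption.
FAKE_JWE = ".".join([
    b64url_encode(b'{"alg":"dir","enc":"A256GCM","cty":"JWT"}'),
    "", b64url_encode(b"iv"), b64url_encode(b"ciphertext"), b64url_encode(b"tag"),
])
# An unsigned token that a naive verifier would accept.
ALG_NONE = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(b'{"sub":"mallory"}') + "."

if __name__ == "__main__":
    print(classify_jwt(SIGNED), classify_jwt(FAKE_JWE))
    print(hs256_verify(SIGNED, KEY))
    print(is_valid_hs256(ALG_NONE, KEY))
```

Note that classify_jwt only inspects structure; it never trusts the header beyond cty, and the actual verification still has to start from the expected algorithm and key, not from what the token announces.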
Enum denoting how the request parameter jwt is to be sent to the OIDC provider.
Represents a generic exception for JWT operations.
A base implementation for the common security header parameters shared by the JWS and JWE headers.
A base implementation of a JWT header builder, for the common security header parameters shared by the JWS and JWE
headers, that provides a fluent builder pattern to creating JWT headers.
A JASPI CHF Session Module which creates a JWT when securing the response from a successful authentication
and sets it as a Cookie on the response.
Deprecated. Prefer SecretsJwtTokenHandler instead.
Configuration for a JwtTokenHandler.
An Enum for the possible types of JWTs.
A wrapper class to support the validation of JWTs within scripts.
Represents a single KBA question in various Locales.
A key that is used in a key-agreement protocol (such as Diffie-Hellman) to agree another key.
A key that is used to decrypt (or "unwrap") other keys that have been encrypted with a KeyEncryptionKey.
A key that is used to encrypt ("wrap") other keys.
A format that can be used for exporting key material.
Exports a key in the PEM (Privacy Enhanced Mail) format.
Exports the raw key.
The KeyInfoConfirmationData constrains a SubjectConfirmationData element to contain one or more ds:KeyInfo elements that identify cryptographic keys that are used in some way to authenticate an attesting entity.
This class contains methods for creating common types of key manager.
Represents the Possible key operations values.
The class KeyProvider is an interface that is implemented to retrieve X509Certificates and Private Keys from the user data store.
An abstraction of initialising a keystore-based BaseSecretStoreProvider.
Builder class for loading key stores.
Deprecated. The AuthenticatedEncryptionCryptographyHandler should be preferred.
This interface allows customization of the key ID values associated with public keys stored in KeyStoreSecretStores.
A class that manages a Java Key Store and has methods for extracting out public/private keys and certificates.
Represents an exception from an operation using the KeyStoreManager class.
A service provider interface for implementing key store caches.
The parameters which configure how the LDAP key store will be accessed.
A secret store for cryptographic keys based on a standard Java KeyStore.
Specifies an alias with its validity for use in the store.
Permits retrieval of the list of usable AliasSpecs of a specific KeyStore.
Aggregates multiple AliasSpecProviders results to serve the list of AliasSpec for a KeyStore.
Serves a matching subset of the aliases present in a KeyStore based on a predicate.
An interface to allow the consuming application to provide the stable ID for the secret.
Serves a static list of AliasSpecs, without looking at the real content of a KeyStore.
Enum representing the possible KeyTypes.
Indicates the type of key.
Indicates the allowed usages for a particular key.
Represents the supported KeyUse values.
Utility methods for interacting with lambdas that throw exceptions.
A list with lazy initialization.
A map with lazy initialization.
A Supplier that lazily computes a value the first time it is accessed and then caches the result to return on subsequent requests.
This class contains various static utility methods for encoding and decoding LDAP protocol elements.
An LDAP client provides an interface for obtaining a connection to a Directory Server.
This class contains methods for creating and manipulating LDAP clients and connections.
A connection with a Directory Server over which read and update operations may be performed.
A factory class which can be used to obtain connections to an LDAP Directory Server.
Thrown when the result code returned in a Result indicates that the Request
was unsuccessful.
Encapsulates a ProtocolOp with LDAP specific message information.
A handle which can be used to retrieve the Result of an asynchronous Request.
Reads LDAP messages from an underlying ASN.1 reader.
A completion handler for consuming the result of an asynchronous operation or
connection attempts.
An LDAP server connection listener which waits for LDAP connection requests to come in over the network and binds
them to a server connection created using the provided server connection factory.
Server side representation of a connected LDAP client.
A reactive socket implementation representing a stream of LDAP messages.
An LDAP URL as defined in RFC 4516.
Utility methods to help interaction with the OpenDJ LDAP SDK.
A model object that contains the settings used for cached connection pools.
Simple failover Ldap Client.
Writes LDAP messages to an underlying ASN.1 writer.
This class contains common utility methods for creating and manipulating
readers and writers.
An LDIF change record reader reads change records using the LDAP Data
Interchange Format (LDIF) from a user defined source.
An LDIF change record writer writes change records using the LDAP Data
Interchange Format (LDIF) to a user defined destination.
An LDIF entry reader reads attribute value records (entries) using the LDAP
Data Interchange Format (LDIF) from a user defined source.
An LDIF entry writer writes attribute value records (entries) using the LDAP
Data Interchange Format (LDIF) to a user defined destination.
This is a collection of identity related methods which either should not exist, or belong elsewhere.
This allows reading and writing service config which is related to a specific identity.
Exception thrown if any configured limit is exceeded
An implementation of the Attribute interface with predictable iteration order.
An implementation of the Entry interface which uses a LinkedHashMap for storing attributes.
OAuth 2.0 Client Implementation that supports LinkedIn.
Configuration used for the LinkedInClient Implementation.
Builder used to create a LinkedInClientConfiguration instance.
Wraps another map.
Annotated configuration classes implementing this interface will be able to have listeners
registered to be invoked on configuration changes.
Builder responsible for providing fluent-like functions for building up
Action instances which will respond to changes in Service configuration.
A generic listener which will respond to a configuration or schema change event.
Represents an event provided to a service listener.
Deprecated. Use ListMultimap instead.
Provides helper methods for List.
.This interface defines the contract for checking whether an AM service or component is alive and able to function
independent of the state of any 3rd party dependencies or whether the service or component has fallen over to the
point of being beyond recovery.
CHF endpoint that reports AMs liveness, pertaining to the characteristics laid out in the Kubernetes documentation
for the liveness probe.
An object that registers to be notified when an LDAP client associated
with a load-balancer changes state from offline to online or vice-versa.
An SPI interface for implementing alternative service loading strategies.
Provides methods for dynamically loading classes.
This class Locale.java is a utility that provides functionality for applications and services to internationalize their messages.
Utility class for Locales.
A mix-in interface which can be used to identify exceptions which support
localization.
A localizable message whose String representation can be retrieved in one or more locales.
A mutable sequence of localizable messages and their parameters.
An opaque handle to a localizable message.
Subclass for creating messages with no arguments.
Subclass for creating messages with one argument.
Subclass for creating messages with two arguments.
Subclass for creating messages with three arguments.
Subclass for creating messages with four arguments.
Subclass for creating messages with five arguments.
Subclass for creating messages with six arguments.
Subclass for creating messages with seven arguments.
Subclass for creating messages with eight arguments.
Subclass for creating messages with nine arguments.
Subclass for creating messages with any number of arguments.
Localizable Operation.
Localizable RefProperty.
Represents a String which could be localizable.
Localizable Tag.
Thrown to indicate that a method has been passed an illegal or inappropriate argument.
A localized KeyStoreException.
A logger implementation which formats and localizes messages before forwarding them to an underlying SLF4J Logger.
An implementation of SLF4J marker that contains a LocalizableMessage and does not allow managing references to other markers.
Processes the Location message header.
A provider of commons SecretStore instances.
Deprecated.
Deprecated.
Deprecated.
Deprecated.
Deprecated.
Defines the logging categories and their associated logger.
Deprecated.
This class represents the LogoutRequest element in SAML protocol schema.
This class represents the LogoutResponse element in SAML protocol schema.
Deprecated.
Deprecated.
Deprecated.
Helper class for logging securely sensitive values.
A macaroon is a cryptographically protected token which can be attenuated by appending caveats.
Represents a caveat on a macaroon.
Indicates that a macaroon is not well-formed according to a SerializationFormat.
An OAuth2 access or refresh token that is represented as a Macaroon.
A macaroon verifier is used to verify the caveats on a Macaroon.
Indicates whether a macaroon was successfully verified or not.
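How a macaroon is minted, attenuated with JSON first-party caveats and verified, as an added example that is not the library's Macaroon, JsonCaveat or MacaroonVerifier code. It serves both the JSON caveat entries above and the macaroon entries here, uses only the Python standard library, and constructs its own root key, identifier, location and caveat vocabulary (exp, scope, aud). The verifier recomputes the HMAC chain from the root key, so it catches the failure modes a practitioner needs covered: an unsatisfied caveat, an expired caveat, and a holder who strips a caveat to widen a token. Holders can only narrow.

```python
import hashlib
import hmac
import json


def _chain(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Macaroon:
    """A macaroon in its simplest form: a location, a public identifier, an
    ordered list of first-party caveats and a chained HMAC signature.
    Minting needs the root key; attenuation (adding caveats) does not."""

    def __init__(self, location: str, identifier: str, root_key: bytes = None,
                 caveats=None, signature: bytes = None):
        self.location = location
        self.identifier = identifier
        self.caveats = list(caveats or [])
        # A freshly minted macaroon's signature is HMAC(root_key, identifier).
        self.signature = signature if signature is not None else _chain(root_key, identifier.encode())

    def add_first_party_caveat(self, caveat: str) -> "Macaroon":
        # Each caveat is folded into the signature, so caveats cannot be removed
        # or reordered by anyone who does not hold the root key.
        self.caveats.append(caveat)
        self.signature = _chain(self.signature, caveat.encode())
        return self

    def add_json_caveat(self, caveat: dict) -> "Macaroon":
        # Canonical JSON so the verifier parses exactly the bytes that were chained.
        return self.add_first_party_caveat(json.dumps(caveat, sort_keys=True, separators=(",", ":")))


def json_caveat_satisfied(caveat: str, context: dict) -> bool:
    """Checker for JSON-object caveats (constructed vocabulary: exp, scope, aud).
    Every key must be understood and hold; an unknown key fails closed."""
    try:
        obj = json.loads(caveat)
    except ValueError:
        return False
    if not isinstance(obj, dict):
        return False
    for key, value in obj.items():
        if key == "exp":
            if not context["now"] < value:
                return False
        elif key == "scope":
            if value not in context.get("scopes", ()):
                return False
        elif key == "aud":
            if value != context.get("aud"):
                return False
        else:
            return False
    return True


class MacaroonVerifier:
    def __init__(self, root_key: bytes, context: dict):
        self.root_key = root_key
        self.context = context
        self.checkers = [json_caveat_satisfied]

    def verify(self, m: Macaroon) -> bool:
        # Recompute the chain from the root key: every caveat must be satisfied
        # and the chain over the presented caveats must equal the signature.
        sig = _chain(self.root_key, m.identifier.encode())
        for caveat in m.caveats:
            if not any(check(caveat, self.context) for check in self.checkers):
                return False
            sig = _chain(sig, caveat.encode())
        return hmac.compare_digest(sig, m.signature)


def run_demo(now: int = 1_700_000_000) -> dict:
    """Mint, attenuate and verify; returns the outcome of each scenario."""
    root_key = b"constructed-root-key-kept-server-side"  # constructed sample
    token = Macaroon("https://am.example.test/oauth2", "access-token-0001", root_key)
    token.add_json_caveat({"scope": "read"})
    token.add_json_caveat({"exp": now + 300})

    ok_ctx = {"now": now, "scopes": {"read", "write"}}
    results = {
        "valid": MacaroonVerifier(root_key, ok_ctx).verify(token),
        "wrong_scope": MacaroonVerifier(root_key, {"now": now, "scopes": {"write"}}).verify(token),
        "expired": MacaroonVerifier(root_key, {"now": now + 600, "scopes": {"read"}}).verify(token),
    }
    # Stripping the scope caveat breaks the chain: the holder cannot widen the token.
    stripped = Macaroon(token.location, token.identifier,
                        caveats=token.caveats[1:], signature=token.signature)
    results["caveat_stripped"] = MacaroonVerifier(root_key, ok_ctx).verify(stripped)
    # Further attenuation by the holder needs no key and still verifies.
    narrowed = Macaroon(token.location, token.identifier,
                        caveats=token.caveats, signature=token.signature)
    narrowed.add_json_caveat({"aud": "reports-api"})
    results["narrowed"] = MacaroonVerifier(root_key, dict(ok_ctx, aud="reports-api")).verify(narrowed)
    results["narrowed_wrong_aud"] = MacaroonVerifier(root_key, dict(ok_ctx, aud="other")).verify(narrowed)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The checker fails closed on any caveat key it does not understand; a verifier that ignored unknown caveats would silently accept tokens whose restrictions it cannot enforce.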
Validates mail addresses. This class is constructed using the default (no-argument) constructor and the mail address is passed to the validate function with optional rules. The passed mail address is validated for authenticity and a boolean value is returned accordingly.
Constants representing the names of the mail server configuration attributes.
A RestRouteProvider that adds routes for all email endpoints.
Pluggable interface for all email sending in OpenAM.
Factory interface for creating instances of MailServer.
Default MailServer implementation that sends email via the configured SMTP server.
Interface which loads MailServer.
Thrown when a header string cannot be parsed to a rich Header implementation.
The ManageDsaIT request control as defined in RFC 3296.
This class represents the ManageNameIDRequestType complex type.
This class represents the ManageNameIDResponse element declaration.
Wraps another map.
A QueryFilterVisitor that produces a Map representation of the filter tree.
Configures a keystore based on a key/value map.
The matched values request control as defined in RFC 3876.
The types of compiled matcher.
This class defines a data structure for storing and interacting with matching
rules, which are used by servers to compare attribute values against
assertion values when performing Search and Compare operations.
A fluent API for incrementally constructing matching rules.
Represents the types of matching rules, according to RFC 4517 section 4.1.
This interface defines the set of methods that must be implemented to define
a new matching rule.
This class defines a data structure for storing and interacting with a
matching rule use definition, which may be used to restrict the set of
attribute types that may be used for a given matching rule.
A fluent API for incrementally constructing matching rule uses.
An implementation of Action that will preserve the SLF4J MDC.
An implementation of Consumer that will preserve the SLF4J MDC.
An implementation of Subscriber that will preserve the SLF4J MDC.
Stores the SLF4J Mapped Diagnostic Context (MDC) when tasks are submitted, and re-injects it when tasks are executed.
Stores the SLF4J Mapped Diagnostic Context (MDC) when tasks are submitted, and re-injects it when tasks are executed.
A simple in-memory collection resource provider which uses a Map to store resources.
A simple in-memory back-end which can be used for testing.
The Message class is used by web service client and server to construct a request or response.
Elements common to requests and responses.
The authentication framework uses this MessageContext to pass messages and message processing state to authentication contexts for processing by authentication modules.
An implementation of MessageContext that holds contextual information and state for a given request and response message exchange.
Abstract message base class.
The authentication framework uses this MessageContextInfo to pass messages and message processing state to authentication modules for processing of messages.
Exposes statistics on method call timings and rates to JMX monitoring.
Sends emails over REST using the OAuth2 client credentials grant type for authentication.
The StatusCode element is a container of one or more Statuses issued by an authorization authority.
A modification to be performed on an entry during a Modify operation.
A Modify operation change type as defined in RFC 4511 section 4.6 is used to
specify the type of modification being performed on an attribute.
Contains equivalent values for the ModificationType values.
The Modify DN operation allows a client to change the Relative Distinguished
Name (RDN) of an entry in the Directory and/or to move a subtree of entries
to a new location in the Directory.
The Modify operation allows a client to request that a modification of an
entry be performed on its behalf by a server.
Deprecated. Use Multimap instead.
Thrown when the result code returned in a Result indicates that the requested single entry search operation or read operation failed because the Directory Server returned multiple matching entries (or search references) when only a single matching entry was expected.
Annotation to mark a numeric JSON Schema property's multipleOf field.
Interface defining support for the multipleOf JSON Schema field.
Deprecated. Use Multiset instead.
An unmodifiable element-count pair for a multiset.
Wraps a map for which the values are lists, providing a set of convenience methods for
handling list values.
A MutableUri is a modifiable URI substitute.
Exception thrown if the name of an object such as a policy, rule or referral already exists (is used by another object of the same type).
This class defines a data structure for storing and interacting with a name
form, which defines the attribute type(s) that must and/or may be used in the
RDN of an entry with a given structural objectclass.
A fluent API for incrementally constructing name forms.
The NameID is used in various SAML assertion constructs such as Subject and SubjectConfirmation elements, and in various protocol messages.
The NameIdentifier element specifies a Subject by a combination of a name and a security domain governing the name of the Subject.
This class provides methods to send or process NameIDMappingRequest.
This class represents the ManageNameIDRequestType complex type.
This class represents the NameIDMappingResponseType complex type.
This interface defines methods to retrieve name identifier related
properties.
The NameIDType is used when an element serves to represent an entity by a string-valued name.
Exception thrown if an object such as a policy, rule or referral for the given name does not exist.
The NeverThrowsException class is an uninstantiable placeholder exception which should be used for indicating that a Function or AsyncFunction never throws an exception (i.e.
Java content class for NewEncryptedID element declaration.
This interface identifies the new identifier in a ManageNameIDRequest message.
A node is the core abstraction within an authentication tree.
Annotation that describes the metadata of the node.
Encapsulates all state that is provided by each node and passed between nodes on tree execution.
Allows the Caching of an object.
A NOP implementation of the Compression Handler, which will be used when no compression is to be
applied.
Exception thrown if a policy operation attempted could not be
done due to insufficient permissions
Deprecated.
This algorithm is inherently insecure and shouldn't be used.
Indicates that no secret was configured for the given purpose, or the named secret is not available.
An exception that is thrown when a specified resource cannot be found.
An exception that is thrown during an operation on a resource when the
resource does not implement/support the feature to fulfill the request.
Deprecated.
An annotation which tags a configuration method as representing a number range.
OAuth2 utility class.
OAuth 2.0 Client Implementation that supports the Authorization Code Grant Flow.
Configuration used for OAuth2 Client Implementations.
OAuth2ClientConfiguration.Builder<T extends OAuth2ClientConfiguration.Builder<T,C>,C extends OAuth2ClientConfiguration>
Builder class for creating the OAuth2ClientConfiguration.
An OAuth2Context could be used to store and retrieve an AccessTokenInfo.
Describes an error which occurred during an OAuth 2.0 authorization request or when performing an authorized request.
An abstraction of the actual request so as to allow the core of the OAuth2 provider to be agnostic of the library
used to translate the HTTP request.
OAuth2 Session Info Object used to determine if the access token expiry time has passed and to determine
if a session is still active.
Information about the current user.
Generic interface for all OAuth-like clients.
Base configuration of an OAuth client.
OAuthClientConfiguration.Builder<T extends OAuthClientConfiguration.Builder<T,C>,C extends OAuthClientConfiguration>
Base builder used to create OAuthClientConfiguration instances.
Exception used when an error has occurred with an OAuth client's configuration.
An exception that is thrown when an OAuth request has failed.
This class defines a data structure for storing and interacting with an
objectclass, which contains a collection of attributes that must and/or may
be present in an entry with that objectclass.
A fluent API for incrementally constructing object classes.
This enumeration defines the set of possible objectclass types that may be
used, as defined in RFC 2252.
Exception thrown to indicate that an object you are trying to
remove is in use and therefore can not be removed.
Common utility methods for Objects.
The Obligation element is a container of one or more AttributeAssignments issued by an authorization authority.
The Obligation element is a container of one or more AttributeAssignments issued by an authorization authority.
The Obligations element is a container of one or more Obligations issued by an authorization authority.
The Obligations element is a container of one or more Obligations issued by an authorization authority.
Creates an Octet JWK.
The Octet JWK builder.
An Octet Key-Pair (OKP) JWK as defined in RFC 8037.
Builder object for Octet Key-Pair (OKP) JWKs.
The OneTimeUse indicates that the assertion should be used immediately by the relying party and must not be retained for future use.
Deprecated. The "/oauth2/tokeninfo" endpoint was deprecated in AM 6.5.
Helper methods for applying commonly needed changes to the Swagger model.
Visits a Swagger Operation.
Transforms an ApiDescription into an OpenAPI/Swagger model.
The OpenDJ LDAP security provider which exposes an LDAP/LDIF based KeyStore service, as well as providing utility methods facilitating construction of LDAP/LDIF based key stores.
Utility methods for accessing the LDAP schema elements required in order to support the OpenDJ security provider.
OpenID Connect Client Implementation that supports the Authorization Code Grant Flow.
Configuration used for OpenID Connect Client Implementations.
OpenIDConnectClientConfiguration.Builder<T extends OpenIDConnectClientConfiguration.Builder<T,C>,C extends OAuth2ClientConfiguration>
Builder class for creating the OpenIDConnectClientConfiguration.
OpenID Connect module that allows access when a valid OpenID Connect JWT which
our server trusts is presented in the specific header field.
OpenIDSessionInfo object used to determine if the access token or id token expiry time has passed and to determine
if a session is still active.
An interface which allows soap-sts publishers to generate the amr claim for issued OpenIdConnect tokens on the basis
of the validated input token.
OpenIdConnect tokens can include an Authentication Context Class Reference (acr) claim which indicates how the subject
asserted by the OIDC token was authenticated.
An instance of this interface will be used to insert any custom claims into issued OpenIdConnect tokens.
OpenID Connect user information related to a user's current social session.
Problem during the verification of an OpenId Connect module.
A resolver that performs validation against a supplied SignedJwt.
For producing OpenId Resolvers.
Interface through which OpenIdResolvers are obtained, and the service providing them is configured.
Interface directing how to configure (OpenIdResolverServiceConfigurator.configureService(OpenIdResolverService, java.util.List)) an OpenIdResolverService.
Implementation of the OpenIdResolverServiceConfigurator interface which applies a simple priority ordering when reading a service configuration.
Holds a copy of the current OpenID Resolvers.
The common details of an operation.
Class that represents the Operation type in API descriptor.
Builder to help construct the Operation.
A configuration option whose value can be stored in a set of Options.
A set of options which can be used for customizing the behavior of HTTP clients and servers.
Filter which handles OPTIONS HTTP requests to CREST resources.
A StableIdResolver that uses a version suffix and a subsequent number to determine the stableId of a Secret.
The OrganizationAlreadyExistsException is thrown if the organization already exists.
The class OrganizationConfigManager provides interfaces to manage an organization's configuration data.
Describes the outcomes for node instances.
A model object for an outcome.
An exception that is thrown if a buffer would overflow as a result of a write operation.
PagePropertiesCallback class implements Callback and is used for exchanging all UI related attribute information such as template name, errorState to indicate whether a template is an error page, page header, image name, page timeout value, and name of module.
Enum that represents the Query paging mode.
Ordered pair of arbitrary objects.
This interface defines constants common to all PAOS elements.
The PAOSException class represents an error while processing SOAP request and response.
The PAOSHeader class is used by a web application on the HTTP server side to parse a PAOS header in an HTTP request from the user agent side.
The PAOSRequest class is used by a web application on the HTTP server side to construct a PAOS request message and send it via an HTTP response to the user agent side.
The PAOSUtils contains utility methods for the PAOS implementation.
An extra parameter to an operation.
Class that represents the Parameter type in API descriptor.
Builder to construct Parameter object.
Configuration for parameter passing stage.
Enum that represents where the Parameter comes from.
Captures input parameters to be passed back out at the end of the process.
Represents a partial CTS Token.
Named set of servers defining a distributed service.
A server from a partition.
An annotation which tags a configuration method as representing a "secret" value that is encrypted.
An encoded password.
The class PasswordDecoder is an interface that is implemented to decode passwords.
The Netscape password expired response control as defined in draft-vchu-ldap-pwd-policy.
The Netscape password expiring response control as defined in
draft-vchu-ldap-pwd-policy.
The password modify extended request as defined in RFC 3062.
The password modify extended result as defined in RFC 3062.
A password policy error type as defined in draft-behera-ldap-password-policy
is used to indicate problems concerning a user's account or password.
The exception class whose instance is thrown if there is any error related with password issue.
The password policy request control as defined in
draft-behera-ldap-password-policy.
The password policy response control as defined in
draft-behera-ldap-password-policy.
A password policy warning type as defined in
draft-behera-ldap-password-policy is used to indicate the current state of a
user's password.
Indicates a CREST patch method on an annotated POJO.
Class that represents the Patch operation type in API descriptor.
Builder to help construct the Patch.
Represents all Patch operations.
An individual patch operation which is to be performed against a field within a resource.
A request to update a JSON resource by applying a set of changes to its existing content.
Allocate a path to a component.
Class that represents the Paths type in API descriptor.
Utilities for manipulating paths.
Builder to help construct the Paths.
Jackson Module that adds a serializer modifier for Paths.
Utilities for working with API Description paths and path-parameters.
The interface represents the body of a JWT.
Supports decoding keys and certificates in PEM format.
PerItemEvictionStrategyCache is a thread-safe write-through cache.
An exception that indicates that a failure is permanent, i.e.
Extension filter that will be called before permission request creation.
A POJO to represent the UMA Permission Ticket.
The Microsoft defined permissive modify request control.
A persistent search change type as defined in draft-ietf-ldapext-psearch is
used to indicate the type of update operation that caused an entry change
notification to occur.
The persistent search request control as defined in
draft-ietf-ldapext-psearch.
Represents a pipe for transferring bytes from an OutputStream to an InputStream.
Proof Key for Code Exchange (PKCE) transformation method.
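The two PKCE transformation methods and the token-endpoint check that uses them, as an added example rather than the library's own code (Python standard library only; the code verifier from RFC 7636 Appendix B is used as the sample value, everything else is constructed). The authorization server stores the challenge and method with the authorization code, then recomputes the challenge from the verifier the client presents at the token endpoint. The check refuses the plain method unless the deployment opts in, enforces the verifier's length and alphabet, and compares in constant time.

```python
import base64
import hashlib
import hmac
import secrets
import string

# RFC 7636 section 4.1: unreserved characters, 43..128 of them.
_ALPHABET = string.ascii_letters + string.digits + "-._~"
_UNRESERVED = set(_ALPHABET)


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy random verifier kept until the token request."""
    if not 43 <= length <= 128:
        raise ValueError("verifier length must be 43..128")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: apply the transformation named by code_challenge_method.
    S256 is BASE64URL(SHA256(ASCII(verifier))) without padding; plain is the
    verifier itself and offers no protection if the challenge is observed."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: %r" % method)


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str,
                         allow_plain: bool = False) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the
    presented verifier with the method stored alongside the authorization
    code and compare it to the stored challenge."""
    if stored_method == "plain" and not allow_plain:
        return False  # downgrade to plain is refused unless explicitly enabled
    if not 43 <= len(presented_verifier) <= 128 or not set(presented_verifier) <= _UNRESERVED:
        return False
    try:
        recomputed = code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, stored_challenge)


# RFC 7636 Appendix B test vector.
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    v = generate_code_verifier()
    c = code_challenge(v)
    print(v, c, verify_code_verifier(c, "S256", v))
```

An attacker who intercepts the authorization code but not the verifier cannot redeem it: the server recomputes S256 over whatever verifier is presented, and a guessed or truncated value fails the comparison.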
An annotation which tags a configuration method as being placeholdered.
An exception for an error in plugin operation.
A collection of simple tools for interacting with the SMS (Service Management Service).
Deprecated. As of OpenSSO Express 8.0, use Entitlement instead as Entitlement has replaced Policy.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
The class PolicyEvaluationException is the exception for the error happening in policy request XML parsing and policy request evaluation.
Deprecated.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
The class PolicyException is the basic exception for the policy component.
This is the factory class to obtain instances of the objects defined in the xacml context schema.
Deprecated.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
The post-read request control as defined in RFC 4527.
The post-read response control as defined in RFC 4527.
An exception that is thrown to indicate that a resource's current version
does not match the version provided.
An exception that is thrown to indicate that a resource requires a version,
but no version was supplied in the request.
An interface for a basic, stand-alone predicate which can be evaluated given some JsonValue input and serialized for storage.
A Predicate functional interface which can throw a checked Exception.
This class encapsulates an ordered list of preferred locales, and the logic to use those to retrieve i18n ResourceBundles.
The pre-read request control as defined in RFC 4527.
Container for a principal and secret.
A Filter implementation for adding the client credentials to a request as a signed private key JWT, as per the OpenID Connect Client Authentication specification.
PrivateKeyJwtClientAuthenticationFilter.Builder<T extends PrivateKeyJwtClientAuthenticationFilter.Builder<T>>
Builder class for creating the PrivateKey Jwt ClientAuthentication Filter.
Holds the context of the policy evaluation making it available to policy
conditions.
Process context represents the current state of the workflow.
Represents the configuration for an instance of the anonymous process service.
Process store is used to persist state throughout a given flow cycle.
A property accessor for product paths.
Progress stage represents a single stage within the overall advance flow.
Progress stage binder is responsible for creating bindings between the stage configs and their consuming stages.
Binds together the progress stage with its config.
Progress stage provider.
A Promise represents the result of an asynchronous task.
An implementation of Promise which can be used as is, or as the basis for more complex asynchronous behavior.
Utility methods for creating and composing Promises.
Ordered list of joined asynchronous results.
When issuing SAML2 Holder-of-Key assertions, the proof token is usually an X509Certificate.
Builder class for ProofTokenState.
Given a file path this will load the properties within the file as a PropertyResolver.
Supported property formats for file-based and system/environment variable properties.
Decodes secrets in raw base64 format.
Annotation to provide a property order for a given object property.
An annotation to declare the policies for property access in the CREST API Descriptor schema elements.
A property resolver attempt to get the value of a given config property.
A utility class that gives access to the default property resolvers for a product.
A SecretStore implementation that resolves secrets as base64-encoded strings from an underlying PropertyResolver.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
This is the factory class to obtain object instances for concrete elements in the protocol schema.
The base class of all requests and responses provides methods for querying and manipulating the set of Controls.
The proxy authorization v1 request control as defined in
draft-weltman-ldapv3-proxy-04.
The proxy authorization v2 request control as defined in RFC 4370.
Deprecated.
Deprecated.
This class defines the proxy protocol header as it is described in
the proxy protocol documentation.
Exposes the content of the "pp2_tlv_ssl" structure present in the ProxyProtocolHeader.PP2_TYPE_SSL TLV header.
Represents the possible values for the client property of the "pp2_tlv_ssl" structure.
Represents the possible types of the "sub_tlv" contained in the "pp2_tlv_ssl" structure present in the ProxyProtocolHeader.PP2_TYPE_SSL TLV header.
The ProxyRestriction specifies limitations that the asserting party imposes on relying parties that in turn wish to act as asserting parties and issue subsequent assertions of their own on the basis of the information contained in the original assertion.
This class exists to allow functionality for those Open ID Connect providers which supply their signatures through asymmetric key algorithms (e.g.
A purpose encapsulates both a name for a function that requires access to secrets, together with a hint as
to the intended usage of those secrets.
A mapping of purpose to alias with a valid-from date.
This validator makes sure that the secret mappings have both the alias and the secret ID specified, and
additionally it verifies that there is no other secret mapping in the configuration already for the same secret ID.
A PushNotificationDelegate is an implementation of OpenAM's Push Notification Service PushNotificationService specific to a realm, as generated by a PushNotificationDelegateFactory.
Defines how PushNotificationDelegates should be created.
Declare an array of Query operations from a single method.
Indicates a CREST query method on an annotated POJO.
Class that represents the Create Operation type in API descriptor.
Builder to help construct the Read.
Deprecated.
A filter which can be used to select resources, which is compatible with the CREST query filters.
QueryFilter constants.
A query string has the following string representation:
Convenience methods to create QueryFilters that specify fields in terms of JsonPointer instances.
A visitor of QueryFilters, in the style of the visitor design pattern.
A request to search for all JSON resources matching a user specified set of criteria.
A completion handler for consuming the results of a query request.
The final result of a query request returned after all resources matching the request have been returned.
Enum that represents the Query type.
Interface to define the resulting behavior when the session quota is exhausted.
Exposes a range of integer values as a set.
A relative distinguished name (RDN) as defined in RFC 4512 section 2.3 is the
name of an entry relative to its immediate superior.
Indicates a CREST read method on an annotated POJO.
Class that represents the Read Operation type in API descriptor.
Builder to help construct the Read.
This interface defines the contract for checking whether an AM service or component is ready to service requests
successfully, independent of the state of any 3rd party dependencies.
CHF endpoint that reports AMs readiness, pertaining to the characteristics laid out in the Kubernetes documentation
for the readiness probe.
Annotation to mark a JSON Schema property as read-only.
Enum that represents the Schema read policies.
A request to read a single identified JSON resource.
Models a valid realm within OpenAM.
This interface identifies the ServiceComponentConfig as containing configuration that is applied to a realm.
API for looking up realms and determining if they are active or not.
Signals that the realm String used to look up a realm failed due to it being an invalid realm identifier, or the lookup operation failed.
A class to statically obtain Realm instances.
Generates codes of a specified length using a given Alphabet as valid characters.
Class that represents the Reference type in API descriptor.
Builder to help construct the Reference.
Helper that registers one or more ApiDescription instances and provides a means to resolve References.
Deprecated.
Thrown when the result code returned in a Result indicates that the Request
could not be processed by the Directory Server because the target entry is
located on another server.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
A Header representation of the Referrer HTTP header.
A grant type handler that can obtain an access token using a previously obtained refresh token.
An input parameter-validating utility class using fluent invocation:
A listener interface which is notified whenever a change record cannot be
applied to an entry.
A listener interface which is notified whenever LDIF records are skipped,
malformed, or fail schema validation.
Indicates that a macaroon has been rejected by a MacaroonVerifier for a reason other than being invalid.
The internet-draft defined Relax Rules control.
Service Discovery Mechanism retrieving information from a replication topology.
The Request element is the top-level element in the XACML context schema.
A request message.
Common attributes of all JSON resource requests.
The base class of all Requests provides methods for querying and manipulating
the set of Controls included with a Request.
The type of this request.
This interface defines methods for setting and retrieving attributes and
elements associated with a SAML request message used in SAML protocols.
A context for audit information for an incoming request.
Extension filter that will be called before request authorization and after
request authorization.
Exposes incoming request cookies.
Java content class for RequestedAuthnContext element declaration.
This interface identifies the requester in an AuthnRequest message.
Provides the ability to terminate an asynchronous LDAP request.
A marker annotation to indicate that the annotated class should be interpreted as an annotated CREST
request handler.
Represents the contract with a set of resources.
The Request element is the top-level element in the XACML context schema.
A utility class containing various factory methods for creating and manipulating requests.
This class contains various methods for creating and manipulating requests.
An enumeration whose values represent the different types of request.
A visitor of Requests, in the style of the visitor design pattern.
A visitor of Requests, in the style of the visitor design pattern.
Helper class to assist with the building of requirements.
The reset password stage.
Configuration for the password reset stage.
The Resource element specifies information about the resource to which access is requested by listing a sequence of Attribute elements associated with the resource.
Class that represents the Resource type in API descriptor.
The variant of the annotated type.
Builder to help construct the Resource.
A ResourceAccess encapsulates the logic of required scope selection.
Implementations of this interface will be responsible for maintaining the behaviour of API Version routing.
API Version routing filter which creates an ApiVersionRouterContext which contains the default routing behaviour when the Accept-API-Version header is set on the request.
API Version routing filter which creates an ApiVersionRouterContext which contains the default routing behaviour when the Accept-API-Version header is set on the request.
A Filter supporting the specification of resource API version configuration to be used when a request on a specific endpoint does not contain an Accept-API-Version header.
Handler allowing products to extend behaviour when a request has no resource API version supplied.
Class representing a mapping between a ResourcePath and a Version.
ResourceApiVersionSpecificationFilter.VersionSpecification supporting specification of a request's resource version based on its resource path.
Mechanism supporting specification of a version on the request.
Encapsulates a Strategy to derive attributes to be returned with a particular Entitlement when evaluating Privileges.
The ResourceContent element specifies information about the resource to which access is requested by listing a sequence of Attribute elements associated with the resource.
Extension filter that will be called before a resource is shared, after a
resource is shared, before a shared resource is modified and on a resource
no longer being shared.
An exception that is thrown during the processing of a JSON resource request.
The Resource element specifies information about the resource to which access is requested by listing a sequence of Attribute elements associated with the resource.
Deprecated. As of OpenSSO Express 8.0, use ResourceMatch instead as Entitlement has replaced Policy.
The class ResourceMatch defines the results of a resource match with respect to Policy.
Deprecated.
The interface ResourceName provides methods to determine the hierarchy of resource names.
A grant type handler that can obtain an access token using the Resource Owner Password Credentials (ROPC) grant.
A relative path, or URL, to a resource.
Extension filter that will be called before and after resource sets are
registered.
A resource, comprising of a resource ID, a revision (etag), and its JSON
content.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
This class contains methods for creating and manipulating connection factories and connections.
Validates a Request that contains an OAuth 2.0 access token.
Represents a resource set description created by an OAuth2 client (resource server).
The Response message element is used when a response consists of a list of zero or more assertions that satisfy the request.
The Response element is a container of one or more Results issued by a policy decision point.
A response message.
Common response object of all resource responses.
The base class of all Responses provides methods for querying and
manipulating the set of Controls included with a Response.
Indicates whether a response can be cached and under what conditions.
An HTTP Framework Exception that can be used by filters/handlers to simplify
control-flow inside async call-backs.
Response mode enum as described by
OAuth 2.0 Multiple
Response Type Encoding Practices - Response Modes.
Deprecated.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
Provide out-of-the-box, pre-configured Response objects.
A utility class containing various factory methods for creating and manipulating responses.
This class contains various methods for creating and manipulating responses.
Handles the issuing of Tokens for a response type, i.e.
Writes AuthenticationException responses for different media types.
A filter that can be applied to a CREST route in order to enter the restricted token context for a request if it contains a requester token as well as a subject token.
Interface defining token creators in the rest-sts.
Parameter state passed to JsonTokenProvider instances.
Defines the contract for token validators deployed in the context of token transformation.
Defines the parameter state which needs to be passed to the RestTokenTransformValidator#validateToken instances.
The Result element is a container of one or more Results issued by an authorization authority.
A Result is used to indicate the status of an operation performed by the server.
An operation result code as defined in RFC 4511 section 4.1.9 is used to
indicate the final status of an operation.
Contains equivalent values for the ResultCode values.
ResultHandler is responsible for providing a mechanism of allowing access to the result
of an asynchronous operation.
A completion handler for consuming the results of asynchronous tasks.
Configuration for the retrieve email stage.
Stage is responsible for retrieving the email.
Configuration for the retrieve username stage.
Stage is responsible for retrieving the username.
An exception that indicates that a failure may be temporary, and that
retrying the same request may be able to succeed in the future.
A Context which has a globally unique ID but no parent.
The root DSE is a DSA-specific Entry (DSE) and not part of any naming context (or any subtree), and which is uniquely identified by the empty DN.
Singleton class used to manage Root URL providers.
Interface used for getting a context's root url.
To be used when an exception has occurred in a root url provider.
Contains the result of routing to a particular route.
A matcher for evaluating whether a route matches the incoming request.
A utility class that contains methods for creating route matchers.
A utility class that contains methods for creating route matchers.
A router which routes requests based on route matchers.
A router which routes requests based on route predicates.
Represents a URI template string that will be used to match and route
incoming requests.
The algorithm which should be used when matching URI templates against
request resource names.
Deprecated. Use RSAEncryptionHandler and AESCBCHMACSHA2ContentEncryptionHandler instead.
Deprecated. Use RSAEncryptionHandler and AESCBCHMACSHA2ContentEncryptionHandler instead.
Abstract base class for implementations of the RSAES-PKCS1-v1_5 and RSA-OAEP encryption schemes.
Implements a RsaJWK.
The RSA JWK builder.
Holds the other prime factors.
Deprecated. Use SecretRSASigningHandler instead.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead as Entitlement has replaced Policy.
A completion handler for consuming runtime exceptions which occur during the execution of asynchronous tasks.
Utility class for creating reactive transports and sockets.
A reactive server socket listens for incoming connections and binds them to an RxSocket.
A transport agnostic reactive socket abstraction.
Constants used by the SAML2 Client implementation.
Guice module containing bindings for SAML2 client APIs.
Encapsulates the configuration state necessary to produce SAML2 assertions.
Builder used to programmatically create SAML2Config objects
This interface defines constants common to all SAMLv2 elements.
Constants for SAML2 scripted plugins
Deprecated, for removal: This API element is subject to removal in a future version. Since AM 7.3.0, implement use-case specific IDPAdapter implementations instead.
Deprecated, for removal: This API element is subject to removal in a future version. Since AM 7.3.0, implement use-case specific IDPFinder implementations instead.
This class is an extension point for all SAML related exceptions.
This class is an extension point for invalid usernames in the SAML flow.
The SAML2MetaUtils provides metadata related util methods.
This class contains the currently available options that can control the SAML2 flows.
Called on the way back into the SAML2 Authentication Module
by the saml2AuthAssertionConsumer jsp.
Response data from SAML2 IDP, combined here for ease of access.
The SAML2SDKUtils contains utility methods for the SAML 2.0 implementation.
Deprecated, for removal: This API element is subject to removal in a future version. Since AM 7.3.0, implement use-case specific SPAdapter implementations instead.
Initiates SAML2 single sign-on on the service provider side.
An exception type that highlights that an issue has occurred during SAML2 single sign-on.
This interface exposes APIs to allow callers to initiate SAML2 Single Sign-on flows when AM acts as a service
provider.
Utility methods for working with SAML2 SSO responses.
This POJO contains information collated during SAML2 response processing.
Enum defining the SAML2 SubjectConfirmation values used in the REST-STS and the TokenGenerationService.
The SAML2Utils contains utility methods for the SAML 2.0 implementation.
This is a common class defining some constants common to all SAML elements.
This class is an extension point for all SAML related exceptions.
The marker interface that all the federation plugins should extend from.
This exception is thrown when the request could not be performed due to
an error in the sender or in the request.
This exception is thrown when the request could not be performed
due to an error at the receiving end.
This class contains some utility methods for processing SAML protocols.
This exception is thrown when the receiver could not process the request
because the version was incorrect.
A reactive socket which adds SASL QOP to an underlying reactive socket.
Specify a schema for the element that is being described.
Class that represents the Schema type in API descriptor.
This class defines a data structure that holds information about the
components of the LDAP schema.
A builder class for Schema instances.
Schema builders should be used for incremental construction of new schemas.
Allows modifications to be performed on element builders before the result is added to this schema builder.
Interface for schema elements.
The SchemaException is thrown if the error encountered is related to the schema.
Common options for LDAP schemas.
Schema resolvers are included with a set of DecodeOptions in order to allow the application to control how Schema instances are selected when decoding requests and responses.
The class SchemaType defines the types of schema objects, and provides static constants for these schema objects.
This class provides various schema validation policy options for controlling how entries should be validated against the directory schema.
An enumeration of the possible actions which can be performed when a
schema validation failure is encountered.
A plugin or (extension point) that evaluates and returns an OAuth2 access token's scope information.
A plugin or (extension point) that allows the OAuth2 provider to customise the set of requested scopes for authorize,
access token, refresh token and back channel authorize requests.
Deprecated. Since 7.2.0.
This interface defines methods to retrieve Identity Providers and
context/limitations related to proxying of the request message.
The SCRAM credential data persisted in the server using the representation described in RFC 5803 which is a
specialization of RFC 3112.
Server-side callback for obtaining the stored SCRAM credential for a given user and mechanism.
A wrapper class to limit an authentication script's exposure to an AmIdentity object.
A repository to retrieve user information within a scripting module's script.
A wrapper around the Secrets API that allows a simplified interface to access secrets from a scripting context.
This class wraps around an EntitlementInfo object for consumption in scripts.
This class wraps around an EntitlementInfo object for consumption in scripts.
Resolver for getting properties in scripts.
The Search operation is used to request a server to return, subject to access
controls and other restrictions, a set of entries matching a complex search
criterion.
A Search Result Entry represents an entry found during a Search operation.
A completion handler for consuming the results of a Search operation.
A Search Result Reference represents an area not yet explored during a Search
operation.
Thrown when an iteration over a set of search results using a ConnectionEntryReader encounters a SearchResultReference.
A Search operation search scope as defined in RFC 4511 section 4.5.1.2 is used to specify the scope of a Search operation.
Contains equivalent values for the SearchScope values.
Value object that models a secret as a value.
A secret is any piece of data that should be kept confidential.
Provides a uniform way for secrets providers to construct secrets and keys.
An exception that occurred when reading the configuration of the secret API.
Interface for constraints on a secret that must be satisfied for a given Purpose.
Specifies how data retrieved from a SecretStore should be decoded into a secret object.
Elliptic Curve Digital Signature Algorithm (ECDSA) signing and verification.
Signing handler for Edwards Curve DSA (EdDSA) as defined in RFC 8037.
A class of exception arising from use of the secrets API.
An implementation of the SigningHandler which can sign and verify using algorithms from the HMAC family.
A ChoiceValues implementation that fetches the names of all known purposes.
This interface allows AM's modules/components to easily expose which secret IDs they are using.
An exception that occurred when initialising the secret API.
An exception that represents an inability to instantiate a secret object.
Wraps a property format that decodes raw bytes and converts it into a property format for extracting secret keys
using some algorithm.
Defines the format of secrets loaded from configuration properties.
Type adapter annotation for giving information about a secret purpose.
A long-lived reference to an active or named secret.
The secret resource used for creating a Secret.
A Secret-based implementation of the SigningHandler which can sign and verify using algorithms from the RSA family.
The top-level API to obtain secrets in AM.
Provides Google SDK credentials from the secrets API.
Provides Secret-based signing and verification code base.
Token handler for creating tokens using a JWT as the store.
Builder pattern object for configuring a SecretsJwtTokenHandler.
An X509ExtendedKeyManager implementation that gets keys and certificates from a SecretsProvider.
A Java security provider that exposes a KeyStore view of a secret store.
Class used to initialise the keystore when it is initialised via the standard Java interfaces.
The secrets provider is used to get hold of active, named or valid secret objects.
A facade around SecretsProvider instances from the realm and global levels that will delegate correctly to the global provider when a secret is not found in the realm, and knows how to resolve secrets for a DefaultingPurpose.
Deprecated. The AuthenticatedEncryptionCryptographyHandler should be preferred.
A class that can provide secret references for a given purpose.
A backend storage mechanism for certain kinds of secrets.
Encapsulates the context in which a secret store is being instantiated.
Provides an implementation of a standard Java TLS X509ExtendedTrustManager that will retrieve trusted certificates from the Secrets API.
Utility methods for dealing with secrets.
SecureAttrs class forms the core API of the "Secure Attributes Exchange" (SAE) feature.
Utility Class for Security Answers.
Configuration for the KBA Security Answer Definition Stage.
Stage is responsible for supplying the KBA questions to the user and capturing the answers provided by the user.
Interface to manage security question answer match failures and subsequent lockout.
Configuration for the KBA Security Answer Verification Stage.
Stage is responsible for verifying the answers provided by the user for the KBA questions.
The SecurityAssertion class provides an extension to the Assertion class to support ID-WSF ResourceAccessStatement and SessionContextStatement.
A Context containing information about the client performing the request which may be used when performing authorization decisions.
This class has common utility methods.
Denotes self service dependencies.
Defines the bases for which all self service console configuration should be built on.
A Context that indicates the request came from Self-Service.
Determines how to serialize and deserialize macaroons into a string format.
The server-side sort request control as defined in RFC 2891.
The server-side sort response control as defined in RFC 2891.
The ServiceAlreadyExistsException is thrown if the service already exists.
The interface ServiceAttributeValidator should be implemented by the services/applications if validator plugins are required.
A marker interface indicating that the sub-type defines configuration for a Service Component.
The class ServiceConfig provides interfaces to manage the configuration information of a service configuration.
An exception that indicates there was a problem when using the Service Component Config API.
A sub-exception of SMSException for the ServiceConfigValidator.
The class ServiceConfigurationManager provides interfaces to manage the service's configuration data.
Provides self service config instances based on the passed console configuration instance.
This interface provides a means to validate an entire ServiceConfig's attribute values together.
This interface provides a means to validate an entire ServiceConfig's attribute values together.
This interface defines the methods that a Service Discovery consumer should implement if it wishes to be notified of changes in the service.
Maintains a set of Partitions keeping it up to date according to a specific discovery mechanism.
A sub-exception of SMSException for the ServiceConfigValidator.
The class ServiceInstance provides methods to manage service's instance variables.
The ServiceInstanceUpdateHeader class represents the ServiceInstanceUpdate element defined in the SOAP binding schema.
The ServiceInstanceUpdateHeader.Credential class represents the Credential element in the ServiceInstanceUpdate element defined in the SOAP binding schema.
The interface ServiceListener needs to be implemented by applications in order to receive service data change notifications.
The ServiceManager class provides methods to register/remove services and to list currently registered services.
The ServiceNotFoundException is thrown if the service does not exist.
Class that represents API descriptor's Service Resource definitions.
Builder to help construct the Services.
The class ServiceSchema provides interfaces to manage the schema information of a service.
The class ServiceSchemaManager provides interfaces to manage the service's schema.
An exception that is thrown during an operation on a resource when the server
is temporarily unable to handle the request.
General utility class.
A JASPI Servlet API Session Module which creates a JWT when securing the response from a successful authentication
and sets it as a Cookie on the response.
An interface for managing attributes across multiple requests from the same user agent.
A SessionContext is a mechanism for maintaining state between components when processing successive requests from the same logical client or end-user.
This class is to handle Session related exceptions.
This class represents the SessionIndex element in the SAML protocol schema.
SessionInfo object represents information about an OAuth session.
Interface used for session invalidation notification.
Deprecated.
This class is used in case of session upgrade for copying session properties
from the old session into the new one.
Interface used for creating sessions, and for accessing session
information.
Implementation of this class gets executed every time when an SSO Session
times out (either idle or max timeout).
Deprecated, for removal: This API element is subject to removal in a future version.
This header is no longer supported by browsers.
Processes the Set-Cookie request message header.
Support class for generating Set-Cookie header values.
Contains another set, which it uses as its basic source of data, possibly transforming the
data along the way.
This class exists to allow functionality for those Open ID Connect providers which
supply their signatures through symmetric key algorithms (e.g.
Provided as an extension point to allow customised transformation of the OATH shared secret attribute.
This class represents all the constants that can be used as keys for storing values in the tree's shared state.
Any component which needs to be shut down should implement this interface
and use the function to shut down the component.
Interface used by shutdown managers to allow for thread safe
adding and removing of shutdown listeners.
This class defines the shutdown priorities that are consumed by com.sun.identity.common.ShutdownManager.
Utility class for signing and verifying signatures.
Deprecated. Use EncryptedThenSignedJwtHeaderBuilder instead.
Deprecated. Use EncryptedThenSignedJwt instead.
Deprecated. Use EncryptedThenSignedJwtBuilder instead.
A JWS implementation of the Jwt interface.
A base interface for both SignedJwtBuilder and SignedEncryptedJwtBuilder to create Signed JWTs and Signed and
Encrypted JWTs.
An implementation of a JwtBuilder that can build a JWT and sign it, resulting in a SignedJwt object.
A nested signed-then-encrypted JWT.
Builder for nested signed-then-encrypted JWT.
The interface for SigningHandlers for all the different signing algorithms.
A key that is used for signing digital signatures.
A service to get the appropriate SigningHandler for a specific Java Cryptographic signing algorithm.
Decrypts a $crypto JSON object value encrypted with the x-simple-encryption type.
Encrypts a JSON value into an x-simple-encryption type $crypto JSON object.
A basic implementation of HttpClientRequest that a script can send over an HttpClient.
A basic implementation of HttpClientResponse that a script can receive from sending an HttpClientRequest over an HttpClient.
Interface to select keys from a key store.
Simple implementation for selecting keys from a provided key store.
The simple paged results request and response control as defined in RFC 2696.
Provides instances of the commons secrets SecretStore without needing references to other secrets.
Validates purpose mappings for the GoogleKeyManagementServiceSecretStore and GoogleSecretManagerSecretStoreProvider.
Abstract node for nodes that always result in the same single outcome.
Provides a static single outcome for nodes with a single outcome.
A marker annotation to indicate that the annotated class should be interpreted as an annotated CREST singleton provider resource.
An implementation interface for resource providers which exposes a single permanent resource instance.
A StableIdResolver that matches a stableId exactly to the purpose for returning only one Secret.
The exception class whose instance is thrown if there is any error during the operation of objects of the com.sun.identity.sms package.
Defines the ability to send SMS (Short Message Service) and e-mail via a gateway implementation.
The class SMSThreadPool provides interfaces to manage notification thread pools shared by idm and sm.
Callback is invoked when a new snapshot token is created, just before requirements are returned to the client.
Represents the configuration for a TokenHandler.
Factory for delivering snapshot token handlers.
This class contains all the constants used by the Soapbinding classes.
The SOAPBindingException class represents an error while processing SOAP request and response.
A SOAPClientException is thrown when there are errors related to JAXRPC and SOAP methods.
A SOAPClientException is thrown when there are errors related to JAXRPC and SOAP methods.
The SOAPFault class represents a SOAP Fault element.
The SOAPFaultDetail class represents the 'Detail' child element of the SOAP Fault element.
The SOAPFaultException class represents a SOAP Fault while processing a SOAP request.
A sort key which can be used to specify the order in which JSON resources should be included in the results of a query request.
A search result sort key as defined in RFC 2891 is used to specify how search result entries should be ordered.
Comparator derived from a sort key which can be used to compare entries.
This comparator iterates through the provided sortKeys and finds the first comparative difference between the left and right side JsonValues.
Defines possible positions for a JsonValue that wraps a null object.
The interface SPAccountMapper is used to identify the local identities that map to the SAML protocol objects such as Assertion, ManageNameIDRequest etc.
The class PartnerAccountMapper is an interface that is implemented to map a partner account to a user account in OpenAM.
This class is used by a service provider (SP) to process the response from an identity provider for the SP's Assertion Consumer Service.
The SPAdapterPlugin provides contracts to perform user specific logic during SAMLv2 protocol processing on the Service Provider side.
Provides helper functions for SP Adapter Script Implementations.
This interface SPAttributeMapper is used to map the SAML Attributes to the local user attributes.
This interface SPAttributeMapper is used to map the SAML Attributes to the local user attributes.
The interface SPAuthnContextMapper.java determines the Authentication Context to be set in the Authentication Request and the Auth Level of an Authentication Context.
Collection of methods for identifying whether a given String corresponds to the UniversalId or Dn of the super or special users.
This interface exposes the key components necessary to establish secure HTTPS connections.
Encapsulates options for configuring SSL based security as well as providing methods for building SSLEngines.
Represents the client authentication policy option.
A reactive socket implementation which adds SSL to an underlying reactive socket.
This SSOException is thrown when there is a single sign on token operation error.
This final class SSOProviderImpl implements the SSOProvider interface and provides implementation of the methods to create, destroy and check the validity of a single sign on token.
The SSOToken class represents a "single sign on" (SSO) token.
The SSOTokenEvent is an interface that represents an SSO token event.
The single sign on token event represents a change in SSOToken.
The SSOTokenID is an interface that is used to identify a single sign on token object.
The SSOTokenListener interface needs to be implemented by the applications to receive SSO token events.
This SSOTokenCannotBeObservedException is thrown when calling SSOToken.addSSOTokenListener(SSOTokenListener) on an SSOToken type that does not generate lifecycle events.
SSOTokenManager is the final class that is the mediator between the SSO APIs and SSO providers.
Represents API stability.
Interface for resolving stable ids in a SecretStore.
Represents the configuration for a given progress stage.
Represents some framework error around the use of progress stages and configs.
Stage response represents a response from having invoked a progress stage.
Builder assists with the creation of StageResponse instances.
Requirements builder allows for the definition of a snapshot token callback, which gets invoked just prior to requirements being sent to the client.
Utility class.
The start TLS extended request as defined in RFC 4511.
The start TLS extended result as defined in RFC 4511.
The Statement element is an extension point that allows other assertion-based applications to reuse the SAML assertion framework.
The Statement element is an extension point that allows other assertion-based applications to reuse the SAML assertion framework.
Describes the outcomes for node instances that have static outcomes.
This mechanism only returns the list of servers in its configuration, without checking for availability.
Allows a uniform interface to statistics information in a uniform format.
This class represents the StatusType complex type in the SAML protocol schema.
The Status element is a container of one or more Status elements issued by an authorization authority.
The status-code element is a three-digit integer code giving the result of the attempt to understand and satisfy the request. The first digit of the status-code defines the class of response.
This class represents the StatusCodeType complex type in the SAML protocol schema.
The StatusCode element is a container of one or more StatusCode elements issued by an authorization authority.
The StatusCode element is a container of one or more StatusCode elements issued by an authorization authority.
This class represents the StatusDetailType complex type in the SAML protocol schema.
The StatusCode element is a container of one or more Status elements issued by an authorization authority.
The StatusCode element is a container of one or more Status elements issued by an authorization authority.
The Status element is a container of one or more Status elements issued by an authorization authority.
This class represents the StatusMessage element in the SAML protocol schema.
The StatusMessage element is a container of one or more StatusMessage elements issued by an authorization authority.
The StatusMessage element is a container of one or more StatusMessage elements issued by an authorization authority.
This class represents the StatusResponseType complex type in the SAML protocol schema.
Indicates whether the service should operate in stateless or stateful mode.
Utility methods for operating on IO streams.
This class provides a utility method for validating that a String is either an arbitrary string without any ":" characters or, if the String does contain a ":" character, that the String is a valid URI.
Common utility methods for Strings.
Indicates that a method contains rich sub-configuration(s) of the parent configuration (or sub-configuration).
The sub-entries request control as defined in RFC 3672.
Deprecated.
The Subject element specifies one or more subjects.
The Subject specifies the principal that is the subject of all of the statements in the assertion.
The Subject element specifies information about a subject of the Request context by listing a sequence of Attribute elements associated with the subject.
The SubjectConfirmation element specifies a subject by specifying data that authenticates the subject.
The SubjectConfirmation provides the means for a relying party to verify the correspondence of the subject of the assertion with the party with whom the relying party is communicating.
The SubjectConfirmationData specifies additional data that allows the subject to be confirmed or constrains the circumstances under which the act of subject confirmation can take place.
Class to represent an EntitlementSubject evaluation match result and, if applicable, its advices.
The Subject element specifies information about a subject of the Request context by listing a sequence of Attribute elements associated with the subject.
The SubjectLocality element specifies the DNS domain name and IP address for the system entity that performed the authentication.
The SubjectLocality element specifies the DNS domain name and IP address for the system entity that performed the authentication.
Defines the concerns of providing the Subject to be included in the generated SAML2 assertion.
This class represents the SubjectQueryAbstractType complex type.
The SubjectStatement element is an extension point that allows other assertion-based applications to reuse the SAML assertion framework.
Deprecated.
Sub-resources of a resource are declared here.
Builder to help construct the SubResources.
Utility methods to validate Subscriptions in the various onSubscribe calls.
A SubstitutionContext holds both runtime and config time values for the substitution process.
Exception thrown during the substitution process.
Substitute tokens in the source String with their resolved value.
This visitor evaluates Templates with the help of a PropertyResolver.
Builder of SubstitutionVisitor.
The tree delete request control as defined in draft-armijo-ldap-treedelete.
An RFC 3672 subtree specification.
A refinement which uses a search filter.
Abstract interface for RFC 3672 specification filter refinements.
A Supplier functional interface which can throw a checked Exception.
This annotation marks AM APIs that are considered stable and should not change in minor releases (except possibly when a security fix requires such change).
This annotation marks AM APIs that are considered stable and should not change in minor releases (except possibly when a security fix requires such change).
Enumerates all supported elliptic curve parameters for ESXXX signature formats.
Suspended text output callback extends TextOutputCallback to allow a custom message to be displayed to the user whilst informing the client that the current auth flow has been suspended.
This handler interface allows authentication nodes to suspend authentication and send a unique ID out of band to the end-user.
A reactive socket implementation which delegates to a replaceable delegate reactive socket.
An interface for implementing synchronous RequestHandlers.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead, as Entitlement has replaced Policy.
This class defines a data structure for storing and interacting with LDAP syntaxes, which constrain the structure of attribute values stored in an LDAP directory, and determine the representation of attribute and assertion values transferred in the LDAP protocol.
A fluent API for incrementally constructing syntaxes.
This interface defines the set of methods and structures that must be implemented to define a new attribute syntax.
This class provides functionality that allows single-point-of-access to all related system properties.
A SystemPropertyResolver resolves a config token using system properties.
Represents a templated string.
A template parser receives a string input source, tokenizes it (honoring escaping settings) and builds a Template that can be processed later on.
A TemplateVisitor represents an operation applied to a Template.
An annotation which tags a configuration method as representing a large body of text which requires a larger input.
Audit filter for capturing details about the things endpoint responses.
ThingsResource handles REST calls made to the things endpoint.
This thread pool maintains a number of threads that run the tasks from a task queue one by one.
A secret store that wraps another secret store and performs all query operations in a background thread using a thread pool.
Common utility methods for Threads.
Thrown when the result code returned in a Result indicates that the Request was aborted because it did not complete in the required time out period.
Invokes TimeoutScheduler.TimeoutEventListener at a regular interval.
Listener on timeout events.
Annotation to define a JSON Schema property's title.
A simple domain value responsible for modelling a Core Token Service Token.
Models an OAuth2 token.
Describes the ability to convert from one type of object into a Token and the reverse operation of converting from a Token into the object of type T.
Responsible for selecting the appropriate algorithm for dealing with Token binary objects prior to them being stored in the data store.
Responsible for handling the encoding and decoding of the binary object format of the CTS Token.
An instance of this exception is thrown for errors encountered during token creation.
Is responsible for deleting expired tokens and performing any post-processing.
Creates a Token object that can then be stored into the CTS.
Describes a collection of filters which can be applied to the CTS query function as part of a complex query.
Allows the assembly of TokenFilter instances for use with the CTSPersistentStore and other uses of the generic data layer.
Responsible for the validation, generation and parsing of tokens used for keying a JsonValue representative of some state.
An exception generated by a TokenHandler on either creation, validation, or state extraction.
An interface for objects that can generate an identifier for a token if the existing one is null.
An AccessTokenResolver which is RFC 7662 compliant.
Describes the possible modifications that can be applied as part of the CTSPersistentStore patch operation.
Contains equivalent values for the ModificationType values.
Adapts the token to some activity against the connection type.
Responsible for capturing the reason why a Token Blob Strategy failed.
Responsible for defining the available token types in the Core Token Service.
Provides an extensible means of identifying a to-be-validated or to-be-provided token type.
An instance of this exception is thrown for all errors related to token validation.
A Header representation of the Trailer HTTP response header.
The TransactionId value should be unique per request coming from an external agent so that all events occurring in response to the same external stimulus can be tied together.
This context aims to hold the TransactionId.
Processes the transactionId header, used mainly for audit purposes.
This filter is responsible for creating the TransactionIdContext in the context's chain.
This filter aims to create a sub-transaction's id and insert that value as a header of the request.
A reactive socket which wraps an underlying downstream reactive socket, providing opportunities to transform transferred data or provide additional functionality.
Signals that an error occurred while transforming an API Description to another format.
Iterates over each JsonValue node in the JsonValue structure and, if it is a String marked for translation, replaces the String with a LocalizableString.
A representation of the context of the current tree authentication process.
A TreeHook encapsulates some functionality that should be executed at the end of a tree, after authentication.
Annotation that describes the metadata of the node.
An implementation of the Entry interface which uses a TreeMap for storing attributes.
Meta data API to expose data concerning the evaluating tree to nodes which care for that data.
A trusted JWT issuer for use in validating a JWT bearer grant.
This class contains methods for creating common types of trust manager.
An exception that occurred when a secret reference is not available.
The Unbind operation allows a client to terminate an LDAP session.
An exception that indicates that a failure is not directly known to the system, and hence requires out-of-band knowledge or enhancements to determine if a failure should be categorized as temporary or permanent.
Annotation to mark JSON Schema array-items as unique.
Represents a reference to an identity that is managed by AM.
Wraps a message that the LdapServer was unable to decode because it did not recognize it.
Exception thrown when a transport implementation can't be found.
Thrown when a schema query fails because the requested schema element could not be found or is ambiguous.
A marker interface for tagging collection implementations as read-only.
Indicates that the JWT had critical headers that were not recognized by the JWT library and not implemented by the application.
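The "unrecognized critical headers" condition above is the RFC 7515 section 4.1.11 rule: a JWS carrying a "crit" header must be rejected unless every listed parameter is understood either by the library or by the application, and "crit" may not name registered parameters. The following is an added illustration in Python of that check inside a minimal HS256 verifier; it is not code from the AM libraries indexed on this page. The signing key, the header names "exp-policy", and the set of library-known parameters are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


class UnrecognizedCriticalHeaderError(Exception):
    """Raised when 'crit' names a parameter neither library nor application understands."""


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Header parameters this toy verifier itself implements (assumed set for the example).
LIBRARY_KNOWN_HEADERS = frozenset({"alg", "typ", "kid", "crit"})

# Parameters registered by RFC 7515 section 4.1; these must never be listed in "crit".
REGISTERED_HEADERS = frozenset(
    {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}
)


def check_crit(header: dict, app_supported: frozenset) -> None:
    """Enforce RFC 7515 'crit' semantics; raise if the token must be rejected."""
    crit = header.get("crit")
    if crit is None:
        return
    if not isinstance(crit, list) or not crit:
        raise ValueError("crit must be a non-empty array")
    for name in crit:
        if name in REGISTERED_HEADERS:
            raise ValueError(f"registered header {name!r} may not be listed in crit")
        if name not in header:
            raise ValueError(f"crit names {name!r} but the header does not carry it")
        if name not in LIBRARY_KNOWN_HEADERS and name not in app_supported:
            raise UnrecognizedCriticalHeaderError(name)


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS with HMAC-SHA256 (used here only to build test tokens)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, app_supported=frozenset()) -> dict:
    """Verify the signature, then enforce 'crit', then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the token must never choose the verification algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # Only after authenticity is established do we decide whether we may act on the header.
    check_crit(header, frozenset(app_supported))
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    tok = sign_hs256({"alg": "HS256", "crit": ["exp-policy"], "exp-policy": "strict"},
                     {"sub": "alice"}, key)
    print(verify_hs256(tok, key, {"exp-policy"}))
    try:
        verify_hs256(tok, key)  # application did not declare support for exp-policy
    except UnrecognizedCriticalHeaderError as e:
        print("rejected, unrecognized critical header:", e)
```

The application passes the set of extension headers it actually implements; anything else listed in "crit" rejects the token even though its signature is valid, which is the behaviour the exception in the index above reports.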
Indicates a 415 Unsupported Media Type response: the Content-Type of the request was not acceptable.
Indicates a CREST update method on an annotated POJO.
Class that represents the Update Operation type in the API descriptor.
Builder to help construct Update.
A request to update a JSON resource by replacing its existing content with new content.
This class is an extension point for all Upgrade related exceptions.
This class contains utilities to upgrade the service schema configuration to be compatible with OpenAM.
A Context which is created when a request has been routed.
Eases UriRouterContext construction.
Utility class for performing operations on universal resource identifiers.
The UsageDirectiveHeader class represents the 'UsageDirective' element defined in the SOAP binding schema.
Generator for OAuth2 User Codes.
Configuration for the user details stage.
Stage is responsible for requesting a new user json representation.
An application implements a UserIDGenerator interface and registers itself with the Core Authentication service so that authentication modules can retrieve a list of auto-generated user IDs.
Each instance will return the user subject that identifies a user on an auth server as well as the entire raw profile that was retrieved when making a request to the user info endpoint.
Simple bean that contains the values of claims, and the scopes that provisioned them (if any).
A plugin (or extension point) that fetches the resource owner's information based on an issued access token.
Deprecated.
This class is for handling the Exception that is thrown when the user name / password validation plugin fails or any invalid characters are detected in the user name.
An encoded user password that contains a storage scheme and an encoded value.
Configuration for the user query stage.
Stage is responsible for querying the underlying service for a user based on the supplied query fields.
Configuration for the user registration stage.
Represents user registration console configuration.
Builder for UserRegistrationConsoleConfig.
Stage is responsible for registering the user supplied data using the underlying service.
A RequestHandler that proxies user requests to update the user's KBA answers.
This class contains utility methods.
This class provides utility methods to share common behaviour.
This class provides utility functions.
Deprecated.
Configuration for the validate active account stage.
Stage is responsible for validating account status.
API Descriptor model-validation utilities.
A long-lived reference to a number of secrets.
Deprecated. As of OpenSSO Express 8.0, use com.sun.identity.entitlement instead, as Entitlement has replaced Policy.
Cipher implementation for the Hashicorp Vault transit backend.
Encapsulates the common configuration required for Hashicorp Vault secret backends.
Builder object for Vault configuration settings.
A secret store that can fetch fresh database credentials from the Vault Database secret engine.
A secret store that fetches secrets from a Hashicorp Vault server, using version 2 of the key-value backend.
Standard implementations of VaultKeyValueSecretStore.SecretFieldDecoder for common fields.
Determines how a field in the Vault JSON response should be decoded into one or more fields on a SecretBuilder object.
Provides HMAC support using the Hashicorp Vault transit backend.
HMAC-SHA-224.
HMAC-SHA-256.
HMAC-SHA-384.
HMAC-SHA-512.
A secret store that is able to retrieve PKI certificates and private keys from the Hashicorp Vault PKI backend.
Provides signature support using the Hashicorp Vault transit backend.
ECDSA with SHA-256.
ECDSA with SHA-384.
ECDSA with SHA-512.
Ed25519.
Generic RSA with PSS padding.
RSA with SHA-256 and PKCS#1 v1.5 padding.
RSA with SHA-384 and PKCS#1 v1.5 padding.
RSA with SHA-512 and PKCS#1 v1.5 padding.
RSA with SHA-256 and PSS padding.
RSA with SHA-384 and PSS padding.
RSA with SHA-512 and PSS padding.
Cryptographic provider that delegates cryptographic operations to the Hashicorp Vault transit backend.
Implements a store for cryptographic keys based on Vault's transit engine, which implements cryptography as a service.
A key used for verifying digital signatures.
Configuration for the email account verification stage.
Having retrieved the email address from the context or in response to the initial requirements, verifies the validity of the email address with the user who submitted the requirements via an email flow.
Represents some version in the form majorNumber.minorNumber, for instance 2.4.
Class that represents versioned Resources on an API descriptor path.
Builder to help construct the VersionedPath.
The virtual list view request control as defined in draft-ietf-ldapext-ldapv3-vlv.
The virtual list view response control as defined in draft-ietf-ldapext-ldapv3-vlv.
This annotation doesn't actually do anything, other than provide documentation of the fact that a function has either been marked public, or package private, in order for a test (somewhere physically distant in the system) to compile.
WarningHeader entry.
Processes the Warning message header.
XMLParser provides a way for applications to handle a hook into applications and their server.
This class creates JWKOpenIdResolverImpls from a supplied well-known open id configuration url.
The who am I extended request as defined in RFC 4532.
The who am I extended result as defined in RFC 4532.
Extension for CREST and OpenAPI schemas to express an example value.
Enum that represents the Schema write policies.
This class is an extension point for all WS-Federation related exceptions.
A Header representation of the WWW-Authenticate HTTP header.
A single WWW-Authenticate challenge.
A class for building X509 certificates as described in RFC 5280.
An enumeration of extended key usages.
An enumeration of key usages.
The XACMLAuthzDecisionQuery element is a SAML Query that extends the SAML Protocol schema type RequestAbstractType.
The XACMLAuthzDecisionQueryImpl is an implementation of the XACMLAuthzDecisionQuery interface.
XACMLAuthzDecisionStatement is an extension of samlp:StatementAbstractType that is carried in a SAML Assertion to convey xacml-context:Response Schema:
This interface defines constants common to all XACML elements.
This class is an extension point for all XACML related exceptions.
This class provides methods to send or process AttributeQuery.
This class provides the public API to process a XACML context Request.
The XACMLSDKUtils contains utility methods for the XACML 2.0 implementation.
Utilities for handling XEC keys for X25519 and X448 ECDH key agreement.
Processes the X-Forwarded-For message header.
This is a custom XML handler to load the DTDs from the classpath. This should be used by all the XML parsing document builders to set the default entity resolvers.
Common super-interface for all SAML elements that can be serialized into XML.
Utility classes for handling XML.
ContentEncryptionHandler instead.